More seamless mongoid support

Question

More seamless mongoid support

ajsharp opened this issue 5 years ago · 8 comments

I've recently integrated this library with mongoid, though this library relies on ActiveRecord to add the blind_index class method, and the query stuff only supports activerecord out of the box. This is pretty trivial to add, in client code, but it would be nice if the library did it.

Also, regarding query support, adding a class-level database lookup method would probably make this a little easier to integrate with different ORMs, rather than intercepting the relation building stuff.

All in all, this is a great library, but better Mongoid support would be great. Happy to submit a PR if you're open to it.

Answer 1 · 2019-07-29T06:35:22.000Z

Hey @ajsharp, happy to review a PR for Mongoid support. What library are you using for encryption?

Answer 2 · 2019-07-29T16:37:14.000Z

Currently I'm using a home-rolled KMS solution. I looked at kms-encrypted but I'm not sure it supports mongoid, and it looks like it just uses KMS' encrypt to encrypt the data and store it in KMS, rather than using KMS to generate an encrypted data key, and encrypting and storing locally.

Answer 3 · 2019-07-29T18:48:38.000Z

Yeah, KMS Encrypted doesn't do direct encryption. I think the biggest blocker for this is there isn't a great encryption library for Mongoid (as far as I know).

Answer 4 · 2019-07-29T19:17:01.000Z

Yea, my implementation just uses the standard ruby openssl libraries, e.g. OpenSSL::Cipher::AES256, and stores the ciphered data in a BSON::Binary field to avoid string encoding issues.

Answer 5 · 2019-07-30T21:18:58.000Z

I've considering adding support to Lockbox, but think it'll be more work than I'm willing to take on at the moment. If there are small changes that make Blind Index work with Mongoid (and can be tested), happy to accept them.

Answer 6 · 2019-08-03T20:22:33.000Z

Hey @ajsharp, I spent some time seeing what it would take to support Mongoid in Lockbox and Blind Index and have branches where everything appears to be working.

gem 'lockbox', github: 'ankane/lockbox', branch: 'mongoid'
gem 'blind_index', github: 'ankane/blind_index', branch: 'mongoid_lockbox'

and

class User
  field :email_ciphertext, type: String
  field :email_bidx, type: String

  encrypts :email
  blind_index :email
end

Let me know what you think.

Also, I was unable to get encode: false working with either, which is used for binary columns instead of a Base64 encoded string. BSON::Binary complains about the not being UTF-8, which is expected for binary data. It sounds like you've had success with BSON::Binary, so maybe you have ideas.

Answer 7 · 2019-08-05T20:42:41.000Z

@ankane awesome. will try to test this out later today or tomorrow.

Oddly I've never had an issue with BSON::Binary columns and string encodings. I think the strings start as ascii encoded but I've always assumed BSON::Binary forces the encoding to utf-8 before inserting in the DB?

My general sense is that base64 encoding is probably the right way to go for a library that aims to support multiple database backends. In a mongo context, I don't really know the pros and cons of choosing base64 over a BSON::Binary column, though, I assume a big part of the benefit would be compression/compaction and support for large binary blobs, which probably doesn't apply in this context.

Answer 8 · 2019-08-16T23:14:22.000Z

Just pushed a new release with this. https://ankane.org/modern-encryption-mongoid