Optional update encrypted attributes only when values changed

.github/workflows/test.yml

@@ -0,0 +1,37 @@
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version: ['2.7', '3.0', '3.1', '3.2']
+        rails-version: ['5.1.1', '5.2.8', '6.0.6', '6.1.7', '7.0.4']
+        exclude:
+          - ruby-version: 2.7
+            rails-version: 7.0.4
+          - ruby-version: 3.0
+            rails-version: 5.1.1
+          - ruby-version: 3.0
+            rails-version: 5.2.8
+          - ruby-version: 3.1
+            rails-version: 5.1.1
+          - ruby-version: 3.1
+            rails-version: 5.2.8
+          - ruby-version: 3.2
+            rails-version: 5.1.1
+          - ruby-version: 3.2
+            rails-version: 5.2.8
+    env:
+      ACTIVERECORD: ${{ matrix.rails-version }}
+    steps:
+    - uses: actions/checkout@v2
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run tests
+      run: bundle exec rake

.gitignore

@@ -4,3 +4,4 @@
 pkg
 Gemfile.lock
 coverage
+.idea/

.ruby-gemset

@@ -0,0 +1 @@
+attr_encrypted

README.md

@@ -1,18 +1,21 @@
 # attr_encrypted
 
-[![Build Status](https://app.travis-ci.com/attr-encrypted/attr_encrypted.svg?branch=master)](https://travis-ci.org/attr-encrypted/attr_encrypted) [![Test Coverage](https://codeclimate.com/github/attr-encrypted/attr_encrypted/badges/coverage.svg)](https://codeclimate.com/github/attr-encrypted/attr_encrypted/coverage) [![Code Climate](https://codeclimate.com/github/attr-encrypted/attr_encrypted/badges/gpa.svg)](https://codeclimate.com/github/attr-encrypted/attr_encrypted) [![Gem Version](https://badge.fury.io/rb/attr_encrypted.svg)](https://badge.fury.io/rb/attr_encrypted)
+[![Build Status](https://github.com/KentaaNL/attr_encrypted_v4/actions/workflows/test.yml/badge.svg)](https://github.com/KentaaNL/attr_encrypted_v4/actions)
 
 Generates attr_accessors that transparently encrypt and decrypt attributes.
 
 It works with ANY class, however, you get a few extra features when you're using it with `ActiveRecord` or `Sequel`.
 
+Forked from [attr-encrypted/attr_encrypted](https://github.com/attr-encrypted/attr_encrypted) with the following fixes:
+
+* Optional update encrypted attributes only when values changed  (#1)
 
 ## Installation
 
 Add attr_encrypted to your gemfile:
 
 ```ruby
-  gem "attr_encrypted"
+  gem "attr_encrypted", github: "KentaaNL/attr_encrypted_v4"
 ```
 
 Then install the gem:
@@ -152,7 +155,8 @@ The following are the default options used by `attr_encrypted`:
   decrypt_method:    'decrypt',
   mode:              :per_attribute_iv,
   algorithm:         'aes-256-gcm',
-  allow_empty_value: false
+  allow_empty_value: false,
+  update_unchanged:  true
 ```
 
 All of the aforementioned options are explained in depth below.
@@ -329,6 +333,16 @@ You may want to encrypt empty strings or nil so as to not reveal which records a
   end
 ```
 
+### The `:update_unchanged` option
+
+You may want to only update changed attributes each time the record is saved.
+
+```ruby
+  class User
+    attr_encrypted :email, key: 'some secret key', marshal: true, update_unchanged: false
+  end
+```
+
 
 ## ORMs
 

lib/attr_encrypted.rb

@@ -106,6 +106,9 @@ def self.extended(base) # :nodoc:
   #   allow_empty_value:    Attributes which have nil or empty string values will not be encrypted unless this option
   #                         has a truthy value.
   #
+  #   update_unchanged:     Attributes which have unchanged values will be encrypted again on each update.
+  #                         Defaults to true.
+  #
   # You can specify your own default options
   #
   #   class User
@@ -164,16 +167,18 @@ def attr_encrypted(*attributes)
       end
 
       define_method("#{attribute}=") do |value|
-        send("#{encrypted_attribute_name}=", attr_encrypted_encrypt(attribute, value))
-        instance_variable_set("@#{attribute}", value)
+        if should_update_encrypted_attribute?(attribute, value)
+          send("#{encrypted_attribute_name}=", attr_encrypted_encrypt(attribute, value))
+          instance_variable_set("@#{attribute}", value)
+        end
       end
 
       define_method("#{attribute}?") do
         value = send(attribute)
         value.respond_to?(:empty?) ? !value.empty? : !!value
       end
 
-      self.attr_encrypted_encrypted_attributes[attribute.to_sym] = options.merge(attribute: encrypted_attribute_name)
+      attr_encrypted_encrypted_attributes[attribute.to_sym] = options.merge(attribute: encrypted_attribute_name)
     end
   end
 
@@ -206,6 +211,7 @@ def attr_encrypted_default_options
       mode:              :per_attribute_iv,
       algorithm:         'aes-256-gcm',
       allow_empty_value: false,
+      update_unchanged:  true
     }
   end
 
@@ -324,7 +330,7 @@ module InstanceMethods
     #  end
     #
     #  @user = User.new('some-secret-key')
-    #  @user.decrypt(:email, 'SOME_ENCRYPTED_EMAIL_STRING')
+    #  @user.attr_encrypted_decrypt(:email, 'SOME_ENCRYPTED_EMAIL_STRING')
     def attr_encrypted_decrypt(attribute, encrypted_value)
       attr_encrypted_encrypted_attributes[attribute.to_sym][:operation] = :decrypting
       attr_encrypted_encrypted_attributes[attribute.to_sym][:value_present] = self.class.not_empty?(encrypted_value)
@@ -365,6 +371,16 @@ def attr_encrypted_encrypted_attributes
 
     protected
 
+      # Determine if unchanged attribute needs to be updated again
+      def should_update_encrypted_attribute?(attribute, value)
+        if attr_encrypted_encrypted_attributes[attribute.to_sym][:update_unchanged]
+          return true
+        else
+          old_value = instance_variable_get("@#{attribute}")
+          return old_value.nil? || old_value != value
+        end
+      end
+
       # Returns attr_encrypted options evaluated in the current object's scope for the attribute specified
       def evaluated_attr_encrypted_options_for(attribute)
         evaluated_options = Hash.new

test/attr_encrypted_test.rb

@@ -31,6 +31,7 @@ class User
   attr_encrypted :with_false_unless, :key => SECRET_KEY, :unless => false, mode: :per_attribute_iv_and_salt
   attr_encrypted :with_if_changed, :key => SECRET_KEY, :if => :should_encrypt
   attr_encrypted :with_allow_empty_value, key: SECRET_KEY, allow_empty_value: true, marshal: true
+  attr_encrypted :with_unchanged_false, key: SECRET_KEY, update_unchanged: false
 
   attr_encryptor :aliased, :key => SECRET_KEY
 
@@ -469,6 +470,43 @@ def test_should_not_by_default_generate_iv_when_attribute_is_empty
     assert_nil user.encrypted_with_true_if_iv
   end
 
+  def test_should_not_generate_iv_if_same_value_when_option_is_false
+    user = User.new
+    assert_nil user.encrypted_with_unchanged_false_iv
+    user.with_unchanged_false = '[email protected]'
+    old_value = user.encrypted_with_unchanged_false_iv
+    refute_nil(old_value)
+    user.with_unchanged_false = '[email protected]'
+    assert_equal old_value, user.encrypted_with_unchanged_false_iv
+  end
+
+  def test_should_generate_iv_if_same_value_when_option_is_true
+    user = User.new
+    assert_nil user.encrypted_email_iv
+    user.email = '[email protected]'
+    refute_nil(old_value = user.encrypted_email_iv)
+    user.email = '[email protected]'
+    refute_equal old_value, user.encrypted_email_iv
+  end
+
+  def test_should_not_update_iv_if_same_value_when_option_is_false
+    user = User.new
+    user.with_unchanged_false = '[email protected]'
+    old_encrypted_with_unchanged_false_iv = user.encrypted_with_unchanged_false_iv
+    refute_nil old_encrypted_with_unchanged_false_iv
+    user.with_unchanged_false = '[email protected]'
+    assert_equal old_encrypted_with_unchanged_false_iv, user.encrypted_with_unchanged_false_iv
+  end
+
+  def test_should_not_update_iv_if_same_value_when_option_is_true
+    user = User.new(email: '[email protected]')
+    old_encrypted_email_iv = user.encrypted_email_iv
+    refute_nil old_encrypted_email_iv
+    user.email = '[email protected]'
+    refute_nil user.encrypted_email_iv
+    refute_equal old_encrypted_email_iv, user.encrypted_email_iv
+  end
+
   def test_encrypted_attributes_state_is_not_shared
     user = User.new
     user.ssn = '123456789'