Module: ActiveCipherStorage::BlobMetadata

Defined in:
lib/active_cipher_storage/blob_metadata.rb

Overview

Reads and writes encryption metadata on ActiveStorage::Blob records.

Written fields (all stored under the blob’s existing ‘metadata` JSON column):

encrypted      => true
cipher_version => Integer  (Format::VERSION)
provider_id    => String   (e.g. "aws_kms", "env")
kms_key_id     => String   (CMK ARN, env-var name, or nil)

These are for operational visibility — rotation queries, auditing, backward-compat detection. The encrypted file header is always the authoritative source for decryption.

Class Method Summary collapse

Class Method Details

.blobs_for(provider) ⇒ Object

Finds all blobs whose metadata matches the given provider. Iterates in batches to avoid loading all blobs into memory. Yields each matching blob.

For large tables, add a DB-level index on ‘metadata->>’kms_key_id’‘ and narrow the scope before passing to this method.



84
85
86
87
88
89
90
91
92
93
94
95
96
 
# File 'lib/active_cipher_storage/blob_metadata.rb', line 84

def self.blobs_for(provider)
  return enum_for(:blobs_for, provider) unless block_given?
  return unless active_storage_available?

  ActiveStorage::Blob.find_each do |blob|
    meta = blob.metadata
    next unless meta["encrypted"] == true
    next unless meta["provider_id"] == provider.provider_id
    next if provider.key_id && meta["kms_key_id"] != provider.key_id

    yield blob
  end
end

.for(storage_key) ⇒ Object

Returns the metadata hash for a blob, or nil if AR is unavailable.



73
74
75
76
 
# File 'lib/active_cipher_storage/blob_metadata.rb', line 73

def self.for(storage_key)
  return nil unless active_storage_available?
  ActiveStorage::Blob.find_by(key: storage_key)&.metadata
end

.update_after_rotation(storage_key, new_provider) ⇒ Object 



54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
 
# File 'lib/active_cipher_storage/blob_metadata.rb', line 54

def self.update_after_rotation(storage_key, new_provider)
  return unless active_storage_available?

  blob = ActiveStorage::Blob.find_by(key: storage_key)
  return unless blob

  blob.update_columns(
    metadata: blob.metadata.merge(
      "provider_id" => new_provider.provider_id,
      "kms_key_id"  => new_provider.key_id
    ).compact
  )
rescue => e
  ActiveCipherStorage.configuration.logger.warn(
    "[ActiveCipherStorage] Could not update rotation metadata for #{storage_key}: #{e.message}"
  )
end

.write(storage_key, provider) ⇒ Object 



14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
 
# File 'lib/active_cipher_storage/blob_metadata.rb', line 14

def self.write(storage_key, provider)
  return unless active_storage_available?

  blob = ActiveStorage::Blob.find_by(key: storage_key)
  return unless blob

  blob.update_columns(
    metadata: blob.metadata.merge(
      "encrypted"      => true,
      "cipher_version" => Format::VERSION,
      "provider_id"    => provider.provider_id,
      "kms_key_id"     => provider.key_id
    ).compact
  )
rescue => e
  ActiveCipherStorage.configuration.logger.warn(
    "[ActiveCipherStorage] Could not write blob metadata for #{storage_key}: #{e.message}"
  )
end

.write_plaintext(storage_key) ⇒ Object 



34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
 
# File 'lib/active_cipher_storage/blob_metadata.rb', line 34

def self.write_plaintext(storage_key)
  return unless active_storage_available?

  blob = ActiveStorage::Blob.find_by(key: storage_key)
  return unless blob

  blob.update_columns(
    metadata: blob.metadata.merge(
      "encrypted" => false,
      "cipher_version" => nil,
      "provider_id" => nil,
      "kms_key_id" => nil
    ).compact
  )
rescue => e
  ActiveCipherStorage.configuration.logger.warn(
    "[ActiveCipherStorage] Could not write plaintext blob metadata for #{storage_key}: #{e.message}"
  )
end