Module: ActiveCipherStorage::BlobMetadata

Defined in:: lib/active_cipher_storage/blob_metadata.rb

Overview

Reads and writes encryption metadata on ActiveStorage::Blob records.

Written fields (all stored under the blob’s existing ‘metadata` JSON column):

encrypted      => true
cipher_version => Integer  (Format::VERSION)
provider_id    => String   (e.g. "aws_kms", "env")
kms_key_id     => String   (CMK ARN, provider key identifier, or nil)

These are for operational visibility and auditing. The encrypted file header is always the authoritative source for decryption.

Class Method Summary collapse

.for(storage_key) ⇒ Object

Returns the metadata hash for a blob, or nil if AR is unavailable.
.write(storage_key, provider) ⇒ Object
.write_plaintext(storage_key) ⇒ Object

Class Method Details

.for(storage_key) ⇒ `Object`

Returns the metadata hash for a blob, or nil if AR is unavailable.

# File 'lib/active_cipher_storage/blob_metadata.rb', line 50

def self.for(storage_key)
  return nil unless active_storage_available?
  ActiveStorage::Blob.find_by(key: storage_key)&.metadata
end

.write(storage_key, provider) ⇒ `Object`

# File 'lib/active_cipher_storage/blob_metadata.rb', line 13

def self.write(storage_key, provider)
  return unless active_storage_available?

  blob = ActiveStorage::Blob.find_by(key: storage_key)
  return unless blob

  blob.update_columns(
    metadata: blob.metadata.merge(
      "encrypted"      => true,
      "cipher_version" => Format::VERSION,
      "provider_id"    => provider.provider_id,
      "kms_key_id"     => provider.key_id
    ).compact
  )
rescue StandardError => e
  log_metadata_failure(storage_key, "write", e)
end

.write_plaintext(storage_key) ⇒ `Object`

# File 'lib/active_cipher_storage/blob_metadata.rb', line 31

def self.write_plaintext(storage_key)
  return unless active_storage_available?

  blob = ActiveStorage::Blob.find_by(key: storage_key)
  return unless blob

  blob.update_columns(
    metadata: blob.metadata.merge(
      "encrypted" => false,
      "cipher_version" => nil,
      "provider_id" => nil,
      "kms_key_id" => nil
    ).compact
  )
rescue StandardError => e
  log_metadata_failure(storage_key, "write_plaintext", e)
end