Class: ConcealedString

Inherits:

Object

• Object
• ConcealedString

Defined in:

lib/familia/features/encrypted_fields/concealed_string.rb

Overview

ConcealedString

A secure wrapper for encrypted field values that prevents accidental plaintext leakage through serialization, logging, or debugging.

Unlike RedactedString (which wraps plaintext), ConcealedString wraps encrypted data and provides controlled decryption through the .reveal API.

Security Model:

• Contains encrypted JSON data, never plaintext
• Requires explicit .reveal { } for decryption and plaintext access
• ALL serialization methods return '[CONCEALED]' to prevent leakage
• Maintains encryption context for proper AAD handling
• Thread-safe and supports concurrent access

Key Security Features:

1. Universal Serialization Safety - ALL to_* methods protected
2. Debugging Safety - inspect, logging, console output shows [CONCEALED]
3. Exception Safety - never leaks plaintext in error messages
4. Future-proof - any new serialization method automatically safe
5. Memory Clearing - best-effort encrypted data clearing

Critical Design Principles:

• Secure by default - no auto-decryption anywhere
• Explicit decryption - .reveal required for plaintext access
• Comprehensive protection - covers ALL serialization paths
• Auditable access - easy to grep for .reveal usage

Example Usage: user = User.new user.secret_data = "sensitive info" # Encrypts and wraps user.secret_data # Returns ConcealedString user.secret_data.reveal { |plain| ... } # Explicit decryption user.to_h # Safe - contains [CONCEALED] user.to_json # Safe - contains [CONCEALED]

Constant Summary

REDACTED =

'[CONCEALED]'.freeze

Class Method Summary

• .finalizer_proc(encrypted_data) ⇒ Object

  Finalizer to attempt memory cleanup.

Instance Method Summary

• #+(_other) ⇒ Object

  String concatenation operations return concealed result.

• #==(other) ⇒ Object (also: #eql?)

  Returns true when it's literally the same object, otherwise false.

• #as_json ⇒ Object

  Prevent exposure in Rails serialization (as_json -> to_json).

• #belongs_to_context?(expected_record, expected_field_name) ⇒ Boolean

  Validate that this ConcealedString belongs to the given record context.

• #blank? ⇒ Boolean
• #clear! ⇒ Object

  Clear the encrypted data from memory.

• #cleared? ⇒ Boolean

  Check if the encrypted data has been cleared.

• #coerce(other) ⇒ Object

  Handle coercion for concatenation like "string" + concealed.

• #concat(_other) ⇒ Object
• #context_description ⇒ String

  Human-readable description of the record/field context this value was encrypted for.

• #deconstruct ⇒ Object

  Pattern matching safety (Ruby 3.0+).

• #deconstruct_keys ⇒ Object
• #downcase ⇒ Object
• #each {|'[CONCEALED]'| ... } ⇒ Object
• #empty? ⇒ Boolean
• #encrypted_value ⇒ String^?

  Access the encrypted data for database storage.

• #gsub ⇒ Object
• #hash ⇒ Object

  Consistent hash to prevent timing attacks.

• #include?(_substring) ⇒ Boolean
• #initialize(encrypted_data, record, field_type) ⇒ ConcealedString constructor

  Create a concealed string wrapper.

• #inspect ⇒ Object

  Safe representation for debugging and console output.

• #length ⇒ Object
• #map {|'[CONCEALED]'| ... } ⇒ Object

  Enumerable methods for safety.

• #present? ⇒ Boolean
• #reveal {|String| ... } ⇒ Object

  Primary API: reveal the decrypted plaintext in a controlled block.

• #size ⇒ Object
• #strip ⇒ Object

  String pattern matching methods.

• #to_a ⇒ Object
• #to_h ⇒ Object

  Hash/Array serialization safety.

• #to_json ⇒ Object

  Prevent exposure in JSON serialization - fail closed for security.

• #to_s ⇒ Object

  Prevent accidental exposure through string conversion and serialization.

• #upcase ⇒ Object

  String methods that should return safe concealed values.

Constructor Details

#initialize(encrypted_data, record, field_type) ⇒ ConcealedString

Create a concealed string wrapper

Parameters:

• encrypted_data (String) —

  The encrypted JSON data

• record (Familia::Horreum) —

  The record instance for context

• field_type (EncryptedFieldType) —

  The field type for decryption

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 50

def initialize(encrypted_data, record, field_type)
  @encrypted_data = encrypted_data.freeze
  @record = record
  @field_type = field_type
  @cleared = false

  # Parse and validate the encrypted data structure
  if @encrypted_data
    begin
      @encrypted_data_obj = Familia::Encryption::EncryptedData.from_json(@encrypted_data)
      # Validate that the encrypted data is decryptable (algorithm supported, etc.)
      @encrypted_data_obj.validate_decryptable!
    rescue Familia::EncryptionError => e
      raise Familia::EncryptionError, e.message
    rescue StandardError => e
      raise Familia::EncryptionError, "Invalid encrypted data: #{e.message}"
    end
  end

  ObjectSpace.define_finalizer(self, self.class.finalizer_proc(@encrypted_data))
end

Class Method Details

.finalizer_proc(encrypted_data) ⇒ Object

Finalizer to attempt memory cleanup

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 294

def self.finalizer_proc(encrypted_data)
  proc do
    # Best effort cleanup - Ruby doesn't guarantee memory security
    # Only clear if not frozen to avoid FrozenError
    encrypted_data.clear if encrypted_data.respond_to?(:clear) && !encrypted_data.frozen?
  end
end

Instance Method Details

#+(_other) ⇒ Object

String concatenation operations return concealed result

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 214

def +(_other)
  '[CONCEALED]'
end

#==(other) ⇒ Object Also known as: eql?

Returns true when it's literally the same object, otherwise false. This prevents timing attacks where an attacker could potentially infer information about the secret value through comparison timing

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 159

def ==(other)
  object_id.equal?(other.object_id) # same object
end

#as_json ⇒ Object

Prevent exposure in Rails serialization (as_json -> to_json)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 289

def as_json(*)
  '[CONCEALED]'
end

#belongs_to_context?(expected_record, expected_field_name) ⇒ Boolean

Validate that this ConcealedString belongs to the given record context

This prevents cross-context attacks where encrypted data is moved between different records or field contexts. While moving ConcealedString objects manually is not a normal use case, this provides defense in depth.

Parameters:

• expected_record (Familia::Horreum) —

  The record that should own this data

• expected_field_name (Symbol) —

  The field name that should own this data

Returns:

• (Boolean) —

  true if contexts match, false otherwise

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 109

def belongs_to_context?(expected_record, expected_field_name)
  return false if @record.nil? || @field_type.nil?

  @record.instance_of?(expected_record.class) &&
    @record.identifier == expected_record.identifier &&
    @field_type.instance_variable_get(:@name) == expected_field_name
end

#blank? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 209

def blank?
  false # Never blank if encrypted data exists
end

#clear! ⇒ Object

Clear the encrypted data from memory

Safe to call multiple times. This provides best-effort memory clearing within Ruby's limitations.

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 134

def clear!
  return if @cleared

  @encrypted_data = nil
  @record = nil
  @field_type = nil
  @cleared = true
  freeze
end

#cleared? ⇒ Boolean

Check if the encrypted data has been cleared

Returns:

• (Boolean) —

  true if cleared, false otherwise

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 148

def cleared?
  @cleared
end

#coerce(other) ⇒ Object

Handle coercion for concatenation like "string" + concealed

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 223

def coerce(other)
  if other.is_a?(String)
    ['[CONCEALED]', '[CONCEALED]']
  else
    [other, '[CONCEALED]']
  end
end

#concat(_other) ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 218

def concat(_other)
  '[CONCEALED]'
end

#context_description ⇒ String

Human-readable description of the record/field context this value was encrypted for. Used to make context-isolation errors actionable by showing the expected context alongside the accessing one.

Returns:

• (String) —

  "Class:field:identifier", or a marker if context was cleared

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 123

def context_description
  return '(context cleared)' if @record.nil? || @field_type.nil?

  "#{@record.class.name}:#{@field_type.name}:#{@record.identifier}"
end

#deconstruct ⇒ Object

Pattern matching safety (Ruby 3.0+)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 275

def deconstruct
  ['[CONCEALED]']
end

#deconstruct_keys ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 279

def deconstruct_keys(*)
  { concealed: true }
end

#downcase ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 193

def downcase
  '[CONCEALED]'
end

#each {|'[CONCEALED]'| ... } ⇒ Object

Yields:

• ('[CONCEALED]')

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 250

def each
  yield '[CONCEALED]' if block_given?
  self
end

#empty? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 152

def empty?
  @encrypted_data.to_s.empty?
end

#encrypted_value ⇒ String^?

Access the encrypted data for database storage

This method is used internally by the field type system for persisting the encrypted data to the database.

Returns:

• (String, nil) —

  The encrypted JSON data

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 171

def encrypted_value
  @encrypted_data
end

#gsub ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 236

def gsub(*)
  '[CONCEALED]'
end

#hash ⇒ Object

Consistent hash to prevent timing attacks

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 270

def hash
  ConcealedString.hash
end

#include?(_substring) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 240

def include?(_substring)
  false # Never reveal substring presence
end

#inspect ⇒ Object

Safe representation for debugging and console output

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 256

def inspect
  '[CONCEALED]'
end

#length ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 197

def length
  11 # Fixed concealed length to match '[CONCEALED]' length
end

#map {|'[CONCEALED]'| ... } ⇒ Object

Enumerable methods for safety

Yields:

• ('[CONCEALED]')

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 245

def map
  yield '[CONCEALED]' if block_given?
  ['[CONCEALED]']
end

#present? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 205

def present?
  true # Always return true since encrypted data exists
end

#reveal {|String| ... } ⇒ Object

Primary API: reveal the decrypted plaintext in a controlled block

This is the ONLY way to access plaintext from encrypted fields. The plaintext is decrypted fresh each time using the current record state and AAD context.

Security Warning: Avoid operations inside the block that create uncontrolled copies of the plaintext (dup, interpolation, etc.)

Example: user.api_token.reveal do |token| HTTP.post('/api', headers: { 'X-Token' => token }) end

Yields:

• (String) —

  The decrypted plaintext value

Returns:

• (Object) —

  The return value of the block

Raises:

• (ArgumentError)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 89

def reveal
  raise ArgumentError, 'Block required for reveal' unless block_given?
  raise SecurityError, 'Encrypted data already cleared' if cleared?
  raise SecurityError, 'No encrypted data to reveal' if @encrypted_data.nil?

  # Decrypt using current record context and AAD
  plaintext = @field_type.decrypt_value(@record, @encrypted_data)
  yield plaintext
end

#size ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 201

def size
  length
end

#strip ⇒ Object

String pattern matching methods

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 232

def strip
  '[CONCEALED]'
end

#to_a ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 265

def to_a
  ['[CONCEALED]']
end

#to_h ⇒ Object

Hash/Array serialization safety

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 261

def to_h
  '[CONCEALED]'
end

#to_json ⇒ Object

Prevent exposure in JSON serialization - fail closed for security

Raises:

• (Familia::SerializerError)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 284

def to_json(*)
  raise Familia::SerializerError, 'ConcealedString cannot be serialized to JSON'
end

#to_s ⇒ Object

Prevent accidental exposure through string conversion and serialization

Ruby has two string conversion methods with different purposes:

• to_s: explicit conversion (obj.to_s, string interpolation "#{obj}")
• to_str: implicit coercion (File.read(obj), "prefix" + obj)

We implement to_s for safe logging/debugging but deliberately omit to_str to prevent encrypted data from being used where strings are expected.

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 184

def to_s
  '[CONCEALED]'
end

#upcase ⇒ Object

String methods that should return safe concealed values

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 189

def upcase
  '[CONCEALED]'
end