Class: ConcealedString

Inherits:

Object

• Object
• ConcealedString

Defined in:

lib/familia/features/encrypted_fields/concealed_string.rb

Overview

ConcealedString

A secure wrapper for encrypted field values that prevents accidental plaintext leakage through serialization, logging, or debugging.

Unlike RedactedString (which wraps plaintext), ConcealedString wraps encrypted data and provides controlled decryption through the .reveal API.

Security Model: - Contains encrypted JSON data, never plaintext - Requires explicit .reveal { } for decryption and plaintext access - ALL serialization methods return ‘[CONCEALED]’ to prevent leakage - Maintains encryption context for proper AAD handling - Thread-safe and supports concurrent access

Key Security Features: 1. Universal Serialization Safety - ALL to_* methods protected 2. Debugging Safety - inspect, logging, console output shows [CONCEALED] 3. Exception Safety - never leaks plaintext in error messages 4. Future-proof - any new serialization method automatically safe 5. Memory Clearing - best-effort encrypted data clearing

Critical Design Principles: - Secure by default - no auto-decryption anywhere - Explicit decryption - .reveal required for plaintext access - Comprehensive protection - covers ALL serialization paths - Auditable access - easy to grep for .reveal usage

Example Usage: user = User.new user.secret_data = “sensitive info” # Encrypts and wraps user.secret_data # Returns ConcealedString user.secret_data.reveal { |plain| … } # Explicit decryption user.to_h # Safe - contains [CONCEALED] user.to_json # Safe - contains [CONCEALED]

Class Method Summary

• .finalizer_proc(encrypted_data) ⇒ Object

  Finalizer to attempt memory cleanup.

Instance Method Summary

• #+(_other) ⇒ Object

  String concatenation operations return concealed result.

• #==(other) ⇒ Object (also: #eql?)

  Returns true when it’s literally the same object, otherwise false.

• #as_json ⇒ Object

  Prevent exposure in Rails serialization (as_json -> to_json).

• #belongs_to_context?(expected_record, expected_field_name) ⇒ Boolean

  Validate that this ConcealedString belongs to the given record context.

• #blank? ⇒ Boolean
• #clear! ⇒ Object

  Clear the encrypted data from memory.

• #cleared? ⇒ Boolean

  Check if the encrypted data has been cleared.

• #coerce(other) ⇒ Object

  Handle coercion for concatenation like “string” + concealed.

• #concat(_other) ⇒ Object
• #deconstruct ⇒ Object

  Pattern matching safety (Ruby 3.0+).

• #deconstruct_keys ⇒ Object
• #downcase ⇒ Object
• #each {|'[CONCEALED]'| ... } ⇒ Object
• #empty? ⇒ Boolean
• #encrypted_value ⇒ String^?

  Access the encrypted data for database storage.

• #gsub ⇒ Object
• #hash ⇒ Object

  Consistent hash to prevent timing attacks.

• #include?(_substring) ⇒ Boolean
• #initialize(encrypted_data, record, field_type) ⇒ ConcealedString constructor

  Create a concealed string wrapper.

• #inspect ⇒ Object

  Safe representation for debugging and console output.

• #length ⇒ Object
• #map {|'[CONCEALED]'| ... } ⇒ Object

  Enumerable methods for safety.

• #present? ⇒ Boolean
• #reveal {|String| ... } ⇒ Object

  Primary API: reveal the decrypted plaintext in a controlled block.

• #size ⇒ Object
• #strip ⇒ Object

  String pattern matching methods.

• #to_a ⇒ Object
• #to_h ⇒ Object

  Hash/Array serialization safety.

• #to_json ⇒ Object

  Prevent exposure in JSON serialization.

• #to_s ⇒ Object

  Prevent accidental exposure through string conversion and serialization.

• #upcase ⇒ Object

  String methods that should return safe concealed values.

Constructor Details

#initialize(encrypted_data, record, field_type) ⇒ ConcealedString

Create a concealed string wrapper

Parameters:

• encrypted_data (String) —

  The encrypted JSON data

• record (Familia::Horreum) —

  The record instance for context

• field_type (EncryptedFieldType) —

  The field type for decryption

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 46

def initialize(encrypted_data, record, field_type)
  @encrypted_data = encrypted_data.freeze
  @record = record
  @field_type = field_type
  @cleared = false

  # Parse and validate the encrypted data structure
  if @encrypted_data
    begin
      @encrypted_data_obj = Familia::Encryption::EncryptedData.from_json(@encrypted_data)
      # Validate that the encrypted data is decryptable (algorithm supported, etc.)
      @encrypted_data_obj.validate_decryptable!
    rescue Familia::EncryptionError => e
      raise Familia::EncryptionError, e.message
    rescue StandardError => e
      raise Familia::EncryptionError, "Invalid encrypted data: #{e.message}"
    end
  end

  ObjectSpace.define_finalizer(self, self.class.finalizer_proc(@encrypted_data))
end

Class Method Details

.finalizer_proc(encrypted_data) ⇒ Object

Finalizer to attempt memory cleanup

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 278

def self.finalizer_proc(encrypted_data)
  proc do
    # Best effort cleanup - Ruby doesn't guarantee memory security
    # Only clear if not frozen to avoid FrozenError
    encrypted_data.clear if encrypted_data.respond_to?(:clear) && !encrypted_data.frozen?
  end
end

Instance Method Details

#+(_other) ⇒ Object

String concatenation operations return concealed result

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 198

def +(_other)
  '[CONCEALED]'
end

#==(other) ⇒ Object Also known as: eql?

Returns true when it’s literally the same object, otherwise false. This prevents timing attacks where an attacker could potentially infer information about the secret value through comparison timing

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 143

def ==(other)
  object_id.equal?(other.object_id) # same object
end

#as_json ⇒ Object

Prevent exposure in Rails serialization (as_json -> to_json)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 273

def as_json(*)
  '[CONCEALED]'
end

#belongs_to_context?(expected_record, expected_field_name) ⇒ Boolean

Validate that this ConcealedString belongs to the given record context

This prevents cross-context attacks where encrypted data is moved between different records or field contexts. While moving ConcealedString objects manually is not a normal use case, this provides defense in depth.

Parameters:

• expected_record (Familia::Horreum) —

  The record that should own this data

• expected_field_name (Symbol) —

  The field name that should own this data

Returns:

• (Boolean) —

  true if contexts match, false otherwise

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 105

def belongs_to_context?(expected_record, expected_field_name)
  return false if @record.nil? || @field_type.nil?

  @record.instance_of?(expected_record.class) &&
    @record.identifier == expected_record.identifier &&
    @field_type.instance_variable_get(:@name) == expected_field_name
end

#blank? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 193

def blank?
  false # Never blank if encrypted data exists
end

#clear! ⇒ Object

Clear the encrypted data from memory

Safe to call multiple times. This provides best-effort memory clearing within Ruby’s limitations.

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 118

def clear!
  return if @cleared

  @encrypted_data = nil
  @record = nil
  @field_type = nil
  @cleared = true
  freeze
end

#cleared? ⇒ Boolean

Check if the encrypted data has been cleared

Returns:

• (Boolean) —

  true if cleared, false otherwise

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 132

def cleared?
  @cleared
end

#coerce(other) ⇒ Object

Handle coercion for concatenation like “string” + concealed

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 207

def coerce(other)
  if other.is_a?(String)
    ['[CONCEALED]', '[CONCEALED]']
  else
    [other, '[CONCEALED]']
  end
end

#concat(_other) ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 202

def concat(_other)
  '[CONCEALED]'
end

#deconstruct ⇒ Object

Pattern matching safety (Ruby 3.0+)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 259

def deconstruct
  ['[CONCEALED]']
end

#deconstruct_keys ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 263

def deconstruct_keys(*)
  { concealed: true }
end

#downcase ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 177

def downcase
  '[CONCEALED]'
end

#each {|'[CONCEALED]'| ... } ⇒ Object

Yields:

• ('[CONCEALED]')

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 234

def each
  yield '[CONCEALED]' if block_given?
  self
end

#empty? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 136

def empty?
  @encrypted_data.to_s.empty?
end

#encrypted_value ⇒ String^?

Access the encrypted data for database storage

This method is used internally by the field type system for persisting the encrypted data to the database.

Returns:

• (String, nil) —

  The encrypted JSON data

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 155

def encrypted_value
  @encrypted_data
end

#gsub ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 220

def gsub(*)
  '[CONCEALED]'
end

#hash ⇒ Object

Consistent hash to prevent timing attacks

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 254

def hash
  ConcealedString.hash
end

#include?(_substring) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 224

def include?(_substring)
  false # Never reveal substring presence
end

#inspect ⇒ Object

Safe representation for debugging and console output

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 240

def inspect
  '[CONCEALED]'
end

#length ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 181

def length
  11 # Fixed concealed length to match '[CONCEALED]' length
end

#map {|'[CONCEALED]'| ... } ⇒ Object

Enumerable methods for safety

Yields:

• ('[CONCEALED]')

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 229

def map
  yield '[CONCEALED]' if block_given?
  ['[CONCEALED]']
end

#present? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 189

def present?
  true # Always return true since encrypted data exists
end

#reveal {|String| ... } ⇒ Object

Primary API: reveal the decrypted plaintext in a controlled block

This is the ONLY way to access plaintext from encrypted fields. The plaintext is decrypted fresh each time using the current record state and AAD context.

Security Warning: Avoid operations inside the block that create uncontrolled copies of the plaintext (dup, interpolation, etc.)

Example: user.api_token.reveal do |token| HTTP.post(‘/api’, headers: { ‘X-Token’ => token }) end

Yields:

• (String) —

  The decrypted plaintext value

Returns:

• (Object) —

  The return value of the block

Raises:

• (ArgumentError)

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 85

def reveal
  raise ArgumentError, 'Block required for reveal' unless block_given?
  raise SecurityError, 'Encrypted data already cleared' if cleared?
  raise SecurityError, 'No encrypted data to reveal' if @encrypted_data.nil?

  # Decrypt using current record context and AAD
  plaintext = @field_type.decrypt_value(@record, @encrypted_data)
  yield plaintext
end

#size ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 185

def size
  length
end

#strip ⇒ Object

String pattern matching methods

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 216

def strip
  '[CONCEALED]'
end

#to_a ⇒ Object

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 249

def to_a
  ['[CONCEALED]']
end

#to_h ⇒ Object

Hash/Array serialization safety

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 245

def to_h
  '[CONCEALED]'
end

#to_json ⇒ Object

Prevent exposure in JSON serialization

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 268

def to_json(*)
  '"[CONCEALED]"'
end

#to_s ⇒ Object

Prevent accidental exposure through string conversion and serialization

Ruby has two string conversion methods with different purposes: - to_s: explicit conversion (obj.to_s, string interpolation “#obj”) - to_str: implicit coercion (File.read(obj), “prefix” + obj)

We implement to_s for safe logging/debugging but deliberately omit to_str to prevent encrypted data from being used where strings are expected.

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 168

def to_s
  '[CONCEALED]'
end

#upcase ⇒ Object

String methods that should return safe concealed values

# File 'lib/familia/features/encrypted_fields/concealed_string.rb', line 173

def upcase
  '[CONCEALED]'
end