Batch encryption - handle arrays with only blank values

FundingCircle · Dec 7, 2018 · da08d60 · da08d60
1 parent beda3df
commit da08d60
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 4 deletions.
diff --git a/lib/vault/rails.rb b/lib/vault/rails.rb
@@ -259,15 +259,17 @@ def vault_encrypt(path, key, plaintext, client, convergent)
       def vault_batch_encrypt(path, key, plaintexts, client)
         return [] if plaintexts.empty?
 
+        # Only present values can be encrypted by Vault. Empty values should be returned as they are.
+        non_empty_plaintexts = plaintexts.select { |plaintext| plaintext.present? }
+        return plaintexts if non_empty_plaintexts.empty? # nothing to encrypt
+
         route = File.join(path, 'encrypt', key)
 
         options = {
           convergent_encryption: true,
           derived: true
         }
 
-        # Only present values can be encrypted by Vault. Empty values should be returned as they are.
-        non_empty_plaintexts = plaintexts.select { |plaintext| plaintext.present? }
         batch_input = non_empty_plaintexts.map do |plaintext|
           {
             context: Base64.strict_encode64(Vault::Rails.convergent_encryption_context),
@@ -307,10 +309,12 @@ def vault_decrypt(path, key, ciphertext, client, convergent)
       def vault_batch_decrypt(path, key, ciphertexts, client)
         return [] if ciphertexts.empty?
 
-        route = File.join(path, 'decrypt', key)
-
         # Only present values can be decrypted by Vault. Empty values should be returned as they are.
         non_empty_ciphertexts = ciphertexts.select { |ciphertext| ciphertext.present? }
+        return ciphertexts if non_empty_ciphertexts.empty?
+
+        route = File.join(path, 'decrypt', key)
+
         batch_input = non_empty_ciphertexts.map do |ciphertext|
           {
             context: Base64.strict_encode64(Vault::Rails.convergent_encryption_context),

diff --git a/spec/unit/rails_spec.rb b/spec/unit/rails_spec.rb
@@ -157,6 +157,15 @@
       expect(Vault::Rails.batch_encrypt('path', 'key', ['plaintext1', 'plaintext2'], Vault::Rails.client)).to eq(%w(ciphertext1 ciphertext2))
     end
 
+    context 'with only blank values' do
+      it 'does not make any calls to Vault and just return the plaintexts' do
+        expect(Vault::Rails.client.logical).not_to receive(:write)
+
+        plaintexts = ['', '', nil, '', nil, nil]
+        expect(Vault::Rails.batch_encrypt('path', 'key', plaintexts, Vault::Rails.client)).to eq(plaintexts)
+      end
+    end
+
     context 'with presented blank values' do
       it 'sends the correct parameters to vault client' do
         expected_route = 'path/encrypt/key'
@@ -258,6 +267,16 @@
       expect(Vault::Rails.batch_decrypt('path', 'key', ['ciphertext1', 'ciphertext2'], Vault::Rails.client)).to eq( %w(plaintext1 plaintext2)) # in that order
     end
 
+    context 'with only blank values' do
+      it 'does not make any calls to Vault and just return the ciphertexts' do
+        expect(Vault::Rails.client.logical).not_to receive(:write)
+
+        ciphertexts = ['', '', nil, '', nil, nil]
+
+        expect(Vault::Rails.batch_decrypt('path', 'key', ciphertexts, Vault::Rails.client)).to eq(ciphertexts)
+      end
+    end
+
     context 'with presented blank values' do
       it 'sends the correct parameters to vault client' do
         expected_route = 'path/decrypt/key'