Release 0.3.2

Author: script3r

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.3.1
+current_version = 0.3.2
 commit = True
 tag = True
 

CHANGELOG.md

@@ -13,6 +13,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Performance benchmarks section
 - Security best practices guide
 
+## [0.3.2] - 2025-12-27
+
+### Added
+- Encrypted counterparts for common Django fields (JSON, UUID, Decimal, Boolean, URL, Slug, Float, PositiveInteger)
+- Deterministic UUID and Boolean field support
+- Example Django integration project and extended tests for new fields
+
+### Changed
+- JSON field encryption now preserves structured payloads on round-trip
+- Improved README clarity around easy Django field encryption
+
+## [0.3.1] - 2025-12-27
+
+### Added
+- Cached keyset handles to reduce repeated keyset file reads
+- Example Django project with integration tests covering ciphertext and tamper detection
+
+### Changed
+- Registered Tink primitives during direct field module imports
+- Prepared deterministic lookup values before encryption for better consistency
+- Updated dependency minimums to current releases
+
+### Removed
+- Retired legacy CHANGES.md in favor of this changelog
+
 ## [0.3.0] - 2024-12-19
 
 ### Added

CHANGES.md

@@ -7,7 +7,9 @@
 [![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
 [![Tests](https://github.com/script3r/django-tink-fields/workflows/Tests/badge.svg)](https://github.com/script3r/django-tink-fields/actions)
 
-**Django Tink Fields** provides encrypted Django model fields using [Google Tink](https://developers.google.com/tink) cryptographic library. This package offers field-level encryption for Django models with strong security guarantees and easy integration.
+**Django Tink Fields** is a simple, production-ready way to encrypt Django model fields using the [Google Tink](https://developers.google.com/tink) cryptographic library. It offers drop-in encrypted field types for Django models, so you can protect sensitive data with minimal code changes.
+
+Keywords: Django field encryption, encrypted model fields, Google Tink, AEAD, deterministic encryption.
 
 ## ✨ Features
 
@@ -75,9 +77,31 @@ class UserProfile(models.Model):
 | `EncryptedCharField` | `CharField` | Encrypted character field |
 | `EncryptedTextField` | `TextField` | Encrypted text field |
 | `EncryptedEmailField` | `EmailField` | Encrypted email field |
+| `EncryptedBooleanField` | `BooleanField` | Encrypted boolean field |
 | `EncryptedIntegerField` | `IntegerField` | Encrypted integer field |
+| `EncryptedPositiveIntegerField` | `PositiveIntegerField` | Encrypted positive integer field |
+| `EncryptedFloatField` | `FloatField` | Encrypted float field |
+| `EncryptedDecimalField` | `DecimalField` | Encrypted decimal field |
+| `EncryptedUUIDField` | `UUIDField` | Encrypted UUID field |
+| `EncryptedJSONField` | `JSONField` | Encrypted JSON field |
+| `EncryptedURLField` | `URLField` | Encrypted URL field |
+| `EncryptedSlugField` | `SlugField` | Encrypted slug field |
 | `EncryptedDateField` | `DateField` | Encrypted date field |
 | `EncryptedDateTimeField` | `DateTimeField` | Encrypted datetime field |
+| `EncryptedBinaryField` | `BinaryField` | Encrypted binary field |
+
+### Deterministic Field Types
+
+| Field Type | Django Equivalent | Description |
+|------------|-------------------|-------------|
+| `DeterministicEncryptedTextField` | `TextField` | Deterministic encrypted text field |
+| `DeterministicEncryptedCharField` | `CharField` | Deterministic encrypted character field |
+| `DeterministicEncryptedEmailField` | `EmailField` | Deterministic encrypted email field |
+| `DeterministicEncryptedIntegerField` | `IntegerField` | Deterministic encrypted integer field |
+| `DeterministicEncryptedUUIDField` | `UUIDField` | Deterministic encrypted UUID field |
+| `DeterministicEncryptedBooleanField` | `BooleanField` | Deterministic encrypted boolean field |
+| `DeterministicEncryptedDateField` | `DateField` | Deterministic encrypted date field |
+| `DeterministicEncryptedDateTimeField` | `DateTimeField` | Deterministic encrypted datetime field |
 
 ### Configuration Options
 
@@ -234,6 +258,16 @@ pytest tink_fields/test/test_fields.py  # Basic functionality
 pytest tink_fields/test/test_coverage.py  # Edge cases
 ```
 
+### Integration Test Harness
+
+This repo ships a minimal Django project under `example_project/` that exercises
+real model usage and verifies ciphertext at rest, tamper detection, deterministic
+lookups, and AAD behavior:
+
+```bash
+pytest -c example_project/pytest.ini example_project/example_app/tests
+```
+
 ## 🛠️ Development
 
 ### Setup Development Environment
@@ -307,7 +341,7 @@ We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) f
 
 ## 📝 Changelog
 
-### v0.3.0 (Latest)
+### v0.3.2 (Latest)
 - ✨ Modernized codebase with Python 3.10+ support
 - 🔧 Updated dependencies to latest versions
 - 📊 Improved test coverage to 97%+
@@ -320,7 +354,7 @@ We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) f
 
 ## 📄 License
 
-This project is licensed under the BSD License - see the [LICENSE](LICENSE) file for details.
+This project is licensed under the BSD License - see the [LICENSE.txt](LICENSE.txt) file for details.
 
 ## 🙏 Acknowledgments
 
@@ -336,4 +370,4 @@ This project is licensed under the BSD License - see the [LICENSE](LICENSE) file
 
 ---
 
-**Made with ❤️ for the Django community**
+**Made with ❤️ for the Django community**

README.md

@@ -1 +1 @@
-0.3.1
+0.3.2

VERSION

@@ -0,0 +1 @@
+"""Example app for integration testing."""

example_project/example_app/__init__.py

@@ -0,0 +1,6 @@
+from django.apps import AppConfig
+
+
+class ExampleAppConfig(AppConfig):
+    default_auto_field = "django.db.models.AutoField"
+    name = "example_app"

example_project/example_app/apps.py

@@ -0,0 +1,59 @@
+from django.db import models
+from django.utils.encoding import force_bytes
+
+from tink_fields import (
+    DeterministicEncryptedEmailField,
+    DeterministicEncryptedIntegerField,
+    DeterministicEncryptedTextField,
+    DeterministicEncryptedUUIDField,
+    EncryptedBooleanField,
+    EncryptedBinaryField,
+    EncryptedCharField,
+    EncryptedDateField,
+    EncryptedDateTimeField,
+    EncryptedDecimalField,
+    EncryptedEmailField,
+    EncryptedFloatField,
+    EncryptedIntegerField,
+    EncryptedJSONField,
+    EncryptedTextField,
+    EncryptedURLField,
+    EncryptedUUIDField,
+)
+
+
+def aad_for_field(field: models.Field) -> bytes:
+    return force_bytes(f"{field.model._meta.label}:{field.name}")
+
+
+class EncryptedSample(models.Model):
+    name = EncryptedCharField(max_length=50)
+    bio = EncryptedTextField()
+    email = EncryptedEmailField()
+    count = EncryptedIntegerField()
+    birth_date = EncryptedDateField()
+    created_at = EncryptedDateTimeField()
+    payload = EncryptedBinaryField(null=True)
+
+
+class EncryptedWithAad(models.Model):
+    secret = EncryptedCharField(max_length=50, aad_callback=aad_for_field)
+
+
+class DeterministicSample(models.Model):
+    keyword = DeterministicEncryptedTextField(keyset="deterministic")
+    email = DeterministicEncryptedEmailField(keyset="deterministic")
+    count = DeterministicEncryptedIntegerField(keyset="deterministic")
+
+
+class ExtendedEncryptedSample(models.Model):
+    flag = EncryptedBooleanField()
+    ratio = EncryptedFloatField()
+    amount = EncryptedDecimalField(max_digits=8, decimal_places=2)
+    token = EncryptedUUIDField()
+    payload = EncryptedJSONField()
+    url = EncryptedURLField()
+
+
+class DeterministicExtendedSample(models.Model):
+    token = DeterministicEncryptedUUIDField(keyset="deterministic")

example_project/example_app/models.py

@@ -0,0 +1 @@
+"""Integration tests for the example Django project."""

example_project/example_app/tests/__init__.py

@@ -0,0 +1,141 @@
+from datetime import date, datetime
+from decimal import Decimal
+from uuid import uuid4
+
+from django.db import connection
+from django.utils.encoding import force_bytes
+
+import pytest
+
+from example_app import models
+
+
+def _fetch_raw_bytes(model_cls, field_name, pk):
+    with connection.cursor() as cursor:
+        cursor.execute(
+            f"SELECT {field_name} FROM {model_cls._meta.db_table} WHERE id = %s",
+            [pk],
+        )
+        value = cursor.fetchone()[0]
+    return bytes(value)
+
+
+def _update_raw_bytes(model_cls, field_name, pk, raw_bytes):
+    with connection.cursor() as cursor:
+        cursor.execute(
+            f"UPDATE {model_cls._meta.db_table} SET {field_name} = %s WHERE id = %s",
+            [raw_bytes, pk],
+        )
+
+
+@pytest.mark.django_db
+def test_round_trip_and_ciphertext_at_rest():
+    payload = b"binary payload \x00\x01\x02"
+    instance = models.EncryptedSample.objects.create(
+        name="Alice",
+        bio="Encrypted bio",
+        email="[email protected]",
+        count=42,
+        birth_date=date(1990, 1, 1),
+        created_at=datetime(2024, 1, 1, 12, 0, 0),
+        payload=payload,
+    )
+    instance.refresh_from_db()
+
+    assert instance.name == "Alice"
+    assert instance.bio == "Encrypted bio"
+    assert instance.email == "[email protected]"
+    assert instance.count == 42
+    assert instance.birth_date == date(1990, 1, 1)
+    assert instance.created_at == datetime(2024, 1, 1, 12, 0, 0)
+    assert instance.payload == payload
+
+    raw_name = _fetch_raw_bytes(models.EncryptedSample, "name", instance.id)
+    raw_payload = _fetch_raw_bytes(models.EncryptedSample, "payload", instance.id)
+    assert raw_name != force_bytes("Alice")
+    assert raw_payload != payload
+
+
+@pytest.mark.django_db
+def test_tamper_detection():
+    instance = models.EncryptedSample.objects.create(
+        name="Tamper",
+        bio="Test",
+        email="[email protected]",
+        count=7,
+        birth_date=date(2000, 2, 2),
+        created_at=datetime(2024, 2, 2, 10, 0, 0),
+    )
+    raw_name = _fetch_raw_bytes(models.EncryptedSample, "name", instance.id)
+    tampered = bytearray(raw_name)
+    tampered[0] = (tampered[0] + 1) % 256
+    _update_raw_bytes(models.EncryptedSample, "name", instance.id, bytes(tampered))
+
+    with pytest.raises(Exception):
+        instance.refresh_from_db()
+
+
+@pytest.mark.django_db
+def test_deterministic_ciphertext_and_lookup():
+    first = models.DeterministicSample.objects.create(
+        keyword="repeat",
+        email="[email protected]",
+        count=5,
+    )
+    second = models.DeterministicSample.objects.create(
+        keyword="repeat",
+        email="[email protected]",
+        count=5,
+    )
+    raw_first = _fetch_raw_bytes(models.DeterministicSample, "keyword", first.id)
+    raw_second = _fetch_raw_bytes(models.DeterministicSample, "keyword", second.id)
+    assert raw_first == raw_second
+
+    matches = models.DeterministicSample.objects.filter(keyword="repeat")
+    assert matches.count() == 2
+
+
+@pytest.mark.django_db
+def test_aad_enforced():
+    instance = models.EncryptedWithAad.objects.create(secret="aad-secret")
+    raw_secret = _fetch_raw_bytes(models.EncryptedWithAad, "secret", instance.id)
+
+    field = models.EncryptedWithAad._meta.get_field("secret")
+    with pytest.raises(Exception):
+        field._keyset_manager.aead_primitive.decrypt(raw_secret, b"wrong-aad")
+
+
+@pytest.mark.django_db
+def test_extended_fields_round_trip():
+    token = uuid4()
+    payload = {"alpha": 1, "beta": {"gamma": "delta"}, "items": [1, 2, 3]}
+    instance = models.ExtendedEncryptedSample.objects.create(
+        flag=True,
+        ratio=3.14,
+        amount=Decimal("1234.50"),
+        token=token,
+        payload=payload,
+        url="https://example.com/alpha",
+    )
+    instance.refresh_from_db()
+
+    assert instance.flag is True
+    assert instance.ratio == 3.14
+    assert instance.amount == Decimal("1234.50")
+    assert instance.token == token
+    assert instance.payload == payload
+    assert instance.url == "https://example.com/alpha"
+
+    raw_payload = _fetch_raw_bytes(models.ExtendedEncryptedSample, "payload", instance.id)
+    assert raw_payload != force_bytes(payload)
+
+
+@pytest.mark.django_db
+def test_deterministic_uuid_ciphertext():
+    token = uuid4()
+    first = models.DeterministicExtendedSample.objects.create(token=token)
+    second = models.DeterministicExtendedSample.objects.create(token=token)
+
+    raw_first = _fetch_raw_bytes(models.DeterministicExtendedSample, "token", first.id)
+    raw_second = _fetch_raw_bytes(models.DeterministicExtendedSample, "token", second.id)
+    assert raw_first == raw_second