Remove memoization of key provider

jhawthorn · kstevens715 · jhawthorn · commit 48856482c890 · 2024-02-08T14:47:25.000-08:00
This is necessary to allow key_provider to be changed dynamically using
with_encryption_context.

Co-authored-by: Kyle Stevens &lt;kstevens715@gmail.com&gt;
diff --git a/activerecord/lib/active_record/encryption/encrypted_attribute_type.rb b/activerecord/lib/active_record/encryption/encrypted_attribute_type.rb
@@ -140,11 +140,11 @@ def encryptor
         end
 
         def encryption_options
-          @encryption_options ||= { key_provider: key_provider, cipher_options: { deterministic: deterministic? } }.compact
+          { key_provider: key_provider, cipher_options: { deterministic: deterministic? } }.compact
         end
 
         def decryption_options
-          @decryption_options ||= { key_provider: key_provider }.compact
+          { key_provider: key_provider }.compact
         end
 
         def clean_text_scheme
diff --git a/activerecord/lib/active_record/encryption/scheme.rb b/activerecord/lib/active_record/encryption/scheme.rb
@@ -50,7 +50,7 @@ def fixed?
       end
 
       def key_provider
-        @key_provider ||= @key_provider_param || build_key_provider || default_key_provider
+        @key_provider_param || build_key_provider || default_key_provider
       end
 
       def merge(other_scheme)
diff --git a/activerecord/test/cases/encryption/encryptable_record_test.rb b/activerecord/test/cases/encryption/encryptable_record_test.rb
@@ -33,6 +33,51 @@ class ActiveRecord::Encryption::EncryptableRecordTest < ActiveRecord::Encryption
     assert_invalid_key_cant_read_attribute(post, :body)
   end
 
+  test "swapping key_providers via with_encryption_context" do
+    key_provider1 = ActiveRecord::Encryption::DerivedSecretKeyProvider.new(SecureRandom.base64(32))
+    key_provider2 = ActiveRecord::Encryption::DerivedSecretKeyProvider.new(SecureRandom.base64(32))
+
+    post1 = post2 = nil
+
+    ActiveRecord::Encryption.with_encryption_context key_provider: key_provider1 do
+      post1 = EncryptedPost.create!(title: "post1!", body: "first post!")
+    end
+
+    ActiveRecord::Encryption.with_encryption_context key_provider: key_provider2 do
+      post2 = EncryptedPost.create!(title: "post2!", body: "second post!")
+    end
+
+    post1.reload
+    assert_raises ActiveRecord::Encryption::Errors::Decryption do
+      post1.title
+    end
+
+    post2.reload
+    assert_raises ActiveRecord::Encryption::Errors::Decryption do
+      post2.title
+    end
+
+    ActiveRecord::Encryption.with_encryption_context key_provider: key_provider1 do
+      post1.reload
+      assert_equal "post1!", post1.title
+
+      post2.reload
+      assert_raises ActiveRecord::Encryption::Errors::Decryption do
+        post2.title
+      end
+    end
+
+    ActiveRecord::Encryption.with_encryption_context key_provider: key_provider2 do
+      post2.reload
+      assert_equal "post2!", post2.title
+
+      post1.reload
+      assert_raises ActiveRecord::Encryption::Errors::Decryption do
+        post1.title
+      end
+    end
+  end
+
   test "ignores nil values" do
     assert_nil EncryptedBook.create!(name: nil).name
   end
