BREAKING CHANGES
- Set minimum Ruby version to 3.2 (Ruby 3.1 reaches EOL March 31, 2025)
- Set minimum Rails version to 7.0 (Rails 6.1 and earlier are EOL)
- Updated vault-ruby dependency from ~> 0.19 to ~> 0.20
IMPROVEMENTS
- Restored Rails version matrix testing in CI (was accidentally dropped during CircleCI to GitHub Actions migration)
- Updated CI to test currently supported Rails versions: 7.2, 8.0, 8.1
- Updated CI to test Ruby versions: 3.2, 3.3, 3.4, 4.0
- Updated CI to test currently supported Vault versions: 1.16.3 (LTS), 1.19.5 (LTS), 1.20.4, 1.21.2
- Changed default Rails version in Gemfile from 6.0.0 to 7.2.0
- Updated sqlite3 dependency from ~> 1.3.6 to >= 1.4 for Rails 7+ compatibility
BREAKING CHANGES
- Set minimum Ruby version to 3.1. All EOL Ruby versions are no longer supported.
IMPROVEMENTS
- Updated the vault dependency to ~> 0.19, which includes upgraded net-http-persistent and connection_pool dependencies, improved connection handling, and Ruby 3.4 compatibility.
- Added Ruby 3.2 and 3.4 to CI matrix; removed EOL Ruby versions 2.7 and 3.0.
- Updated Vault versions in CI matrix to 1.16, 1.19, 1.20, and 1.21.
IMPROVEMENTS
- Added vault_encrypt_attributes! model method, which allows callers to encrypt vault attributes without saving the model
IMPROVEMENTS
- Updated the vault dependency to v0.18.0 to support TLS v1.3.
IMPROVEMENTS
- Added Vault::MissingRequiredStateError to the list of error types to be retried automatically in with_retries and updated the vault gem minimum version requirement accordingly
- Relaxed the dependency requirements for the gem to only depend on ActiveSupport, not the Rails meta gem, which allows applications using vault-rails to not require all of Rails as necessary transitive dependencies.
IMPROVEMENTS
- Added support for the Vault Enterprise transform secrets engine, extending 'vault_attribute' with a 'transform_secret' hash that allows for format-preserving encryption [GH-102]
BUG FIXES
- Fixed an issue in newer versions of ActiveRecord where you could not access an encrypted attribute after a 'destroy' (for instance, as part of a dependent: :destroy chain). As a result, attributes are now decrypted before a destroy.
- Fixed a regression where attributes being assigned to nil would not be respected [GH-107]
BREAKING CHANGES
- Dropped support for Rails 4.2 [GH-108]
IMPROVEMENTS
- Added support for Rails 5.2+ (including 6.0+)
- Added ciphertext prefixes in development/test environments to more closely resemble production environments
- Added single-decrypt functionality to allow clients to request individual attributes rather than exposing an entire model with one call
BREAKING CHANGES
- Ciphertext prefixes may break development environments for some users. If this occurs, a restart may fix the issue. Feel free to let the maintainers know if this is not the case.
IMPROVEMENTS
- Added support for Vault Transit derived keys with the :context option. [GH-78]
- Added a :default option to vault_attribute. [GH-83]
BREAKING CHANGES
- Dropped support for Ruby < 2.4, Rails < 4.2. [GH-79]
- Null and empty types were previously deserialized to an empty JSON object ({}). They will now be properly deserialized as null, empty string (""), and so on. To preserve the old behavior, add default: {} to JSON-serialized attributes. [GH-81]
BUG FIXES
- Fixed uniqueness of generated key for in-memory operations. [GH-80]
- Update supported Ruby and Rails versions [GH-50]
  - Ruby
    - Added 2.4.2
    - Dropped 2.1
    - Updated 2.2.x and 2.3.x families to 2.2.8 and 2.3.5 respectively
  - Rails
    - Restricted supported version to < 5.1
IMPROVEMENTS
- Added configuration setting for controlling appearance of warning messages about in-memory ciphers [GH-45]
vault-rails is licensed under Mozilla Public License 2.0, and has been for over 2 years. This patch release updates the gemspec to use the correct SPDX ID string for reporting this license, but no change to the licensing of this gem has occurred. [GH-48]
IMPROVEMENTS
- Add ability to lazy decrypt attributes [GH-41]
IMPROVEMENTS
- Add support for Rails 5 and a better testing matrix
BUG FIXES
- Use a pre-configured client to ensure options are inherited from the default client
BREAKING CHANGES
- The API for configuration now lives under Vault::Rails instead of Vault. Existing users will need to update their configuration as follows:

      - Vault.configure do |config|
      + Vault::Rails.configure do |config|

- Remove testing mode and use an in-memory vault store in development and test instead, with the option to disable
- Load from Vault during initialize and save instead of on each change. This is not necessarily a "breaking" change, but users who were depending on the previous behavior of always making a call to Vault when setting attributes will experience a break. However, the new approach significantly reduces the load on the Vault cluster.
IMPROVEMENTS
- Allow specifying custom serialization options
- Add dirty tracking for Active Record models
- Unset instance variables when reload is called for ActiveRecord models
- Fix issues that would occur when using multiple threads
- Add support for retries
BUG FIXES
- Update documentation to better describe configuration options
- Update documentation around advanced configuration options
- Update documentation to include example Vault policies for the transit backend
- Do not attempt to read back a secret after writing to the logical backend
- Increase test coverage
- Force character encodings
- Do not automatically mount or create keys (security issue, see README for more information)
- Add testing harness
- Lazy-connect to Vault - this fixes a bug which would require users to run a local Vault installation just to get the Rails application to boot.
- Initial release