
Working with encrypted data

Open TiuTalk opened this issue 2 years ago • 2 comments

I'm adding audited to a Rails project that uses ActiveRecord Encryption and I'd like to encrypt the Audited::Audit#audited_changes column so no PII is stored as plain text in the audit trail.

I tried creating a custom Audit model for this, but it didn't work:

# config/initializers/audited.rb
Audited.config do |config|
  config.audit_class = CustomAudit
end

# app/model/custom_audit.rb
class CustomAudit < Audited::Audit
  encrypts :audited_changes
end

While trying to update a model I got validation errors saying "audits is invalid".

Do you guys have any recommendations or plans to work with AR encryption in the future?

TiuTalk avatar Aug 19 '22 20:08 TiuTalk

Here is some more information about the issue and what happened:

The record could not be updated/created because the Audit object was invalid, here is an example of the audit that tried to be saved:

#<CustomAudit:0x00007fe4c5b531f8
  id: nil,
  auditable_id: "fe0186ee-46b2-470e-9055-c8a94bed6f2f",
  auditable_type: "User",
  associated_id: nil,
  associated_type: nil,
  user_id: nil,
  user_type: nil,
  username: nil,
  action: "update",
  audited_changes: {"name"=>["Teste 2", "test"], "encrypted_password"=>[nil, nil]},
  version: 0,
  comment: nil,
  remote_address: nil,
  request_uuid: nil,
  created_at: nil>

And here is the list of errors from this object:

#<ActiveModel::Errors [
	#<ActiveModel::Error attribute=user, type=blank, options={:message=>:required}>,
	#<ActiveModel::Error attribute=associated, type=blank, options={:message=>:required}>
]>

Not sure what caused the requirement of user and associated to kick in and fail with a simple update from the console.

From what I can tell, this is caused by the belongs_to :user and belongs_to :associated not having optional: true.

TiuTalk avatar Aug 19 '22 21:08 TiuTalk

This is definitely caused by the belongs_to user/associated being required by default in recent Rails versions.

I can get it working if I do this, which I don't feel is a good idea:

class CustomAudit < Audited::Audit
  clear_validators!
  encrypts :audited_changes
end

TiuTalk avatar Aug 19 '22 21:08 TiuTalk

May I ask if you're using

require "audited/audit"

anywhere in your application? Especially outside of on_load hooks?

From what I can tell, the Audit class (and subclasses) should have these validations, but due to the way the model is loaded, they aren't initialized? This was noted in #375. I caught this in a project I'm working on because it does that require separately in order to patch the class, which after this change, causes the validations to be added.

In either case, really seems like user and especially associated should be marked optional: true.

macowie avatar Dec 27 '22 23:12 macowie

In either case, really seems like user and especially associated should be marked optional: true.

Any chance of making this happen? It looks like a must-have change for all Rails apps with the active_record.belongs_to_required_by_default = true config. Right now it only works by coincidence with the logic of how Rails enables this validation.

gsmetal avatar Feb 08 '23 10:02 gsmetal
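A version of the workaround from the thread that keeps the gem's other validations instead of calling clear_validators!, as an added example (not code from the thread, from audited, or from Rails). It assumes Rails 7 ActiveRecord Encryption is already configured with keys, that Audited::Audit declares user and associated as polymorphic belongs_to associations, and that the subclass lives at the conventional app/models path:

```ruby
# app/models/custom_audit.rb (hypothetical path for this example)
class CustomAudit < Audited::Audit
  # Re-declare the two associations as optional rather than wiping every
  # validator: the "user is required" / "associated is required" errors
  # come from belongs_to_required_by_default, not from audited itself.
  belongs_to :user, polymorphic: true, optional: true
  belongs_to :associated, polymorphic: true, optional: true

  # Encrypt the change set at rest. Declared after the parent's serialize
  # call so ActiveRecord Encryption wraps the serialized attribute type,
  # and the PII in audited_changes is stored as ciphertext.
  encrypts :audited_changes
end

# config/application.rb (only while existing plaintext audit rows remain;
# remove once old rows have been re-encrypted, otherwise unencrypted
# values keep being accepted on read)
# config.active_record.encryption.support_unencrypted_data = true
```

Audit rows written before the change are still plaintext, so treat re-encrypting or purging them as part of the rollout rather than assuming the trail is now clean.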