diff --git a/app/services/encryption_service.rb b/app/services/encryption_service.rb new file mode 100644 index 000000000..448ddcc7a --- /dev/null +++ b/app/services/encryption_service.rb @@ -0,0 +1,17 @@ +class EncryptionService + def initialize + len = ActiveSupport::MessageEncryptor.key_len + salt = Rails.application.secrets.encryption_service_salt + password = Rails.application.secrets.secret_key_base + key = ActiveSupport::KeyGenerator.new(password).generate_key(salt, len) + @encryptor = ActiveSupport::MessageEncryptor.new(key) + end + + def encrypt(value) + value.blank? ? nil : @encryptor.encrypt_and_sign(value) + end + + def decrypt(value) + value.blank? ? nil : @encryptor.decrypt_and_verify(value) + end +end diff --git a/config/env.example b/config/env.example index 17e3d081d..48266c857 100644 --- a/config/env.example +++ b/config/env.example @@ -112,3 +112,6 @@ API_EDUCATION_URL="https://data.education.gouv.fr/api/records/1.0" # Modifier le nb de tentatives de relance de job si echec # MAX_ATTEMPTS_JOBS=25 # MAX_ATTEMPTS_API_ENTREPRISE_JOBS=5 + +# Clé de chriffrement des données sensibles en base +ENCRYPTION_SERVICE_SALT="" diff --git a/config/secrets.yml b/config/secrets.yml index 2440c6d6c..1199d404a 100644 --- a/config/secrets.yml +++ b/config/secrets.yml @@ -11,6 +11,7 @@ # if you're sharing your code publicly. defaults: &defaults secret_key_base: <%= ENV["SECRET_KEY_BASE"] %> + encryption_service_salt: <%= ENV["ENCRYPTION_SERVICE_SALT"] %> signing_key: <%= ENV["SIGNING_KEY"] %> otp_secret_key: <%= ENV["OTP_SECRET_KEY"] %> basic_auth: @@ -75,6 +76,7 @@ development: test: <<: *defaults secret_key_base: aa52abc3f3a629d04a61e9899a24c12f52b24c679cbf45f8ec0cdcc64ab9526d673adca84212882dff3911ac98e0c32ec4729ca7b3429ba18ef4dfd1bd18bc7a + encryption_service_salt: QUDyMoXyw2YXU8pHnpts3w9MyMpsMQ6BgP62obgCf7PQv signing_key: aef3153a9829fa4ba10acb02927ac855df6b92795b1ad265d654443c4b14a017 otp_secret_key: 78ddda3679dc0ba2c99f50bcff04f49d862358dbeb7ead50368fdd6de14392be884ee10a204a0375b4b382e1a842fafe40d7858b7ab4796ec3a67c518d31112b api_entreprise: diff --git a/spec/services/encryption_service_spec.rb b/spec/services/encryption_service_spec.rb new file mode 100644 index 000000000..dc13b8fd2 --- /dev/null +++ b/spec/services/encryption_service_spec.rb @@ -0,0 +1,42 @@ +describe EncryptionService do + describe "#encrypt" do + subject { EncryptionService.new.encrypt(value) } + + context "with a nil value" do + let(:value) { nil } + + it { expect(subject).to be_nil } + end + + context "with a string value" do + let(:value) { "The quick brown fox jumps over the lazy dog" } + + it { expect(subject).to be_instance_of(String) } + it { expect(subject).to be_present } + it { expect(subject).not_to eq(value) } + end + end + + describe "#decrypt" do + subject { EncryptionService.new.decrypt(encrypted_value) } + + context "with a nil value" do + let(:encrypted_value) { nil } + + it { expect(subject).to be_nil } + end + + context "with a string value" do + let (:value) { "The quick brown fox jumps over the lazy dog" } + let(:encrypted_value) { EncryptionService.new.encrypt(value) } + + it { expect(subject).to eq(value) } + end + + context "with an invalid value" do + let(:encrypted_value) { "Gur dhvpx oebja sbk whzcf bire gur ynml qbt" } + + it { expect { subject }.to raise_exception StandardError } + end + end +end