From eb88c5e9de155579864d951e2d262683c33a26f8 Mon Sep 17 00:00:00 2001
From: Colin Darie
Date: Tue, 2 May 2023 14:48:58 +0200
Subject: [PATCH] chore: setup active record encryption from secrets
---
config/application.rb | 5 +++--
config/env.example | 4 ++++
config/secrets.yml | 6 ++++++
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/config/application.rb b/config/application.rb
index 527956cfc..cf264ec08 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -98,8 +98,9 @@ module TPS
 html_tag.html_safe # this is generated by rails
 end
 # rubocop:enable Rails/OutputSafety
+ #
- config.active_record.encryption.key_derivation_salt = Rails.application.secrets.encryption_service_salt
- config.active_record.encryption.primary_key = Rails.application.secrets.otp_secret_key
+ config.active_record.encryption.primary_key = Rails.application.secrets.active_record_encryption.fetch(:primary_key)
+ config.active_record.encryption.key_derivation_salt = Rails.application.secrets.active_record_encryption.fetch(:key_derivation_salt)
 end
 end
diff --git a/config/env.example b/config/env.example
index 978dfd183..a3624b572 100644
--- a/config/env.example
+++ b/config/env.example
@@ -142,6 +142,10 @@ API_EDUCATION_URL="https://data.education.gouv.fr/api/records/1.0"
 # Encryption key for sensitive columns in the database
 ENCRYPTION_SERVICE_SALT=""
+# ActiveRecord encryption keys. Generate them with bin/rails db:encryption:init (you can omit deterministic_key)
+AR_ENCRYPTION_PRIMARY_KEY=""
+AR_ENCRYPTION_KEY_DERIVATION_SALT=""
+
 # Salt for invisible_captcha session data.
 # Must be the same value for all app instances behind a load-balancer.
 INVISIBLE_CAPTCHA_SECRET="kikooloool"
diff --git a/config/secrets.yml b/config/secrets.yml
index 286874072..cf527bafe 100644
--- a/config/secrets.yml
+++ b/config/secrets.yml
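Review bot: The two new `fetch(:primary_key)` / `fetch(:key_derivation_salt)` lines do not fail fast when the env vars are unset, because secrets.yml renders `primary_key: <%= ENV["AR_ENCRYPTION_PRIMARY_KEY"] %>` to a key that is present with a nil value (the same happens with the empty strings in env.example), so `fetch` returns nil instead of raising KeyError and whether Rails then errors at boot or only on the first encrypt/decrypt is not visible here. Add an explicit guard before the two assignments, e.g. `raise "AR_ENCRYPTION_PRIMARY_KEY and AR_ENCRYPTION_KEY_DERIVATION_SALT must be set" if Rails.application.secrets.active_record_encryption.values_at(:primary_key, :key_derivation_salt).any?(&:blank?)`. The removed lines show the primary key used to be `otp_secret_key` and the salt `encryption_service_salt`; if any column was already encrypted under that pair (not visible in this diff), those values must be listed in `config.active_record.encryption.previous`, otherwise existing ciphertext becomes undecryptable once this ships. The lone added `#` line looks like a leftover empty comment and can be dropped. The enclosing `module TPS` configuration block starts outside the hunk.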
@@ -13,6 +13,9 @@ defaults: &defaults
 secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
 encryption_service_salt: <%= ENV["ENCRYPTION_SERVICE_SALT"] %>
 otp_secret_key: <%= ENV["OTP_SECRET_KEY"] %>
+ active_record_encryption:
+ primary_key: <%= ENV["AR_ENCRYPTION_PRIMARY_KEY"] %>
+ key_derivation_salt: <%= ENV["AR_ENCRYPTION_KEY_DERIVATION_SALT"] %>
 basic_auth:
 username: <%= ENV['BASIC_AUTH_USERNAME'] %>
 password: <%= ENV['BASIC_AUTH_PASSWORD'] %>
@@ -103,6 +106,9 @@ test:
 secret_key_base: aa52abc3f3a629d04a61e9899a24c12f52b24c679cbf45f8ec0cdcc64ab9526d673adca84212882dff3911ac98e0c32ec4729ca7b3429ba18ef4dfd1bd18bc7a # ggignore
 encryption_service_salt: QUDyMoXyw2YXU8pHnpts3w9MyMpsMQ6BgP62obgCf7PQv # ggignore
 otp_secret_key: 78ddda3679dc0ba2c99f50bcff04f49d862358dbeb7ead50368fdd6de14392be884ee10a204a0375b4b382e1a842fafe40d7858b7ab4796ec3a67c518d31112b # ggignore
+ active_record_encryption:
+ primary_key: test-RgUyzplf0kehB5fyZpmCd37uvgb # ggignore
+ key_derivation_salt: test-yyMmzM9cTSD1rs3Fq3hwt3hMNg4 # ggignore
 api_entreprise:
 key: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik9oIHllYWgiLCJpYXQiOjE1MTYyMzkwMjJ9.f06sBo3q2Yxnw_TYPFUEs0CozBmcV-XniH_DeKNWzKE" # ggignore
 pipedrive: