Use audited fork that allows reading encrypted attrs

Audited automatically replaces entries in the `audited_changes` field on audits with `[FILTERED]` for attributes that are encrypted. This is designed to prevent leaking of sensitive information in `audited_changes` which is an unencrypted field. The downside to this is that the `audited_changes` field now provides less information about what the audit actually changed. To solve this, collectiveidea/audited#694 adds additional configuration attributes: - `Audited.filter_encrypted_attributes = false` disables the automatic replacement with `[FILTERED]` - `Audited.encrypt_audited_changes = true` encrypts the actual entire `audited_changes` field, ensuring that sensitive information isn't leaked See: - collectiveidea/audited#690 - collectiveidea/audited#694
nhsuk · May 29, 2024 · f97eb27 · f97eb27
1 parent 1fc39c2
commit f97eb27
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 5 deletions.
diff --git a/Gemfile b/Gemfile
@@ -4,7 +4,7 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 ruby "3.3.0"
 gem "rails", "~> 7.1.3"
 
-gem "audited"
+gem "audited", git: "https://github.com/tvararu/audited", branch: "encryption"
 gem "awesome_print"
 gem "bootsnap", require: false
 gem "config"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -6,6 +6,15 @@ GIT
     capybara_accessible_selectors (0.11.0)
       capybara (~> 3.36)
 
+GIT
+  remote: https://github.com/tvararu/audited
+  revision: 1a419bfcdb72d6e642e9481a4ea06799c3504c60
+  branch: encryption
+  specs:
+    audited (5.6.0)
+      activerecord (>= 5.2, < 7.2)
+      activesupport (>= 5.2, < 7.2)
+
 GEM
   remote: https://rubygems.org/
   specs:
@@ -97,9 +106,6 @@ GEM
     asciidoctor-diagram-ditaamini (1.0.3)
     asciidoctor-diagram-plantuml (1.2024.0)
     ast (2.4.2)
-    audited (5.6.0)
-      activerecord (>= 5.2, < 7.2)
-      activesupport (>= 5.2, < 7.2)
     awesome_print (1.9.2)
     backport (1.2.0)
     base64 (0.2.0)
@@ -549,7 +555,7 @@ DEPENDENCIES
   annotate
   asciidoctor
   asciidoctor-diagram
-  audited
+  audited!
   awesome_print
   bootsnap
   brakeman

diff --git a/config/initializers/audited.rb b/config/initializers/audited.rb
@@ -0,0 +1,6 @@
+# See https://github.com/collectiveidea/audited/pull/694
+Audited.filter_encrypted_attributes = false
+
+# Currently no-ops: https://github.com/collectiveidea/audited/pull/694/files#r1618767769
+# Fixed by https://github.com/tvararu/audited/commit/f52ac70
+Audited.encrypt_audited_changes = true