From a3d8ae693d5d65889eb799ef73583d9d74ea9029 Mon Sep 17 00:00:00 2001
From: Gaetan Craig-Riou
Date: Mon, 7 Oct 2024 14:53:35 +1100
Subject: [PATCH] Add encryption for ConnectedApps::Vine#data

Added layer of security, we encrypt the API key and related secret. It requires setting up some encryption keys that can be generated wiht `bin/rails db:encryption:init`
---
 .env | 6 ++++++
 .env.development | 5 +++++
 .env.test | 4 ++++
 app/models/connected_apps/vine.rb | 2 ++
 config/application.rb | 11 +++++++++++
 5 files changed, 28 insertions(+)

diff --git a/.env b/.env
index fe9b06d4ff1..14902e28e9e 100644
--- a/.env
+++ b/.env
@@ -61,3 +61,9 @@ SMTP_PASSWORD="f00d"
 # NEW_RELIC_AGENT_ENABLED=true
 # NEW_RELIC_APP_NAME="Open Food Network"
 # NEW_RELIC_LICENSE_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+# Database encryption configuration, required for VINE connected app
+# Generate with bin/rails db:encryption:init
+# ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+# ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+# ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
diff --git a/.env.development b/.env.development
index 68640acf212..94f1750d52f 100644
--- a/.env.development
+++ b/.env.development
@@ -24,3 +24,8 @@ SITE_URL="0.0.0.0:3000"
 RACK_TIMEOUT_SERVICE_TIMEOUT="0"
 RACK_TIMEOUT_WAIT_TIMEOUT="0"
 RACK_TIMEOUT_WAIT_OVERTIME="0"
+
+# Database encryption configuration, required for VINE connected app
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="dev_primary_key"
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="dev_determinnistic_key"
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="dev_derivation_salt"
diff --git a/.env.test b/.env.test
index c0097a0416f..d65627ce33b 100644
--- a/.env.test
+++ b/.env.test
@@ -18,3 +18,7 @@ SITE_URL="test.host"
 OPENID_APP_ID="test-provider"
 OPENID_APP_SECRET="12345"
 OPENID_REFRESH_TOKEN="dummy-refresh-token"
+
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="test_primary_key"
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="test_deterministic_key"
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="test_derivation_salt"
diff --git a/app/models/connected_apps/vine.rb b/app/models/connected_apps/vine.rb
index 3e83ac5e64f..350d8ac6ba9 100644
--- a/app/models/connected_apps/vine.rb
+++ b/app/models/connected_apps/vine.rb
@@ -4,6 +4,8 @@
 #
 module ConnectedApps
   class Vine < ConnectedApp
+    encrypts :data
+
     def connect(api_key:, secret:, vine_api:, **_opts)
       response = vine_api.my_team
diff --git a/config/application.rb b/config/application.rb
index a1bda0a7d5c..19cd559d977 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -255,5 +255,16 @@ module ::Reporting; end
     config.exceptions_app = self.routes
     config.view_component.generate.sidecar = true # Always generate components in subfolders
+
+    # Database encryption configuration, required for VINE connected app
+    config.active_record.encryption.primary_key = ENV.fetch(
+      "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY", nil
+    )
+    config.active_record.encryption.deterministic_key = ENV.fetch(
+      "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY", nil
+    )
+    config.active_record.encryption.key_derivation_salt = ENV.fetch(
+      "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT", nil
+    )
   end
 end
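Review bot: `encrypts :data` changes how already-stored `data` values are read, and the commit ships no data migration or transition setting for them: with Rails' default of `support_unencrypted_data` off, any Vine row saved before this deploy holds plaintext and will raise `ActiveRecord::Encryption::Errors::Decryption` on load. Either re-save existing rows once the keys are configured, or temporarily set `config.active_record.encryption.support_unencrypted_data = true` until the backfill has run. It is also worth confirming that `data` is a string/text column, since the ciphertext envelope is stored as a string; if it is a json/jsonb column (the schema is not visible here) the behaviour should be verified before merging. A one-line comment above the declaration would help future readers, e.g. `# Holds the VINE API key and secret; encrypted at rest with the ACTIVE_RECORD_ENCRYPTION_* keys`. The `Vine` class body continues outside the hunk.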
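Review bot: The three `ENV.fetch(..., nil)` defaults let the application boot with no encryption keys at all, so in an environment where the variables are unset (the `.env` template leaves them commented out) the failure presumably surfaces only when `ConnectedApps::Vine#data` is first read or written, as an ActiveRecord::Encryption configuration error at request time rather than a clear error at startup. Failing at boot may be too strict for deployments that never enable VINE, but the trade-off should be recorded next to the block, e.g. `# All three must be set together (generate with bin/rails db:encryption:init); when absent, encrypted attributes raise on first use, not at boot`. Note also that `deterministic_key` is only consumed by attributes declared with `deterministic: true`, which `encrypts :data` does not use, so the comment could say it is set for completeness of the generated key set rather than required by this feature. The enclosing `Application` class starts outside the hunk.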