Initial security fixes (#461)

* Initial sec

* Update PII fields

* FIX add tests

* FIX safely read plaintext data on rake backfill

* Update user.rb

* FIX tests

* encryption_ready? block

* Test conditional to encryption on

---------

Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>

app/models/session.rb

@@ -1,14 +1,18 @@
 class Session < ApplicationRecord
+  include Encryptable
+
+  # Encrypt user_agent if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :user_agent
+  end
+
   belongs_to :user
   belongs_to :active_impersonator_session,
     -> { where(status: :in_progress) },
     class_name: "ImpersonationSession",
     optional: true
 
-  before_create do
-    self.user_agent = Current.user_agent
-    self.ip_address = Current.ip_address
-  end
+  before_create :capture_session_info
 
   def get_preferred_tab(tab_key)
     data.dig("tab_preferences", tab_key)
@@ -19,4 +23,13 @@ class Session < ApplicationRecord
     data["tab_preferences"][tab_key] = tab_value
     save!
   end
+
+  private
+
+    def capture_session_info
+      self.user_agent = Current.user_agent
+      raw_ip = Current.ip_address
+      self.ip_address = raw_ip
+      self.ip_address_digest = Digest::SHA256.hexdigest(raw_ip.to_s) if raw_ip.present?
+    end
 end