mirror of
https://github.com/we-promise/sure.git
synced 2026-07-12 12:55:20 +00:00
* feat(security): warn when ActiveRecord encryption is not configured Self-hosted instances without explicit ACTIVE_RECORD_ENCRYPTION_* keys (or Rails credentials) store sensitive columns - API keys, provider/bank tokens, the MFA (TOTP) secret, and PII - unencrypted at rest. The app boots and works normally so this plaintext at rest state is easy to miss. Change: Make it visible: - log a clear startup warning (config/initializers/encryption_warning.rb) - show a warning banner on /settings/security when encryption is unconfigured * refactor(security): apply review feedback on encryption warning - list the three ACTIVE_RECORD_ENCRYPTION_* keys in the banner, rendered via the DS::Alert content block to match the log - drop the redundant respond_to?(:self_hosted?) guard in the initializer so it matches the controller check - add a managed-mode test asserting the banner is hidden
35 lines
1.2 KiB
Ruby
35 lines
1.2 KiB
Ruby
require "test_helper"
|
|
|
|
class Settings::SecuritiesControllerTest < ActionDispatch::IntegrationTest
|
|
setup { sign_in users(:family_admin) }
|
|
|
|
test "shows encryption warning when self-hosted and encryption is not configured" do
|
|
Rails.configuration.stubs(:app_mode).returns("self_hosted".inquiry)
|
|
ActiveRecordEncryptionConfig.stubs(:explicitly_configured?).returns(false)
|
|
|
|
get settings_security_url
|
|
|
|
assert_response :success
|
|
assert_includes response.body, I18n.t("settings.securities.show.encryption_warning.title")
|
|
end
|
|
|
|
test "hides encryption warning when encryption is configured" do
|
|
Rails.configuration.stubs(:app_mode).returns("self_hosted".inquiry)
|
|
ActiveRecordEncryptionConfig.stubs(:explicitly_configured?).returns(true)
|
|
|
|
get settings_security_url
|
|
|
|
assert_response :success
|
|
assert_not_includes response.body, I18n.t("settings.securities.show.encryption_warning.title")
|
|
end
|
|
|
|
test "does not show encryption warning in managed mode" do
|
|
Rails.configuration.stubs(:app_mode).returns("managed".inquiry)
|
|
|
|
get settings_security_url
|
|
|
|
assert_response :success
|
|
assert_not_includes response.body, I18n.t("settings.securities.show.encryption_warning.title")
|
|
end
|
|
end
|