[WRSAT-473] Encrypt the SSN column (#198)

Author: cram-cfa

Dockerfile

@@ -61,8 +61,12 @@ COPY . .
 RUN bundle exec bootsnap precompile app/ lib/
 
 # Precompiling assets for production without requiring secret RAILS_MASTER_KEY
-RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
-
+RUN \
+  SECRET_KEY_BASE_DUMMY=1 \
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=dummy \
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=dummy \
+  ACTIVE_RECORD_DERIVATION_SALT_KEY=dummy \
+  ./bin/rails assets:precompile
 
 # Final stage for app image
 FROM base

app/models/screener.rb

@@ -4,6 +4,7 @@ class Screener < ApplicationRecord
   has_one :nc_screener, dependent: :destroy
   attr_accessor :email_confirmation
   attr_accessor :from_download_form
+  encrypts :ssn_last_four
   enum :is_american_indian, {unfilled: 0, yes: 1, no: 2}, prefix: true
   enum :is_working, {unfilled: 0, yes: 1, no: 2}, prefix: true
   enum :is_volunteer, {unfilled: 0, yes: 1, no: 2}, prefix: true

app/views/download_form/edit.html.erb

@@ -11,7 +11,7 @@
 
 <% unless has_email %>
   <div>
-    <%= link_to(generate_pdf_path, class: "button button--primary spacing-below-0") do %>
+    <%= link_to(generate_pdf_path, class: "button button--primary spacing-below-0", target: "_blank") do %>
       <i class="button__icon--left icon-get_app"></i>
       <%= t("views.download_form.edit.download_form") %>
     <% end %>

config/environments/development.rb

@@ -75,4 +75,8 @@
 
   config.hosts << "development.wrsat.codeforamerica.app"
   config.hosts << /.*\.development\.wrsat\.codeforamerica\.app$/
+
+  config.active_record.encryption.primary_key = ENV.fetch("ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY", "edSK9biPXNhUVP17nNj6xPhtOeB84FAX")
+  config.active_record.encryption.deterministic_key = ENV.fetch("ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY", "eVrXlDsnIP0iSDNuxeub906KGv7SOU6j")
+  config.active_record.encryption.key_derivation_salt = ENV.fetch("ACTIVE_RECORD_DERIVATION_SALT_KEY", "ZpsjowhMSuZXLkAgzJRXXEIIDVytGv4z")
 end

config/environments/production.rb

@@ -83,4 +83,8 @@
   #
   # Skip DNS rebinding protection for the default health check endpoint.
   # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+
+  config.active_record.encryption.primary_key = ENV.fetch("ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY")
+  config.active_record.encryption.deterministic_key = ENV.fetch("ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY")
+  config.active_record.encryption.key_derivation_salt = ENV.fetch("ACTIVE_RECORD_DERIVATION_SALT_KEY")
 end

config/environments/staging.rb

@@ -81,4 +81,8 @@
   #
   # Skip DNS rebinding protection for the default health check endpoint.
   # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+
+  config.active_record.encryption.primary_key = ENV.fetch("ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY")
+  config.active_record.encryption.deterministic_key = ENV.fetch("ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY")
+  config.active_record.encryption.key_derivation_salt = ENV.fetch("ACTIVE_RECORD_DERIVATION_SALT_KEY")
 end

config/environments/test.rb

@@ -50,4 +50,8 @@
 
   # Raise error when a before_action's only/except options reference missing actions.
   config.action_controller.raise_on_missing_callback_actions = true
+
+  config.active_record.encryption.primary_key = "a" * 32
+  config.active_record.encryption.deterministic_key = "b" * 32
+  config.active_record.encryption.key_derivation_salt = "c" * 32
 end

spec/models/screener_spec.rb

@@ -709,4 +709,12 @@
       end
     end
   end
+
+  describe "encryption" do
+    it "stores ssn_last_four as encrypted data" do
+      screener = create(:screener, ssn_last_four: "4567")
+      expect(screener.encrypted_attribute?(:ssn_last_four)).to eq true
+      expect(screener.ssn_last_four).to eq "4567"
+    end
+  end
 end