From 5a8bd35f3b95143433c136396e9f0511d1325999 Mon Sep 17 00:00:00 2001
From: Theodor Vararu
Date: Wed, 29 May 2024 10:58:20 +0200
Subject: [PATCH] Use audited fork that allows reading encrypted attrs

Audited automatically replaces entries in the `audited_changes` field on audits with `[FILTERED]` for attributes that are encrypted. This is designed to prevent leaking of sensitive information in `audited_changes` which is an unencrypted field.

The downside to this is that the `audited_changes` field now provides less information about what the audit actually changed.

To solve this, https://github.com/collectiveidea/audited/pull/694 adds additional configuration attributes:

- `Audited.filter_encrypted_attributes = false` disables the automatic replacement with `[FILTERED]`
- `Audited.encrypt_audited_changes = true` encrypts the actual entire `audited_changes` field, ensuring that sensitive information isn't leaked

See:
- https://github.com/collectiveidea/audited/issues/690
- https://github.com/collectiveidea/audited/pull/694
---
 Gemfile                        |  2 +-
 Gemfile.lock                   | 14 ++++++++++----
 config/initializers/audited.rb |  6 ++++++
 3 files changed, 17 insertions(+), 5 deletions(-)
 create mode 100644 config/initializers/audited.rb

diff --git a/Gemfile b/Gemfile
index ea0fb7c4d..5a66ec9d3 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,7 +4,7 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 ruby "3.3.0"
 
 gem "rails", "~> 7.1.3"
-gem "audited"
+gem "audited", git: "https://github.com/tvararu/audited", branch: "encryption"
 gem "awesome_print"
 gem "bootsnap", require: false
 gem "config"
diff --git a/Gemfile.lock b/Gemfile.lock
index e643c98a6..0de067118 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
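Review bot: The new `audited` source on the changed Gemfile line tracks a mutable branch of a personal fork (`branch: "encryption"`), so what gets installed after the next `bundle update audited` is whatever that branch then points at, and only the fork owner controls that. The lockfile in this commit records revision f52ac706d6e5faaeeab772face93a45e52eee6b8, which keeps builds reproducible until the lock is refreshed; pinning the same commit in the Gemfile, `gem "audited", git: "https://github.com/tvararu/audited", ref: "f52ac706d6e5faaeeab772face93a45e52eee6b8"`, makes any move to a newer fork revision an explicit, reviewable change rather than a side effect of an update. A comment stating why the fork exists and when it can go, `# Temporary fork until collectiveidea/audited#694 is released; drop once a rubygems release includes it`, would help whoever later wonders why this gem is not coming from rubygems.org.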
@@ -6,6 +6,15 @@ GIT
     capybara_accessible_selectors (0.11.0)
       capybara (~> 3.36)
 
+GIT
+  remote: https://github.com/tvararu/audited
+  revision: f52ac706d6e5faaeeab772face93a45e52eee6b8
+  branch: encryption
+  specs:
+    audited (5.6.0)
+      activerecord (>= 5.2, < 7.2)
+      activesupport (>= 5.2, < 7.2)
+
 GEM
   remote: https://rubygems.org/
   specs:
@@ -97,9 +106,6 @@ GEM
     asciidoctor-diagram-ditaamini (1.0.3)
     asciidoctor-diagram-plantuml (1.2024.0)
     ast (2.4.2)
-    audited (5.6.0)
-      activerecord (>= 5.2, < 7.2)
-      activesupport (>= 5.2, < 7.2)
     awesome_print (1.9.2)
     backport (1.2.0)
     base64 (0.2.0)
@@ -549,7 +555,7 @@ DEPENDENCIES
   annotate
   asciidoctor
   asciidoctor-diagram
-  audited
+  audited!
   awesome_print
   bootsnap
   brakeman
diff --git a/config/initializers/audited.rb b/config/initializers/audited.rb
new file mode 100644
index 000000000..3ecc9b725
--- /dev/null
+++ b/config/initializers/audited.rb
@@ -0,0 +1,6 @@
+# See https://github.com/collectiveidea/audited/pull/694
+Audited.filter_encrypted_attributes = false
+
+# Currently no-ops: https://github.com/collectiveidea/audited/pull/694/files#r1618767769
+# Fixed by https://github.com/tvararu/audited/commit/f52ac70
+Audited.encrypt_audited_changes = true
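Review bot: `Audited.filter_encrypted_attributes = false` on the first code line of the new initializer takes effect on its own, so the confidentiality of the `audited_changes` column now rests entirely on the `encrypt_audited_changes = true` assignment further down actually encrypting — and the comment above that line records that upstream's version of the setter is a no-op. If the gem source ever drifts back to upstream, or to a fork revision without the fix, audits would begin persisting the values of encrypted attributes in plaintext with nothing in this file to notice. I would assign encryption first and tie the two together in the comment: `Audited.encrypt_audited_changes = true` then `Audited.filter_encrypted_attributes = false # safe only because audited_changes is itself encrypted above`. The second comment also reads as if the setting does nothing in this app; something like `# Upstream PR #694 still no-ops this setter (see r1618767769); the fork revision f52ac70 implements it.` states which code path this app actually runs. Presumably the encrypted column depends on Active Record Encryption keys being configured in every environment, including test/CI — worth confirming, since a missing key configuration would not be caught by this initializer.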