Fixes for tests and AR Encryption

2025-12-31 16:08:05 +11:00
parent 9d352ab8ec
commit 364e6e21dd
3 changed files with 32 additions and 26 deletions
--- a/config/initializers/active_record_encryption.rb
+++ b/config/initializers/active_record_encryption.rb
@@ -6,17 +6,23 @@
 #   - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
 #   - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
 #   - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
-Rails.application.config.after_initialize do
-  # Use env vars if set, otherwise derive from SECRET_KEY_BASE (deterministic)
-  primary_key = ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'] || Rails.application.key_generator.generate_key('active_record_encryption_primary', 32)
-  deterministic_key = ENV['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'] || Rails.application.key_generator.generate_key('active_record_encryption_deterministic', 32)
-  key_derivation_salt = ENV['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'] || Rails.application.key_generator.generate_key('active_record_encryption_salt', 32)

-  # Configure Rails 7.1+ ActiveRecord encryption
-  Rails.application.config.active_record.encryption.primary_key = primary_key
-  Rails.application.config.active_record.encryption.deterministic_key = deterministic_key
-  Rails.application.config.active_record.encryption.key_derivation_salt = key_derivation_salt
-
-  # Ensure encryption is enabled
-  Rails.application.config.active_record.encryption.support_unencrypted_data = false
+# Use env vars if set, otherwise derive from SECRET_KEY_BASE (deterministic)
+primary_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY') do
+  Rails.application.key_generator.generate_key('active_record_encryption_primary', 32)
 end
+deterministic_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY') do
+  Rails.application.key_generator.generate_key('active_record_encryption_deterministic', 32)
+end
+key_derivation_salt = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT') do
+  Rails.application.key_generator.generate_key('active_record_encryption_salt', 32)
+end
+
+# Configure Rails 7.1+ ActiveRecord encryption
+Rails.application.config.active_record.encryption.primary_key = primary_key
+Rails.application.config.active_record.encryption.deterministic_key = deterministic_key
+Rails.application.config.active_record.encryption.key_derivation_salt = key_derivation_salt
+
+# Allow unencrypted data for existing records (new/updated records will be encrypted)
+# Set to false after all existing encrypted columns have been migrated
+Rails.application.config.active_record.encryption.support_unencrypted_data = true