Ensure that secrets are hidden by default in audit logs

app/views/admin/audits/_setting_row.html.erb

@@ -0,0 +1,22 @@
+<td class="text-nowrap">
+  <%= link_to fa_icon('eye', title: 'Show'), admin_audit_path(model.id) %>
+</td>
+<td class="text-nowrap"><%= model.user.try(:username) %></td>
+
+<%- model_attributes.each do |attr_name| %>
+  <td class="<%= attr_name.gsub(/[^\w\s]/, '') %>">
+    <%- data = model.send(attr_name) %>
+    <%- if data.is_a? ActiveRecord::Associations::CollectionProxy %>
+      <%- data =  data.join ", " %>
+    <%- end %>
+    <%- if attr_name == 'audited_changes' %>
+      <%- change = data["value"].is_a?(Array) ? data["value"].last : data["value"]%>
+      <%- if model.auditable.respond_to?(:maybe_hide_attribute) %>
+        <%- data = { 'setting' => model.auditable.var, 'value' => model.auditable.maybe_hide_attribute(data) } %>
+      <%- end %>
+        <pre><code><%= redact(data).to_yaml %></code></pre>
+    <%- else %>
+      <%= data %>
+    <%- end %>
+  </td>
+<%- end %>

spec/controllers/admin/audits_controller_spec.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe Admin::AuditsController, type: :controller do
+  include ActiveJob::TestHelper
+  render_views
+
+  let(:user) do
+    user = User.create!(username: 'user', email: 'user@localhost', password: 'test123456')
+    user.confirm!
+    user
+  end
+  let(:group) { Group.create!(name: 'administrators', admin: true) }
+  let(:admin) do
+    user = User.create!(username: 'admin', email: 'admin@localhost', password: 'test123456')
+    user.groups << group
+    user.confirm!
+    user
+  end
+
+  before do
+    sign_in(admin)
+  end
+
+  it 'does not show encrypted passwords' do
+    user.password = 'new password 123'
+    user.save
+    get :index
+    expect(response.status).to eq(200)
+    expect(response.body).to include('encrypted_password: &quot;&lt;REDACTED&gt;&quot;')
+  end
+
+  it 'does not show password reset tokens' do
+    # The user creation above will trigger the password reset token
+    get :index
+    expect(response.status).to eq(200)
+    expect(response.body).to include('reset_password_token: &quot;&lt;REDACTED&gt;&quot;')
+  end
+
+  it 'does not show oidc_signing_key' do
+    secret1 = 'this is a secret!'
+    Setting.oidc_signing_key = secret1
+
+    get :index
+    expect(response.status).to eq(200)
+    sha = OpenSSL::Digest::SHA1.hexdigest(secret1)
+    expect(response.body).to include("setting: oidc_signing_key\nvalue: &#39;Sha1 of secret: #{sha}&#39")
+
+    secret2 = 'this is also a secret!'
+    Setting.oidc_signing_key = secret2
+
+    get :index
+    expect(response.status).to eq(200)
+    sha = OpenSSL::Digest::SHA1.hexdigest(secret2)
+    expect(response.body).to include("setting: oidc_signing_key\nvalue: &#39;Sha1 of secret: #{sha}&#39")
+  end
+
+  it 'does not show SAML key' do
+    secret1 = 'this is a secret!'
+    Setting.saml_key = secret1
+
+    get :index
+    expect(response.status).to eq(200)
+    sha = OpenSSL::Digest::SHA1.hexdigest(secret1)
+    expect(response.body).to include("setting: saml_key\nvalue: &#39;Sha1 of secret: #{sha}&#39")
+
+    secret2 = 'this is also a secret!'
+    Setting.saml_key = secret2
+
+    get :index
+    expect(response.status).to eq(200)
+    sha = OpenSSL::Digest::SHA1.hexdigest(secret2)
+    expect(response.body).to include("setting: saml_key\nvalue: &#39;Sha1 of secret: #{sha}&#39")
+  end
+
+  it 'does show SAML certificate' do
+    Setting.saml_certificate = 'this is not a secret!'
+
+    get :index
+    expect(response.status).to eq(200)
+    # binding.pry
+    expect(response.body).to include("setting: saml_certificate\nvalue: this is not a secret!")
+  end
+end