Fix record encryptor trying to decrypt empty strings

[mrcasals]

🎩 What? Why?

When an authorization has a Hash with an empty string, the decryption process fails. This Pr fixes it.

📌 Related Issues

• Related to Encrypt authorization metadata #6947
• Fixes Can't migrate the DB after #6947 #7487 (comment)

Testing

Probably same as in #7488.

[mrcasals]

@ahukkanen care to check this out? 🙏

[mrcasals]

This needs to be backported to 0.24.

[ahukkanen]

Looks good @mrcasals, your fix works fine!

I think this could've also been solved just by changing the order of these lines:

decidim/decidim-core/lib/decidim/record_encryptor.rb

Lines 123 to 125 in b40411b

	next value unless value.is_a?(String)
	decrypted_value = decrypt_value(value)

To:

decrypted_value = decrypt_value(value)

next decrypted_value unless decrypted_value.is_a?(String)

This actually originates from this line which returns nil:

decidim/decidim-core/lib/decidim/attribute_encryptor.rb

Line 10 in b40411b

return if string_encrypted.blank?

I was actually thinking whether it's safe to return nil there but I didn't dare to change the behavior from the original one which also returned nil in case the value is blank:

decidim/decidim-core/lib/decidim/attribute_encryptor.rb

Line 10 in 491060a

cryptor.decrypt_and_verify(string_encrypted) if string_encrypted.present?

[mrcasals]

I think this could've also been solved just by changing the order of these lines:

I tried that, but then I get an error in the specs:

     Failure/Error: expect(subject.metadata).to eq(deep_metadata)

       expected: {"extras"=>{"foo"=>{"bar"=>"baz"}}, "foobar"=>"", "location"=>{"Country"=>{"Province"=>{"Region"=>{"Sub-region"=>{"Municipality"=>{"Quarter"=>{"Block"=>"Street"}}}}}}}}
            got: {"extras"=>{"foo"=>{"bar"=>"baz"}}, "foobar"=>nil, "location"=>{"Country"=>{"Province"=>{"Region"=>{"Sub-region"=>{"Municipality"=>{"Quarter"=>{"Block"=>"Street"}}}}}}}}

       (compared using ==)

       Diff:
       @@ -1,4 +1,4 @@
        "extras" => {"foo"=>{"bar"=>"baz"}},
       -"foobar" => "",
       +"foobar" => nil,
        "location" => {"Country"=>{"Province"=>{"Region"=>{"Sub-region"=>{"Municipality"=>{"Quarter"=>{"Block"=>"Street"}}}}}}},

And I didn't want the signature to change, that's why I left it as a rescue, although I'm not really happy about it...

[ahukkanen]

I think in this case it is fine to change the expectation if we want the values to be changed to nil when they are empty as in:

decidim/decidim-core/lib/decidim/attribute_encryptor.rb

Line 10 in b40411b

return if string_encrypted.blank?

Or you could just return an empty string here but I'm not sure if it has some other consequences as I mentioned above...

Either way is fine, your solution is also good!