From 31acec37d0890bbb6d42c9825f3b09bcf352490c Mon Sep 17 00:00:00 2001
From: Eoin Kelly <eoin@eoinkelly.info>
Date: Mon, 24 Jul 2023 08:39:28 +1200
Subject: [PATCH] Ensure new auto-generated example.env secrets not used in
 prod

---
 .../config/initializers/check_env.rb          | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/variants/backend-base/config/initializers/check_env.rb b/variants/backend-base/config/initializers/check_env.rb
index a121dda6..69f5bd97 100644
--- a/variants/backend-base/config/initializers/check_env.rb
+++ b/variants/backend-base/config/initializers/check_env.rb
@@ -1,6 +1,10 @@
 class VerifyPlaceholderSecretsNotUsedForReal
   class << self
-    PLACEHOLDER_PREFIX_REGEX = /(PLACEHOLDER|FAILED_TO_GENERATE)/.freeze
+    DB_ENCRYPTION_ENV_VAR_NAMES = %w[
+      ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+      ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+      ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
+    ].freeze
 
     def run
       return if local?
@@ -14,20 +18,16 @@ def run
     def verify_secret_key_base
       return unless Rails.root.join("example.env").read.include?(ENV.fetch("RAILS_SECRET_KEY_BASE"))
 
-      fail "RAILS_SECRET_KEY_BASE is unchanged from example.env. Generate a new one with `bundle exec rails secret`"
+      raise "RAILS_SECRET_KEY_BASE is unchanged from example.env. Generate a new one with `bundle exec rails secret`"
     end
 
     # Verify that placeholder values created by the Ackama rails template are
     # not being used for real.
-    def verify_activerecord_encryption_secrets # rubocop:disable Metrics/AbcSize
-      secrets = [
-        Rails.application.config.active_record.encryption.primary_key,
-        Rails.application.config.active_record.encryption.deterministic_key,
-        Rails.application.config.active_record.encryption.key_derivation_salt
-      ]
-
-      secrets.each do |secret|
-        fail "Insecure ENV: ActiveRecored encrypted credentials env contain an insecure placeholder value. Generate new ones with `bundle exec rails db:encryption:init`" if secret.match?(PLACEHOLDER_PREFIX_REGEX)
+    def verify_activerecord_encryption_secrets
+      example_env_contents = Rails.root.join("example.env").read
+
+      DB_ENCRYPTION_ENV_VAR_NAMES.each do |env_var_name|
+        raise "#{env_var_name} is unchanged from example.env. Generate a new one with `bundle exec rails db:encryption:init`" if example_env_contents.include?(ENV.fetch(env_var_name))
       end
     end