Issue 341 modernise secret handling #392
Conversation
* Stop generating both `secrets.yml` and `secrets.example.yml`. Our `secrets.yml` loads everything from the ENV so it is safe to check in and having a separate example file is unnecessary. * Add secrets demonstrating how to configure ActiveRecord encrypted attributes without using Rails encrypted credentials.
We have chosen not to use Rails encrypted credentials so we remove the files generated by Rails to avoid confusion.
* Put explanatory comment at top of `config/app.yml` to explain that non-sensitive config should go here and sensitive config should go in `config/secrets.yml` * Update existing references to `mail_from` config item in the app
| @@ -19,4 +19,4 @@ | |||
| # Configure the default mailer to use the our default from address | |||
| gsub_file "app/mailers/application_mailer.rb", | |||
| "default from: 'from@example.com'", | |||
| "default from: Rails.application.secrets.mail_from" | |||
| "default from: Rails.application.config.app.mail_from" | |||
There was a problem hiding this comment.
We cannot load things directly in to Rails.application.config using a YAML file - we have to pick a namespace under config. I chose config.app but totally open to changing this.
Alternatively we could skip the YAML file completely and just have a ruby initializer which loads things directly into Rails.application.config. I slightly favour the YAML file because it makes it easier when secrets vary between environments.
| config.active_record.encryption.primary_key = Rails.application.secrets.active_record_encryption_primary_key | ||
| config.active_record.encryption.deterministic_key = Rails.application.secrets.active_record_encryption_deterministic_key | ||
| config.active_record.encryption.key_derivation_salt = Rails.application.secrets.active_record_encryption_key_derivation_salt |
There was a problem hiding this comment.
@G-Rath It turns out we can use encrypted attributes without encrypted credentials. It is very poorly documented so I think it's worth baking into the template.
| secret_key_base: "<%= ENV['RAILS_SECRET_KEY_BASE'] %>" | ||
| active_record_encryption_primary_key: "<%= ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'] %>" | ||
| active_record_encryption_deterministic_key: "<%= ENV['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'] %>" | ||
| active_record_encryption_key_derivation_salt: "<%= ENV['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'] %>" |
There was a problem hiding this comment.
If you nest keys here then you have to use hash key syntax to get the value e.g.
aaa:
bb: "foo"
# Rails.application.secrets.aaa.bb # breaks
# Rails.application.secrets.aaa[:bb] # worksThis felt a bit ugly so I flattened the secrets instead
| remove_file "config/master.key" | ||
| remove_file "config/credentials.yml.enc" |
There was a problem hiding this comment.
We aren't using these but by default Rails creates them and puts a secret_key_base value in there which will be preferred by Rails if it exists and can be decrypted.
Co-authored-by: Gareth Jones <gareth.jones@ackama.com>
variants/backend-base/example.env.tt
Outdated
| # to create new versions of these secrets for each deployed environment (e.g. | ||
| # staging, production) | ||
| ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="PLACEHOLDER_PRIMARY_KEY" | ||
| ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="PLACEHOLDER_DETERMINISTIC_KEY" | ||
| ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="PLACEHOLDER_KEY_DERIVATION_SALT" |
There was a problem hiding this comment.
These env vars need to exist to load Rails because we are loading them with ENV.fetch. We need to run Rails to set realistic values so we need to set these env vars to an initial placeholder value and later set better values.
|
|
||
| gsub_file("example.env", "PLACEHOLDER_PRIMARY_KEY", db_secrets.fetch("primary_key")) | ||
| gsub_file("example.env", "PLACEHOLDER_DETERMINISTIC_KEY", db_secrets.fetch("deterministic_key")) | ||
| gsub_file("example.env", "PLACEHOLDER_KEY_DERIVATION_SALT", db_secrets.fetch("key_derivation_salt")) |
There was a problem hiding this comment.
if we're using generated ones here, i wonder if we should add these keys to the initializer that checks for using the example.env secret key base. #313
There was a problem hiding this comment.
Good idea, will do.
| class VerifyPlaceholderSecretsNotUsedForReal | ||
| class << self | ||
| PLACEHOLDER_PREFIX_REGEX = /(PLACEHOLDER|FAILED_TO_GENERATE)/.freeze | ||
|
|
||
| # RAILS_SECRET_KEY_BASE should be set to something other than its value in example.env | ||
| def run | ||
| return if local? | ||
|
|
||
| if Rails.env.production? && Rails.root.join("example.env").read.include?(ENV.fetch("RAILS_SECRET_KEY_BASE")) | ||
| fail "RAILS_SECRET_KEY_BASE is unchanged from example.env. " \ | ||
| "Generate a new one with `bundle exec rails secret`" | ||
| verify_secret_key_base | ||
| verify_activerecord_encryption_secrets | ||
| end | ||
|
|
||
| private | ||
|
|
||
| def verify_secret_key_base | ||
| return unless Rails.root.join("example.env").read.include?(ENV.fetch("RAILS_SECRET_KEY_BASE")) | ||
|
|
||
| fail "RAILS_SECRET_KEY_BASE is unchanged from example.env. Generate a new one with `bundle exec rails secret`" | ||
| end | ||
|
|
||
| ## | ||
| # Verify that placeholder values created by the Ackama rails template are | ||
| # not being used for real. | ||
| # | ||
| def verify_activerecord_encryption_secrets # rubocop:disable Metrics/AbcSize | ||
| secrets = [ | ||
| Rails.application.config.active_record.encryption.primary_key, | ||
| Rails.application.config.active_record.encryption.deterministic_key, | ||
| Rails.application.config.active_record.encryption.key_derivation_salt | ||
| ] | ||
|
|
||
| secrets.each do |secret| | ||
| fail "Insecure ENV: ActiveRecored encrypted credentials env contain in insecure placeholder value." if secret.match?(PLACEHOLDER_PREFIX_REGEX) | ||
| end | ||
| end | ||
|
|
||
| def local? | ||
| Rails.env.development? || Rails.env.test? | ||
| end | ||
| end | ||
| end | ||
|
|
||
| VerifyPlaceholderSecretsNotUsedForReal.run |
There was a problem hiding this comment.
@robotdana You may want to review this because I've changed it quite a bit
| # Do NOT put secrets directly into this file. All secrets should be loaded from ENV! | ||
| # Be sure to restart your server when you modify this file. |
There was a problem hiding this comment.
🐘 I think it would be worth mentioning config/app.yml here
| staging: | ||
| <<: *default |
There was a problem hiding this comment.
🐘 ideally we should actually only add this if a capistrano variant is enabled, because Heroku doesn't do staging so it isn't reasonable to assume all apps will have it
There was a problem hiding this comment.
I think we should keep as is because:
- Heroku is the odd one out in not supporting a staging env out of the box - every other way of deploying Rails uses one AFAIK (not just capistrano based deploys).
- Having this here doesn't harm a Heroku deploy.
- We don't currently have a template config variable for "deploying to heroku". I don't think this use-case is enough to add that complexity.
There was a problem hiding this comment.
I'm not sure that can be the case because Rails/UnknownEnv does not include staging by default, but its a while since I looked at this so can't remember.
I'm fine with whatever you think is worth doing
| staging: | ||
| <<: *default |
There was a problem hiding this comment.
🐘 ideally we should actually only add this if a capistrano variant is enabled, because Heroku doesn't do staging so it isn't reasonable to assume all apps will have it
There was a problem hiding this comment.
I think we should keep as is because:
- Heroku is the odd one out in not supporting a staging env out of the box - every other way of deploying Rails uses one AFAIK (not just capistrano based deploys).
- Having this here doesn't harm a Heroku deploy.
- We don't currently have a template config variable for "deploying to heroku". I don't think this use-case is enough to add that complexity.
There was a problem hiding this comment.
I'm not sure that can be the case because Rails/UnknownEnv does not include staging by default, but its a while since I looked at this so can't remember.
I'm fine with whatever you think is worth doing
Co-authored-by: Gareth Jones <gareth.jones@ackama.com>
Co-authored-by: Gareth Jones <gareth.jones@ackama.com>
Co-authored-by: Gareth Jones <gareth.jones@ackama.com>
…-template into issue-341-modernise-secrets
Co-authored-by: Gareth Jones <gareth.jones@ackama.com>
| staging: | ||
| <<: *default |
There was a problem hiding this comment.
I'm not sure that can be the case because Rails/UnknownEnv does not include staging by default, but its a while since I looked at this so can't remember.
I'm fine with whatever you think is worth doing
| staging: | ||
| <<: *default |
There was a problem hiding this comment.
I'm not sure that can be the case because Rails/UnknownEnv does not include staging by default, but its a while since I looked at this so can't remember.
I'm fine with whatever you think is worth doing
|
Merging as discussed at our Ruby catchup. |
Closes #341
config/app.ymlto explain thatnon-sensitive config should go here and sensitive config should go in
config/secrets.ymlmail_fromconfig item in the appfiles generated by Rails to avoid confusion.
secrets.ymlandsecrets.example.yml. Oursecrets.ymlloads everything from the ENV so it is safe to check in and having a
separate example file is unnecessary.
without using Rails encrypted credentials.
.envrcat top of.envfile.