From 1ad3bc12c73d1789ce1c6a1aeb6adf4490d5bbbe Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Sun, 23 Oct 2022 10:21:13 +1300 Subject: [PATCH 01/26] Remove confusing comment --- variants/backend-base/example.env.tt | 6 ------ 1 file changed, 6 deletions(-) diff --git a/variants/backend-base/example.env.tt b/variants/backend-base/example.env.tt index 39e07491..48ff655f 100644 --- a/variants/backend-base/example.env.tt +++ b/variants/backend-base/example.env.tt @@ -1,9 +1,3 @@ -# Copy this file into a new file called ".envrc" in the root of the project. -# Access values like this: ENV["RAILS_SECRET_KEY_BASE"] -# -# The purpose of this file is to keep secrets out of source control. -# For more information, see: direnv.net - # The environment variables below can be uncommented to enable HTTP basic # authentication # HTTP_BASIC_AUTH_USERNAME=example From 70c7dd46b5a507b4bb868560bc1d527f990b903d Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Sun, 23 Oct 2022 10:25:31 +1300 Subject: [PATCH 02/26] Modernise generated secrets.yml * Stop generating both `secrets.yml` and `secrets.example.yml`. Our `secrets.yml` loads everything from the ENV so it is safe to check in and having a separate example file is unnecessary. * Add secrets demonstrating how to configure ActiveRecord encrypted attributes without using Rails encrypted credentials. --- variants/backend-base/bin/setup | 1 - variants/backend-base/config/application.rb | 9 ++++++ .../config/secrets.example.yml.tt | 32 ------------------- variants/backend-base/config/secrets.yml | 25 +++++++++++++++ variants/backend-base/config/template.rb | 3 +- variants/backend-base/example.env.tt | 5 +++ 6 files changed, 40 insertions(+), 35 deletions(-) delete mode 100644 variants/backend-base/config/secrets.example.yml.tt create mode 100644 variants/backend-base/config/secrets.yml diff --git a/variants/backend-base/bin/setup b/variants/backend-base/bin/setup index aa541a89..873c9903 100755 --- a/variants/backend-base/bin/setup 
+++ b/variants/backend-base/bin/setup @@ -8,7 +8,6 @@ def setup! run "yarn install" if File.exist?("yarn.lock") run "bundle exec overcommit --install" copy "example.env" - copy "config/secrets.example.yml" test_local_env_contains_required_keys run "bin/rake tmp:create" run "bin/rake db:create:all" diff --git a/variants/backend-base/config/application.rb b/variants/backend-base/config/application.rb index 070d7b44..c1eaf394 100644 --- a/variants/backend-base/config/application.rb +++ b/variants/backend-base/config/application.rb @@ -16,5 +16,14 @@ config.middleware.insert_before Rack::Sendfile, HttpBasicAuth config.action_dispatch.default_headers["Permissions-Policy"] = "interest-cohort=()" + + # ActiveRecord encrypted attributes expectes to find the key secrets under + # `config.active_record.encryption.*`. If the secrets were stored in Rails + # encrypted credentials file then Rails would map them automatically for us. + # We prefer to store the secrets in the ENV and load them through + # `config/secrets.yml` so we have to manually assign them here. + config.active_record.encryption.primary_key = Rails.application.secrets.active_record_encryption_primary_key + config.active_record.encryption.deterministic_key = Rails.application.secrets.active_record_encryption_deterministic_key + config.active_record.encryption.key_derivation_salt = Rails.application.secrets.active_record_encryption_key_derivation_salt RUBY end diff --git a/variants/backend-base/config/secrets.example.yml.tt b/variants/backend-base/config/secrets.example.yml.tt deleted file mode 100644 index ac81bc29..00000000 --- a/variants/backend-base/config/secrets.example.yml.tt +++ /dev/null 
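Review bot: The three `config.active_record.encryption.*` assignments added in the config/application.rb hunk read from `Rails.application.secrets`, which Rails deprecates in 7.1 and removes in 7.2. The generated Gemfile pins rails to whatever version runs the template, so apps generated on a newer Rails would warn or fail on these lines. Reading the environment directly, e.g. `config.active_record.encryption.primary_key = ENV.fetch("ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY")`, removes that dependency for the key material. The added comment also has a typo: `expectes` should be `expects`. The heredoc these lines sit in starts outside the hunk.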
@@ -1,32 +0,0 @@ -# Be sure to restart your server when you modify this file. -# Make sure the secrets in this file are kept private -# if you're sharing your code publicly. - -# Environmental secrets are only available for that specific environment. -default: &default - # Your secret key is used for verifying the integrity of signed cookies. - # If you change this key, all old signed cookies will become invalid! - - # Make sure the secret is at least 30 characters and all random, - # no regular words or you'll be exposed to dictionary attacks. - # You can use `rails secret` to generate a secure secret key. - secret_key_base: "<%%= ENV['RAILS_SECRET_KEY_BASE'] %>" - - # The default `From:` address to use for email sent by this application - # obviously isn't a secret per se, but configuring it here is convenient - mail_from: "<%%= ENV['MAIL_FROM'] %>" - -development: - <<: *default - -test: - <<: *default - -# Do not keep production secrets in the unencrypted secrets file. -# Instead, either read values from the environment. -# Or, use `bin/rails secrets:setup` to configure encrypted secrets -# and move the `production:` environment over there. -production: - <<: *default - - diff --git a/variants/backend-base/config/secrets.yml b/variants/backend-base/config/secrets.yml new file mode 100644 index 00000000..ea86f715 --- /dev/null +++ b/variants/backend-base/config/secrets.yml 
@@ -0,0 +1,25 @@ +# Do NOT put secrets directly into this file. All secrets should be loaded from ENV! +# Be sure to restart your server when you modify this file. + +default: &default + # Your secret key is used for verifying the integrity of signed cookies. + # If you change this key, all old signed cookies will become invalid! + # Make sure the secret is at least 30 characters and all random, + # no regular words or you'll be exposed to dictionary attacks. + # You can use `rails secret` to generate a secure secret key. + secret_key_base: "<%= ENV['RAILS_SECRET_KEY_BASE'] %>" + active_record_encryption_primary_key: "<%= ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'] %>" + active_record_encryption_deterministic_key: "<%= ENV['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'] %>" + active_record_encryption_key_derivation_salt: "<%= ENV['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'] %>" + +development: + <<: *default + +test: + <<: *default + +staging: + <<: *default + +production: + <<: *default diff --git a/variants/backend-base/config/template.rb b/variants/backend-base/config/template.rb index 3d851401..98f58f41 100644 --- a/variants/backend-base/config/template.rb +++ b/variants/backend-base/config/template.rb @@ -2,8 +2,7 @@ template "variants/backend-base/config/database.yml.tt", "config/database.yml", force: true -template "variants/backend-base/config/secrets.example.yml.tt", "config/secrets.example.yml" -remove_file "config/secrets.yml" +copy_file "variants/backend-base/config/secrets.yml", "config/secrets.yml", force: true copy_file "variants/backend-base/config/puma.rb", "config/puma.rb", force: true diff --git a/variants/backend-base/example.env.tt b/variants/backend-base/example.env.tt index 48ff655f..7cdc04a8 100644 --- a/variants/backend-base/example.env.tt +++ b/variants/backend-base/example.env.tt 
@@ -20,3 +20,8 @@ PORT=3000 # SENTRY_DSN=http://public@example.com/project-id SENTRY_CSP_HEADER_REPORT_ENDPOINT=https://SOMECODE.ingest.sentry.io/api/SOMENUMS/security/?sentry_key=SOMETHING SENTRY_ENV=development + +# run `bin/rails db:encryption:init` to create real versions of these secrets +ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="TODO_CHANGE_ME" +ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="TODO_CHANGE_ME" +ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="TODO_CHANGE_ME" From cde294bf2d0d15e1731d5c3fdd4be9872ba3f1a8 Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Sun, 23 Oct 2022 10:26:40 +1300 Subject: [PATCH 03/26] Stop creating .env from example.env because bin/setup already does this --- template.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/template.rb b/template.rb index 55725e4e..8f356ebf 100644 --- a/template.rb +++ b/template.rb @@ -86,7 +86,6 @@ def apply_template! # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Met remove_file "README.rdoc" template "variants/backend-base/example.env.tt", "example.env" - template "variants/backend-base/example.env.tt", ".env" copy_file "variants/backend-base/editorconfig", ".editorconfig" copy_file "variants/backend-base/gitignore", ".gitignore", force: true copy_file "variants/backend-base/overcommit.yml", ".overcommit.yml" From 983d8687ee525369480bba10c79b8ef639d10b7b Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Sun, 23 Oct 2022 10:27:53 +1300 Subject: [PATCH 04/26] Remove Rails encrypted credentials files to avoid confusion We have chosen not to use Rails encrypted credentials so we remove the files generated by Rails to avoid confusion. --- variants/backend-base/config/template.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/variants/backend-base/config/template.rb b/variants/backend-base/config/template.rb index 98f58f41..7752dbb7 100644 --- a/variants/backend-base/config/template.rb +++ b/variants/backend-base/config/template.rb 
@@ -3,6 +3,8 @@ template "variants/backend-base/config/database.yml.tt", "config/database.yml", force: true copy_file "variants/backend-base/config/secrets.yml", "config/secrets.yml", force: true +remove_file "config/master.key" +remove_file "config/credentials.yml.enc" copy_file "variants/backend-base/config/puma.rb", "config/puma.rb", force: true From d100d0c3e1439f5ec7ffbbf31f686417411783dd Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Sun, 23 Oct 2022 10:30:18 +1300 Subject: [PATCH 05/26] Load non-sensitive app config from config/app.yml * Put explanatory comment at top of `config/app.yml` to explain that non-sensitive config should go here and sensitive config should go in `config/secrets.yml` * Update existing references to `mail_from` config item in the app --- variants/backend-base/app/template.rb | 2 +- variants/backend-base/config/app.yml | 24 +++++++++++++++++++++ variants/backend-base/config/application.rb | 3 +++ variants/backend-base/config/template.rb | 1 + variants/devise/template.rb | 2 +- 5 files changed, 30 insertions(+), 2 deletions(-) create mode 100644 variants/backend-base/config/app.yml diff --git a/variants/backend-base/app/template.rb b/variants/backend-base/app/template.rb index cf1db616..4a045ff3 100644 --- a/variants/backend-base/app/template.rb +++ b/variants/backend-base/app/template.rb @@ -19,4 +19,4 @@ # Configure the default mailer to use the our default from address gsub_file "app/mailers/application_mailer.rb", "default from: 'from@example.com'", - "default from: Rails.application.secrets.mail_from" + "default from: Rails.application.config.app.mail_from" diff --git a/variants/backend-base/config/app.yml b/variants/backend-base/config/app.yml new file mode 100644 index 00000000..3ca7c5c0 --- /dev/null +++ b/variants/backend-base/config/app.yml 
@@ -0,0 +1,24 @@ +# Be sure to restart your server when you modify this file. +# +# Use this file to load non-sensitive app config from ENV. Config values here +# will be loaded into `Rails.application.config.app`. +# +# Sensitive config should be put in `config/secrets.yml` (which will load it +# into `Rails.application.secrets`) + +default: &default + # The default `From:` address to use for email sent by this application + # obviously isn't a secret per se, but configuring it here is convenient + mail_from: "<%= ENV['MAIL_FROM'] %>" + +development: + <<: *default + +test: + <<: *default + +staging: + <<: *default + +production: + <<: *default diff --git a/variants/backend-base/config/application.rb b/variants/backend-base/config/application.rb index c1eaf394..9b4d8bf9 100644 --- a/variants/backend-base/config/application.rb +++ b/variants/backend-base/config/application.rb @@ -14,6 +14,9 @@ # the empty line at the beginning of this string is required <<-'RUBY' + # load config/app.yml into Rails.application.config.app.* + config.app = config_for(:app) + config.middleware.insert_before Rack::Sendfile, HttpBasicAuth config.action_dispatch.default_headers["Permissions-Policy"] = "interest-cohort=()" diff --git a/variants/backend-base/config/template.rb b/variants/backend-base/config/template.rb index 7752dbb7..e39b216e 100644 --- a/variants/backend-base/config/template.rb +++ b/variants/backend-base/config/template.rb @@ -3,6 +3,7 @@ template "variants/backend-base/config/database.yml.tt", "config/database.yml", force: true copy_file "variants/backend-base/config/secrets.yml", "config/secrets.yml", force: true +copy_file "variants/backend-base/config/app.yml", "config/app.yml" remove_file "config/master.key" remove_file "config/credentials.yml.enc" diff --git a/variants/devise/template.rb b/variants/devise/template.rb index 051808fa..53b7677d 100644 --- a/variants/devise/template.rb +++ b/variants/devise/template.rb 
@@ -53,7 +53,7 @@ def print_header(msg) gsub_file "config/initializers/devise.rb", " config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'", - " config.mailer_sender = Rails.application.secrets.mail_from" + " config.mailer_sender = Rails.application.cofig.app.mail_from" gsub_file "config/initializers/devise.rb", " # config.scoped_views = false", From 96f2c05eda961a41a059302c1bf53043ca32f097 Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Sun, 23 Oct 2022 10:42:54 +1300 Subject: [PATCH 06/26] Update variants/devise/template.rb Co-authored-by: Gareth Jones --- variants/devise/template.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variants/devise/template.rb b/variants/devise/template.rb index 53b7677d..59543fe1 100644 --- a/variants/devise/template.rb +++ b/variants/devise/template.rb @@ -53,7 +53,7 @@ def print_header(msg) gsub_file "config/initializers/devise.rb", " config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'", - " config.mailer_sender = Rails.application.cofig.app.mail_from" + " config.mailer_sender = Rails.application.config.app.mail_from" gsub_file "config/initializers/devise.rb", " # config.scoped_views = false", From 3a6ef51ad193d5ed48e0cbf04d634d6a6741c591 Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Sun, 23 Oct 2022 11:00:26 +1300 Subject: [PATCH 07/26] Generate sensible default secrets for AR encryption --- variants/backend-base/example.env.tt | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/variants/backend-base/example.env.tt b/variants/backend-base/example.env.tt index 7cdc04a8..802538c4 100644 --- a/variants/backend-base/example.env.tt +++ b/variants/backend-base/example.env.tt 
@@ -21,7 +21,16 @@ PORT=3000 SENTRY_CSP_HEADER_REPORT_ENDPOINT=https://SOMECODE.ingest.sentry.io/api/SOMENUMS/security/?sentry_key=SOMETHING SENTRY_ENV=development -# run `bin/rails db:encryption:init` to create real versions of these secrets -ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="TODO_CHANGE_ME" -ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="TODO_CHANGE_ME" -ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="TODO_CHANGE_ME" +# NEVER just copy these secrets from development env to a production env. Run: +# +# bin/rails db:encryption:init +# +# to create new versions of these secrets for each deployed environment (e.g. +# staging, production) +<% +raw_db_encryption_init_output = `bin/rails db:encryption:init` +db_secrets = YAML.load(raw_db_encryption_init_output.sub(/Add.+\n/, "")).fetch("active_record_encryption") +%> +ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="<%= db_secrets.fetch("primary_key") %>" +ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="<%= db_secrets.fetch("deterministic_key") %>" +ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="<%= db_secrets.fetch("key_derivation_salt") %>" From 8a5492d8f5b9eca6bf3ac5486b8cd50b6a801074 Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Sun, 23 Oct 2022 11:00:55 +1300 Subject: [PATCH 08/26] Fail early if an expected secret is not available in the ENV --- variants/backend-base/config/secrets.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/variants/backend-base/config/secrets.yml b/variants/backend-base/config/secrets.yml index ea86f715..6ab18630 100644 --- a/variants/backend-base/config/secrets.yml +++ b/variants/backend-base/config/secrets.yml 
@@ -7,10 +7,11 @@ default: &default # Make sure the secret is at least 30 characters and all random, # no regular words or you'll be exposed to dictionary attacks. # You can use `rails secret` to generate a secure secret key. - secret_key_base: "<%= ENV['RAILS_SECRET_KEY_BASE'] %>" - active_record_encryption_primary_key: "<%= ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'] %>" - active_record_encryption_deterministic_key: "<%= ENV['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'] %>" - active_record_encryption_key_derivation_salt: "<%= ENV['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'] %>" + secret_key_base: "<%= ENV.fetch('RAILS_SECRET_KEY_BASE') %>" + + active_record_encryption_primary_key: "<%= ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY') %>" + active_record_encryption_deterministic_key: "<%= ENV.fetch('ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY') %>" + active_record_encryption_key_derivation_salt: "<%= ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT') %>" development: <<: *default From 7a0a026a597c1a2d8dfdb0910625a0f3c48ee3c6 Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Mon, 24 Oct 2022 09:31:14 +1300 Subject: [PATCH 09/26] Set new required env vars in CI --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9f81ca0b..8a9dd44a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -119,4 +119,8 @@ jobs: PGUSER: postgres PGPASSWORD: postgres PGHOST: localhost + RAILS_SECRET_KEY_BASE: "placeholder" + ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "placeholder" + ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "placeholder" + ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "placeholder" run: ./ci/bin/build-and-test From 0019a73ef40701207988414bbe7406140df40bf1 Mon Sep 17 00:00:00 2001 
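Review bot: `ENV.fetch` on the four secret lines raises only when a variable is absent; a variable that is set but empty still renders as `""`. As far as this diff shows, nothing then rejects a blank ActiveRecord encryption key or salt before it reaches `config.active_record.encryption`. A presence check in the ERB would close that gap, for example `active_record_encryption_primary_key: "<%= ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY').presence || raise('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY is blank') %>"`, repeated for the other keys. The comment above still asks for at least 30 random characters, which nothing here enforces.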
From: Eoin Kelly Date: Mon, 24 Oct 2022 09:44:02 +1300 Subject: [PATCH 10/26] Fix CI --- variants/backend-base/Gemfile.tt | 2 +- variants/backend-base/example.env.tt | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/variants/backend-base/Gemfile.tt b/variants/backend-base/Gemfile.tt index a9cf2368..635d2c1e 100644 --- a/variants/backend-base/Gemfile.tt +++ b/variants/backend-base/Gemfile.tt @@ -1,7 +1,7 @@ source "https://rubygems.org" git_source(:github) { |repo| "https://github.com/#{repo}.git" } -ruby File.read(".ruby-version") +ruby File.read(".ruby-version").strip gem "rails", "<%= Rails.version %>" gem "puma", "~> 5.6" diff --git a/variants/backend-base/example.env.tt b/variants/backend-base/example.env.tt index 802538c4..ff45164d 100644 --- a/variants/backend-base/example.env.tt +++ b/variants/backend-base/example.env.tt @@ -31,6 +31,6 @@ SENTRY_ENV=development raw_db_encryption_init_output = `bin/rails db:encryption:init` db_secrets = YAML.load(raw_db_encryption_init_output.sub(/Add.+\n/, "")).fetch("active_record_encryption") %> -ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="<%= db_secrets.fetch("primary_key") %>" -ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="<%= db_secrets.fetch("deterministic_key") %>" -ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="<%= db_secrets.fetch("key_derivation_salt") %>" +ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="<%= db_secrets.fetch("primary_key", "FAILED_TO_GENERATE_DEFAULT_PRIMARY_KEY") %>" +ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="<%= db_secrets.fetch("deterministic_key", "FAILED_TO_GENERATE_DEFAULT_DETERMINISTIC_KEY") %>" +ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="<%= db_secrets.fetch("key_derivation_salt", "FAILED_TO_GENERATE_DEFAULT_KEY_DERIVATION_SALT") %>" From 64fb8f2a106e195ae0ba4221060355126ba3281c Mon Sep 17 00:00:00 2001 
From: Eoin Kelly Date: Mon, 24 Oct 2022 10:02:03 +1300 Subject: [PATCH 11/26] CI fix attempt 2 --- variants/backend-base/Gemfile.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variants/backend-base/Gemfile.tt b/variants/backend-base/Gemfile.tt index 635d2c1e..8e8e9c21 100644 --- a/variants/backend-base/Gemfile.tt +++ b/variants/backend-base/Gemfile.tt @@ -1,7 +1,7 @@ source "https://rubygems.org" git_source(:github) { |repo| "https://github.com/#{repo}.git" } -ruby File.read(".ruby-version").strip +ruby File.read(".ruby-version").gsub("ruby-", "").strip gem "rails", "<%= Rails.version %>" gem "puma", "~> 5.6" From 4c8981a83c2bdf13037adda60e0cb91ee474c4d8 Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Mon, 24 Oct 2022 10:15:10 +1300 Subject: [PATCH 12/26] Add debug logging to db:encryption:init --- variants/backend-base/example.env.tt | 29 +++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/variants/backend-base/example.env.tt b/variants/backend-base/example.env.tt index ff45164d..8e910e5e 100644 --- a/variants/backend-base/example.env.tt +++ b/variants/backend-base/example.env.tt 
@@ -28,9 +28,28 @@ SENTRY_ENV=development # to create new versions of these secrets for each deployed environment (e.g. # staging, production) <% -raw_db_encryption_init_output = `bin/rails db:encryption:init` -db_secrets = YAML.load(raw_db_encryption_init_output.sub(/Add.+\n/, "")).fetch("active_record_encryption") +db_secrets = begin + puts "DB_ENCRYPTION_INIT: Running rails db:encryption:init" + + raw = `bin/rails db:encryption:init` + puts "DB_ENCRYPTION_INIT: Raw output: '#{raw}'" + + unparsed_yaml = raw.sub(/Add.+\n/, "") + puts "DB_ENCRYPTION_INIT: Unparsed YAML: '#{unparsed_yaml}'" + + parsed = YAML.load(unparsed_yaml) + puts "DB_ENCRYPTION_INIT: Parsed YAML: '#{parsed.inspect}'" + + parsed.fetch("active_record_encryption") + rescue StandardError => e + puts "DB_ENCRYPTION_INIT: Recovering from error: #{e.inspect}" + { + "primary_key" => "FAILED_TO_GENERATE_DEFAULT_PRIMARY_KEY", + "deterministic_key" => "FAILED_TO_GENERATE_DEFAULT_DETERMINISTIC_KEY", + "key_derivation_salt" => "FAILED_TO_GENERATE_DEFAULT_KEY_DERIVATION_SALT" + } + end %> -ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="<%= db_secrets.fetch("primary_key", "FAILED_TO_GENERATE_DEFAULT_PRIMARY_KEY") %>" -ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="<%= db_secrets.fetch("deterministic_key", "FAILED_TO_GENERATE_DEFAULT_DETERMINISTIC_KEY") %>" -ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="<%= db_secrets.fetch("key_derivation_salt", "FAILED_TO_GENERATE_DEFAULT_KEY_DERIVATION_SALT") %>" +ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="<%= db_secrets.fetch("primary_key") %>" +ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="<%= db_secrets.fetch("deterministic_key") %>" +ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="<%= db_secrets.fetch("key_derivation_salt") %>" From 59d83707d2a7fe95450974c764db356a95358c28 Mon Sep 17 00:00:00 2001 
From: Eoin Kelly Date: Mon, 24 Oct 2022 10:48:44 +1300 Subject: [PATCH 13/26] Fix chicken & egg of needing ENV vars to exist before we can set their values --- template.rb | 2 ++ variants/backend-base/example.env.tt | 29 ++----------------- .../set_active_record_encryption_secrets.rb | 25 ++++++++++++++++ 3 files changed, 30 insertions(+), 26 deletions(-) create mode 100644 variants/backend-base/set_active_record_encryption_secrets.rb diff --git a/template.rb b/template.rb index 8f356ebf..1b02e1ad 100644 --- a/template.rb +++ b/template.rb @@ -119,6 +119,8 @@ def apply_template! # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Met run_with_clean_bundler_env "bin/setup" + apply "variants/backend-base/set_active_record_encryption_secrets.rb" + apply "variants/frontend-base/template.rb" apply "variants/frontend-base/sentry/template.rb" apply "variants/frontend-base/js-lint/template.rb" diff --git a/variants/backend-base/example.env.tt b/variants/backend-base/example.env.tt index 8e910e5e..4564b4e2 100644 --- a/variants/backend-base/example.env.tt +++ b/variants/backend-base/example.env.tt 
@@ -27,29 +27,6 @@ SENTRY_ENV=development # # to create new versions of these secrets for each deployed environment (e.g. # staging, production) -<% -db_secrets = begin - puts "DB_ENCRYPTION_INIT: Running rails db:encryption:init" - - raw = `bin/rails db:encryption:init` - puts "DB_ENCRYPTION_INIT: Raw output: '#{raw}'" - - unparsed_yaml = raw.sub(/Add.+\n/, "") - puts "DB_ENCRYPTION_INIT: Unparsed YAML: '#{unparsed_yaml}'" - - parsed = YAML.load(unparsed_yaml) - puts "DB_ENCRYPTION_INIT: Parsed YAML: '#{parsed.inspect}'" - - parsed.fetch("active_record_encryption") - rescue StandardError => e - puts "DB_ENCRYPTION_INIT: Recovering from error: #{e.inspect}" - { - "primary_key" => "FAILED_TO_GENERATE_DEFAULT_PRIMARY_KEY", - "deterministic_key" => "FAILED_TO_GENERATE_DEFAULT_DETERMINISTIC_KEY", - "key_derivation_salt" => "FAILED_TO_GENERATE_DEFAULT_KEY_DERIVATION_SALT" - } - end -%> -ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="<%= db_secrets.fetch("primary_key") %>" -ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="<%= db_secrets.fetch("deterministic_key") %>" -ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="<%= db_secrets.fetch("key_derivation_salt") %>" +ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="PLACEHOLDER_PRIMARY_KEY" +ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="PLACEHOLDER_DETERMINISTIC_KEY" +ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="PLACEHOLDER_KEY_DERIVATION_SALT" diff --git a/variants/backend-base/set_active_record_encryption_secrets.rb b/variants/backend-base/set_active_record_encryption_secrets.rb new file mode 100644 index 00000000..a03e9b5c --- /dev/null +++ b/variants/backend-base/set_active_record_encryption_secrets.rb 
@@ -0,0 +1,25 @@ +db_secrets = begin + puts "DB_ENCRYPTION_INIT: Running rails db:encryption:init" + + raw = `bin/rails db:encryption:init` + puts "DB_ENCRYPTION_INIT: Raw output: '#{raw}'" + + unparsed_yaml = raw.sub(/Add.+\n/, "") + puts "DB_ENCRYPTION_INIT: Unparsed YAML: '#{unparsed_yaml}'" + + parsed = YAML.load(unparsed_yaml) + puts "DB_ENCRYPTION_INIT: Parsed YAML: '#{parsed.inspect}'" + + parsed.fetch("active_record_encryption") +rescue StandardError => e + puts "DB_ENCRYPTION_INIT: Recovering from error: #{e.inspect}" + { + "primary_key" => "FAILED_TO_GENERATE_DEFAULT_PRIMARY_KEY", + "deterministic_key" => "FAILED_TO_GENERATE_DEFAULT_DETERMINISTIC_KEY", + "key_derivation_salt" => "FAILED_TO_GENERATE_DEFAULT_KEY_DERIVATION_SALT" + } +end + +gsub_file("example.env", "PLACEHOLDER_PRIMARY_KEY", db_secrets.fetch("primary_key")) +gsub_file("example.env", "PLACEHOLDER_DETERMINISTIC_KEY", db_secrets.fetch("deterministic_key")) +gsub_file("example.env", "PLACEHOLDER_KEY_DERIVATION_SALT", db_secrets.fetch("key_derivation_salt")) From 1633c3cfd509e4881ca49d1329cdc8aef2ca255f Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Mon, 24 Oct 2022 10:48:54 +1300 Subject: [PATCH 14/26] Undo previous attempted fix --- variants/backend-base/Gemfile.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variants/backend-base/Gemfile.tt b/variants/backend-base/Gemfile.tt index 8e8e9c21..a9cf2368 100644 --- a/variants/backend-base/Gemfile.tt +++ b/variants/backend-base/Gemfile.tt @@ -1,7 +1,7 @@ source "https://rubygems.org" git_source(:github) { |repo| "https://github.com/#{repo}.git" } -ruby File.read(".ruby-version").gsub("ruby-", "").strip +ruby File.read(".ruby-version") gem "rails", "<%= Rails.version %>" gem "puma", "~> 5.6" From 08737b98f447835d362fed166561c4d443a3e202 Mon Sep 17 00:00:00 2001 
From: Eoin Kelly Date: Mon, 24 Oct 2022 10:51:11 +1300 Subject: [PATCH 15/26] Use safe_load as suggested by rubocop --- variants/backend-base/set_active_record_encryption_secrets.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variants/backend-base/set_active_record_encryption_secrets.rb b/variants/backend-base/set_active_record_encryption_secrets.rb index a03e9b5c..74c7973d 100644 --- a/variants/backend-base/set_active_record_encryption_secrets.rb +++ b/variants/backend-base/set_active_record_encryption_secrets.rb @@ -7,7 +7,7 @@ unparsed_yaml = raw.sub(/Add.+\n/, "") puts "DB_ENCRYPTION_INIT: Unparsed YAML: '#{unparsed_yaml}'" - parsed = YAML.load(unparsed_yaml) + parsed = YAML.safe_load(unparsed_yaml) puts "DB_ENCRYPTION_INIT: Parsed YAML: '#{parsed.inspect}'" parsed.fetch("active_record_encryption") From 6a7dc47a99560458380dc0b886a5af65dc715b6c Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Mon, 24 Oct 2022 11:01:27 +1300 Subject: [PATCH 16/26] Tone down output --- .../set_active_record_encryption_secrets.rb | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/variants/backend-base/set_active_record_encryption_secrets.rb b/variants/backend-base/set_active_record_encryption_secrets.rb index 74c7973d..e65a7267 100644 --- a/variants/backend-base/set_active_record_encryption_secrets.rb +++ b/variants/backend-base/set_active_record_encryption_secrets.rb 
@@ -1,18 +1,12 @@ db_secrets = begin - puts "DB_ENCRYPTION_INIT: Running rails db:encryption:init" + puts "DB_ENCRYPTION_INIT: Running rails db:encryption:init to set realistic values in ENV variables" raw = `bin/rails db:encryption:init` - puts "DB_ENCRYPTION_INIT: Raw output: '#{raw}'" - unparsed_yaml = raw.sub(/Add.+\n/, "") - puts "DB_ENCRYPTION_INIT: Unparsed YAML: '#{unparsed_yaml}'" - parsed = YAML.safe_load(unparsed_yaml) - puts "DB_ENCRYPTION_INIT: Parsed YAML: '#{parsed.inspect}'" - parsed.fetch("active_record_encryption") rescue StandardError => e - puts "DB_ENCRYPTION_INIT: Recovering from error: #{e.inspect}" + puts "DB_ENCRYPTION_INIT: Recovering from error: #{e.inspect}" { "primary_key" => "FAILED_TO_GENERATE_DEFAULT_PRIMARY_KEY", "deterministic_key" => "FAILED_TO_GENERATE_DEFAULT_DETERMINISTIC_KEY", From d161f74d5091706af55696fd8a87393b8c966823 Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Sat, 6 May 2023 12:50:35 +1200 Subject: [PATCH 17/26] Check for placeholder secrets at app boot --- .../config/initializers/check_env.rb | 44 ++++++++++++++++--- 1 file changed, 39 insertions(+), 5 deletions(-) diff --git a/variants/backend-base/config/initializers/check_env.rb b/variants/backend-base/config/initializers/check_env.rb index 9bed9695..9adb5c11 100644 --- a/variants/backend-base/config/initializers/check_env.rb +++ b/variants/backend-base/config/initializers/check_env.rb 
@@ -1,8 +1,42 @@ -# frozen-string-literal: true +class VerifyPlaceholderSecretsNotUsedForReal + class << self + PLACEHOLDER_PREFIX_REGEX = /(PLACEHOLDER|FAILED_TO_GENERATE)/.freeze -# RAILS_SECRET_KEY_BASE should be set to something other than its value in example.env + def run + return if local? -if Rails.env.production? && Rails.root.join("example.env").read.include?(ENV.fetch("RAILS_SECRET_KEY_BASE")) - fail "RAILS_SECRET_KEY_BASE is unchanged from example.env. " \ - "Generate a new one with `bundle exec rails secret`" + verify_secret_key_base + verify_activerecord_encryption_secrets + end + + private + + def verify_secret_key_base + return unless Rails.root.join("example.env").read.include?(ENV.fetch("RAILS_SECRET_KEY_BASE")) + + fail "RAILS_SECRET_KEY_BASE is unchanged from example.env. Generate a new one with `bundle exec rails secret`" + end + + ## + # Verify that placeholder values created by the Ackama rails template are + # not being used for real. + # + def verify_activerecord_encryption_secrets # rubocop:disable Metrics/AbcSize + secrets = [ + Rails.application.config.active_record.encryption.primary_key, + Rails.application.config.active_record.encryption.deterministic_key, + Rails.application.config.active_record.encryption.key_derivation_salt + ] + + secrets.each do |secret| + fail "Insecure ENV: ActiveRecored encrypted credentials env contain in insecure placeholder value." if secret.match?(PLACEHOLDER_PREFIX_REGEX) + end + end + + def local? + Rails.env.development? || Rails.env.test? + end + end end + +VerifyPlaceholderSecretsNotUsedForReal.run From d8f32938c753648bfec645b0a89fb755c876f579 Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Sat, 6 May 2023 12:51:09 +1200 Subject: [PATCH 18/26] Generate separate ActiveRecord encryption secrets for example.env and .env --- .../set_active_record_encryption_secrets.rb | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) 
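Review bot: In `verify_activerecord_encryption_secrets`, `secret.match?(PLACEHOLDER_PREFIX_REGEX)` rejects only the two marker prefixes, so an empty-string key passes the check and a `nil` key aborts boot with a `NoMethodError` instead of the intended message. Both can presumably occur when the ENV variables are unset, since the values are assigned from `Rails.application.secrets`. Treating a blank value as insecure closes the gap: use `if secret.blank? || secret.match?(PLACEHOLDER_PREFIX_REGEX)` as the condition. Separately, `run` now applies to every environment other than development and test rather than only production, and `verify_secret_key_base` reads `example.env` at boot, so that file must be present in every deployed artifact; a short comment on `run` stating this would help.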
diff --git a/variants/backend-base/set_active_record_encryption_secrets.rb b/variants/backend-base/set_active_record_encryption_secrets.rb index e65a7267..03eead91 100644 --- a/variants/backend-base/set_active_record_encryption_secrets.rb +++ b/variants/backend-base/set_active_record_encryption_secrets.rb @@ -1,4 +1,4 @@ -db_secrets = begin +def generate_db_secrets puts "DB_ENCRYPTION_INIT: Running rails db:encryption:init to set realistic values in ENV variables" raw = `bin/rails db:encryption:init` @@ -14,6 +14,15 @@ } end -gsub_file("example.env", "PLACEHOLDER_PRIMARY_KEY", db_secrets.fetch("primary_key")) -gsub_file("example.env", "PLACEHOLDER_DETERMINISTIC_KEY", db_secrets.fetch("deterministic_key")) -gsub_file("example.env", "PLACEHOLDER_KEY_DERIVATION_SALT", db_secrets.fetch("key_derivation_salt")) +# To avoid setting a bad security example we don't use the same secrets for the +# example.env (which is checked in) and your local .env file. +example_env_db_secrets = generate_db_secrets +dot_env_db_secrets = generate_db_secrets + +gsub_file("example.env", "PLACEHOLDER_PRIMARY_KEY", example_env_db_secrets.fetch("primary_key")) +gsub_file("example.env", "PLACEHOLDER_DETERMINISTIC_KEY", example_env_db_secrets.fetch("deterministic_key")) +gsub_file("example.env", "PLACEHOLDER_KEY_DERIVATION_SALT", example_env_db_secrets.fetch("key_derivation_salt")) + +gsub_file(".env", "PLACEHOLDER_PRIMARY_KEY", dot_env_db_secrets.fetch("primary_key")) +gsub_file(".env", "PLACEHOLDER_DETERMINISTIC_KEY", dot_env_db_secrets.fetch("deterministic_key")) +gsub_file(".env", "PLACEHOLDER_KEY_DERIVATION_SALT", dot_env_db_secrets.fetch("key_derivation_salt")) From 944a40eceb1dae5440500f8c926d1faf3dfcfc1e Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Mon, 24 Jul 2023 07:41:25 +1200 Subject: [PATCH 19/26] Update variants/backend-base/config/app.yml Co-authored-by: Gareth Jones --- variants/backend-base/config/app.yml | 1 - 1 file changed, 1 deletion(-) 
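Review bot: In the second hunk of `set_active_record_encryption_secrets.rb`, the three `gsub_file("example.env", ...)` calls replace the `PLACEHOLDER_*` markers with realistic generated values in a file that the added comment says is checked in. Those values are then public, and they no longer match `PLACEHOLDER_PREFIX_REGEX` in `config/initializers/check_env.rb`, so a deployment configured from `example.env` would pass `verify_activerecord_encryption_secrets`. Leaving the markers in `example.env` and substituting only into `.env` would keep that boot check effective. If generation fails, both files receive the same `FAILED_TO_GENERATE_*` strings, which the comment about using separate secrets should mention.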
diff --git a/variants/backend-base/config/app.yml b/variants/backend-base/config/app.yml index 3ca7c5c0..30c82e80 100644 --- a/variants/backend-base/config/app.yml +++ b/variants/backend-base/config/app.yml @@ -8,7 +8,6 @@ default: &default # The default `From:` address to use for email sent by this application - # obviously isn't a secret per se, but configuring it here is convenient mail_from: "<%= ENV['MAIL_FROM'] %>" development: From 61a18baec58708efe57570b9b0694e0887444bdc Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Mon, 24 Jul 2023 07:41:45 +1200 Subject: [PATCH 20/26] Update variants/backend-base/config/initializers/check_env.rb Co-authored-by: Gareth Jones --- variants/backend-base/config/initializers/check_env.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variants/backend-base/config/initializers/check_env.rb b/variants/backend-base/config/initializers/check_env.rb index 9adb5c11..536ca937 100644 --- a/variants/backend-base/config/initializers/check_env.rb +++ b/variants/backend-base/config/initializers/check_env.rb @@ -29,7 +29,7 @@ def verify_activerecord_encryption_secrets # rubocop:disable Metrics/AbcSize ] secrets.each do |secret| - fail "Insecure ENV: ActiveRecored encrypted credentials env contain in insecure placeholder value." if secret.match?(PLACEHOLDER_PREFIX_REGEX) + fail "Insecure ENV: ActiveRecored encrypted credentials env contain an insecure placeholder value. Generate new ones with `bundle exec rails db:encryption:init`" if secret.match?(PLACEHOLDER_PREFIX_REGEX) end end From 32470999cb678f2f7f76488a7f32f97a2687607b Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Mon, 24 Jul 2023 07:42:13 +1200 Subject: [PATCH 21/26] Update variants/backend-base/config/initializers/check_env.rb Co-authored-by: Gareth Jones --- variants/backend-base/config/initializers/check_env.rb | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/variants/backend-base/config/initializers/check_env.rb b/variants/backend-base/config/initializers/check_env.rb index 536ca937..a121dda6 100644 --- a/variants/backend-base/config/initializers/check_env.rb +++ b/variants/backend-base/config/initializers/check_env.rb @@ -17,10 +17,8 @@ def verify_secret_key_base fail "RAILS_SECRET_KEY_BASE is unchanged from example.env. Generate a new one with `bundle exec rails secret`" end - ## # Verify that placeholder values created by the Ackama rails template are # not being used for real. - # def verify_activerecord_encryption_secrets # rubocop:disable Metrics/AbcSize secrets = [ Rails.application.config.active_record.encryption.primary_key, From 8f91295795f0765e5e5a116a906002bd613c00fb Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Mon, 24 Jul 2023 08:09:38 +1200 Subject: [PATCH 22/26] Improve comment based on PR feedback --- variants/backend-base/config/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/variants/backend-base/config/secrets.yml b/variants/backend-base/config/secrets.yml index 6ab18630..5221109e 100644 --- a/variants/backend-base/config/secrets.yml +++ b/variants/backend-base/config/secrets.yml @@ -1,5 +1,7 @@ -# Do NOT put secrets directly into this file. All secrets should be loaded from ENV! -# Be sure to restart your server when you modify this file. +# Sensitive app config values from ENV should be loaded in this file. +# +# Do NOT put secrets **directly** into this file. All secrets should be loaded +# from ENV! Be sure to restart your server when you modify this file. default: &default # Your secret key is used for verifying the integrity of signed cookies. From 24f115344b41f831e375aa0fbc150e7697a53c40 Mon Sep 17 00:00:00 2001 
From: Eoin Kelly Date: Mon, 24 Jul 2023 08:11:10 +1200 Subject: [PATCH 23/26] Update variants/backend-base/example.env.tt Co-authored-by: Gareth Jones --- variants/backend-base/example.env.tt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/variants/backend-base/example.env.tt b/variants/backend-base/example.env.tt index 4564b4e2..c00925b4 100644 --- a/variants/backend-base/example.env.tt +++ b/variants/backend-base/example.env.tt @@ -27,6 +27,6 @@ SENTRY_ENV=development # # to create new versions of these secrets for each deployed environment (e.g. # staging, production) -ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="PLACEHOLDER_PRIMARY_KEY" -ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="PLACEHOLDER_DETERMINISTIC_KEY" -ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="PLACEHOLDER_KEY_DERIVATION_SALT" +ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=<%= SecureRandom.alphanumeric(32) %> +ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=<%= SecureRandom.alphanumeric(32) %> +ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=<%= SecureRandom.alphanumeric(32) %> From 380192014358ab5a150243be72dde6f559f53e3f Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Mon, 24 Jul 2023 08:12:50 +1200 Subject: [PATCH 24/26] Add missing end removed by merge --- variants/backend-base/config/initializers/check_env.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/variants/backend-base/config/initializers/check_env.rb b/variants/backend-base/config/initializers/check_env.rb index 8a804fe9..a121dda6 100644 --- a/variants/backend-base/config/initializers/check_env.rb +++ b/variants/backend-base/config/initializers/check_env.rb @@ -35,5 +35,6 @@ def local? Rails.env.development? || Rails.env.test? end end +end VerifyPlaceholderSecretsNotUsedForReal.run From 31acec37d0890bbb6d42c9825f3b09bcf352490c Mon Sep 17 00:00:00 2001 
From: Eoin Kelly Date: Mon, 24 Jul 2023 08:39:28 +1200 Subject: [PATCH 25/26] Ensure new auto-generated example.env secrets not used in prod --- .../config/initializers/check_env.rb | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/variants/backend-base/config/initializers/check_env.rb b/variants/backend-base/config/initializers/check_env.rb index a121dda6..69f5bd97 100644 --- a/variants/backend-base/config/initializers/check_env.rb +++ b/variants/backend-base/config/initializers/check_env.rb @@ -1,6 +1,10 @@ class VerifyPlaceholderSecretsNotUsedForReal class << self - PLACEHOLDER_PREFIX_REGEX = /(PLACEHOLDER|FAILED_TO_GENERATE)/.freeze + DB_ENCRYPTION_ENV_VAR_NAMES = %w[ + ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY + ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY + ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT + ].freeze def run return if local? 
@@ -14,20 +18,16 @@ def run def verify_secret_key_base return unless Rails.root.join("example.env").read.include?(ENV.fetch("RAILS_SECRET_KEY_BASE")) - fail "RAILS_SECRET_KEY_BASE is unchanged from example.env. Generate a new one with `bundle exec rails secret`" + raise "RAILS_SECRET_KEY_BASE is unchanged from example.env. Generate a new one with `bundle exec rails secret`" end # Verify that placeholder values created by the Ackama rails template are # not being used for real. - def verify_activerecord_encryption_secrets # rubocop:disable Metrics/AbcSize - secrets = [ - Rails.application.config.active_record.encryption.primary_key, - Rails.application.config.active_record.encryption.deterministic_key, - Rails.application.config.active_record.encryption.key_derivation_salt - ] - - secrets.each do |secret| - fail "Insecure ENV: ActiveRecored encrypted credentials env contain an insecure placeholder value. Generate new ones with `bundle exec rails db:encryption:init`" if secret.match?(PLACEHOLDER_PREFIX_REGEX) + def verify_activerecord_encryption_secrets + example_env_contents = Rails.root.join("example.env").read + + DB_ENCRYPTION_ENV_VAR_NAMES.each do |env_var_name| + raise "#{env_var_name} is unchanged from example.env. Generate a new one with `bundle exec rails db:encryption:init`" if example_env_contents.include?(ENV.fetch(env_var_name)) end end From c6f4dc33353f0af905201bb5a8687eb2fc61b253 Mon Sep 17 00:00:00 2001 From: Eoin Kelly Date: Mon, 24 Jul 2023 08:52:34 +1200 Subject: [PATCH 26/26] Remove unnecessary tweaking of db:encryption secrets --- template.rb | 2 -- .../set_active_record_encryption_secrets.rb | 28 ------------------- 2 files changed, 30 deletions(-) delete mode 100644 variants/backend-base/set_active_record_encryption_secrets.rb diff --git a/template.rb b/template.rb index 8b9e09fc..79d157bf 100644 --- a/template.rb +++ b/template.rb 
@@ -117,8 +117,6 @@ def apply_template! # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Met run_with_clean_bundler_env "bin/setup" - apply "variants/backend-base/set_active_record_encryption_secrets.rb" - apply "variants/frontend-base/template.rb" apply "variants/frontend-base/sentry/template.rb" apply "variants/frontend-base/js-lint/template.rb" diff --git a/variants/backend-base/set_active_record_encryption_secrets.rb b/variants/backend-base/set_active_record_encryption_secrets.rb deleted file mode 100644 index 03eead91..00000000 --- a/variants/backend-base/set_active_record_encryption_secrets.rb +++ /dev/null 
@@ -1,28 +0,0 @@ -def generate_db_secrets - puts "DB_ENCRYPTION_INIT: Running rails db:encryption:init to set realistic values in ENV variables" - - raw = `bin/rails db:encryption:init` - unparsed_yaml = raw.sub(/Add.+\n/, "") - parsed = YAML.safe_load(unparsed_yaml) - parsed.fetch("active_record_encryption") -rescue StandardError => e - puts "DB_ENCRYPTION_INIT: Recovering from error: #{e.inspect}" - { - "primary_key" => "FAILED_TO_GENERATE_DEFAULT_PRIMARY_KEY", - "deterministic_key" => "FAILED_TO_GENERATE_DEFAULT_DETERMINISTIC_KEY", - "key_derivation_salt" => "FAILED_TO_GENERATE_DEFAULT_KEY_DERIVATION_SALT" - } -end - -# To avoid setting a bad security example we don't use the same secrets for the -# example.env (which is checked in) and your local .env file. -example_env_db_secrets = generate_db_secrets -dot_env_db_secrets = generate_db_secrets - -gsub_file("example.env", "PLACEHOLDER_PRIMARY_KEY", example_env_db_secrets.fetch("primary_key")) -gsub_file("example.env", "PLACEHOLDER_DETERMINISTIC_KEY", example_env_db_secrets.fetch("deterministic_key")) -gsub_file("example.env", "PLACEHOLDER_KEY_DERIVATION_SALT", example_env_db_secrets.fetch("key_derivation_salt")) - -gsub_file(".env", "PLACEHOLDER_PRIMARY_KEY", dot_env_db_secrets.fetch("primary_key")) -gsub_file(".env", "PLACEHOLDER_DETERMINISTIC_KEY", dot_env_db_secrets.fetch("deterministic_key")) -gsub_file(".env", "PLACEHOLDER_KEY_DERIVATION_SALT", dot_env_db_secrets.fetch("key_derivation_salt"))