Issue 341 modernise secret handling

.github/workflows/ci.yml

@@ -149,4 +149,8 @@ jobs:
           PGUSER: postgres
           PGPASSWORD: postgres
           PGHOST: localhost
+          RAILS_SECRET_KEY_BASE: "placeholder"
+          ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "placeholder"
+          ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "placeholder"
+          ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "placeholder"
         run: ./ci/bin/build-and-test

template.rb

@@ -83,7 +83,6 @@ def apply_template! # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Met
   template "variants/backend-base/Gemfile.tt", "Gemfile", force: true
 
   template "variants/backend-base/example.env.tt", "example.env"
-  template "variants/backend-base/example.env.tt", ".env"
   copy_file "variants/backend-base/editorconfig", ".editorconfig"
   copy_file "variants/backend-base/gitignore", ".gitignore", force: true
   copy_file "variants/backend-base/overcommit.yml", ".overcommit.yml"
@@ -118,6 +117,8 @@ def apply_template! # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Met
 
     run_with_clean_bundler_env "bin/setup"
 
+    apply "variants/backend-base/set_active_record_encryption_secrets.rb"
+
     apply "variants/frontend-base/template.rb"
     apply "variants/frontend-base/sentry/template.rb"
     apply "variants/frontend-base/js-lint/template.rb"

variants/backend-base/app/template.rb

@@ -19,4 +19,4 @@
 # Configure the default mailer to use the our default from address
 gsub_file "app/mailers/application_mailer.rb",
           "default from: 'from@example.com'",
-          "default from: Rails.application.secrets.mail_from"
+          "default from: Rails.application.config.app.mail_from"

variants/backend-base/bin/setup

@@ -8,7 +8,6 @@ def setup!
     run  "yarn install" if File.exist?("yarn.lock")
     run  "bundle exec overcommit --install"
     copy "example.env"
-    copy "config/secrets.example.yml"
     test_local_env_contains_required_keys
     run  "bin/rake tmp:create"
     run  "bin/rake db:prepare"

variants/backend-base/config/app.yml

@@ -0,0 +1,24 @@
+# Be sure to restart your server when you modify this file.
+#
+# Use this file to load non-sensitive app config from ENV. Config values here
+# will be loaded into `Rails.application.config.app`.
+#
+# Sensitive config should be put in `config/secrets.yml` (which will load it
+# into `Rails.application.secrets`)
+
+default: &default
+  # The default `From:` address to use for email sent by this application
+  # obviously isn't a secret per se, but configuring it here is convenient
+  mail_from: "<%= ENV['MAIL_FROM'] %>"
+
+development:
+  <<: *default
+
+test:
+  <<: *default
+
+staging:
+  <<: *default
+
+production:
+  <<: *default

variants/backend-base/config/application.rb

@@ -14,8 +14,21 @@
   # the empty line at the beginning of this string is required
   <<-'RUBY'
 
+    # load config/app.yml into Rails.application.config.app.*
+    config.app = config_for(:app)
+
     config.middleware.insert_before Rack::Sendfile, HttpBasicAuth
     config.action_dispatch.default_headers["Permissions-Policy"] = "interest-cohort=()"
+
+    # ActiveRecord encrypted attributes expectes to find the key secrets under
+    # `config.active_record.encryption.*`. If the secrets were stored in Rails
+    # encrypted credentials file then Rails would map them automatically for us.
+    # We prefer to store the secrets in the ENV and load them through
+    # `config/secrets.yml` so we have to manually assign them here.
+    config.active_record.encryption.primary_key = Rails.application.secrets.active_record_encryption_primary_key
+    config.active_record.encryption.deterministic_key = Rails.application.secrets.active_record_encryption_deterministic_key
+    config.active_record.encryption.key_derivation_salt = Rails.application.secrets.active_record_encryption_key_derivation_salt
+
     config.action_dispatch.default_headers["X-Frame-Options"] = "DENY"
   RUBY
 end

variants/backend-base/config/initializers/check_env.rb

@@ -1,8 +1,42 @@
-# frozen-string-literal: true
+class VerifyPlaceholderSecretsNotUsedForReal
+  class << self
+    PLACEHOLDER_PREFIX_REGEX = /(PLACEHOLDER|FAILED_TO_GENERATE)/.freeze
 
-# RAILS_SECRET_KEY_BASE should be set to something other than its value in example.env
+    def run
+      return if local?
 
-if Rails.env.production? && Rails.root.join("example.env").read.include?(ENV.fetch("RAILS_SECRET_KEY_BASE"))
-  fail "RAILS_SECRET_KEY_BASE is unchanged from example.env. " \
-       "Generate a new one with `bundle exec rails secret`"
+      verify_secret_key_base
+      verify_activerecord_encryption_secrets
+    end
+
+    private
+
+    def verify_secret_key_base
+      return unless Rails.root.join("example.env").read.include?(ENV.fetch("RAILS_SECRET_KEY_BASE"))
+
+      fail "RAILS_SECRET_KEY_BASE is unchanged from example.env. Generate a new one with `bundle exec rails secret`"
+    end
+
+    ##
+    # Verify that placeholder values created by the Ackama rails template are
+    # not being used for real.
+    #
+    def verify_activerecord_encryption_secrets # rubocop:disable Metrics/AbcSize
+      secrets = [
+        Rails.application.config.active_record.encryption.primary_key,
+        Rails.application.config.active_record.encryption.deterministic_key,
+        Rails.application.config.active_record.encryption.key_derivation_salt
+      ]
+
+      secrets.each do |secret|
+        fail "Insecure ENV: ActiveRecored encrypted credentials env contain in insecure placeholder value." if secret.match?(PLACEHOLDER_PREFIX_REGEX)
+      end
+    end
+
+    def local?
+      Rails.env.development? || Rails.env.test?
+    end
+  end
 end
+
+VerifyPlaceholderSecretsNotUsedForReal.run

variants/backend-base/config/secrets.yml

@@ -0,0 +1,26 @@
+# Do NOT put secrets directly into this file. All secrets should be loaded from ENV!
+# Be sure to restart your server when you modify this file.
+
+default: &default
+  # Your secret key is used for verifying the integrity of signed cookies.
+  # If you change this key, all old signed cookies will become invalid!
+  # Make sure the secret is at least 30 characters and all random,
+  # no regular words or you'll be exposed to dictionary attacks.
+  # You can use `rails secret` to generate a secure secret key.
+  secret_key_base: "<%= ENV.fetch('RAILS_SECRET_KEY_BASE') %>"
+
+  active_record_encryption_primary_key: "<%= ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY') %>"
+  active_record_encryption_deterministic_key: "<%= ENV.fetch('ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY') %>"
+  active_record_encryption_key_derivation_salt: "<%= ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT') %>"
+
+development:
+  <<: *default
+
+test:
+  <<: *default
+
+staging:
+  <<: *default
+
+production:
+  <<: *default

variants/backend-base/config/template.rb

@@ -2,8 +2,10 @@
 
 template "variants/backend-base/config/database.yml.tt", "config/database.yml", force: true
 
-template "variants/backend-base/config/secrets.example.yml.tt", "config/secrets.example.yml"
-remove_file "config/secrets.yml"
+copy_file "variants/backend-base/config/secrets.yml", "config/secrets.yml", force: true
+copy_file "variants/backend-base/config/app.yml", "config/app.yml"
+remove_file "config/master.key"
+remove_file "config/credentials.yml.enc"
 
 copy_file "variants/backend-base/config/puma.rb", "config/puma.rb", force: true
 

variants/backend-base/example.env.tt

@@ -1,9 +1,3 @@
-# Copy this file into a new file called ".envrc" in the root of the project.
-# Access values like this: ENV["RAILS_SECRET_KEY_BASE"]
-#
-# The purpose of this file is to keep secrets out of source control.
-# For more information, see: direnv.net
-
 # The environment variables below can be uncommented to enable HTTP basic
 # authentication
 # HTTP_BASIC_AUTH_USERNAME=example
@@ -26,3 +20,13 @@ PORT=3000
 # SENTRY_DSN=http://public@example.com/project-id
 SENTRY_CSP_HEADER_REPORT_ENDPOINT=https://SOMECODE.ingest.sentry.io/api/SOMENUMS/security/?sentry_key=SOMETHING
 SENTRY_ENV=development
+
+# NEVER just copy these secrets from development env to a production env.  Run:
+#
+#     bin/rails db:encryption:init
+#
+# to create new versions of these secrets for each deployed environment (e.g.
+# staging, production)
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="PLACEHOLDER_PRIMARY_KEY"
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="PLACEHOLDER_DETERMINISTIC_KEY"
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="PLACEHOLDER_KEY_DERIVATION_SALT"

variants/backend-base/set_active_record_encryption_secrets.rb

@@ -0,0 +1,28 @@
+def generate_db_secrets
+  puts "DB_ENCRYPTION_INIT: Running rails db:encryption:init to set realistic values in ENV variables"
+
+  raw = `bin/rails db:encryption:init`
+  unparsed_yaml = raw.sub(/Add.+\n/, "")
+  parsed = YAML.safe_load(unparsed_yaml)
+  parsed.fetch("active_record_encryption")
+rescue StandardError => e
+  puts "DB_ENCRYPTION_INIT: Recovering from error: #{e.inspect}"
+  {
+    "primary_key" => "FAILED_TO_GENERATE_DEFAULT_PRIMARY_KEY",
+    "deterministic_key" => "FAILED_TO_GENERATE_DEFAULT_DETERMINISTIC_KEY",
+    "key_derivation_salt" => "FAILED_TO_GENERATE_DEFAULT_KEY_DERIVATION_SALT"
+  }
+end
+
+# To avoid setting a bad security example we don't use the same secrets for the
+# example.env (which is checked in) and your local .env file.
+example_env_db_secrets = generate_db_secrets
+dot_env_db_secrets = generate_db_secrets
+
+gsub_file("example.env", "PLACEHOLDER_PRIMARY_KEY", example_env_db_secrets.fetch("primary_key"))
+gsub_file("example.env", "PLACEHOLDER_DETERMINISTIC_KEY", example_env_db_secrets.fetch("deterministic_key"))
+gsub_file("example.env", "PLACEHOLDER_KEY_DERIVATION_SALT", example_env_db_secrets.fetch("key_derivation_salt"))
+
+gsub_file(".env", "PLACEHOLDER_PRIMARY_KEY", dot_env_db_secrets.fetch("primary_key"))
+gsub_file(".env", "PLACEHOLDER_DETERMINISTIC_KEY", dot_env_db_secrets.fetch("deterministic_key"))
+gsub_file(".env", "PLACEHOLDER_KEY_DERIVATION_SALT", dot_env_db_secrets.fetch("key_derivation_salt"))

variants/devise/template.rb

@@ -47,7 +47,7 @@
 
 gsub_file "config/initializers/devise.rb",
           "  config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'",
-          "  config.mailer_sender = Rails.application.secrets.mail_from"
+          "  config.mailer_sender = Rails.application.config.app.mail_from"
 
 gsub_file "config/initializers/devise.rb",
           "  # config.scoped_views = false",