intro Ruby on Rails Encrypted Credentials

RAILS_MASTER_KEY env variable should be equal to config/credentials/production.key

.gitignore

@@ -19,7 +19,6 @@ config/policy_roles.yml
 config/pgq_processors.yml
 config/system_info.yml
 config/click_house.yml
-config/secrets.yml
 config/ldap.yml
 coverage
 debian/files
@@ -39,3 +38,7 @@ pgq-processors/vendor/bundler
 .versions.conf
 pgq-processors/.rspec_status
 /doc/api/
+
+/config/credentials/development.key
+/config/credentials/production.key
+/config/credentials/test.key

Makefile

@@ -92,8 +92,9 @@ config/click_house.yml:
 	cp config/click_house.yml.distr config/click_house.yml
 
 config/secrets.yml:
-	$(info:msg=Creating secrets.yml for tests)
-	cp config/secrets.yml.distr config/secrets.yml
+	$(info:msg=Creating master key for test env)
+	touch config/credentials/test.key
+	echo "3dfebf8475fd661c870bff8cf91f24a8" > config/credentials/test.key
 
 config/yeti_web.yml:
 	$(info:msg=Creating yeti_web.yml for build/tests)

app/lib/jwt_token.rb

@@ -8,7 +8,7 @@ module JwtToken
   # @param payload [Hash]
   # @return [String] token
   def encode(payload)
-    secret_key = Rails.application.secrets.secret_key_base
+    secret_key = Rails.application.credentials.secret_key_base
     payload[:aud] = Array.wrap(payload[:aud]) unless payload[:aud].nil?
     JWT.encode(payload, secret_key, ALGO)
   end
@@ -19,7 +19,7 @@ def encode(payload)
   def decode(token, verify_expiration:, aud: nil)
     return if token.blank?
 
-    secret_key = Rails.application.secrets.secret_key_base
+    secret_key = Rails.application.credentials.secret_key_base
     decode_options = {
       algorithm: ALGO,
       verify_expiration: verify_expiration,

config/credentials/development.yml.enc

@@ -0,0 +1 @@
+TqmN/EIkOlmCKihUdLG1OR+rjpzg74TERJW54Nk9QoxdfLULsIzYKfJLT7ij8mhfBtFhMiY3wowgu428KF7ulFTx2oq+X+06rtNTuEK7RX5rmA/+KmWdw7XNvaBczjrtGGP09EybVDXZ1jzpg8Ab9zt5mVixNfC8FT0wY00c10ugyLAcsTyHpQvTqPhDCOlakbxD1qq2Kg==--sBJUCjeEEsWjNoc/--hE4oMVcvTDFRWOTUxyLjcw==

config/credentials/production.yml.enc

@@ -0,0 +1 @@
+Y2Zd9zx2HWQWGC7nK8z7wxR243YClIA4Z6Qp+ZXV6n1ffohX7CeZx4fKgyjyh14JGsE1TjQjSl7s67ChYLXqmng8WuyhtJRhfqIVFXXugDMKMAL7eogovqtFSk0bzV9Ro11VeQS09aQ0q7nkcouEPEcNUMwFxYC1ibSYFPRRpJzsf7P2rUJgDaayyfwZA1k+cqgmINBWhQ==--etwe9m4fGlVN12ls--593008fY6PyxfJkPMneCjA==

config/credentials/test.yml.enc

@@ -0,0 +1 @@
+uJdc3zVrJE3YFkMhlvEFsbmObVKkrGl1ig233YRBq7xGS2yGDcMks3/uNocbalNehsQTPettEe8mgyBFghjlzbEpYacZZX/kAFa6+HsYWpVBat4sgkC909hXOOWDXAG8PfOXskFBMRXmQjt2KQ90TZ/i0uzSqgtKuJnF7j+BbQ06wafMXZklZi3G1+752taQkTWmtwtoOA==--/nN68Y+FzAZXhCvf--NYOUensf64fGc7BHCAb3hw==

config/environments/production.rb

@@ -127,4 +127,6 @@
   # config.active_record.database_selector = { delay: 2.seconds }
   # config.active_record.database_resolver = ActiveRecord::Middleware::DatabaseSelector::Resolver
   # config.active_record.database_resolver_context = ActiveRecord::Middleware::DatabaseSelector::Resolver::Session
+
+  config.require_master_key = true
 end

config/environments/test.rb

@@ -29,7 +29,7 @@
   config.cache_store = :null_store
 
   # Raise exceptions instead of rendering exception templates.
-  config.action_dispatch.show_exceptions = false
+  config.action_dispatch.show_exceptions = :none
 
   # Disable request forgery protection in test environment.
   config.action_controller.allow_forgery_protection = true

config/initializers/knock.rb

@@ -34,9 +34,7 @@
   ## -------------
   ##
   ## Configure the key used to sign tokens.
-  ##
-  ## Default:
-  # config.token_secret_signature_key = -> { Rails.application.secrets.secret_key_base }
+  config.token_secret_signature_key = -> { Rails.application.credentials.secret_key_base }
 
   ## If using Auth0, uncomment the line below
   # config.token_secret_signature_key = -> { JWT.base64url_decode Rails.application.secrets.auth0_client_secret }