intro Ruby on Rails Encrypted Credentials

RAILS_MASTER_KEY env variable should be equal to config/credentials/production.key

.gitignore

@@ -19,7 +19,6 @@ config/policy_roles.yml
 config/pgq_processors.yml
 config/system_info.yml
 config/click_house.yml
-config/secrets.yml
 config/ldap.yml
 coverage
 debian/files
@@ -39,3 +38,7 @@ pgq-processors/vendor/bundler
 .versions.conf
 pgq-processors/.rspec_status
 /doc/api/
+
+/config/credentials/development.key
+/config/credentials/production.key
+/config/credentials/test.key

Makefile

@@ -93,7 +93,7 @@ config/click_house.yml:
 
 config/secrets.yml:
 	$(info:msg=Creating secrets.yml for tests)
-	cp config/secrets.yml.distr config/secrets.yml
+	echo "fa94256290aa63e934c58071d49126af" > config/credentials/test.key
 
 config/yeti_web.yml:
 	$(info:msg=Creating yeti_web.yml for build/tests)

app/lib/jwt_token.rb

@@ -8,7 +8,7 @@ module JwtToken
   # @param payload [Hash]
   # @return [String] token
   def encode(payload)
-    secret_key = Rails.application.secrets.secret_key_base
+    secret_key = Rails.application.credentials.secret_key_base
     payload[:aud] = Array.wrap(payload[:aud]) unless payload[:aud].nil?
     JWT.encode(payload, secret_key, ALGO)
   end
@@ -19,7 +19,7 @@ def encode(payload)
   def decode(token, verify_expiration:, aud: nil)
     return if token.blank?
 
-    secret_key = Rails.application.secrets.secret_key_base
+    secret_key = Rails.application.credentials.secret_key_base
     decode_options = {
       algorithm: ALGO,
       verify_expiration: verify_expiration,

config/credentials/development.yml.enc

@@ -0,0 +1 @@
+MFHRF8NoqXMhhyqvq92oW2RN82u0KauHpTHvWlw4AKkNR0unZl5NB2l2DzvuuKfkuXPQBCqBafs8/MTMmjs5E2l90OA7wI0GTsKAzRQyWrCUAP4ME40subaB1Tm94vMRd9RSVyqvaiwD8hHBlE3Z5suMmB/tq9wFrctSMN54lIzY0G8oT9dOH2YaMdDHPC3+b3jpQBh2HQ==--4p4O1/xUiaoWp7TT--RQVYdqYovNLhtfJmfy45mw==

config/credentials/production.yml.enc

@@ -0,0 +1 @@
+Y2Zd9zx2HWQWGC7nK8z7wxR243YClIA4Z6Qp+ZXV6n1ffohX7CeZx4fKgyjyh14JGsE1TjQjSl7s67ChYLXqmng8WuyhtJRhfqIVFXXugDMKMAL7eogovqtFSk0bzV9Ro11VeQS09aQ0q7nkcouEPEcNUMwFxYC1ibSYFPRRpJzsf7P2rUJgDaayyfwZA1k+cqgmINBWhQ==--etwe9m4fGlVN12ls--593008fY6PyxfJkPMneCjA==

config/credentials/test.yml.enc

@@ -0,0 +1 @@
++Uh7+sIhDBWfS+x8Llq+wFWTX+tv26+bBrHJ8bugRbA22lvGHexJiWC7OsOyYH9TtMhqgr+Jt/VRdttBJd59QkYXKE4w3XU+cpz6FPxwy42C36A6JF+bUQCyRAG2R1qaVFr3buGwhiWO0dKnYu81hNPBcK60mzjuk0gWoqFC238ReUCrJazUeGdDE7o23A9YdbGtDuHQaA==--XtnMPvgU7213csxr--gOg/rH8tSbVJN8EoZdfL2g==

config/environments/production.rb

@@ -127,4 +127,6 @@
   # config.active_record.database_selector = { delay: 2.seconds }
   # config.active_record.database_resolver = ActiveRecord::Middleware::DatabaseSelector::Resolver
   # config.active_record.database_resolver_context = ActiveRecord::Middleware::DatabaseSelector::Resolver::Session
+
+  config.require_master_key = true
 end