From a8989ad951c22e1895756ee7e11df2e2cf22f971 Mon Sep 17 00:00:00 2001
From: Anton-Ivanov
Date: Tue, 29 Oct 2024 08:19:58 +0200
Subject: [PATCH] intro Ruby on Rails Encrypted Credentials RAILS_MASTER_KEY env variable should be equal to config/credentials/production.key
---
 .gitignore | 5 ++++-
 Makefile | 2 +-
 app/lib/jwt_token.rb | 4 ++--
 config/credentials/development.yml.enc | 1 +
 config/credentials/production.yml.enc | 1 +
 config/credentials/test.yml.enc | 1 +
 config/environments/production.rb | 2 ++
 config/secrets.yml.distr | 22 ----------------------
 8 files changed, 12 insertions(+), 26 deletions(-)
 create mode 100644 config/credentials/development.yml.enc
 create mode 100644 config/credentials/production.yml.enc
 create mode 100644 config/credentials/test.yml.enc
 delete mode 100644 config/secrets.yml.distr
diff --git a/.gitignore b/.gitignore
index 19b2adff0..c8c11ba2c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,7 +19,6 @@ config/policy_roles.yml
 config/pgq_processors.yml
 config/system_info.yml
 config/click_house.yml
-config/secrets.yml
 config/ldap.yml
 coverage
 debian/files
@@ -39,3 +38,7 @@ pgq-processors/vendor/bundler
 .versions.conf
 pgq-processors/.rspec_status
 /doc/api/
+
+/config/credentials/development.key
+/config/credentials/production.key
+/config/credentials/test.key
diff --git a/Makefile b/Makefile
index c1879cd40..bd6e69569 100644
--- a/Makefile
+++ b/Makefile
@@ -93,7 +93,7 @@ config/click_house.yml:
 config/secrets.yml:
 $(info:msg=Creating secrets.yml for tests)
- cp config/secrets.yml.distr config/secrets.yml
+ echo "fa94256290aa63e934c58071d49126af" > config/credentials/test.key
 config/yeti_web.yml:
 $(info:msg=Creating yeti_web.yml for build/tests)
diff --git a/app/lib/jwt_token.rb b/app/lib/jwt_token.rb
index 018c7639f..5089321a7 100644
--- a/app/lib/jwt_token.rb
+++ b/app/lib/jwt_token.rb
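Review bot: The first hunk drops `config/secrets.yml` from the ignore list while the Makefile in this same patch still carries a target of that name, and checkouts made before this change will still hold a local copy of that file with a plaintext `secret_key_base`, so an unfiltered `git add` can now commit it; keep the entry until the file is gone from every checkout. In the second hunk the three per-environment entries could be the single pattern `/config/credentials/*.key`, which also covers any environment added later without another .gitignore change. Rails's generated ignore list also carries `/config/master.key`; adding it is cheap insurance in case someone runs `rails credentials:edit` without `--environment` and a top-level key file appears.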
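Review bot: The rule on the changed line still has `config/secrets.yml` as its target but now writes `config/credentials/test.key`, so make can never consider the target up to date and every dependent step rewrites the key file; rename it to `config/credentials/test.key:`, update the `$(info ...)` text to match, and adjust whatever targets depend on `config/secrets.yml` outside this hunk. The replacement also embeds the test master key as a literal in a tracked file, which makes the `/config/credentials/test.key` ignore entry moot: anyone with the repository can decrypt `test.yml.enc`, so that file must hold nothing that is reused outside the test environment. It is also worth confirming that the development and test `secret_key_base` values removed from `config/secrets.yml.distr` were not carried into the new encrypted files, since they remain readable in history.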
@@ -8,7 +8,7 @@ module JwtToken
 # @param payload [Hash]
 # @return [String] token
 def encode(payload)
- secret_key = Rails.application.secrets.secret_key_base
+ secret_key = Rails.application.credentials.secret_key_base
 payload[:aud] = Array.wrap(payload[:aud]) unless payload[:aud].nil?
 JWT.encode(payload, secret_key, ALGO)
 end
@@ -19,7 +19,7 @@ def encode(payload)
 def decode(token, verify_expiration:, aud: nil)
 return if token.blank?
- secret_key = Rails.application.secrets.secret_key_base
+ secret_key = Rails.application.credentials.secret_key_base
 decode_options = {
 algorithm: ALGO,
 verify_expiration: verify_expiration,
diff --git a/config/credentials/development.yml.enc b/config/credentials/development.yml.enc
new file mode 100644
index 000000000..039f39080
--- /dev/null
+++ b/config/credentials/development.yml.enc
@@ -0,0 +1 @@
+MFHRF8NoqXMhhyqvq92oW2RN82u0KauHpTHvWlw4AKkNR0unZl5NB2l2DzvuuKfkuXPQBCqBafs8/MTMmjs5E2l90OA7wI0GTsKAzRQyWrCUAP4ME40subaB1Tm94vMRd9RSVyqvaiwD8hHBlE3Z5suMmB/tq9wFrctSMN54lIzY0G8oT9dOH2YaMdDHPC3+b3jpQBh2HQ==--4p4O1/xUiaoWp7TT--RQVYdqYovNLhtfJmfy45mw==
\ No newline at end of file
diff --git a/config/credentials/production.yml.enc b/config/credentials/production.yml.enc
new file mode 100644
index 000000000..62a8bdc37
--- /dev/null
+++ b/config/credentials/production.yml.enc
@@ -0,0 +1 @@
+Y2Zd9zx2HWQWGC7nK8z7wxR243YClIA4Z6Qp+ZXV6n1ffohX7CeZx4fKgyjyh14JGsE1TjQjSl7s67ChYLXqmng8WuyhtJRhfqIVFXXugDMKMAL7eogovqtFSk0bzV9Ro11VeQS09aQ0q7nkcouEPEcNUMwFxYC1ibSYFPRRpJzsf7P2rUJgDaayyfwZA1k+cqgmINBWhQ==--etwe9m4fGlVN12ls--593008fY6PyxfJkPMneCjA==
\ No newline at end of file
diff --git a/config/credentials/test.yml.enc b/config/credentials/test.yml.enc
new file mode 100644
index 000000000..3daa5b30b
--- /dev/null
+++ b/config/credentials/test.yml.enc
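Review bot: Both hunks (`encode` here and `decode` at `@@ -19`) read `Rails.application.credentials.secret_key_base` directly, which yields nil when the key is absent from the encrypted file and never consults `SECRET_KEY_BASE`; the deleted `secrets.yml.distr` read that env var for production, so a deployment that still sets it instead of the encrypted file would now sign tokens with a nil secret or fail at the first request rather than at boot. `Rails.application.secret_key_base` is the accessor Rails provides for exactly this: it checks `ENV["SECRET_KEY_BASE"]` before the credentials file, falls back to a generated local secret in development and test, and raises on a missing or empty value elsewhere, so the one-line change `secret_key = Rails.application.secret_key_base` in both methods preserves the previous contract. Since the same value also protects session cookies, deriving a purpose-specific key with `Rails.application.key_generator.generate_key("jwt")` would contain the blast radius of a leaked JWT key, though that invalidates tokens already issued and belongs in a separate change. `decode`'s body continues past the end of the second hunk.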
@@ -0,0 +1 @@
++Uh7+sIhDBWfS+x8Llq+wFWTX+tv26+bBrHJ8bugRbA22lvGHexJiWC7OsOyYH9TtMhqgr+Jt/VRdttBJd59QkYXKE4w3XU+cpz6FPxwy42C36A6JF+bUQCyRAG2R1qaVFr3buGwhiWO0dKnYu81hNPBcK60mzjuk0gWoqFC238ReUCrJazUeGdDE7o23A9YdbGtDuHQaA==--XtnMPvgU7213csxr--gOg/rH8tSbVJN8EoZdfL2g==
\ No newline at end of file
diff --git a/config/environments/production.rb b/config/environments/production.rb
index dfb1efe25..5ec55579a 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -127,4 +127,6 @@
 # config.active_record.database_selector = { delay: 2.seconds }
 # config.active_record.database_resolver = ActiveRecord::Middleware::DatabaseSelector::Resolver
 # config.active_record.database_resolver_context = ActiveRecord::Middleware::DatabaseSelector::Resolver::Session
+
+ config.require_master_key = true
 end
diff --git a/config/secrets.yml.distr b/config/secrets.yml.distr
deleted file mode 100644
index d79c25258..000000000
--- a/config/secrets.yml.distr
+++ /dev/null
@@ -1,22 +0,0 @@
-# Be sure to restart your server when you modify this file.
- # Your secret key is used for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
- # Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-# You can use `rails secret` to generate a secure secret key.
- # Make sure the secrets in this file are kept private
-# if you're sharing your code publicly.
- development:
- secret_key_base: b89787dc4f8930ff36715598bddc8d28946c29c7d9d3c1f8272fc8eb307c4b1de6e9a20a824ac06b4a53efeaf99be20469da5355d7218851c8e87520db26a819
- test:
- secret_key_base: 3beeee45bc938475ecba45075c53aae0f94299a83f824b25bbaf7965b4b0c60ff2b0c66c9047a026578deb5ecadabaa602891be2be66ed123a7b26876d4daddf
- # Do not keep production secrets in the repository,
-# instead read values from the environment.
-production:
- secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
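Review bot: The new `config.require_master_key = true` is appended after the commented-out database-selector block with nothing saying what it enforces or which key it expects, even though the commit message makes `RAILS_MASTER_KEY` matching `config/credentials/production.key` a deployment requirement. A comment above the line such as `# Refuse to boot unless the credentials key is available via ENV["RAILS_MASTER_KEY"] or config/credentials/production.key.` records that contract where operators will look for it. If the file has other credentials-related settings, grouping the line with them rather than leaving it at the end of the block would also help the next reader find it.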