From d9e45bc0f604009ad76243764fa1a7c25611ba34 Mon Sep 17 00:00:00 2001
From: Casper Smits
Date: Fri, 28 Dec 2018 00:08:40 +0100
Subject: [PATCH] Use environment-specific credential files for credential storing

---
 .env.example | 25 +-----
 .gitignore | 12 +++
 Gemfile | 1 +
 Gemfile.lock | 3 +
 app/controllers/users_controller.rb | 4 +-
 app/helpers/slack_helper.rb | 2 +-
 config/application.rb | 4 +-
 config/credentials-development.yml.enc | 1 +
 config/credentials-staging.yml.enc | 1 +
 config/credentials-test.yml.enc | 1 +
 config/credentials.yml.enc | 1 +
 config/environments/production.rb | 6 +-
 config/environments/staging.rb | 107 +++++++++++++++++++++++++
 config/initializers/devise.rb | 4 +-
 config/initializers/sentry.rb | 2 +-
 config/secrets.yml | 19 -----
 16 files changed, 139 insertions(+), 54 deletions(-)
 create mode 100644 config/credentials-development.yml.enc
 create mode 100644 config/credentials-staging.yml.enc
 create mode 100644 config/credentials-test.yml.enc
 create mode 100644 config/credentials.yml.enc
 create mode 100644 config/environments/staging.rb
 delete mode 100644 config/secrets.yml

diff --git a/.env.example b/.env.example
index 9b5584b15..336ada131 100644
--- a/.env.example
+++ b/.env.example
@@ -1,24 +1 @@
-COMPOSE_PROJECT_NAME=alpha_tomato_
-
-BIND_ON=0.0.0.0:5000
-
-# RAILS_MAX_THREADS=5
-# WEB_CONCURRENCY=2
-
-REDIS_PASSWORD=
-
-# POSTGRES_USER=alpha_tomato_
-# POSTGRES_PASSWORD=
-
-MAILGUN_API_KEY=
-
-SENTRY_DSN=https://localhost
-
-SECRET_KEY_BASE=
-
-BANANA_CLIENT_ID=
-BANANA_CLIENT_SECRET=
-BANANA_API_HOST=http://localhost:4200
-
-LISTEN_ON_PORT=5000
-TOMATO_HOST=localhost
+RAILS_ENV=development
diff --git a/.gitignore b/.gitignore
index afe7e6312..fdf51e14c 100644
--- a/.gitignore
+++ b/.gitignore
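Review bot: The `.env.example` rewrite drops not only the secrets that move into the encrypted credentials but also the non-secret runtime settings `COMPOSE_PROJECT_NAME`, `BIND_ON`, `LISTEN_ON_PORT` and `REDIS_PASSWORD`, none of which is read from the credentials anywhere else in this commit. If docker-compose or the Redis setup still takes them from `.env`, a fresh checkout that follows the example file will no longer come up; either keep those entries in the example or state in the commit message where they are now expected to come from. I cannot see the compose file from here, so this may be intentional.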
@@ -36,3 +36,15 @@ yarn-error\.log
 /node_modules
 yarn-debug.log*
 .yarn-integrity
+
+# Ignore master key for decrypting credentials and more.
+/config/master.key
+
+# Ignore master key for decrypting credentials and more.
+/config/master-development.key
+
+# Ignore master key for decrypting credentials and more.
+/config/master-staging.key
+
+# Ignore master key for decrypting credentials and more.
+/config/master-test.key
diff --git a/Gemfile b/Gemfile
index bb90ab263..e7e1549ba 100644
--- a/Gemfile
+++ b/Gemfile
@@ -48,6 +48,7 @@ group :development, :test do
   gem 'guard-rspec', require: false
   gem 'pry-byebug'
   gem 'pry-rails'
+  gem 'rails-env-credentials'
   gem 'rspec-rails'
   gem 'slim_lint'
 end
diff --git a/Gemfile.lock b/Gemfile.lock
index f8c3153f7..900a00d9a 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -271,6 +271,8 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
+    rails-env-credentials (0.1.3)
+      rails (>= 5.2.0.rc1)
     rails-html-sanitizer (1.0.4)
       loofah (~> 2.2, >= 2.2.2)
     rails-i18n (5.1.2)
@@ -483,6 +485,7 @@ DEPENDENCIES
   pundit (~> 2.0)
   rack-attack (~> 5.0)
   rails (~> 5.2)
+  rails-env-credentials
   rails-i18n (~> 5.1)
   redis-rails (~> 5.0.2)
   rest-client (~> 2.0.2)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index ec7a64a55..2fe8cebab 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -61,8 +61,8 @@ def api_token
     return @token if @token
     options = { grant_type: 'client_credentials',
-                client_id: Rails.application.secrets.fetch(:banana_client_id),
-                client_secret: Rails.application.secrets.fetch(:banana_client_secret) }
+                client_id: Rails.application.credentials.fetch.banana_client_id,
+                client_secret: Rails.application.credentials.fetch.banana_client_secret }
     token_response = RestClient.post "#{Rails.application.config.x.banana_api_host}/api/v1/oauth/token", options
     @token = JSON.parse(token_response)['access_token']
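Review bot: `Rails.application.credentials.fetch.banana_client_id` on the two added lines calls `fetch` with no arguments; on Rails 5.2 `credentials` delegates `fetch` to the decrypted Hash, so as far as I can tell this raises `ArgumentError` the first time `api_token` runs instead of returning the client id. The other hunks in this commit (devise.rb, slack_helper.rb) read the keys as plain accessors, so either match them or keep a keyed lookup: `client_id: Rails.application.credentials.fetch(:banana_client_id),` and `client_secret: Rails.application.credentials.fetch(:banana_client_secret) }`. The `fetch(:key)` form has the advantage that a credentials file missing the key fails with a `KeyError` instead of silently posting a nil client secret to the token endpoint. `api_token` continues outside the hunk.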
diff --git a/app/helpers/slack_helper.rb b/app/helpers/slack_helper.rb
index 49586ab2a..aa9bf5426 100644
--- a/app/helpers/slack_helper.rb
+++ b/app/helpers/slack_helper.rb
@@ -5,7 +5,7 @@ module SlackHelper
   def notifier
     @notifier ||= Slack::Notifier.new(
-      Rails.application.secrets.fetch(:slack_webhook),
+      Rails.application.credentials.slack_webhook,
       username: 'Tomato',
       channel: Rails.application.config.x.slack_channel
     )
diff --git a/config/application.rb b/config/application.rb
index fd452ba57..133f64455 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -23,8 +23,8 @@ class Application < Rails::Application
     # See https://github.com/kickstarter/rack-attack#getting-started
     config.middleware.use Rack::Attack
-    config.x.banana_api_host = ENV['BANANA_API_HOST']
-    config.x.tomato_host = ENV['TOMATO_HOST']
+    config.x.banana_api_host = credentials.banana_host
+    config.x.tomato_host = credentials.tomato_host
     config.x.slack_channel = '#monitoring'
   end
 end
diff --git a/config/credentials-development.yml.enc b/config/credentials-development.yml.enc
new file mode 100644
index 000000000..eeedc3974
--- /dev/null
+++ b/config/credentials-development.yml.enc
@@ -0,0 +1 @@
+WRKMZZtJre75RXj6I+DsqZ7R/kV+y84z0LKVFkMpGybNH2EUT+96sCMAAhUNRpR6F+e+svfACJ9G2YKhrZfkxYoHZKRWzrOI+iEz5PhOGbO0h/YJJ1bUB4TCaqzVA4+XpjEj/L8LJkJMUcJc50n1dd2/scpLhxPEcomMQtuxOFFCnN14OLai+krTr3faqVSS1mQ2FquUgBb0gDA21U2PfgVHoOevk8tu8EzvfarrOaTAfTLI4r7cOBWA2CwV29adwcjQq1SeuSMw59FLE1D4r6Dr7cenE16jIzVsRHzUiL+ga43gQfy0POQnfrLIjGeYge8pe9GsluSxqqflY+GvivS3bVfNkz2IcGv8j5TqSWAaGv0bgd55NolZEeuWjWgpdo789dC8KcXvulc0CqT8drcLwaue+3v3DGCNYW5Ynn3r/oZV094NmEsM375s3F/8ATkfpDm4XzS6W7afndk1lfenrQ0+BnQOMJvuu7yX8AgYB0kcchJufzyGm+F/IwES3Yk=--kVWrCcMjJ69Fsn+2--kKZl3Nx78xT6BQn4NK29Kg==
\ No newline at end of file
diff --git a/config/credentials-staging.yml.enc b/config/credentials-staging.yml.enc
new file mode 100644
index 000000000..727a28899
--- /dev/null
+++ b/config/credentials-staging.yml.enc
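Review bot: `Rails.application.credentials.slack_webhook` is presumably the same webhook URL that this commit deletes from `config/secrets.yml`, where it sat as a plaintext literal; deleting the file does not remove the value from git history, so the webhook (and the test-environment OAuth client id and secret from the same file) should be rotated before being relied on inside the encrypted credentials, otherwise the encryption protects an already-exposed value. A smaller point: the old `secrets.fetch(:slack_webhook)` raised `KeyError` when the key was absent, while the new accessor returns nil silently, so a credentials file built without the key yields a `Slack::Notifier` with a nil URL; `Rails.application.credentials.fetch(:slack_webhook),` keeps the fail-fast behaviour. The same accessor-versus-fetch trade-off applies to the application.rb, production.rb, staging.rb, devise.rb and sentry.rb hunks. `notifier` continues outside the hunk.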
@@ -0,0 +1 @@
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--R+xG3I6jla9lzf5x--/P75526kAr/4KJlOA1Y4nQ==
\ No newline at end of file
diff --git a/config/credentials-test.yml.enc b/config/credentials-test.yml.enc
new file mode 100644
index 000000000..886d173ee
--- /dev/null
+++ b/config/credentials-test.yml.enc
@@ -0,0 +1 @@
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--KsWYjhaW5cDG4rG+--zxFe1JGKBS9jtrrPEROWaw==
\ No newline at end of file
diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc
new file mode 100644
index 000000000..81f6f9740
--- /dev/null
+++ b/config/credentials.yml.enc
@@ -0,0 +1 @@
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--UBWuaDX0lz7lWFpk--eMLQ/2xDN0ixjlzvkj6dcQ==
\ No newline at end of file
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 99192aec4..d3a368b15 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -86,14 +86,14 @@
   # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
   config.action_mailer.default_url_options = {
-    scheme: 'https', host: Rails.application.config.x.tomato_host || 'tomato.csvalpha.nl'
+    scheme: 'https', host: Rails.application.config.x.tomato_host
   }
   config.action_mailer.delivery_method = :mailgun
   config.action_mailer.asset_host = "https://#{config.action_mailer.default_url_options[:host]}"
   config.action_mailer.mailgun_settings = {
-    api_key: Rails.application.secrets.fetch(:mailgun_api_key),
-    domain: 'csvalpha.nl'
+    api_key: Rails.application.credentials.mailgun_api_key,
+    domain: Rails.application.credentials.banana_host
   }
   if ENV['RAILS_LOG_TO_STDOUT'].present?
diff --git a/config/environments/staging.rb b/config/environments/staging.rb
new file mode 100644
index 000000000..53b429ce5
--- /dev/null
+++ b/config/environments/staging.rb
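Review bot: `domain: Rails.application.credentials.banana_host` replaces the literal Mailgun sending domain `'csvalpha.nl'` with the key that application.rb also assigns to `config.x.banana_api_host`, an API base URL (the old `.env.example` held `http://localhost:4200` for that setting), so this looks like the wrong key rather than a deliberate change; a dedicated credentials entry such as `mailgun_domain`, read as `domain: Rails.application.credentials.mailgun_domain`, would keep the two concerns apart. The staging.rb hunk copies the same `domain:` line. Separately, the removed `|| 'tomato.csvalpha.nl'` fallback means a credentials file without `tomato_host` now leaves `default_url_options[:host]` nil and `asset_host` as the literal `"https://"`; if dropping the fallback is intended, a `fetch` on that key at least surfaces the omission at boot.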
@@ -0,0 +1,107 @@
+Rails.application.configure do
+  # Verifies that versions and hashed value of the package contents in the project's package.json
+  config.webpacker.check_yarn_integrity = false
+
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # Code is not reloaded between requests.
+  config.cache_classes = true
+
+  # Eager load code on boot. This eager loads most of Rails and
+  # your application in memory, allowing both threaded web servers
+  # and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # Full error reports are disabled and caching is turned on.
+  config.consider_all_requests_local = false
+  config.action_controller.perform_caching = true
+
+  # Attempt to read encrypted secrets from `config/secrets.yml.enc`.
+  # Requires an encryption key in `ENV["RAILS_MASTER_KEY"]` or
+  # `config/secrets.yml.key`.
+  config.read_encrypted_secrets = true
+
+  # Disable serving static files from the `/public` folder by default since
+  # Apache or NGINX already handles this.
+  config.public_file_server.enabled = true
+  # config.public_file_server.enabled = Rails.env.production?
+
+  # Compress JavaScripts and CSS.
+  config.assets.js_compressor = Uglifier.new(harmony: true)
+  # config.assets.css_compressor = :sass
+
+  # Do not fallback to assets pipeline if a precompiled asset is missed.
+  config.assets.compile = false
+
+  # `config.assets.precompile` and `config.assets.version`
+  # have moved to config/initializers/assets.rb
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.action_controller.asset_host = 'http://assets.example.com'
+
+  # Specifies the header that your server uses for sending files.
+  # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
+  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
+
+  # Mount Action Cable outside main process or domain
+  # config.action_cable.mount_path = nil
+  # config.action_cable.url = 'wss://example.com/cable'
+  # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  # config.force_ssl = true
+
+  # Use the lowest log level to ensure availability of diagnostic information
+  # when problems arise.
+  config.log_level = :debug
+
+  # Prepend all log lines with the following tags.
+  config.log_tags = [:request_id]
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
+
+  # Use a real queuing backend for Active Job (and separate queues per environment)
+  # config.active_job.queue_adapter = :resque
+  # config.active_job.queue_name_prefix = "tomato_#{Rails.env}"
+  config.action_mailer.perform_caching = false
+
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation cannot be found).
+  config.i18n.fallbacks = true
+
+  # Send deprecation notices to registered listeners.
+  config.active_support.deprecation = :notify
+
+  # Use default logging formatter so that PID and timestamp are not suppressed.
+  config.log_formatter = ::Logger::Formatter.new
+
+  # Use a different logger for distributed setups.
+  # require 'syslog/logger'
+  # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
+
+  config.action_mailer.default_url_options = {
+    scheme: 'https', host: Rails.application.credentials.tomato_host
+  }
+
+  config.action_mailer.delivery_method = :mailgun
+  config.action_mailer.asset_host = "https://#{config.action_mailer.default_url_options[:host]}"
+  config.action_mailer.mailgun_settings = {
+    api_key: Rails.application.credentials.mailgun_api_key,
+    domain: Rails.application.credentials.banana_host
+  }
+
+  if ENV['RAILS_LOG_TO_STDOUT'].present?
+    logger = ActiveSupport::Logger.new(STDOUT)
+    logger.formatter = config.log_formatter
+    config.logger = ActiveSupport::TaggedLogging.new(logger)
+  end
+
+  # Do not dump schema after migrations.
+  config.active_record.dump_schema_after_migration = false
+end
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 701ffd61c..98199ab55 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -9,6 +9,6 @@
   # ==> OmniAuth
   require 'omniauth_strategies'
-  config.omniauth :banana_oauth2, Rails.application.secrets.fetch(:banana_client_id),
-                  Rails.application.secrets.fetch(:banana_client_secret)
+  config.omniauth :banana_oauth2, Rails.application.credentials.banana_client_id,
+                  Rails.application.credentials.banana_client_secret
 end
diff --git a/config/initializers/sentry.rb b/config/initializers/sentry.rb
index 8eec976e5..8967d15ce 100644
--- a/config/initializers/sentry.rb
+++ b/config/initializers/sentry.rb
@@ -1,5 +1,5 @@
 Raven.configure do |config|
-  config.dsn = Rails.application.secrets.fetch(:sentry_dsn)
+  config.dsn = Rails.application.credentials.sentry_dsn
   config.environments = %w[production]
   config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
 end
diff --git a/config/secrets.yml b/config/secrets.yml
deleted file mode 100644
index af322fd66..000000000
--- a/config/secrets.yml
+++ /dev/null
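Review bot: `config.force_ssl` stays commented out in the new staging environment while `default_url_options` and `asset_host` hard-code `https`, so staging is served without HSTS or Secure-flagged session cookies even though it boots with whatever OAuth client secret and Mailgun key its own credentials file holds; unless staging is deliberately plain-HTTP behind a terminating proxy, `config.force_ssl = true` belongs here. Two of the copied comments no longer match the code: the block above `config.public_file_server.enabled = true` says static serving is disabled, and the `read_encrypted_secrets` comment still points at `config/secrets.yml.enc`, which this commit retires in favour of `config/credentials-staging.yml.enc`. `config.log_level = :debug` in a production-like environment also writes every SQL statement with its bound values, which `filter_parameters` does not redact, so consider `:info` if staging handles real user data.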
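Review bot: `config.environments = %w[production]` on the context line below the changed DSN keeps Raven disabled in the `staging` environment this commit introduces, so staging errors will not be reported anywhere; if that is unintended, `config.environments = %w[production staging]` enables it. The DSN lookup itself now yields nil instead of raising when `sentry_dsn` is missing from a credentials file, and as far as I recall Raven treats a nil DSN as "not configured" rather than as an error, so a misbuilt credentials file fails silently here.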
@@ -1,19 +0,0 @@
-defaults: &defaults
-  sentry_dsn: <%= ENV["SENTRY_DSN"] || "''" %>
-  banana_client_id: <%= ENV["BANANA_CLIENT_ID"] || "''" %>
-  banana_client_secret: <%= ENV["BANANA_CLIENT_SECRET"] || "''" %>
-  secret_key_base: <%= ENV["SECRET_KEY_BASE"] || "''" %>
-  slack_webhook: 'https://hooks.slack.com/services/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'
-  mailgun_api_key: <%= ENV["MAILGUN_API_KEY"] || "''" %>
-
-development:
-  <<: *defaults
-
-test:
-  <<: *defaults
-  secret_key_base: e3d3304b39dc13f2fbd50ce6bef4e3635cafd7bc81eb5421976665539b8279fad2c67b9336e2853d8b5104777b8fc9199bd20bf383a0beab291c8cd1cf6c2cb8
-  banana_client_id: a46ccf8d4a6cb4119958924dc1865237e3596a2b7c1461a234f4d58e4ed554a8
-  banana_client_secret: 3a4afdb72f83a2d219de1149589cf169f8744e1dcfa9be699aa54a61065d9b98
-
-production:
-  <<: *defaults