Use config/secrets.yml to store session secret and database encryption secret

0c721239 · Kamil Trzcinski · 0261c8f1 · 0c721239 · 0c721239 · 0c721239
Commit 0c721239 authored 9 years ago by Kamil Trzcinski
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@ config/application.yml
 config/database.yml
 config/resque.yml
 config/unicorn.rb
+config/secrets.yml
 config/initializers/smtp_settings.rb
 coverage/*
 log/*

--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,6 +4,7 @@ before_script:
  - gem install bundler
  - cp config/database.yml.mysql config/database.yml
  - cp config/application.yml.example config/application.yml
+  - cp config/secrets.yml.example config/secrets.yml
  - 'sed "s/username\:.*$/username\: runner/" -i config/database.yml'
  - 'sed "s/password\:.*$/password\: ''password''/" -i config/database.yml'
  - bundle --without postgres

--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -2,22 +2,44 @@
  
 require 'securerandom'
  
-# Your secret key for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
+# Your secret key for verifying the integrity of signed cookies and encryption database variables.
+# If you change or lose this key, you will lose also all encrypted data!
+# Ensue that you backup the `config/secrets.yml` in some place secure.
  
-def find_secure_token
+def generate_new_secure_token
+  SecureRandom.hex(64)
+end
+
+def find_old_secure_token
  token_file = Rails.root.join('.secret')
  if File.exist? token_file
    # Use the existing token.
    File.read(token_file).chomp
  else
    # Generate a new token of 64 random hexadecimal characters and store it in token_file.
-    token = SecureRandom.hex(64)
+    token = generate_new_secure_token
    File.write(token_file, token)
    token
  end
 end
  
-GitlabCi::Application.config.secret_key_base = find_secure_token
+if GitlabCi::Application.secrets.secret_key_base.blank? || GitlabCi::Application.secrets.db_key_base.blank?
+  warn "Missing `secret_key_base` or `db_key_base` for '#{Rails.env}' environment. The secrets will be generated and stored in `config/secrets.yml`"
+
+  all_secrets = YAML.load_file('config/secrets.yml') if File.exist?('config/secrets.yml')
+  all_secrets ||= {}
+
+  # generate secrets
+  env_secrets = all_secrets[Rails.env] || {}
+  env_secrets['secret_key_base'] ||= find_old_secure_token
+  env_secrets['db_key_base'] ||= generate_new_secure_token
+  all_secrets[Rails.env] = env_secrets
+
+  # save secrets
+  File.open('config/secrets.yml', 'w') do |file|
+    file.write(YAML.dump(all_secrets))
+  end
+
+  GitlabCi::Application.secrets.secret_key_base = env_secrets['secret_key_base']
+  GitlabCi::Application.secrets.db_key_base = env_secrets['db_key_base']
+end
--- a/config/secrets.yml.example
+++ b/config/secrets.yml.example
+production:
+  # secret_key_base is used to verify the integrity of signed cookies.
+  # If you change this key, all old signed cookies will become invalid!
+  # Make sure the secret is at least 30 characters and all random,
+  # no regular words or you'll be exposed to dictionary attacks.
+  # secret_key_base:
+
+  # db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
+  # If you change or lose this key you will be unable to access variables stored in database.
+  # Make sure the secret is at least 30 characters and all random,
+  # no regular words or you'll be exposed to dictionary attacks.
+  # db_key_base:
+
+development:
+  secret_key_base: development
+  db_key_base: development
+
+test:
+  secret_key_base: test
+  db_key_base: test
--- a/doc/raketasks/backup_restore.md
+++ b/doc/raketasks/backup_restore.md
@@ -123,11 +123,14 @@ with the name of your bucket:
  
 ## Storing configuration files
  
-Please be informed that a backup does not store your configuration files.
+Please be informed that a backup does not store your configuration and secret files.
 If you use an Omnibus package please see the [instructions in the readme to backup your configuration](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#backup-and-restore-omnibus-gitlab-configuration).
 If you have a cookbook installation there should be a copy of your configuration in Chef.
-If you have an installation from source, please consider backing up your `application.yml` file, any SSL keys and certificates, and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079).
-
+If you have an installation from source:
+1. please backup `config/secrets.yml` file that contains key to encrypt variables in database,
+1. please consider backing up your `application.yml` file,
+1. any SSL keys and certificates, 
+1. and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079).
  
 ## Restore a previously created backup