Load secret_key_base from tokens.yml, fallback to config.secret_key_base

2022-11-09 12:12:34 -05:00 · 2013-12-10 10:04:07 -05:00 · 2013-12-10 10:04:07 -05:00 · 3eaa29840b
commit 3eaa29840b
parent 0f4d235c16
5 changed files with 54 additions and 12 deletions
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@ -1,4 +1,5 @@
 require 'fileutils'
+require 'active_support/core_ext/hash/keys'
 require 'active_support/core_ext/object/blank'
 require 'active_support/key_generator'
 require 'active_support/message_verifier'
@ -104,7 +105,7 @@ module Rails
    delegate :default_url_options, :default_url_options=, to: :routes

    INITIAL_VARIABLES = [:config, :railties, :routes_reloader, :reloaders,
-                         :routes, :helpers, :app_env_config] # :nodoc:
+                         :routes, :helpers, :app_env_config, :secrets] # :nodoc:

    def initialize(initial_variable_values = {}, &block)
      super()
@ -151,8 +152,8 @@ module Rails
      # number of iterations selected based on consultation with the google security
      # team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220
      @caching_key_generator ||= begin
-        if config.secret_key_base
-          key_generator = ActiveSupport::KeyGenerator.new(config.secret_key_base, iterations: 1000)
+        if secrets.secret_key_base
+          key_generator = ActiveSupport::KeyGenerator.new(secrets.secret_key_base, iterations: 1000)
          ActiveSupport::CachingKeyGenerator.new(key_generator)
        else
          ActiveSupport::LegacyKeyGenerator.new(config.secret_token)
@ -195,7 +196,7 @@ module Rails
          "action_dispatch.parameter_filter" => config.filter_parameters,
          "action_dispatch.redirect_filter" => config.filter_redirect,
          "action_dispatch.secret_token" => config.secret_token,
-          "action_dispatch.secret_key_base" => config.secret_key_base,
+          "action_dispatch.secret_key_base" => secrets.secret_key_base,
          "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions,
          "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
          "action_dispatch.logger" => Rails.logger,
@ -300,6 +301,27 @@ module Rails
      @config = configuration
    end

+    def secrets #:nodoc:
+      @secrets ||= begin
+        secrets = ActiveSupport::OrderedOptions.new
+        yaml = config.paths["config/tokens"].first
+        if File.exist?(yaml)
+          require "erb"
+          env_secrets = YAML.load(ERB.new(IO.read(yaml)).result)[Rails.env]
+          secrets.merge!(env_secrets.symbolize_keys) if env_secrets
+        end
+
+        # Fallback to config.secret_key_base if secrets.secret_key_base isn't set
+        secrets.secret_key_base ||= config.secret_key_base
+
+        secrets
+      end
+    end
+
+    def secrets=(secrets) #:nodoc:
+      @secrets = secrets
+    end
+
    def to_app #:nodoc:
      self
    end
@ -391,8 +413,8 @@ module Rails
    end

    def validate_secret_key_config! #:nodoc:
-      if config.secret_key_base.blank? && config.secret_token.blank?
-        raise "You must set config.secret_key_base in your app's config."
+      if secrets.secret_key_base.blank? && config.secret_token.blank?
+        raise "You must set secret_key_base in your app's config"
      end
    end
  end
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@ -76,6 +76,7 @@ module Rails
        @paths ||= begin
          paths = super
          paths.add "config/database",    with: "config/database.yml"
+          paths.add "config/tokens",      with: "config/tokens.yml"
          paths.add "config/environment", with: "config/environment.rb"
          paths.add "lib/templates"
          paths.add "log",                with: "log/#{Rails.env}.log"
--- a/railties/test/abstract_unit.rb
+++ b/railties/test/abstract_unit.rb
@ -14,6 +14,6 @@ require 'rails/all'
 module TestApp
  class Application < Rails::Application
    config.root = File.dirname(__FILE__)
-    config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
+    secrets.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
  end
 end
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@ -250,7 +250,7 @@ module ApplicationTests

    test "Use key_generator when secret_key_base is set" do
      make_basic_app do |app|
-        app.config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
+        app.secrets.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
        app.config.session_store :disabled
      end

@ -270,7 +270,7 @@ module ApplicationTests

    test "application verifier can be used in the entire application" do
      make_basic_app do |app|
-        app.config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
+        app.secrets.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
        app.config.session_store :disabled
      end

@ -285,7 +285,7 @@ module ApplicationTests

    test "application verifier can build different verifiers" do
      make_basic_app do |app|
-        app.config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
+        app.secrets.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
        app.config.session_store :disabled
      end

@ -303,6 +303,26 @@ module ApplicationTests
      assert_not_equal default_verifier.object_id, text_verifier.object_id
    end

+    test "secrets.secret_key_base is used when config/tokens.yml is present" do
+      app_file 'config/tokens.yml', <<-YAML
+        development:
+          secret_key_base: 3b7cd727ee24e8444053437c36cc66c3
+      YAML
+
+      require "#{app_path}/config/environment"
+      assert_equal '3b7cd727ee24e8444053437c36cc66c3', app.secrets.secret_key_base
+    end
+
+    test "secret_key_base is copied from config to secrets when not set" do
+      remove_file "config/tokens.yml"
+      app_file 'config/initializers/secret_token.rb', <<-RUBY
+        Rails.application.config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c3"
+      RUBY
+
+      require "#{app_path}/config/environment"
+      assert_equal '3b7cd727ee24e8444053437c36cc66c3', app.secrets.secret_key_base
+    end
+
    test "protect from forgery is the default in a new app" do
      make_basic_app

--- a/railties/test/isolation/abstract_unit.rb
+++ b/railties/test/isolation/abstract_unit.rb
@ -119,7 +119,6 @@ module TestHelpers

      add_to_config <<-RUBY
        config.eager_load = false
-        config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4"
        config.session_store :cookie_store, key: "_myapp_session"
        config.active_support.deprecation = :log
        config.action_controller.allow_forgery_protection = false
@ -139,7 +138,7 @@ module TestHelpers

      app = Class.new(Rails::Application)
      app.config.eager_load = false
-      app.config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4"
+      app.secrets.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4"
      app.config.session_store :cookie_store, key: "_myapp_session"
      app.config.active_support.deprecation = :log