Merge pull request #13298 from rails/secret_tokens
Create config/secrets.yml file for storing tokens
This commit is contained in:
commit
eed8c85f4b
8 changed files with 79 additions and 15 deletions
|
@ -1,4 +1,5 @@
|
|||
require 'fileutils'
|
||||
require 'active_support/core_ext/hash/keys'
|
||||
require 'active_support/core_ext/object/blank'
|
||||
require 'active_support/key_generator'
|
||||
require 'active_support/message_verifier'
|
||||
|
@ -104,7 +105,7 @@ module Rails
|
|||
delegate :default_url_options, :default_url_options=, to: :routes
|
||||
|
||||
INITIAL_VARIABLES = [:config, :railties, :routes_reloader, :reloaders,
|
||||
:routes, :helpers, :app_env_config] # :nodoc:
|
||||
:routes, :helpers, :app_env_config, :secrets] # :nodoc:
|
||||
|
||||
def initialize(initial_variable_values = {}, &block)
|
||||
super()
|
||||
|
@ -151,8 +152,8 @@ module Rails
|
|||
# number of iterations selected based on consultation with the google security
|
||||
# team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220
|
||||
@caching_key_generator ||= begin
|
||||
if config.secret_key_base
|
||||
key_generator = ActiveSupport::KeyGenerator.new(config.secret_key_base, iterations: 1000)
|
||||
if secrets.secret_key_base
|
||||
key_generator = ActiveSupport::KeyGenerator.new(secrets.secret_key_base, iterations: 1000)
|
||||
ActiveSupport::CachingKeyGenerator.new(key_generator)
|
||||
else
|
||||
ActiveSupport::LegacyKeyGenerator.new(config.secret_token)
|
||||
|
@ -195,7 +196,7 @@ module Rails
|
|||
"action_dispatch.parameter_filter" => config.filter_parameters,
|
||||
"action_dispatch.redirect_filter" => config.filter_redirect,
|
||||
"action_dispatch.secret_token" => config.secret_token,
|
||||
"action_dispatch.secret_key_base" => config.secret_key_base,
|
||||
"action_dispatch.secret_key_base" => secrets.secret_key_base,
|
||||
"action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions,
|
||||
"action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
|
||||
"action_dispatch.logger" => Rails.logger,
|
||||
|
@ -300,6 +301,27 @@ module Rails
|
|||
@config = configuration
|
||||
end
|
||||
|
||||
def secrets #:nodoc:
|
||||
@secrets ||= begin
|
||||
secrets = ActiveSupport::OrderedOptions.new
|
||||
yaml = config.paths["config/secrets"].first
|
||||
if File.exist?(yaml)
|
||||
require "erb"
|
||||
env_secrets = YAML.load(ERB.new(IO.read(yaml)).result)[Rails.env]
|
||||
secrets.merge!(env_secrets.symbolize_keys) if env_secrets
|
||||
end
|
||||
|
||||
# Fallback to config.secret_key_base if secrets.secret_key_base isn't set
|
||||
secrets.secret_key_base ||= config.secret_key_base
|
||||
|
||||
secrets
|
||||
end
|
||||
end
|
||||
|
||||
def secrets=(secrets) #:nodoc:
|
||||
@secrets = secrets
|
||||
end
|
||||
|
||||
def to_app #:nodoc:
|
||||
self
|
||||
end
|
||||
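Review bot: `secrets` indexes the parsed document at `env_secrets = YAML.load(ERB.new(IO.read(yaml)).result)[Rails.env]` without checking what came back, so an empty `config/secrets.yml` (where `YAML.load` returns `false`) or a file whose top level is not a mapping fails at boot with a `NoMethodError` rather than a message that names the file. Splitting the call, `document = YAML.load(ERB.new(IO.read(yaml)).result)` followed by `env_secrets = document[Rails.env] if document.is_a?(Hash)`, keeps the existing `if env_secrets` path for the missing-environment case and turns the malformed-file case into a no-op rather than a crash. Separately, `YAML.load` instantiates arbitrary Ruby objects from tagged nodes; the file is application-owned so this is not an exposure in itself, but where the shipped Psych provides it `YAML.safe_load` restricts the parse to plain data, which is all a secrets file should carry, and is worth a comment if the plain `load` is kept deliberately.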
|
@ -391,8 +413,8 @@ module Rails
|
|||
end
|
||||
|
||||
def validate_secret_key_config! #:nodoc:
|
||||
if config.secret_key_base.blank? && config.secret_token.blank?
|
||||
raise "You must set config.secret_key_base in your app's config."
|
||||
if secrets.secret_key_base.blank? && config.secret_token.blank?
|
||||
raise "You must set secret_key_base in your app's config"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -76,6 +76,7 @@ module Rails
|
|||
@paths ||= begin
|
||||
paths = super
|
||||
paths.add "config/database", with: "config/database.yml"
|
||||
paths.add "config/secrets", with: "config/secrets.yml"
|
||||
paths.add "config/environment", with: "config/environment.rb"
|
||||
paths.add "lib/templates"
|
||||
paths.add "log", with: "log/#{Rails.env}.log"
|
||||
|
|
|
@ -78,6 +78,7 @@ module Rails
|
|||
template "routes.rb"
|
||||
template "application.rb"
|
||||
template "environment.rb"
|
||||
template "secrets.yml"
|
||||
|
||||
directory "environments"
|
||||
directory "initializers"
|
||||
|
|
|
@ -7,6 +7,14 @@
|
|||
# no regular words or you'll be exposed to dictionary attacks.
|
||||
# You can use `rake secret` to generate a secure secret key.
|
||||
|
||||
# Make sure your secret_key_base is kept private
|
||||
# Make sure the secrets in this file are kept private
|
||||
# if you're sharing your code publicly.
|
||||
Rails.application.config.secret_key_base = '<%= app_secret %>'
|
||||
|
||||
development:
|
||||
secret_key_base: <%= app_secret %>
|
||||
|
||||
test:
|
||||
secret_key_base: <%= app_secret %>
|
||||
|
||||
production:
|
||||
secret_key_base: <%= app_secret %>
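Review bot: The `production:` entry renders `app_secret` into `config/secrets.yml`, a file inside the generated application tree, so the production signing key ends up committed with the code unless the file is excluded from version control; none of the hunks shown touches the generator's gitignore template, so that may need a follow-up. The header comment should state this directly, e.g. `# Do not keep production secrets in the repository; load them from the environment or a deploy-time secret store instead.`, and `# Make sure the secrets in this file are kept private` can be folded into it since it is a weaker form of the same warning.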
|
|
@ -14,6 +14,6 @@ require 'rails/all'
|
|||
module TestApp
|
||||
class Application < Rails::Application
|
||||
config.root = File.dirname(__FILE__)
|
||||
config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
|
||||
secrets.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
|
||||
end
|
||||
end
|
||||
|
|
|
@ -250,7 +250,7 @@ module ApplicationTests
|
|||
|
||||
test "Use key_generator when secret_key_base is set" do
|
||||
make_basic_app do |app|
|
||||
app.config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
|
||||
app.secrets.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
|
||||
app.config.session_store :disabled
|
||||
end
|
||||
|
||||
|
@ -270,7 +270,7 @@ module ApplicationTests
|
|||
|
||||
test "application verifier can be used in the entire application" do
|
||||
make_basic_app do |app|
|
||||
app.config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
|
||||
app.secrets.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
|
||||
app.config.session_store :disabled
|
||||
end
|
||||
|
||||
|
@ -285,7 +285,7 @@ module ApplicationTests
|
|||
|
||||
test "application verifier can build different verifiers" do
|
||||
make_basic_app do |app|
|
||||
app.config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
|
||||
app.secrets.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
|
||||
app.config.session_store :disabled
|
||||
end
|
||||
|
||||
|
@ -303,6 +303,39 @@ module ApplicationTests
|
|||
assert_not_equal default_verifier.object_id, text_verifier.object_id
|
||||
end
|
||||
|
||||
test "secrets.secret_key_base is used when config/tokens.yml is present" do
|
||||
app_file 'config/secrets.yml', <<-YAML
|
||||
development:
|
||||
secret_key_base: 3b7cd727ee24e8444053437c36cc66c3
|
||||
YAML
|
||||
|
||||
require "#{app_path}/config/environment"
|
||||
assert_equal '3b7cd727ee24e8444053437c36cc66c3', app.secrets.secret_key_base
|
||||
end
|
||||
|
||||
test "secret_key_base is copied from config to secrets when not set" do
|
||||
remove_file "config/secrets.yml"
|
||||
app_file 'config/initializers/secret_token.rb', <<-RUBY
|
||||
Rails.application.config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c3"
|
||||
RUBY
|
||||
|
||||
require "#{app_path}/config/environment"
|
||||
assert_equal '3b7cd727ee24e8444053437c36cc66c3', app.secrets.secret_key_base
|
||||
end
|
||||
|
||||
test "custom secrets saved in config/tokens.yml are loaded in app secrets" do
|
||||
app_file 'config/secrets.yml', <<-YAML
|
||||
development:
|
||||
secret_key_base: 3b7cd727ee24e8444053437c36cc66c3
|
||||
aws_access_key_id: myamazonaccesskeyid
|
||||
aws_secret_access_key: myamazonsecretaccesskey
|
||||
YAML
|
||||
|
||||
require "#{app_path}/config/environment"
|
||||
assert_equal 'myamazonaccesskeyid', app.secrets.aws_access_key_id
|
||||
assert_equal 'myamazonsecretaccesskey', app.secrets.aws_secret_access_key
|
||||
end
|
||||
|
||||
test "protect from forgery is the default in a new app" do
|
||||
make_basic_app
|
||||
|
||||
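Review bot: The test names `"secrets.secret_key_base is used when config/tokens.yml is present"` and `"custom secrets saved in config/tokens.yml are loaded in app secrets"` refer to `config/tokens.yml`, while the fixtures they write are `config/secrets.yml`; the names look like leftovers from an earlier draft of the branch and should say `config/secrets.yml`. The second of those tests writes three keys but asserts only the two `aws_*` values; adding `assert_equal '3b7cd727ee24e8444053437c36cc66c3', app.secrets.secret_key_base` would also pin that the `||=` fallback in `secrets` does not overwrite a value present in the file.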
|
|
|
@ -318,7 +318,7 @@ module ApplicationTests
|
|||
|
||||
add_to_config <<-RUBY
|
||||
config.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
|
||||
config.secret_key_base = nil
|
||||
secrets.secret_key_base = nil
|
||||
RUBY
|
||||
|
||||
require "#{app_path}/config/environment"
|
||||
|
|
|
@ -119,7 +119,6 @@ module TestHelpers
|
|||
|
||||
add_to_config <<-RUBY
|
||||
config.eager_load = false
|
||||
config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4"
|
||||
config.session_store :cookie_store, key: "_myapp_session"
|
||||
config.active_support.deprecation = :log
|
||||
config.action_controller.allow_forgery_protection = false
|
||||
|
@ -139,7 +138,7 @@ module TestHelpers
|
|||
|
||||
app = Class.new(Rails::Application)
|
||||
app.config.eager_load = false
|
||||
app.config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4"
|
||||
app.secrets.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4"
|
||||
app.config.session_store :cookie_store, key: "_myapp_session"
|
||||
app.config.active_support.deprecation = :log
|
||||
|
||||
|
|