gitlab-org--gitlab-foss/config/initializers/secret_token.rb

# Be sure to restart your server when you modify this file.

require 'securerandom'

def generate_new_secure_token
  SecureRandom.hex(64)
end

def warn_missing_secret(secret)
  warn "Missing `#{secret}` for '#{Rails.env}' environment. The secret will be generated and stored in `config/secrets.yml`"
end

def create_tokens
  secret_file = Rails.root.join('.secret')
  file_key = File.read(secret_file).chomp if File.exist?(secret_file)
  env_key = ENV['SECRET_KEY_BASE']
  yaml_additions = {}

  defaults = {
    secret_key_base: env_key || file_key || generate_new_secure_token,
    otp_key_base: env_key || file_key || generate_new_secure_token,
    db_key_base: generate_new_secure_token
  }

  defaults.stringify_keys.each do |key, default|
    if Rails.application.secrets[key].blank?
      warn_missing_secret(key)

      yaml_additions[key] = Rails.application.secrets[key] = default
    end
  end

  unless yaml_additions.empty?
    secrets_yml = Rails.root.join('config/secrets.yml')
    all_secrets = YAML.load_file(secrets_yml) if File.exist?(secrets_yml)
    all_secrets ||= {}

    env_secrets = all_secrets[Rails.env.to_s] || {}
    all_secrets[Rails.env.to_s] = env_secrets.merge(yaml_additions)

    File.write(secrets_yml, YAML.dump(all_secrets), mode: 'w', perm: 0600)
  end

  begin
    File.delete(secret_file) if file_key
  rescue => e
    warn "Error deleting useless .secret file: #{e}"
  end
end

create_tokens
init commit 2011-10-08 21:36:38 +00:00			`# Be sure to restart your server when you modify this file.`

Generate the Rails secret token on first run. Store the secret token in a .gitignored file called ".secret", which is created by the initializer if it doesn't exist. 2013-05-22 23:55:48 +00:00			`require 'securerandom'`

Groundwork for merging CI into CE 2015-08-26 01:42:46 +00:00			`def generate_new_secure_token`
			`SecureRandom.hex(64)`
			`end`

Store OTP secret key in secrets.yml .secret stores the secret token used for both encrypting login cookies and for encrypting stored OTP secrets. We can't rotate this, because that would invalidate all existing OTP secrets. If the secret token is present in the .secret file or an environment variable, save it as otp_key_base in secrets.yml. Now .secret can be rotated without invalidating OTP secrets. If the secret token isn't present (initial setup), then just generate a separate otp_key_base and save in secrets.yml. Update the docs to reflect that secrets.yml needs to be retained past upgrades, but .secret doesn't. 2016-07-15 12:19:29 +00:00			`def warn_missing_secret(secret)`
			warn "Missing `#{secret}` for '#{Rails.env}' environment. The secret will be generated and stored in `config/secrets.yml`"
			`end`

			`def create_tokens`
			`secret_file = Rails.root.join('.secret')`
			`file_key = File.read(secret_file).chomp if File.exist?(secret_file)`
			`env_key = ENV['SECRET_KEY_BASE']`
			`yaml_additions = {}`
Groundwork for merging CI into CE 2015-08-26 01:42:46 +00:00
Store all secret keys in secrets.yml Move the last secret from .secret to config/secrets.yml, and delete .secret if it exists. 2016-07-17 10:01:38 +00:00			`defaults = {`
			`secret_key_base: env_key \|\| file_key \|\| generate_new_secure_token,`
			`otp_key_base: env_key \|\| file_key \|\| generate_new_secure_token,`
			`db_key_base: generate_new_secure_token`
			`}`
Store OTP secret key in secrets.yml .secret stores the secret token used for both encrypting login cookies and for encrypting stored OTP secrets. We can't rotate this, because that would invalidate all existing OTP secrets. If the secret token is present in the .secret file or an environment variable, save it as otp_key_base in secrets.yml. Now .secret can be rotated without invalidating OTP secrets. If the secret token isn't present (initial setup), then just generate a separate otp_key_base and save in secrets.yml. Update the docs to reflect that secrets.yml needs to be retained past upgrades, but .secret doesn't. 2016-07-15 12:19:29 +00:00
Store all secret keys in secrets.yml Move the last secret from .secret to config/secrets.yml, and delete .secret if it exists. 2016-07-17 10:01:38 +00:00			`defaults.stringify_keys.each do \|key, default\|`
			`if Rails.application.secrets[key].blank?`
			`warn_missing_secret(key)`
Store OTP secret key in secrets.yml .secret stores the secret token used for both encrypting login cookies and for encrypting stored OTP secrets. We can't rotate this, because that would invalidate all existing OTP secrets. If the secret token is present in the .secret file or an environment variable, save it as otp_key_base in secrets.yml. Now .secret can be rotated without invalidating OTP secrets. If the secret token isn't present (initial setup), then just generate a separate otp_key_base and save in secrets.yml. Update the docs to reflect that secrets.yml needs to be retained past upgrades, but .secret doesn't. 2016-07-15 12:19:29 +00:00
Store all secret keys in secrets.yml Move the last secret from .secret to config/secrets.yml, and delete .secret if it exists. 2016-07-17 10:01:38 +00:00			`yaml_additions[key] = Rails.application.secrets[key] = default`
			`end`
Store OTP secret key in secrets.yml .secret stores the secret token used for both encrypting login cookies and for encrypting stored OTP secrets. We can't rotate this, because that would invalidate all existing OTP secrets. If the secret token is present in the .secret file or an environment variable, save it as otp_key_base in secrets.yml. Now .secret can be rotated without invalidating OTP secrets. If the secret token isn't present (initial setup), then just generate a separate otp_key_base and save in secrets.yml. Update the docs to reflect that secrets.yml needs to be retained past upgrades, but .secret doesn't. 2016-07-15 12:19:29 +00:00			`end`

			`unless yaml_additions.empty?`
			`secrets_yml = Rails.root.join('config/secrets.yml')`
			`all_secrets = YAML.load_file(secrets_yml) if File.exist?(secrets_yml)`
			`all_secrets \|\|= {}`

			`env_secrets = all_secrets[Rails.env.to_s] \|\| {}`
			`all_secrets[Rails.env.to_s] = env_secrets.merge(yaml_additions)`

			`File.write(secrets_yml, YAML.dump(all_secrets), mode: 'w', perm: 0600)`
			`end`
Store all secret keys in secrets.yml Move the last secret from .secret to config/secrets.yml, and delete .secret if it exists. 2016-07-17 10:01:38 +00:00
			`begin`
			`File.delete(secret_file) if file_key`
			`rescue => e`
			`warn "Error deleting useless .secret file: #{e}"`
			`end`
Groundwork for merging CI into CE 2015-08-26 01:42:46 +00:00			`end`
Store OTP secret key in secrets.yml .secret stores the secret token used for both encrypting login cookies and for encrypting stored OTP secrets. We can't rotate this, because that would invalidate all existing OTP secrets. If the secret token is present in the .secret file or an environment variable, save it as otp_key_base in secrets.yml. Now .secret can be rotated without invalidating OTP secrets. If the secret token isn't present (initial setup), then just generate a separate otp_key_base and save in secrets.yml. Update the docs to reflect that secrets.yml needs to be retained past upgrades, but .secret doesn't. 2016-07-15 12:19:29 +00:00
			`create_tokens`