mirror of
https://github.com/mastodon/mastodon.git
synced 2024-12-22 12:55:56 +01:00
Add emphasis on ActiveRecord Encryption configuration values being secret (#30340)
parent
a627219b25
commit
12472e7f40
3 changed files with 17 additions and 7 deletions
|
@ -4,7 +4,8 @@ NODE_ENV=production
|
||||||
LOCAL_DOMAIN=cb6e6126.ngrok.io
|
LOCAL_DOMAIN=cb6e6126.ngrok.io
|
||||||
LOCAL_HTTPS=true
|
LOCAL_HTTPS=true
|
||||||
|
|
||||||
# Required by ActiveRecord encryption feature
|
# Secret values required by ActiveRecord encryption feature
|
||||||
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=fkSxKD2bF396kdQbrP1EJ7WbU7ZgNokR
|
# Use `bin/rails db:encryption:init` to generate fresh secrets
|
||||||
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=r0hvVmzBVsjxC7AMlwhOzmtc36ZCOS1E
|
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=test_determinist_key_DO_NOT_USE_IN_PRODUCTION
|
||||||
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=PhdFyyfy5xJ7WVd2lWBpcPScRQHzRTNr
|
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=test_salt_DO_NOT_USE_IN_PRODUCTION
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=test_primary_key_DO_NOT_USE_IN_PRODUCTION
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
|
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
|
||||||
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
|
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
|
||||||
).each do |key|
|
).each do |key|
|
||||||
ENV.fetch(key) do
|
value = ENV.fetch(key) do
|
||||||
abort <<~MESSAGE
|
abort <<~MESSAGE
|
||||||
|
|
||||||
Mastodon now requires that these variables are set:
|
Mastodon now requires that these variables are set:
|
||||||
|
@ -14,9 +14,18 @@
|
||||||
- ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
|
- ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
|
||||||
- ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
|
- ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
|
||||||
|
|
||||||
Run `bin/rails db:encryption:init` to generate values and then assign the environment variables.
|
Run `bin/rails db:encryption:init` to generate new secrets and then assign the environment variables.
|
||||||
MESSAGE
|
MESSAGE
|
||||||
end
|
end
|
||||||
|
|
||||||
|
next unless Rails.env.production? && value.end_with?('DO_NOT_USE_IN_PRODUCTION')
|
||||||
|
|
||||||
|
abort <<~MESSAGE
|
||||||
|
|
||||||
|
It looks like you are trying to run Mastodon in production with a #{key} value from the test environment.
|
||||||
|
|
||||||
|
Please generate fresh secrets using `bin/rails db:encryption:init` and use them instead.
|
||||||
|
MESSAGE
|
||||||
end
|
end
|
||||||
|
|
||||||
Rails.application.configure do
|
Rails.application.configure do
|
||||||
|
|
|
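Review bot: The new production guard at `next unless Rails.env.production? && value.end_with?('DO_NOT_USE_IN_PRODUCTION')` recognises only the new placeholder suffix, so the three sample values this commit removes from the env file still pass it even though they remain public in the repository history. Any deployment that copied those earlier values would start without complaint; consider rejecting them as well, for example `RETIRED_SAMPLE_VALUES.include?(value) || value.end_with?('DO_NOT_USE_IN_PRODUCTION')`, with the retired values held in a new frozen constant. A variable that is set but empty also gets past `ENV.fetch(key)`, because the block runs only when the key is absent, so a `value.empty?` check may be worth adding. The key list this loop iterates over begins outside the hunk.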
@ -8,7 +8,7 @@ namespace :db do
|
||||||
desc 'Generate a set of keys for configuring Active Record encryption in a given environment'
|
desc 'Generate a set of keys for configuring Active Record encryption in a given environment'
|
||||||
task :init do # rubocop:disable Rails/RakeEnvironment
|
task :init do # rubocop:disable Rails/RakeEnvironment
|
||||||
puts <<~MSG
|
puts <<~MSG
|
||||||
Add these environment variables to your Mastodon environment:#{' '}
|
Add these secret environment variables to your Mastodon environment (e.g. .env.production):#{' '}
|
||||||
|
|
||||||
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=#{SecureRandom.alphanumeric(32)}
|
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=#{SecureRandom.alphanumeric(32)}
|
||||||
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=#{SecureRandom.alphanumeric(32)}
|
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=#{SecureRandom.alphanumeric(32)}
|
||||||
|
|
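Review bot: The message now calls the variables secret but gives no handling guidance for the generated values, which the `puts <<~MSG` heredoc prints in clear text to standard output. A closing line in the heredoc such as `Keep these values private: do not commit them to version control or include them in logs or bug reports.` would make the expectation explicit to operators. The heredoc continues past the end of the hunk, so the remaining key line and the terminator are not visible here.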