From 12472e7f407c42bcff6ee204b9f1887b5824734f Mon Sep 17 00:00:00 2001 From: Claire Date: Fri, 17 May 2024 11:28:40 +0200 Subject: [PATCH] Add emphasis on ActiveRecord Encryption configuration values being secret (#30340) --- .env.test | 9 +++++---- config/initializers/active_record_encryption.rb | 13 +++++++++++-- lib/tasks/db.rake | 2 +- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/.env.test b/.env.test index 9e6abea5c9..d2763e582a 100644 --- a/.env.test +++ b/.env.test @@ -4,7 +4,8 @@ NODE_ENV=production LOCAL_DOMAIN=cb6e6126.ngrok.io LOCAL_HTTPS=true -# Required by ActiveRecord encryption feature -ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=fkSxKD2bF396kdQbrP1EJ7WbU7ZgNokR -ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=r0hvVmzBVsjxC7AMlwhOzmtc36ZCOS1E -ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=PhdFyyfy5xJ7WVd2lWBpcPScRQHzRTNr +# Secret values required by ActiveRecord encryption feature +# Use `bin/rails db:encryption:init` to generate fresh secrets +ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=test_determinist_key_DO_NOT_USE_IN_PRODUCTION +ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=test_salt_DO_NOT_USE_IN_PRODUCTION +ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=test_primary_key_DO_NOT_USE_IN_PRODUCTION diff --git a/config/initializers/active_record_encryption.rb b/config/initializers/active_record_encryption.rb index 7cda8c621c..777bafc273 100644 --- a/config/initializers/active_record_encryption.rb +++ b/config/initializers/active_record_encryption.rb @@ -5,7 +5,7 @@ ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY ).each do |key| - ENV.fetch(key) do + value = ENV.fetch(key) do abort <<~MESSAGE Mastodon now requires that these variables are set: @@ -14,9 +14,18 @@ - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY - Run `bin/rails db:encryption:init` to generate values and then assign the environment variables. + Run `bin/rails db:encryption:init` to generate new secrets and then assign the environment variables. MESSAGE end + + next unless Rails.env.production? && value.end_with?('DO_NOT_USE_IN_PRODUCTION') + + abort <<~MESSAGE + + It looks like you are trying to run Mastodon in production with a #{key} value from the test environment. + + Please generate fresh secrets using `bin/rails db:encryption:init` and use them instead. + MESSAGE end Rails.application.configure do diff --git a/lib/tasks/db.rake b/lib/tasks/db.rake index d6377c9c82..d8bc927bc4 100644 --- a/lib/tasks/db.rake +++ b/lib/tasks/db.rake @@ -8,7 +8,7 @@ namespace :db do desc 'Generate a set of keys for configuring Active Record encryption in a given environment' task :init do # rubocop:disable Rails/RakeEnvironment puts <<~MSG - Add these environment variables to your Mastodon environment:#{' '} + Add these secret environment variables to your Mastodon environment (e.g. .env.production):#{' '} ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=#{SecureRandom.alphanumeric(32)} ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=#{SecureRandom.alphanumeric(32)}