Skip to content

/rails

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add possibility to set custom `Rails.application.credentials` object. #31257

Closed
wants to merge 1 commit into from

Conversation

Reviewers
No reviews
Assignees

@kaspth kaspth

Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@morgoth @garrettqmartin8 @kaspth
@morgoth
Copy link
Member

commented Nov 28, 2017

In multi environment application one can set custom file by:

config.before_initialize do
  self.credentials = encrypted("config/custom-credentials.yml.enc")
end

The last missing part of credentials feature ;-)

r? @kaspth

@rails-bot rails-bot assigned kaspth Nov 28, 2017

@morgoth
Add possibility to set custom `Rails.application.credentials` object. 
In multi environment application one can set custom file by:

```
config.before_initialize do
  self.credentials = encrypted("config/custom-credentials.yml.enc")
end
```
Verified
This commit was signed with a verified signature.
morgoth Wojciech Wnętrzak
GPG key ID: 0EABD3BE530ECAC6 Learn about signing commits
Loading status checks…
dfe3a88

@morgoth morgoth force-pushed the freeletics:add-application-credentials-writer branch to dfe3a88 Nov 29, 2017

@garrettqmartin8

This comment has been minimized.

Sign in to view
Copy link

commented Nov 30, 2017

@morgoth I've been playing around with another implementation that allows you to keep all secrets in one credentials.yml.enc file and it uses the current Rails environment to determine the correct keys to use. I'm using the following structure.

development:
  # development keys...

staging:
  # staging keys...

production:
  # production keys...

Is it preferable to use a separate file for each environment?
@morgoth

This comment has been minimized.

Sign in to view
Copy link
Member Author

commented Nov 30, 2017

@garrettqmartin8 The problem with this approach is that you're sharing credentials for all environments with the single encryption key, which for some might be a security concern.

Without setting custom credentials object it won't be possible to store secret_key_base in it, as this is how it's retrieved now https://github.com/rails/rails/blob/master/railties/lib/rails/application.rb#L427-L435
@garrettqmartin8

This comment has been minimized.

Sign in to view
Copy link

commented Dec 1, 2017

Ah I see. That makes sense.
@kaspth

This comment has been minimized.

Sign in to view
Copy link
Member

commented Dec 3, 2017

I'm not that fond of the proposed API. You could write a custom wrapper in your app that falls back to credentials in the production environment.

Or hell, the wrapper just does something like credentials.config.merge(encrypted("config/env-specific-file.enc").config). Thanks!

@kaspth kaspth closed this Dec 3, 2017

@morgoth

This comment has been minimized.

Sign in to view
Copy link
Member Author

commented Dec 3, 2017

@kaspth Yes, that wouldn't be a problem. The issue currently is, that it's not possible to have secret_key_base encrypted in this file, as this is how Rails reads it https://github.com/rails/rails/blob/master/railties/lib/rails/application.rb#L427-L435

I would have to special case it and set SECRET_KEY_BASE env var only for this one (alongside RAILS_MASTER_KEY)

@morgoth morgoth referenced this pull request Feb 2, 2018

Merged

Add credentials using a generic EncryptedConfiguration class #30067

3 of 4 tasks complete
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.