hardcoding CONSUMER_KEY and CONSUMER_SECRET - ruby-on-rails

https://github.com/ryanatwork/sign-in-with-linkedin
This example rails application that lets a user log in with LinkedIn requires that the "rails server" command in the terminal be prefaced by 'CONSUMER_KEY=[consumer key] CONSUMER_SECRET=[consumer secret]' so that the whole command looks like:
CONSUMER_KEY=[consumer key] CONSUMER_SECRET=[consumer secret] rails server
The linkedin login obviously won't work with a consumer key/secret, but I'm having trouble hardcoding my consumer key/secret into the app so that I can deploy to Heroku successfully, but am not having any luck. I've tried in several different config and controller files without any luck. Help appreciated!

When you deploy to Heroku you need to have these variables set using the heroku config command:
heroku config:add CONSUMER_KEY=[consumer key]
If you use Foreman to start your server (as Heroku does at their end) then you can have these variables loaded from a local file which never gets committed into your source control (you don't want these secret details in your source control)

Don't hardcode to heroku. You can use environment variables in Heroku to set CONSUMER_KEY and CONSUMER_SECRET.
Here are the docs from Heroku:
https://devcenter.heroku.com/articles/config-vars

Related

Rails credential values are nil while running tests on github actions

I am encoding and decoding JSON web tokens using Rails secret_key_base, my secret_key_base is in the credentials.yml.enc file. In one of the test, I am using this function to decode JWT,locally the tests are running fine but on github action it is failing, I found out the the value of Rails.application.crendentials.secret_key_base is nil when running the test on github action. I fixed those tests by mocking like this
allow(Rails.application.credentials).to receive(:secret_key_base).
and_return("secret")
Is there a way I don't have to do this on github action for other credentials. Also since the master.key was not committed I hoped that I would see this error
ActiveSupport::MessageEncryptor::InvalidMessage
while reading from the credentials file but that also didn't happen.
This is a link to my project if that clears things up.
In Rails 6, you can create credentials.yml.enc file per environment.
In vscode:
EDITOR="code --wait" rails credentials:edit --environment production
EDITOR="code --wait" rails credentials:edit --environment test
it gives you production.key, production.yml.enc, test.key, test.yml.enc.
You can then commit test.key to github for testing or even better, set this key in RAILS_TEST_KEY env.
Though it gets a little bit tricky to maintain both env files. You can create credenetials.yml.example file with empty envs for reference
I think 'the cleanest/right way' to do this is to add master key(value from config/master.key) into github secrets.
Go to repository settings->secrets(left side menu)->new repository secret.
It makes sense to name it RAILS_MASTER_KEY.
And then in your workflow file add
env:
RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
And that's it, Rails will be smart enough to use that variable in credentials decryption.
No need to make additional credentials files. For me it's working with only one credentials.yml.enc
EDIT: Even better, if you can skip using credentials, add heroku config variable SECRET_KEY_BASE and in config/application.rb add
config.secret_key_base = ENV['SECRET_KEY_BASE']
and for production use Rails.configuration.secret_key_base,
for test/development Rails.application.secrest.secret_key_base that's set by rails
ex.
SECRET_KEY = Rails.env.production? ? Rails.configuration.secret_key_base : Rails.application.secrets.secret_key_base
This way you don't have to store master key on every machine that's running your app. ex. coworkers, github actions, staging, production.

Heroku sets SECRET_KEY_BASE when it's not defined

I want Heroku to not set SECRET_KEY_BASE so I can use the one from credentials, but despite me deleting it from the UI, verifying it doesn't exist by running heroku config, I still get it set as an environment variable on my dynos. And it's the same in all the dynos:
SECRET_KEY_BASE=d2753b472abb...
I also tried setting it to a blank string by running heroku config:set SECRET_KEY_BASE="" and Heroku insist on setting it up as I can see by running bash and then env within bash.
How can I prevent that from happening?
Unfortunately, the Heroku Ruby buildpack generates and sets SECRET_KEY_BASE via the shell if it doesn't exist in your Heroku config vars.
It currently doesn't seem possible to directly use the secret key set in credentials.yml. You could make credentials.yml and SECRET_KEY_BASE align though.
Source: https://github.com/heroku/heroku-buildpack-ruby/issues/1143
And here is a short extract from that issue:
If you set your own SECRET_KEY_BASE, we do nothing.
If you do not set a SECRET_KEY_BASE we generate and set one for you.
We recommend using our heroku config interface for storing secrets rather than using the encrypted file storage that ships with rails.
If you want to use encrypted file storage locally with rails you could copy our secret key base heroku run echo $SECRET_KEY_BASE or you can set your own
value manually locally and then again via heroku config.

Heroku: upload single unversioned file

I have a Rails 4 application hosted by Heroku.
Seeing as I'm working on an open-source project, there are several unversioned files containing sensitive information listed in .gitignore. For example, I have a .secret file at the root of the app that contains the key with which cookies are encrypted. I created this file by running the rake secret command.
My problem is that I cannot send this file to my heroku app since it is not versioned, it is not included in the deployment. Furthermore, I am using Github and cannot risk having my key disclosed publicly in the commit history.
I have attempted to use the heroku run command to create the file (heroku run 'rake secret > .secret' to no avail). I have attempted to connect with the terminal using heroku run bash but as the filesystem is ephemeral, my changes are not preserved when I exit the terminal.
Do you have any idea how I could achieve having unversioned files on a Heroku application?
Secret data (keys, passwords, etc) should be stored as config vars on Heroku. They are then accessed via the ENV hash in your code.
If you use something like figaro, you can place these vars in an application.yml (don't commit the file)
application.yml:
SECRET_KEY: my_secret_key
Figaro then has a rake task to push these to heroku:
rake figaro:heroku
Or, you can manually set them:
heroku config:set SECRET_KEY=my_secret_key
Finally, access them in your app as:
ENV['SECRET_KEY']

Heroku app id within the application environment

Is it possible to retrieve the app id (app123#heroku.com) within the application environment?
I know, that I can manually set a config var, but I figured such info could be exposed by Heroku?
If you have an add-on like SendGrid or Memcache installed, you can access the environment variables for the username of one of those add-ons. For example, if you were using Ruby, you can log into the console and output the value of ENV['SENDGRID_USERNAME'] or ENV['MEMCACHE_USERNAME']. It's easy to extract the app id from there. I'm not sure which other add-ons also expose that value in an environment variable but you can output the entire ENV global hash and find out what's available.
I used Jared's solution for over a year.
Today I ran into an issue when ENV['SENDGRID_USERNAME'] was not there yet (during deployment).
Heroku recommends to set a config var for this yourself, so I set:
heroku config:add APP_NAME=<myappname> --app <myappname>
And enable lab feature that allows you to use them during compile
heroku labs:enable user-env-compile -a myapp
And now I have my app name available here:
ENV["APP_NAME"] # '<myappname>'
So I won't run into the issue again, though I would like to get this kind of info set from Heroku instead.
This is straight from my support ticket with Heroku:
You cannot retrieve that value yourself. This is a value that SendGrid support requires that only Heroku support can supply to them.
So you will need to ask Heroku for it via a support ticket
UPDATE
Somewhat contradictorily, I found I could access my Heroku app id by running:
heroku config:get SENDGRID_USERNAME
app171441466#heroku.com

How do I open source my Rails' apps without giving away the app's secret keys and credentials

I have a number of Rails apps hosted on GitHub. They are all currently private, and I often will deploy them from their GitHub repository. I'd like to be able to make some of them open source, just like the ones you can find on http://opensourcerails.com.
My question is: How can I make these repositories public without giving away super secret credentials?
For example, I can look in /config/initializers/cookie_verification_secret.rb and see the cookie secret for nearly every one of them. I don't understand how this is acceptable. Are these users all changing these values in their deploy environments somehow?
Some users even expose their AWS secret and key! Others will instead set their AWS secret to something like:
ENV['aws-secret']
although I'm not sure at what point they're setting that value.
So, what are the best practices for open sourcing your Rails app without compromising your app's security.
I recently went through this with one of my own apps. My solution was to store anything secret in a git-ignored YAML config file, and then to access that file using a simple class in the initializers directory. The config file is stored in the 'shared' folder for the Capistrano deployment and copied to config at each deploy.
Config store: http://github.com/tsigo/jugglf/blob/master/config/initializers/juggernaut.rb
Example usage: https://github.com/tsigo/jugglf/blob/6b91baae72fbe4b1f7efa2759bb472541546f7cf/config/initializers/session_store.rb
You may also want to remove from source control all history of the file that used these secret values. Here's a guide for doing this in Git that I used: http://help.github.com/removing-sensitive-data/
If you're using foreman, put an .env file in the root of your app. (foreman docs)
.env will have
AWS_SECRET=xxx
AWS_ACCESS=yyy
Then when you need to use the keys, insert:
ENV['AWS_SECRET']
ENV['AWS_ACCESS']
Though it's important that you don't commit this .env to your version control. So if you're using git, add the .env to your .gitignore.
Bonus round! - Heroku
If deploying to Heroku, these environment variables need to be configured in the Heroku environment, too. There are two options:
Manually add the keys through the heroku config:add command
Use the heroku-config gem to synchronize your local environment variables, both ways.
Not storing any secret value at all. At any point in the history of a Git repo.
Those values should be stored elsewhere, leaving only template config files versioned, along with a script able:
to read the right values from the external repo
and build the final config file complete (with the secret values in it)
By keeping the tow set of data separate (sources on one side, secret values on the other), you can then open source the sources repo without comprising any secrets.
I actually took a hint from your question, using ENV.
I had three different secret values that I didn't want made available. They're the app's secret token of course, and Twitter's consumer key and secret. In my secret token initializer:
KinTwit::Application.config.secret_token = ENV['SECRET_TOKEN']
Twitter.consumer_key = ENV['CONSUMER_KEY']
Twitter.consumer_secret = ENV['CONSUMER_SECRET']
I'm hosting my project on Heroku, so I added these as configuration variables to Heroku.
[03:07:48] [william#enterprise ~/dev/rwc/kintwit]$ heroku config:add CONSUMER_KEY=ub3rs3cr3tk3y
Adding config vars and restarting app... done, v7
CONSUMER_KEY => ub3rs3cr3tk3y
[03:08:40] [william#enterprise ~/dev/rwc/kintwit]$ heroku config:add CONSUMER_SECRET=ub3rs3cr3tk3y
Adding config vars and restarting app... done, v8
CONSUMER_SECRET => ub3rs3cr3tk3y
[03:08:57] [william#enterprise ~/dev/rwc/kintwit]$ heroku config:add SECRET_TOKEN=ub3rs3cr3tk3y
Adding config vars and restarting app... done, v9
SECRET_TOKEN => ub3rs3cr3tk3y
Now, the values are ready on my next push. But, what if you aren't using Heroku? I'm obviously not an expert on every single rails deployment (jeesh, not even a Heroku pro), but an example of this would be doing a db:migrate for testing.
$ RAILS_ENV=test rake db:migrate
The KEY=value pair before the command sets the environment variable, so running this command, echo ENV['RAILS_ENV'] would print test. So however this is set up in your environment is how you would do it. But, the environment variables aren't in your code, so that's the trick.
[EDIT - The following method has the annoyance of having to switch to the Production branch to run "rails server" in order to include necessary cookies. Thus, making edits while the server is difficult... and I'm still looking for a good solution]
After further investigation, I think the solution I was looking for was to exclude anything that stored a secret value from my Git repo's master branch (just as #VonC said). But instead of then reading from those files in a separate repo, I simply create a new "production" branch and add them to that.
This way they're excluded from Master and I can push that to Github or some other public repo just fine. When I'm ready to deploy, I can checkout the Production branch and merge Master into it and deploy Production.
I need to be able to do this because Heroku and other hosts require a single git repo to be pushed to their servers.
More information here:
http://groups.google.com/group/heroku/browse_thread/thread/d7b1aecb42696568/26d5249204c70574

Resources