From 54b53941966ef5d4d6422aca3d3b9d377930fd30 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Fri, 27 Feb 2015 16:46:52 +0200 Subject: [PATCH] All required env settings are now checkeda and depricated APP_CONFIG --- .gitignore | 4 +- CHANGELOG.md | 5 +++ Gemfile | 3 ++ Gemfile.lock | 3 ++ app/controllers/epp/sessions_controller.rb | 2 +- app/models/api_user_deprecated.rb | 6 +-- app/models/certificate.rb | 20 +++++----- app/models/zonefile_setting.rb | 2 +- app/views/layouts/application.haml | 2 +- config/application-example.yml | 43 ++++++++-------------- config/initializers/app_config.rb | 2 - config/initializers/devise.rb | 2 +- config/initializers/env_required.rb | 13 +++++++ config/initializers/set_secret.rb | 1 + 14 files changed, 61 insertions(+), 47 deletions(-) delete mode 100644 config/initializers/app_config.rb create mode 100644 config/initializers/env_required.rb create mode 100644 config/initializers/set_secret.rb diff --git a/.gitignore b/.gitignore index b7ebd630e..67a64e8d5 100644 --- a/.gitignore +++ b/.gitignore @@ -10,7 +10,6 @@ capybara-*.html /spec/tmp **.orig config/initializers/secret_token.rb -config/application.yml config/secrets.yml config/database.yml /export @@ -25,3 +24,6 @@ config/database.yml # unless supporting rvm < 1.11.0 or doing something fancy, ignore this: .rvmrc + +# Ignore application configuration +/config/application.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index e9fd7e7e8..cc0bd3e74 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +27.02.2015 + +* Simplified config/application-example.yml, + now system will check if all required settings are present in application.yml + 19.02.2015 * Cetrificate only enabled, please setup certificates following doc/certificate.md document. diff --git a/Gemfile b/Gemfile index 68a2b9571..e0bf28b53 100644 --- a/Gemfile +++ b/Gemfile 
@@ -5,6 +5,9 @@ gem 'rails', '4.2.0' gem 'iso8601', '~> 0.8.2' # for dates and times gem 'hashie_rails', '~> 0.0.1' +# load env +gem 'figaro', '~> 1.1.0' + # model related gem 'pg', '~> 0.18.0' gem 'ransack', '~> 1.5.1' # for searching diff --git a/Gemfile.lock b/Gemfile.lock index b798b512b..478d7604a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -152,6 +152,8 @@ GEM i18n (~> 0.5) fastercsv (1.5.5) ffi (1.9.6) + figaro (1.1.0) + thor (~> 0.14) flay (2.4.0) ruby_parser (~> 3.0) sexp_processor (~> 4.0) @@ -459,6 +461,7 @@ DEPENDENCIES epp-xml (~> 0.10.4) fabrication (~> 2.12.2) faker (~> 1.3.0) + figaro (~> 1.1.0) grape (~> 0.10.1) guard (~> 2.6.1) guard-rails (~> 0.7.0) diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb index f12b2e56d..181cc19ac 100644 --- a/app/controllers/epp/sessions_controller.rb +++ b/app/controllers/epp/sessions_controller.rb @@ -9,7 +9,7 @@ class Epp::SessionsController < EppController # rubocop: disable Metrics/CyclomaticComplexity def login cert_valid = true - if request.ip == APP_CONFIG['webclient_ip'] + if request.ip == ENV['webclient_ip'] @api_user = ApiUser.find_by(login_params) else if request.env['HTTP_SSL_CLIENT_S_DN_CN'] != login_params[:username] diff --git a/app/models/api_user_deprecated.rb b/app/models/api_user_deprecated.rb index f44719fbb..c809564ea 100644 --- a/app/models/api_user_deprecated.rb +++ b/app/models/api_user_deprecated.rb 
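Review bot: The `request.ip == ENV['webclient_ip']` branch in `login` skips the client-certificate CN comparison done in the `else` branch, and nothing next to it says that this one setting is a trust decision. `request.ip` is derived from whatever the front-end proxy forwards, so the comparison is only as reliable as that proxy's handling of forwarding headers. I would document this on the line, e.g. `# Web client host is trusted without a client certificate; request.ip must be the proxy-verified peer address.` The body of `login` continues outside the hunk, so the rest of the certificate handling is not visible here.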
@@ -32,10 +32,10 @@ class ApiUserDeprecated < ActiveRecord::Base csr_file.rewind crt_file = Tempfile.new('client_crt') - _out, err, _st = Open3.capture3("openssl ca -keyfile #{APP_CONFIG['ca_key_path']} \ - -cert #{APP_CONFIG['ca_cert_path']} \ + _out, err, _st = Open3.capture3("openssl ca -keyfile #{ENV['ca_key_path']} \ + -cert #{ENV['ca_cert_path']} \ -extensions usr_cert -notext -md sha256 \ - -in #{csr_file.path} -out #{crt_file.path} -key '#{APP_CONFIG['ca_key_password']}' -batch") + -in #{csr_file.path} -out #{crt_file.path} -key '#{ENV['ca_key_password']}' -batch") if err.match(/Data Base Updated/) crt_file.rewind diff --git a/app/models/certificate.rb b/app/models/certificate.rb index 30cbbe949..51d4ac5e4 100644 --- a/app/models/certificate.rb +++ b/app/models/certificate.rb @@ -33,7 +33,7 @@ class Certificate < ActiveRecord::Base @cached_status = EXPIRED end - crl = OpenSSL::X509::CRL.new(File.open(APP_CONFIG['crl_path']).read) + crl = OpenSSL::X509::CRL.new(File.open(ENV['crl_path']).read) return @cached_status unless crl.revoked.map(&:serial).include?(parsed_crt.serial) @cached_status = REVOKED @@ -45,10 +45,10 @@ class Certificate < ActiveRecord::Base csr_file.rewind crt_file = Tempfile.new('client_crt') - _out, err, _st = Open3.capture3("openssl ca -keyfile #{APP_CONFIG['ca_key_path']} \ - -cert #{APP_CONFIG['ca_cert_path']} \ + _out, err, _st = Open3.capture3("openssl ca -keyfile #{ENV['ca_key_path']} \ + -cert #{ENV['ca_cert_path']} \ -extensions usr_cert -notext -md sha256 \ - -in #{csr_file.path} -out #{crt_file.path} -key '#{APP_CONFIG['ca_key_password']}' -batch") + -in #{csr_file.path} -out #{crt_file.path} -key '#{ENV['ca_key_password']}' -batch") if err.match(/Data Base Updated/) crt_file.rewind 
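Review bot: The `openssl ca` call in this hunk is still one interpolated string, so it runs through a shell and puts the CA key password on the command line (`-key '...'`), where other local users can see it in the process list and where a quote or space in any of the three settings changes the command. Now that the values live in ENV, the arguments can be passed as a list and openssl can read the password itself through `-passin env:ca_key_password`. The same construction is repeated in app/models/certificate.rb (the signing hunk below and the `-revoke` and `-gencrl` hunks), so the change applies there too. Success is also inferred from matching stderr while `_st` is ignored; checking `_st.success?` would be sturdier. The enclosing method starts and ends outside the hunk.

```ruby
# … unchanged: csr_file / crt_file tempfile setup …
_out, err, _st = Open3.capture3(
  'openssl', 'ca',
  '-keyfile', ENV['ca_key_path'],
  '-cert', ENV['ca_cert_path'],
  '-extensions', 'usr_cert', '-notext', '-md', 'sha256',
  '-in', csr_file.path, '-out', crt_file.path,
  '-passin', 'env:ca_key_password', '-batch'
)
# … unchanged: err.match(/Data Base Updated/) handling …
```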
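Review bot: In the first app/models/certificate.rb hunk, `File.open(ENV['crl_path']).read` never closes the handle, so each status check leaks a descriptor until garbage collection; `crl = OpenSSL::X509::CRL.new(File.read(ENV['crl_path']))` reads and closes in one step. The example config says `crl_path` may be left empty on an EPP-only server, and in that case this line raises instead of returning a status, which deserves a short comment stating that the revocation check requires the CRL file to exist. The method this line belongs to starts outside the hunk.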
@@ -67,9 +67,9 @@ class Certificate < ActiveRecord::Base crt_file.write(crt) crt_file.rewind - _out, err, _st = Open3.capture3("openssl ca -keyfile #{APP_CONFIG['ca_key_path']} \ - -cert #{APP_CONFIG['ca_cert_path']} \ - -revoke #{crt_file.path} -key '#{APP_CONFIG['ca_key_password']}' -batch") + _out, err, _st = Open3.capture3("openssl ca -keyfile #{ENV['ca_key_path']} \ + -cert #{ENV['ca_cert_path']} \ + -revoke #{crt_file.path} -key '#{ENV['ca_key_password']}' -batch") if err.match(/Data Base Updated/) || err.match(/ERROR:Already revoked/) save! @@ -81,8 +81,8 @@ class Certificate < ActiveRecord::Base return false end - _out, _err, _st = Open3.capture3("openssl ca -keyfile #{APP_CONFIG['ca_key_path']} \ - -cert #{APP_CONFIG['ca_cert_path']} \ - -gencrl -out #{APP_CONFIG['crl_path']} -key '#{APP_CONFIG['ca_key_password']}' -batch") + _out, _err, _st = Open3.capture3("openssl ca -keyfile #{ENV['ca_key_path']} \ + -cert #{ENV['ca_cert_path']} \ + -gencrl -out #{ENV['crl_path']} -key '#{ENV['ca_key_password']}' -batch") end end diff --git a/app/models/zonefile_setting.rb b/app/models/zonefile_setting.rb index cdeb8087d..c9cac6154 100644 --- a/app/models/zonefile_setting.rb +++ b/app/models/zonefile_setting.rb @@ -18,7 +18,7 @@ class ZonefileSetting < ActiveRecord::Base "select generate_zonefile('#{origin}')" )[0]['generate_zonefile'] - File.open("#{APP_CONFIG['zonefile_export_dir']}/#{filename}", 'w') { |f| f.write(zf) } + File.open("#{ENV['zonefile_export_dir']}/#{filename}", 'w') { |f| f.write(zf) } STDOUT << "#{Time.now.utc} - Successfully generated zonefile #{filename}\n" end diff --git a/app/views/layouts/application.haml b/app/views/layouts/application.haml index 05e513372..13ab2aab7 100644 --- a/app/views/layouts/application.haml +++ b/app/views/layouts/application.haml 
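Review bot: In app/models/zonefile_setting.rb the export path is built by interpolating `filename` under `ENV['zonefile_export_dir']`; `filename` is defined outside this hunk, and if it is derived from stored zone data (presumably from `origin`), a value containing path separators would write outside the export directory. `File.open(File.join(ENV['zonefile_export_dir'], File.basename(filename)), 'w') { |f| f.write(zf) }` keeps the write inside it. The context line above also interpolates `origin` straight into the `generate_zonefile` SQL string, which should be quoted or bound in a follow-up.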
@@ -21,7 +21,7 @@ %span.icon-bar %span.icon-bar = link_to admin_dashboard_path, class: 'navbar-brand' do - = APP_CONFIG['app_name'] + = ENV['app_name'] - if unstable_env.present? .text-center %small{style: 'color: #0074B3;'}= unstable_env diff --git a/config/application-example.yml b/config/application-example.yml index e31d63bec..61f154688 100644 --- a/config/application-example.yml +++ b/config/application-example.yml 
@@ -1,34 +1,23 @@ -defaults: &defaults - app_name: .EE Registry - zonefile_export_dir: 'export/zonefiles' +# Application configuration values - # You can use `rake secret` to generate a secure secret key. - # Your secret key is used for verifying the integrity of signed cookies. - # If you change this key, all old signed cookies will become invalid! - secret_key_base: please-change-it-you-can-generate-it-with-rake-secret - devise_secret: please-change-it-you-can-generate-it-with-rake-secret +app_name: .EE Registry +zonefile_export_dir: 'export/zonefiles' - # Used by registry admin server: - crl_path: '/home/registry/registry/shared/ca/crl/crl.pem' - ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem' - ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem' - ca_key_password: 'your-root-key-password' +# You can use `rake secret` to generate a secure secret key. +# Your secret key is used for verifying the integrity of signed cookies. +# If you change this key, all old signed cookies will become invalid! +secret_key_base: please-change-it-you-can-generate-it-with-rake-secret +devise_secret: please-change-it-you-can-generate-it-with-rake-secret - # Used by EPP server - webclient_ip: '127.0.0.1' +# Used by admin server, you can leave those empty for when running EPP server: +crl_path: '/home/registry/registry/shared/ca/crl/crl.pem' +ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem' +ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem' +ca_key_password: 'your-root-key-password' -development: - <<: *defaults +# Used only by EPP server, you can leave it empty when running admin server: +webclient_ip: '127.0.0.1' +# autotest config overwrites test: webclient_ip: '127.0.0.1' # it should match to localhost ip address - <<: *defaults - -alpha: - <<: *defaults - -staging: - <<: *defaults - -production: - <<: *defaults 
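Review bot: The new comments say the CA settings and `webclient_ip` can be left empty depending on the server role, but config/initializers/env_required.rb in this same commit lists every one of these keys as required. As far as I can tell a key with no value is not exported to ENV at all, so a deployment that follows the comment would fail at boot. Either reword the comments, e.g. `# Used by admin server; the keys must still be present when running only the EPP server:`, or drop the role-specific keys from the required list. The two secrets also ship as known placeholder strings, so a comment saying they must be replaced before first start would help.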
diff --git a/config/initializers/app_config.rb b/config/initializers/app_config.rb deleted file mode 100644 index d76066b1a..000000000 --- a/config/initializers/app_config.rb +++ /dev/null @@ -1,2 +0,0 @@ -APP_CONFIG = YAML.load_file("#{Rails.root}/config/application.yml")[Rails.env] -Registry::Application.config.secret_token = APP_CONFIG['secret_key_base'] diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index 8bbe137e2..6415ada3d 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -4,7 +4,7 @@ Devise.setup do |config| # The secret key used by Devise. Devise uses this key to generate # random tokens. Changing this key will render invalid all existing # confirmation, reset password and unlock tokens in the database. - config.secret_key = APP_CONFIG['devise_secret'] + config.secret_key = ENV['devise_secret'] # ==> Mailer Configuration # Configure the e-mail address which will be shown in Devise::Mailer, diff --git a/config/initializers/env_required.rb b/config/initializers/env_required.rb new file mode 100644 index 000000000..c79520166 --- /dev/null +++ b/config/initializers/env_required.rb @@ -0,0 +1,13 @@ +required = %w( + app_name + zonefile_export_dir + secret_key_base + devise_secret + crl_path + ca_cert_path + ca_key_path + ca_key_password + webclient_ip +) + +Figaro.require_keys(required) diff --git a/config/initializers/set_secret.rb b/config/initializers/set_secret.rb new file mode 100644 index 000000000..ed1dbae7f --- /dev/null +++ b/config/initializers/set_secret.rb @@ -0,0 +1 @@ +Registry::Application.config.secret_token = ENV['secret_key_base']
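Review bot: `Figaro.require_keys(required)` in config/initializers/env_required.rb appears to check only that each key exists, so the placeholder values from config/application-example.yml (`please-change-it-you-can-generate-it-with-rake-secret`, `your-root-key-password`) satisfy it. The app would then boot with a publicly known cookie secret and Devise secret. I would add a value check after the call, e.g. `raise 'replace the example secrets in config/application.yml' if ENV.values_at('secret_key_base', 'devise_secret').any? { |v| v.start_with?('please-change-it') }`. A one-line header comment saying that boot aborts when a key is missing would also help whoever sees the error.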
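Review bot: config/initializers/set_secret.rb assigns the value named `secret_key_base` to the legacy `config.secret_token` setting, carried over from the deleted app_config.rb. On Rails 4.2 (the version in the Gemfile context) cookies are encrypted only when a secret key base is configured, and config/secrets.yml is not visible in this patch, so I cannot tell whether that is set elsewhere. If no legacy signed cookies need upgrading, `Registry::Application.config.secret_key_base = ENV['secret_key_base']` would match the key's name. Otherwise add a comment explaining why the token is set from the key base, since sharing one secret between both settings looks unintentional.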