From 0e1110c947caf31ae650c73ef35adedebc16b28a Mon Sep 17 00:00:00 2001
From: Matt Jankowski
Date: Mon, 10 Jun 2024 16:08:04 -0400
Subject: [PATCH] Use `SECRET_KEY_BASE_DUMMY` feature as placeholder during asset compilation (#30505)

---
 .github/workflows/test-ruby.yml | 6 +-----
 Dockerfile | 6 +-----
 config/environments/production.rb | 6 +++++-
 config/initializers/active_record_encryption.rb | 5 +++++
 4 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/test-ruby.yml b/.github/workflows/test-ruby.yml
index 5f2297381..8f05dcab3 100644
--- a/.github/workflows/test-ruby.yml
+++ b/.github/workflows/test-ruby.yml
@@ -28,11 +28,7 @@ jobs:
 env:
 RAILS_ENV: ${{ matrix.mode }}
 BUNDLE_WITH: ${{ matrix.mode }}
- ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: precompile_placeholder
- ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: precompile_placeholder
- ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: precompile_placeholder
- OTP_SECRET: precompile_placeholder
- SECRET_KEY_BASE: precompile_placeholder
+ SECRET_KEY_BASE_DUMMY: 1
 
 steps:
 - uses: actions/checkout@v4
diff --git a/Dockerfile b/Dockerfile
index cb5b87205..2dc7602b2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -212,11 +212,7 @@ ARG TARGETPLATFORM
 
 RUN \
 # Use Ruby on Rails to create Mastodon assets
- ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=precompile_placeholder \
- ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=precompile_placeholder \
- ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=precompile_placeholder \
- OTP_SECRET=precompile_placeholder \
- SECRET_KEY_BASE=precompile_placeholder \
+ SECRET_KEY_BASE_DUMMY=1 \
 bundle exec rails assets:precompile; \
 # Cleanup temporary files
 rm -fr /opt/mastodon/tmp;
diff --git a/config/environments/production.rb b/config/environments/production.rb
index a39843e95..6686a23d6 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
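Review bot: `SECRET_KEY_BASE_DUMMY: 1` is placed in the job-level `env:` block, so it is active for every step of the job rather than only the asset-precompile step that needs it, and with `RAILS_ENV: ${{ matrix.mode }}` that covers any later step that boots the app in production mode. The removed placeholder variables had the same job-wide scope, so this is not a regression, but a switch that makes Rails skip secret validation deserves the narrowest scope it can get. If no other step depends on it (the job's steps beyond checkout are not visible in this hunk), move it onto the precompile step's own `env:` so a real server boot in the same job still fails loudly on missing secrets. At minimum, a comment next to the line stating the intent would help: `# Lets Rails generate throwaway secrets for assets:precompile; never set this in a deployment environment`.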
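Review bot: The `rm -fr /opt/mastodon/tmp;` context line after `bundle exec rails assets:precompile` now carries a security role, not just a cleanup one, and the `# Cleanup temporary files` comment should say so. As I recall, Rails' `SECRET_KEY_BASE_DUMMY` path generates a random secret via `generate_local_secret`, which on Rails 7.1 persists it under `tmp/local_secret.txt` — worth confirming against the Rails version this tree pins; if so, dropping the `tmp` cleanup would bake a generated secret into every image layer derived from this stage. Scoping `SECRET_KEY_BASE_DUMMY=1` to the single command, as the hunk does, is the right shape, since the variable must never be present in the runtime image's environment. Suggested comment: `# Cleanup temporary files, including any local secret Rails generated for the dummy precompile run`.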
@@ -156,7 +156,11 @@ Rails.application.configure do
 }
 
 # TODO: Remove once devise-two-factor data migration complete
- config.x.otp_secret = ENV.fetch('OTP_SECRET')
+ config.x.otp_secret = if ENV['SECRET_KEY_BASE_DUMMY']
+ SecureRandom.hex(64)
+ else
+ ENV.fetch('OTP_SECRET')
+ end
 
 # Enable DNS rebinding protection and other `Host` header attacks.
 # config.hosts = [
diff --git a/config/initializers/active_record_encryption.rb b/config/initializers/active_record_encryption.rb
index 900f3c68f..a83ca8076 100644
--- a/config/initializers/active_record_encryption.rb
+++ b/config/initializers/active_record_encryption.rb
@@ -5,6 +5,11 @@
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
 ).each do |key|
+ if ENV['SECRET_KEY_BASE_DUMMY']
+ # Use placeholder value during production env asset compilation
+ ENV[key] = SecureRandom.hex(64)
+ end
+
 value = ENV.fetch(key) do
 abort <<~MESSAGE
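Review bot: The `if ENV['SECRET_KEY_BASE_DUMMY']` branch in the new `config.x.otp_secret` assignment converts a misconfiguration into a silent failure: any production process that boots with that variable set (for example a deployment that copies the CI `env:` block) gets a fresh `SecureRandom.hex(64)` as its OTP secret, so two-factor secrets encrypted under the real `OTP_SECRET` stop decrypting, and Rails presumably stops reading `SECRET_KEY_BASE` as well, whereas the removed `ENV.fetch('OTP_SECRET')` aborted at boot. The test is plain truthiness, so `SECRET_KEY_BASE_DUMMY=` (empty) or `SECRET_KEY_BASE_DUMMY=0` selects the dummy path just as `=1` does. Since the placeholder is only ever meant for `rails assets:precompile`, say so at the branch and make the state visible, e.g. `# Only for rails assets:precompile; a real server must never boot with SECRET_KEY_BASE_DUMMY set, or stored 2FA secrets become undecryptable` followed by `warn 'SECRET_KEY_BASE_DUMMY is set: using a throwaway OTP secret'` inside the `if` arm. The enclosing `Rails.application.configure do` block starts and ends outside this hunk.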