Add emphasis on ActiveRecord Encryption configuration values being se…

…cret (mastodon#30340)
glitch-soc · May 17, 2024 · 12472e7 · 12472e7
1 parent a627219
commit 12472e7
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 7 deletions.
diff --git a/.env.test b/.env.test
@@ -4,7 +4,8 @@ NODE_ENV=production
 LOCAL_DOMAIN=cb6e6126.ngrok.io
 LOCAL_HTTPS=true
 
-# Required by ActiveRecord encryption feature
-ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=fkSxKD2bF396kdQbrP1EJ7WbU7ZgNokR
-ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=r0hvVmzBVsjxC7AMlwhOzmtc36ZCOS1E
-ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=PhdFyyfy5xJ7WVd2lWBpcPScRQHzRTNr
+# Secret values required by ActiveRecord encryption feature
+# Use `bin/rails db:encryption:init` to generate fresh secrets
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=test_determinist_key_DO_NOT_USE_IN_PRODUCTION
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=test_salt_DO_NOT_USE_IN_PRODUCTION
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=test_primary_key_DO_NOT_USE_IN_PRODUCTION
diff --git a/config/initializers/active_record_encryption.rb b/config/initializers/active_record_encryption.rb
@@ -5,7 +5,7 @@
   ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
   ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
 ).each do |key|
-  ENV.fetch(key) do
+  value = ENV.fetch(key) do
     abort <<~MESSAGE
 
       Mastodon now requires that these variables are set:
@@ -14,9 +14,18 @@
         - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
         - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
 
-      Run `bin/rails db:encryption:init` to generate values and then assign the environment variables.
+      Run `bin/rails db:encryption:init` to generate new secrets and then assign the environment variables.
     MESSAGE
   end
+
+  next unless Rails.env.production? && value.end_with?('DO_NOT_USE_IN_PRODUCTION')
+
+  abort <<~MESSAGE
+
+    It looks like you are trying to run Mastodon in production with a #{key} value from the test environment.
+
+    Please generate fresh secrets using `bin/rails db:encryption:init` and use them instead.
+  MESSAGE
 end
 
 Rails.application.configure do

diff --git a/lib/tasks/db.rake b/lib/tasks/db.rake
@@ -8,7 +8,7 @@ namespace :db do
     desc 'Generate a set of keys for configuring Active Record encryption in a given environment'
     task :init do # rubocop:disable Rails/RakeEnvironment
       puts <<~MSG
-        Add these environment variables to your Mastodon environment:#{' '}
+        Add these secret environment variables to your Mastodon environment (e.g. .env.production):#{' '}
 
         ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=#{SecureRandom.alphanumeric(32)}
         ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=#{SecureRandom.alphanumeric(32)}