chore: setup active record encryption from secrets

Colin Darie 2023-05-02 14:48:58 +02:00
parent 2144c69e22
commit eb88c5e9de
No known key found for this signature in database
GPG key ID: 4FB865FDBCA4BCC4
3 changed files with 13 additions and 2 deletions


@ -98,8 +98,9 @@ module TPS
html_tag.html_safe # this is generated by rails
end
# rubocop:enable Rails/OutputSafety
#
config.active_record.encryption.key_derivation_salt = Rails.application.secrets.encryption_service_salt
config.active_record.encryption.primary_key = Rails.application.secrets.otp_secret_key
config.active_record.encryption.primary_key = Rails.application.secrets.active_record_encryption.fetch(:primary_key)
config.active_record.encryption.key_derivation_salt = Rails.application.secrets.active_record_encryption.fetch(:key_derivation_salt)
end
end
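Review bot: The two new `.fetch(:primary_key)` / `.fetch(:key_derivation_salt)` calls only guard against a missing hash key, not a missing value. In the secrets file of this same commit, `<%= ENV["AR_ENCRYPTION_PRIMARY_KEY"] %>` with an unset or empty variable renders a YAML null, so `fetch` returns `nil` and the app boots with no encryption key; the failure would presumably surface only when an encrypted attribute is first read or written. Consider failing at boot, e.g. `config.active_record.encryption.primary_key = Rails.application.secrets.active_record_encryption.fetch(:primary_key).presence || raise("AR_ENCRYPTION_PRIMARY_KEY is not set")`, and the same for the salt. Separately, if any column was already encrypted under the previous `otp_secret_key` / `encryption_service_salt` pair, it will no longer decrypt after this change, which is worth confirming before deploy. The enclosing class body starts outside this hunk.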


@ -142,6 +142,10 @@ API_EDUCATION_URL="https://data.education.gouv.fr/api/records/1.0"
# Encryption key for sensitive columns in the database
ENCRYPTION_SERVICE_SALT=""
# ActiveRecord encryption keys. Generate them with bin/rails db:encryption:init (you can omit deterministic_key)
AR_ENCRYPTION_PRIMARY_KEY=""
AR_ENCRYPTION_KEY_DERIVATION_SALT=""
# Salt for invisible_captcha session data.
# Must be the same value for all app instances behind a load-balancer.
INVISIBLE_CAPTCHA_SECRET="kikooloool"
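Review bot: The comment added above `AR_ENCRYPTION_PRIMARY_KEY` explains how to generate the two values but not how they must be handled afterwards. Unlike the captcha salt just below, nothing says that both values have to be identical on every app instance and retained for as long as encrypted data exists. I would add a line such as `# Keep both values secret, identical on all instances, and backed up: encrypted columns cannot be read without them.` The older comment on `ENCRYPTION_SERVICE_SALT` ("Encryption key for sensitive columns in the database") may also need rewording if that salt no longer feeds Active Record encryption after this commit; its other uses are not visible here.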


@ -13,6 +13,9 @@ defaults: &defaults
secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
encryption_service_salt: <%= ENV["ENCRYPTION_SERVICE_SALT"] %>
otp_secret_key: <%= ENV["OTP_SECRET_KEY"] %>
active_record_encryption:
primary_key: <%= ENV["AR_ENCRYPTION_PRIMARY_KEY"] %>
key_derivation_salt: <%= ENV["AR_ENCRYPTION_KEY_DERIVATION_SALT"] %>
basic_auth:
username: <%= ENV['BASIC_AUTH_USERNAME'] %>
password: <%= ENV['BASIC_AUTH_PASSWORD'] %>
@ -103,6 +106,9 @@ test:
secret_key_base: aa52abc3f3a629d04a61e9899a24c12f52b24c679cbf45f8ec0cdcc64ab9526d673adca84212882dff3911ac98e0c32ec4729ca7b3429ba18ef4dfd1bd18bc7a # ggignore
encryption_service_salt: QUDyMoXyw2YXU8pHnpts3w9MyMpsMQ6BgP62obgCf7PQv # ggignore
otp_secret_key: 78ddda3679dc0ba2c99f50bcff04f49d862358dbeb7ead50368fdd6de14392be884ee10a204a0375b4b382e1a842fafe40d7858b7ab4796ec3a67c518d31112b # ggignore
active_record_encryption:
primary_key: test-RgUyzplf0kehB5fyZpmCd37uvgb # ggignore
key_derivation_salt: test-yyMmzM9cTSD1rs3Fq3hwt3hMNg4 # ggignore
api_entreprise:
key: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik9oIHllYWgiLCJpYXQiOjE1MTYyMzkwMjJ9.f06sBo3q2Yxnw_TYPFUEs0CozBmcV-XniH_DeKNWzKE" # ggignore
pipedrive: