[#140196, #140197] extract secrets from settings.yml (#1453)

meara · web-flow · commit 407c0c928a63 · 2018-03-20T16:05:29.000-05:00
Release Notes
Secret information such as API keys should exist in secrets.yml rather than in settings.yml or by being overridden in settings.local.yml.

Deploy Note
Will need to update settings.yml and secrets.yml to match the updated templates on staging and production servers in conjunction with the release.
diff --git a/app/models/concerns/downloadable_file.rb b/app/models/concerns/downloadable_file.rb
@@ -3,14 +3,14 @@ module DownloadableFile
   extend ActiveSupport::Concern
 
   included do
-    has_attached_file :file, Settings.paperclip.to_hash.merge(validate_media_type: false)
+    has_attached_file :file, PaperclipSettings.config.merge(validate_media_type: false)
 
     # TODO: Limit attachment types for safe uploads
     do_not_validate_attachment_file_type :file
   end
 
   def download_url
-    if fog?
+    if PaperclipSettings.fog?
       # This is a workaround due to a bug or limitation in fog to generate a
       # private, expiring URL and have it force a download.
       #
@@ -31,10 +31,4 @@ def download_url
     end
   end
 
-  private
-
-  def fog?
-    Settings.paperclip.storage == "fog"
-  end
-
 end
diff --git a/config/initializers/paperclip.rb b/config/initializers/paperclip.rb
@@ -13,3 +13,16 @@
 Paperclip.options[:content_type_mappings] = {
   xls: "CDF V2 Document, No summary info",
 }
+
+class PaperclipSettings
+
+  def self.config
+    secrets = Hash(Rails.application.secrets.paperclip).symbolize_keys
+    Settings.paperclip.to_hash.merge(secrets)
+  end
+
+  def self.fog?
+    config[:storage] == "fog"
+  end
+
+end
diff --git a/config/secrets.yml.template b/config/secrets.yml.template
@@ -1,6 +1,28 @@
 development:
   secret_key_base: ~
 
+  # You should change this if you want to be able to access the API
+  api:
+    basic_auth_name: <%= SecureRandom.hex %>
+    basic_auth_password: <%= SecureRandom.hex %>
+
+  # You should change this if you want to be able to access the SecureRooms API
+  secure_rooms_api:
+    basic_auth_name: <%= SecureRandom.hex %>
+    basic_auth_password: <%= SecureRandom.hex %>
+
+  # Uncomment these lines if you wish to use S3 in your application.
+  # paperclip:
+  #   storage: fog
+  #   fog_credentials:
+  #     provider: AWS
+  #     aws_access_key_id: Your-Key-Here
+  #     aws_secret_access_key: Your-Key-Here
+  #   fog_directory: Your-Bucket-Name-Here
+  #   fog_public: false
+  #   path: ":class/:attachment/:id_partition/:style/:safe_filename"
+
+
 test:
   secret_key_base: needs_a_value_for_ci
 
diff --git a/config/settings.local.yml.template b/config/settings.local.yml.template
diff --git a/config/settings.yml b/config/settings.yml
@@ -86,16 +86,6 @@ relays:
     admin_enabled: true
     reservation_enabled: true
 
-# You should change this if you want to be able to access the API
-api:
-  basic_auth_name: <%= SecureRandom.hex %>
-  basic_auth_password: <%= SecureRandom.hex %>
-
-# You should change this if you want to be able to access the SecureRooms API
-secure_rooms_api:
-  basic_auth_name: <%= SecureRandom.hex %>
-  basic_auth_password: <%= SecureRandom.hex %>
-
 #
 # For these settings use SettingsHelper#feature_on?
 feature:
@@ -135,7 +125,7 @@ split_accounts:
     - administrator
     # - account_manager
 
-# This may be overridden in settings.local.yml if your fork is using S3, so
+# This may be overridden in secrets.yml if your fork is using S3, so
 # be sure to check there for configuration
 paperclip:
   storage: filesystem
