Merge pull request glitch-soc#2712 from ClearlyClaire/glitch-soc/merg…

…e-upstream Merge upstream changes up to 12472e7
Ember-ruby · May 20, 2024 · c6a87d2 · c6a87d2
1 parent 81c579b
commit c6a87d2
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 4 deletions.
diff --git a/.env.test b/.env.test
@@ -3,3 +3,9 @@ NODE_ENV=production
 # Federation
 LOCAL_DOMAIN=cb6e6126.ngrok.io
 LOCAL_HTTPS=true
+
+# Secret values required by ActiveRecord encryption feature
+# Use `bin/rails db:encryption:init` to generate fresh secrets
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=test_determinist_key_DO_NOT_USE_IN_PRODUCTION
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=test_salt_DO_NOT_USE_IN_PRODUCTION
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=test_primary_key_DO_NOT_USE_IN_PRODUCTION
diff --git a/config/initializers/active_record_encryption.rb b/config/initializers/active_record_encryption.rb
@@ -5,7 +5,7 @@
   ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
   ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
 ).each do |key|
-  ENV.fetch(key) do
+  value = ENV.fetch(key) do
     abort <<~MESSAGE
 
       Mastodon now requires that these variables are set:
@@ -14,9 +14,18 @@
         - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
         - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
 
-      Run `bin/rails db:encryption:init` to generate values and then assign the environment variables.
+      Run `bin/rails db:encryption:init` to generate new secrets and then assign the environment variables.
     MESSAGE
   end
+
+  next unless Rails.env.production? && value.end_with?('DO_NOT_USE_IN_PRODUCTION')
+
+  abort <<~MESSAGE
+
+    It looks like you are trying to run Mastodon in production with a #{key} value from the test environment.
+
+    Please generate fresh secrets using `bin/rails db:encryption:init` and use them instead.
+  MESSAGE
 end
 
 Rails.application.configure do

diff --git a/lib/tasks/db.rake b/lib/tasks/db.rake
@@ -8,7 +8,7 @@ namespace :db do
     desc 'Generate a set of keys for configuring Active Record encryption in a given environment'
     task :init do # rubocop:disable Rails/RakeEnvironment
       puts <<~MSG
-        Add these environment variables to your Mastodon environment:#{' '}
+        Add these secret environment variables to your Mastodon environment (e.g. .env.production):#{' '}
 
         ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=#{SecureRandom.alphanumeric(32)}
         ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=#{SecureRandom.alphanumeric(32)}

diff --git a/package.json b/package.json
@@ -49,7 +49,7 @@
     "@formatjs/intl-pluralrules": "^5.2.2",
     "@gamestdio/websocket": "^0.3.2",
     "@github/webauthn-json": "^2.1.1",
-    "@rails/ujs": "7.1.3-2",
+    "@rails/ujs": "7.1.3-3",
     "@reduxjs/toolkit": "^2.0.1",
     "@svgr/webpack": "^5.5.0",
     "arrow-key-navigation": "^1.2.0",