Change ActiveRecordEncryption variable to be more explicit (#30151)

main-rebase-security-fix
Claire 2024-05-03 11:26:24 +02:00 committed by GitHub
parent 9aa31be8d3
commit 33368e3e79
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 18 additions and 2 deletions

View File

@ -6,9 +6,9 @@
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
).each do |key|
ENV.fetch(key) do
raise <<~MESSAGE
abort <<~MESSAGE
The ActiveRecord encryption feature requires that these variables are set:
Mastodon now requires that these variables are set:
- ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
- ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT

View File

@ -1,6 +1,22 @@
# frozen_string_literal: true
# We are providing our own task with our own format
Rake::Task['db:encryption:init'].clear
namespace :db do
namespace :encryption do
desc 'Generate a set of keys for configuring Active Record encryption in a given environment'
task init: :environment do
puts <<~MSG
Add these environment variables to your Mastodon environment:#{' '}
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=#{SecureRandom.alphanumeric(32)}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=#{SecureRandom.alphanumeric(32)}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=#{SecureRandom.alphanumeric(32)}
MSG
end
end
namespace :migrate do
desc 'Setup the db or migrate depending on state of db'
task setup: :environment do