Store OTP secret key in secrets.yml

.secret stores the secret token used for both encrypting login cookies
and for encrypting stored OTP secrets. We can't rotate this, because
that would invalidate all existing OTP secrets.

If the secret token is present in the .secret file or an environment
variable, save it as otp_key_base in secrets.yml. Now .secret can be
rotated without invalidating OTP secrets.

If the secret token isn't present (initial setup), then just generate a
separate otp_key_base and save in secrets.yml.

Update the docs to reflect that secrets.yml needs to be retained past
upgrades, but .secret doesn't.

1 files changed, 45 insertions, 36 deletions

diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index dae3a4a9a93..40c93c32dca 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -2,49 +2,58 @@
 
 require 'securerandom'
 
-# Your secret key for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-
-def find_secure_token
-  token_file = Rails.root.join('.secret')
-  if ENV.key?('SECRET_KEY_BASE')
-    ENV['SECRET_KEY_BASE']
-  elsif File.exist? token_file
-    # Use the existing token.
-    File.read(token_file).chomp
-  else
-    # Generate a new token of 64 random hexadecimal characters and store it in token_file.
-    token = SecureRandom.hex(64)
-    File.write(token_file, token)
-    token
-  end
-end
-
-Rails.application.config.secret_token = find_secure_token
-Rails.application.config.secret_key_base = find_secure_token
-
-# CI
 def generate_new_secure_token
   SecureRandom.hex(64)
 end
 
-if Rails.application.secrets.db_key_base.blank?
-  warn "Missing `db_key_base` for '#{Rails.env}' environment. The secrets will be generated and stored in `config/secrets.yml`"
+def warn_missing_secret(secret)
+  warn "Missing `#{secret}` for '#{Rails.env}' environment. The secret will be generated and stored in `config/secrets.yml`"
+end
+
+def create_tokens
+  secret_file = Rails.root.join('.secret')
+  file_key = File.read(secret_file).chomp if File.exist?(secret_file)
+  env_key = ENV['SECRET_KEY_BASE']
+  secret_key_base = env_key.present? ? env_key : file_key
+
+  if secret_key_base.blank?
+    secret_key_base = generate_new_secure_token
+    File.write(secret_file, secret_key_base)
+  end
+
+  Rails.application.config.secret_key_base = secret_key_base
 
-  all_secrets = YAML.load_file('config/secrets.yml') if File.exist?('config/secrets.yml')
-  all_secrets ||= {}
+  otp_key_base = Rails.application.secrets.otp_key_base
+  db_key_base = Rails.application.secrets.db_key_base
+  yaml_additions = {}
 
-  # generate secrets
-  env_secrets = all_secrets[Rails.env.to_s] || {}
-  env_secrets['db_key_base'] ||= generate_new_secure_token
-  all_secrets[Rails.env.to_s] = env_secrets
+  if otp_key_base.blank?
+    warn_missing_secret('otp_key_base')
 
-  # save secrets
-  File.open('config/secrets.yml', 'w', 0600) do |file|
-    file.write(YAML.dump(all_secrets))
+    otp_key_base ||= env_key || file_key || generate_new_secure_token
+    yaml_additions['otp_key_base'] = otp_key_base
   end
 
-  Rails.application.secrets.db_key_base = env_secrets['db_key_base']
+  Rails.application.secrets.otp_key_base = otp_key_base
+
+  if db_key_base.blank?
+    warn_missing_secret('db_key_base')
+
+    yaml_additions['db_key_base'] = db_key_base = generate_new_secure_token
+  end
+
+  Rails.application.secrets.db_key_base = db_key_base
+
+  unless yaml_additions.empty?
+    secrets_yml = Rails.root.join('config/secrets.yml')
+    all_secrets = YAML.load_file(secrets_yml) if File.exist?(secrets_yml)
+    all_secrets ||= {}
+
+    env_secrets = all_secrets[Rails.env.to_s] || {}
+    all_secrets[Rails.env.to_s] = env_secrets.merge(yaml_additions)
+
+    File.write(secrets_yml, YAML.dump(all_secrets), mode: 'w', perm: 0600)
+  end
 end
+
+create_tokens