Removing rails secrets facilities from RMT (#1065)

- RMT does not use any secret facility (key derivation for singing
  or encrypting data), yet rails requires a valid configuration for
  this to boot fine.

  This is now removed and hardcoded a dummy secret key base in case
  any other component within the rails stack tries to derivate a
  key.

Makefile

@@ -53,7 +53,6 @@ dist: clean man
 
 	@rm -rf $(NAME)-$(VERSION)/config/rmt.yml
 	@rm -rf $(NAME)-$(VERSION)/config/rmt.local.yml
-	@rm -rf $(NAME)-$(VERSION)/config/secrets.yml.*
 	@rm -rf $(NAME)-$(VERSION)/config/system_uuid
 
 	# don't package test tasks (fails to load because of rspec dependency)

config/application.rb

@@ -72,5 +72,16 @@ class Application < Rails::Application
       g.test_framework :rspec
     end
 
+    # Rails initialization process requires a secret key base present in either:
+    # - SECRET_KEY_BASE env
+    # - credentials.secret_key_base
+    # - secrets.secret_key_base
+    #
+    # Else the boot process will be halted. RMT does not use any of those
+    # facilities. Hardcoding it here keeps rails happy and allows the boot
+    # process to continue.
+    config.require_master_key = false
+    config.read_encrypted_secrets = false
+    config.secret_key_base = 'rmt-does-not-use-this'
   end
 end

config/environments/production.rb

@@ -15,11 +15,6 @@
   config.consider_all_requests_local       = false
   config.action_controller.perform_caching = true
 
-  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
-  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
-  # config.require_master_key = true
-  config.read_encrypted_secrets = true
-
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
   config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?

package/files/update_rmt_app_dir_permissions.sh

@@ -21,12 +21,5 @@ fi
 secret_key_files=('config/secrets.yml.key' 'config/secrets.yml.enc')
 
 for secretFile in ${secret_key_files[@]}; do
-  file_path="$app_dir/$secretFile"
-  if [[ -e $file_path ]]; then
-    if [[ "$(stat -c "%U %G" $file_path)" == "root root" ]]; then
-      chmod 0640 $file_path
-      chown -h root:nginx $file_path
-    fi
-  fi
-
+  rm -f "$app_dir/$secretFile"
 done

package/obs/rmt-server.changes

@@ -4,7 +4,7 @@ Wed Oct 04 13:23:00 UTC 2023 - Felix Schnizlein <fschnizlein@suse.com>
 - Version 2.15:
   * Moving system hardware information to systems database table to
     allow transmitting system information dynamically. (jsc#PED-3734)
-  * Fix secrets access for server user (bsc#1215176)
+  * Dropping Rails Secrets facilities and related config files (bsc#1215176)
   * rmt-client-setup-res script: fix for CentOS8 clients (bsc#1214709)
   * Updated supportconfig script (bsc#1216389)
 

package/obs/rmt-server.spec

@@ -322,11 +322,6 @@ getent passwd %{rmt_user} >/dev/null || \
 %post
 %service_add_post rmt-server.target rmt-server.service rmt-server-migration.service rmt-server-mirror.service rmt-server-sync.service rmt-server-systems-scc-sync.service
 
-# Rails by default creates `secrets.yml.key` with `0600` file mode, see here
-# https://github.com/rails/rails/blob/6-0-stable/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
-cd %{_datadir}/rmt && runuser -u root -g %{rmt_group} -- bin/rails rmt:secrets:create_encryption_key >/dev/null RAILS_ENV=production && \
-cd %{_datadir}/rmt && runuser -u root -g %{rmt_group} -- bin/rails rmt:secrets:create_secret_key_base >/dev/null RAILS_ENV=production && \
-
 # Run only on install
 if [ $1 -eq 1 ]; then
   echo "Please run the YaST RMT module (or 'yast2 rmt' from the command line) to complete the configuration of your RMT" >> /dev/stdout