From 4926fb902d3e9c4583c4251415585c8cad14c22f Mon Sep 17 00:00:00 2001
From: "Jose D. Gomez R" <jose.gomez@suse.com>
Date: Thu, 4 Jan 2024 17:58:30 +0100
Subject: [PATCH] Removing rails secrets facilities from RMT (#1065)

- RMT does not use any secret facility (key derivation for singing
  or encrypting data), yet rails requires a valid configuration for
  this to boot fine.

  This is now removed and hardcoded a dummy secret key base in case
  any other component within the rails stack tries to derivate a
  key.
---
 Makefile                                      |  1 -
 config/application.rb                         | 11 +++++++
 config/environments/production.rb             |  5 ---
 config/secrets.yml                            | 32 -------------------
 lib/tasks/encrypted_key.rake                  | 22 -------------
 .../files/update_rmt_app_dir_permissions.sh   |  9 +-----
 package/obs/rmt-server.changes                |  2 +-
 package/obs/rmt-server.spec                   |  5 ---
 8 files changed, 13 insertions(+), 74 deletions(-)
 delete mode 100644 config/secrets.yml
 delete mode 100644 lib/tasks/encrypted_key.rake

diff --git a/Makefile b/Makefile
index 248181b42..2e46640c1 100644
--- a/Makefile
+++ b/Makefile
@@ -53,7 +53,6 @@ dist: clean man
 
 	@rm -rf $(NAME)-$(VERSION)/config/rmt.yml
 	@rm -rf $(NAME)-$(VERSION)/config/rmt.local.yml
-	@rm -rf $(NAME)-$(VERSION)/config/secrets.yml.*
 	@rm -rf $(NAME)-$(VERSION)/config/system_uuid
 
 	# don't package test tasks (fails to load because of rspec dependency)
diff --git a/config/application.rb b/config/application.rb
index 2a0cd161e..581f9eac3 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -72,5 +72,16 @@ class Application < Rails::Application
       g.test_framework :rspec
     end
 
+    # Rails initialization process requires a secret key base present in either:
+    # - SECRET_KEY_BASE env
+    # - credentials.secret_key_base
+    # - secrets.secret_key_base
+    #
+    # Else the boot process will be halted. RMT does not use any of those
+    # facilities. Hardcoding it here keeps rails happy and allows the boot
+    # process to continue.
+    config.require_master_key = false
+    config.read_encrypted_secrets = false
+    config.secret_key_base = 'rmt-does-not-use-this'
   end
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index ede54a737..a0be67e85 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -15,11 +15,6 @@
   config.consider_all_requests_local       = false
   config.action_controller.perform_caching = true
 
-  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
-  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
-  # config.require_master_key = true
-  config.read_encrypted_secrets = true
-
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
   config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
diff --git a/config/secrets.yml b/config/secrets.yml
deleted file mode 100644
index bb9d2d61a..000000000
--- a/config/secrets.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Be sure to restart your server when you modify this file.
-
-# Your secret key is used for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-# You can use `rails secret` to generate a secure secret key.
-
-# Make sure the secrets in this file are kept private
-# if you're sharing your code publicly.
-
-# Shared secrets are available across all environments.
-
-# shared:
-#   api_key: a1B2c3D4e5F6
-
-# Environmental secrets are only available for that specific environment.
-
-development:
-  secret_key_base: 8ea53ad3bc6c03923e376c8bdd85059c1885524947a7efe53d5e9c9d4e39861106ffd6a2ece82b803072ed701e6c960bade91644979e679416c5f255007237ae
-
-test:
-  secret_key_base: 331f21cb85f289f795d784286954bb7254552e10dd79872bd561d247409b74c925eea0ad22f174b80ac2b73b3318f41630a8827aa08ff9904e1b84df2c28ba15
-
-# Do not keep production secrets in the unencrypted secrets file.
-# Instead, either read values from the environment.
-# Or, use `bin/rails secrets:setup` to configure encrypted secrets
-# and move the `production:` environment over there.
-
-production:
-  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
diff --git a/lib/tasks/encrypted_key.rake b/lib/tasks/encrypted_key.rake
deleted file mode 100644
index ed27c3adf..000000000
--- a/lib/tasks/encrypted_key.rake
+++ /dev/null
@@ -1,22 +0,0 @@
-namespace :rmt do
-  namespace :secrets do
-    desc 'Create encryption key for Rails secrets'
-    task create_encryption_key: :environment do
-      require 'rails/generators/rails/encryption_key_file/encryption_key_file_generator'
-
-      Rails::Generators::EncryptionKeyFileGenerator
-        .new.add_key_file('config/secrets.yml.key')
-
-      FileUtils.chmod(0o640, 'config/secrets.yml.key')
-    end
-
-    desc 'Create the `secret_key_base` for Rails'
-    task create_secret_key_base: :environment do
-      Rails::Secrets.write(
-        { 'production' => { 'secret_key_base' => SecureRandom.hex(64) } }.to_yaml
-      )
-
-      FileUtils.chmod(0o640, 'config/secrets.yml.enc')
-    end
-  end
-end
diff --git a/package/files/update_rmt_app_dir_permissions.sh b/package/files/update_rmt_app_dir_permissions.sh
index 16e8f9951..16dcb1c9f 100644
--- a/package/files/update_rmt_app_dir_permissions.sh
+++ b/package/files/update_rmt_app_dir_permissions.sh
@@ -21,12 +21,5 @@ fi
 secret_key_files=('config/secrets.yml.key' 'config/secrets.yml.enc')
 
 for secretFile in ${secret_key_files[@]}; do
-  file_path="$app_dir/$secretFile"
-  if [[ -e $file_path ]]; then
-    if [[ "$(stat -c "%U %G" $file_path)" == "root root" ]]; then
-      chmod 0640 $file_path
-      chown -h root:nginx $file_path
-    fi
-  fi
-
+  rm -f "$app_dir/$secretFile"
 done
diff --git a/package/obs/rmt-server.changes b/package/obs/rmt-server.changes
index faf742ed6..a156bb354 100644
--- a/package/obs/rmt-server.changes
+++ b/package/obs/rmt-server.changes
@@ -4,7 +4,7 @@ Wed Oct 04 13:23:00 UTC 2023 - Felix Schnizlein <fschnizlein@suse.com>
 - Version 2.15:
   * Moving system hardware information to systems database table to
     allow transmitting system information dynamically. (jsc#PED-3734)
-  * Fix secrets access for server user (bsc#1215176)
+  * Dropping Rails Secrets facilities and related config files (bsc#1215176)
   * rmt-client-setup-res script: fix for CentOS8 clients (bsc#1214709)
   * Updated supportconfig script (bsc#1216389)
 
diff --git a/package/obs/rmt-server.spec b/package/obs/rmt-server.spec
index aeba35522..28c84df55 100644
--- a/package/obs/rmt-server.spec
+++ b/package/obs/rmt-server.spec
@@ -322,11 +322,6 @@ getent passwd %{rmt_user} >/dev/null || \
 %post
 %service_add_post rmt-server.target rmt-server.service rmt-server-migration.service rmt-server-mirror.service rmt-server-sync.service rmt-server-systems-scc-sync.service
 
-# Rails by default creates `secrets.yml.key` with `0600` file mode, see here
-# https://github.com/rails/rails/blob/6-0-stable/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
-cd %{_datadir}/rmt && runuser -u root -g %{rmt_group} -- bin/rails rmt:secrets:create_encryption_key >/dev/null RAILS_ENV=production && \
-cd %{_datadir}/rmt && runuser -u root -g %{rmt_group} -- bin/rails rmt:secrets:create_secret_key_base >/dev/null RAILS_ENV=production && \
-
 # Run only on install
 if [ $1 -eq 1 ]; then
   echo "Please run the YaST RMT module (or 'yast2 rmt' from the command line) to complete the configuration of your RMT" >> /dev/stdout