Sunday, 15 August 2010

What should be removed from public source control in Ruby on Rails?

I've been searching the web, and can't find good/recent examples of what to exclude from a new public Rails app. I'm looking at open source apps on GitHub and wondering what types of info should be removed from source control.

From what I can tell, there should be a config/config.yml file that has private information. I've been looking through other files, and it looks like config/database.yml, config/initializers/secret_token.rb and config/initializers/session_store.rb should be excluded?

Is it best practice to exclude each of these files separately? Or is there a way to have the info defined in config/config.yml and called in each of the files? Additionally, which files and info should be kept private and hidden? All of them?

I'm wondering what approach I should take and what best practice is. Help!

I've been looking into this as well; I wanted to keep sensitive info hidden throughout the process of pushing open source code to GitHub, which is automatically pushed to Travis CI for testing, with Travis then automatically deploying to Heroku. Here are the details of what I've found so far looking at various StackOverflow Q&As, blogs etc, which may serve as a reference for you if you want a similar config within your Rails app (omit the {{ ... }} you see).

Disclaimer: I'm by no means an expert here, so please keep in mind there may be better ways than what I'm trying. I'd love to be able to learn new tricks in this Q&A thread.

Inside the Rails app

I use the figaro gem to hide sensitive info in ENV environment variables. In the (.gitignored) config/application.yml, I keep the following information:

    # App keys
    SECRET_TOKEN: # rake secret generated token

    development:
      DB_NAME: # dev db name here
      DB_USER: # dev db username here
      DB_PASSWORD: # dev db password here

    test:
      DB_NAME: # test db name here
      DB_USER: # test db username here
      DB_PASSWORD: # test db password here

    production:
      DB_NAME: # prod db name here
      DB_USER: # prod db username here
      DB_PASSWORD: # prod db password here

    # 3rd party keys referenced in the relevant files
    THIRD_PARTY_API_OR_LICENSE_KEY: # list of whatever api/license keys you use

(DB_NAME, DB_USER and DB_PASSWORD are used dynamically depending on the environment the app is running in.)

An empty version of the above file (config/application.example.yml) gets pushed to GitHub with instructions on how to fill it in.

The files pushed to GitHub then reference these variables like this:

config/database.yml (PostgreSQL is used here, but you should be able to change the settings to whatever database you use)

    postgresql: &postgresql
      adapter: postgresql
      database: <%= ENV['DB_NAME'] %>
      username: <%= ENV['DB_USER'] %>
      password: <%= ENV['DB_PASSWORD'] %>
      min_messages: error

    defaults: &defaults
      pool: 5
      timeout: 5000
      host: localhost
      <<: *<%= ENV['DB'] || "postgresql" %>

    development:
      <<: *defaults

    test:
      <<: *defaults

    production:
      <<: *defaults

config/initializers/secret_token.rb

    # Fail fast in production rather than booting with a missing token
    if Rails.env.production? && ENV['SECRET_TOKEN'].blank?
      raise 'SECRET_TOKEN environment variable must be set!'
    end
    YourApp::Application.config.secret_token = ENV['SECRET_TOKEN'] || {{whatever_secret_token_rails_generated_by_default}}

(Plus whatever files reference THIRD_PARTY_API_OR_LICENSE_KEY-type keys.)

Testing on Travis CI

Create encrypted Travis variables using the travis gem. The Heroku API key and Heroku git URL are only needed if you deploy directly to Heroku from the Travis worker (see this StackOverflow Q&A for details); otherwise you can omit them if you only use Travis for testing:

    $ gem install travis
    $ travis encrypt your_username/your_repo HEROKU_API_KEY={{your_heroku_api_key}}
    $ travis encrypt HEROKU_GIT_URL={{your_heroku_git_url}} # eg git@heroku.com:your_app.git
    $ travis encrypt DB_NAME={{your_db_name_under_test}} # eg your_app_test
    $ travis encrypt DB_USER={{your_db_user_under_test}}
    $ travis encrypt DB_PASSWORD={{your_db_password_under_test}}

(Plus encrypt any other keys you may need during testing, if any...)

Then add them to .travis.yml (once again PostgreSQL-focused, but you should be able to change the settings to whatever database you use):

    env:
      global:
        - secure: {{your_encrypted_heroku_api_key}}
        - secure: {{your_encrypted_heroku_git_url}}
        - secure: {{your_encrypted_db_name}}
        - secure: {{your_encrypted_db_user}}
        - secure: {{your_encrypted_db_password}}
      matrix:
        - DB: postgresql
    before_script:
      - psql -c "create database $DB_NAME;" -U $DB_USER
      - RAILS_ENV=test bundle exec rake db:migrate
    script:
      - bundle exec rspec spec/
    after_success:
      - gem install heroku
      - git remote add heroku $HEROKU_GIT_URL
      # ... see link above for the rest of the config content

Multiple variables marked with the same name of secure are fine; they'll show up in the config as HEROKU_API_KEY=[secure] HEROKU_GIT_URL=[secure] etc.

Deployment to Heroku

Use figaro's Heroku rake task to automatically set the environment variables Heroku needs to see in production:

$ rake figaro:heroku

Or, set them manually:

    $ heroku config:set SECRET_TOKEN={{your_secret_token}}
    $ heroku config:set DB_NAME={{your_db_name_under_production}} # eg your_app_production
    $ heroku config:set DB_USER={{your_db_user_under_production}}
    $ heroku config:set DB_PASSWORD={{your_db_password_under_production}}
    $ heroku config:set THIRD_PARTY_API_OR_LICENSE_KEY={{your_third_party_api_or_license_key}}

Then, attempt deployment.

That's what I have for now. Not sure at the moment if I should be hiding more info or if I'm not hiding enough, but it's a work in progress.
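As an added example (not code from the answer above, the figaro gem or any of the projects it mentions), the following Ruby script audits a checkout for the two mistakes the answer's setup is meant to prevent: config/application.yml not being gitignored, and tracked config files such as database.yml or secret_token.rb still carrying a literal secret instead of an ENV lookup. It assumes file contents are handed in as a Hash (so the constructed sample runs without a real repository) and uses a simplified approximation of git's .gitignore matching rules.

```ruby
# Added example, not from the original answer or the figaro gem.
# Audits a Rails checkout for (1) sensitive files missing from .gitignore and
# (2) tracked config files that still hold literal secrets instead of ENV lookups.

# Files the answer keeps out of source control entirely.
MUST_BE_IGNORED = ['config/application.yml'].freeze
# A literal token assigned in secret_token.rb (`rake secret` emits 128 hex chars).
SECRET_TOKEN_LITERAL = /config\.secret_token\s*=\s*['"][0-9a-f]{32,}['"]/i
# Sensitive YAML keys; group 2 is the value, which should be an <%= ENV[...] %> lookup.
SENSITIVE_YAML_KEY = /^\s*(\w*password|secret_token|\w*api_key|\w*license_key)\s*:\s*(\S.*)$/i

# Simplified .gitignore matching (assumption): a rule without '/' matches the basename anywhere.
def ignored?(gitignore, path)
  gitignore.each_line.map(&:strip).reject(&:empty?).any? do |rule|
    r = rule.sub(%r{\A/}, '')
    File.fnmatch(r, path) || (!r.include?('/') && File.fnmatch(r, File.basename(path)))
  end
end

# tracked: { "path" => "contents" } of files git would push; returns [path, line, problem] triples.
def audit_repo(tracked, gitignore)
  findings = []
  MUST_BE_IGNORED.each do |p|
    findings << [p, 0, 'not listed in .gitignore'] unless ignored?(gitignore, p)
    findings << [p, 0, 'tracked by git'] if tracked.key?(p)
  end
  tracked.each do |path, content|
    content.each_line.with_index(1) do |line, no|
      if path.end_with?('secret_token.rb') && line =~ SECRET_TOKEN_LITERAL
        findings << [path, no, 'literal secret_token']
      elsif path.end_with?('.yml') && (m = SENSITIVE_YAML_KEY.match(line))
        # ERB ENV lookups and the commented placeholders of application.example.yml are fine.
        next if m[2].include?('ENV[') || m[2].start_with?('#')
        findings << [path, no, "literal value for #{m[1]}"]
      end
    end
  end
  findings
end

# Constructed sample: database.yml converted as in the answer, a secret_token.rb
# still carrying its generated token, and a .gitignore that forgot application.yml.
SAMPLE_TRACKED = {
  'config/database.yml' => "production:\n  adapter: postgresql\n  password: <%= ENV['DB_PASSWORD'] %>\n",
  'config/initializers/secret_token.rb' =>
    "YourApp::Application.config.secret_token = '#{'ab12' * 32}'\n",
  'config/application.example.yml' => "development:\n  DB_PASSWORD: # dev db password here\n"
}.freeze
SAMPLE_GITIGNORE = "/.bundle\n/log/*.log\n/tmp\n"
puts audit_repo(SAMPLE_TRACKED, SAMPLE_GITIGNORE).map { |f| f.join(':') }
```

Feeding it the output of `git ls-files config/` instead of the sample Hash turns it into a pre-push check; the sample run reports the missing .gitignore entry and the literal token, and nothing for the converted database.yml.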

ruby-on-rails ruby ruby-on-rails-3 security
