ncbo / bioportal_web_ui

A Rails application for biological ontologies
http://bioportal.bioontology.org/

Encrypted credentials for appliance #265

Closed alexskr closed 1 year ago

alexskr commented 1 year ago

Problem: The presence of encrypted credentials config/credentials.yml.enc in the GitHub repo creates deployment issues for the appliance. We do not want to distribute our master.key with the appliance so assets:precompile task fails because of mismatched credentials unless I remove config/credentials.yml.enc file.

Currently we have encrypted credentials config/credentials.yml.enc file checked into bioportal_web_ui git repo. It can be decrypted by master.key which we keep private.
We have per-environment encrypted credentials files for staging, appliance, development and test stored in the config/credentials. We do not have credentials file for the production env because I assume production defaults to config/credentials.yml.enc?

Do we really need to have config/credentials/appliance.yml.enc file? Currently it contains kgcl github_access_token and secret_key_base. When a new appliance instance is deployed in the wild the secret_key_base must be reset so we don’t need to keep it checked in in our repo. I do not think we need to distribute kgcl GitHub access token to all appliances. If kgcl functionality is needed then a dedicated GH access token would need to be created for that appliance deployment.

I propose:

  1. Generate encrypted credentials for production environment similar to the setup of staging environment.
  2. Remove config/credentials.yml.enc from bioportal_web_ui repo
  3. Remove credential files for the appliance environment. Appliance would need to generate that on first boot.
  4. Consider creating a native ruby script or rake task for resetting encrypted credentials instead of relying on a shell script.

syphax-bouazzouni commented 1 year ago

Hi @alexskr, I think also that you should remove the master.key because it was the Rails 5 proposed way to do encrypted secrets, but the new way to do it is to use environment encrypted files (from Rails 6) (production.key to decrypt production.yml.enc, ...). The 'config/credentials.yml.enc' is only used now for global credentials (not environment-specific) but I don't think we do have them currently.

Agree also to remove the appliance.yml.enc file, and generate it at the appliance booting (there is already this task: EDITOR="touch" rails credentials:edit --environment appliance)

See this https://blog.saeloun.com/2019/10/10/rails-6-adds-support-for-multi-environment-credentials/, if needed for more details.

In the credentials, we do have ReCaptcha keys and KGCL GitHub tokens; both of these features need to be disabled by default in the appliance mode, and add a section in the appliance installation documentation to tell how to update and enable them. (A better solution I think in the future would be to add a configuration object to our models and store them in the triple store, this way, in the first boot of the appliance, we can give the users a UI to configure their appliance)

Hope I was helpful Bye.

alexskr commented 1 year ago

@syphax-bouazzouni we don't have master.key checked into our repo so you might want to remove/reset it on your end.

jvendetti commented 1 year ago

@alexskr, @syphax-bouazzouni - I performed the suggested changes in a branch, i.e.:

However, this solution is proving to be problematic. If I want to test the application locally in appliance mode, the server won't start:

➜  bioportal_web_ui git:(bugfix/265_encrypted-credentials-for-appliance) RAILS_ENV=appliance RAILS_SERVE_STATIC_FILES=true rails s
=> Booting Thin
=> Rails 6.1.5.1 application starting in appliance http://0.0.0.0:3000
=> Run `bin/rails server --help` for more startup options
Missing encryption key to decrypt file with. Ask your team for your master key and write it to /Users/vendetti/Development/GitHub/ncbo/bioportal_web_ui/config/master.key or put it in the ENV['RAILS_MASTER_KEY'].
Exiting

If I disable the master key requirement:

# config/environments/appliance.rb
config.require_master_key = false

... then the server errors out with:

Missing `secret_key_base` for 'appliance' environment, set this string with `bin/rails credentials:edit` (ArgumentError)

I generated a new application with the latest version of Rails (7.0.5), and noticed that by default, the framework includes a global credentials file (config/credentials.yml.enc and config/master.key) configured with a secret key base. From what I can tell, if you don't have an environment-specific credentials file, Rails will fall back to the global credentials file to look for the secret key base. As I said above, when I try to run in appliance mode locally with the suggested changes, I have neither present, and the server won't function.

alexskr commented 1 year ago

@jvendetti, you could create appliance credentials in your dev environment, just don't check that in.

jvendetti commented 1 year ago

Yes, I understand that. I'm still unsure about the proposed solution because:

All of that said, I don't know what to suggest as the "best" solution. If you and Syphax don't have any other thoughts on this and want to go in this direction, let me know and I'll merge the branch to master.

alexskr commented 1 year ago

It is not possible to use config/credentials.yml.enc anywhere but in BioPortal instance because that file is encrypted using master.key which we do not distribute with the code. BioPortal web ui as it is will not start in development mode for anyone except for the BioPortal team who has access to the master.key. For external contributors to work with our code base they have to manually remove config/credentials.yml.enc and config/credentials/appliance.yml.enc files and then generate their own keys and credentials.

I propose to remove those files and add instructions on how to generate credentials for dev/appliance env.

If we (BioPortal team) choose to continue using global credentials.yml.enc file instead of production.yml.enc we can check in that file into our private config repository. I understand that it more or less diminishes the purpose of having encrypted credentials but I don't know of any other way to get it to work for distributed teams who do not have access to the same master.key

Currently I am removing those files in my appliance deployment scripts but think optimally we should do that in the code base.

syphax-bouazzouni commented 1 year ago

> @syphax-bouazzouni we don't have master.key checked into our repo so you might want to remove/reset it on your end.

Ah yes, I will remove it when I merge your new release. Thanks for preventing me (I think it was just a development one, so no big worry about it).

jvendetti commented 1 year ago

This issue is closed, but I'm following up with documentation of the inconvenience that exists for the BioPortal team when we need to test how something works in appliance mode. The global and appliance environment credentials are now absent from the source tree. Today I needed to test the application in appliance mode to make sure the adjustments I made for the migration to Google Analytics 4 didn't cause any issues. The server doesn't start:

➜  bioportal_web_ui git:(feature/ga4-migration/270) ✗ RAILS_ENV=appliance RAILS_SERVE_STATIC_FILES=true rails s
=> Booting Thin
=> Rails 6.1.5.1 application starting in appliance http://0.0.0.0:3000
=> Run `bin/rails server --help` for more startup options
Missing encryption key to decrypt file with. Ask your team for your master key and write it to /Users/vendetti/Development/GitHub/ncbo/bioportal_web_ui/config/master.key or put it in the ENV['RAILS_MASTER_KEY'].
Exiting

So, now I have to regenerate the credentials and remember not to commit them to the source tree. This is one of a few reasons that I continue to lean toward a viewpoint that appliance distributions should be generated / coming from the parent "ontoportal" repository.

jvendetti commented 1 year ago

... and generating the credentials isn't sufficient because the credentials file needs a secret_key_base, otherwise the server won't start:

application.rb:603:in `validate_secret_key_base': Missing `secret_key_base` for 'appliance' environment, set this string with `bin/rails credentials:edit` (ArgumentError)

alexskr commented 1 year ago

This is what I usually do:

EDITOR='echo "secret_key_base: $(bundle exec rake secret)" > ' bundle exec rails credentials:edit --environment appliance

I'm not sure if there is a better way to do it

https://github.com/ncbo/virtual_appliance/blob/0c7b54f49b09d35c48454c95fb65ba2c5a6063b4/utils/bootstrap/reset_ui_encrypted_credentials.sh#L13
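
Item 4 of the proposal asks for a native Ruby script in place of the shell one-liner; the following is an added example, not code from any participant in this thread or from the ncbo repositories. It uses only Ruby's standard library and assumes the file layout written by ActiveSupport::EncryptedFile in Rails 6.1 (AES-128-GCM, Marshal-serialized payload, Base64 parts joined with `--`); the function names are hypothetical.

```ruby
require "openssl"
require "base64"
require "securerandom"
require "fileutils"

CIPHER = "aes-128-gcm" # cipher assumed from ActiveSupport::EncryptedFile (Rails 6.1)

# Encrypt `plain` into the "data--iv--tag" layout; the payload is
# Marshal-serialized, the MessageEncryptor default in Rails 6.1 (assumption).
def encrypt_credentials(plain, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(Marshal.dump(plain)) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

# Inverse operation. The GCM tag is verified in cipher.final, before
# Marshal.load runs; a wrong key or tampered file raises CipherError.
def decrypt_credentials(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| Base64.strict_decode64(part) }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  Marshal.load(cipher.update(data) + cipher.final)
end

# Write a fresh <env>.key and <env>.yml.enc under `dir` (e.g. on first boot).
# Refuses to overwrite, so a rerun cannot silently rotate secret_key_base.
def generate_credentials(env, dir)
  key_path = File.join(dir, "#{env}.key")
  enc_path = File.join(dir, "#{env}.yml.enc")
  [key_path, enc_path].each { |p| raise "#{p} exists, refusing to overwrite" if File.exist?(p) }
  FileUtils.mkdir_p(dir)
  key = SecureRandom.hex(16)                          # 128-bit key, hex-encoded
  yaml = "secret_key_base: #{SecureRandom.hex(64)}\n" # same length `rake secret` emits
  # O_EXCL plus mode 0600: the key is created owner-readable only, never replaced.
  File.open(key_path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(key) }
  File.binwrite(enc_path, encrypt_credentials(yaml, key))
  key_path
end

# CLI use: ruby generate_credentials.rb appliance config/credentials
generate_credentials(ARGV[0], ARGV[1]) if __FILE__ == $0 && ARGV.size == 2
```

Inside a loaded Rails application, `ActiveSupport::EncryptedConfiguration#write` does the encryption step without reimplementing the format. Either way, both generated files stay out of version control.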