decidim · alecslupu · Jul 31, 2024 · Jul 31, 2024 · Jul 31, 2024 · Jul 31, 2024
diff --git a/decidim-core/app/forms/decidim/notifications_settings_form.rb b/decidim-core/app/forms/decidim/notifications_settings_form.rb
@@ -46,7 +46,7 @@ def direct_message_types
     end
 
     def meet_push_notifications_requirements?
-      Rails.application.secrets.dig(:vapid, :enabled) || false
+      Decidim::Env.new("VAPID_PUBLIC_KEY").present?
     end
   end
 end
diff --git a/decidim-core/app/models/decidim/omniauth_provider.rb b/decidim-core/app/models/decidim/omniauth_provider.rb
@@ -3,7 +3,7 @@
 module Decidim
   class OmniauthProvider
     def self.available
-      Rails.application.secrets[:omniauth] || {}
+      Decidim.omniauth_providers
     end
 
     def self.enabled

diff --git a/decidim-core/app/services/decidim/send_push_notification.rb b/decidim-core/app/services/decidim/send_push_notification.rb
@@ -19,7 +19,7 @@ class SendPushNotification
     #
     # @return [Array<Net::HTTPCreated>, nil] the result of the dispatch or nil if user or subscription are empty
     def perform(notification, title = nil)
-      return unless Rails.application.secrets.dig(:vapid, :enabled)
+      return if Decidim::Env.new("VAPID_PUBLIC_KEY").blank?
       raise ArgumentError, "Need to provide a title if the notification is a PushNotificationMessage" if notification.is_a?(Decidim::PushNotificationMessage) && title.nil?
 
       user = notification.user
@@ -66,8 +66,8 @@ def build_payload(message_params, subscription)
         p256dh: subscription["p256dh"],
         auth: subscription["auth"],
         vapid: {
-          public_key: Rails.application.secrets.vapid[:public_key],
-          private_key: Rails.application.secrets.vapid[:private_key]
+          public_key: ENV.fetch("VAPID_PUBLIC_KEY", nil),
+          private_key: ENV.fetch("VAPID_PRIVATE_KEY", nil)
         }
       }
     end

diff --git a/decidim-core/app/views/decidim/notifications_settings/show.html.erb b/decidim-core/app/views/decidim/notifications_settings/show.html.erb
@@ -194,7 +194,7 @@
           </div>
         </div>
 
-        <input id="vapidPublicKey" name="vapid_public_key" type="hidden" value="<%= Base64.urlsafe_decode64(Rails.application.secrets.vapid[:public_key]).bytes %>">
+        <input id="vapidPublicKey" name="vapid_public_key" type="hidden" value="<%= Base64.urlsafe_decode64(ENV["VAPID_PUBLIC_KEY"]).bytes %>">
         <input id="subKeys" name="sub_key" type="hidden" value="<%= current_user.notifications_subscriptions.keys %>">
       <% end %>
 

diff --git a/decidim-core/config/initializers/omniauth.rb b/decidim-core/config/initializers/omniauth.rb
@@ -13,7 +13,7 @@ def setup_provider_proc(provider, config_mapping = {})
 end
 
 Rails.application.config.middleware.use OmniAuth::Builder do
-  omniauth_config = Rails.application.secrets[:omniauth]
+  omniauth_config = Decidim.omniauth_providers
 
   if omniauth_config
     if omniauth_config[:developer].present?

diff --git a/decidim-core/lib/decidim/asset_router/storage.rb b/decidim-core/lib/decidim/asset_router/storage.rb
@@ -104,7 +104,7 @@ def default_options
       # @return [Hash] The remote storage options hash
       def remote_storage_options
         @remote_storage_options ||= {
-          host: Rails.application.secrets.dig(:storage, :cdn_host)
+          host: ENV.fetch("STORAGE_CDN_HOST", nil)
         }.compact
       end
 

diff --git a/decidim-core/lib/decidim/core.rb b/decidim-core/lib/decidim/core.rb
@@ -573,6 +573,33 @@ def self.reset_all_column_information
     {}
   end
 
+  config_accessor :omniauth_providers do
+    {
+      developer: {
+        enabled: Rails.env.development? || Rails.env.test?,
+        icon: "phone-line"
+      },
+      facebook: {
+        enabled: Decidim::Env.new("OMNIAUTH_FACEBOOK_APP_ID").present?,
+        app_id: ENV.fetch("OMNIAUTH_FACEBOOK_APP_ID", nil),
+        app_secret: ENV.fetch("OMNIAUTH_FACEBOOK_APP_SECRET", nil),
+        icon: "facebook-fill"
+      },
+      twitter: {
+        enabled: Decidim::Env.new("OMNIAUTH_TWITTER_API_KEY").present?,
+        api_key: ENV.fetch("OMNIAUTH_TWITTER_API_KEY", nil),
+        api_secret: ENV.fetch("OMNIAUTH_TWITTER_API_SECRET", nil),
+        icon: "twitter-x-fill"
+      },
+      google_oauth2: {
+        enabled: Decidim::Env.new("OMNIAUTH_GOOGLE_CLIENT_ID").present?,
+        icon: "google-fill",
+        client_id: ENV.fetch("OMNIAUTH_GOOGLE_CLIENT_ID", nil),
+        client_secret: ENV.fetch("OMNIAUTH_GOOGLE_CLIENT_SECRET", nil)
+      }
+    }
+  end
+
   # Public: Registers a global engine. This method is intended to be used
   # by component engines that also offer unscoped functionality
   #

diff --git a/decidim-core/lib/decidim/organization_settings.rb b/decidim-core/lib/decidim/organization_settings.rb
@@ -137,11 +137,11 @@ def defaults_hash
       end
 
       def default_maximum_attachment_size
-        (Rails.application.secrets.decidim[:maximum_attachment_size].presence || 10).to_f
+        Decidim::Env.new("DECIDIM_MAXIMUM_ATTACHMENT_SIZE", "10").to_f
       end
 
       def default_maximum_avatar_size
-        (Rails.application.secrets.decidim[:maximum_avatar_size].presence || 5).to_f
+        Decidim::Env.new("DECIDIM_MAXIMUM_AVATAR_SIZE", "5").to_f
       end
     end
 

diff --git a/decidim-core/spec/forms/notifications_settings_form_spec.rb b/decidim-core/spec/forms/notifications_settings_form_spec.rb
@@ -178,7 +178,7 @@ module Decidim
     describe "#meet_push_notifications_requirements?" do
       context "when the notifications requirements are met" do
         before do
-          Rails.application.secrets[:vapid] = { enabled: true }
+          ENV["VAPID_PUBLIC_KEY"] = "FOO BAR"
         end
 
         it "returns true" do
@@ -188,7 +188,7 @@ module Decidim
 
       context "when vapid secrets are not present" do
         before do
-          Rails.application.secrets.delete(:vapid)
+          ENV["VAPID_PUBLIC_KEY"] = ""
         end
 
         it "returns false" do
@@ -198,7 +198,7 @@ module Decidim
 
       context "when the notifications requirements are not met" do
         before do
-          Rails.application.secrets[:vapid] = { enabled: false }
+          ENV["VAPID_PUBLIC_KEY"] = nil
         end
 
         it "returns false" do

diff --git a/decidim-core/spec/lib/asset_router/storage_spec.rb b/decidim-core/spec/lib/asset_router/storage_spec.rb
@@ -189,8 +189,7 @@ module Decidim::AssetRouter
 
       context "when the CDN host is defined" do
         before do
-          allow(Rails.application.secrets).to receive(:dig).and_call_original
-          allow(Rails.application.secrets).to receive(:dig).with(:storage, :cdn_host).and_return("https://cdn.example.org")
+          ENV["STORAGE_CDN_HOST"] = "https://cdn.example.org"
         end
 
         it "creates the route to the CDN blob" do

diff --git a/decidim-core/spec/lib/attribute_encryptor_spec.rb b/decidim-core/spec/lib/attribute_encryptor_spec.rb
@@ -76,9 +76,7 @@ module Decidim
         before do
           # Temporarily change the secret so that it matches the secret used
           # when encrypting the value.
-          allow(Rails.application.secrets).to receive(
-            :secret_key_base
-          ).and_return("testsecret")
+          allow(Rails.application).to receive(:secret_key_base).and_return("testsecret")
         end
 
         it "returns the decrypted value" do

diff --git a/decidim-core/spec/lib/decidim_spec.rb b/decidim-core/spec/lib/decidim_spec.rb
@@ -41,9 +41,10 @@
   describe ".force_ssl" do
     let!(:orig_force_ssl) { described_class.force_ssl }
     let(:rails_env) { "test" }
+    let(:env) { ActiveSupport::EnvironmentInquirer.new(rails_env) }
 
     before do
-      allow(Rails).to receive(:env).and_return(rails_env)
+      allow(Rails).to receive(:env).and_return(env)
       load "#{Decidim::Core::Engine.root}/lib/decidim/core.rb"
     end
 

diff --git a/decidim-core/spec/lib/organization_settings_spec.rb b/decidim-core/spec/lib/organization_settings_spec.rb
@@ -148,8 +148,9 @@ module Decidim
         let(:maximum_attachment_size) { 20 }
 
         before do
-          allow(Rails.application.secrets.decidim).to receive(:[]).and_call_original
-          allow(Rails.application.secrets.decidim).to receive(:[]).with(:maximum_attachment_size).and_return(maximum_attachment_size)
+          allow(ENV).to receive(:fetch).and_call_original
+          allow(ENV).to receive(:fetch).with("DECIDIM_MAXIMUM_ATTACHMENT_SIZE", nil).and_return(maximum_attachment_size.to_s)
+
           # defaults method is memoized, we need to reset it to make sure it uses the stubbed values
           described_class.instance_variable_set(:@defaults, nil)
         end

diff --git a/decidim-core/spec/models/decidim/organization_spec.rb b/decidim-core/spec/models/decidim/organization_spec.rb
@@ -11,17 +11,20 @@ module Decidim
         facebook: {
           enabled: true,
           app_id: "fake-facebook-app-id",
-          app_secret: "fake-facebook-app-secret"
+          app_secret: "fake-facebook-app-secret",
+          icon: "phone"
         },
         twitter: {
           enabled: true,
           api_key: "fake-twitter-api-key",
-          api_secret: "fake-twitter-api-secret"
+          api_secret: "fake-twitter-api-secret",
+          icon: "phone"
         },
         google_oauth2: {
           enabled: true,
           client_id: nil,
-          client_secret: nil
+          client_secret: nil,
+          icon: "phone"
         }
       }
     end
@@ -96,14 +99,14 @@ module Decidim
         end
 
         context "when providers are not enabled in secrets.yml" do
-          let!(:previous_omniauth_secrets) { Rails.application.secrets[:omniauth] }
+          let!(:previous_omniauth_secrets) { Decidim.omniauth_providers }
 
           before do
-            Rails.application.secrets[:omniauth] = nil
+            Decidim.omniauth_providers = {}
           end
 
           after do
-            Rails.application.secrets[:omniauth] = previous_omniauth_secrets
+            Decidim.omniauth_providers = previous_omniauth_secrets
           end
 
           it "returns no providers" do

diff --git a/decidim-core/spec/services/decidim/send_push_notification_spec.rb b/decidim-core/spec/services/decidim/send_push_notification_spec.rb
@@ -9,13 +9,15 @@
   let(:user) { create(:user, notification_settings: { subscriptions: }) }
 
   before do
-    Rails.application.secrets[:vapid] = { enabled: true, public_key: "public_key", private_key: "private_key" }
+    ENV["VAPID_PUBLIC_KEY"] = "public_key"
+    ENV["VAPID_PRIVATE_KEY"] = "private_key"
   end
 
   shared_examples "send a push notification" do
     context "without vapid settings config" do
       before do
-        Rails.application.secrets.delete(:vapid)
+        ENV["VAPID_PUBLIC_KEY"] = ""
+        ENV["VAPID_PRIVATE_KEY"] = ""
       end
 
       describe "#perform" do
@@ -27,7 +29,7 @@
 
     context "without vapid enabled" do
       before do
-        Rails.application.secrets[:vapid] = { enabled: false }
+        ENV["VAPID_PUBLIC_KEY"] = ""
       end
 
       describe "#perform" do

diff --git a/decidim-core/spec/system/account_spec.rb b/decidim-core/spec/system/account_spec.rb
@@ -353,7 +353,9 @@
 
     context "when VAPID keys are set" do
       before do
-        Rails.application.secrets[:vapid] = vapid_keys
+        ENV["VAPID_PUBLIC_KEY"] = vapid_keys[:public_key]
+        ENV["VAPID_PRIVATE_KEY"] = vapid_keys[:private_key]
+
         driven_by(:pwa_chrome)
         switch_to_host(organization.host)
         login_as user, scope: :user
@@ -383,7 +385,7 @@
 
     context "when VAPID is disabled" do
       before do
-        Rails.application.secrets[:vapid] = { enabled: false }
+        ENV["VAPID_PUBLIC_KEY"] = ""
         driven_by(:pwa_chrome)
         switch_to_host(organization.host)
         login_as user, scope: :user
@@ -397,7 +399,7 @@
 
     context "when VAPID keys are not set" do
       before do
-        Rails.application.secrets.delete(:vapid)
+        ENV["VAPID_PUBLIC_KEY"] = nil
         driven_by(:pwa_chrome)
         switch_to_host(organization.host)
         login_as user, scope: :user

diff --git a/decidim-core/spec/uploaders/application_uploader_spec.rb b/decidim-core/spec/uploaders/application_uploader_spec.rb
@@ -195,8 +195,8 @@ module Decidim
         before do
           allow(Rails.env).to receive(:development?).and_return(false)
           allow(Rails.env).to receive(:test?).and_return(false)
-          allow(Rails.application.secrets).to receive(:dig).and_call_original
-          allow(Rails.application.secrets).to receive(:dig).with(:storage, :cdn_host).and_return(cdn_host)
+          allow(ENV).to receive(:fetch).and_call_original
+          allow(ENV).to receive(:fetch).with("STORAGE_CDN_HOST", nil).and_return(cdn_host)
         end
 
         it "returns a URL containing the CDN configurations" do

diff --git a/decidim-generators/lib/decidim/generators/app_generator.rb b/decidim-generators/lib/decidim/generators/app_generator.rb
@@ -198,7 +198,7 @@ def add_storage_provider
         abort("#{providers} is not supported as storage provider, please use local, s3, gcs or azure") unless (providers - %w(local s3 gcs azure)).empty?
         gsub_file "config/environments/production.rb",
                   /config.active_storage.service = :local/,
-                  "config.active_storage.service = Rails.application.secrets.dig(:storage, :provider) || :local"
+                  %{config.active_storage.service = Decidim::Env.new("STORAGE_PROVIDER", "local").to_s}
 
         add_production_gems do
           gem "aws-sdk-s3", require: false if providers.include?("s3")
@@ -335,8 +335,8 @@ def decidim_initializer
                   /#{Regexp.escape("# config.available_locales = %w(en ca es)")}/,
                   "config.available_locales = %w(#{options[:locales].gsub(",", " ")})"
         gsub_file "config/initializers/decidim.rb",
-                  /#{Regexp.escape("config.available_locales = Rails.application.secrets.decidim[:available_locales].presence || [:en]")}/,
-                  "# config.available_locales = Rails.application.secrets.decidim[:available_locales].presence || [:en]"
+                  /#{Regexp.escape("config.available_locales = Decidim::Env.new(\"DECIDIM_AVAILABLE_LOCALES\", \"ca,cs,de,en,es,eu,fi,fr,it,ja,nl,pl,pt,ro\").to_array.to_json")}/,
+                  "# config.available_locales = Decidim::Env.new(\"DECIDIM_AVAILABLE_LOCALES\", \"ca,cs,de,en,es,eu,fi,fr,it,ja,nl,pl,pt,ro\").to_array.to_json"
       end
 
       def dev_performance_config

diff --git a/decidim-generators/lib/decidim/generators/app_templates/database.yml.erb b/decidim-generators/lib/decidim/generators/app_templates/database.yml.erb
@@ -65,9 +65,9 @@ test:
   <<: *default
   database: <%= app_name %>_test<%%= ENV.fetch('TEST_ENV_NUMBER', "") %>
 
-# As with config/secrets.yml, you never want to store sensitive information,
-# like your database password, in your source code. If your source code is
-# ever seen by anyone, they now have access to your database.
+# You never want to store sensitive information, like your database password,
+# in your source code. If your source code is ever seen by anyone,
+# they now have access to your database.
 #
 # Instead, provide the password as a unix environment variable when you boot
 # the app. Read http://guides.rubyonrails.org/configuring.html#configuring-a-database