diff --git a/decidim-accountability/lib/decidim/accountability.rb b/decidim-accountability/lib/decidim/accountability.rb index 12c9d645bd29b..5179d8ca2e12f 100644 --- a/decidim-accountability/lib/decidim/accountability.rb +++ b/decidim-accountability/lib/decidim/accountability.rb @@ -15,7 +15,7 @@ module Accountability # Public Setting that defines whether proposals can be linked to meetings config_accessor :enable_proposal_linking do - Decidim.const_defined?("Proposals") + Decidim::Env.new("ACCOUNTABILITY_ENABLE_PROPOSAL_LINKING", Decidim.const_defined?("Proposals")).present? end end end diff --git a/decidim-api/lib/decidim/api.rb b/decidim-api/lib/decidim/api.rb index 900b2043a7998..ac568ea126d39 100644 --- a/decidim-api/lib/decidim/api.rb +++ b/decidim-api/lib/decidim/api.rb @@ -1,5 +1,6 @@ # frozen_string_literal: true +require "decidim/env" require "decidim/api/engine" require "decidim/api/types" @@ -11,21 +12,21 @@ module Api # defines the schema max_per_page to configure GraphQL pagination config_accessor :schema_max_per_page do - 50 + Decidim::Env.new("API_SCHEMA_MAX_PER_PAGE", 50).to_i end # defines the schema max_complexity to configure GraphQL query complexity config_accessor :schema_max_complexity do - 5000 + Decidim::Env.new("API_SCHEMA_MAX_COMPLEXITY", 5000).to_i end # defines the schema max_depth to configure GraphQL query max_depth config_accessor :schema_max_depth do - 15 + Decidim::Env.new("API_SCHEMA_MAX_DEPTH", 15).to_i end config_accessor :disclose_system_version do - %w(1 true yes).include?(ENV.fetch("DECIDIM_API_DISCLOSE_SYSTEM_VERSION", nil)) + Decidim::Env.new("DECIDIM_API_DISCLOSE_SYSTEM_VERSION").present? end # This declares all the types an interface or union can resolve to. This needs diff --git a/decidim-budgets/lib/decidim/budgets.rb b/decidim-budgets/lib/decidim/budgets.rb index 20a9d5b88659e..579430b0d47f3 100644 --- a/decidim-budgets/lib/decidim/budgets.rb +++ b/decidim-budgets/lib/decidim/budgets.rb 
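Review bot: In `enable_proposal_linking`, the environment variable now overrides the module check instead of narrowing it: with `ACCOUNTABILITY_ENABLE_PROPOSAL_LINKING=true` the accessor returns true even when `Decidim::Proposals` is not loaded, because `Decidim.const_defined?("Proposals")` is only used as the fallback default. Keeping the constant check as a hard precondition avoids enabling linking against a missing component: `Decidim.const_defined?("Proposals") && Decidim::Env.new("ACCOUNTABILITY_ENABLE_PROPOSAL_LINKING", true).present?`. The same pattern is introduced for `BUDGETS_ENABLE_PROPOSAL_LINKING` in decidim-budgets/lib/decidim/budgets.rb.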
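Review bot: The GraphQL limits `schema_max_per_page`, `schema_max_complexity` and `schema_max_depth` now take whatever integer the environment supplies, with no lower bound or sanity check. `Decidim::Env#to_i` is not shown in this diff; if it behaves like `String#to_i`, a typo such as `API_SCHEMA_MAX_DEPTH=1O` silently becomes a small or zero limit, and how the schema treats 0 or a negative value is not visible here. Consider falling back to the default for non-positive results, e.g. `Decidim::Env.new("API_SCHEMA_MAX_DEPTH", 15).to_i.then { |v| v.positive? ? v : 15 }`. The same concern applies to the security-relevant integers in decidim-core/lib/decidim/core.rb (`throttling_max_requests`, `expire_session_after`, `admin_password_min_length`, `admin_password_expiration_days`).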
@@ -16,7 +16,7 @@ module Budgets # Public Setting that defines whether proposals can be linked to meetings config_accessor :enable_proposal_linking do - Decidim.const_defined?("Proposals") + Decidim::Env.new("BUDGETS_ENABLE_PROPOSAL_LINKING", Decidim.const_defined?("Proposals")).present? end end end diff --git a/decidim-core/app/forms/decidim/notifications_settings_form.rb b/decidim-core/app/forms/decidim/notifications_settings_form.rb index 7cf18c0fc2d4c..ddc5d76a94045 100644 --- a/decidim-core/app/forms/decidim/notifications_settings_form.rb +++ b/decidim-core/app/forms/decidim/notifications_settings_form.rb @@ -46,7 +46,7 @@ def direct_message_types end def meet_push_notifications_requirements? - Rails.application.secrets.dig(:vapid, :enabled) || false + Decidim::Env.new("VAPID_PUBLIC_KEY", nil).present? end end end diff --git a/decidim-core/app/models/decidim/omniauth_provider.rb b/decidim-core/app/models/decidim/omniauth_provider.rb index d0a448bf5589c..5ae0c65cb5f73 100644 --- a/decidim-core/app/models/decidim/omniauth_provider.rb +++ b/decidim-core/app/models/decidim/omniauth_provider.rb @@ -3,7 +3,7 @@ module Decidim class OmniauthProvider def self.available - Rails.application.secrets[:omniauth] || {} + Decidim.omniauth_providers end def self.enabled diff --git a/decidim-core/app/services/decidim/send_push_notification.rb b/decidim-core/app/services/decidim/send_push_notification.rb index 062deeb927bb9..f91f105b6f9f6 100644 --- a/decidim-core/app/services/decidim/send_push_notification.rb +++ b/decidim-core/app/services/decidim/send_push_notification.rb 
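Review bot: `meet_push_notifications_requirements?` treats push notifications as available whenever `VAPID_PUBLIC_KEY` is set, without checking `VAPID_PRIVATE_KEY`. The old code relied on an explicit `enabled` flag; the new guard in `SendPushNotification#perform` (decidim-core/app/services/decidim/send_push_notification.rb) has the same gap, and `build_payload` there reads the private key with `ENV.fetch("VAPID_PRIVATE_KEY", nil)`, so a half-configured deployment would offer the feature and then pass a nil signing key to the push client. Requiring both keys keeps the two call sites consistent: `Decidim::Env.new("VAPID_PUBLIC_KEY").present? && Decidim::Env.new("VAPID_PRIVATE_KEY").present?`. A single shared helper for this predicate would avoid repeating it in the form and the service.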
@@ -19,7 +19,7 @@ class SendPushNotification # # @return [Array, nil] the result of the dispatch or nil if user or subscription are empty def perform(notification, title = nil) - return unless Rails.application.secrets.dig(:vapid, :enabled) + return if Decidim::Env.new("VAPID_PUBLIC_KEY").blank? raise ArgumentError, "Need to provide a title if the notification is a PushNotificationMessage" if notification.is_a?(Decidim::PushNotificationMessage) && title.nil? user = notification.user @@ -66,8 +66,8 @@ def build_payload(message_params, subscription) p256dh: subscription["p256dh"], auth: subscription["auth"], vapid: { - public_key: Rails.application.secrets.vapid[:public_key], - private_key: Rails.application.secrets.vapid[:private_key] + public_key: ENV.fetch("VAPID_PUBLIC_KEY", nil), + private_key: ENV.fetch("VAPID_PRIVATE_KEY", nil) } } end diff --git a/decidim-core/app/views/decidim/notifications_settings/show.html.erb b/decidim-core/app/views/decidim/notifications_settings/show.html.erb index c96315ffdb059..da3d20689ba1d 100644 --- a/decidim-core/app/views/decidim/notifications_settings/show.html.erb +++ b/decidim-core/app/views/decidim/notifications_settings/show.html.erb @@ -194,7 +194,7 @@ - + "> <% end %> diff --git a/decidim-core/config/initializers/omniauth.rb b/decidim-core/config/initializers/omniauth.rb index 1f5e730c37b6b..82c9e12be6703 100644 --- a/decidim-core/config/initializers/omniauth.rb +++ b/decidim-core/config/initializers/omniauth.rb @@ -13,7 +13,7 @@ def setup_provider_proc(provider, config_mapping = {}) end Rails.application.config.middleware.use OmniAuth::Builder do - omniauth_config = Rails.application.secrets[:omniauth] + omniauth_config = Decidim.omniauth_providers if omniauth_config if omniauth_config[:developer].present? diff --git a/decidim-core/lib/decidim/asset_router/storage.rb b/decidim-core/lib/decidim/asset_router/storage.rb index 235e88e69251a..c4eb038e69512 100644 --- a/decidim-core/lib/decidim/asset_router/storage.rb 
+++ b/decidim-core/lib/decidim/asset_router/storage.rb @@ -104,7 +104,7 @@ def default_options # @return [Hash] The remote storage options hash def remote_storage_options @remote_storage_options ||= { - host: Rails.application.secrets.dig(:storage, :cdn_host) + host: ENV.fetch("STORAGE_CDN_HOST", nil) }.compact end diff --git a/decidim-core/lib/decidim/core.rb b/decidim-core/lib/decidim/core.rb index 0df9e5e68dcd7..43ac8c5882a25 100644 --- a/decidim-core/lib/decidim/core.rb +++ b/decidim-core/lib/decidim/core.rb @@ -241,12 +241,16 @@ def self.reset_all_column_information # Whether SSL should be forced or not. config_accessor :force_ssl do - Rails.env.starts_with?("production") || Rails.env.starts_with?("staging") + if Decidim::Env.new("DECIDIM_FORCE_SSL", "auto").default_or_present_if_exists.to_s == "auto" + Rails.env.starts_with?("production") || Rails.env.starts_with?("staging") + else + Decidim::Env.new("DECIDIM_FORCE_SSL").present? + end end # Having this on true will change the way the svg assets are being served. config_accessor :cors_enabled do - false + Decidim::Env.new("DECIDIM_CORS_ENABLED", "false").present? end # Exposes a configuration option: The application available locales. @@ -256,14 +260,14 @@ def self.reset_all_column_information # Exposes a configuration option: The application default locale. config_accessor :default_locale do - :en + (Decidim::Env.new("DECIDIM_DEFAULT_LOCALE", "en").presence || :en).to_s end # Disable the redirection to the external host when performing redirect back # For more details https://github.com/rails/rails/issues/39643 # Additional context: This has been revealed as an issue during a security audit on Future of Europe installation config_accessor :allow_open_redirects do - false + Decidim::Env.new("DECIDIM_ALLOW_OPEN_REDIRECTS").present? end # Exposes a configuration option: an array of symbols representing processors 
@@ -323,52 +327,60 @@ def self.reset_all_column_information # Exposes a configuration option: the IPs that are allowed to access the system config_accessor :system_accesslist_ips do - [] + Decidim::Env.new("DECIDIM_SYSTEM_ACCESSLIST_IPS").to_array end # Exposes a configuration option: the currency unit config_accessor :currency_unit do - "€" + if Decidim::Env.new("DECIDIM_CURRENCY_UNIT", "€").present? + Decidim::Env.new("DECIDIM_CURRENCY_UNIT", "€").to_s + else + "€" + end end # Exposes a configuration option: The image uploader quality. config_accessor :image_uploader_quality do - 80 + Decidim::Env.new("DECIDIM_IMAGE_UPLOADER_QUALITY", "80").to_i end # The number of reports which a resource can receive before hiding it config_accessor :max_reports_before_hiding do - 3 + Decidim::Env.new("DECIDIM_MAX_REPORTS_BEFORE_HIDING", "3").to_i end # Allow organization's administrators to inject custom HTML into the frontend config_accessor :enable_html_header_snippets do - true + Decidim::Env.new("DECIDIM_ENABLE_HTML_HEADER_SNIPPETS").present? end # Allow organization's administrators to track newsletter links config_accessor :track_newsletter_links do - true + if Decidim::Env.new("DECIDIM_TRACK_NEWSLETTER_LINKS", "auto").default_or_present_if_exists.to_s == "auto" + true + else + Decidim.force_ssl + end end # Time that download your data files are available in server config_accessor :download_your_data_expiry_time do - 7.days + Decidim::Env.new("DECIDIM_DOWNLOAD_YOUR_DATA_EXPIRY_TIME", "7").to_i.days end # Max requests in a time period to prevent DoS attacks. Only applied on production. config_accessor :throttling_max_requests do - 100 + Decidim::Env.new("DECIDIM_THROTTLING_MAX_REQUESTS", "100").to_i end # Time window in which the throttling is applied. config_accessor :throttling_period do - 1.minute + Decidim::Env.new("DECIDIM_THROTTLING_PERIOD", "1").to_i.minutes end # Time window were users can access the website even if their email is not confirmed. 
config_accessor :unconfirmed_access_for do - 0.days + Decidim::Env.new("DECIDIM_UNCONFIRMED_ACCESS_FOR", "0").to_i.days end # Allow machine translations @@ -379,18 +391,22 @@ def self.reset_all_column_information # How long can a user remained logged in before the session expires. Notice that # this is also maximum time that user can idle before getting automatically signed out. config_accessor :expire_session_after do - 30.minutes + Decidim::Env.new("DECIDIM_EXPIRE_SESSION_AFTER", "30").to_i.minutes end # If set to true, users have option to "remember me". Notice that expire_session_after will not take # effect when the user wants to be remembered. config_accessor :enable_remember_me do - true + if Decidim::Env.new("DECIDIM_ENABLE_REMEMBER_ME", "auto").default_or_present_if_exists.to_s == "auto" + true + else + Decidim::Env.new("DECIDIM_ENABLE_REMEMBER_ME", "auto").default_or_present_if_exists + end end # Defines how often session_timeouter.js checks time between current moment and last request config_accessor :session_timeout_interval do - 10.seconds + Decidim::Env.new("DECIDIM_SESSION_TIMEOUT_INTERVAL", "10").to_i.seconds end # Exposes a configuration option: an object to configure Etherpad @@ -407,7 +423,7 @@ def self.reset_all_column_information # want to use the same uploads place for both staging and production # environments, but in different folders. config_accessor :base_uploads_path do - nil + Decidim::Env.new("DECIDIM_BASE_UPLOADS_PATH").to_s if Decidim::Env.new("DECIDIM_BASE_UPLOADS_PATH").present? end # The name of the class to deliver SMS codes to users. 
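Review bot: In `track_newsletter_links`, the `else` branch returns `Decidim.force_ssl`, which looks like a copy-paste from the `force_ssl` accessor: when `DECIDIM_TRACK_NEWSLETTER_LINKS` is set to anything other than "auto", link tracking follows the SSL setting instead of the variable's own value. The branch should probably read `Decidim::Env.new("DECIDIM_TRACK_NEWSLETTER_LINKS").present?`. Separately, `enable_html_header_snippets` is built without a default, so, judging by the `value` and `blank?` methods visible in the env.rb context, an unset variable now yields false where the old default was `true`. If that tightening is intended it deserves a comment and a changelog entry; otherwise pass the old default, `Decidim::Env.new("DECIDIM_ENABLE_HTML_HEADER_SNIPPETS", true).present?`. The enclosing module starts outside this hunk.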
@@ -438,21 +454,29 @@ def self.reset_all_column_information # "MyTranslationService" end + config_accessor :maximum_attachment_size do + Decidim::Env.new("DECIDIM_MAXIMUM_ATTACHMENT_SIZE", "10").to_i.megabytes + end + + config_accessor :maximum_avatar_size do + Decidim::Env.new("DECIDIM_MAXIMUM_AVATAR_SIZE", "5").to_i.megabytes + end + # Social Networking services used for social sharing config_accessor :social_share_services do - %w(X Facebook WhatsApp Telegram) + Decidim::Env.new("DECIDIM_SOCIAL_SHARE_SERVICES", "X, Facebook, WhatsApp, Telegram").to_array end # The Decidim::Exporters::CSV's default column separator config_accessor :default_csv_col_sep do - ";" + Decidim::Env.new("DECIDIM_DEFAULT_CSV_COL_SEP", ";").to_s end # Exposes a configuration option: HTTP_X_FORWARDED_HOST header follow-up. # If a caching system is in place, it can also allow cache and log poisoning attacks, # allowing attackers to control the contents of caches and logs that could be used for other attacks. config_accessor :follow_http_x_forwarded_host do - false + Decidim::Env.new("DECIDIM_FOLLOW_HTTP_X_FORWARDED_HOST").present? end # The list of roles a user can have, not considering the space-specific roles. @@ -474,13 +498,13 @@ def self.reset_all_column_information # Exposes a configuration option: The maximum length for conversation # messages. config_accessor :maximum_conversation_message_length do - 1_000 + Decidim::Env.new("DECIDIM_MAXIMUM_CONVERSATION_MESSAGE_LENGTH", "1000").to_i end # Defines the name of the cookie used to check if the user has given consent # to store local data in their browser. config_accessor :consent_cookie_name do - "decidim-consent" + Decidim::Env.new("DECIDIM_CONSENT_COOKIE_NAME", "decidim-consent").to_s end # Defines data consent categories. Note that when adding an item you need to 
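Review bot: The new `maximum_attachment_size` and `maximum_avatar_size` accessors are the only ones in this hunk without a comment, and their unit differs from the other reader of the same variables. Here the value is converted with `.to_i.megabytes`, while `default_maximum_attachment_size` and `default_maximum_avatar_size` in decidim-core/lib/decidim/organization_settings.rb return the bare number via `.to_f`. I would add a comment to each, for example `# Maximum attachment size; DECIDIM_MAXIMUM_ATTACHMENT_SIZE is given in megabytes, the accessor returns bytes`, so that callers do not mix the two representations when enforcing upload limits.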
@@ -526,57 +550,57 @@ def self.reset_all_column_information # Denied passwords. Array may contain strings and regex entries. config_accessor :denied_passwords do - [] + Decidim::Env.new("DECIDIM_DENIED_PASSWORDS").to_array(separator: ", ") end # Ignores strings similar to email / domain on password validation if too short config_accessor :password_similarity_length do - 4 + Decidim::Env.new("DECIDIM_PASSWORD_SIMILARITY_LENGTH", 4).to_i end # Defines if admins are required to have stronger passwords than other users config_accessor :admin_password_strong do - true + Decidim::Env.new("DECIDIM_ADMIN_PASSWORD_STRONG", true).present? end config_accessor :admin_password_expiration_days do - 90 + Decidim::Env.new("DECIDIM_ADMIN_PASSWORD_EXPIRATION_DAYS", 90).to_i end config_accessor :admin_password_min_length do - 15 + Decidim::Env.new("DECIDIM_ADMIN_PASSWORD_MIN_LENGTH", 15).to_i end config_accessor :admin_password_repetition_times do - 5 + Decidim::Env.new("DECIDIM_ADMIN_PASSWORD_REPETITION_TIMES", 5).to_i end # This is an internal key that allow us to properly configure the caching key separator. This is useful for redis cache store # as it creates some namespaces within the cached data. # use `config.cache_key_separator = ":"` in your initializer to have namespaced data config_accessor :cache_key_separator do - "/" + Decidim::Env.new("DECIDIM_CACHE_KEY_SEPARATOR", "/").to_s end # This is the maximum time that the cache will be stored. If nil, the cache will be stored indefinitely. # Currently, cache is applied in the Cells where the method `cache_hash` is defined. 
config_accessor :cache_expiry_time do - 24.hours + Decidim::Env.new("DECIDIM_CACHE_EXPIRATION_TIME", "1440").to_i.minutes end # Same as before, but specifically for cell displaying stats config_accessor :stats_cache_expiry_time do - 10.minutes + Decidim::Env.new("DECIDIM_STATS_CACHE_EXPIRATION_TIME", 10).to_i.minutes end # Enable/Disable the service worker config_accessor :service_worker_enabled do - Rails.env.exclude?("development") + Decidim::Env.new("DECIDIM_SERVICE_WORKER_ENABLED", Rails.env.exclude?("development")).present? end # List of static pages' slugs that can include content blocks config_accessor :page_blocks do - %w(terms-of-service) + Decidim::Env.new("DECIDIM_PAGE_BLOCKS", "terms-of-service").to_array end # The default max last activity users to be shown @@ -591,6 +615,33 @@ def self.reset_all_column_information {} end + config_accessor :omniauth_providers do + { + developer: { + enabled: Rails.env.development? || Rails.env.test?, + icon: "phone-line" + }, + facebook: { + enabled: Decidim::Env.new("OMNIAUTH_FACEBOOK_APP_ID").present?, + app_id: ENV.fetch("OMNIAUTH_FACEBOOK_APP_ID", nil), + app_secret: ENV.fetch("OMNIAUTH_FACEBOOK_APP_SECRET", nil), + icon: "facebook-fill" + }, + twitter: { + enabled: Decidim::Env.new("OMNIAUTH_TWITTER_API_KEY").present?, + api_key: ENV.fetch("OMNIAUTH_TWITTER_API_KEY", nil), + api_secret: ENV.fetch("OMNIAUTH_TWITTER_API_SECRET", nil), + icon: "twitter-x-fill" + }, + google_oauth2: { + enabled: Decidim::Env.new("OMNIAUTH_GOOGLE_CLIENT_ID").present?, + icon: "google-fill", + client_id: ENV.fetch("OMNIAUTH_GOOGLE_CLIENT_ID", nil), + client_secret: ENV.fetch("OMNIAUTH_GOOGLE_CLIENT_SECRET", nil) + } + } + end + CoreDataManifest = Data.define(:name, :collection, :serializer, :include_in_open_data) def self.open_data_manifests 
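Review bot: `denied_passwords` splits on `", "` (comma plus space) while every other list in this file uses the default `","`, so `DECIDIM_DENIED_PASSWORDS=password,123456` becomes one entry and neither password is actually denied. Since `Env#to_array` already strips each element (see `split(separator).map(&:strip)` in env.rb), the default separator is enough: `Decidim::Env.new("DECIDIM_DENIED_PASSWORDS").to_array`. The comment above still says the array may contain regex entries, which an environment variable cannot express; it should say that regex entries must be set from an initializer.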
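Review bot: Each provider in `omniauth_providers` is marked `enabled` from the presence of its public identifier alone, while the matching secret is read separately with `ENV.fetch(..., nil)`. A deployment that sets `OMNIAUTH_FACEBOOK_APP_ID` but not `OMNIAUTH_FACEBOOK_APP_SECRET` would register the strategy with a nil secret and show a login button that cannot complete. I would require both values, e.g. `enabled: Decidim::Env.new("OMNIAUTH_FACEBOOK_APP_ID").present? && Decidim::Env.new("OMNIAUTH_FACEBOOK_APP_SECRET").present?,` and the same for the twitter and google_oauth2 entries. The accessor also has no comment; it should say that the hash holds client secrets, so it is not logged or serialized along with the rest of the configuration.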
@@ -598,8 +649,8 @@ def self.open_data_manifests CoreDataManifest.new( name: :moderated_users, collection: lambda { |organization| - Decidim::UserModeration.joins(:user).where(decidim_users: { decidim_organization_id: organization.id }).where.not(decidim_users: { blocked_at: nil }) - }, + Decidim::UserModeration.joins(:user).where(decidim_users: { decidim_organization_id: organization.id }).where.not(decidim_users: { blocked_at: nil }) + }, serializer: Decidim::Exporters::OpenDataBlockedUserSerializer, include_in_open_data: true ), diff --git a/decidim-core/lib/decidim/env.rb b/decidim-core/lib/decidim/env.rb index fab874fbab631..de501e69efbad 100644 --- a/decidim-core/lib/decidim/env.rb +++ b/decidim-core/lib/decidim/env.rb @@ -16,7 +16,7 @@ def value @value.presence || @default end - delegate :to_s, :to_json, to: :value + delegate :to_json, :to_s, to: :value def blank? value.blank? || FALSE_VALUES.include?(value.to_s.downcase) @@ -52,5 +52,7 @@ def to_array(separator: ",") str = blank? ? @default : value str.to_s.split(separator).map(&:strip) end + + alias to_a to_array end end diff --git a/decidim-core/lib/decidim/organization_settings.rb b/decidim-core/lib/decidim/organization_settings.rb index f0eaf5e03e726..e550b68135b1a 100644 --- a/decidim-core/lib/decidim/organization_settings.rb +++ b/decidim-core/lib/decidim/organization_settings.rb @@ -140,11 +140,11 @@ def defaults_hash end def default_maximum_attachment_size - (Rails.application.secrets.decidim[:maximum_attachment_size].presence || 10).to_f + Decidim::Env.new("DECIDIM_MAXIMUM_ATTACHMENT_SIZE", "10").to_f end def default_maximum_avatar_size - (Rails.application.secrets.decidim[:maximum_avatar_size].presence || 5).to_f + Decidim::Env.new("DECIDIM_MAXIMUM_AVATAR_SIZE", "5").to_f end end diff --git a/decidim-core/spec/forms/notifications_settings_form_spec.rb b/decidim-core/spec/forms/notifications_settings_form_spec.rb index bf0a331b398cb..bc406d2a878f1 100644 
--- a/decidim-core/spec/forms/notifications_settings_form_spec.rb +++ b/decidim-core/spec/forms/notifications_settings_form_spec.rb @@ -178,7 +178,8 @@ module Decidim describe "#meet_push_notifications_requirements?" do context "when the notifications requirements are met" do before do - Rails.application.secrets[:vapid] = { enabled: true } + allow(ENV).to receive(:fetch).and_call_original + allow(ENV).to receive(:fetch).with("VAPID_PUBLIC_KEY", nil).and_return("FOO BAR") end it "returns true" do @@ -188,7 +189,8 @@ module Decidim context "when vapid secrets are not present" do before do - Rails.application.secrets.delete(:vapid) + allow(ENV).to receive(:fetch).and_call_original + allow(ENV).to receive(:fetch).with("VAPID_PUBLIC_KEY", nil).and_return("") end it "returns false" do @@ -198,7 +200,8 @@ module Decidim context "when the notifications requirements are not met" do before do - Rails.application.secrets[:vapid] = { enabled: false } + allow(ENV).to receive(:fetch).and_call_original + allow(ENV).to receive(:fetch).with("VAPID_PUBLIC_KEY", nil).and_return(nil) end it "returns false" do diff --git a/decidim-core/spec/lib/asset_router/storage_spec.rb b/decidim-core/spec/lib/asset_router/storage_spec.rb index 7c006394f8100..269c6c81c0f59 100644 --- a/decidim-core/spec/lib/asset_router/storage_spec.rb +++ b/decidim-core/spec/lib/asset_router/storage_spec.rb @@ -189,8 +189,8 @@ module Decidim::AssetRouter context "when the CDN host is defined" do before do - allow(Rails.application.secrets).to receive(:dig).and_call_original - allow(Rails.application.secrets).to receive(:dig).with(:storage, :cdn_host).and_return("https://cdn.example.org") + allow(ENV).to receive(:fetch).and_call_original + allow(ENV).to receive(:fetch).with("STORAGE_CDN_HOST", nil).and_return("https://cdn.example.org") end it "creates the route to the CDN blob" do 
diff --git a/decidim-core/spec/lib/attribute_encryptor_spec.rb b/decidim-core/spec/lib/attribute_encryptor_spec.rb index cff79b598def6..f6a4cb2ae5809 100644 --- a/decidim-core/spec/lib/attribute_encryptor_spec.rb +++ b/decidim-core/spec/lib/attribute_encryptor_spec.rb @@ -76,9 +76,7 @@ module Decidim before do # Temporarily change the secret so that it matches the secret used # when encrypting the value. - allow(Rails.application.secrets).to receive( - :secret_key_base - ).and_return("testsecret") + allow(Rails.application).to receive(:secret_key_base).and_return("testsecret") end it "returns the decrypted value" do diff --git a/decidim-core/spec/lib/decidim_spec.rb b/decidim-core/spec/lib/decidim_spec.rb index d5104bf2c5924..d0a81204d44c0 100644 --- a/decidim-core/spec/lib/decidim_spec.rb +++ b/decidim-core/spec/lib/decidim_spec.rb @@ -41,9 +41,10 @@ describe ".force_ssl" do let!(:orig_force_ssl) { described_class.force_ssl } let(:rails_env) { "test" } + let(:env) { ActiveSupport::EnvironmentInquirer.new(rails_env) } before do - allow(Rails).to receive(:env).and_return(rails_env) + allow(Rails).to receive(:env).and_return(env) load "#{Decidim::Core::Engine.root}/lib/decidim/core.rb" end diff --git a/decidim-core/spec/lib/organization_settings_spec.rb b/decidim-core/spec/lib/organization_settings_spec.rb index 18d23623dfe22..312ff32353bfb 100644 --- a/decidim-core/spec/lib/organization_settings_spec.rb +++ b/decidim-core/spec/lib/organization_settings_spec.rb 
@@ -151,8 +151,9 @@ module Decidim let(:maximum_attachment_size) { 20 } before do - allow(Rails.application.secrets.decidim).to receive(:[]).and_call_original - allow(Rails.application.secrets.decidim).to receive(:[]).with(:maximum_attachment_size).and_return(maximum_attachment_size) + allow(ENV).to receive(:fetch).and_call_original + allow(ENV).to receive(:fetch).with("DECIDIM_MAXIMUM_ATTACHMENT_SIZE", nil).and_return(maximum_attachment_size.to_s) + # defaults method is memoized, we need to reset it to make sure it uses the stubbed values described_class.instance_variable_set(:@defaults, nil) end diff --git a/decidim-core/spec/models/decidim/omniauth_provider_spec.rb b/decidim-core/spec/models/decidim/omniauth_provider_spec.rb index 52e28420234a0..8962d0898efb0 100644 --- a/decidim-core/spec/models/decidim/omniauth_provider_spec.rb +++ b/decidim-core/spec/models/decidim/omniauth_provider_spec.rb @@ -29,6 +29,10 @@ module Decidim end describe "available" do + before do + allow(Decidim).to receive(:omniauth_providers).and_return(omniauth_secrets) + end + subject(:available_providers) { Decidim::OmniauthProvider.available } it "returns all providers" do diff --git a/decidim-core/spec/models/decidim/organization_spec.rb b/decidim-core/spec/models/decidim/organization_spec.rb index c31ad90b84a9a..8f8ebc56b90c9 100644 --- a/decidim-core/spec/models/decidim/organization_spec.rb +++ b/decidim-core/spec/models/decidim/organization_spec.rb @@ -11,17 +11,20 @@ module Decidim facebook: { enabled: true, app_id: "fake-facebook-app-id", - app_secret: "fake-facebook-app-secret" + app_secret: "fake-facebook-app-secret", + icon: "phone" }, twitter: { enabled: true, api_key: "fake-twitter-api-key", - api_secret: "fake-twitter-api-secret" + api_secret: "fake-twitter-api-secret", + icon: "phone" }, google_oauth2: { enabled: true, client_id: nil, - client_secret: nil + client_secret: nil, + icon: "phone" }, test: { enabled: true, 
@@ -90,6 +93,16 @@ module Decidim end describe "enabled omniauth providers" do + let!(:previous_omniauth_secrets) { Decidim.omniauth_providers } + + before do + allow(Decidim).to receive(:omniauth_providers).and_return(omniauth_secrets) + end + + after do + Decidim.omniauth_providers = previous_omniauth_secrets + end + subject(:enabled_providers) { organization.enabled_omniauth_providers } context "when omniauth_settings are nil" do @@ -100,14 +113,8 @@ module Decidim end context "when providers are not enabled in secrets.yml" do - let!(:previous_omniauth_secrets) { Rails.application.secrets[:omniauth] } - before do - Rails.application.secrets[:omniauth] = nil - end - - after do - Rails.application.secrets[:omniauth] = previous_omniauth_secrets + allow(Decidim).to receive(:omniauth_providers).and_return({}) end it "returns no providers" do diff --git a/decidim-core/spec/services/decidim/send_push_notification_spec.rb b/decidim-core/spec/services/decidim/send_push_notification_spec.rb index 880dc0e66c2de..437eef6ed20ad 100644 --- a/decidim-core/spec/services/decidim/send_push_notification_spec.rb +++ b/decidim-core/spec/services/decidim/send_push_notification_spec.rb @@ -9,13 +9,16 @@ let(:user) { create(:user, notification_settings: { subscriptions: }) } before do - Rails.application.secrets[:vapid] = { enabled: true, public_key: "public_key", private_key: "private_key" } + ENV["VAPID_PUBLIC_KEY"] = "public_key" + ENV["VAPID_PRIVATE_KEY"] = "private_key" end shared_examples "send a push notification" do context "without vapid settings config" do before do - Rails.application.secrets.delete(:vapid) + allow(ENV).to receive(:fetch).and_call_original + allow(ENV).to receive(:fetch).with("VAPID_PUBLIC_KEY", nil).and_return("") + allow(ENV).to receive(:fetch).with("VAPID_PRIVATE_KEY", nil).and_return("") end describe "#perform" do 
@@ -27,7 +30,8 @@ context "without vapid enabled" do before do - Rails.application.secrets[:vapid] = { enabled: false } + allow(ENV).to receive(:fetch).and_call_original + allow(ENV).to receive(:fetch).with("VAPID_PUBLIC_KEY", nil).and_return("") end describe "#perform" do diff --git a/decidim-core/spec/system/account_spec.rb b/decidim-core/spec/system/account_spec.rb index 7b519f36b1d46..6c1b742cd18cd 100644 --- a/decidim-core/spec/system/account_spec.rb +++ b/decidim-core/spec/system/account_spec.rb @@ -353,7 +353,10 @@ context "when VAPID keys are set" do before do - Rails.application.secrets[:vapid] = vapid_keys + allow(ENV).to receive(:fetch).and_call_original + allow(ENV).to receive(:fetch).with("VAPID_PUBLIC_KEY", nil).and_return(vapid_keys[:public_key]) + allow(ENV).to receive(:fetch).with("VAPID_PRIVATE_KEY", nil).and_return(vapid_keys[:private_key]) + driven_by(:pwa_chrome) switch_to_host(organization.host) login_as user, scope: :user @@ -383,7 +386,8 @@ context "when VAPID is disabled" do before do - Rails.application.secrets[:vapid] = { enabled: false } + allow(ENV).to receive(:fetch).and_call_original + allow(ENV).to receive(:fetch).with("VAPID_PUBLIC_KEY", nil).and_return("") driven_by(:pwa_chrome) switch_to_host(organization.host) login_as user, scope: :user @@ -397,7 +401,8 @@ context "when VAPID keys are not set" do before do - Rails.application.secrets.delete(:vapid) + allow(ENV).to receive(:fetch).and_call_original + allow(ENV).to receive(:fetch).with("VAPID_PUBLIC_KEY", nil).and_return(nil) driven_by(:pwa_chrome) switch_to_host(organization.host) login_as user, scope: :user diff --git a/decidim-core/spec/system/authentication_spec.rb b/decidim-core/spec/system/authentication_spec.rb index c535f4cefd6fa..e5a416355e6e4 100644 --- a/decidim-core/spec/system/authentication_spec.rb +++ b/decidim-core/spec/system/authentication_spec.rb 
@@ -3,14 +3,43 @@ require "spec_helper" describe "Authentication" do + let!(:previous_omniauth_secrets) { Decidim.omniauth_providers } + let(:organization) { create(:organization) } let(:last_user) { Decidim::User.last } + let(:omniauth_secrets) do + { + facebook: { + enabled: true, + app_id: "fake-facebook-app-id", + app_secret: "fake-facebook-app-secret", + icon: "phone" + }, + twitter: { + enabled: true, + api_key: "fake-twitter-api-key", + api_secret: "fake-twitter-api-secret", + icon: "phone" + }, + google_oauth2: { + enabled: true, + client_id: nil, + client_secret: nil, + icon: "phone" + } + } + end before do + allow(Decidim).to receive(:omniauth_providers).and_return(omniauth_secrets) switch_to_host(organization.host) visit decidim.root_path end + after do + Decidim.omniauth_providers = previous_omniauth_secrets + end + describe "Create an account" do around do |example| perform_enqueued_jobs { example.run } diff --git a/decidim-core/spec/system/registration_spec.rb b/decidim-core/spec/system/registration_spec.rb index f6de300c74d8d..4ee241ee9cc3d 100644 --- a/decidim-core/spec/system/registration_spec.rb +++ b/decidim-core/spec/system/registration_spec.rb @@ -15,13 +15,26 @@ def fill_registration_form( describe "Registration" do let(:organization) { create(:organization) } let!(:terms_of_service_page) { Decidim::StaticPage.find_by(slug: "terms-of-service", organization:) } + let(:omniauth_secrets) { {} } before do + allow(Decidim).to receive(:omniauth_providers).and_return(omniauth_secrets) switch_to_host(organization.host) visit decidim.new_user_registration_path end context "when signing up" do + let(:omniauth_secrets) do + { + facebook: { + enabled: true, + app_id: "fake-facebook-app-id", + app_secret: "fake-facebook-app-secret", + icon: "phone" + } + } + end + describe "on first sight" do it "shows fields empty" do expect(page).to have_content("Create an account to participate") 
diff --git a/decidim-core/spec/uploaders/application_uploader_spec.rb b/decidim-core/spec/uploaders/application_uploader_spec.rb index 8e8e8596425aa..a0c76161736ad 100644 --- a/decidim-core/spec/uploaders/application_uploader_spec.rb +++ b/decidim-core/spec/uploaders/application_uploader_spec.rb @@ -195,8 +195,8 @@ module Decidim before do allow(Rails.env).to receive(:development?).and_return(false) allow(Rails.env).to receive(:test?).and_return(false) - allow(Rails.application.secrets).to receive(:dig).and_call_original - allow(Rails.application.secrets).to receive(:dig).with(:storage, :cdn_host).and_return(cdn_host) + allow(ENV).to receive(:fetch).and_call_original + allow(ENV).to receive(:fetch).with("STORAGE_CDN_HOST", nil).and_return(cdn_host) end it "returns a URL containing the CDN configurations" do diff --git a/decidim-generators/lib/decidim/generators.rb b/decidim-generators/lib/decidim/generators.rb index 7b7f275e98768..cf0835ea05c76 100644 --- a/decidim-generators/lib/decidim/generators.rb +++ b/decidim-generators/lib/decidim/generators.rb @@ -6,7 +6,7 @@ module Decidim module Generators def self.edge_git_branch if Decidim::Generators.version.match?(/\.dev$/) - "develop" + "chore/remove-secrets" else "release/#{Decidim::Generators.version.match(/^[0-9]+\.[0-9]+/)[0]}-stable" end diff --git a/decidim-generators/lib/decidim/generators/app_generator.rb b/decidim-generators/lib/decidim/generators/app_generator.rb index e19e514fe7c2d..5f06d4b281a77 100644 --- a/decidim-generators/lib/decidim/generators/app_generator.rb +++ b/decidim-generators/lib/decidim/generators/app_generator.rb 
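Review bot: `edge_git_branch` now returns `"chore/remove-secrets"` for `.dev` versions, which looks like this change's own working branch rather than a long-lived one. Applications generated with `--edge` would take their gems from a feature branch that is normally deleted or rewritten after merge, so generation would break or pull unreviewed commits. This line should go back to `"develop"` before the change is merged; if it is needed temporarily for CI, a `# TODO: revert before merge` comment would make that explicit.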
@@ -198,7 +198,7 @@ def add_storage_provider abort("#{providers} is not supported as storage provider, please use local, s3, gcs or azure") unless (providers - %w(local s3 gcs azure)).empty? gsub_file "config/environments/production.rb", /config.active_storage.service = :local/, - "config.active_storage.service = Rails.application.secrets.dig(:storage, :provider) || :local" + %{config.active_storage.service = Decidim::Env.new("STORAGE_PROVIDER", "local").to_s} add_production_gems do gem "aws-sdk-s3", require: false if providers.include?("s3") @@ -337,8 +337,8 @@ def decidim_initializer /#{Regexp.escape("# config.available_locales = %w(en ca es)")}/, "config.available_locales = %w(#{options[:locales].gsub(",", " ")})" gsub_file "config/initializers/decidim.rb", - /#{Regexp.escape("config.available_locales = Rails.application.secrets.decidim[:available_locales].presence || [:en]")}/, - "# config.available_locales = Rails.application.secrets.decidim[:available_locales].presence || [:en]" + /#{Regexp.escape("config.available_locales = Decidim::Env.new(\"DECIDIM_AVAILABLE_LOCALES\", \"ca,cs,de,en,es,eu,fi,fr,it,ja,nl,pl,pt,ro\").to_array.to_json")}/, + "# config.available_locales = Decidim::Env.new(\"DECIDIM_AVAILABLE_LOCALES\", \"ca,cs,de,en,es,eu,fi,fr,it,ja,nl,pl,pt,ro\").to_array.to_json" end def dev_performance_config diff --git a/decidim-generators/lib/decidim/generators/app_templates/database.yml.erb b/decidim-generators/lib/decidim/generators/app_templates/database.yml.erb index 4e887b6c23816..58bbb6e2054d3 100644 --- a/decidim-generators/lib/decidim/generators/app_templates/database.yml.erb +++ b/decidim-generators/lib/decidim/generators/app_templates/database.yml.erb 
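Review bot: The second `gsub_file` in `decidim_initializer` searches for `config.available_locales = Decidim::Env.new("DECIDIM_AVAILABLE_LOCALES", "ca,cs,...").to_array.to_json`, which is not the line the template will contain. The initializer template in this same diff writes `config.available_locales = (Decidim::Env.new("DECIDIM_AVAILABLE_LOCALES").presence || [:ca, ...]).to_a`, so the pattern never matches and the environment-driven assignment is not commented out when locales are passed to the generator. The escaped string and its replacement should be copied from the template line, or the match loosened to something like `/^\s*config\.available_locales = \(?Decidim::Env.*$/`. The condition around these calls is outside the hunk, so whether the later `%w(...)` assignment still wins at runtime cannot be confirmed from here.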
@@ -65,9 +65,9 @@ test: <<: *default database: <%= app_name %>_test<%%= ENV.fetch('TEST_ENV_NUMBER', "") %> -# As with config/secrets.yml, you never want to store sensitive information, -# like your database password, in your source code. If your source code is -# ever seen by anyone, they now have access to your database. +# You never want to store sensitive information, like your database password, +# in your source code. If your source code is ever seen by anyone, +# they now have access to your database. # # Instead, provide the password as a unix environment variable when you boot # the app. Read http://guides.rubyonrails.org/configuring.html#configuring-a-database diff --git a/decidim-generators/lib/decidim/generators/app_templates/initializer.rb b/decidim-generators/lib/decidim/generators/app_templates/initializer.rb index 4d4f6ad98f7a7..d1b2701ef9211 100644 --- a/decidim-generators/lib/decidim/generators/app_templates/initializer.rb +++ b/decidim-generators/lib/decidim/generators/app_templates/initializer.rb 
@@ -2,29 +2,30 @@ Decidim.configure do |config| # The name of the application - config.application_name = Rails.application.secrets.decidim[:application_name] + config.application_name = Decidim::Env.new("DECIDIM_APPLICATION_NAME", "My Application Name").to_s # The email that will be used as sender in all emails from Decidim - config.mailer_sender = Rails.application.secrets.decidim[:mailer_sender] + config.mailer_sender = Decidim::Env.new("DECIDIM_MAILER_SENDER", "change-me@example.org").to_s # Sets the list of available locales for the whole application. # # When an organization is created through the System area, system admins will # be able to choose the available languages for that organization. That list # of languages will be equal or a subset of the list in this file. - config.available_locales = Rails.application.secrets.decidim[:available_locales].presence || [:en] + config.available_locales = (Decidim::Env.new("DECIDIM_AVAILABLE_LOCALES").presence || [:ca, :cs, :de, :en, :es, :eu, :fi, :fr, :it, :ja, :nl, :pl, :pt, :ro]).to_a + # Or block set it up manually and prevent ENV manipulation: # config.available_locales = %w(en ca es) # Sets the default locale for new organizations. When creating a new # organization from the System area, system admins will be able to overwrite # this value for that specific organization. - config.default_locale = Rails.application.secrets.decidim[:default_locale].presence || :en + # config.default_locale = Decidim::Env.new("DECIDIM_DEFAULT_LOCALE", "en").to_s # Restrict access to the system part with an authorized ip list. # You can use a single ip like ("1.2.3.4"), or an ip subnet like ("1.2.3.4/24") # You may specify multiple ip in an array ["1.2.3.4", "1.2.3.4/24"] - config.system_accesslist_ips = Rails.application.secrets.decidim[:system_accesslist_ips] if Rails.application.secrets.decidim[:system_accesslist_ips].present? 
+ # config.system_accesslist_ips = Decidim::Env.new("DECIDIM_SYSTEM_ACCESSLIST_IPS").to_array # Defines a list of custom content processors. They are used to parse and # render specific tags inside some user-provided content. Check the docs for @@ -33,17 +34,19 @@ # Whether SSL should be enabled or not. # if this var is not defined, it is decided automatically per-rails-environment - config.force_ssl = Rails.application.secrets.decidim[:force_ssl].present? unless Rails.application.secrets.decidim[:force_ssl] == "auto" + + # Decidim::Env.new("DECIDIM_FORCE_SSL", "auto").default_or_present_if_exists + # config.force_ssl = Decidim::Env.new("DECIDIM_FORCE_SSL").present? unless Decidim::Env.new("DECIDIM_FORCE_SSL", "auto").default_or_present_if_exists.to_s == "auto" # or set it up manually and prevent any ENV manipulation: # config.force_ssl = true # Enable the service worker. By default is disabled in development and enabled in the rest of environments - config.service_worker_enabled = Rails.application.secrets.decidim[:service_worker_enabled].present? + # config.service_worker_enabled = Decidim::Env.new("DECIDIM_SERVICE_WORKER_ENABLED", Rails.env.exclude?("development")).present? # Sets the list of static pages' slugs that can include content blocks. # By default is only enabled in the terms-of-service static page to allow a summary to be added and include # sections with a two-pane view - config.page_blocks = Rails.application.secrets.decidim[:page_blocks].presence || %w(terms-of-service) + # config.page_blocks = Decidim::Env.new("DECIDIM_PAGE_BLOCKS", "terms-of-service").to_array # Map and Geocoder configuration # @@ -53,7 +56,7 @@ # == HERE Maps == # config.maps = { # provider: :here, - # api_key: Rails.application.secrets.maps[:api_key], + # api_key: ENV["MAPS_API_KEY"], # static: { url: "https://image.maps.ls.hereapi.com/mia/1.6/mapview" } # } # 
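Review bot: The new `config.available_locales` line calls `.presence` and then `.to_a` on a `Decidim::Env` object, while every other list setting in this diff goes through `to_array`; unless `Decidim::Env` also defines `to_a` (not shown here), setting `DECIDIM_AVAILABLE_LOCALES` would likely fail at boot. `config.available_locales = Decidim::Env.new("DECIDIM_AVAILABLE_LOCALES", "ca,cs,de,en,es,eu,fi,fr,it,ja,nl,pl,pt,ro").to_array` would match the form used elsewhere in this diff. Separately, `config.system_accesslist_ips` is now only a comment, so the restriction on the system area depends on a core default reading `DECIDIM_SYSTEM_ACCESSLIST_IPS`, which is not visible in this hunk and is worth confirming.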
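Review bot: The bare comment `# Decidim::Env.new("DECIDIM_FORCE_SSL", "auto").default_or_present_if_exists` above the `force_ssl` example reads like a leftover scratch line and can be dropped, since the example below it already shows the call. In the `service_worker_enabled` example, `Rails.env.exclude?("development")` is a substring test on the environment name; `!Rails.env.development?` states the intent directly. Both lines are comments, so this only affects what operators copy when they uncomment them.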
@@ -72,7 +75,7 @@ # # config.maps = { # provider: :osm, - # api_key: Rails.application.secrets.maps[:api_key], + # api_key: ENV["MAPS_API_KEY"], # dynamic: { # tile_layer: { # url: "https://tiles.example.org/{z}/{x}/{y}.png?key={apiKey}&{foo}", @@ -92,10 +95,10 @@ # == Combination (OpenStreetMap default + HERE Maps dynamic map tiles) == # config.maps = { # provider: :osm, - # api_key: Rails.application.secrets.maps[:api_key], + # api_key: ENV["MAPS_API_KEY"], # dynamic: { # provider: :here, - # api_key: Rails.application.secrets.maps[:here_api_key] + # api_key: ENV["MAPS_DYNAMIC_API_KEY"] # }, # static: { url: "https://staticmap.example.org/" }, # geocoding: { host: "nominatim.example.org", use_https: true } 
@@ -114,27 +117,27 @@ # cache: Redis.new, # cache_prefix: "..." # } - if Rails.application.secrets.maps.present? && Rails.application.secrets.maps[:static_provider].present? - static_provider = Rails.application.secrets.maps[:static_provider] - dynamic_provider = Rails.application.secrets.maps[:dynamic_provider] - dynamic_url = Rails.application.secrets.maps[:dynamic_url] - static_url = Rails.application.secrets.maps[:static_url] + if Decidim::Env.new("MAPS_STATIC_PROVIDER", ENV.fetch("MAPS_PROVIDER", nil)).present? + static_provider = Decidim::Env.new("MAPS_STATIC_PROVIDER", ENV.fetch("MAPS_PROVIDER", nil)).to_s + dynamic_provider = Decidim::Env.new("MAPS_DYNAMIC_PROVIDER", ENV.fetch("MAPS_PROVIDER", nil)).to_s + dynamic_url = ENV.fetch("MAPS_DYNAMIC_URL", nil) + static_url = ENV.fetch("MAPS_STATIC_URL", nil) static_url = "https://image.maps.ls.hereapi.com/mia/1.6/mapview" if static_provider == "here" && static_url.blank? config.maps = { provider: static_provider, - api_key: Rails.application.secrets.maps[:static_api_key], + api_key: Decidim::Env.new("MAPS_STATIC_API_KEY", ENV.fetch("MAPS_API_KEY", nil)).to_s, static: { url: static_url }, dynamic: { provider: dynamic_provider, - api_key: Rails.application.secrets.maps[:dynamic_api_key] + api_key: Decidim::Env.new("MAPS_DYNAMIC_API_KEY", ENV.fetch("MAPS_API_KEY", nil)).to_s } } - config.maps[:geocoding] = { host: Rails.application.secrets.maps[:geocoding_host], use_https: true } if Rails.application.secrets.maps[:geocoding_host] + config.maps[:geocoding] = { host: ENV["MAPS_GEOCODING_HOST"], use_https: true } if ENV["MAPS_GEOCODING_HOST"] config.maps[:dynamic][:tile_layer] = {} config.maps[:dynamic][:tile_layer][:url] = dynamic_url if dynamic_url - config.maps[:dynamic][:tile_layer][:attribution] = Rails.application.secrets.maps[:attribution] if Rails.application.secrets.maps[:attribution] - if Rails.application.secrets.maps[:extra_vars].present? 
- vars = URI.decode_www_form(Rails.application.secrets.maps[:extra_vars]) + config.maps[:dynamic][:tile_layer][:attribution] = ENV["MAPS_ATTRIBUTION"] if ENV["MAPS_ATTRIBUTION"] + if ENV["MAPS_EXTRA_VARS"].present? + vars = URI.decode_www_form(ENV["MAPS_EXTRA_VARS"]) vars.each do |key, value| # perform a naive type conversion config.maps[:dynamic][:tile_layer][key] = case value @@ -156,20 +159,20 @@ # end # Currency unit - config.currency_unit = Rails.application.secrets.decidim[:currency_unit] if Rails.application.secrets.decidim[:currency_unit].present? + # config.currency_unit = Decidim::Env.new("DECIDIM_CURRENCY_UNIT", "€").to_s # Workaround to enable SVG assets cors - config.cors_enabled = Rails.application.secrets.decidim[:cors_enabled].present? + # config.cors_enabled = Decidim::Env.new("DECIDIM_CORS_ENABLED", "false").present? # Defines the quality of image uploads after processing. Image uploads are # processed by Decidim, this value helps reduce the size of the files. - config.image_uploader_quality = Rails.application.secrets.decidim[:image_uploader_quality].to_i + # config.image_uploader_quality = Decidim::Env.new("DECIDIM_IMAGE_UPLOADER_QUALITY", "80").to_i - config.maximum_attachment_size = Rails.application.secrets.decidim[:maximum_attachment_size].to_i.megabytes - config.maximum_avatar_size = Rails.application.secrets.decidim[:maximum_avatar_size].to_i.megabytes + # config.maximum_attachment_size = Decidim::Env.new("DECIDIM_MAXIMUM_ATTACHMENT_SIZE", "10").to_i.megabytes + # config.maximum_avatar_size = Decidim::Env.new("DECIDIM_MAXIMUM_AVATAR_SIZE", "5").to_i.megabytes # The number of reports which a resource can receive before hiding it - config.max_reports_before_hiding = Rails.application.secrets.decidim[:max_reports_before_hiding].to_i + # config.max_reports_before_hiding = Decidim::Env.new("DECIDIM_MAX_REPORTS_BEFORE_HIDING", "3").to_i # Custom HTML Header snippets # 
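Review bot: Both `api_key:` entries in the maps block now end in `.to_s`, so when neither `MAPS_STATIC_API_KEY`/`MAPS_DYNAMIC_API_KEY` nor `MAPS_API_KEY` is set the key presumably becomes `""` instead of `nil`. Any downstream check that tests the key for `nil` would then treat the map as configured and issue requests with an empty key. Consider `api_key: Decidim::Env.new("MAPS_STATIC_API_KEY", ENV.fetch("MAPS_API_KEY", nil)).to_s.presence` for both entries. The `Decidim::Env.new("MAPS_STATIC_PROVIDER", …)` expression is also built twice; assigning `static_provider` first and testing `if static_provider.present?` would avoid the repetition. The `if` block continues past the end of the hunk.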
@@ -184,22 +187,24 @@ # that an organization's administrator injects malicious scripts to spy on or # take over user accounts. # - config.enable_html_header_snippets = Rails.application.secrets.decidim[:enable_html_header_snippets].present? + # config.enable_html_header_snippets = Decidim::Env.new("DECIDIM_ENABLE_HTML_HEADER_SNIPPETS").present? # Allow organizations admins to track newsletter links. - config.track_newsletter_links = Rails.application.secrets.decidim[:track_newsletter_links].present? unless Rails.application.secrets.decidim[:track_newsletter_links] == "auto" + # unless Decidim::Env.new("DECIDIM_TRACK_NEWSLETTER_LINKS", "auto").default_or_present_if_exists.to_s == "auto" + # config.track_newsletter_links = Decidim::Env.new("DECIDIM_FORCE_SSL", "auto").default_or_present_if_exists + # end # Amount of time that the download your data files will be available in the server. - config.download_your_data_expiry_time = Rails.application.secrets.decidim[:download_your_data_expiry_time].to_i.days + # config.download_your_data_expiry_time = Decidim::Env.new("DECIDIM_DOWNLOAD_YOUR_DATA_EXPIRY_TIME", "7").to_i.days # Max requests in a time period to prevent DoS attacks. Only applied on production. - config.throttling_max_requests = Rails.application.secrets.decidim[:throttling_max_requests].to_i + # config.throttling_max_requests = Decidim::Env.new("DECIDIM_THROTTLING_MAX_REQUESTS", "100").to_i # Time window in which the throttling is applied. - config.throttling_period = Rails.application.secrets.decidim[:throttling_period].to_i.minutes + # config.throttling_period = Decidim::Env.new("DECIDIM_THROTTLING_PERIOD", "1").to_i.minutes # Time window were users can access the website even if their email is not confirmed. - config.unconfirmed_access_for = Rails.application.secrets.decidim[:unconfirmed_access_for].to_i.days + # config.unconfirmed_access_for = Decidim::Env.new("DECIDIM_UNCONFIRMED_ACCESS_FOR", "0").to_i.days # A base path for the uploads. 
If set, make sure it ends in a slash. # Uploads will be set to `/uploads/`. This can be useful if you @@ -207,7 +212,7 @@ # environments, but in different folders. # # If not set, it will be ignored. - config.base_uploads_path = Rails.application.secrets.decidim[:base_uploads_path] if Rails.application.secrets.decidim[:base_uploads_path].present? + # config.base_uploads_path = Decidim::Env.new("DECIDIM_BASE_UPLOADS_PATH").to_s if Decidim::Env.new("DECIDIM_BASE_UPLOADS_PATH").present? # SMS gateway configuration # @@ -285,16 +290,16 @@ # Only needed if you want to have Etherpad integration with Decidim. See # Decidim docs at https://docs.decidim.org/en/services/etherpad/ in order to set it up. # - if Rails.application.secrets.etherpad.present? && Rails.application.secrets.etherpad[:server].present? + if Decidim::Env.new("ETHERPAD_SERVER").present? && Decidim::Env.new("ETHERPAD_API_KEY").present? config.etherpad = { - server: Rails.application.secrets.etherpad[:server], - api_key: Rails.application.secrets.etherpad[:api_key], - api_version: Rails.application.secrets.etherpad[:api_version] + server: Decidim::Env.new("ETHERPAD_SERVER").to_s, + api_key: Decidim::Env.new("ETHERPAD_API_KEY").to_s, + api_version: Decidim::Env.new("ETHERPAD_API_VERSION", "1.2.1").to_s } end # Sets Decidim::Exporters::CSV's default column separator - config.default_csv_col_sep = Rails.application.secrets.decidim[:default_csv_col_sep] if Rails.application.secrets.decidim[:default_csv_col_sep].present? + # config.default_csv_col_sep = Decidim::Env.new("DECIDIM_DEFAULT_CSV_COL_SEP", ";").to_s # The list of roles a user can have, not considering the space-specific roles. # config.user_roles = %w(admin user_manager) 
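Review bot: The commented `track_newsletter_links` example assigns from `Decidim::Env.new("DECIDIM_FORCE_SSL", "auto")` although its guard reads `DECIDIM_TRACK_NEWSLETTER_LINKS`, which looks like a copy-paste slip. An operator who uncomments the block would have newsletter link tracking follow the SSL variable. The assignment should read `# config.track_newsletter_links = Decidim::Env.new("DECIDIM_TRACK_NEWSLETTER_LINKS", "auto").default_or_present_if_exists`.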
@@ -342,11 +347,11 @@ # config.machine_translation_service = "MyTranslationService" # Defines the social networking services used for social sharing - config.social_share_services = Rails.application.secrets.decidim[:social_share_services] + # config.social_share_services = Decidim::Env.new("DECIDIM_SOCIAL_SHARE_SERVICES", "X, Facebook, WhatsApp, Telegram").to_array # Defines the name of the cookie used to check if the user allows Decidim to # set cookies. - config.consent_cookie_name = Rails.application.secrets.decidim[:consent_cookie_name] if Rails.application.secrets.decidim[:consent_cookie_name].present? + # config.consent_cookie_name = Decidim::Env.new("DECIDIM_CONSENT_COOKIE_NAME", "decidim-consent").to_s # Defines data consent categories and the data stored in each category. # config.consent_categories = [ 
@@ -383,92 +388,91 @@ config.content_security_policies_extra = {} # Admin admin password configurations - Rails.application.secrets.dig(:decidim, :admin_password, :strong).tap do |strong_pw| - # When the strong password is not configured, default to true - config.admin_password_strong = strong_pw.nil? ? true : strong_pw.present? - end - config.admin_password_expiration_days = Rails.application.secrets.dig(:decidim, :admin_password, :expiration_days).presence || 90 - config.admin_password_min_length = Rails.application.secrets.dig(:decidim, :admin_password, :min_length).presence || 15 - config.admin_password_repetition_times = Rails.application.secrets.dig(:decidim, :admin_password, :repetition_times).presence || 5 + # config.admin_password_strong = Decidim::Env.new("DECIDIM_ADMIN_PASSWORD_STRONG", true).present? - # Additional optional configurations (see decidim-core/lib/decidim/core.rb) - config.cache_key_separator = Rails.application.secrets.decidim[:cache_key_separator] if Rails.application.secrets.decidim[:cache_key_separator].present? - config.cache_expiry_time = Rails.application.secrets.decidim[:cache_expiry_time].to_i.minutes if Rails.application.secrets.decidim[:cache_expiry_time].present? - config.stats_cache_expiry_time = Rails.application.secrets.decidim[:stats_cache_expiry_time].to_i.minutes if Rails.application.secrets.decidim[:stats_cache_expiry_time].present? - config.expire_session_after = Rails.application.secrets.decidim[:expire_session_after].to_i.minutes if Rails.application.secrets.decidim[:expire_session_after].present? - config.enable_remember_me = Rails.application.secrets.decidim[:enable_remember_me].present? unless Rails.application.secrets.decidim[:enable_remember_me] == "auto" - if Rails.application.secrets.decidim[:session_timeout_interval].present? 
- config.session_timeout_interval = Rails.application.secrets.decidim[:session_timeout_interval].to_i.seconds - end - config.follow_http_x_forwarded_host = Rails.application.secrets.decidim[:follow_http_x_forwarded_host].present? - config.maximum_conversation_message_length = Rails.application.secrets.decidim[:maximum_conversation_message_length].to_i - config.password_similarity_length = Rails.application.secrets.decidim[:password_similarity_length] if Rails.application.secrets.decidim[:password_similarity_length].present? - config.denied_passwords = Rails.application.secrets.decidim[:denied_passwords] if Rails.application.secrets.decidim[:denied_passwords].present? - config.allow_open_redirects = Rails.application.secrets.decidim[:allow_open_redirects] if Rails.application.secrets.decidim[:allow_open_redirects].present? - config.enable_etiquette_validator = Rails.application.secrets.decidim[:enable_etiquette_validator] if Rails.application.secrets.decidim[:enable_etiquette_validator].present? -end + # config.admin_password_expiration_days = Decidim::Env.new("DECIDIM_ADMIN_PASSWORD_EXPIRATION_DAYS", 90).to_i + # config.admin_password_min_length = Decidim::Env.new("DECIDIM_ADMIN_PASSWORD_MIN_LENGTH", 15).to_i + # config.admin_password_repetition_times = Decidim::Env.new("DECIDIM_ADMIN_PASSWORD_REPETITION_TIMES", 5).to_i -if Decidim.module_installed? :api - Decidim::Api.configure do |config| - config.schema_max_per_page = Rails.application.secrets.dig(:decidim, :api, :schema_max_per_page).presence || 50 - config.schema_max_complexity = Rails.application.secrets.dig(:decidim, :api, :schema_max_complexity).presence || 5000 - config.schema_max_depth = Rails.application.secrets.dig(:decidim, :api, :schema_max_depth).presence || 15 - end -end - -if Decidim.module_installed? 
:proposals - Decidim::Proposals.configure do |config| - config.participatory_space_highlighted_proposals_limit = Rails.application.secrets.dig(:decidim, :proposals, :participatory_space_highlighted_proposals_limit).presence || 4 - config.process_group_highlighted_proposals_limit = Rails.application.secrets.dig(:decidim, :proposals, :process_group_highlighted_proposals_limit).presence || 3 - end -end - -if Decidim.module_installed? :meetings - Decidim::Meetings.configure do |config| - config.upcoming_meeting_notification = Rails.application.secrets.dig(:decidim, :meetings, :upcoming_meeting_notification).to_i.days - if Rails.application.secrets.dig(:decidim, :meetings, :embeddable_services).present? - config.embeddable_services = Rails.application.secrets.dig(:decidim, :meetings, :embeddable_services) - end - unless Rails.application.secrets.dig(:decidim, :meetings, :enable_proposal_linking) == "auto" - config.enable_proposal_linking = Rails.application.secrets.dig(:decidim, :meetings, :enable_proposal_linking).present? - end - end -end - -if Decidim.module_installed? :budgets - Decidim::Budgets.configure do |config| - unless Rails.application.secrets.dig(:decidim, :budgets, :enable_proposal_linking) == "auto" - config.enable_proposal_linking = Rails.application.secrets.dig(:decidim, :budgets, :enable_proposal_linking).present? 
- end - end -end + # Additional optional configurations (see decidim-core/lib/decidim/core.rb) + # config.cache_key_separator = Decidim::Env.new("DECIDIM_CACHE_KEY_SEPARATOR", "/").to_s + # config.cache_expiry_time = Decidim::Env.new("DECIDIM_CACHE_EXPIRATION_TIME", "1440").to_i.minutes + # config.stats_cache_expiry_time = Decidim::Env.new("DECIDIM_STATS_CACHE_EXPIRATION_TIME", 10).to_i.minutes + # config.expire_session_after = Decidim::Env.new("DECIDIM_EXPIRE_SESSION_AFTER", "30").to_i.minutes + # unless Decidim::Env.new("DECIDIM_ENABLE_REMEMBER_ME", "auto").default_or_present_if_exists.to_s == "auto" + # config.enable_remember_me = Decidim::Env.new("DECIDIM_ENABLE_REMEMBER_ME", "auto").default_or_present_if_exists + # end -if Decidim.module_installed? :accountability - Decidim::Accountability.configure do |config| - unless Rails.application.secrets.dig(:decidim, :accountability, :enable_proposal_linking) == "auto" - config.enable_proposal_linking = Rails.application.secrets.dig(:decidim, :accountability, :enable_proposal_linking).present? - end - end + # config.session_timeout_interval = Decidim::Env.new("DECIDIM_SESSION_TIMEOUT_INTERVAL", "10").to_i.seconds + # config.follow_http_x_forwarded_host = Decidim::Env.new("DECIDIM_FOLLOW_HTTP_X_FORWARDED_HOST").present? + # config.maximum_conversation_message_length = Decidim::Env.new("DECIDIM_MAXIMUM_CONVERSATION_MESSAGE_LENGTH", "1000").to_i + # config.password_similarity_length = Decidim::Env.new("DECIDIM_PASSWORD_SIMILARITY_LENGTH", 4).to_i + # config.denied_passwords = Decidim::Env.new("DECIDIM_DENIED_PASSWORDS").to_array(separator: ", ") + # config.allow_open_redirects = Decidim::Env.new("DECIDIM_ALLOW_OPEN_REDIRECTS").present? + # config.enable_etiquette_validator = Decidim::Env.new("DECIDIM_ENABLE_ETIQUETTE_VALIDATOR", true).present? end -if Decidim.module_installed? 
:initiatives - Decidim::Initiatives.configure do |config| - unless Rails.application.secrets.dig(:decidim, :initiatives, :creation_enabled) == "auto" - config.creation_enabled = Rails.application.secrets.dig(:decidim, :initiatives, :creation_enabled).present? - end - config.minimum_committee_members = Rails.application.secrets.dig(:decidim, :initiatives, :minimum_committee_members).presence || 2 - config.default_signature_time_period_length = Rails.application.secrets.dig(:decidim, :initiatives, :default_signature_time_period_length).presence || 120 - config.default_components = Rails.application.secrets.dig(:decidim, :initiatives, :default_components) - config.first_notification_percentage = Rails.application.secrets.dig(:decidim, :initiatives, :first_notification_percentage).presence || 33 - config.second_notification_percentage = Rails.application.secrets.dig(:decidim, :initiatives, :second_notification_percentage).presence || 66 - config.stats_cache_expiration_time = Rails.application.secrets.dig(:decidim, :initiatives, :stats_cache_expiration_time).to_i.minutes - config.max_time_in_validating_state = Rails.application.secrets.dig(:decidim, :initiatives, :max_time_in_validating_state).to_i.days - unless Rails.application.secrets.dig(:decidim, :initiatives, :print_enabled) == "auto" - config.print_enabled = Rails.application.secrets.dig(:decidim, :initiatives, :print_enabled).present? - end - config.do_not_require_authorization = Rails.application.secrets.dig(:decidim, :initiatives, :do_not_require_authorization).present? - end -end +# if Decidim.module_installed? :api +# Decidim::Api.configure do |config| +# config.schema_max_per_page = Decidim::Env.new("API_SCHEMA_MAX_PER_PAGE", 50).to_i +# config.schema_max_complexity = Decidim::Env.new("API_SCHEMA_MAX_COMPLEXITY", 5000).to_i +# config.schema_max_depth = Decidim::Env.new("API_SCHEMA_MAX_DEPTH", 15).to_i +# end +# end + +# if Decidim.module_installed? 
:proposals +# Decidim::Proposals.configure do |config| +# config.participatory_space_highlighted_proposals_limit = Decidim::Env.new("PROPOSALS_PARTICIPATORY_SPACE_HIGHLIGHTED_PROPOSALS_LIMIT", 4).to_i +# config.process_group_highlighted_proposals_limit = Decidim::Env.new("PROPOSALS_PROCESS_GROUP_HIGHLIGHTED_PROPOSALS_LIMIT", 3).to_i +# end +# end + +# if Decidim.module_installed? :meetings +# Decidim::Meetings.configure do |config| +# config.upcoming_meeting_notification = Decidim::Env.new("MEETINGS_UPCOMING_MEETING_NOTIFICATION", 2).to_i.days +# if Decidim::Env.new("MEETINGS_EMBEDDABLE_SERVICES").to_array(separator: " ").present? +# config.embeddable_services = Decidim::Env.new("MEETINGS_EMBEDDABLE_SERVICES").to_array(separator: " ") +# end +# unless Decidim::Env.new("MEETINGS_ENABLE_PROPOSAL_LINKING", "auto").default_or_present_if_exists.to_s == "auto" +# config.enable_proposal_linking = Decidim::Env.new("MEETINGS_ENABLE_PROPOSAL_LINKING", "auto").default_or_present_if_exists +# end +# end +# end + +# if Decidim.module_installed? :budgets +# Decidim::Budgets.configure do |config| +# unless Decidim::Env.new("BUDGETS_ENABLE_PROPOSAL_LINKING", "auto").default_or_present_if_exists.to_s == "auto" +# config.enable_proposal_linking = Decidim::Env.new("BUDGETS_ENABLE_PROPOSAL_LINKING", "auto").default_or_present_if_exists +# end +# end +# end + +# if Decidim.module_installed? :accountability +# Decidim::Accountability.configure do |config| +# unless Decidim::Env.new("ACCOUNTABILITY_ENABLE_PROPOSAL_LINKING", "auto").default_or_present_if_exists.to_s == "auto" +# config.enable_proposal_linking = Decidim::Env.new("ACCOUNTABILITY_ENABLE_PROPOSAL_LINKING", "auto").default_or_present_if_exists +# end +# end +# end + +# if Decidim.module_installed? 
:initiatives +# Decidim::Initiatives.configure do |config| +# unless Decidim::Env.new("INITIATIVES_CREATION_ENABLED", "auto").default_or_present_if_exists.to_s == "auto" +# config.creation_enabled = Decidim::Env.new("INITIATIVES_CREATION_ENABLED", "auto").default_or_present_if_exists +# end +# config.minimum_committee_members = Decidim::Env.new("INITIATIVES_MINIMUM_COMMITTEE_MEMBERS", 2).to_i +# config.default_signature_time_period_length = Decidim::Env.new("INITIATIVES_DEFAULT_SIGNATURE_TIME_PERIOD_LENGTH", 120).to_i +# config.default_components = Decidim::Env.new("INITIATIVES_DEFAULT_COMPONENTS", "pages, meetings").to_array +# config.first_notification_percentage = Decidim::Env.new("INITIATIVES_FIRST_NOTIFICATION_PERCENTAGE", 33).to_i +# config.second_notification_percentage = Decidim::Env.new("INITIATIVES_SECOND_NOTIFICATION_PERCENTAGE", 66).to_i +# config.stats_cache_expiration_time = Decidim::Env.new("INITIATIVES_STATS_CACHE_EXPIRATION_TIME", 5).to_i.minutes +# config.max_time_in_validating_state = Decidim::Env.new("INITIATIVES_MAX_TIME_IN_VALIDATING_STATE", 60).to_i.days +# unless Decidim::Env.new("INITIATIVES_PRINT_ENABLED", "auto").default_or_present_if_exists.to_s == "auto" +# config.print_enabled = Decidim::Env.new("INITIATIVES_PRINT_ENABLED", "auto").present? +# end +# config.do_not_require_authorization = Decidim::Env.new("INITIATIVES_DO_NOT_REQUIRE_AUTHORIZATION").present? +# end +# end Rails.application.config.i18n.available_locales = Decidim.available_locales Rails.application.config.i18n.default_locale = Decidim.default_locale diff --git a/decidim-generators/lib/decidim/generators/app_templates/secrets.yml.erb b/decidim-generators/lib/decidim/generators/app_templates/secrets.yml.erb deleted file mode 100644 index 53f3634392bcd..0000000000000 --- a/decidim-generators/lib/decidim/generators/app_templates/secrets.yml.erb +++ /dev/null 
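Review bot: In the commented initiatives block, `print_enabled` is assigned with `.present?` while the sibling `creation_enabled` and the other "auto" settings in this hunk assign `.default_or_present_if_exists`. Aligning it as `# config.print_enabled = Decidim::Env.new("INITIATIVES_PRINT_ENABLED", "auto").default_or_present_if_exists` keeps the examples uniform. The admin password policy (`admin_password_strong`, `admin_password_min_length` and the rest) is now present only as comments, so the previous values of strong passwords, 90 days, length 15 and 5 repetitions hold only if the core defaults carry them; that is not visible in this hunk. The context line `# Admin admin password configurations` also repeats a word.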
@@ -1,190 +0,0 @@ -# Be sure to restart your server when you modify this file. - -# Your secret key is used for verifying the integrity of signed cookies. -# If you change this key, all old signed cookies will become invalid! - -# Make sure the secret is at least 30 characters and all random, -# no regular words or you will be exposed to dictionary attacks. -# You can use `rails secret` to generate a secure secret key. - -# Make sure the secrets in this file are kept private -# if you are sharing your code publicly. - -decidim_default: &decidim_default - application_name: <%%= Decidim::Env.new("DECIDIM_APPLICATION_NAME", "My Application Name").to_json %> - mailer_sender: <%%= Decidim::Env.new("DECIDIM_MAILER_SENDER", "change-me@example.org").to_s %> - available_locales: <%%= Decidim::Env.new("DECIDIM_AVAILABLE_LOCALES", "ca,cs,de,en,es,eu,fi,fr,it,ja,nl,pl,pt,ro").to_array.to_json %> - default_locale: <%%= Decidim::Env.new("DECIDIM_DEFAULT_LOCALE", "en").to_s %> - force_ssl: <%%= Decidim::Env.new("DECIDIM_FORCE_SSL", "auto").default_or_present_if_exists.to_s %> - enable_html_header_snippets: <%%= Decidim::Env.new("DECIDIM_ENABLE_HTML_HEADER_SNIPPETS").to_boolean_string %> - currency_unit: <%%= Decidim::Env.new("DECIDIM_CURRENCY_UNIT", "€").to_s %> - cors_enabled: <%%= Decidim::Env.new("DECIDIM_CORS_ENABLED").to_boolean_string %> - image_uploader_quality: <%%= Decidim::Env.new("DECIDIM_IMAGE_UPLOADER_QUALITY", "80").to_i %> - maximum_attachment_size: <%%= Decidim::Env.new("DECIDIM_MAXIMUM_ATTACHMENT_SIZE", "10").to_i %> - maximum_avatar_size: <%%= Decidim::Env.new("DECIDIM_MAXIMUM_AVATAR_SIZE", "5").to_i %> - max_reports_before_hiding: <%%= Decidim::Env.new("DECIDIM_MAX_REPORTS_BEFORE_HIDING", "3").to_i %> - track_newsletter_links: <%%= Decidim::Env.new("DECIDIM_TRACK_NEWSLETTER_LINKS", "auto").default_or_present_if_exists.to_s %> - download_your_data_expiry_time: <%%= Decidim::Env.new("DECIDIM_DOWNLOAD_YOUR_DATA_EXPIRY_TIME", "7").to_i %> - throttling_max_requests: 
<%%= Decidim::Env.new("DECIDIM_THROTTLING_MAX_REQUESTS", "100").to_i %> - throttling_period: <%%= Decidim::Env.new("DECIDIM_THROTTLING_PERIOD", "1").to_i %> - unconfirmed_access_for: <%%= Decidim::Env.new("DECIDIM_UNCONFIRMED_ACCESS_FOR", "0").to_i %> - system_accesslist_ips: <%%= Decidim::Env.new("DECIDIM_SYSTEM_ACCESSLIST_IPS").to_array.to_json %> - base_uploads_path: <%%= Decidim::Env.new("DECIDIM_BASE_UPLOADS_PATH").to_json %> - default_csv_col_sep: <%%= Decidim::Env.new("DECIDIM_DEFAULT_CSV_COL_SEP", ";").to_json %> - consent_cookie_name: <%%= Decidim::Env.new("DECIDIM_CONSENT_COOKIE_NAME", "decidim-consent").to_json %> - cache_key_separator: <%%= Decidim::Env.new("DECIDIM_CACHE_KEY_SEPARATOR", "/").to_json %> - cache_expiry_time: <%%= Decidim::Env.new("DECIDIM_CACHE_EXPIRATION_TIME", "1440").to_i %> - stats_cache_expiry_time: <%%= Decidim::Env.new("DECIDIM_STATS_CACHE_EXPIRATION_TIME", 10).to_i %> - expire_session_after: <%%= Decidim::Env.new("DECIDIM_EXPIRE_SESSION_AFTER", "30").to_i %> - session_timeout_interval: <%%= Decidim::Env.new("DECIDIM_SESSION_TIMEOUT_INTERVAL", "10").to_i %> - enable_remember_me: <%%= Decidim::Env.new("DECIDIM_ENABLE_REMEMBER_ME", "auto").default_or_present_if_exists.to_s %> - follow_http_x_forwarded_host: <%%= Decidim::Env.new("DECIDIM_FOLLOW_HTTP_X_FORWARDED_HOST").to_boolean_string %> - maximum_conversation_message_length: <%%= Decidim::Env.new("DECIDIM_MAXIMUM_CONVERSATION_MESSAGE_LENGTH", "1000").to_i %> - password_similarity_length: <%%= Decidim::Env.new("DECIDIM_PASSWORD_SIMILARITY_LENGTH", 4).to_i %> - denied_passwords: <%%= Decidim::Env.new("DECIDIM_DENIED_PASSWORDS").to_array(separator: ", ").to_json %> - allow_open_redirects: <%%= Decidim::Env.new("DECIDIM_ALLOW_OPEN_REDIRECTS").to_boolean_string %> - social_share_services: <%%= Decidim::Env.new("DECIDIM_SOCIAL_SHARE_SERVICES", "X, Facebook, WhatsApp, Telegram").to_array.to_json %> - service_worker_enabled: <%%= Decidim::Env.new("DECIDIM_SERVICE_WORKER_ENABLED", 
Rails.env.exclude?("development")).to_boolean_string %> - page_blocks: <%%= Decidim::Env.new("DECIDIM_PAGE_BLOCKS", "terms-of-service").to_array %> - enable_etiquette_validator: <%%= Decidim::Env.new("DECIDIM_ENABLE_ETIQUETTE_VALIDATOR", true).to_boolean_string %> - admin_password: - expiration_days: <%%= Decidim::Env.new("DECIDIM_ADMIN_PASSWORD_EXPIRATION_DAYS", 90).to_i %> - min_length: <%%= Decidim::Env.new("DECIDIM_ADMIN_PASSWORD_MIN_LENGTH", 15).to_i %> - repetition_times: <%%= Decidim::Env.new("DECIDIM_ADMIN_PASSWORD_REPETITION_TIMES", 5).to_i %> - strong: <%%= Decidim::Env.new("DECIDIM_ADMIN_PASSWORD_STRONG", true).to_boolean_string %> - api: - schema_max_per_page: <%%= Decidim::Env.new("API_SCHEMA_MAX_PER_PAGE", 50).to_i %> - schema_max_complexity: <%%= Decidim::Env.new("API_SCHEMA_MAX_COMPLEXITY", 5000).to_i %> - schema_max_depth: <%%= Decidim::Env.new("API_SCHEMA_MAX_DEPTH", 15).to_i %> - proposals: - participatory_space_highlighted_proposals_limit: <%%= Decidim::Env.new("PROPOSALS_PARTICIPATORY_SPACE_HIGHLIGHTED_PROPOSALS_LIMIT", 4).to_i %> - process_group_highlighted_proposals_limit: <%%= Decidim::Env.new("PROPOSALS_PROCESS_GROUP_HIGHLIGHTED_PROPOSALS_LIMIT", 3).to_i %> - meetings: - upcoming_meeting_notification: <%%= Decidim::Env.new("MEETINGS_UPCOMING_MEETING_NOTIFICATION", 2).to_i %> - enable_proposal_linking: <%%= Decidim::Env.new("MEETINGS_ENABLE_PROPOSAL_LINKING", "auto").default_or_present_if_exists.to_s %> - embeddable_services: <%%= Decidim::Env.new("MEETINGS_EMBEDDABLE_SERVICES").to_array(separator: " ").to_json %> - budgets: - enable_proposal_linking: <%%= Decidim::Env.new("BUDGETS_ENABLE_PROPOSAL_LINKING", "auto").default_or_present_if_exists.to_s %> - accountability: - enable_proposal_linking: <%%= Decidim::Env.new("ACCOUNTABILITY_ENABLE_PROPOSAL_LINKING", "auto").default_or_present_if_exists.to_s %> - initiatives: - creation_enabled: <%%= Decidim::Env.new("INITIATIVES_CREATION_ENABLED", "auto").default_or_present_if_exists.to_s %> - 
minimum_committee_members: <%%= Decidim::Env.new("INITIATIVES_MINIMUM_COMMITTEE_MEMBERS", 2).to_i %> - default_signature_time_period_length: <%%= Decidim::Env.new("INITIATIVES_DEFAULT_SIGNATURE_TIME_PERIOD_LENGTH", 120).to_i %> - default_components: <%%= Decidim::Env.new("INITIATIVES_DEFAULT_COMPONENTS", "pages, meetings").to_array.to_json %> - first_notification_percentage: <%%= Decidim::Env.new("INITIATIVES_FIRST_NOTIFICATION_PERCENTAGE", 33).to_i %> - second_notification_percentage: <%%= Decidim::Env.new("INITIATIVES_SECOND_NOTIFICATION_PERCENTAGE", 66).to_i %> - stats_cache_expiration_time: <%%= Decidim::Env.new("INITIATIVES_STATS_CACHE_EXPIRATION_TIME", 5).to_i %> - max_time_in_validating_state: <%%= Decidim::Env.new("INITIATIVES_MAX_TIME_IN_VALIDATING_STATE", 60).to_i %> - print_enabled: <%%= Decidim::Env.new("INITIATIVES_PRINT_ENABLED", "auto").default_or_present_if_exists.to_s %> - do_not_require_authorization: <%%= Decidim::Env.new("INITIATIVES_DO_NOT_REQUIRE_AUTHORIZATION").to_boolean_string %> - verifications: - document_types: <%%= Decidim::Env.new("VERIFICATIONS_DOCUMENT_TYPES", "identification_number,passport").to_array %> - -storage_default: &storage_default - provider: <%%= Decidim::Env.new("STORAGE_PROVIDER", "local").to_s %> - cdn_host: <%%= ENV["STORAGE_CDN_HOST"] %> - s3: - access_key_id: <%%= ENV["AWS_ACCESS_KEY_ID"] %> - secret_access_key: <%%= ENV["AWS_SECRET_ACCESS_KEY"] %> - region: <%%= ENV["AWS_REGION"] %> - bucket: <%%= ENV["AWS_BUCKET"] %> - endpoint: <%%= ENV["AWS_ENDPOINT"] %> - azure: - storage_access_key: <%%= ENV["AZURE_STORAGE_ACCESS_KEY"] %> - storage_account_name: <%%= ENV["AZURE_STORAGE_ACCOUNT_NAME"] %> - container: <%%= ENV["AZURE_CONTAINER"] %> - gcs: - project: <%%= ENV["GCS_PROJECT"] %> - bucket: <%%= ENV["GCS_BUCKET"] %> - type: <%%= Decidim::Env.new("GCS_TYPE", "service_account").to_s %> - project_id: <%%= Decidim::Env.new("GCS_PROJECT_ID").to_s %> - private_key_id: <%%= Decidim::Env.new("GCS_PRIVATE_KEY_ID").to_s %> - 
private_key: <%%= Decidim::Env.new("GCS_PRIVATE_KEY").to_s %> - client_email: <%%= Decidim::Env.new("GCS_CLIENT_EMAIL").to_s %> - client_id: <%%= Decidim::Env.new("GCS_CLIENT_ID").to_s %> - auth_uri: <%%= Decidim::Env.new("GCS_AUTH_URI", "https://accounts.google.com/o/oauth2/auth").to_s %> - token_uri: <%%= Decidim::Env.new("GCS_TOKEN_URI", "https://accounts.google.com/o/oauth2/token").to_s %> - auth_provider_x509_cert_url: <%%= Decidim::Env.new("GCS_AUTH_PROVIDER_X509_CERT_URL", "https://www.googleapis.com/oauth2/v1/certs").to_s %> - client_x509_cert_url: <%%= Decidim::Env.new("GCS_CLIENT_X509_CERT_URL").to_s %> - -default: &default - decidim: - <<: *decidim_default - omniauth: - facebook: - enabled: <%%= Decidim::Env.new("OMNIAUTH_FACEBOOK_APP_ID").to_boolean_string %> - app_id: <%%= ENV["OMNIAUTH_FACEBOOK_APP_ID"] %> - app_secret: <%%= ENV["OMNIAUTH_FACEBOOK_APP_SECRET"] %> - icon: facebook-fill - twitter: - enabled: <%%= Decidim::Env.new("OMNIAUTH_TWITTER_API_KEY").to_boolean_string %> - api_key: <%%= ENV["OMNIAUTH_TWITTER_API_KEY"] %> - api_secret: <%%= ENV["OMNIAUTH_TWITTER_API_SECRET"] %> - icon: twitter-x-fill - google_oauth2: - enabled: <%%= Decidim::Env.new("OMNIAUTH_GOOGLE_CLIENT_ID").to_boolean_string %> - icon: google-fill - client_id: <%%= ENV["OMNIAUTH_GOOGLE_CLIENT_ID"] %> - client_secret: <%%= ENV["OMNIAUTH_GOOGLE_CLIENT_SECRET"] %> - maps: - dynamic_provider: <%%= Decidim::Env.new("MAPS_DYNAMIC_PROVIDER", ENV["MAPS_PROVIDER"]).to_s %> - static_provider: <%%= Decidim::Env.new("MAPS_STATIC_PROVIDER", ENV["MAPS_PROVIDER"]).to_s %> - static_api_key: <%%= Decidim::Env.new("MAPS_STATIC_API_KEY", ENV["MAPS_API_KEY"]).to_s %> - dynamic_api_key: <%%= Decidim::Env.new("MAPS_DYNAMIC_API_KEY", ENV["MAPS_API_KEY"]).to_s %> - dynamic_url: <%%= ENV["MAPS_DYNAMIC_URL"] %> - static_url: <%%= ENV["MAPS_STATIC_URL"] %> - attribution: <%%= ENV["MAPS_ATTRIBUTION"].to_json %> - extra_vars: <%%= ENV["MAPS_EXTRA_VARS"].to_json %> - geocoding_host: <%%= 
ENV["MAPS_GEOCODING_HOST"] %> - etherpad: - server: <%%= ENV["ETHERPAD_SERVER"] %> - api_key: <%%= ENV["ETHERPAD_API_KEY"] %> - api_version: <%%= Decidim::Env.new("ETHERPAD_API_VERSION", "1.2.1") %> - storage: - <<: *storage_default - vapid: - enabled: <%%= Decidim::Env.new("VAPID_PUBLIC_KEY").to_boolean_string %> - public_key: <%%= ENV["VAPID_PUBLIC_KEY"] %> - private_key: <%%= ENV["VAPID_PRIVATE_KEY"] %> - -development: - <<: *default - secret_key_base: <%= SecureRandom.hex(64) %> - omniauth: - developer: - enabled: true - icon: phone-line - -test: - <<: *default - secret_key_base: <%= SecureRandom.hex(64) %> - omniauth: - facebook: - enabled: true - app_id: fake-facebook-app-id - app_secret: fake-facebook-app-secret - twitter: - enabled: true - api_key: fake-twitter-api-key - api_secret: fake-twitter-api-secret - google_oauth2: - enabled: true - client_id: - client_secret: - test: - enabled: true - icon: tools-line - -# Do not keep production secrets in the repository, -# instead read values from the environment. -production: - <<: *default - secret_key_base: <%%= ENV["SECRET_KEY_BASE"] %> - smtp_username: <%%= ENV["SMTP_USERNAME"] %> - smtp_password: <%%= ENV["SMTP_PASSWORD"] %> - smtp_address: <%%= ENV["SMTP_ADDRESS"] %> - smtp_domain: <%%= ENV["SMTP_DOMAIN"] %> - smtp_port: <%%= Decidim::Env.new("SMTP_PORT", 587).to_i %> - smtp_starttls_auto: <%%= Decidim::Env.new("SMTP_STARTTLS_AUTO").to_boolean_string %> - smtp_authentication: <%%= Decidim::Env.new("SMTP_AUTHENTICATION", "plain").to_s %> diff --git a/decidim-generators/lib/decidim/generators/app_templates/storage.yml.erb b/decidim-generators/lib/decidim/generators/app_templates/storage.yml.erb index 0354d61650d6a..4c2c9b15ee1bf 100644 --- a/decidim-generators/lib/decidim/generators/app_templates/storage.yml.erb +++ b/decidim-generators/lib/decidim/generators/app_templates/storage.yml.erb 
@@ -8,33 +8,33 @@ local: s3: service: S3 - access_key_id: <%%= Rails.application.secrets.dig(:storage, :s3, :access_key_id) %> - secret_access_key: <%%= Rails.application.secrets.dig(:storage, :s3, :secret_access_key) %> - bucket: <%%= Rails.application.secrets.dig(:storage, :s3, :bucket) %> - <%%= "region: #{Rails.application.secrets.dig(:storage, :s3, :region)}" if Rails.application.secrets.dig(:storage, :s3, :region) %> - <%%= "endpoint: #{Rails.application.secrets.dig(:storage, :s3, :endpoint)}" if Rails.application.secrets.dig(:storage, :s3, :endpoint) %> + access_key_id: <%%= ENV["AWS_ACCESS_KEY_ID"] %> + secret_access_key: <%%= ENV["AWS_SECRET_ACCESS_KEY"] %> + bucket: <%%= ENV["AWS_BUCKET"] %> + <%%= "region: #{ENV["AWS_REGION"]}" if ENV["AWS_REGION"] %> + <%%= "endpoint: #{ ENV["AWS_ENDPOINT"]}" if ENV["AWS_ENDPOINT"] %> azure: service: AzureStorage - storage_account_name: <%%= Rails.application.secrets.dig(:storage, :azure, :storage_account_name) %> - storage_access_key: <%%= Rails.application.secrets.dig(:storage, :azure, :storage_access_key) %> - container: <%%= Rails.application.secrets.dig(:storage, :azure, :container) %> + storage_account_name: <%%= ENV["AZURE_STORAGE_ACCOUNT_NAME"] %> + storage_access_key: <%%= ENV["AZURE_STORAGE_ACCESS_KEY"] %> + container: <%%= ENV["AZURE_CONTAINER"] %> gcs: service: GCS - project: <%%= Rails.application.secrets.dig(:storage, :gcs, :project) %> - bucket: <%%= Rails.application.secrets.dig(:storage, :gcs, :bucket) %> + project: <%%= ENV["GCS_PROJECT"] %> + bucket: <%%= ENV["GCS_BUCKET"] %> credentials: - type: <%%= Rails.application.secrets.dig(:storage, :gcs, :type) %> - project_id: <%%= Rails.application.secrets.dig(:storage, :gcs, :project_id) %> - private_key_id: <%%= Rails.application.secrets.dig(:storage, :gcs, :private_key_id) %> - private_key: <%%= Rails.application.secrets.dig(:storage, :gcs, :private_key) %> - client_email: <%%= Rails.application.secrets.dig(:storage, :gcs, :client_email) %> - client_id: 
<%%= Rails.application.secrets.dig(:storage, :gcs, :client_id) %> - auth_uri: <%%= Rails.application.secrets.dig(:storage, :gcs, :auth_uri) %> - token_uri: <%%= Rails.application.secrets.dig(:storage, :gcs, :token_uri) %> - auth_provider_x509_cert_url: <%%= Rails.application.secrets.dig(:storage, :gcs, :auth_provider_x509_cert_url) %> - client_x509_cert_url: <%%= Rails.application.secrets.dig(:storage, :gcs, :client_x509_cert_url) %> + type: <%%= Decidim::Env.new("GCS_TYPE", "service_account").to_s %> + project_id: <%%= Decidim::Env.new("GCS_PROJECT_ID").to_s %> + private_key_id: <%%= Decidim::Env.new("GCS_PRIVATE_KEY_ID").to_s %> + private_key: <%%= Decidim::Env.new("GCS_PRIVATE_KEY").to_s %> + client_email: <%%= Decidim::Env.new("GCS_CLIENT_EMAIL").to_s %> + client_id: <%%= Decidim::Env.new("GCS_CLIENT_ID").to_s %> + auth_uri: <%%= Decidim::Env.new("GCS_AUTH_URI", "https://accounts.google.com/o/oauth2/auth").to_s %> + token_uri: <%%= Decidim::Env.new("GCS_TOKEN_URI", "https://accounts.google.com/o/oauth2/token").to_s %> + auth_provider_x509_cert_url: <%%= Decidim::Env.new("GCS_AUTH_PROVIDER_X509_CERT_URL", "https://www.googleapis.com/oauth2/v1/certs").to_s %> + client_x509_cert_url: <%%= Decidim::Env.new("GCS_CLIENT_X509_CERT_URL").to_s %> # mirror: # service: Mirror diff --git a/decidim-generators/lib/decidim/generators/install_generator.rb b/decidim-generators/lib/decidim/generators/install_generator.rb index f9cc2c92432be..d29172cc94fc2 100644 --- a/decidim-generators/lib/decidim/generators/install_generator.rb +++ b/decidim-generators/lib/decidim/generators/install_generator.rb @@ -45,10 +45,6 @@ def add_seeds RUBY end - def secrets - template "secrets.yml.erb", "config/secrets.yml", force: true - end - def remove_layout remove_file "app/views/layouts/application.html.erb" remove_file "app/views/layouts/mailer.text.erb" 
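Review bot: The credential lines on the new side are written into the YAML unquoted, e.g. `private_key: <%%= Decidim::Env.new("GCS_PRIVATE_KEY").to_s %>` and `secret_access_key: <%%= ENV["AWS_SECRET_ACCESS_KEY"] %>`, so a value containing a newline, ` #` or `: ` changes how the file parses. A GCS service-account key is usually a multi-line PEM, which makes `GCS_PRIVATE_KEY` the likeliest to break. Rendering through `.to_json`, as the removed secrets.yml template did for other values (`private_key: <%%= Decidim::Env.new("GCS_PRIVATE_KEY").to_json %>`), keeps it one quoted scalar. The `region:` and `endpoint:` guards test `if ENV["AWS_REGION"]`, which is also true for an empty string and then emits a key with no value; `if ENV["AWS_REGION"].present?` would skip it.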
@@ -57,19 +53,19 @@ def remove_layout def smtp_environment inject_into_file "config/environments/production.rb", after: "config.log_formatter = ::Logger::Formatter.new" do - cut <<~RUBY + cut <<~HERE | | config.action_mailer.smtp_settings = { - | :address => Rails.application.secrets.smtp_address, - | :port => Rails.application.secrets.smtp_port, - | :authentication => Rails.application.secrets.smtp_authentication, - | :user_name => Rails.application.secrets.smtp_username, - | :password => Rails.application.secrets.smtp_password, - | :domain => Rails.application.secrets.smtp_domain, - | :enable_starttls_auto => Rails.application.secrets.smtp_starttls_auto, + | :address => ENV["SMTP_ADDRESS"], + | :port => Decidim::Env.new("SMTP_PORT", 587).to_i, + | :authentication => Decidim::Env.new("SMTP_AUTHENTICATION", "plain").to_s, + | :user_name => ENV["SMTP_USERNAME"], + | :password => ENV["SMTP_PASSWORD"], + | :domain => ENV["SMTP_DOMAIN"], + | :enable_starttls_auto => Decidim::Env.new("SMTP_STARTTLS_AUTO").to_boolean_string, | :openssl_verify_mode => 'none' | } - RUBY + HERE end end @@ -124,11 +120,11 @@ def letter_opener_web inject_into_file "config/environments/development.rb", after: "config.action_mailer.raise_delivery_errors = false" do - cut <<~RUBY + cut <<~HERE | | config.action_mailer.delivery_method = :letter_opener_web | config.action_mailer.default_url_options = { port: 3000 } - RUBY + HERE end end diff --git a/decidim-generators/lib/decidim/generators/test/generator_examples.rb b/decidim-generators/lib/decidim/generators/test/generator_examples.rb index 13a1c14af800b..202ee4538139a 100644 --- a/decidim-generators/lib/decidim/generators/test/generator_examples.rb +++ b/decidim-generators/lib/decidim/generators/test/generator_examples.rb 
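Review bot: In the generated `smtp_settings`, `:enable_starttls_auto => Decidim::Env.new("SMTP_STARTTLS_AUTO").to_boolean_string` appears to pass a String, and in Ruby the string "false" is truthy, so the option may no longer be switchable off the way it was when the value was parsed from secrets.yml. Other boolean settings in this commit use `.present?`, so `:enable_starttls_auto => Decidim::Env.new("SMTP_STARTTLS_AUTO").present?` would hand the mailer a real boolean; please confirm against `Decidim::Env#to_boolean_string`, which is not visible here. The unchanged `:openssl_verify_mode => 'none'` line in the same block turns off certificate verification for the SMTP connection. Since this block is being rewritten anyway, it could become an environment setting with a verifying default.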
@@ -275,184 +275,6 @@ shared_examples_for "an application with configurable env vars" do include_context "with application env vars" - let(:secrets_off) do - { - %w(omniauth facebook enabled) => false, - %w(omniauth twitter enabled) => false, - %w(omniauth google_oauth2 enabled) => false, - %w(decidim application_name) => "My Application Name", - %w(decidim mailer_sender) => "change-me@example.org", - %w(decidim available_locales) => %w(ca cs de en es eu fi fr it ja nl pl pt ro), - %w(decidim default_locale) => "en", - %w(decidim force_ssl) => "auto", - %w(decidim enable_html_header_snippets) => false, - %w(decidim currency_unit) => "€", - %w(decidim image_uploader_quality) => 80, - %w(decidim maximum_attachment_size) => 10, - %w(decidim maximum_avatar_size) => 5, - %w(decidim max_reports_before_hiding) => 3, - %w(decidim track_newsletter_links) => "auto", - %w(decidim download_your_data_expiry_time) => 7, - %w(decidim throttling_max_requests) => 100, - %w(decidim throttling_period) => 1, - %w(decidim unconfirmed_access_for) => 0, - %w(decidim system_accesslist_ips) => [], - %w(decidim base_uploads_path) => nil, - %w(decidim default_csv_col_sep) => ";", - %w(decidim cors_enabled) => false, - %w(decidim service_worker_enabled) => true, - %w(decidim consent_cookie_name) => "decidim-consent", - %w(decidim cache_key_separator) => "/", - %w(decidim cache_expiry_time) => 1440, - %w(decidim stats_cache_expiry_time) => 10, - %w(decidim expire_session_after) => 30, - %w(decidim enable_remember_me) => "auto", - %w(decidim session_timeout_interval) => 10, - %w(decidim follow_http_x_forwarded_host) => false, - %w(decidim maximum_conversation_message_length) => 1000, - %w(decidim password_similarity_length) => 4, - %w(decidim denied_passwords) => [], - %w(decidim allow_open_redirects) => false, - %w(decidim admin_password expiration_days) => 90, - %w(decidim admin_password min_length) => 15, - %w(decidim admin_password repetition_times) => 5, - %w(decidim admin_password strong) 
=> true, - %w(etherpad server) => nil, - %w(etherpad api_key) => nil, - %w(etherpad api_version) => "1.2.1", - %w(maps dynamic_provider) => nil, - %w(maps static_provider) => nil, - %w(maps static_api_key) => nil, - %w(maps dynamic_api_key) => nil, - %w(maps static_url) => nil, - %w(maps dynamic_url) => nil, - %w(maps attribution) => nil, - %w(maps extra_vars) => nil, - %w(maps geocoding_host) => nil, - %w(vapid enabled) => false, - %w(vapid public_key) => nil, - %w(vapid private_key) => nil, - %w(storage provider) => "local", - %w(storage cdn_host) => nil, - %w(decidim api schema_max_per_page) => 50, - %w(decidim api schema_max_complexity) => 5000, - %w(decidim api schema_max_depth) => 15, - %w(decidim proposals participatory_space_highlighted_proposals_limit) => 4, - %w(decidim proposals process_group_highlighted_proposals_limit) => 3, - %w(decidim meetings upcoming_meeting_notification) => 2, - %w(decidim meetings enable_proposal_linking) => "auto", - %w(decidim meetings embeddable_services) => [], - %w(decidim budgets enable_proposal_linking) => "auto", - %w(decidim accountability enable_proposal_linking) => "auto", - %w(decidim initiatives creation_enabled) => "auto", - %w(decidim initiatives minimum_committee_members) => 2, - %w(decidim initiatives default_signature_time_period_length) => 120, - %w(decidim initiatives default_components) => %w(pages meetings), - %w(decidim initiatives first_notification_percentage) => 33, - %w(decidim initiatives second_notification_percentage) => 66, - %w(decidim initiatives stats_cache_expiration_time) => 5, - %w(decidim initiatives max_time_in_validating_state) => 60, - %w(decidim initiatives print_enabled) => "auto", - %w(decidim initiatives do_not_require_authorization) => false - } - end - - let(:secrets_on) do - { - %w(omniauth facebook enabled) => true, - %w(omniauth facebook app_id) => "a-facebook-id", - %w(omniauth facebook app_secret) => "a-facebook-secret", - %w(omniauth twitter enabled) => true, - %w(omniauth 
twitter api_key) => "a-twitter-api-key", - %w(omniauth twitter api_secret) => "a-twitter-api-secret", - %w(omniauth google_oauth2 enabled) => true, - %w(omniauth google_oauth2 client_id) => "a-google-client-id", - %w(omniauth google_oauth2 client_secret) => "a-google-client-secret", - %w(secret_key_base) => "a-secret-key-base", - %w(smtp_username) => "a-smtp-username", - %w(smtp_password) => "a-smtp-password", - %w(smtp_address) => "a-smtp-address", - %w(smtp_domain) => "a-smtp-domain", - %w(smtp_port) => 12_345, - %w(smtp_starttls_auto) => true, - %w(smtp_authentication) => "a-smtp-authentication", - %w(decidim application_name) => "\"A test\" {application}", - %w(decidim mailer_sender) => "noreply@example.org", - %w(decidim available_locales) => %w(de fr zh-CN), - %w(decidim default_locale) => "zh-CN", - %w(decidim force_ssl) => false, - %w(decidim enable_html_header_snippets) => true, - %w(decidim currency_unit) => "$", - %w(decidim image_uploader_quality) => 91, - %w(decidim maximum_attachment_size) => 25, - %w(decidim maximum_avatar_size) => 11, - %w(decidim max_reports_before_hiding) => 4, - %w(decidim track_newsletter_links) => false, - %w(decidim download_your_data_expiry_time) => 2, - %w(decidim throttling_max_requests) => 99, - %w(decidim throttling_period) => 2, - %w(decidim unconfirmed_access_for) => 3, - %w(decidim system_accesslist_ips) => ["127.0.0.1", "172.26.0.1/24"], - %w(decidim base_uploads_path) => "some-path/", - %w(decidim default_csv_col_sep) => ",", - %w(decidim cors_enabled) => true, - %w(decidim service_worker_enabled) => true, - %w(decidim consent_cookie_name) => ":weird-consent-cookie-name:", - %w(decidim cache_key_separator) => ":", - %w(decidim cache_expiry_time) => 33, - %w(decidim stats_cache_expiry_time) => 15, - %w(decidim expire_session_after) => 45, - %w(decidim enable_remember_me) => false, - %w(decidim session_timeout_interval) => 33, - %w(decidim follow_http_x_forwarded_host) => true, - %w(decidim 
maximum_conversation_message_length) => 1234, - %w(decidim password_similarity_length) => 4, - %w(decidim denied_passwords) => ["i-do-not-like-this-password", "i-do-not,like,this,one,either", "password123456"], - %w(decidim allow_open_redirects) => true, - %w(decidim admin_password expiration_days) => 93, - %w(decidim admin_password min_length) => 18, - %w(decidim admin_password repetition_times) => 8, - %w(decidim admin_password strong) => false, - %w(etherpad server) => "http://a-etherpad-server.com", - %w(etherpad api_key) => "an-etherpad-key", - %w(etherpad api_version) => "1.2.2", - %w(maps dynamic_provider) => "here", - %w(maps static_provider) => "here", - %w(maps static_api_key) => "a-maps-api-key", - %w(maps dynamic_api_key) => "a-maps-api-key", - %w(maps static_url) => nil, - %w(maps dynamic_url) => nil, - %w(maps attribution) => nil, - %w(maps extra_vars) => nil, - %w(maps geocoding_host) => nil, - %w(vapid enabled) => true, - %w(vapid public_key) => "a-vapid-public-key", - %w(vapid private_key) => "a-vapid-private-key", - %w(storage provider) => "test", - %w(storage cdn_host) => "https://cdn.example.org", - %w(decidim api schema_max_per_page) => 31, - %w(decidim api schema_max_complexity) => 3001, - %w(decidim api schema_max_depth) => 11, - %w(decidim proposals participatory_space_highlighted_proposals_limit) => 6, - %w(decidim proposals process_group_highlighted_proposals_limit) => 5, - %w(decidim meetings upcoming_meeting_notification) => 3, - %w(decidim meetings enable_proposal_linking) => false, - %w(decidim meetings embeddable_services) => %w(www.youtube.com www.twitch.tv meet.jit.si 8x8.vc), - %w(decidim budgets enable_proposal_linking) => false, - %w(decidim accountability enable_proposal_linking) => false, - %w(decidim initiatives creation_enabled) => false, - %w(decidim initiatives minimum_committee_members) => 3, - %w(decidim initiatives default_signature_time_period_length) => 133, - %w(decidim initiatives default_components) => %w(pages 
proposals budgets), - %w(decidim initiatives first_notification_percentage) => 10, - %w(decidim initiatives second_notification_percentage) => 70, - %w(decidim initiatives stats_cache_expiration_time) => 7, - %w(decidim initiatives max_time_in_validating_state) => 50, - %w(decidim initiatives print_enabled) => false, - %w(decidim initiatives do_not_require_authorization) => true - } - end - let(:initializer_off) do { "application_name" => "My Application Name", @@ -695,19 +517,6 @@ # This is using a big example to avoid recreating the application every time it "env vars generate secrets application" do expect(result[1]).to be_success, result[0] - # Test onto the secret generated when ENV vars are empty strings or undefined - json_off = json_secrets_for(test_app, env_off) - secrets_off.each do |keys, value| - current = json_off.dig(*keys) - expect(current).to eq(value), "Secret #{keys} = (#{current}) expected to match Env:OFF (#{value})" - end - - # Test onto the secret generated when ENV vars are set - json_on = json_secrets_for(test_app, env_on) - secrets_on.each do |keys, value| - current = json_on.dig(*keys) - expect(current).to eq(value), "Secret #{keys} = (#{current}) expected to match Env:ON (#{value})" - end # Test onto the initializer when ENV vars are empty strings or undefined json_off = initializer_config_for(test_app, env_off) @@ -957,10 +766,6 @@ end end -def json_secrets_for(path, env) - JSON.parse cmd_capture(path, "bin/rails runner 'puts Rails.application.secrets.to_json'", env:) -end - def initializer_config_for(path, env, mod = "Decidim") JSON.parse cmd_capture(path, "bin/rails runner 'puts #{mod}.config.to_json'", env:) end diff --git a/decidim-generators/spec/lib/generators_spec.rb b/decidim-generators/spec/lib/generators_spec.rb index efd6d93fed8a4..65e236ad312d4 100644 --- a/decidim-generators/spec/lib/generators_spec.rb +++ b/decidim-generators/spec/lib/generators_spec.rb 
@@ -17,7 +17,7 @@ module Decidim let(:test_version) { "0.27.0.dev" } it "returns the develop branch" do - expect(subject.edge_git_branch).to eq("develop") + expect(subject.edge_git_branch).to eq("chore/remove-secrets") end end diff --git a/decidim-initiatives/lib/decidim/initiatives.rb b/decidim-initiatives/lib/decidim/initiatives.rb index 92a4110794305..ca22cf0cf6403 100644 --- a/decidim-initiatives/lib/decidim/initiatives.rb +++ b/decidim-initiatives/lib/decidim/initiatives.rb 
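Review bot: The expectation `expect(subject.edge_git_branch).to eq("chore/remove-secrets")` pins the spec to what looks like this change's own working branch, while the example is still named "returns the develop branch". If the branch name was only changed so CI could build generated applications from this branch, both the spec and whatever `edge_git_branch` returns should go back to `eq("develop")` before merge; otherwise newly generated applications would track a short-lived branch. The implementation of `edge_git_branch` is not part of this hunk, so this is inferred from the test alone.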
@@ -20,56 +20,56 @@ module Initiatives # Public setting that defines whether creation is allowed to any validated # user or not. Defaults to true. config_accessor :creation_enabled do - true + Decidim::Env.new("INITIATIVES_CREATION_ENABLED", "auto").present? end # Minimum number of committee members required to pass the initiative to # technical validation phase. Only applies to initiatives created by # individuals. config_accessor :minimum_committee_members do - 2 + Decidim::Env.new("INITIATIVES_MINIMUM_COMMITTEE_MEMBERS", 2).to_i end # Number of days available to collect supports after an initiative has been # published. config_accessor :default_signature_time_period_length do - 120 + Decidim::Env.new("INITIATIVES_DEFAULT_SIGNATURE_TIME_PERIOD_LENGTH", 120).to_i end # Components enabled for a new initiative config_accessor :default_components do - [:pages, :meetings] + Decidim::Env.new("INITIATIVES_DEFAULT_COMPONENTS", "pages, meetings").to_array end # Notifies when the given percentage of supports is reached for an # initiative. config_accessor :first_notification_percentage do - 33 + Decidim::Env.new("INITIATIVES_FIRST_NOTIFICATION_PERCENTAGE", 33).to_i end # Notifies when the given percentage of supports is reached for an # initiative. config_accessor :second_notification_percentage do - 66 + Decidim::Env.new("INITIATIVES_SECOND_NOTIFICATION_PERCENTAGE", 66).to_i end # Sets the expiration time for the statistic data. config_accessor :stats_cache_expiration_time do - 5.minutes + Decidim::Env.new("INITIATIVES_STATS_CACHE_EXPIRATION_TIME", 5).to_i.minutes end # Maximum amount of time in validating state. # After this time the initiative will be moved to # discarded state. config_accessor :max_time_in_validating_state do - 60.days + Decidim::Env.new("INITIATIVES_MAX_TIME_IN_VALIDATING_STATE", 60).to_i.days end # Print functionality enabled. Allows the user to get # a printed version of the initiative from the administration # panel. 
config_accessor :print_enabled do - false + Decidim::Env.new("INITIATIVES_PRINT_ENABLED", "auto").to_s == "true" end # Set a service to generate a timestamp on each vote. The @@ -86,7 +86,7 @@ module Initiatives # This flag allows creating authorizations to unauthorized users. config_accessor :do_not_require_authorization do - false + Decidim::Env.new("INITIATIVES_DO_NOT_REQUIRE_AUTHORIZATION").present? end end end diff --git a/decidim-meetings/lib/decidim/meetings.rb b/decidim-meetings/lib/decidim/meetings.rb index 7f621a4f1cfca..e2886e88e01a1 100644 --- a/decidim-meetings/lib/decidim/meetings.rb +++ b/decidim-meetings/lib/decidim/meetings.rb @@ -22,16 +22,16 @@ module Meetings # Public Setting that defines whether proposals can be linked to meetings config_accessor :enable_proposal_linking do - Decidim.const_defined?("Proposals") + Decidim::Env.new("MEETINGS_ENABLE_PROPOSAL_LINKING", Decidim.const_defined?("Proposals")).present? end # Public Setting that defines the interval when the upcoming meeting will be sent config_accessor :upcoming_meeting_notification do - 2.days + Decidim::Env.new("MEETINGS_UPCOMING_MEETING_NOTIFICATION", 2).to_i.days end config_accessor :embeddable_services do - %w(www.youtube.com www.twitch.tv meet.jit.si) + Decidim::Env.new("MEETINGS_EMBEDDABLE_SERVICES", "www.youtube.com www.twitch.tv meet.jit.si").to_array(separator: " ") end end diff --git a/decidim-proposals/lib/decidim/proposals.rb b/decidim-proposals/lib/decidim/proposals.rb index ac9d7cc921c54..091a1d69e813a 100644 --- a/decidim-proposals/lib/decidim/proposals.rb +++ b/decidim-proposals/lib/decidim/proposals.rb 
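Review bot: `print_enabled` is parsed differently from the other flags in this file: `Decidim::Env.new("INITIATIVES_PRINT_ENABLED", "auto").to_s == "true"` accepts only the literal string `true`, while `creation_enabled` uses `.present?`, which presumably accepts more spellings. Either use the same helper for both, or document the difference above the accessor with `# Enabled only when INITIATIVES_PRINT_ENABLED is exactly "true"; unset or "auto" means disabled.` In the same hunk `default_components` changes from `[:pages, :meetings]` to whatever `to_array` returns, probably strings, so callers that compare against symbols need checking. The `Initiatives` module body starts before this hunk and continues after it.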
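Review bot: `embeddable_services` is the one accessor in this hunk without a comment, and its environment format differs from the comma-separated lists used elsewhere in the commit: `to_array(separator: " ")` expects host names separated by spaces. Because the value looks like an allow-list of hosts that meetings may embed, the format should be stated where the setting is defined, e.g. `# Space-separated host names allowed as embedded services (env: MEETINGS_EMBEDDABLE_SERVICES)`. The `Meetings` module continues outside the hunk.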
@@ -25,13 +25,13 @@ module Proposals # Public Setting that defines how many proposals will be shown in the # participatory_space_highlighted_elements view hook config_accessor :participatory_space_highlighted_proposals_limit do - 4 + Decidim::Env.new("PROPOSALS_PARTICIPATORY_SPACE_HIGHLIGHTED_PROPOSALS_LIMIT", 4).to_i end # Public Setting that defines how many proposals will be shown in the # process_group_highlighted_elements view hook config_accessor :process_group_highlighted_proposals_limit do - 3 + Decidim::Env.new("PROPOSALS_PROCESS_GROUP_HIGHLIGHTED_PROPOSALS_LIMIT", 3).to_i end def self.proposal_states_colors diff --git a/decidim-system/app/controllers/decidim/system/organizations_controller.rb b/decidim-system/app/controllers/decidim/system/organizations_controller.rb index 18da2d798ba41..fcec12b4d08d2 100644 --- a/decidim-system/app/controllers/decidim/system/organizations_controller.rb +++ b/decidim-system/app/controllers/decidim/system/organizations_controller.rb @@ -96,7 +96,7 @@ def current_organization end def provider_enabled?(provider) - Rails.application.secrets.dig(:omniauth, provider, :enabled) + Decidim.omniauth_providers.dig(provider, :enabled) end end end diff --git a/decidim-system/app/forms/decidim/system/base_organization_form.rb b/decidim-system/app/forms/decidim/system/base_organization_form.rb index 2fd0ff18cc8df..f706edff1d8a7 100644 --- a/decidim-system/app/forms/decidim/system/base_organization_form.rb +++ b/decidim-system/app/forms/decidim/system/base_organization_form.rb @@ -46,7 +46,7 @@ class BaseOrganizationForm < Form attribute :file_upload_settings, FileUploadSettingsForm OMNIATH_PROVIDERS_ATTRIBUTES = Decidim::OmniauthProvider.available.keys.map do |provider| - Rails.application.secrets.dig(:omniauth, provider).keys.map do |setting| + Decidim.omniauth_providers[provider].keys.map do |setting| if setting == :enabled [:"omniauth_settings_#{provider}_enabled", Boolean] else 
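Review bot: In base_organization_form.rb, `OMNIATH_PROVIDERS_ATTRIBUTES` is built once when the class body is evaluated, so it captures whatever `Decidim.omniauth_providers` holds at that moment. The source is now an assignable setting (the spec in this commit writes `Decidim.omniauth_providers = ...`), and a provider configured after this file is loaded would get no form attributes. A comment above the constant would make the ordering requirement explicit: `# Built at class load; Decidim.omniauth_providers must be fully configured before this file is loaded.` The `map` block continues past the end of the hunk.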
diff --git a/decidim-system/app/views/decidim/system/organizations/_omniauth_provider.html.erb b/decidim-system/app/views/decidim/system/organizations/_omniauth_provider.html.erb index 32916496cc6e4..2b99fbba83c88 100644 --- a/decidim-system/app/views/decidim/system/organizations/_omniauth_provider.html.erb +++ b/decidim-system/app/views/decidim/system/organizations/_omniauth_provider.html.erb @@ -11,7 +11,7 @@ label_options: { class: "form__wrapper-checkbox-label" } ) %> - <% Rails.application.secrets.dig(:omniauth, provider.to_sym).keys.select { |k| k != :enabled }.each do |setting| %> + <% Decidim.omniauth_providers.dig(provider.to_sym).keys.select { |k| k != :enabled }.each do |setting| %> <%= f.text_field("omniauth_settings_#{provider}_#{setting}", label: I18n.t( ".#{setting}", scope: [:icon, :icon_path].include?(setting) ? i18n_scope : "#{i18n_scope}.#{provider}" diff --git a/decidim-system/spec/cells/decidim/system/system_checks_cell_spec.rb b/decidim-system/spec/cells/decidim/system/system_checks_cell_spec.rb index 8cc9b3a693df2..92bdc25f2ff2f 100644 --- a/decidim-system/spec/cells/decidim/system/system_checks_cell_spec.rb +++ b/decidim-system/spec/cells/decidim/system/system_checks_cell_spec.rb @@ -24,7 +24,7 @@ describe "secret_key_check" do before do - allow(Rails.application.secrets).to receive(:secret_key_base).and_return(secret_key) + allow(Rails.application).to receive(:secret_key_base).and_return(secret_key) end context "when the secret key is correct" do diff --git a/decidim-system/spec/system/organizations_spec.rb b/decidim-system/spec/system/organizations_spec.rb index 9dac63a50d4cd..85d5c9105636c 100644 --- a/decidim-system/spec/system/organizations_spec.rb +++ b/decidim-system/spec/system/organizations_spec.rb 
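Review bot: In `_omniauth_provider.html.erb`, `Decidim.omniauth_providers.dig(provider.to_sym)` uses `dig` with a single key, which is the same as `[]`, and it returns nil for a provider missing from the configuration, so `.keys` would raise NoMethodError while the form renders. base_organization_form.rb in this same commit reads the entry with `Decidim.omniauth_providers[provider]`, so the two lookups are also written differently. Whether `provider` can ever be absent is not visible here, but a form that tolerates it is short: `<% Decidim.omniauth_providers.fetch(provider.to_sym, {}).except(:enabled).each_key do |setting| %>`. The `each` block is closed outside the hunk.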
@@ -73,7 +73,7 @@ context "without the secret key defined" do before do - allow(Rails.application.secrets).to receive(:secret_key_base).and_return(nil) + allow(Rails.application).to receive(:secret_key_base).and_return(nil) end it "does not create an organization" do @@ -192,7 +192,7 @@ context "without the secret key defined" do before do - allow(Rails.application.secrets).to receive(:secret_key_base).and_return(nil) + allow(Rails.application).to receive(:secret_key_base).and_return(nil) end it "shows the error message" do @@ -210,37 +210,38 @@ let!(:organization) do create(:organization, name: { ca: "", en: "Citizen Corp", es: "" }, default_locale: :es, available_locales: ["es"], description: { es: "Un texto largo" }) end + let!(:previous_omniauth_secrets) { Decidim.omniauth_providers } before do - secrets = Rails.application.secrets - allow(Rails.application).to receive(:secrets).and_return( - secrets.merge( - omniauth: { - facebook: { - enabled: true, - app_id: "fake-facebook-app-id", - app_secret: "fake-facebook-app-secret" - }, - twitter: { - enabled: true, - api_key: "fake-twitter-api-key", - api_secret: "fake-twitter-api-secret" - }, - google_oauth2: { - enabled: true, - client_id: "", - client_secret: "" - }, - developer: { - enabled: false, - icon: "phone" - }, - test: { - enabled: false, - icon: "tools-line" - } + allow(Decidim).to receive(:omniauth_providers).and_return( + { + facebook: { + enabled: true, + app_id: "fake-facebook-app-id", + app_secret: "fake-facebook-app-secret", + icon: "phone" + }, + twitter: { + enabled: true, + api_key: "fake-twitter-api-key", + api_secret: "fake-twitter-api-secret", + icon: "phone" + }, + google_oauth2: { + enabled: true, + client_id: "", + client_secret: "", + icon: "phone" + }, + developer: { + enabled: false, + icon: "phone" + }, + test: { + enabled: false, + icon: "tools-line" } - ) + } ) # Reload the UpdateOrganizationForm 
@@ -258,6 +259,7 @@ end after do + Decidim.omniauth_providers = previous_omniauth_secrets # Reload the UpdateOrganizationForm Decidim::System.send(:remove_const, :BaseOrganizationForm) Decidim::System.send(:remove_const, :UpdateOrganizationForm) diff --git a/decidim-verifications/lib/decidim/verifications.rb b/decidim-verifications/lib/decidim/verifications.rb index e51eae948f192..e77044817f288 100644 --- a/decidim-verifications/lib/decidim/verifications.rb +++ b/decidim-verifications/lib/decidim/verifications.rb @@ -29,7 +29,7 @@ def self.authorization_handlers module Verifications include ActiveSupport::Configurable config_accessor :document_types do - %w(identification_number passport) + Decidim::Env.new("VERIFICATIONS_DOCUMENT_TYPES", "identification_number,passport").to_array end end end diff --git a/docs/modules/configure/pages/index.adoc b/docs/modules/configure/pages/index.adoc index 731d0c031468a..a52ec09fb16b8 100644 --- a/docs/modules/configure/pages/index.adoc +++ b/docs/modules/configure/pages/index.adoc @@ -45,7 +45,6 @@ Then make use of the related xref:configure:environment_variables.adoc[Environme Just as a reminder, these files are important: * config/database.yml -* config/secrets.yml Although most of these settings you can change them through xref:configure:environment_variables.adoc[Environment Variables]. diff --git a/docs/modules/configure/pages/initializer.adoc b/docs/modules/configure/pages/initializer.adoc index 637591b930786..d73bd665a9052 100644 --- a/docs/modules/configure/pages/initializer.adoc +++ b/docs/modules/configure/pages/initializer.adoc @@ -107,7 +107,7 @@ Allows to make geographical mapping in some components, like Proposals or Meetin .... config.geocoder = { static_map_url: "https://image.maps.ls.hereapi.com/mia/1.6/mapview", - here_api_key: Rails.application.secrets.geocoder[:here_api_key] + here_api_key: ENV["MAPS_API_KEY"] } .... 
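Review bot: The added `Decidim.omniauth_providers = previous_omniauth_secrets` in organizations_spec.rb looks like a no-op. The `before` block only stubs the reader with `allow(Decidim).to receive(:omniauth_providers)`, which rspec-mocks removes on its own, and nothing in the visible hunks assigns the real setting, so the value captured by `let!(:previous_omniauth_secrets)` is written back unchanged. Either drop the `let!` and this line, or, if a real assignment is intended, set `Decidim.omniauth_providers = { ... }` in `before` instead of stubbing, so that the restore has something to undo. The `after` block continues outside the hunk, so whether the form reload that follows should see the stubbed or the real providers cannot be judged from here.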
@@ -357,9 +357,9 @@ xref:services:etherpad.adoc[Etherpad's Decidim docs] in order to set it up. [source,ruby] .... config.etherpad = { - server: Rails.application.secrets.etherpad[:server], - api_key: Rails.application.secrets.etherpad[:api_key], - api_version: Rails.application.secrets.etherpad[:api_version] + server: ENV["ETHERPAD_SERVER"], + api_key: ENV["ETHERPAD_API_KEY"], + api_version: Decidim::Env.new("ETHERPAD_API_VERSION", "1.2.1") } .... diff --git a/docs/modules/develop/pages/maps.adoc b/docs/modules/develop/pages/maps.adoc index a297442f37f71..cef417b47edeb 100644 --- a/docs/modules/develop/pages/maps.adoc +++ b/docs/modules/develop/pages/maps.adoc @@ -95,7 +95,7 @@ In order to provide configuration options for the Geocoder gem's lookup, you can ---- config.maps = { provider: :your_provider, - api_key: Rails.application.secrets.maps[:api_key], + api_key: ENV["MAPS_API_KEY"], geocoding: { extra_option: "value", another_option: "value" } } ---- @@ -106,7 +106,7 @@ This would equal to configuring the Geocoder gem with the following code: ---- Geocoder.configure( your_provider: { - api_key: Rails.application.secrets.maps[:api_key], + api_key: ENV["MAPS_API_KEY"], extra_option: "value", another_option: "value" } @@ -152,8 +152,8 @@ In order to provide configuration options for the geocoding autocompletion, you [source,ruby] ---- config.maps = { - provider: :your_provider, - api_key: Rails.application.secrets.maps[:api_key], + provider: ENV["MAPS_PROVIDER"], + api_key: ENV["MAPS_API_KEY"], autocomplete: { url: "https://photon.example.org/api/" } @@ -353,7 +353,7 @@ In order to provide configuration options for the dynamic maps, you can pass the ---- config.maps = { provider: :your_provider, - api_key: Rails.application.secrets.maps[:api_key], + api_key: ENV["MAPS_API_KEY"], dynamic: { tile_layer: { url: "https://tiles.example.org/{z}/{x}/{y}.png?key={apiKey}&{foo}&style={style}", 
@@ -376,7 +376,7 @@ This will cause the following options to be available for the builder instance b tile_layer: { url: "https://tiles.example.org/{z}/{x}/{y}.png?key={apiKey}&{foo}&style={style}", configuration: { - api_key: Rails.application.secrets.maps[:api_key], + api_key: ENV["MAPS_API_KEY"], foo: "bar=baz", style: "bright", attribution: %{ @@ -450,7 +450,7 @@ In order to provide configuration options for the static maps, you can pass them ---- config.maps = { provider: :your_provider, - api_key: Rails.application.secrets.maps[:api_key], + api_key: ENV["MAPS_API_KEY"], static: { url: "https://staticmap.example.org/", foo: "bar", @@ -485,7 +485,7 @@ If you want to use the dynamic map replacements for the static map images, do no ---- config.maps = { provider: :your_provider, - api_key: Rails.application.secrets.maps[:api_key] + api_key: ENV["MAPS_API_KEY"] # static: { ... } # LEAVE THIS OUT } ---- diff --git a/docs/modules/services/pages/etherpad.adoc b/docs/modules/services/pages/etherpad.adoc index 480fd7ae805e9..7e130bb89e562 100644 --- a/docs/modules/services/pages/etherpad.adoc +++ b/docs/modules/services/pages/etherpad.adoc 
@@ -19,29 +19,19 @@ docker stack deploy --compose-file docker-compose-etherpad.yml decidim-etherpad ---- After deploying Etherpad, you should get back to Decidim's server and set the Etherpad host and API Key at -`config/initializers/decidim.rb` and `config/secrets.yml` +`config/initializers/decidim.rb` An example snippet in `config/initializers/decidim.rb` may be: [source,ruby] ---- config.etherpad = { - server: Rails.application.secrets.etherpad[:server], - api_key: Rails.application.secrets.etherpad[:api_key], - api_version: Rails.application.secrets.etherpad[:api_version] + server: ENV["ETHERPAD_SERVER"], + api_key: ENV["ETHERPAD_API_KEY"], + api_version: Decidim::Env.new("ETHERPAD_API_VERSION", "1.2.1") } ---- -and then in `config/secrets.yml`: - -[source,yaml] ----- - etherpad: - server: <%= ENV["ETHERPAD_SERVER"] %> - api_key: <%= ENV["ETHERPAD_API_KEY"] %> - api_version: <%= ENV["ETHERPAD_API_VERSION"] %> ----- - == How is Etherpad Lite integrated in Meetings? To better understand this feature, the final idea is to have the three moments of a meeting covered on Decidim itself by default: diff --git a/docs/modules/services/pages/maps.adoc b/docs/modules/services/pages/maps.adoc index 64bacc24ca66a..443e0a6176e00 100644 --- a/docs/modules/services/pages/maps.adoc +++ b/docs/modules/services/pages/maps.adoc @@ -43,8 +43,6 @@ If you want to enable geocoding in your app: . Select a service provider for the maps functionality and register an account with that provider . Uncomment or add the code under the selected service provider in your `config/initializers/decidim.rb`. -. Make sure your `config/secrets.yml` file has the needed section (it should be added by the generator automatically). -. Configure the service provider credentials in `config/secrets.yml` and refer to them from your `config/initializers/decidim.rb`. . If you had your Rails server running, restart it so the changes apply. === Configuring HERE Maps 
@@ -59,21 +57,11 @@ Use the following configuration for HERE Maps: # == HERE Maps == config.maps = { provider: :here, - api_key: Rails.application.secrets.maps[:api_key], + api_key: ENV["MAPS_API_KEY"], static: { url: "https://image.maps.ls.hereapi.com/mia/1.6/mapview" } } ---- -`config/secrets.yml`: - -[source,yaml] ----- -default: &default - # ... - maps: - api_key: <%= ENV["MAPS_API_KEY"] %> ----- - `.env`: [source,bash] @@ -94,7 +82,7 @@ Use the following configuration for Open Street Maps based service providers: # == OpenStreetMap (OSM) services == config.maps = { provider: :osm, - api_key: Rails.application.secrets.maps[:api_key], + api_key: ENV["MAPS_API_KEY"], dynamic: { tile_layer: { url: "https://tiles.example.org/{z}/{x}/{y}.png?key={apiKey}", @@ -112,16 +100,6 @@ config.maps = { } ---- -`config/secrets.yml`: - -[source,yaml] ----- -default: &default - # ... - maps: - api_key: <%= ENV["MAPS_API_KEY"] %> ----- - `.env`: [source,bash] @@ -144,7 +122,7 @@ config.maps = { provider: :osm, dynamic: { provider: :here, - api_key: Rails.application.secrets.maps[:here_api_key] + api_key: ENV["MAPS_API_KEY"] }, static: { url: "https://staticmap.example.org/" }, geocoding: { host: "nominatim.example.org", use_https: true }, @@ -152,16 +130,6 @@ config.maps = { } ---- -`config/secrets.yml`: - -[source,yaml] ----- -default: &default - # ... - maps: - here_api_key: <%= ENV["MAPS_HERE_API_KEY"] %> ----- - `.env`: [source,bash] @@ -181,7 +149,7 @@ For example, if you want to use HERE Maps as your default but disable the static ---- config.maps = { provider: :here, - api_key: Rails.application.secrets.maps[:api_key], + api_key: ENV["MAPS_API_KEY"], static: false, autocomplete: false }