# frozen_string_literal: true
require_relative 'boot'
require 'active_record/railtie'
require 'action_controller/railtie'
require 'action_view/railtie'
require 'action_mailer/railtie'
require 'action_cable/engine'
require 'rails/test_unit/railtie'
require 'sprockets/railtie'
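# Refuse to start when both SERVER_MODE and PRECOMPILE are set.
abort "Do not run server with PRECOMPILE env var set" if ENV["SERVER_MODE"] && ENV["PRECOMPILE"]

begin
  require 'pry-rails'
rescue LoadError
  # ignore if pry-rails is not included in bundle
end

# Backwards compatibility: copy the deprecated GOOGLE_DOMAIN (first "@" removed) into EMAIL_DOMAIN
# unless EMAIL_DOMAIN is already set.
if (google_domain = ENV["GOOGLE_DOMAIN"]) && !ENV['EMAIL_DOMAIN']
  deprecation = "Stop using deprecated GOOGLE_DOMAIN"
  # Rails.logger may not be assigned yet while this file is loading; calling #warn on nil would
  # abort boot with NoMethodError, so fall back to Kernel#warn (stderr) in that case.
  Rails.logger ? Rails.logger.warn(deprecation) : warn(deprecation)
  ENV["EMAIL_DOMAIN"] = google_domain.sub('@', '')
end

Bundler.require(:preload)
# The :assets group is loaded only in development or while precompiling.
Bundler.require(:assets) if Rails.env.development? || ENV["PRECOMPILE"]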
###
# Railties must be required before the application class below is initialized.
# omniauth/rails_csrf_protection adds Rails' authenticity-token check to the OmniAuth request phase.
require 'omniauth'
require 'omniauth/rails_csrf_protection'

profiled_envs = ['development', 'staging']
if profiled_envs.include?(Rails.env) && ENV["SERVER_MODE"]
  require 'rack-mini-profiler' # side effect: removes expires headers
  # NOTE(review): :allow_all shows the profiler to every client that can reach the app, and this
  # branch also runs on staging. If staging is reachable by anyone outside the team, prefer
  # :allow_authorized (:whitelist in older rack-mini-profiler releases) together with an explicit
  # Rack::MiniProfiler.authorize_request for trusted users.
  Rack::MiniProfiler.config.authorization_mode = :allow_all
end
# END Railties
###
require_relative "../lib/samson/env_check"
# other requires should live at the bottom of the file
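module Samson
  # Rails application definition. Everything here is evaluated once at boot and reads its values
  # from environment variables: framework defaults, transport security, the cache store and all
  # `config.samson.*` settings.
  class Application < Rails::Application
    # Settings in config/environments/* take precedence over those specified here.
    # Application configuration should go into files in config/initializers
    config.load_defaults 6.1

    # the new default of `true` breaks test/models/user_test.rb see https://github.com/rails/rails/issues/40867
    config.active_record.has_many_inversing = false

    # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
    # Only the exact value "1" turns this on; any other value (or none) leaves force_ssl off.
    config.force_ssl = (ENV["FORCE_SSL"] == "1")

    # Requests for /ping and /ping/... are not redirected to HTTPS.
    # The pattern is anchored with \A and \z: Ruby's ^ and $ match at every line boundary, so the
    # line-anchored form would also exempt a path that merely contains a line starting with /ping.
    config.ssl_options = {redirect: {exclude: ->(request) { request.path.match?(%r{\A/ping(/|\z)}) }}}

    class ApplicationConfiguration
      # Reads a URL setting from the environment.
      #
      # @param var [String] name of the environment variable
      # @return [String, nil] the value, or nil when it is unset or blank
      # @raise [RuntimeError] when the value does not start with "http"
      #
      # NOTE(review): this is a prefix check only, not URL validation, and it accepts http://
      # as well as https://. Whatever is sent to a host configured with http:// is not protected
      # by TLS.
      def self.deprecated_url(var)
        url = ENV[var].presence
        return url if !url || url.start_with?('http')
        raise "Using deprecated url without protocol for #{var}"
      end
    end

    config.eager_load_paths << "#{config.root}/lib"

    # CACHE_STORE is mandatory: boot fails unless it is "memory" or "memcached".
    case ENV["CACHE_STORE"]
    when "memory"
      config.cache_store = :memory_store # to debug cache keys, bundle open activesupport -> active_support/cache.rb#log
    when "memcached"
      require_relative "initializers/sockify"
      options = {
        value_max_bytes: 3000000,
        compress: true,
        expires_in: 7.days,
        # the namespace changes with the Rails and Ruby version
        namespace: "samson-#{Rails.version}-#{RUBY_VERSION}",
        pool_size: [Integer(ENV.fetch('RAILS_MAX_THREADS', '250')) / 10, 2].max # 1/10 th of threads, see puma.rb
      }

      # support memcachier env used by heroku
      # https://devcenter.heroku.com/articles/memcachier#rails-3-and-4
      if ENV["MEMCACHIER_SERVERS"]
        servers = ENV["MEMCACHIER_SERVERS"].split(",")
        options.merge!(
          username: ENV["MEMCACHIER_USERNAME"],
          password: ENV["MEMCACHIER_PASSWORD"],
          failover: true,
          socket_timeout: 1.5,
          socket_failure_delay: 0.2
        )
      else
        # no credentials are configured for the local default
        servers = ["localhost:11211"]
      end
      config.cache_store = :mem_cache_store, servers, options
    else
      raise "Set CACHE_STORE environment variable to either memory or memcached"
    end

    # Allow streaming
    config.preload_frameworks = true
    config.allow_concurrency = true

    # TODO: allow ping-controller to not need ssl
    # (repeats the force_ssl assignment made above with the same value)
    config.force_ssl = (ENV['FORCE_SSL'] == '1')

    # https://github.com/collectiveidea/audited/issues/631
    # List of classes deemed safe to load by YAML, and required by the Audited
    # gem when deserializing audit records.
    # As of Rails 6.0.5.1, the YAML safe-loading method does not allow all classes
    # to be deserialized by default: https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
    # Keep this list as short as possible: every class added here can be instantiated from
    # serialized column data.
    config.active_record.yaml_column_permitted_classes = [
      ActiveSupport::TimeWithZone,
      ActiveSupport::TimeZone,
      Date,
      Time,
      ActiveSupport::HashWithIndifferentAccess,
      BigDecimal,
      Symbol
    ]

    # Used for all Samson specific configuration.
    config.samson = ActiveSupport::OrderedOptions.new

    # Email prefix e.g. [PREFIX] Someone deployed PROJECT to STAGE (REF)
    config.samson.email = ActiveSupport::OrderedOptions.new
    config.samson.email.prefix = ENV["EMAIL_PREFIX"].presence || "DEPLOY"
    config.samson.email.sender_domain = ENV["EMAIL_SENDER_DOMAIN"].presence || "samson-deployment.com"

    # Tired of the i18n deprecation warning
    config.i18n.enforce_available_locales = true

    # The directory in which repositories should be cached.
    config.samson.cached_repos_dir = Rails.root.join("cached_repos")

    # The Github teams and organizations used for permissions
    config.samson.github = ActiveSupport::OrderedOptions.new
    config.samson.github.organization = ENV["GITHUB_ORGANIZATION"].presence
    config.samson.github.admin_team = ENV["GITHUB_ADMIN_TEAM"].presence
    config.samson.github.deploy_team = ENV["GITHUB_DEPLOY_TEAM"].presence
    config.samson.github.web_url = ApplicationConfiguration.deprecated_url("GITHUB_WEB_URL") || 'https://github.com'
    config.samson.github.api_url = ApplicationConfiguration.deprecated_url("GITHUB_API_URL") || 'https://api.github.com'

    # Configuration for LDAP
    config.samson.ldap = ActiveSupport::OrderedOptions.new
    config.samson.ldap.title = ENV["LDAP_TITLE"].presence
    config.samson.ldap.host = ENV["LDAP_HOST"].presence
    config.samson.ldap.port = ENV["LDAP_PORT"].presence
    config.samson.ldap.base = ENV["LDAP_BASE"].presence
    config.samson.ldap.uid = ENV["LDAP_UID"].presence
    config.samson.ldap.bind_dn = ENV["LDAP_BINDDN"].presence
    # bind password is kept in the application config for the lifetime of the process
    config.samson.ldap.password = ENV["LDAP_PASSWORD"].presence

    config.samson.gitlab = ActiveSupport::OrderedOptions.new
    config.samson.gitlab.web_url = ApplicationConfiguration.deprecated_url("GITLAB_URL") || 'https://gitlab.com'

    # Which login providers are switched on, one AUTH_* variable each.
    config.samson.auth = ActiveSupport::OrderedOptions.new
    config.samson.auth.github = Samson::EnvCheck.set?("AUTH_GITHUB")
    config.samson.auth.google = Samson::EnvCheck.set?("AUTH_GOOGLE")
    config.samson.auth.ldap = Samson::EnvCheck.set?("AUTH_LDAP")
    config.samson.auth.gitlab = Samson::EnvCheck.set?("AUTH_GITLAB")
    config.samson.auth.bitbucket = Samson::EnvCheck.set?("AUTH_BITBUCKET")

    # Public base URL: DEFAULT_URL, else the Heroku app URL, else plain-HTTP localhost.
    # Its host and scheme become the default_url_options set below.
    config.samson.uri = URI(
      ENV["DEFAULT_URL"] ||
      ((app = ENV["HEROKU_APP_NAME"]) && "https://#{app}.herokuapp.com") ||
      'http://localhost:3000'
    )

    # alert users with deprecated options, remove 2019-05-01
    # (a message is given so the boot failure names the variables instead of "unhandled exception")
    if ENV['STREAM_ORIGIN'] || ENV['DEPLOY_ORIGIN']
      raise "STREAM_ORIGIN and DEPLOY_ORIGIN are no longer supported, remove them from the environment"
    end

    config.samson.deploy_timeout = Integer(ENV["DEPLOY_TIMEOUT"] || 2.hours.to_i)

    self.default_url_options = {
      host: config.samson.uri.host,
      protocol: config.samson.uri.scheme
    }

    # unpermitted request parameters raise instead of being dropped silently
    config.action_controller.action_on_unpermitted_parameters = :raise

    config.action_view.default_form_builder = 'Samson::FormBuilder' # string so we can auto-reload it

    config.samson.export_job = ActiveSupport::OrderedOptions.new
    config.samson.export_job.downloaded_age = Integer(ENV['EXPORT_JOB_DOWNLOADED_AGE'] || 12.hours)
    config.samson.export_job.max_age = Integer(ENV['EXPORT_JOB_MAX_AGE'] || 1.day)

    config.samson.start_time = Time.now

    # flowdock uses routes: run after the routes are loaded which happens after after_initialize
    # config.ru sets SERVER_MODE after application.rb is loaded when using `rails s`
    initializer :execute_job, after: :set_routes_reloader_hook do
      if !Rails.env.test? && ENV['SERVER_MODE'] && !ENV['PRECOMPILE']
        RestartSignalHandler.after_restart
        RestartSignalHandler.listen
      end
      # Samson::BootCheck.check if Rails.env.development? # TODO: re-enable
    end

    unless ENV['PRECOMPILE']
      config.after_initialize do
        require_relative "../lib/samson/mapped_database_exceptions"

        # Token used to request badges
        # NOTE(review): the token is an unkeyed MD5 digest and, when BADGE_TOKEN_BASE is unset, is
        # derived from secret_key_base. A keyed derivation (e.g. OpenSSL::HMAC with SHA-256) would
        # be the safer construction. It is left as is because a different derivation changes the
        # token value and would presumably invalidate badge URLs already handed out.
        config.samson.badge_token = \
          Digest::MD5.hexdigest("badge_token#{ENV['BADGE_TOKEN_BASE'] || Samson::Application.config.secret_key_base}")
      end
    end

    config.active_support.deprecation = :raise

    # avoid permission errors in production and cleanliness test failures in test
    config.active_record.dump_schema_after_migration = Rails.env.development? && ENV["RAILS_DUMP_SCHEMA"] != "false"
  end

  # Regexp source for release numbers: one or more dot-separated digit groups.
  # NOTE(review): `(:?` looks like a typo for the non-capturing `(?:`. As written it is a capturing
  # group that starts with an optional literal colon, so "1:.2" matches too. It is not changed here
  # because users of this constant (outside this file) may rely on the current group numbering.
  RELEASE_NUMBER = '\d+(:?\.\d+)*'
end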
# Parameters that must never show up in log files or error reports.
# This lives here rather than in an initializer because plugin initializers run before app initializers.
# plugins/airbrake + rollbar reuse this list and do not understand Rails' 'foo.bar' syntax
# https://github.com/airbrake/airbrake-ruby/issues/137
Samson::Application.config.session_key = :"_samson_session_#{Rails.env}"

filtered_keys = [
  :password,
  :value,
  :value_hashed,
  :token,
  :access_token,
  Samson::Application.config.session_key, # the session cookie name, so the cookie value is not reported
  'HTTP_AUTHORIZATION'
]
Rails.application.config.filter_parameters.concat(filtered_keys)

# In test and development the connection pool reaper's #run is replaced with a no-op so no extra
# background thread is started, see lib/samson/boot_check.rb
if Rails.env.test? || Rails.env.development?
  ActiveRecord::ConnectionAdapters::ConnectionPool::Reaper.define_method(:run) {}
end
require 'samson/hooks'
require_relative "logging"
require_relative "../app/models/job_queue" # need to load early or dev reload will lose the .enabled
# While precompiling, drop the initializers that use the database.
# Reading Rails.application.initializers triggers initializer building, so this has to stay after
# every engine has been required.
if ENV["PRECOMPILE"]
  bad = ["active_record.check_schema_cache_dump", "active_record.set_configs"]
  uses_database = ->(initializer) { bad.include?(initializer.name) }

  # The first matching initializer leads to the object that owns the list; both named entries
  # are then removed from that list in place.
  owner = Rails.application.initializers.find(&uses_database)
  owner.context_class.instance.initializers.reject!(&uses_database)
end