diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2d4d55bda..7116148f3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -221,7 +221,7 @@ build-prod-pivcac-image: rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH variables: - BRANCH_TAGGING_STRING: "--destination ${ECR_REGISTRY}/identity-pivcac/review:main" + BRANCH_TAGGING_STRING: "--destination ${ECR_REGISTRY}/identity-pivcac/pivcac:main" - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH - if: $CI_PIPELINE_SOURCE != "merge_request_event" when: never @@ -260,7 +260,7 @@ build-prod-nginx-image: rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH variables: - BRANCH_TAGGING_STRING: "--destination ${ECR_REGISTRY}/identity-pivcac/review:main" + BRANCH_TAGGING_STRING: "--destination ${ECR_REGISTRY}/identity-pivcac/nginx:main" - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH - if: $CI_PIPELINE_SOURCE != "merge_request_event" when: never diff --git a/Gemfile b/Gemfile index a5bcb2319..037238440 100644 --- a/Gemfile +++ b/Gemfile @@ -3,7 +3,7 @@ git_source(:github) { |repo_name| "https://github.com/#{repo_name}.git" } ruby '~> 3.3' -gem 'rails', '~> 7.0.8.3' +gem 'rails', '~> 7.1.0' gem 'activerecord-import', '>= 1.0.2' # pod identity requires 3.188.0 @@ -11,6 +11,8 @@ gem 'activerecord-import', '>= 1.0.2' gem 'aws-sdk-core', '>= 3.188.0' gem 'aws-sdk-s3' gem 'bloomfilter-rb' +gem 'csv' +gem 'redis' gem 'identity-hostdata', github: '18F/identity-hostdata', tag: 'v4.0.0' gem 'identity-logging', github: '18F/identity-logging', tag: 'v0.1.0' gem 'mini_cache' @@ -23,11 +25,11 @@ gem 'redacted_struct', '~> 2.0' gem 'rgl' group :development, :test do - gem 'bullet', '~> 7.0' + gem 'bullet', '~> 7.1.2' gem 'brakeman', require: false gem 'listen' gem 'pry-byebug' - gem 'rspec-rails', '>= 3.8.3' + gem 'rspec-rails', '~> 6.0' gem 'rubocop', require: false gem 'rubocop-rails', '>= 2.19.0', require: false gem 'rubocop-performance', '~> 1.17', require: false 
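Review bot: `gem 'redis'` is added to the Gemfile with no version constraint, and the lockfile in this same commit resolves it from 4.2.4 to 5.2.0 — a major-version jump that bloomfilter-rb's own unconstrained `redis` dependency pulls in implicitly. redis-rb 5 is built on `redis-client` (visible in the new lock entries) and, as far as I recall, changes connection, reconnect and error behaviour compared with 4.x, so the nonce bloom filter that talks to `nonce_bloom_filter_server` should be exercised against it before this ships. Pinning the decision as `gem 'redis', '~> 5.2'` records that 5.x was intentional and stops the next `bundle update` from crossing another major boundary silently. The same applies, less urgently, to the unconstrained `gem 'csv'`.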
@@ -38,18 +40,11 @@ group :development do
 end
 
 group :test do
-  gem 'axe-matchers', '~> 1.3.4'
   gem 'bundler-audit', require: false
-  gem 'database_cleaner'
   gem 'factory_bot_rails', '>= 5.2.0'
-  gem 'fakefs', require: 'fakefs/safe'
   gem 'rails-controller-testing', '>= 1.0.4'
   gem 'rspec_junit_formatter'
   gem 'shoulda-matchers', '~> 3.1', '>= 3.1.3', require: false
   gem 'simplecov', '>= 0.13.0'
-  gem 'timecop'
   gem 'webmock'
-  gem 'zonebie'
 end
-
-gem 'tzinfo-data', platforms: %i[mingw mswin x64_mingw jruby]
diff --git a/Gemfile.lock b/Gemfile.lock
index d8fbe290f..89cbb130e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -20,72 +20,81 @@ GIT GEM remote: https://rubygems.org/ specs: - actioncable (7.0.8.4) - actionpack (= 7.0.8.4) - activesupport (= 7.0.8.4) + actioncable (7.1.4) + actionpack (= 7.1.4) + activesupport (= 7.1.4) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (7.0.8.4) - actionpack (= 7.0.8.4) - activejob (= 7.0.8.4) - activerecord (= 7.0.8.4) - activestorage (= 7.0.8.4) - activesupport (= 7.0.8.4) + zeitwerk (~> 2.6) + actionmailbox (7.1.4) + actionpack (= 7.1.4) + activejob (= 7.1.4) + activerecord (= 7.1.4) + activestorage (= 7.1.4) + activesupport (= 7.1.4) mail (>= 2.7.1) net-imap net-pop net-smtp - actionmailer (7.0.8.4) - actionpack (= 7.0.8.4) - actionview (= 7.0.8.4) - activejob (= 7.0.8.4) - activesupport (= 7.0.8.4) + actionmailer (7.1.4) + actionpack (= 7.1.4) + actionview (= 7.1.4) + activejob (= 7.1.4) + activesupport (= 7.1.4) mail (~> 2.5, >= 2.5.4) net-imap net-pop net-smtp - rails-dom-testing (~> 2.0) - actionpack (7.0.8.4) - actionview (= 7.0.8.4) - activesupport (= 7.0.8.4) - rack (~> 2.0, >= 2.2.4) + rails-dom-testing (~> 2.2) + actionpack (7.1.4) + actionview (= 7.1.4) + activesupport (= 7.1.4) + nokogiri (>= 1.8.5) + racc + rack (>= 2.2.4) + rack-session (>= 1.0.1) rack-test (>= 0.6.3) - rails-dom-testing (~> 2.0) - rails-html-sanitizer (~> 1.0, >= 1.2.0) - actiontext (7.0.8.4) - actionpack (= 7.0.8.4) - activerecord (= 7.0.8.4) - activestorage (= 7.0.8.4) - activesupport (= 7.0.8.4) + rails-dom-testing (~> 2.2) + rails-html-sanitizer (~> 1.6) + actiontext (7.1.4) + actionpack (= 7.1.4) + activerecord (= 7.1.4) + activestorage (= 7.1.4) + activesupport (= 7.1.4) globalid (>= 0.6.0) nokogiri (>= 1.8.5) - actionview (7.0.8.4) - activesupport (= 7.0.8.4) + actionview (7.1.4) + activesupport (= 7.1.4) builder (~> 3.1) - erubi (~> 1.4) - rails-dom-testing (~> 2.0) - rails-html-sanitizer (~> 1.1, >= 1.2.0) - activejob (7.0.8.4) - activesupport (= 7.0.8.4) + erubi (~> 1.11) + rails-dom-testing (~> 2.2) + rails-html-sanitizer (~> 1.6) + 
activejob (7.1.4) + activesupport (= 7.1.4) globalid (>= 0.3.6) - activemodel (7.0.8.4) - activesupport (= 7.0.8.4) - activerecord (7.0.8.4) - activemodel (= 7.0.8.4) - activesupport (= 7.0.8.4) + activemodel (7.1.4) + activesupport (= 7.1.4) + activerecord (7.1.4) + activemodel (= 7.1.4) + activesupport (= 7.1.4) + timeout (>= 0.4.0) activerecord-import (1.5.0) activerecord (>= 4.2) - activestorage (7.0.8.4) - actionpack (= 7.0.8.4) - activejob (= 7.0.8.4) - activerecord (= 7.0.8.4) - activesupport (= 7.0.8.4) + activestorage (7.1.4) + actionpack (= 7.1.4) + activejob (= 7.1.4) + activerecord (= 7.1.4) + activesupport (= 7.1.4) marcel (~> 1.0) - mini_mime (>= 1.1.0) - activesupport (7.0.8.4) + activesupport (7.1.4) + base64 + bigdecimal concurrent-ruby (~> 1.0, >= 1.0.2) + connection_pool (>= 2.2.5) + drb i18n (>= 1.6, < 2) minitest (>= 5.1) + mutex_m tzinfo (~> 2.0) addressable (2.8.0) public_suffix (>= 2.0.2, < 5.0) 
@@ -106,61 +115,55 @@ GEM aws-sigv4 (~> 1.4) aws-sigv4 (1.8.0) aws-eventstream (~> 1, >= 1.0.2) - axe-matchers (1.3.4) - dumb_delegator (~> 0.8) - virtus (~> 1.0) - axiom-types (0.1.1) - descendants_tracker (~> 0.0.4) - ice_nine (~> 0.11.0) - thread_safe (~> 0.3, >= 0.3.1) + base64 (0.2.0) better_errors (2.9.1) coderay (>= 1.0.0) erubi (>= 1.0.0) rack (>= 0.9.0) + bigdecimal (3.1.8) bloomfilter-rb (2.1.1) redis - bootsnap (1.17.0) + bootsnap (1.18.4) msgpack (~> 1.2) - brakeman (6.0.1) - builder (3.2.4) - bullet (7.0.7) + brakeman (6.2.1) + racc + builder (3.3.0) + bullet (7.1.6) activesupport (>= 3.0.0) uniform_notifier (~> 1.11) - bundler-audit (0.9.1) + bundler-audit (0.9.2) bundler (>= 1.2.0, < 3) thor (~> 1.0) byebug (11.1.3) coderay (1.1.3) - coercible (1.0.0) - descendants_tracker (~> 0.0.1) - concurrent-ruby (1.3.1) + concurrent-ruby (1.3.4) + connection_pool (2.4.1) crack (0.4.5) rexml crass (1.0.6) - database_cleaner (1.8.5) + csv (3.3.0) date (3.3.4) - descendants_tracker (0.0.4) - thread_safe (~> 0.3, >= 0.3.1) - diff-lcs (1.5.0) + diff-lcs (1.5.1) docile (1.4.0) - dumb_delegator (0.8.1) - equalizer (0.0.11) - erubi (1.12.0) - factory_bot (6.1.0) + drb (2.2.1) + erubi (1.13.0) + factory_bot (6.5.0) activesupport (>= 5.0.0) - factory_bot_rails (6.1.0) - factory_bot (~> 6.1.0) + factory_bot_rails (6.4.3) + factory_bot (~> 6.4) railties (>= 5.0.0) - fakefs (2.5.0) - ffi (1.17.0) + ffi (1.17.0-arm64-darwin) globalid (1.2.1) activesupport (>= 6.1) hashdiff (1.0.1) - i18n (1.14.5) + i18n (1.14.6) concurrent-ruby (~> 1.0) - ice_nine (0.11.2) + io-console (0.7.2) + irb (1.14.1) + rdoc (>= 4.0.0) + reline (>= 0.4.2) jmespath (1.6.2) - json (2.6.3) + json (2.7.2) lazy_priority_queue (0.1.1) listen (3.9.0) rb-fsevent (~> 0.10, >= 0.10.3) 
@@ -179,13 +182,13 @@ GEM net-pop net-smtp marcel (1.0.4) - method_source (1.0.0) + method_source (1.1.0) mini_cache (1.1.0) mini_mime (1.1.5) - mini_portile2 (2.8.7) - minitest (5.23.1) + minitest (5.25.1) msgpack (1.7.2) - net-imap (0.4.12) + mutex_m (0.2.0) + net-imap (0.4.16) date net-protocol net-pop (0.1.2) @@ -195,13 +198,13 @@ GEM net-smtp (0.5.0) net-protocol newrelic_rpm (8.16.0) - nio4r (2.7.0) - nokogiri (1.16.5) - mini_portile2 (~> 2.8.2) + nio4r (2.7.3) + nokogiri (1.16.7-arm64-darwin) racc (~> 1.4) parallel (1.22.1) - parser (3.2.2.0) + parser (3.3.5.0) ast (~> 2.4.1) + racc pg (1.5.3) pry (0.14.2) coderay (~> 1.1) @@ -211,27 +214,34 @@ GEM pry (>= 0.13, < 0.15) pry-rails (0.3.9) pry (>= 0.10.4) + psych (5.1.2) + stringio public_suffix (4.0.6) - puma (6.4.2) + puma (6.4.3) nio4r (~> 2.0) - racc (1.8.0) - rack (2.2.9) + racc (1.8.1) + rack (3.1.7) + rack-session (2.0.0) + rack (>= 3.0.0) rack-test (2.1.0) rack (>= 1.3) - rails (7.0.8.4) - actioncable (= 7.0.8.4) - actionmailbox (= 7.0.8.4) - actionmailer (= 7.0.8.4) - actionpack (= 7.0.8.4) - actiontext (= 7.0.8.4) - actionview (= 7.0.8.4) - activejob (= 7.0.8.4) - activemodel (= 7.0.8.4) - activerecord (= 7.0.8.4) - activestorage (= 7.0.8.4) - activesupport (= 7.0.8.4) + rackup (2.1.0) + rack (>= 3) + webrick (~> 1.8) + rails (7.1.4) + actioncable (= 7.1.4) + actionmailbox (= 7.1.4) + actionmailer (= 7.1.4) + actionpack (= 7.1.4) + actiontext (= 7.1.4) + actionview (= 7.1.4) + activejob (= 7.1.4) + activemodel (= 7.1.4) + activerecord (= 7.1.4) + activestorage (= 7.1.4) + activesupport (= 7.1.4) bundler (>= 1.15.0) - railties (= 7.0.8.4) + railties (= 7.1.4) rails-controller-testing (1.0.5) actionpack (>= 5.0.1.rc1) actionview (>= 5.0.1.rc1) 
@@ -243,45 +253,52 @@ GEM rails-html-sanitizer (1.6.0) loofah (~> 2.21) nokogiri (~> 1.14) - railties (7.0.8.4) - actionpack (= 7.0.8.4) - activesupport (= 7.0.8.4) - method_source + railties (7.1.4) + actionpack (= 7.1.4) + activesupport (= 7.1.4) + irb + rackup (>= 1.0.0) rake (>= 12.2) - thor (~> 1.0) - zeitwerk (~> 2.5) + thor (~> 1.0, >= 1.2.2) + zeitwerk (~> 2.6) rainbow (3.1.1) - rake (13.0.6) + rake (13.2.1) rb-fsevent (0.11.2) rb-inotify (0.11.1) ffi (~> 1.0) + rdoc (6.7.0) + psych (>= 4.0.0) redacted_struct (2.0.0) - redis (4.2.4) - regexp_parser (2.7.0) + redis (5.2.0) + redis-client (>= 0.22.0) + redis-client (0.22.1) + connection_pool + regexp_parser (2.9.2) + reline (0.5.10) + io-console (~> 0.5) request_store (1.5.1) rack (>= 1.4) - rexml (3.3.6) - strscan + rexml (3.3.7) rgl (0.5.6) lazy_priority_queue (~> 0.1.0) stream (~> 0.5.2) - rspec-core (3.12.2) - rspec-support (~> 3.12.0) - rspec-expectations (3.12.3) + rspec-core (3.13.1) + rspec-support (~> 3.13.0) + rspec-expectations (3.13.3) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.12.0) - rspec-mocks (3.12.6) + rspec-support (~> 3.13.0) + rspec-mocks (3.13.1) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.12.0) - rspec-rails (4.0.1) - actionpack (>= 4.2) - activesupport (>= 4.2) - railties (>= 4.2) - rspec-core (~> 3.9) - rspec-expectations (~> 3.9) - rspec-mocks (~> 3.9) - rspec-support (~> 3.9) - rspec-support (3.12.1) + rspec-support (~> 3.13.0) + rspec-rails (6.1.5) + actionpack (>= 6.1) + activesupport (>= 6.1) + railties (>= 6.1) + rspec-core (~> 3.13) + rspec-expectations (~> 3.13) + rspec-mocks (~> 3.13) + rspec-support (~> 3.13) + rspec-support (3.13.1) rspec_junit_formatter (0.6.0) rspec-core (>= 2, < 4, != 2.12.0) rubocop (1.50.1) 
@@ -313,29 +330,22 @@ GEM simplecov-html (0.12.3) simplecov_json_formatter (0.1.4) stream (0.5.2) - strscan (3.1.0) - thor (1.2.2) - thread_safe (0.3.6) - timecop (0.9.2) + stringio (3.1.1) + thor (1.3.2) timeout (0.4.1) tzinfo (2.0.6) concurrent-ruby (~> 1.0) unicode-display_width (2.4.2) uniform_notifier (1.16.0) - virtus (1.0.5) - axiom-types (~> 0.1) - coercible (~> 1.0) - descendants_tracker (~> 0.0, >= 0.0.3) - equalizer (~> 0.0, >= 0.0.9) webmock (3.14.0) addressable (>= 2.8.0) crack (>= 0.3.2) hashdiff (>= 0.4.0, < 2.0.0) + webrick (1.8.2) websocket-driver (0.7.6) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.5) - zeitwerk (2.6.11) - zonebie (0.6.1) + zeitwerk (2.6.18) PLATFORMS ruby @@ -344,16 +354,14 @@ DEPENDENCIES activerecord-import (>= 1.0.2) aws-sdk-core (>= 3.188.0) aws-sdk-s3 - axe-matchers (~> 1.3.4) better_errors (>= 2.5.1) bloomfilter-rb bootsnap (~> 1.0) brakeman - bullet (~> 7.0) + bullet (~> 7.1.2) bundler-audit - database_cleaner + csv factory_bot_rails (>= 5.2.0) - fakefs identity-hostdata! identity-logging! listen @@ -363,24 +371,22 @@ DEPENDENCIES pry-byebug pry-rails puma - rails (~> 7.0.8.3) + rails (~> 7.1.0) rails-controller-testing (>= 1.0.4) redacted_struct (~> 2.0) + redis rgl - rspec-rails (>= 3.8.3) + rspec-rails (~> 6.0) rspec_junit_formatter rubocop rubocop-performance (~> 1.17) rubocop-rails (>= 2.19.0) shoulda-matchers (~> 3.1, >= 3.1.3) simplecov (>= 0.13.0) - timecop - tzinfo-data webmock - zonebie RUBY VERSION - ruby 3.2.2p53 + ruby 3.3.4p94 BUNDLED WITH - 2.5.6 + 2.5.20 diff --git a/app/controllers/identify_controller.rb b/app/controllers/identify_controller.rb index a6c61f433..0885f0a52 100644 --- a/app/controllers/identify_controller.rb +++ b/app/controllers/identify_controller.rb 
@@ -18,7 +18,8 @@ def create
       referrer.query = "token=#{token_for_referrer}"
 
       # redirect to referer OR redirect to a preconfigured URL template
-      redirect_to referrer.to_s
+      # this is safe because we validate that it is an allowed referrer
+      redirect_to referrer.to_s, allow_other_host: true
     else
       render_bad_request('No referrer')
     end
diff --git a/config/application.rb b/config/application.rb
index e167df119..3711e1044 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -14,10 +14,7 @@ module IdentityPki
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 6.1
-    config.autoloader = :zeitwerk
-    # Remove once 7.0 has been deployed
-    config.active_support.cache_format_version = 6.1
+    config.load_defaults 7.0
 
     Identity::Hostdata.load_config!(
       app_root: Rails.root,
@@ -26,6 +23,9 @@ class Application < Rails::Application
       &IdentityConfig::CONFIG_BUILDER
     )
 
+    # Don't generate system test files.
+    config.generators.system_tests = nil
+
     # Settings in config/environments/* take precedence over those specified here.
     # Application configuration should go into files in config/initializers
     # -- all .rb files in that directory are automatically loaded.
diff --git a/config/application.yml.default b/config/application.yml.default
index 7fae4e04a..b47ce71ff 100644
--- a/config/application.yml.default
+++ b/config/application.yml.default
@@ -30,7 +30,6 @@ nonce_bloom_filter_server: 'redis://localhost/'
 nonce_bloom_filter_size: '100_000'
 nonce_bloom_filter_ttl: '300'
 piv_cac_verify_token_secret: ''
-secret_key_base: ''
 token_encryption_key_pepper_old: ''
 token_encryption_key_salt_old: ''
 
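Review bot: The new comment asserts the redirect is safe, but the validation it relies on is outside this hunk (`create` begins before line 18), so a reader of this line cannot confirm it; name the check so the opt-out stays tied to it, e.g. `# Safe to leave the host: referrer was matched against the allowed-referrer list above (see <validator>)`. `allow_other_host: true` is needed because `config.load_defaults 7.0` in this same commit turns on `action_controller.raise_on_open_redirects`, which makes this line the explicit exception to that protection. If the validation only compares the host, note whether the scheme is also enforced — an allowed host reached over `http://` would receive the `token` query string in clear text.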
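Review bot: `config.load_defaults 7.0` does more than the removed lines did: besides `cache_format_version` 7.0 it switches `active_support.key_generator_hash_digest_class` and `hash_digest_class` to SHA-256, so every key derived from `secret_key_base` (signed/encrypted cookies, `MessageVerifier`/`MessageEncryptor` output) changes the moment a new instance boots and anything issued by an old instance stops verifying. The removed `# Remove once 7.0 has been deployed` / `cache_format_version = 6.1` pair was a deliberate staged rollout, and this hunk drops the staging in one step. If anything this app issues must survive a rolling deploy (the referrer token, if it comes from the key generator — I cannot tell from here), hold `config.active_support.key_generator_hash_digest_class = OpenSSL::Digest::SHA1` next to `load_defaults 7.0` until all instances are on the new code, then remove it; otherwise a one-line comment saying cookies and tokens are short-lived enough to be invalidated is what the next reader needs.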
@@ -57,6 +56,7 @@ development: token_encryption_key_salt_old: de+hXqHqjAIIKq+mgdbUdTfvOZQP7ya1MPsUKgy1/ueEl+Yw1w7ZzaObENqDD4DhrWD3zXUgI3UQm9ZISzOwpEk8lq/azWg8Pw9lPL1yBUR2easxcgbAl6gjPB+8fAFD token_encryption_key_pepper_old: 1HkCB/IADCORWlBAUmeM9S+KBBv0eWzxJG8NM6+A1/f7K3KoVpa2HTED4pTNf8DGp834etYxOL+NdjvH88Lk1s5u401Hu3d3nPbnI11nWTfhaBCz6foOfS/3KGBd/8hz certificate_store_directory: 'config/certs' + secret_key_base: development_secret_key_base test: aws_region: 'us-east-1' @@ -70,6 +70,7 @@ test: token_encryption_key_pepper_old: 1HkCB/IADCORWlBAUmeM9S+KBBv0eWzxJG8NM6+A1/f7K3KoVpa2HTED4pTNf8DGp834etYxOL+NdjvH88Lk1s5u401Hu3d3nPbnI11nWTfhaBCz6foOfS/3KGBd/8hz certificate_store_directory: 'config/test-certs' ca_issuer_host_allow_list: 'uri1.example.com,uri2.example.com' + secret_key_base: test_secret_key_base production: @@ -83,3 +84,4 @@ production: nonce_bloom_filter_enabled: 'false' token_encryption_key_salt: '' token_encryption_key_pepper: '' + secret_key_base: diff --git a/config/environments/development.rb b/config/environments/development.rb index 827ef5f06..e642f8bea 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -7,6 +7,7 @@ # every request. This slows down response time but is perfect for development # since you don't have to restart the web server when you make code changes. config.cache_classes = false + config.enable_reloading = true # This allows nginx to make a request config.hosts << 'rails_upstream' @@ -26,7 +27,7 @@ config.cache_store = :memory_store config.public_file_server.headers = { - 'Cache-Control' => "public, max-age=#{2.days.seconds.to_i}", + 'Cache-Control' => "public, max-age=#{2.days.to_i}", } else config.action_controller.perform_caching = false 
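Review bot: In the production section the added `secret_key_base:` has no value, which YAML parses as nil, unlike the empty-string placeholders around it (`token_encryption_key_salt: ''`), so whether a missing override is caught depends on how `IdentityConfig::CONFIG_BUILDER` treats nil versus `''`. Rails validates a blank production `secret_key_base` when the key generator is first needed, which may not be at boot, so the config builder or the new initializer should reject a nil/blank value at startup rather than on the first request. Writing it as `secret_key_base: ''` keeps it consistent with the neighbouring placeholders. The `development_secret_key_base` / `test_secret_key_base` values replace 128-hex random secrets from the deleted secrets.yml; that is acceptable only because those sections never reach production, which is worth a comment.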
@@ -59,6 +60,6 @@
   # Annotate rendered view with file names.
   # config.action_view.annotate_rendered_view_with_filenames = true
 
-  # Uncomment if you wish to allow Action Cable access from any origin.
-  # config.action_cable.disable_request_forgery_protection = true
+  # Raise error when a before_action's only/except options reference missing action
+  config.action_controller.raise_on_missing_callback_actions = true
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 2d627c41d..c75ca5de7 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -1,8 +1,10 @@
+require 'active_support/core_ext/integer/time'
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
   # Code is not reloaded between requests.
   config.cache_classes = true
+  config.enable_reloading = false
 
   # Eager load code on boot. This eager loads most of Rails and
   # your application in memory, allowing both threaded web servers
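Review bot: `config.cache_classes = true` and the added `config.enable_reloading = false` express the same setting — in Rails 7.1 `enable_reloading` is the new name and `cache_classes` its inverse — so keeping both lets them drift apart on a later edit. Keep only `config.enable_reloading = false` under the `# Code is not reloaded between requests.` comment; the development.rb hunk earlier in this commit has the same duplication with `cache_classes = false` / `enable_reloading = true`.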
@@ -24,21 +26,19 @@
   config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
 
   # Enable serving of images, stylesheets, and JavaScripts from an asset server.
-  # config.action_controller.asset_host = 'http://assets.example.com'
+  # config.asset_host = 'http://assets.example.com'
 
   # Specifies the header that your server uses for sending files.
   # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
   # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
 
-  # Mount Action Cable outside main process or domain
-  # config.action_cable.mount_path = nil
-  # config.action_cable.url = 'wss://example.com/cable'
-  # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
+  # Assume all access to the app is happening through a SSL-terminating reverse proxy.
+  # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
+  # config.assume_ssl = true
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   # config.force_ssl = true
 
-  config.log_level = :info
 
   # Use a different cache store in production.
   # config.cache_store = :mem_cache_store
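Review bot: The new `config.assume_ssl` line is left commented out next to the still-commented `config.force_ssl`, so on the Rails side this production config sets neither `Secure` on the session cookie nor a `Strict-Transport-Security` header. This app is built to run behind the nginx image from the same CI file, which is exactly the SSL-terminating-proxy case the new comment describes; if TLS ends at nginx, `config.assume_ssl = true` together with `config.force_ssl = true` is what makes Rails treat requests as HTTPS and mark its cookies accordingly. If nginx or a session-store setting outside this diff already covers both, replace the template text with a comment saying so; otherwise enable the two lines here.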
@@ -54,12 +54,25 @@
   # require 'syslog/logger'
   # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
 
+  config.log_level = :info
+
   if IdentityConfig.store.log_to_stdout
     logger = ActiveSupport::Logger.new(STDOUT)
     logger.formatter = config.log_formatter
     config.logger = ActiveSupport::TaggedLogging.new(logger)
   end
 
+  # Prepend all log lines with the following tags.
+  # config.log_tags = [ :request_id ]
+
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
+
+  # Enable DNS rebinding protection and other `Host` header attacks.
+  # config.hosts = [
+  #   "example.com", # Allow requests from example.com
+  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
+  # ]
+  # Skip DNS rebinding protection for the default health check endpoint.
+  # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
 end
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 4819cd667..3927989f3 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -40,6 +40,15 @@
   # Tell Active Support which deprecation messages to disallow.
   config.active_support.disallowed_deprecation_warnings = []
 
+  config.time_zone = ActiveSupport::TimeZone::MAPPING.keys.sample
+  config.active_record.default_timezone = :local
+
   # Raises error for missing translations
-  # config.action_view.raise_on_missing_translations = true
+  # cconfig.i18n.raise_on_missing_translations = true
+
+  # Annotate rendered view with file names.
+  # config.action_view.annotate_rendered_view_with_filenames = true
+
+  # Raise error when a before_action's only/except options reference missing actions
+  # config.action_controller.raise_on_missing_callback_actions = true
 end
diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb
index 4a994e1e7..6a02e6264 100644
--- a/config/initializers/filter_parameter_logging.rb
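Review bot: The `config.hosts` block is added only as template text, so production keeps running with host authorization disabled while development.rb in this same commit explicitly allows `rails_upstream`; for an identity service that is the wrong way round. Set `config.hosts` to the deployed hostnames (from `IdentityConfig` if they differ per environment) and keep the health-check exclusion line live rather than commented, so an arbitrary `Host` header is rejected before it can reach URL generation. If the upstream nginx already enforces the `Host` value, say so in place of the template comment so the next reader does not have to re-derive it. The `# config.log_tags = [ :request_id ]` line is also worth enabling for an identity service, since it is what lets log lines from one request be correlated.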
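Review bot: `config.time_zone = ActiveSupport::TimeZone::MAPPING.keys.sample` picks a random zone per run, replacing the removed zonebie, but nothing records which zone was chosen, so a zone-dependent failure seen in CI cannot be reproduced locally. Allow an override and surface the choice: `config.time_zone = ENV.fetch('TEST_TIME_ZONE') { ActiveSupport::TimeZone::MAPPING.keys.sample }` here, plus a one-line print of `Time.zone.name` at suite start in rails_helper. Separately, the new commented line `# cconfig.i18n.raise_on_missing_translations = true` has `cconfig` for `config`, which will bite whoever uncomments it.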
+++ b/config/initializers/filter_parameter_logging.rb
@@ -1,4 +1,8 @@
 # Be sure to restart your server when you modify this file.
 
-# Configure sensitive parameters which will be filtered from the log file.
-Rails.application.config.filter_parameters += [:password]
+# Configure parameters to be partially matched (e.g. passw matches password) and filtered from the log file.
+# Use this to limit dissemination of sensitive information.
+# See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
+Rails.application.config.filter_parameters += [
+  :passw #, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
+]
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
new file mode 100644
index 000000000..833a6b1df
--- /dev/null
+++ b/config/initializers/secret_token.rb
@@ -0,0 +1 @@
+Rails.application.config.secret_key_base = IdentityConfig.store.secret_key_base
diff --git a/config/secrets.yml b/config/secrets.yml
deleted file mode 100644
index 718bc8dfe..000000000
--- a/config/secrets.yml
+++ /dev/null
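Review bot: Only `:passw` is active in the new `filter_parameters` list; `:secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn` are commented out, so any request parameter containing `token`, `secret` or `_key` is written to the log in clear text. Tokens travel as query parameters in this app's redirect flow (`token=` in identify_controller), so whatever inbound parameters this service accepts of that shape would be logged unfiltered. The Rails 7.1 template ships the whole list enabled; restore it as `Rails.application.config.filter_parameters += [:passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn]`, and if one entry was disabled on purpose (for example `certificate` for debugging), drop only that one with a comment saying why. These are substring matches, so the list is cheap to keep broad.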
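Review bot: The new initializer is named `secret_token.rb`, which is the file name Rails 3 used for the long-removed `config.secret_token` cookie secret and will mislead anyone grepping for that legacy setting; `config/initializers/secret_key_base.rb` says what it actually does. It also assigns whatever the config store returns without checking it, and with `config/secrets.yml` deleted in this commit it is now the only source of the production secret; since Rails validates a blank production `secret_key_base` when the key generator is first used rather than at boot, fail early: `raise 'secret_key_base is not configured' if Rails.env.production? && IdentityConfig.store.secret_key_base.blank?` before the assignment. Note that, as far as I recall Rails 7.1's lookup order, `ENV['SECRET_KEY_BASE']` and credentials still take precedence over `config.secret_key_base` in production, which is worth a comment so a stray environment variable does not silently win over the config store.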
@@ -1,32 +0,0 @@
-# Be sure to restart your server when you modify this file.
-
-# Your secret key is used for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-# You can use `rails secret` to generate a secure secret key.
-
-# Make sure the secrets in this file are kept private
-# if you're sharing your code publicly.
-
-# Shared secrets are available across all environments.
-
-# shared:
-#   api_key: a1B2c3D4e5F6
-
-# Environmental secrets are only available for that specific environment.
-
-development:
-  secret_key_base: 8f01a81e53ddaed01a4c7aa6b920078f9701a913f826c9fa43aaf8a3dff216c7e07713ba7be10d13c540608ca4a0b41d2cbfc338438bf670d02fb54ecdcb605b
-
-test:
-  secret_key_base: 1158a3d8bb5846ed70cc384de608d9e4759f501e391dac319b6ec5c246a34df709828dbdbfb6a3ffaa2b4de086460f31dd3d0e5639db7fc53f96690330c8cf19
-
-# Do not keep production secrets in the unencrypted secrets file.
-# Instead, either read values from the environment.
-# Or, use `bin/rails secrets:setup` to configure encrypted secrets
-# and move the `production:` environment over there.
-
-production:
-  secret_key_base: <%= IdentityConfig.store.secret_key_base %>
diff --git a/db/schema.rb b/db/schema.rb
index 94863af40..4581949d8 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -2,16 +2,15 @@
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
 #
-# Note that this schema.rb definition is the authoritative source for your
-# database schema. If you need to create the application database on another
-# system, you should be using db:schema:load, not running all the migrations
-# from scratch. The latter is a flawed and unsustainable approach (the more migrations
-# you'll amass, the slower it'll run and the greater likelihood for issues).
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[6.1].define(version: 2018_05_23_205303) do
-
+ActiveRecord::Schema[7.1].define(version: 2018_05_23_205303) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -19,10 +18,10 @@
     t.string "key", null: false
     t.string "dn", null: false
     t.string "crl_http_url"
-    t.datetime "valid_not_before", null: false
-    t.datetime "valid_not_after", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "valid_not_before", precision: nil, null: false
+    t.datetime "valid_not_after", precision: nil, null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
     t.string "ocsp_http_url"
     t.index ["key"], name: "index_certificate_authorities_on_key", unique: true
   end
@@ -30,8 +29,8 @@
   create_table "certificate_revocations", force: :cascade do |t|
     t.bigint "certificate_authority_id", null: false
     t.string "serial", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
     t.index ["certificate_authority_id", "serial"], name: "index_certificate_revocations_on_cert_auth_id_and_serial", unique: true
   end
 
@@ -48,8 +47,8 @@
     t.string "crl_http_url"
     t.string "ocsp_url"
     t.string "ca_issuer_url"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
     t.index ["key"], name: "index_unrecognized_certificate_authorities_on_key", unique: true
   end
 
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
index 637b9c767..2166f39c9 100644
--- a/spec/rails_helper.rb
+++ b/spec/rails_helper.rb
@@ -17,7 +17,7 @@
 Dir[Rails.root.join('spec', 'support', '**', '*.rb')].each { |f| require f }
 
 RSpec.configure do |config|
-  config.use_transactional_fixtures = false
+  config.use_transactional_fixtures = true
   config.infer_spec_type_from_file_location!
 
   config.before(:suite) do
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 8612ff2fd..0b5cd29be 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -35,5 +35,3 @@
 require 'webmock/rspec'
 
 WebMock.disable_net_connect!(allow: [/localhost/, /127\.0\.0\.1/])
-
-require 'zonebie/rspec'
diff --git a/spec/support/database_cleaner.rb b/spec/support/database_cleaner.rb
deleted file mode 100644
index 6ce44134a..000000000
--- a/spec/support/database_cleaner.rb
+++ /dev/null
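Review bot: Switching to `config.use_transactional_fixtures = true` removes the truncation paths that the deleted `spec/support/database_cleaner.rb` provided for specs tagged `js: true` or `truncate: true` (which also kept `app_settings` and `service_providers` intact); any spec still carrying those tags now silently runs inside a transaction, and anything that touches the database from a second connection or thread will no longer see the fixture data. Grep `spec/` for `truncate: true` and `js: true` and either drop the tags or re-introduce a truncation strategy for those examples. The `config.before(:suite) do` block that follows continues past the end of this hunk, so I cannot see whether it still calls `DatabaseCleaner`, whose gem this commit removes from the Gemfile; if it does, the suite will fail with a `NameError` at startup.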
@@ -1,26 +0,0 @@
-RSpec.configure do |config|
-  config.before(:suite) do
-    DatabaseCleaner.clean_with(:truncation)
-  end
-
-  config.before(:each) do
-    # set the default
-    DatabaseCleaner.strategy = :transaction
-  end
-
-  config.before(:each, js: true) do
-    DatabaseCleaner.strategy = :truncation, { except: %w[app_settings service_providers] }
-  end
-
-  config.before(:each, truncate: true) do
-    DatabaseCleaner.strategy = :truncation, { except: %w[app_settings service_providers] }
-  end
-
-  config.before(:each) do
-    DatabaseCleaner.start
-  end
-
-  config.append_after(:each) do
-    DatabaseCleaner.clean
-  end
-end