Protect site if UNLOCK_KEY is present

swrobel · Jan 14, 2018 · b32f115 · b32f115
1 parent 8877229
commit b32f115
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 27 deletions.
diff --git a/.gitignore b/.gitignore
@@ -23,3 +23,6 @@
 /public/packs
 /public/packs-test
 /node_modules
+
+# Ignore master key for decrypting credentials and more.
+/config/master.key
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -4,4 +4,18 @@ class ApplicationController < ActionController::Base
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
   protect_from_forgery with: :exception
+
+  before_action :check_unlocked, except: :unlock
+
+  def unlock
+    cookies[:unlock] = { value: Rails.application.credentials.unlock_secret, expires: 5.years.from_now }
+    redirect_to :root
+  end
+
+private
+
+  def check_unlocked
+    return unless ENV['UNLOCK_KEY'] && cookies[:unlock] != Rails.application.credentials.unlock_secret!
+    raise ActionController::RoutingError, 'Not Found'
+  end
 end
diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc
@@ -0,0 +1 @@
+9cW2qryP6xnL+H00ZBjLfyqbBqd/W9l2WQWRM+nR2lkcCqxTWOeSyhiXWM6hzIx7iZoSMmMNEchcG19ldvBjI3ZKzVL554WNbdGXEkaIaSWUNx0fKPG8hrrZGl/KiJSKzJxu++7qm3OmS4cQ/8gsUaJDefj4ZOsavbU8bbsaXr1g3VbqpUlDFNR82HgExhKXk+ya8lN3vwPGn2n/7PIYGZxcJAjk7J5fft8RfYiDM9KMm2eUwI1dgbmP/HYnmkd6yqVrqPejKWMAWYms/EqLt5SRzVUHbFjMErwfkoBO/+IqZTgLaYMz6YLNv+X84Aah8jE3ogQsGZIJBzQKNUD/HLmTcc1LNI3LgjoDaoAlcPp4DO+qgrl5k6Hm/tVjEmgDoruPbB3xekJpPX31vVfSgKK8F8azp4JRCaffJ/hGGm65X/UnESXAx7Ma2Dq1meQKx6TuJvv2ZZSdpKUP0t1AtgSWh1CE1656pCM7xJXKU1fM4LH3cvBxUDnNU65Zd9wJ83DBgk9AdMgYwQ8I--YOKzVH+s+Sjy8dKo--V96OsKdFZBokhA/qS0I7UQ==
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -24,6 +24,10 @@
   # config.assets.js_compressor = :uglifier
   # config.assets.css_compressor = :sass
 
+  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
+  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
+  config.require_master_key = true
+
   # Do not fallback to assets pipeline if a precompiled asset is missed.
   config.assets.compile = false
 

diff --git a/config/routes.rb b/config/routes.rb
@@ -5,6 +5,8 @@
     get '/(*path)' => redirect { |_params, req| "https://#{ENV['DOMAIN']}#{req.fullpath}" } if ENV['HOST'].present?
   end
 
+  get "/#{ENV['UNLOCK_KEY']}", to: 'application#unlock'
+
   get '/regions/:id', to: redirect('/california/%{id}')
   get '/:region_id/:subregion_id', to: 'subregions#show', as: 'subregion'
   get '/:region_id/:subregion_id/:spot_id', to: 'spots#show', as: 'spot'

diff --git a/config/secrets.yml b/config/secrets.yml
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		9cW2qryP6xnL+H00ZBjLfyqbBqd/W9l2WQWRM+nR2lkcCqxTWOeSyhiXWM6hzIx7iZoSMmMNEchcG19ldvBjI3ZKzVL554WNbdGXEkaIaSWUNx0fKPG8hrrZGl/KiJSKzJxu++7qm3OmS4cQ/8gsUaJDefj4ZOsavbU8bbsaXr1g3VbqpUlDFNR82HgExhKXk+ya8lN3vwPGn2n/7PIYGZxcJAjk7J5fft8RfYiDM9KMm2eUwI1dgbmP/HYnmkd6yqVrqPejKWMAWYms/EqLt5SRzVUHbFjMErwfkoBO/+IqZTgLaYMz6YLNv+X84Aah8jE3ogQsGZIJBzQKNUD/HLmTcc1LNI3LgjoDaoAlcPp4DO+qgrl5k6Hm/tVjEmgDoruPbB3xekJpPX31vVfSgKK8F8azp4JRCaffJ/hGGm65X/UnESXAx7Ma2Dq1meQKx6TuJvv2ZZSdpKUP0t1AtgSWh1CE1656pCM7xJXKU1fM4LH3cvBxUDnNU65Zd9wJ83DBgk9AdMgYwQ8I--YOKzVH+s+Sjy8dKo--V96OsKdFZBokhA/qS0I7UQ==