G-Research · suprjinx · Oct 3, 2024 · Oct 3, 2024 · Oct 3, 2024
diff --git a/app/lib/audit_logger.rb b/app/lib/audit_logger.rb
@@ -1,6 +1,6 @@
 class AuditLogger < ActiveSupport::Logger
   def initialize
-    super(Rails.configuration.astral[:audit_log_file])
+    super(Config[:audit_log_file])
     self.formatter = AuditLogFormatter.new
   end
 end
diff --git a/app/lib/clients/app_registry.rb b/app/lib/clients/app_registry.rb
@@ -11,8 +11,8 @@ def get_domain_info(fqdn)
       private
 
       def client
-        Faraday.new(ssl: ssl_opts, url: Rails.configuration.astral[:app_registry_addr]) do |faraday|
-          faraday.request :authorization, "Bearer", -> { Rails.configuration.astral[:app_registry_token] }
+        Faraday.new(ssl: ssl_opts, url: Config[:app_registry_addr]) do |faraday|
+          faraday.request :authorization, "Bearer", -> { Config[:app_registry_token] }
           faraday.request :retry, retry_opts
           faraday.response :json
           faraday.response :raise_error, include_request: true
@@ -34,9 +34,9 @@ def convert(domain_info)
 
       def ssl_opts
         {
-          ca_file: Rails.configuration.astral[:app_registry_ca_file],
-          client_cert: Rails.configuration.astral[:app_registry_client_cert],
-          client_key: Rails.configuration.astral[:app_registry_client_key]
+          ca_file: Config[:app_registry_ca_file],
+          client_cert: Config[:app_registry_client_cert],
+          client_key: Config[:app_registry_client_key]
         }
       end
 

diff --git a/app/lib/clients/vault.rb b/app/lib/clients/vault.rb
@@ -11,11 +11,11 @@ def client
       end
 
       def vault_address
-        Rails.configuration.astral[:vault_addr]
+        Config[:vault_addr]
       end
 
       def vault_token
-        Rails.configuration.astral[:vault_token]
+        Config[:vault_token]
       end
 
       def enable_engine(mount, type)

diff --git a/app/lib/clients/vault/certificate.rb b/app/lib/clients/vault/certificate.rb
@@ -28,16 +28,16 @@ def cert_path
       end
 
       def create_root?
-        create_root_config = Rails.configuration.astral[:vault_create_root]
+        create_root_config = Config[:vault_create_root]
         !!ActiveModel::Type::Boolean.new.cast(create_root_config)
       end
 
       def root_ca_ref
-        Rails.configuration.astral[:vault_root_ca_ref]
+        Config[:vault_root_ca_ref]
       end
 
       def root_ca_mount
-        Rails.configuration.astral[:vault_root_ca_mount]
+        Config[:vault_root_ca_mount]
       end
 
       def cert_engine_type

diff --git a/app/lib/config.rb b/app/lib/config.rb
@@ -0,0 +1,19 @@
+class Config
+  class << self
+    def get(key)
+      ENV[key.to_s.upcase] || Rails.configuration.astral[key.to_s.downcase.to_sym]
+    end
+
+    def set(key, value)
+      ENV[key.to_s.upcase] = value
+    end
+
+    def [](key)
+      get(key)
+    end
+
+    def []=(key, value)
+      set(key, value)
+    end
+  end
+end
diff --git a/app/lib/requests/cert_issue_request.rb b/app/lib/requests/cert_issue_request.rb
@@ -11,7 +11,7 @@ class CertIssueRequest
     attribute :other_sans, :string
     attribute :private_key_format, :string, default: "pem"
     attribute :remove_roots_from_chain, :boolean, default: false
-    attribute :ttl, :integer, default: Rails.configuration.astral[:cert_ttl]
+    attribute :ttl, :integer, default: Config[:cert_ttl]
     attribute :uri_sans, :string
     attribute :ip_sans, :string
     attribute :serial_number, :integer
@@ -24,7 +24,7 @@ class CertIssueRequest
     validates :format, presence: true, inclusion: { in: %w[pem der pem_bundle] }
     validates :private_key_format, presence: true, inclusion: { in: %w[pem der pkcs8] }
     validates :ttl, numericality: {
-                less_than_or_equal_to: Rails.configuration.astral[:cert_ttl],
+                less_than_or_equal_to: Config[:cert_ttl],
                 greater_than: 0
               }
     validate :validate_no_wildcards

diff --git a/app/lib/services/auth.rb b/app/lib/services/auth.rb
@@ -12,7 +12,7 @@ def authenticate!(token)
 
       def decode(token)
         # Decode a JWT access token using the configured base.
-        body = JWT.decode(token, Rails.configuration.astral[:jwt_signing_key])[0]
+        body = JWT.decode(token, Config[:jwt_signing_key])[0]
         Identity.new(body)
       rescue => e
         Rails.logger.warn "Unable to decode token: #{e}"

diff --git a/config/astral.yml b/config/astral.yml
@@ -1,26 +1,27 @@
 shared:
-  vault_addr: <%= ENV["VAULT_ADDR"] %>
-  vault_token: <%= ENV["VAULT_TOKEN"] %>
+  vault_addr: 
+  vault_token:
 
   # Pre-existing root CA, or create new if requested
-  vault_create_root: <%= ENV["VAULT_CREATE_ROOT"] || "true" %>
-  vault_root_ca_ref: <%= ENV["VAULT_ROOT_CA_REF"] || "root-ca" %>
-  vault_root_ca_mount: <%= ENV["VAULT_ROOT_CA_MOUNT"] || "pki_root" %>
+  vault_create_root: true
+  vault_root_ca_ref: root_ca
+  vault_root_ca_mount: pki_root
 
-  jwt_signing_key: <%= ENV["JWT_SIGNING_KEY"] %>
-  cert_ttl: <%= ENV["CERT_TTL"] %>
+  jwt_signing_key:
+  cert_ttl:
 
-  app_registry_addr: <%= ENV["APP_REGISTRY_ADDR"] %>
-  app_registry_token: <%= ENV["APP_REGISTRY_TOKEN"] %>
-  app_registry_ca_file: <%= ENV["APP_REGISTRY_CA_FILE"] %>
-  app_registry_client_cert: <%= ENV["APP_REGISTRY_CLIENT_CERT"] %>
-  app_registry_client_key: <%= ENV["APP_REGISTRY_CLIENT_KEY"] %>
+  app_registry_addr:
+  app_registry_token:
+  app_registry_ca_file:
+  app_registry_client_cert:
+  app_registry_client_key:
 
-  audit_log_file: <%= ENV["AUDIT_LOG_FILE"] || "#{Rails.root.join('log')}/astral-audit.log" %>
+  audit_log_file: <%= "#{Rails.root.join('log')}/astral-audit.log" %>
 
 test:
   cert_ttl: <%= 24.hours.in_seconds %>
 
 development:
 
 production:
+  vault_create_root: false
diff --git a/test/interactors/application_interactor_test.rb b/test/interactors/application_interactor_test.rb
@@ -6,7 +6,7 @@ def setup
     @identity = Identity.new(subject: @domain.users_array.first)
     @cr = Requests::CertIssueRequest.new(common_name: @domain.fqdn)
     @log = Tempfile.new("log-test")
-    Rails.configuration.astral[:audit_log_file] = @log.path
+    Config[:audit_log_file] = @log.path
   end
 
   def teardown

diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb
@@ -99,11 +99,11 @@ class VaultTest < ActiveSupport::TestCase
   def vault_client
     ::Vault::Client.new(
           address: vault_addr,
-          token: Rails.configuration.astral[:vault_token]
+          token: Config[:vault_token]
     )
   end
 
   def vault_addr
-    Rails.configuration.astral[:vault_addr]
+    Config[:vault_addr]
   end
 end
diff --git a/test/lib/requests/cert_isssue_request_test.rb b/test/lib/requests/cert_isssue_request_test.rb
@@ -59,9 +59,9 @@ def setup
   end
 
   test "#valid? should require a ttl less than configured max" do
-    @cert_issue_request.ttl = Rails.configuration.astral[:cert_ttl] + 1
+    @cert_issue_request.ttl = Config[:cert_ttl] + 1
     assert_not @cert_issue_request.valid?
-    assert_includes @cert_issue_request.errors[:ttl], "must be less than or equal to #{Rails.configuration.astral[:cert_ttl]}"
+    assert_includes @cert_issue_request.errors[:ttl], "must be less than or equal to #{Config[:cert_ttl]}"
   end
 
   test "#valid? should prevent wildcard common_name" do
@@ -82,7 +82,7 @@ def setup
     assert_equal "pem", @cert_issue_request.format
     assert_equal "pem", @cert_issue_request.private_key_format
     assert_equal false, @cert_issue_request.remove_roots_from_chain
-    assert_equal Rails.configuration.astral[:cert_ttl], @cert_issue_request.ttl
+    assert_equal Config[:cert_ttl], @cert_issue_request.ttl
     assert_equal true, @cert_issue_request.client_flag
     assert_equal false, @cert_issue_request.code_signing_flag
     assert_equal false, @cert_issue_request.email_protection_flag