Render AlaveteliConfiguration on admin debug page

Makes it easier for less technical users to look up specific configuration values – or indeed, save technical users opening an ssh session. Fixes #1636
mysociety · Jun 14, 2024 · 16fe5b1 · 16fe5b1
1 parent 23512b0
commit 16fe5b1
Show file tree

Hide file tree

Showing 9 changed files with 60 additions and 7 deletions.
diff --git a/app/controllers/admin/debug_controller.rb b/app/controllers/admin/debug_controller.rb
@@ -7,5 +7,6 @@ def index
     repo = `git remote show origin -n | perl -ne 'print $1 if m{Fetch URL: .*github\\.com[:/](.*)\\.git}'`
     @github_origin = "https://github.com/#{repo}/tree/"
     @request_env = request.env
+    @alaveteli_configuration = AlaveteliConfiguration.to_sanitized_hash
   end
 end
diff --git a/app/views/admin/debug/index.html.erb b/app/views/admin/debug/index.html.erb
@@ -45,6 +45,18 @@
 
 <h2>Configuration</h2>
 
+<div class="help-block">
+  <p>
+    See the <a href="https://alaveteli.org/docs/customising/config/">
+    documentation</a> for more information about configuring Alaveteli.
+  </p>
+
+  <p>
+    Sensitive values are replaced with <tt>[FILTERED]</tt>. Use the
+    <tt>config/general.yml</tt> configuration file to view these.
+  </p>
+</div>
+
 <table class="table table-condensed table-debug">
   <tr>
     <td>Rails env:</td>
@@ -56,6 +68,15 @@
   </tr>
 </table>
 
+<table class="table table-condensed table-debug">
+  <% @alaveteli_configuration.each do |k,v| %>
+    <tr>
+      <td><%= k %></td>
+      <td><%= v %></td>
+    </tr>
+  <% end %>
+</table>
+
 <h2>Environment variables</h2>
 
 <table class="table table-condensed table-debug">

diff --git a/app/views/admin_general/_admin_navbar.html.erb b/app/views/admin_general/_admin_navbar.html.erb
@@ -18,7 +18,7 @@
               <li><%= link_to 'Summary', admin_general_index_path %></li>
               <li><%= link_to 'Timeline', admin_timeline_path %></li>
               <li><%= link_to 'Stats', admin_stats_path %></li>
-              <li><%= link_to 'Debug', admin_debug_path %></li>
+              <li><%= link_to 'Debug', admin_debug_index_path %></li>
             </ul>
           </li>
 

diff --git a/config/general.yml-example b/config/general.yml-example
@@ -12,6 +12,13 @@
 # Default values for these settings can be found in
 # RAILS_ROOT/lib/configuration.rb
 #
+#
+# WARNING: AlaveteliConfiguration is rendered to admin users in
+#          Admin::DebugController.
+#
+# Ensure any sensitive values are matched by
+# AlaveteliConfiguration.sensitive_key_patterns
+#
 # ==============================================================================
 
 # Site name appears in various places throughout the site

diff --git a/config/routes.rb b/config/routes.rb
@@ -528,10 +528,7 @@ def matches?(request)
 
   #### Admin::Debug controller
   namespace :admin do
-    # FIXME: For some reason the resources call is generating the route as
-    # admin_debug_index_path rather than the standard admin_debug_path.
-    # resources :debug, only: [:index]
-    get 'debug', to: 'debug#index', as: :debug
+    resources :debug, only: :index
   end
   ####
 

diff --git a/doc/CHANGES.md b/doc/CHANGES.md
@@ -2,6 +2,7 @@
 
 ## Highlighted Features
 
+* Render Alaveteli configuration values on admin debug page (Gareth Rees)
 * View user profile photos from admin list of users (Gareth Rees)
 * Update user email to be sent from the blackhole address (Graeme Porteous)
 * Remove ability to publicly view authority contact email addresses to prevent

diff --git a/lib/configuration.rb b/lib/configuration.rb
@@ -13,6 +13,14 @@
 # TODO: Make this return different values depending on the current rails environment
 
 module AlaveteliConfiguration
+  # WARNING: AlaveteliConfiguration is rendered to admin users in
+  #          Admin::DebugController.
+  #
+  # Ensure any sensitive values match this pattern, or add to the pattern if
+  # adding a new value that doesn't fit.
+  mattr_accessor :sensitive_key_patterns,
+                 default: /SECRET|PASSWORD|LICENSE_KEY/
+
   unless const_defined?(:DEFAULTS)
 
     # rubocop:disable Layout/LineLength
@@ -150,4 +158,12 @@ def self.method_missing(name)
       super
     end
   end
+
+  def self.to_sanitized_hash
+    DEFAULTS.keys.each_with_object({}) do |key, memo|
+      value = send(key)
+      value = '[FILTERED]' if value.present? && key =~ sensitive_key_patterns
+      memo[key] = value
+    end
+  end
 end
diff --git a/spec/integration/admin_spec.rb b/spec/integration/admin_spec.rb
@@ -99,14 +99,14 @@
   describe "the debug page" do
     it "should show the current user name" do
       using_session(@admin) do
-        visit admin_debug_path
+        visit admin_debug_index_path
         expect(page).to have_content "joe_admin"
       end
     end
 
     it "should show the current Alaveteli version" do
       using_session(@admin) do
-        visit admin_debug_path
+        visit admin_debug_index_path
         expect(page).to have_content ALAVETELI_VERSION
       end
     end

diff --git a/spec/lib/configuration_spec.rb b/spec/lib/configuration_spec.rb
@@ -0,0 +1,10 @@
+require 'spec_helper'
+
+RSpec.describe AlaveteliConfiguration do
+  include AlaveteliConfiguration
+
+  describe '#to_sanitized_hash' do
+    subject { described_class.to_sanitized_hash }
+    it { is_expected.to include(:INCOMING_EMAIL_SECRET => '[FILTERED]') }
+  end
+end