Blog


Apr

My Craftsman Swap with Bendyworks


Last week I flew from Sweden to Madison, WI to work for a week together with the developers at Bendyworks, or as they call themselves, Bendyworkers.

After the 23-hour flight I was met by Stephen, who didn’t hesitate for a moment to welcome me to Madison in the middle of the night on a Sunday. Over the week I’ve learned that a great talent for hospitality is something that all the Bendyworkers have in common. Even though it was late, Stephen gave me a quick tour around the beautiful Capitol building located right next to Bendyworks’ office.

Capitol building

Bendyworkers perform their craft in a rustic triangle-shaped building built before the 1900s. The office is located right downtown and is surrounded by a bursting number of cafés, restaurants, and even a theatre. Inside I found that the rooms are all very open and people are moving naturally between desks and programming pairs. During Bendyworks’ monthly “release valve” meeting I learned that not even the owners Stephen, Brad, and Jim take a dedicated office for granted. To me this illustrates well how flat and transparent the company structure is at Bendyworks.

I had the opportunity to work on two different projects over the week. On Monday I worked together with Chris on a CMS for Internet Week New York. The project was wrapping up, and since all the major features were already delivered, we got some time to spend on refactoring a few acceptance tests to make them execute faster. Tuesday through Thursday I paired up with Josh on work for SEOmoz. Josh has some serious shell and terminal vim skills going on, while I’m more of a mvim user, depending a bit more on Mac OS X to do window handling for me. The SEOmoz work spanned three different Rails-based applications with a very heavy emphasis on client-side JavaScript.

Office

Bendyworkers all have a genuine passion for their craft. When they don’t attend meetups they’re working on numerous open source projects or catching up with their self-assigned book club related homework. Lunches are spent preparing for the book club or sharing knowledge through more organized presentations, like when Joe had a great walkthrough of his blog post on giving yourself a security makeover.

With all that time spent on perfecting their craft you’d think Bendyworkers wouldn’t know how to have fun. Well, you’re wrong. Ping-pong games, comedy clubs, taco-tuesdays, arcade halls, great food and drinks just to name a few of the activities Bendyworkers have treated me to over the week.

With that, I’d like to thank Bendyworks for a week full of fun, productive, and educational experiences!

Mar

Handle secret credentials in Ruby on Rails


This blog post aims to lay out a simple and concrete strategy for handling sensitive data in your Ruby on Rails applications, and to explain the importance of such a strategy.

Never, ever check them into source control

Even if your project is closed source and your trusted colleagues are the only ones with access, you never know when a freelancer or consultant might be joining the project. Even if that never occurs, how do you keep track of all the locations where that repository is checked out? Who knows on how many hard drives your company's credit card transaction secret API key might be stored? What happens when someone with a weak login password forgets their laptop on the bus or at the airport?

Also note that it's not always as simple as removing secrets after the fact, especially with version control. It's usually impossible to do this without drastically changing your entire project's history!

Do it right

For a long time, we've been using YAML files to store our application configuration. It's easy to manage and can be configured for different Rails environments. These YAML files could look like the following:

config/app.yml:

development: &defaults
  awesomeness_score: 3
  host: "localhost:3000"
  s3_bucket: "example-development-us"

production:
  <<: *defaults
  host: "example.com"
  s3_bucket: "example-production-us"

test:
  <<: *defaults

config/app_secret.yml.example:

development: &defaults
  aws_access_key_id: ""
  aws_secret_access_key_id: ""

production:
  <<: *defaults

test:
  <<: *defaults

config/app_secret.yml:

development: &defaults
  aws_access_key_id: "ACTUAL-ID-WOULD-GO-HERE"
  aws_secret_access_key_id: "ACTUAL-SECRET-WOULD-GO-HERE"

production:
  <<: *defaults

test:
  <<: *defaults

Only the first two files would be checked in to source control, and the application's README would instruct developers to cp config/app_secret.yml.example config/app_secret.yml and fill in the gaps from the company keychain.

To make sure we never check in the secrets by mistake, we ignore the app_secret.yml file:

.gitignore:

# ...
/config/app_secret.yml
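A check that keeps the two secret files consistent, as an added example (not code from the original post or from econfig): it confirms the checked-in template holds only blank values and that the untracked file fills in every key the template lists. The names `load_envs` and `audit_secret_files` and the inline sample YAML are constructed for illustration.

```ruby
require "yaml"

# Constructed copy of config/app_secret.yml.example (the file that is checked in).
EXAMPLE_YML = <<~YML
  development: &defaults
    aws_access_key_id: ""
    aws_secret_access_key_id: ""
  production:
    <<: *defaults
  test:
    <<: *defaults
YML

# Constructed stand-in for a developer's config/app_secret.yml (ignored by git).
SECRET_YML = <<~YML
  development: &defaults
    aws_access_key_id: "ACTUAL-ID-WOULD-GO-HERE"
    aws_secret_access_key_id: ""
  production:
    <<: *defaults
YML

# safe_load refuses aliases unless asked; these files need the &defaults anchor.
def load_envs(text)
  YAML.safe_load(text, aliases: true) || {}
end

# Returns a list of problems; an empty list means the two files are consistent.
def audit_secret_files(example_text, secret_text)
  example = load_envs(example_text)
  secret  = load_envs(secret_text)
  problems = []
  example.each do |env, keys|
    (keys || {}).each do |key, value|
      # The checked-in template must never carry a real value.
      problems << "example #{env}.#{key} is not blank" unless value.to_s.empty?
      actual = secret.dig(env, key)
      problems << "secret #{env}.#{key} is missing or blank" if actual.to_s.empty?
    end
  end
  # Keys that exist only in the untracked file mean the template has drifted.
  secret.each do |env, keys|
    extra = (keys || {}).keys - (example[env] || {}).keys
    extra.each { |key| problems << "secret #{env}.#{key} is not in the example" }
  end
  problems
end

puts audit_secret_files(EXAMPLE_YML, SECRET_YML)
```

In a project, pass the contents of config/app_secret.yml.example and config/app_secret.yml instead of the inline samples and fail the boot or CI step when the list is not empty.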

We then use the econfig gem written by Jonas Nicklas to easily merge them together:

Gemfile

# ...
gem "econfig", require: "econfig/rails"

config/application.rb

# ...
module YourApp
  extend Econfig::Shortcut
  # ...
end

Now we can access any configuration variable and secret credential:

YourApp.host # => "localhost:3000"
YourApp.aws_secret_access_key_id # => "ACTUAL-SECRET-WOULD-GO-HERE"

Deploy

When you deploy the application, you must manually manage the secrets on the server(s).

Capistrano

If you deploy with Capistrano, you'll want to place app_secret.yml in the config directory of your /shared folder. Once that's done, it can be linked into each release with a symlink task:

deploy.rb

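# ...
namespace :config do
  desc "Symlink application config files."
  task :symlink do
    # Spell out both paths: brace expansion is a bash feature and fails under a plain sh.
    run "ln -s #{shared_path}/config/app_secret.yml #{release_path}/config/app_secret.yml"
  end
end

# Link the file as soon as the new release is on disk, before the app restarts.
after "deploy:update_code", "config:symlink"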

Heroku

If you're deploying your application where you don't have file access, such as Heroku, you're better off storing this kind of information in ENV. The econfig gem has built in support for this and a few other storage backends, but that's another blog post.

Conclusion

With this method, we now have a clear separation of sensitive and non-sensitive data. There's no risk of checking in any sensitive data, since we have only one place to put it all and it's hidden from source control. Data access within the application hasn't changed, and we no longer have to concern ourselves with how sensitive it is.

We can now be sure that giving access to a repository does not imply giving access to other systems.

Epilogue

If you have any feedback on how the blog post can be improved, or if you spot any errors, please let me know by posting a comment below!

Dec

The Year 2011 — A Summary


Wow, another year over already. It feels like it was just recently that I wrote a summary of 2010. Tomorrow is Christmas Eve, so it's about time that I try to sum up this year. And what a year it's been.

One of the highlights this year, just like last year, was our conference Nordic Ruby. I feel like this year was even better than last year, with amazing speakers such as Chad Fowler and Aaron Patterson, a party on an 18th century style ship, and 150 fantastic attendees. Next year we're trying something quite different, and I think it's going to be awesome. Keep a look out for the new web site for Nordic Ruby 2012.


Aaron Patterson at Nordic Ruby 2011. Photo by Athega.

Right around the same time as Nordic Ruby, we said goodbye to our partners at Edithouse, and moved to our own space. Our new office is in a fantastic 19th century building, the old offices of the famous Gothenburg camera makers Hasselblad. We love our new office, and others seem to like it too, as we made the finals in a competition for Sweden's nicest office. Feel free to come visit us, we love having guests. If you can't make it, check out the pictures of our new office.

Our new office, in the Hasselblad building

We didn't just move out from Edithouse's office, but we also bought back their shares in Elabs. Right now I'm the full owner of the company. The main reason for this was that the collaboration that we envisioned when I started Elabs together with Edithouse never happened. In 2008 and 2009 Edithouse's business changed, and we set our own course. Our own office and ownership reflect our independence, and that feels great. Personally, I still want to say thank you to Edithouse for helping get Elabs off the ground in 2008.

Another side of our move was that we decided to close down our Stockholm office. While we had some great projects there, for clients like Bonnier's Mag+ and TV4 Play, it was hard having people spread out. One of the best things about Elabs is our culture. Our way of working together, and our camaraderie. Extending that across the country wasn't easy, and it didn't feel fair to Ingemar and Dennis, working by themselves in Stockholm. We asked them if they wanted to join us in Gothenburg, but they decided to stay in Stockholm, and are now working for our clients Mynewsdesk and Mag+. I wish them the best of luck there.

To make up for the loss of Ingemar and Dennis, we've started hiring again! In August, we welcomed Kim Burgestrand to our team. Kim had been freelancing with us while he was on a break from his studies, and we're very happy that he decided to join us full-time. We'll be hiring more developers next year, so if you're interested in joining a fantastic team, let us know!

In 2011, we really ramped up our public speaking. We spoke at a whole bunch of different conferences all over the world. Here's a list, with links to videos of most of them:

Phew! Quite intense! In between working on client projects and speaking at conferences, our developers still found time to release some great open source projects. Nicklas released his Rails account management engine bento, and Anders released the model factory jay_z and the restful HTTP library resto. Kim did a bunch of work on Hallon, his delicious Ruby bindings to the official Spotify API. Jonas released capybara 1.0, an integration testing library used by most Ruby developers. Later in the year, he also released the brand new library turnip, an alternative to Cucumber.

In recognition for his outstanding open source efforts, Jonas received a Ruby Hero Award at RailsConf in May. We're so proud of him!

Jonas Nicklas, one of the Ruby Heroes 2011

During the year we've had the opportunity to work with some fantastic people. We've worked with some great companies in the US (such as Engine Yard, Stackmob, and LivingSocial), as well as some cool Swedish startups (like Naturkartan and Saltside), and some big established companies like TV4 and Bonnier. A big thank you to all of our clients! We're looking forward to more great projects next year.

Yesterday, our last day of work this year, we said goodbye to Antony. Antony's been working with us for almost two years, and he's been a fantastic part of the team. Now he's striking out on his own with a project related to his other big passion, photography, and we wish him the best of luck. Thank you Antony for all your great work, and for keeping our spirits high at the office. We'll miss you!

Now we're taking a break over the holidays, and we'll be back on January 2nd, ready for another exciting year.

Happy holidays!

/ CJ & the Elabs team

Merry Christmas from Elabs

PS. If you want to keep up with what we're doing, follow us on Twitter or check out our Facebook page. Thanks!