aboutsummaryrefslogblamecommitdiffstats
path: root/railties/test/commands/credentials_test.rb
blob: 3dec6fbe104a4cb35f487d721be0fccd6fcf8844 (plain) (tree)
1
2
3
4
5
6
7
8





                                                        
                   
                  







                                                                      
                                          

                                                       
                                                   
       








                                                                          








                                                                                







                                                                                    





                                                                                      
                                                            




                                                   







                                                                                   
                                                            






                                                                             
                                                                                                    






                                                                           
                                                                             







                                                          




















                                                                                             
                                            















                                                                                                        
               


                                                                           
                                            







                                               
               

     



                                                        










































                                                                                                                 
                                                                                                 









                                                                                                            






                                                                                          

     
                                                            

                                               


                                                  

     
         
                                                                    
                                     

                                                                

         
 
                                                                 
                                                              
                        
                                               
       
   
# frozen_string_literal: true

require "isolation/abstract_unit"
require "env_helpers"
require "rails/command"
require "rails/commands/credentials/credentials_command"
require "fileutils"
require "tempfile"

class Rails::Command::CredentialsCommandTest < ActiveSupport::TestCase
  include ActiveSupport::Testing::Isolation, EnvHelpers

  setup { build_app }

  teardown { teardown_app }

  test "edit without editor gives hint" do
    run_edit_command(editor: "").tap do |output|
      assert_match "No $EDITOR to open file in", output
      assert_match "rails credentials:edit", output
    end
  end

  test "edit credentials" do
    # Run twice to ensure credentials can be reread after first edit pass.
    2.times do
      assert_match(/access_key_id: 123/, run_edit_command)
    end
  end

  test "edit command does not add master key to gitignore when already exist" do
    run_edit_command

    Dir.chdir(app_path) do
      gitignore = File.read(".gitignore")
      assert_equal 1, gitignore.scan(%r|config/master\.key|).length
    end
  end

  test "edit command does not overwrite by default if credentials already exists" do
    run_edit_command(editor: "eval echo api_key: abc >")
    assert_match(/api_key: abc/, run_show_command)

    run_edit_command
    assert_match(/api_key: abc/, run_show_command)
  end

  test "edit command does not add master key when `RAILS_MASTER_KEY` env specified" do
    Dir.chdir(app_path) do
      key = IO.binread("config/master.key").strip
      FileUtils.rm("config/master.key")

      switch_env("RAILS_MASTER_KEY", key) do
        assert_match(/access_key_id: 123/, run_edit_command)
        assert_not File.exist?("config/master.key")
      end
    end
  end

  test "edit command modifies file specified by environment option" do
    assert_match(/access_key_id: 123/, run_edit_command(environment: "production"))
    Dir.chdir(app_path) do
      assert File.exist?("config/credentials/production.key")
      assert File.exist?("config/credentials/production.yml.enc")
    end
  end

  test "edit command properly expands environment option" do
    assert_match(/access_key_id: 123/, run_edit_command(environment: "prod"))
    Dir.chdir(app_path) do
      assert File.exist?("config/credentials/production.key")
      assert File.exist?("config/credentials/production.yml.enc")
    end
  end

  test "edit command does not raise when an initializer tries to access non-existent credentials" do
    app_file "config/initializers/raise_when_loaded.rb", <<-RUBY
      Rails.application.credentials.missing_key!
    RUBY

    assert_match(/access_key_id: 123/, run_edit_command(environment: "qa"))
  end

  test "edit command generates template file when the file does not exist" do
    FileUtils.rm("#{app_path}/config/credentials.yml.enc")
    run_edit_command

    output = run_show_command
    assert_match(/access_key_id: 123/, output)
    assert_match(/secret_key_base/, output)
  end

  test "edit ask the user to opt in to pretty credentials" do
    assert_match(/Would you like to make the credentials diff from git/, run_edit_command)
  end

  test "edit doesn't ask the user to opt in to pretty credentials when alreasy asked" do
    app_file("tmp/rails_pretty_credentials", "")

    assert_no_match(/Would you like to make the credentials diff from git/, run_edit_command)
  end

  test "edit doesn't ask the user to opt in when user already opted in" do
    content = <<~EOM
      [diff "rails_credentials"]
          textconv = bin/rails credentials:show
    EOM
    app_file(".git/config", content)

    assert_no_match(/Would you like to make the credentials diff from git/, run_edit_command)
  end

  test "edit ask the user to opt in to pretty credentials, user accepts" do
    file = Tempfile.open("credentials_test")
    file.write("y")
    file.rewind

    run_edit_command(stdin: file.path)

    git_attributes = app_path(".gitattributes")
    expected = <<~EOM
      config/credentials/*.yml.enc diff=rails_credentials
      config/credentials.yml.enc diff=rails_credentials
    EOM
    assert(File.exist?(git_attributes))
    assert_equal(expected, File.read(git_attributes))
    Dir.chdir(app_path) do
      assert_equal("bin/rails credentials:show\n", `git config --get 'diff.rails_credentials.textconv'`)
    end
  ensure
    file.close!
  end

  test "edit ask the user to opt in to pretty credentials, user refuses" do
    file = Tempfile.open("credentials_test")
    file.write("n")
    file.rewind

    run_edit_command(stdin: file.path)

    git_attributes = app_path(".gitattributes")
    assert_not(File.exist?(git_attributes))
  ensure
    file.close!
  end

  test "show credentials" do
    assert_match(/access_key_id: 123/, run_show_command)
  end

  test "show command when argument is provided (from git diff left file)" do
    run_edit_command(environment: "development")

    assert_match(/access_key_id: 123/, run_show_command("config/credentials/development.yml.enc"))
  end

  test "show command when argument is provided (from git diff right file)" do
    run_edit_command(environment: "development")

    dir = Dir.mktmpdir
    file_path = File.join(dir, "KnAM4a_development.yml.enc")
    file_content = File.read(app_path("config", "credentials", "development.yml.enc"))
    File.write(file_path, file_content)

    assert_match(/access_key_id: 123/, run_show_command(file_path))
  ensure
    FileUtils.rm_rf(dir)
  end

  test "show command when argument is provided (git diff) and filename is the master credentials" do
    assert_match(/access_key_id: 123/, run_show_command("config/credentials.yml.enc"))
  end

  test "show command when argument is provided (git diff) and master key is not available" do
    remove_file "config/master.key"

    raw_content = File.read(app_path("config", "credentials.yml.enc"))
    assert_match(raw_content, run_show_command("config/credentials.yml.enc"))
  end

  test "show command when argument is provided (git diff) return the raw encrypted content in an error occurs" do
    run_edit_command(environment: "development")

    dir = Dir.mktmpdir
    file_path = File.join(dir, "20190807development.yml.enc")
    file_content = File.read(app_path("config", "credentials", "development.yml.enc"))
    File.write(file_path, file_content)

    assert_match(file_content, run_show_command(file_path))
  ensure
    FileUtils.rm_rf(dir)
  end

  test "show command raises error when require_master_key is specified and key does not exist" do
    remove_file "config/master.key"
    add_to_config "config.require_master_key = true"

    assert_match(/Missing encryption key to decrypt file with/, run_show_command(allow_failure: true))
  end

  test "show command does not raise error when require_master_key is false and master key does not exist" do
    remove_file "config/master.key"
    add_to_config "config.require_master_key = false"

    assert_match(/Missing 'config\/master\.key' to decrypt credentials/, run_show_command)
  end

  test "show command displays content specified by environment option" do
    run_edit_command(environment: "production")

    assert_match(/access_key_id: 123/, run_show_command(environment: "production"))
  end

  test "show command properly expands environment option" do
    run_edit_command(environment: "production")

    output = run_show_command(environment: "prod")
    assert_match(/access_key_id: 123/, output)
    assert_no_match(/secret_key_base/, output)
  end

  private
    def run_edit_command(editor: "cat", environment: nil, **options)
      switch_env("EDITOR", editor) do
        args = environment ? ["--environment", environment] : []
        rails "credentials:edit", args, **options
      end
    end

    def run_show_command(path = nil, environment: nil, **options)
      args = environment ? ["--environment", environment] : []
      args.unshift(path)
      rails "credentials:show", args, **options
    end
end