authorKasper Timm Hansen <kaspth@gmail.com>2017-05-23 21:54:01 +0200
committerKasper Timm Hansen <kaspth@gmail.com>2017-05-25 15:56:55 +0200
commit0338c81dc2ab6ef35fe68461e39c0bad0af5bb95 (patch)
tree61b3d298cc76ddf4e01995b15462d8d2c4285266
parentf50471751942730e3311f8c04ae4d97365ab3243 (diff)
Reorder first secrets edit flow.
Set up config/secrets.yml.enc with template contents for people to edit, then generate the encryption key and encrypt the initial secrets.
-rw-r--r--railties/lib/rails/commands/secrets/secrets_command.rb20
-rw-r--r--railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb30
-rw-r--r--railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc3
-rw-r--r--railties/lib/rails/secrets.rb34
-rw-r--r--railties/test/commands/secrets_test.rb7
5 files changed, 61 insertions, 33 deletions
diff --git a/railties/lib/rails/commands/secrets/secrets_command.rb b/railties/lib/rails/commands/secrets/secrets_command.rb
index 76e13a6e49..651411d444 100644
--- a/railties/lib/rails/commands/secrets/secrets_command.rb
+++ b/railties/lib/rails/commands/secrets/secrets_command.rb
@@ -13,10 +13,7 @@ module Rails
end
def setup
- require "rails/generators"
- require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
-
- Rails::Generators::EncryptedSecretsGenerator.start
+ generator.start
end
def edit
@@ -42,7 +39,22 @@ module Rails
say "Aborted changing encrypted secrets: nothing saved."
rescue Rails::Secrets::MissingKeyError => error
say error.message
+ rescue Errno::ENOENT => error
+ raise unless error.message =~ /secrets\.yml\.enc/
+
+ Rails::Secrets.read_template_for_editing do |tmp_path|
+ system("\$EDITOR #{tmp_path}")
+ generator.skip_secrets_file { setup }
+ end
end
+
+ private
+ def generator
+ require "rails/generators"
+ require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
+
+ Rails::Generators::EncryptedSecretsGenerator
+ end
end
end
end
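Review bot: The new `rescue Errno::ENOENT` wraps the whole body of `edit` and decides that it was the missing secrets file by regex-matching `error.message`, which is brittle and would also catch an ENOENT raised anywhere else in the same block as long as the path happens to appear in the message. Since the generator in this same commit already tests `File.exist?("config/secrets.yml.enc")`, branching on that check before calling `read_for_editing` is more precise, e.g. `return first_edit unless File.exist?("config/secrets.yml.enc")` with the template-plus-setup flow moved into a private `first_edit`. Separately, the return value of `system("\$EDITOR #{tmp_path}")` is never checked, so with `EDITOR` unset or the editor exiting non-zero the unedited template is still encrypted and written once the block returns; `abort "EDITOR failed" unless system(...)` (or at least a `say`) would make that visible. `edit` begins before this hunk.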
diff --git a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb b/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
index 8b29213610..1da2fbc1a5 100644
--- a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
+++ b/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
@@ -36,25 +36,29 @@ module Rails
end
def add_encrypted_secrets_file
- unless File.exist?("config/secrets.yml.enc")
+ unless (defined?(@@skip_secrets_file) && @@skip_secrets_file) || File.exist?("config/secrets.yml.enc")
say "Adding config/secrets.yml.enc to store secrets that needs to be encrypted."
say ""
+ say "For now the file contains this but it's been encrypted with the generated key:"
+ say ""
+ say Secrets.template, :on_green
+ say ""
- template "config/secrets.yml.enc" do |prefill|
- say ""
- say "For now the file contains this but it's been encrypted with the generated key:"
- say ""
- say prefill, :on_green
- say ""
-
- Secrets.encrypt(prefill)
- end
+ Secrets.write(Secrets.template)
say "You can edit encrypted secrets with `bin/rails secrets:edit`."
-
- say "Add this to your config/environments/production.rb:"
- say "config.read_encrypted_secrets = true"
+ say ""
end
+
+ say "Add this to your config/environments/production.rb:"
+ say "config.read_encrypted_secrets = true"
+ end
+
+ def self.skip_secrets_file
+ @@skip_secrets_file = true
+ yield
+ ensure
+ @@skip_secrets_file = false
end
private
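Review bot: `@@skip_secrets_file` on the new lines is a class variable, which Ruby shares across the whole inheritance tree and which is why the `defined?(@@skip_secrets_file) && @@skip_secrets_file` guard is needed to avoid an uninitialized-class-variable error; a class-level instance variable behind a small predicate reads cleaner and needs no guard. The `ensure` in `self.skip_secrets_file` also unconditionally resets the flag to `false`, so a nested call would clear an outer one — restoring the previous value is safer. A sketch of both:
```ruby
def add_encrypted_secrets_file
  unless self.class.skip_secrets_file? || File.exist?("config/secrets.yml.enc")
    # … unchanged: say template, Secrets.write(Secrets.template) …
  end
  # … unchanged: production.rb hint …
end

# Temporarily suppress writing config/secrets.yml.enc (used when the first
# `secrets:edit` already holds the edited template and only needs the key).
def self.skip_secrets_file
  previous, @skip_secrets_file = @skip_secrets_file, true
  yield
ensure
  @skip_secrets_file = previous
end

def self.skip_secrets_file?
  @skip_secrets_file
end
```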
diff --git a/railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc b/railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc
deleted file mode 100644
index 70426a66a5..0000000000
--- a/railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc
+++ /dev/null
@@ -1,3 +0,0 @@
-# See `secrets.yml` for tips on generating suitable keys.
-# production:
-# external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289…
diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb
index 8b644f212c..20c20cb9f1 100644
--- a/railties/lib/rails/secrets.rb
+++ b/railties/lib/rails/secrets.rb
@@ -1,5 +1,6 @@
require "yaml"
require "active_support/message_encryptor"
+require "active_support/core_ext/string/strip"
module Rails
# Greatly inspired by Ara T. Howard's magnificent sekrets gem. 😘
@@ -37,6 +38,15 @@ module Rails
ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key
end
+ def template
+ <<-end_of_template.strip_heredoc
+ # See `secrets.yml` for tips on generating suitable keys.
+ # production:
+ # external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289…
+
+ end_of_template
+ end
+
def encrypt(data)
encryptor.encrypt_and_sign(data)
end
@@ -54,15 +64,12 @@ module Rails
FileUtils.mv("#{path}.tmp", path)
end
- def read_for_editing
- tmp_path = File.join(Dir.tmpdir, File.basename(path))
- IO.binwrite(tmp_path, read)
-
- yield tmp_path
+ def read_for_editing(&block)
+ writing(read, &block)
+ end
- write(IO.binread(tmp_path))
- ensure
- FileUtils.rm(tmp_path) if File.exist?(tmp_path)
+ def read_template_for_editing(&block)
+ writing(template, &block)
end
private
@@ -92,6 +99,17 @@ module Rails
end
end
+ def writing(contents)
+ tmp_path = File.join(Dir.tmpdir, File.basename(path))
+ File.write(tmp_path, contents)
+
+ yield tmp_path
+
+ write(File.read(tmp_path))
+ ensure
+ FileUtils.rm(tmp_path) if File.exist?(tmp_path)
+ end
+
def encryptor
@encryptor ||= ActiveSupport::MessageEncryptor.new([ key ].pack("H*"), cipher: @cipher)
end
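Review bot: `writing` puts the decrypted secrets in plaintext at a predictable location, `File.join(Dir.tmpdir, File.basename(path))`, created by `File.write` with the default mode, so on a shared host the file is (umask permitting) readable by other users for as long as the editor is open, and a symlink planted at that path beforehand would be followed on write. Creating a private directory with `Dir.mktmpdir` (mode 0700, removed when the block exits even on error; it lives in the same `tmpdir` library as `Dir.tmpdir`) and writing with `perm: 0600` closes both, and also replaces the hand-rolled `ensure`/`FileUtils.rm`. The move from `IO.binwrite`/`IO.binread` to `File.write`/`File.read` additionally switches to text mode; I'd keep the binary variants unless that change was intended. `encryptor` at the end of the hunk is unchanged.
```ruby
def writing(contents)
  # Private 0700 directory: other users cannot read the plaintext while it is
  # being edited, and nobody can pre-plant a file or symlink at a known path.
  Dir.mktmpdir do |dir|
    tmp_path = File.join(dir, File.basename(path))
    IO.binwrite(tmp_path, contents, perm: 0600)

    yield tmp_path

    write(IO.binread(tmp_path))
  end
end
```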
diff --git a/railties/test/commands/secrets_test.rb b/railties/test/commands/secrets_test.rb
index 00b0343397..fb8fd2325e 100644
--- a/railties/test/commands/secrets_test.rb
+++ b/railties/test/commands/secrets_test.rb
@@ -18,7 +18,8 @@ class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase
end
test "edit secrets" do
- run_setup_command
+ # Runs setup before first edit.
+ assert_match(/Adding config\/secrets\.yml\.key to store the encryption key/, run_edit_command)
# Run twice to ensure encrypted secrets can be reread after first edit pass.
2.times do
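Review bot: The new assertion only checks the key-generation message from the implicit setup, so it would not catch the encrypted file failing to be written, or being encrypted before the key exists — which is exactly the ordering this commit changes. Consider also asserting the artifact after the first edit, e.g. `assert File.exist?(File.join(app_path, "config/secrets.yml.enc"))`, so the re-ordered flow is pinned by something other than console output. The `test "edit secrets"` block continues past this hunk.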
@@ -30,8 +31,4 @@ class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase
def run_edit_command(editor: "cat")
Dir.chdir(app_path) { `EDITOR="#{editor}" bin/rails secrets:edit` }
end
-
- def run_setup_command
- Dir.chdir(app_path) { `bin/rails secrets:setup` }
- end
end