aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKasper Timm Hansen <kaspth@gmail.com>2017-02-23 18:15:28 +0100
committerGitHub <noreply@github.com>2017-02-23 18:15:28 +0100
commitfbee4e3ce37674eb928298490a35d3dfd1921e67 (patch)
tree53fb0bb589c7351688c711ddc1ecbb10b7415951
parent4734d23c74fb4193aafe7cb04256bb745680d97f (diff)
downloadrails-fbee4e3ce37674eb928298490a35d3dfd1921e67.tar.gz
rails-fbee4e3ce37674eb928298490a35d3dfd1921e67.tar.bz2
rails-fbee4e3ce37674eb928298490a35d3dfd1921e67.zip
Revert "Revert "Add encrypted secrets""
-rw-r--r--railties/lib/rails/application.rb14
-rw-r--r--railties/lib/rails/application/bootstrap.rb6
-rw-r--r--railties/lib/rails/application/configuration.rb6
-rw-r--r--railties/lib/rails/command.rb27
-rw-r--r--railties/lib/rails/command/base.rb10
-rw-r--r--railties/lib/rails/commands/secrets/USAGE52
-rw-r--r--railties/lib/rails/commands/secrets/secrets_command.rb50
-rw-r--r--railties/lib/rails/generators.rb1
-rw-r--r--railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt5
-rw-r--r--railties/lib/rails/generators/rails/app/templates/config/secrets.yml6
-rw-r--r--railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb66
-rw-r--r--railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc3
-rw-r--r--railties/lib/rails/secrets.rb111
-rw-r--r--railties/test/generators/app_generator_test.rb1
-rw-r--r--railties/test/generators/encrypted_secrets_generator_test.rb42
-rw-r--r--railties/test/isolation/abstract_unit.rb1
-rw-r--r--railties/test/secrets_test.rb108
17 files changed, 482 insertions, 27 deletions
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index 1a6aed7ce4..89f7b5991f 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -4,6 +4,7 @@ require "active_support/core_ext/object/blank"
require "active_support/key_generator"
require "active_support/message_verifier"
require "rails/engine"
+require "rails/secrets"
module Rails
# An Engine with the responsibility of coordinating the whole boot process.
@@ -385,18 +386,7 @@ module Rails
def secrets
@secrets ||= begin
secrets = ActiveSupport::OrderedOptions.new
- yaml = config.paths["config/secrets"].first
-
- if File.exist?(yaml)
- require "erb"
-
- all_secrets = YAML.load(ERB.new(IO.read(yaml)).result) || {}
- shared_secrets = all_secrets["shared"]
- env_secrets = all_secrets[Rails.env]
-
- secrets.merge!(shared_secrets.deep_symbolize_keys) if shared_secrets
- secrets.merge!(env_secrets.deep_symbolize_keys) if env_secrets
- end
+ secrets.merge! Rails::Secrets.parse(config.paths["config/secrets"].existent, env: Rails.env)
# Fallback to config.secret_key_base if secrets.secret_key_base isn't set
secrets.secret_key_base ||= config.secret_key_base
diff --git a/railties/lib/rails/application/bootstrap.rb b/railties/lib/rails/application/bootstrap.rb
index 6102af3fff..4223c38146 100644
--- a/railties/lib/rails/application/bootstrap.rb
+++ b/railties/lib/rails/application/bootstrap.rb
@@ -2,6 +2,7 @@ require "fileutils"
require "active_support/notifications"
require "active_support/dependencies"
require "active_support/descendants_tracker"
+require "rails/secrets"
module Rails
class Application
@@ -77,6 +78,11 @@ INFO
initializer :bootstrap_hook, group: :all do |app|
ActiveSupport.run_load_hooks(:before_initialize, app)
end
+
+ initializer :set_secrets_root, group: :all do
+ Rails::Secrets.root = root
+ Rails::Secrets.read_encrypted_secrets = config.read_encrypted_secrets
+ end
end
end
end
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index b0d33f87a3..b0592151b7 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -13,7 +13,8 @@ module Rails
:railties_order, :relative_url_root, :secret_key_base, :secret_token,
:ssl_options, :public_file_server,
:session_options, :time_zone, :reload_classes_only_on_change,
- :beginning_of_week, :filter_redirect, :x, :enable_dependency_loading
+ :beginning_of_week, :filter_redirect, :x, :enable_dependency_loading,
+ :read_encrypted_secrets
attr_writer :log_level
attr_reader :encoding, :api_only
@@ -51,6 +52,7 @@ module Rails
@debug_exception_response_format = nil
@x = Custom.new
@enable_dependency_loading = false
+ @read_encrypted_secrets = false
end
def encoding=(value)
@@ -80,7 +82,7 @@ module Rails
@paths ||= begin
paths = super
paths.add "config/database", with: "config/database.yml"
- paths.add "config/secrets", with: "config/secrets.yml"
+ paths.add "config/secrets", with: "config", glob: "secrets.yml{,.enc}"
paths.add "config/environment", with: "config/environment.rb"
paths.add "lib/templates"
paths.add "log", with: "log/#{Rails.env}.log"
diff --git a/railties/lib/rails/command.rb b/railties/lib/rails/command.rb
index 13f3b90b6d..73f9684ca4 100644
--- a/railties/lib/rails/command.rb
+++ b/railties/lib/rails/command.rb
@@ -27,15 +27,22 @@ module Rails
end
# Receives a namespace, arguments and the behavior to invoke the command.
- def invoke(namespace, args = [], **config)
- namespace = namespace.to_s
- namespace = "help" if namespace.blank? || HELP_MAPPINGS.include?(namespace)
- namespace = "version" if %w( -v --version ).include? namespace
+ def invoke(full_namespace, args = [], **config)
+ namespace = full_namespace = full_namespace.to_s
- if command = find_by_namespace(namespace)
- command.perform(namespace, args, config)
+ if char = namespace =~ /:(\w+)$/
+ command_name, namespace = $1, namespace.slice(0, char)
else
- find_by_namespace("rake").perform(namespace, args, config)
+ command_name = namespace
+ end
+
+ command_name = "help" if command_name.blank? || HELP_MAPPINGS.include?(command_name)
+ namespace = "version" if %w( -v --version ).include?(command_name)
+
+ if command = find_by_namespace(namespace, command_name)
+ command.perform(command_name, args, config)
+ else
+ find_by_namespace("rake").perform(full_namespace, args, config)
end
end
@@ -52,8 +59,10 @@ module Rails
#
# Notice that "rails:commands:webrat" could be loaded as well, what
# Rails looks for is the first and last parts of the namespace.
- def find_by_namespace(name) # :nodoc:
- lookups = [ name, "rails:#{name}" ]
+ def find_by_namespace(namespace, command_name = nil) # :nodoc:
+ lookups = [ namespace ]
+ lookups << "#{namespace}:#{command_name}" if command_name
+ lookups.concat lookups.map { |lookup| "rails:#{lookup}" }
lookup(lookups)
diff --git a/railties/lib/rails/command/base.rb b/railties/lib/rails/command/base.rb
index 1435792536..db20c71861 100644
--- a/railties/lib/rails/command/base.rb
+++ b/railties/lib/rails/command/base.rb
@@ -56,7 +56,9 @@ module Rails
end
def perform(command, args, config) # :nodoc:
- command = nil if Rails::Command::HELP_MAPPINGS.include?(args.first)
+ if Rails::Command::HELP_MAPPINGS.include?(args.first)
+ command, args = "help", []
+ end
dispatch(command, args.dup, nil, config)
end
@@ -111,7 +113,7 @@ module Rails
# For a `Rails::Command::TestCommand` placed in `rails/command/test_command.rb`
# would return `rails/test`.
def default_command_root
- path = File.expand_path(File.join("../commands", command_name), __dir__)
+ path = File.expand_path(File.join("../commands", command_root_namespace), __dir__)
path if File.exist?(path)
end
@@ -129,6 +131,10 @@ module Rails
super
end
end
+
+ def command_root_namespace
+ (namespace.split(":") - %w( rails )).first
+ end
end
def help
diff --git a/railties/lib/rails/commands/secrets/USAGE b/railties/lib/rails/commands/secrets/USAGE
new file mode 100644
index 0000000000..4b7deb4e2a
--- /dev/null
+++ b/railties/lib/rails/commands/secrets/USAGE
@@ -0,0 +1,52 @@
+=== Storing Encrypted Secrets in Source Control
+
+The Rails `secrets` commands helps encrypting secrets to slim a production
+environment's `ENV` hash. It's also useful for atomic deploys: no need to
+coordinate key changes to get everything working as the keys are shipped
+with the code.
+
+=== Setup
+
+Run `bin/rails secrets:setup` to opt in and generate the `config/secrets.yml.key`
+and `config/secrets.yml.enc` files.
+
+The latter contains all the keys to be encrypted while the former holds the
+encryption key.
+
+Don't lose the key! Put it in a password manager your team can access.
+Should you lose it no one, including you, will be able to access any encrypted
+secrets.
+Don't commit the key! Add `config/secrets.yml.key` to your source control's
+ignore file. If you use Git, Rails handles this for you.
+
+Rails also looks for the key in `ENV["RAILS_MASTER_KEY"]` if that's easier to
+manage.
+
+You could prepend that to your server's start command like this:
+
+ RAILS_MASTER_KEY="im-the-master-now-hahaha" server.start
+
+
+The `config/secrets.yml.enc` has much the same format as `config/secrets.yml`:
+
+ production:
+ secret_key_base: so-secret-very-hidden-wow
+ payment_processing_gateway_key: much-safe-very-gaedwey-wow
+
+But that's where the similarities between `secrets.yml` and `secrets.yml.enc`
+end, e.g. no keys from `secrets.yml` will be moved to `secrets.yml.enc` and
+be encrypted.
+
+A `shared:` top level key is also supported such that any keys there is merged
+into the other environments.
+
+=== Editing Secrets
+
+After `bin/rails secrets:setup`, run `bin/rails secrets:edit`.
+
+That command opens a temporary file in `$EDITOR` with the decrypted contents of
+`config/secrets.yml.enc` to edit the encrypted secrets.
+
+When the temporary file is next saved the contents are encrypted and written to
+`config/secrets.yml.enc` while the file itself is destroyed to prevent secrets
+from leaking.
diff --git a/railties/lib/rails/commands/secrets/secrets_command.rb b/railties/lib/rails/commands/secrets/secrets_command.rb
new file mode 100644
index 0000000000..05e0c228e8
--- /dev/null
+++ b/railties/lib/rails/commands/secrets/secrets_command.rb
@@ -0,0 +1,50 @@
+require "active_support"
+require "rails/secrets"
+
+module Rails
+ module Command
+ class SecretsCommand < Rails::Command::Base # :nodoc:
+ def help
+ say "Usage:\n #{self.class.banner}"
+ say ""
+ say self.class.desc
+ end
+
+ def setup
+ require "rails/generators"
+ require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
+
+ Rails::Generators::EncryptedSecretsGenerator.start
+ end
+
+ def edit
+ require_application_and_environment!
+
+ Rails::Secrets.read_for_editing do |tmp_path|
+ watch tmp_path do
+ puts "Waiting for secrets file to be saved. Abort with Ctrl-C."
+ system("\$EDITOR #{tmp_path}")
+ end
+ end
+
+ puts "New secrets encrypted and saved."
+ rescue Interrupt
+ puts "Aborted changing encrypted secrets: nothing saved."
+ rescue Rails::Secrets::MissingKeyError => error
+ say error.message
+ end
+
+ private
+ def watch(tmp_path)
+ mtime, start_time = File.mtime(tmp_path), Time.now
+
+ yield
+
+ editor_exits_after_open = $?.success? && (Time.now - start_time) < 1
+ if editor_exits_after_open
+ sleep 0.250 until File.mtime(tmp_path) != mtime
+ end
+ end
+ end
+ end
+end
diff --git a/railties/lib/rails/generators.rb b/railties/lib/rails/generators.rb
index 85f66cc416..3f1bf6a5bb 100644
--- a/railties/lib/rails/generators.rb
+++ b/railties/lib/rails/generators.rb
@@ -214,6 +214,7 @@ module Rails
rails.map! { |n| n.sub(/^rails:/, "") }
rails.delete("app")
rails.delete("plugin")
+ rails.delete("encrypted_secrets")
hidden_namespaces.each { |n| groups.delete(n.to_s) }
diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt
index 4a39e43e57..9c4a77fd1d 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt
@@ -14,6 +14,11 @@ Rails.application.configure do
config.consider_all_requests_local = false
config.action_controller.perform_caching = true
+ # Attempt to read encrypted secrets from `config/secrets.yml.enc`.
+ # Requires an encryption key in `ENV["RAILS_MASTER_KEY"]` or
+ # `config/secrets.yml.key`.
+ config.read_encrypted_secrets = true
+
# Disable serving static files from the `/public` folder by default since
# Apache or NGINX already handles this.
config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
diff --git a/railties/lib/rails/generators/rails/app/templates/config/secrets.yml b/railties/lib/rails/generators/rails/app/templates/config/secrets.yml
index 8e995a5df1..816efcc5b1 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/secrets.yml
+++ b/railties/lib/rails/generators/rails/app/templates/config/secrets.yml
@@ -23,8 +23,10 @@ development:
test:
secret_key_base: <%= app_secret %>
-# Do not keep production secrets in the repository,
-# instead read values from the environment.
+# Do not keep production secrets in the unencrypted secrets file.
+# Instead, either read values from the environment.
+# Or, use `bin/rails secrets:setup` to configure encrypted secrets
+# and move the `production:` environment over there.
production:
secret_key_base: <%%= ENV["SECRET_KEY_BASE"] %>
diff --git a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb b/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
new file mode 100644
index 0000000000..8b29213610
--- /dev/null
+++ b/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
@@ -0,0 +1,66 @@
+require "rails/generators/base"
+require "rails/secrets"
+
+module Rails
+ module Generators
+ class EncryptedSecretsGenerator < Base
+ def add_secrets_key_file
+ unless File.exist?("config/secrets.yml.key") || File.exist?("config/secrets.yml.enc")
+ key = Rails::Secrets.generate_key
+
+ say "Adding config/secrets.yml.key to store the encryption key: #{key}"
+ say ""
+ say "Save this in a password manager your team can access."
+ say ""
+ say "If you lose the key, no one, including you, can access any encrypted secrets."
+
+ say ""
+ create_file "config/secrets.yml.key", key
+ say ""
+ end
+ end
+
+ def ignore_key_file
+ if File.exist?(".gitignore")
+ unless File.read(".gitignore").include?(key_ignore)
+ say "Ignoring config/secrets.yml.key so it won't end up in Git history:"
+ say ""
+ append_to_file ".gitignore", key_ignore
+ say ""
+ end
+ else
+ say "IMPORTANT: Don't commit config/secrets.yml.key. Add this to your ignore file:"
+ say key_ignore, :on_green
+ say ""
+ end
+ end
+
+ def add_encrypted_secrets_file
+ unless File.exist?("config/secrets.yml.enc")
+ say "Adding config/secrets.yml.enc to store secrets that needs to be encrypted."
+ say ""
+
+ template "config/secrets.yml.enc" do |prefill|
+ say ""
+ say "For now the file contains this but it's been encrypted with the generated key:"
+ say ""
+ say prefill, :on_green
+ say ""
+
+ Secrets.encrypt(prefill)
+ end
+
+ say "You can edit encrypted secrets with `bin/rails secrets:edit`."
+
+ say "Add this to your config/environments/production.rb:"
+ say "config.read_encrypted_secrets = true"
+ end
+ end
+
+ private
+ def key_ignore
+ [ "", "# Ignore encrypted secrets key file.", "config/secrets.yml.key", "" ].join("\n")
+ end
+ end
+ end
+end
diff --git a/railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc b/railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc
new file mode 100644
index 0000000000..70426a66a5
--- /dev/null
+++ b/railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc
@@ -0,0 +1,3 @@
+# See `secrets.yml` for tips on generating suitable keys.
+# production:
+# external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289…
diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb
new file mode 100644
index 0000000000..a083914109
--- /dev/null
+++ b/railties/lib/rails/secrets.rb
@@ -0,0 +1,111 @@
+require "yaml"
+
+module Rails
+ # Greatly inspired by Ara T. Howard's magnificent sekrets gem. 😘
+ class Secrets # :nodoc:
+ class MissingKeyError < RuntimeError
+ def initialize
+ super(<<-end_of_message.squish)
+ Missing encryption key to decrypt secrets with.
+ Ask your team for your master key and put it in ENV["RAILS_MASTER_KEY"]
+ end_of_message
+ end
+ end
+
+ @read_encrypted_secrets = false
+ @root = File # Wonky, but ensures `join` uses the current directory.
+
+ class << self
+ attr_writer :root
+ attr_accessor :read_encrypted_secrets
+
+ def parse(paths, env:)
+ paths.each_with_object(Hash.new) do |path, all_secrets|
+ require "erb"
+
+ secrets = YAML.load(ERB.new(preprocess(path)).result) || {}
+ all_secrets.merge!(secrets["shared"].deep_symbolize_keys) if secrets["shared"]
+ all_secrets.merge!(secrets[env].deep_symbolize_keys) if secrets[env]
+ end
+ end
+
+ def generate_key
+ cipher = new_cipher
+ SecureRandom.hex(cipher.key_len)[0, cipher.key_len]
+ end
+
+ def key
+ ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key
+ end
+
+ def encrypt(text)
+ cipher(:encrypt, text)
+ end
+
+ def decrypt(data)
+ cipher(:decrypt, data)
+ end
+
+ def read
+ decrypt(IO.binread(path))
+ end
+
+ def write(contents)
+ IO.binwrite("#{path}.tmp", encrypt(contents))
+ FileUtils.mv("#{path}.tmp", path)
+ end
+
+ def read_for_editing
+ tmp_path = File.join(Dir.tmpdir, File.basename(path))
+ IO.binwrite(tmp_path, read)
+
+ yield tmp_path
+
+ write(IO.binread(tmp_path))
+ ensure
+ FileUtils.rm(tmp_path) if File.exist?(tmp_path)
+ end
+
+ private
+ def handle_missing_key
+ raise MissingKeyError
+ end
+
+ def read_key_file
+ if File.exist?(key_path)
+ IO.binread(key_path).strip
+ end
+ end
+
+ def key_path
+ @root.join("config", "secrets.yml.key")
+ end
+
+ def path
+ @root.join("config", "secrets.yml.enc").to_s
+ end
+
+ def preprocess(path)
+ if path.end_with?(".enc")
+ if @read_encrypted_secrets
+ decrypt(IO.binread(path))
+ else
+ ""
+ end
+ else
+ IO.read(path)
+ end
+ end
+
+ def new_cipher
+ OpenSSL::Cipher.new("aes-256-cbc")
+ end
+
+ def cipher(mode, data)
+ cipher = new_cipher.public_send(mode)
+ cipher.key = key
+ cipher.update(data) << cipher.final
+ end
+ end
+ end
+end
diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb
index 1ac2b4cde0..986afb6d2a 100644
--- a/railties/test/generators/app_generator_test.rb
+++ b/railties/test/generators/app_generator_test.rb
@@ -335,6 +335,7 @@ class AppGeneratorTest < Rails::Generators::TestCase
end
assert_file "config/environments/production.rb" do |content|
assert_match(/# config\.action_mailer\.raise_delivery_errors = false/, content)
+ assert_match(/^ config\.read_encrypted_secrets = true/, content)
end
end
diff --git a/railties/test/generators/encrypted_secrets_generator_test.rb b/railties/test/generators/encrypted_secrets_generator_test.rb
new file mode 100644
index 0000000000..747abf19ed
--- /dev/null
+++ b/railties/test/generators/encrypted_secrets_generator_test.rb
@@ -0,0 +1,42 @@
+require "generators/generators_test_helper"
+require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
+
+class EncryptedSecretsGeneratorTest < Rails::Generators::TestCase
+ include GeneratorsTestHelper
+
+ def setup
+ super
+ cd destination_root
+ end
+
+ def test_generates_key_file_and_encrypted_secrets_file
+ run_generator
+
+ assert_file "config/secrets.yml.key", /[\w\d]+/
+
+ assert File.exist?("config/secrets.yml.enc")
+ assert_no_match(/production:\n# external_api_key: [\w\d]+/, IO.binread("config/secrets.yml.enc"))
+ assert_match(/production:\n# external_api_key: [\w\d]+/, Rails::Secrets.read)
+ end
+
+ def test_appends_to_gitignore
+ FileUtils.touch(".gitignore")
+
+ run_generator
+
+ assert_file ".gitignore", /config\/secrets.yml.key/, /(?!config\/secrets.yml.enc)/
+ end
+
+ def test_warns_when_ignore_is_missing
+ assert_match(/Add this to your ignore file/i, run_generator)
+ end
+
+ def test_doesnt_generate_a_new_key_file_if_already_opted_in_to_encrypted_secrets
+ FileUtils.mkdir("config")
+ File.open("config/secrets.yml.enc", "w") { |f| f.puts "already secrety" }
+
+ run_generator
+
+ assert_no_file "config/secrets.yml.key"
+ end
+end
diff --git a/railties/test/isolation/abstract_unit.rb b/railties/test/isolation/abstract_unit.rb
index 1902eac862..924503a522 100644
--- a/railties/test/isolation/abstract_unit.rb
+++ b/railties/test/isolation/abstract_unit.rb
@@ -22,6 +22,7 @@ require "active_support/core_ext/object/blank"
require "active_support/testing/isolation"
require "active_support/core_ext/kernel/reporting"
require "tmpdir"
+require "rails/secrets"
module TestHelpers
module Paths
diff --git a/railties/test/secrets_test.rb b/railties/test/secrets_test.rb
new file mode 100644
index 0000000000..36e42cf1f9
--- /dev/null
+++ b/railties/test/secrets_test.rb
@@ -0,0 +1,108 @@
+require "abstract_unit"
+require "isolation/abstract_unit"
+require "rails/generators"
+require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
+require "rails/secrets"
+
+class Rails::SecretsTest < ActiveSupport::TestCase
+ include ActiveSupport::Testing::Isolation
+
+ def setup
+ build_app
+
+ @old_read_encrypted_secrets, Rails::Secrets.read_encrypted_secrets =
+ Rails::Secrets.read_encrypted_secrets, true
+ end
+
+ def teardown
+ Rails::Secrets.read_encrypted_secrets = @old_read_encrypted_secrets
+
+ teardown_app
+ end
+
+ test "setting read to false skips parsing" do
+ Rails::Secrets.read_encrypted_secrets = false
+
+ Dir.chdir(app_path) do
+ assert_equal Hash.new, Rails::Secrets.parse(%w( config/secrets.yml.enc ), env: "production")
+ end
+ end
+
+ test "raises when reading secrets without a key" do
+ run_secrets_generator do
+ FileUtils.rm("config/secrets.yml.key")
+
+ assert_raises Rails::Secrets::MissingKeyError do
+ Rails::Secrets.key
+ end
+ end
+ end
+
+ test "reading with ENV variable" do
+ run_secrets_generator do
+ begin
+ old_key = ENV["RAILS_MASTER_KEY"]
+ ENV["RAILS_MASTER_KEY"] = IO.binread("config/secrets.yml.key").strip
+ FileUtils.rm("config/secrets.yml.key")
+
+ assert_match "production:\n# external_api_key", Rails::Secrets.read
+ ensure
+ ENV["RAILS_MASTER_KEY"] = old_key
+ end
+ end
+ end
+
+ test "reading from key file" do
+ run_secrets_generator do
+ File.binwrite("config/secrets.yml.key", "How do I know you feel it?")
+
+ assert_equal "How do I know you feel it?", Rails::Secrets.key
+ end
+ end
+
+ test "editing" do
+ run_secrets_generator do
+ decrypted_path = nil
+
+ Rails::Secrets.read_for_editing do |tmp_path|
+ decrypted_path = tmp_path
+
+ assert_match(/production:\n# external_api_key/, File.read(tmp_path))
+
+ File.write(tmp_path, "Empty streets, empty nights. The Downtown Lights.")
+ end
+
+ assert_not File.exist?(decrypted_path)
+ assert_equal "Empty streets, empty nights. The Downtown Lights.", Rails::Secrets.read
+ end
+ end
+
+ test "merging secrets with encrypted precedence" do
+ run_secrets_generator do
+ File.write("config/secrets.yml", <<-end_of_secrets)
+ test:
+ yeah_yeah: lets-go-walking-down-this-empty-street
+ end_of_secrets
+
+ Rails::Secrets.write(<<-end_of_secrets)
+ test:
+ yeah_yeah: lets-walk-in-the-cool-evening-light
+ end_of_secrets
+
+ Rails.application.config.root = app_path
+ Rails.application.instance_variable_set(:@secrets, nil) # Dance around caching 💃🕺
+ assert_equal "lets-walk-in-the-cool-evening-light", Rails.application.secrets.yeah_yeah
+ end
+ end
+
+ private
+ def run_secrets_generator
+ Dir.chdir(app_path) do
+ capture(:stdout) do
+ Rails::Generators::EncryptedSecretsGenerator.start
+ end
+
+ yield
+ end
+ end
+end