aboutsummaryrefslogtreecommitdiffstats
path: root/railties/lib
diff options
context:
space:
mode:
authorKasper Timm Hansen <kaspth@gmail.com>2018-09-24 14:07:32 +0200
committerKasper Timm Hansen <kaspth@gmail.com>2019-01-14 20:13:00 +0100
commit37c948ce6715df8ecbcda2b64a1e6eee9c5d6bb6 (patch)
tree82478e0ca821b42b3cdc63d22a50da70f4ba4473 /railties/lib
parent3631d7eee4bd034f2eefe1b9892d5fcd565579ac (diff)
downloadrails-37c948ce6715df8ecbcda2b64a1e6eee9c5d6bb6.tar.gz
rails-37c948ce6715df8ecbcda2b64a1e6eee9c5d6bb6.tar.bz2
rails-37c948ce6715df8ecbcda2b64a1e6eee9c5d6bb6.zip
Restructure credentials after environment overrides.
Follow up to: e0d3313 - Revert renames from `encrypted` and `encrypted_file` back to `credentials`. They might be using our Encrypted* generators but from that level of abstraction they're still about credentials. - Same vein: extract a `credentials` method for the `encrypted` local variable. But don't call it `encrypted` just because it uses that under the hood. It's about capturing the credentials. It's also useful in `change_credentials_in_system_editor`. - Remove lots of needless argument passing. We've abstracted content_path and key_path into methods for a reason, so they should be used. Also spares a conspicuous rename of content_path into file_path in other methods. - Reorders private methods so they're grouped into: command building blocks, option parsers, and the generators. - Extracts commonality in the credentials application tests. A tad unsure about this. But I do like that we go with key, content thus matching the command and remove the yield which isn't really needed. - Moves test/credentials_test.rb to beneath the test/application directory. It's a Rails application test, so it should be in there. - Uses `root.join` — a neat trick gleaned from the tests! — and composes the configuration private methods such that the building block is below the callers.
Diffstat (limited to 'railties/lib')
-rw-r--r--railties/lib/rails/application/configuration.rb16
-rw-r--r--railties/lib/rails/commands/credentials/USAGE21
-rw-r--r--railties/lib/rails/commands/credentials/credentials_command.rb56
3 files changed, 51 insertions, 42 deletions
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index 3595f60bf8..c2403c57a7 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -293,25 +293,25 @@ module Rails
end
private
- def credentials_available_for_current_env?
- File.exist?("#{root}/config/credentials/#{Rails.env}.yml.enc")
- end
-
def default_credentials_content_path
if credentials_available_for_current_env?
- File.join(root, "config", "credentials", "#{Rails.env}.yml.enc")
+ root.join("config", "credentials", "#{Rails.env}.yml.enc")
else
- File.join(root, "config", "credentials.yml.enc")
+ root.join("config", "credentials.yml.enc")
end
end
def default_credentials_key_path
if credentials_available_for_current_env?
- File.join(root, "config", "credentials", "#{Rails.env}.key")
+ root.join("config", "credentials", "#{Rails.env}.key")
else
- File.join(root, "config", "master.key")
+ root.join("config", "master.key")
end
end
+
+ def credentials_available_for_current_env?
+ File.exist?(root.join("config", "credentials", "#{Rails.env}.yml.enc"))
+ end
end
end
end
diff --git a/railties/lib/rails/commands/credentials/USAGE b/railties/lib/rails/commands/credentials/USAGE
index 6b33d1ab74..d235592f46 100644
--- a/railties/lib/rails/commands/credentials/USAGE
+++ b/railties/lib/rails/commands/credentials/USAGE
@@ -41,9 +41,18 @@ from leaking.
=== Environment Specific Credentials
-It is possible to have credentials for each environment. If the file for current environment exists it will take
-precedence over `config/credentials.yml.enc`, thus for `production` environment first look for
-`config/credentials/production.yml.enc` that can be decrypted using master key taken from `ENV["RAILS_MASTER_KEY"]`
-or stored in `config/credentials/production.key`.
-To edit given file use command `rails credentials:edit --environment production`
-Default paths can be overwritten by setting `config.credentials.content_path` and `config.credentials.key_path`.
+The `credentials` command supports passing an `--environment` option to create an
+environment specific override. That override will takes precedence over the
+global `config/credentials.yml.enc` file when running in that environment. So:
+
+ rails credentials:edit --environment development
+
+will create `config/credentials/development.yml.enc` with the corresponding
+encryption key in `config/credentials/development.key` if the credentials file
+doesn't exist.
+
+The encryption key can also be put in `ENV["RAILS_MASTER_KEY"]`, which takes
+precedence over the file encryption key.
+
+In addition to that, the default credentials lookup paths can be overriden through
+`config.credentials.content_path` and `config.credentials.key_path`.
diff --git a/railties/lib/rails/commands/credentials/credentials_command.rb b/railties/lib/rails/commands/credentials/credentials_command.rb
index 4b30d208e0..852cd401d7 100644
--- a/railties/lib/rails/commands/credentials/credentials_command.rb
+++ b/railties/lib/rails/commands/credentials/credentials_command.rb
@@ -24,13 +24,11 @@ module Rails
ensure_editor_available(command: "bin/rails credentials:edit") || (return)
- encrypted = Rails.application.encrypted(content_path, key_path: key_path)
-
- ensure_encryption_key_has_been_added(key_path) if encrypted.key.nil?
- ensure_encrypted_file_has_been_added(content_path, key_path)
+ ensure_encryption_key_has_been_added if credentials.key.nil?
+ ensure_credentials_have_been_added
catch_editing_exceptions do
- change_encrypted_file_in_system_editor(content_path, key_path)
+ change_credentials_in_system_editor
end
say "File encrypted and saved."
@@ -41,36 +39,46 @@ module Rails
def show
require_application_and_environment!
- encrypted = Rails.application.encrypted(content_path, key_path: key_path)
-
- say encrypted.read.presence || missing_encrypted_message(key: encrypted.key, key_path: key_path, file_path: content_path)
+ say credentials.read.presence || missing_credentials_message
end
private
- def content_path
- options[:environment] ? "config/credentials/#{options[:environment]}.yml.enc" : "config/credentials.yml.enc"
- end
-
- def key_path
- options[:environment] ? "config/credentials/#{options[:environment]}.key" : "config/master.key"
+ def credentials
+ Rails.application.encrypted(content_path, key_path: key_path)
end
-
- def ensure_encryption_key_has_been_added(key_path)
+ def ensure_encryption_key_has_been_added
encryption_key_file_generator.add_key_file(key_path)
encryption_key_file_generator.ignore_key_file(key_path)
end
- def ensure_encrypted_file_has_been_added(file_path, key_path)
- encrypted_file_generator.add_encrypted_file_silently(file_path, key_path)
+ def ensure_credentials_have_been_added
+ encrypted_file_generator.add_encrypted_file_silently(content_path, key_path)
end
- def change_encrypted_file_in_system_editor(file_path, key_path)
- Rails.application.encrypted(file_path, key_path: key_path).change do |tmp_path|
+ def change_credentials_in_system_editor
+ credentials.change do |tmp_path|
system("#{ENV["EDITOR"]} #{tmp_path}")
end
end
+ def missing_credentials_message
+ if credentials.key.nil?
+ "Missing '#{key_path}' to decrypt credentials. See `rails credentials:help`"
+ else
+ "File '#{content_path}' does not exist. Use `rails credentials:edit` to change that."
+ end
+ end
+
+
+ def content_path
+ options[:environment] ? "config/credentials/#{options[:environment]}.yml.enc" : "config/credentials.yml.enc"
+ end
+
+ def key_path
+ options[:environment] ? "config/credentials/#{options[:environment]}.key" : "config/master.key"
+ end
+
def encryption_key_file_generator
require "rails/generators"
@@ -85,14 +93,6 @@ module Rails
Rails::Generators::EncryptedFileGenerator.new
end
-
- def missing_encrypted_message(key:, key_path:, file_path:)
- if key.nil?
- "Missing '#{key_path}' to decrypt credentials. See `rails credentials:help`"
- else
- "File '#{file_path}' does not exist. Use `rails credentials:edit` to change that."
- end
- end
end
end
end