Merge pull request #28128 from rails/revert-28127-revert-28038-encrypted-secrets

Revert "Revert "Add encrypted secrets""

5 files changed, 168 insertions, 12 deletions

diff --git a/railties/test/application/test_runner_test.rb b/railties/test/application/test_runner_test.rb
index ee03d8b86c..e773b52dbb 100644
--- a/railties/test/application/test_runner_test.rb
+++ b/railties/test/application/test_runner_test.rb
@@ -70,16 +70,18 @@ module ApplicationTests
     end
 
     def test_run_units
-      skip "we no longer have the concept of unit tests. Just different directories..."
       create_test_file :models, "foo"
       create_test_file :helpers, "bar_helper"
       create_test_file :unit, "baz_unit"
       create_test_file :controllers, "foobar_controller"
-      run_test_units_command.tap do |output|
-        assert_match "FooTest", output
-        assert_match "BarHelperTest", output
-        assert_match "BazUnitTest", output
-        assert_match "3 runs, 3 assertions, 0 failures", output
+
+      Dir.chdir(app_path) do
+        `bin/rails test:units`.tap do |output|
+          assert_match "FooTest", output
+          assert_match "BarHelperTest", output
+          assert_match "BazUnitTest", output
+          assert_match "3 runs, 3 assertions, 0 failures", output
+        end
       end
     end
 
@@ -117,16 +119,18 @@ module ApplicationTests
     end
 
     def test_run_functionals
-      skip "we no longer have the concept of functional tests. Just different directories..."
       create_test_file :mailers, "foo_mailer"
       create_test_file :controllers, "bar_controller"
       create_test_file :functional, "baz_functional"
       create_test_file :models, "foo"
-      run_test_functionals_command.tap do |output|
-        assert_match "FooMailerTest", output
-        assert_match "BarControllerTest", output
-        assert_match "BazFunctionalTest", output
-        assert_match "3 runs, 3 assertions, 0 failures", output
+
+      Dir.chdir(app_path) do
+        `bin/rails test:functionals`.tap do |output|
+          assert_match "FooMailerTest", output
+          assert_match "BarControllerTest", output
+          assert_match "BazFunctionalTest", output
+          assert_match "3 runs, 3 assertions, 0 failures", output
+        end
       end
     end
 
diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb
index 1ac2b4cde0..986afb6d2a 100644
--- a/railties/test/generators/app_generator_test.rb
+++ b/railties/test/generators/app_generator_test.rb
@@ -335,6 +335,7 @@ class AppGeneratorTest < Rails::Generators::TestCase
     end
     assert_file "config/environments/production.rb" do |content|
       assert_match(/# config\.action_mailer\.raise_delivery_errors = false/, content)
+      assert_match(/^  config\.read_encrypted_secrets = true/, content)
     end
   end
 
diff --git a/railties/test/generators/encrypted_secrets_generator_test.rb b/railties/test/generators/encrypted_secrets_generator_test.rb
new file mode 100644
index 0000000000..747abf19ed
--- /dev/null
+++ b/railties/test/generators/encrypted_secrets_generator_test.rb
@@ -0,0 +1,42 @@
+require "generators/generators_test_helper"
+require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
+
+class EncryptedSecretsGeneratorTest < Rails::Generators::TestCase
+  include GeneratorsTestHelper
+
+  def setup
+    super
+    cd destination_root
+  end
+
+  def test_generates_key_file_and_encrypted_secrets_file
+    run_generator
+
+    assert_file "config/secrets.yml.key", /[\w\d]+/
+
+    assert File.exist?("config/secrets.yml.enc")
+    assert_no_match(/production:\n#  external_api_key: [\w\d]+/, IO.binread("config/secrets.yml.enc"))
+    assert_match(/production:\n#  external_api_key: [\w\d]+/, Rails::Secrets.read)
+  end
+
+  def test_appends_to_gitignore
+    FileUtils.touch(".gitignore")
+
+    run_generator
+
+    assert_file ".gitignore", /config\/secrets.yml.key/, /(?!config\/secrets.yml.enc)/
+  end
+
+  def test_warns_when_ignore_is_missing
+    assert_match(/Add this to your ignore file/i, run_generator)
+  end
+
+  def test_doesnt_generate_a_new_key_file_if_already_opted_in_to_encrypted_secrets
+    FileUtils.mkdir("config")
+    File.open("config/secrets.yml.enc", "w") { |f| f.puts "already secrety" }
+
+    run_generator
+
+    assert_no_file "config/secrets.yml.key"
+  end
+end
diff --git a/railties/test/isolation/abstract_unit.rb b/railties/test/isolation/abstract_unit.rb
index 1902eac862..924503a522 100644
--- a/railties/test/isolation/abstract_unit.rb
+++ b/railties/test/isolation/abstract_unit.rb
@@ -22,6 +22,7 @@ require "active_support/core_ext/object/blank"
 require "active_support/testing/isolation"
 require "active_support/core_ext/kernel/reporting"
 require "tmpdir"
+require "rails/secrets"
 
 module TestHelpers
   module Paths
diff --git a/railties/test/secrets_test.rb b/railties/test/secrets_test.rb
new file mode 100644
index 0000000000..36e42cf1f9
--- /dev/null
+++ b/railties/test/secrets_test.rb
@@ -0,0 +1,108 @@
+require "abstract_unit"
+require "isolation/abstract_unit"
+require "rails/generators"
+require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
+require "rails/secrets"
+
+class Rails::SecretsTest < ActiveSupport::TestCase
+  include ActiveSupport::Testing::Isolation
+
+  def setup
+    build_app
+
+    @old_read_encrypted_secrets, Rails::Secrets.read_encrypted_secrets =
+      Rails::Secrets.read_encrypted_secrets, true
+  end
+
+  def teardown
+    Rails::Secrets.read_encrypted_secrets = @old_read_encrypted_secrets
+
+    teardown_app
+  end
+
+  test "setting read to false skips parsing" do
+    Rails::Secrets.read_encrypted_secrets = false
+
+    Dir.chdir(app_path) do
+      assert_equal Hash.new, Rails::Secrets.parse(%w( config/secrets.yml.enc ), env: "production")
+    end
+  end
+
+  test "raises when reading secrets without a key" do
+    run_secrets_generator do
+      FileUtils.rm("config/secrets.yml.key")
+
+      assert_raises Rails::Secrets::MissingKeyError do
+        Rails::Secrets.key
+      end
+    end
+  end
+
+  test "reading with ENV variable" do
+    run_secrets_generator do
+      begin
+        old_key = ENV["RAILS_MASTER_KEY"]
+        ENV["RAILS_MASTER_KEY"] = IO.binread("config/secrets.yml.key").strip
+        FileUtils.rm("config/secrets.yml.key")
+
+        assert_match "production:\n#  external_api_key", Rails::Secrets.read
+      ensure
+        ENV["RAILS_MASTER_KEY"] = old_key
+      end
+    end
+  end
+
+  test "reading from key file" do
+    run_secrets_generator do
+      File.binwrite("config/secrets.yml.key", "How do I know you feel it?")
+
+      assert_equal "How do I know you feel it?", Rails::Secrets.key
+    end
+  end
+
+  test "editing" do
+    run_secrets_generator do
+      decrypted_path = nil
+
+      Rails::Secrets.read_for_editing do |tmp_path|
+        decrypted_path = tmp_path
+
+        assert_match(/production:\n#  external_api_key/, File.read(tmp_path))
+
+        File.write(tmp_path, "Empty streets, empty nights. The Downtown Lights.")
+      end
+
+      assert_not File.exist?(decrypted_path)
+      assert_equal "Empty streets, empty nights. The Downtown Lights.", Rails::Secrets.read
+    end
+  end
+
+  test "merging secrets with encrypted precedence" do
+    run_secrets_generator do
+      File.write("config/secrets.yml", <<-end_of_secrets)
+        test:
+          yeah_yeah: lets-go-walking-down-this-empty-street
+      end_of_secrets
+
+      Rails::Secrets.write(<<-end_of_secrets)
+        test:
+          yeah_yeah: lets-walk-in-the-cool-evening-light
+      end_of_secrets
+
+      Rails.application.config.root = app_path
+      Rails.application.instance_variable_set(:@secrets, nil) # Dance around caching 💃🕺
+      assert_equal "lets-walk-in-the-cool-evening-light", Rails.application.secrets.yeah_yeah
+    end
+  end
+
+  private
+    def run_secrets_generator
+      Dir.chdir(app_path) do
+        capture(:stdout) do
+          Rails::Generators::EncryptedSecretsGenerator.start
+        end
+
+        yield
+      end
+    end
+end