From 37c948ce6715df8ecbcda2b64a1e6eee9c5d6bb6 Mon Sep 17 00:00:00 2001 From: Kasper Timm Hansen Date: Mon, 24 Sep 2018 14:07:32 +0200 Subject: Restructure credentials after environment overrides. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow up to: e0d3313 - Revert renames from `encrypted` and `encrypted_file` back to `credentials`. They might be using our Encrypted* generators but from that level of abstraction they're still about credentials. - Same vein: extract a `credentials` method for the `encrypted` local variable. But don't call it `encrypted` just because it uses that under the hood. It's about capturing the credentials. It's also useful in `change_credentials_in_system_editor`. - Remove lots of needless argument passing. We've abstracted content_path and key_path into methods for a reason, so they should be used. Also spares a conspicuous rename of content_path into file_path in other methods. - Reorders private methods so they're grouped into: command building blocks, option parsers, and the generators. - Extracts commonality in the credentials application tests. A tad unsure about this. But I do like that we go with key, content thus matching the command and remove the yield which isn't really needed. - Moves test/credentials_test.rb to beneath the test/application directory. It's a Rails application test, so it should be in there. - Uses `root.join` — a neat trick gleaned from the tests! — and composes the configuration private methods such that the building block is below the callers. --- railties/lib/rails/commands/credentials/USAGE | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) (limited to 'railties/lib/rails/commands/credentials/USAGE') diff --git a/railties/lib/rails/commands/credentials/USAGE b/railties/lib/rails/commands/credentials/USAGE index 6b33d1ab74..d235592f46 100644 --- a/railties/lib/rails/commands/credentials/USAGE +++ b/railties/lib/rails/commands/credentials/USAGE @@ -41,9 +41,18 @@ from leaking. === Environment Specific Credentials -It is possible to have credentials for each environment. If the file for current environment exists it will take -precedence over `config/credentials.yml.enc`, thus for `production` environment first look for -`config/credentials/production.yml.enc` that can be decrypted using master key taken from `ENV["RAILS_MASTER_KEY"]` -or stored in `config/credentials/production.key`. -To edit given file use command `rails credentials:edit --environment production` -Default paths can be overwritten by setting `config.credentials.content_path` and `config.credentials.key_path`. +The `credentials` command supports passing an `--environment` option to create an +environment specific override. That override will takes precedence over the +global `config/credentials.yml.enc` file when running in that environment. So: + + rails credentials:edit --environment development + +will create `config/credentials/development.yml.enc` with the corresponding +encryption key in `config/credentials/development.key` if the credentials file +doesn't exist. + +The encryption key can also be put in `ENV["RAILS_MASTER_KEY"]`, which takes +precedence over the file encryption key. + +In addition to that, the default credentials lookup paths can be overriden through +`config.credentials.content_path` and `config.credentials.key_path`. -- cgit v1.2.3