From bb30f05f3858f97791f0e1530e625b7ea2c6c5e2 Mon Sep 17 00:00:00 2001 From: Kasper Timm Hansen Date: Sun, 12 Nov 2017 17:32:52 +0100 Subject: Deprecate encrypted secrets in favor of credentials. Allow edits of existing encrypted secrets generated on Rails 5.1, but refer to credentials when attempting to setup. This also removes the need for any of the setup code, so the generator can be ripped out altogether. --- railties/test/commands/secrets_test.rb | 49 +++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 12 deletions(-) (limited to 'railties/test/commands') diff --git a/railties/test/commands/secrets_test.rb b/railties/test/commands/secrets_test.rb index 66a81826e3..6b9f284a0c 100644 --- a/railties/test/commands/secrets_test.rb +++ b/railties/test/commands/secrets_test.rb @@ -8,21 +8,38 @@ require "rails/commands/secrets/secrets_command" class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase include ActiveSupport::Testing::Isolation, EnvHelpers - def setup - build_app + setup :build_app + teardown :teardown_app + + test "edit without editor gives hint" do + assert_match "No $EDITOR to open decrypted secrets in", run_edit_command(editor: "") end - def teardown - teardown_app + test "encrypted secrets are deprecated when using credentials" do + assert_match "Encrypted secrets is deprecated", run_setup_command + assert_equal 1, $?.exitstatus + assert_not File.exist?("config/secrets.yml.enc") end - test "edit without editor gives hint" do - assert_match "No $EDITOR to open decrypted secrets in", run_edit_command(editor: "") + test "encrypted secrets are deprecated when running edit without setup" do + assert_match "Encrypted secrets is deprecated", run_setup_command + assert_equal 1, $?.exitstatus + assert_not File.exist?("config/secrets.yml.enc") + end + + test "encrypted secrets are deprecated for 5.1 config/secrets.yml apps" do + Dir.chdir(app_path) do + FileUtils.rm("config/credentials.yml.enc") + FileUtils.touch("config/secrets.yml") + + assert_match "Encrypted secrets is deprecated", run_setup_command + assert_equal 1, $?.exitstatus + assert_not File.exist?("config/secrets.yml.enc") + end end test "edit secrets" do - # Runs setup before first edit. - assert_match(/Adding config\/secrets\.yml\.key to store the encryption key/, run_edit_command) + prevent_deprecation # Run twice to ensure encrypted secrets can be reread after first edit pass. 2.times do @@ -31,22 +48,30 @@ class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase end test "show secrets" do - run_setup_command + prevent_deprecation + assert_match(/external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289/, run_show_command) end private + def prevent_deprecation + Dir.chdir(app_path) do + File.write("config/secrets.yml.key", "f731758c639da2604dfb6bf3d1025de8") + File.write("config/secrets.yml.enc", "sEB0mHxDbeP1/KdnMk00wyzPFACl9K6t0cZWn5/Mfx/YbTHvnI07vrneqHg9kaH3wOS7L6pIQteu1P077OtE4BSx/ZRc/sgQPHyWu/tXsrfHqnPNpayOF/XZqizE91JacSFItNMWpuPsp9ynbzz+7cGhoB1S4aPNIU6u0doMrzdngDbijsaAFJmsHIQh6t/QHoJx--8aMoE0PvUWmw1Iqz--ldFqnM/K0g9k17M8PKoN/Q==") + end + end + def run_edit_command(editor: "cat") switch_env("EDITOR", editor) do - rails "secrets:edit" + rails "secrets:edit", allow_failure: true end end def run_show_command - rails "secrets:show" + rails "secrets:show", allow_failure: true end def run_setup_command - rails "secrets:setup" + rails "secrets:setup", allow_failure: true end end -- cgit v1.2.3 From 7a8728a03986489e1c843ed850afc2c16fb6eb06 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wojciech=20Wn=C4=99trzak?= Date: Tue, 14 Nov 2017 11:44:23 +0100 Subject: Add CLI to manage encrypted files/configs. To edit/show encrypted file: ``` bin/rails encrypted:edit config/staging_tokens.yml.enc bin/rails encrypted:edit config/staging_tokens.yml.enc --key config/staging.key bin/rails encrypted:show config/staging_tokens.yml.enc ``` Also provides a backing Rails.application.encrypted API for Ruby access: ```ruby Rails.application.encrypted("config/staging_tokens.yml.enc").read Rails.application.encrypted("config/staging_tokens.yml.enc").config Rails.application.encrypted("config/staging_tokens.yml.enc", key: "config/staging.key") ``` --- railties/test/commands/credentials_test.rb | 5 +- railties/test/commands/encrypted_test.rb | 80 ++++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 railties/test/commands/encrypted_test.rb (limited to 'railties/test/commands') diff --git a/railties/test/commands/credentials_test.rb b/railties/test/commands/credentials_test.rb index 743fb5f788..4ef827fcf1 100644 --- a/railties/test/commands/credentials_test.rb +++ b/railties/test/commands/credentials_test.rb @@ -13,7 +13,10 @@ class Rails::Command::CredentialsCommandTest < ActiveSupport::TestCase teardown { teardown_app } test "edit without editor gives hint" do - assert_match "No $EDITOR to open credentials in", run_edit_command(editor: "") + run_edit_command(editor: "").tap do |output| + assert_match "No $EDITOR to open file in", output + assert_match "bin/rails credentials:edit", output + end end test "edit credentials" do diff --git a/railties/test/commands/encrypted_test.rb b/railties/test/commands/encrypted_test.rb new file mode 100644 index 0000000000..0461493f2a --- /dev/null +++ b/railties/test/commands/encrypted_test.rb @@ -0,0 +1,80 @@ +# frozen_string_literal: true + +require "isolation/abstract_unit" +require "env_helpers" +require "rails/command" +require "rails/commands/encrypted/encrypted_command" + +class Rails::Command::EncryptedCommandTest < ActiveSupport::TestCase + include ActiveSupport::Testing::Isolation, EnvHelpers + + setup :build_app + teardown :teardown_app + + test "edit without editor gives hint" do + run_edit_command("config/tokens.yml.enc", editor: "").tap do |output| + assert_match "No $EDITOR to open file in", output + assert_match "bin/rails encrypted:edit", output + end + end + + test "edit encrypted file" do + # Run twice to ensure file can be reread after first edit pass. + 2.times do + assert_match(/access_key_id: 123/, run_edit_command("config/tokens.yml.enc")) + end + end + + test "edit command does not add master key to gitignore when already exist" do + run_edit_command("config/tokens.yml.enc") + + Dir.chdir(app_path) do + assert_match "/config/master.key", File.read(".gitignore") + end + end + + test "edit encrypts file with custom key" do + run_edit_command("config/tokens.yml.enc", key: "config/tokens.key") + + Dir.chdir(app_path) do + assert File.exist?("config/tokens.yml.enc") + assert File.exist?("config/tokens.key") + + assert_match "/config/tokens.key", File.read(".gitignore") + end + + assert_match(/access_key_id: 123/, run_edit_command("config/tokens.yml.enc", key: "config/tokens.key")) + end + + test "show encrypted file with custom key" do + run_edit_command("config/tokens.yml.enc", key: "config/tokens.key") + + assert_match(/access_key_id: 123/, run_show_command("config/tokens.yml.enc", key: "config/tokens.key")) + end + + test "won't corrupt encrypted file when passed wrong key" do + run_edit_command("config/tokens.yml.enc", key: "config/tokens.key") + + assert_match "passed the wrong key", + run_edit_command("config/tokens.yml.enc", allow_failure: true) + + assert_match(/access_key_id: 123/, run_show_command("config/tokens.yml.enc", key: "config/tokens.key")) + end + + private + def run_edit_command(file, key: nil, editor: "cat", **options) + switch_env("EDITOR", editor) do + rails "encrypted:edit", prepare_args(file, key), **options + end + end + + def run_show_command(file, key: nil) + rails "encrypted:show", prepare_args(file, key) + end + + def prepare_args(file, key) + args = [ file ] + args.push("--key", key) if key + args + end +end -- cgit v1.2.3