require "abstract_unit"
require "isolation/abstract_unit"
require "rails/generators"
require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
require "rails/secrets"

# Exercises Rails::Secrets against a freshly generated application: key lookup
# (key file and RAILS_MASTER_KEY), reading, editing through a temporary
# decrypted file, and merging with the plain config/secrets.yml.
#
# Each test body runs inside the app directory after the encrypted secrets
# generator has been started (see run_secrets_generator).
class Rails::SecretsTest < ActiveSupport::TestCase
  include ActiveSupport::Testing::Isolation

  # Key file location, relative to the app root, that the tests remove or overwrite.
  KEY_FILE = "config/secrets.yml.key".freeze

  def setup
    build_app
  end

  def teardown
    teardown_app
  end

  # With read_encrypted_secrets disabled, a value that exists only in the
  # encrypted store must not show up in Rails.application.secrets.
  test "setting read to false skips parsing" do
    run_secrets_generator do
      Rails::Secrets.write(<<-end_of_secrets)
        test:
          yeah_yeah: lets-walk-in-the-cool-evening-light
      end_of_secrets

      Rails.application.config.read_encrypted_secrets = false
      forget_memoized_secrets
      assert_not Rails.application.secrets.yeah_yeah
    end
  end

  # Fail-closed check: once the key file is deleted, asking for the key raises
  # MissingKeyError.
  test "raises when reading secrets without a key" do
    run_secrets_generator do
      FileUtils.rm(KEY_FILE)

      assert_raises(Rails::Secrets::MissingKeyError) { Rails::Secrets.key }
    end
  end

  # The key is moved from the key file into RAILS_MASTER_KEY; reading must
  # still decrypt the generated secrets template.
  test "reading with ENV variable" do
    run_secrets_generator do
      begin
        previous_master_key = ENV["RAILS_MASTER_KEY"]
        ENV["RAILS_MASTER_KEY"] = IO.binread(KEY_FILE).strip
        FileUtils.rm(KEY_FILE)

        decrypted = Rails::Secrets.read
        assert_match "production:\n#  external_api_key", decrypted
      ensure
        # Put the earlier value back even when the assertion fails, so the key
        # does not stay in this process's environment. Assigning nil removes
        # the variable.
        ENV["RAILS_MASTER_KEY"] = previous_master_key
      end
    end
  end

  # The key file's content is what Rails::Secrets.key returns. The value below
  # is a fixed sample written by the test itself.
  test "reading from key file" do
    run_secrets_generator do
      sample_key = "00112233445566778899aabbccddeeff"
      File.binwrite(KEY_FILE, sample_key)

      assert_equal sample_key, Rails::Secrets.key
    end
  end

  # read_for_editing yields the path of a decrypted copy. What the block writes
  # there becomes the new secrets content, and the decrypted copy must no
  # longer exist once the block has returned. Only the normal-return path is
  # covered here; a block that raises is not exercised.
  test "editing" do
    run_secrets_generator do
      plaintext_path = nil
      replacement = "Empty streets, empty nights. The Downtown Lights."

      Rails::Secrets.read_for_editing do |yielded_path|
        plaintext_path = yielded_path

        assert_match(/production:\n#  external_api_key/, File.read(yielded_path))

        File.write(yielded_path, replacement)
      end

      # No plaintext secrets left on disk after editing.
      assert_not File.exist?(plaintext_path)
      assert_equal replacement, Rails::Secrets.read
    end
  end

  # The same key is defined in the plain secrets file and in the encrypted
  # store; the encrypted value is the one the application must see.
  test "merging secrets with encrypted precedence" do
    run_secrets_generator do
      File.write("config/secrets.yml", <<-end_of_secrets)
        test:
          yeah_yeah: lets-go-walking-down-this-empty-street
      end_of_secrets

      Rails::Secrets.write(<<-end_of_secrets)
        test:
          yeah_yeah: lets-walk-in-the-cool-evening-light
      end_of_secrets

      Rails.application.config.root = app_path
      Rails.application.config.read_encrypted_secrets = true
      forget_memoized_secrets
      assert_equal "lets-walk-in-the-cool-evening-light", Rails.application.secrets.yeah_yeah
    end
  end

  # An environment config file can dereference an encrypted secret; checked by
  # booting the app through bin/rails runner in production.
  test "refer secrets inside env config" do
    run_secrets_generator do
      Rails::Secrets.write(<<-end_of_yaml)
        production:
          some_secret: yeah yeah
      end_of_yaml

      add_to_env_config "production", <<-end_of_config
        config.dereferenced_secret = Rails.application.secrets.some_secret
      end_of_config

      runner_output = `bin/rails runner -e production "puts Rails.application.config.dereferenced_secret"`
      assert_equal "yeah yeah\n", runner_output
    end
  end

  private
    # Switches into the app directory, starts the encrypted secrets generator
    # with its stdout captured, then yields to the test body from inside that
    # directory.
    def run_secrets_generator
      Dir.chdir(app_path) do
        capture(:stdout) { Rails::Generators::EncryptedSecretsGenerator.start }

        yield
      end
    end

    # Rails.application keeps its secrets in @secrets; clearing it makes the
    # next Rails.application.secrets call rebuild them under the current config.
    def forget_memoized_secrets
      Rails.application.instance_variable_set(:@secrets, nil)
    end
end