Explicitly check for secrets and credential files

So we prioritize credential files over secret files and only look for credential files from rails 7.2 onwards.
cheddar-me · Feb 14, 2024 · 7a7a39a · 7a7a39a
1 parent 8f3806e
commit 7a7a39a
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 9 deletions.
diff --git a/lib/eyaml/railtie.rb b/lib/eyaml/railtie.rb
@@ -9,13 +9,22 @@ class Railtie < Rails::Railtie
       PRIVATE_KEY_ENV_VAR = "EJSON_PRIVATE_KEY"
 
       config.before_configuration do
-        secrets_or_credentials = if Rails.version.start_with?("7.2") || Dir.glob(Rails.root.join("config", "credentials.*")).any?
-          :credentials
+        secret_files_present = Dir.glob(auth_files(:secrets)).any?
+        credential_files_present = Dir.glob(auth_files(:credentials)).any?
+
+        secrets_or_credentials = if Rails.version >= "7.2"
+          if credential_files_present
+            :credentials
+          end
         else
-          :secrets
+          if credential_files_present
+            :credentials
+          elsif secret_files_present
+            :secrets
+          end
         end
 
-        secrets_files(secrets_or_credentials).each do |file|
+        auth_files(secrets_or_credentials).each do |file|
           next unless valid?(file)
 
           # If private_key is nil (i.e. when $EJSON_PRIVATE_KEY is not set), EYAML will search
@@ -36,13 +45,13 @@ def valid?(pathname)
           pathname.exist?
         end
 
-        def secrets_files(secrets_or_credentials)
-          EYAML::SUPPORTED_EXTENSIONS.map do |ext|
+        def auth_files(secrets_or_credentials)
+          EYAML::SUPPORTED_EXTENSIONS.flat_map do |ext|
             [
               Rails.root.join("config", "#{secrets_or_credentials}.#{ext}"),
               Rails.root.join("config", "#{secrets_or_credentials}.#{Rails.env}.#{ext}")
             ]
-          end.flatten
+          end
         end
       end
     end

diff --git a/spec/eyaml/railtie_spec.rb b/spec/eyaml/railtie_spec.rb
@@ -12,7 +12,7 @@
     is_expected.to(be_a(::Rails::Railtie))
   end
 
-  context "with credentials" do
+  context "with only credentials" do
     let(:credentials) { credentials_class.new }
 
     before(:each) do
@@ -123,7 +123,7 @@
     end
   end
 
-  context "with secrets" do
+  context "with only secrets" do
     let(:secrets) { secrets_class.new }
 
     before(:each) do
@@ -233,4 +233,45 @@
       end
     end
   end
+
+  context "with both credentials and secrets" do
+    let(:secrets) { secrets_class.new }
+    let(:credentials) { credentials_class.new }
+
+    before(:each) do
+      FakeFS::FileSystem.clone(fixtures_root)
+
+      supported_extensions.each do |ext|
+        FakeFS::FileUtils.copy_file(
+          fixtures_root.join("data.#{ext}"),
+          config_root.join("secrets.env.#{ext}")
+        )
+
+        FakeFS::FileUtils.copy_file(
+          fixtures_root.join("data.#{ext}"),
+          config_root.join("secrets.#{ext}")
+        )
+
+        FakeFS::FileUtils.copy_file(
+          fixtures_root.join("data.#{ext}"),
+          config_root.join("credentials.env.#{ext}")
+        )
+
+        FakeFS::FileUtils.copy_file(
+          fixtures_root.join("data.#{ext}"),
+          config_root.join("credentials.#{ext}")
+        )
+      end
+
+      allow_rails.to(receive(:root).and_return(fixtures_root))
+      allow_rails.to(receive_message_chain("application.secrets").and_return(secrets))
+      allow_rails.to(receive_message_chain("application.credentials").and_return(credentials))
+    end
+
+    it "prioritizes credential files over secret files" do
+      run_load_hooks
+      expect(credentials).to(include(secret: "password"))
+      expect(secrets).to(be_empty)
+    end
+  end
 end