From 7a7a39a7d5dd88d4f59dc2d0da9eaae1f99e7f5e Mon Sep 17 00:00:00 2001
From: Sebastian van Hesteren
Date: Wed, 14 Feb 2024 17:39:27 +0100
Subject: [PATCH] Explicitly check for secrets and credential files

So we prioritize credential files over secret files and only look for credential files from rails 7.2 onwards.
---
 lib/eyaml/railtie.rb | 23 +++++++++++++------
 spec/eyaml/railtie_spec.rb | 45 ++++++++++++++++++++++++++++++++++++--
 2 files changed, 59 insertions(+), 9 deletions(-)

diff --git a/lib/eyaml/railtie.rb b/lib/eyaml/railtie.rb
index d16bbfb..439c53d 100644
--- a/lib/eyaml/railtie.rb
+++ b/lib/eyaml/railtie.rb
@@ -9,13 +9,22 @@ class Railtie < Rails::Railtie
 PRIVATE_KEY_ENV_VAR = "EJSON_PRIVATE_KEY"
 
 config.before_configuration do
- secrets_or_credentials = if Rails.version.start_with?("7.2") || Dir.glob(Rails.root.join("config", "credentials.*")).any?
- :credentials
+ secret_files_present = Dir.glob(auth_files(:secrets)).any?
+ credential_files_present = Dir.glob(auth_files(:credentials)).any?
+
+ secrets_or_credentials = if Rails.version >= "7.2"
+ if credential_files_present
+ :credentials
+ end
 else
- :secrets
+ if credential_files_present
+ :credentials
+ elsif secret_files_present
+ :secrets
+ end
 end
 
- secrets_files(secrets_or_credentials).each do |file|
+ auth_files(secrets_or_credentials).each do |file|
 next unless valid?(file)
 
 # If private_key is nil (i.e. when $EJSON_PRIVATE_KEY is not set), EYAML will search
@@ -36,13 +45,13 @@ def valid?(pathname)
 pathname.exist?
 end
 
- def secrets_files(secrets_or_credentials)
- EYAML::SUPPORTED_EXTENSIONS.map do |ext|
+ def auth_files(secrets_or_credentials)
+ EYAML::SUPPORTED_EXTENSIONS.flat_map do |ext|
 [
 Rails.root.join("config", "#{secrets_or_credentials}.#{ext}"),
 Rails.root.join("config", "#{secrets_or_credentials}.#{Rails.env}.#{ext}")
 ]
- end.flatten
+ end
 end
 end
 end
diff --git a/spec/eyaml/railtie_spec.rb b/spec/eyaml/railtie_spec.rb
index 17d6070..1f06603 100644
--- a/spec/eyaml/railtie_spec.rb
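Review bot: `Rails.version >= "7.2"` on the new `secrets_or_credentials = if ...` line is a lexical String comparison, so it orders versions wrongly whenever a component has a different digit count (a hypothetical "7.10" or "10.0" sorts below "7.2" and would fall into the legacy branch); compare version objects instead, `secrets_or_credentials = if Rails.gem_version >= Gem::Version.new("7.2")`. Both inner `if` blocks evaluate to nil when no matching file is present, and `auth_files(nil)` then produces paths of the form `config/.<ext>` and `config/.<env>.<ext>` (constructed from the join calls in the second hunk), so a stray dotfile in config/ that happens to exist would pass `valid?` and be loaded; add `next if secrets_or_credentials.nil?` before the `auth_files(secrets_or_credentials).each do |file|` line, assuming nothing later in the block reads that variable (the block continues past the hunk). The second hunk's `auth_files` rename is fine as it stands; a one-line comment on it stating that the argument is expected to be `:secrets` or `:credentials` would document the contract the first hunk now relies on.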
+++ b/spec/eyaml/railtie_spec.rb
@@ -12,7 +12,7 @@
 is_expected.to(be_a(::Rails::Railtie))
 end
 
- context "with credentials" do
+ context "with only credentials" do
 let(:credentials) { credentials_class.new }
 
 before(:each) do
@@ -123,7 +123,7 @@
 end
 end
 
- context "with secrets" do
+ context "with only secrets" do
 let(:secrets) { secrets_class.new }
 
 before(:each) do
@@ -233,4 +233,45 @@
 end
 end
 end
+
+ context "with both credentials and secrets" do
+ let(:secrets) { secrets_class.new }
+ let(:credentials) { credentials_class.new }
+
+ before(:each) do
+ FakeFS::FileSystem.clone(fixtures_root)
+
+ supported_extensions.each do |ext|
+ FakeFS::FileUtils.copy_file(
+ fixtures_root.join("data.#{ext}"),
+ config_root.join("secrets.env.#{ext}")
+ )
+
+ FakeFS::FileUtils.copy_file(
+ fixtures_root.join("data.#{ext}"),
+ config_root.join("secrets.#{ext}")
+ )
+
+ FakeFS::FileUtils.copy_file(
+ fixtures_root.join("data.#{ext}"),
+ config_root.join("credentials.env.#{ext}")
+ )
+
+ FakeFS::FileUtils.copy_file(
+ fixtures_root.join("data.#{ext}"),
+ config_root.join("credentials.#{ext}")
+ )
+ end
+
+ allow_rails.to(receive(:root).and_return(fixtures_root))
+ allow_rails.to(receive_message_chain("application.secrets").and_return(secrets))
+ allow_rails.to(receive_message_chain("application.credentials").and_return(credentials))
+ end
+
+ it "prioritizes credential files over secret files" do
+ run_load_hooks
+ expect(credentials).to(include(secret: "password"))
+ expect(secrets).to(be_empty)
+ end
+ end
 end
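Review bot: The new "with both credentials and secrets" context never stubs `Rails.version`, so the example only exercises whichever side of the railtie's version check the Rails installed in the test environment happens to select, and the behaviour the commit message calls out — secret files being ignored from 7.2 onwards — has no example at all. Pin the version in this context, e.g. `allow_rails.to(receive(:version).and_return("7.1.0"))` if `allow_rails` wraps `allow(Rails)` as the neighbouring `receive(:root)` stub suggests, and add a sibling context that copies only the secret files under a version at or above 7.2 and asserts that both `credentials` and `secrets` stay empty. The two earlier hunks only rename context descriptions and need no change.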