-
-
Notifications
You must be signed in to change notification settings - Fork 235
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add rails credentials support #355
base: master
Are you sure you want to change the base?
Add rails credentials support #355
Conversation
a24c238
to
61810ff
Compare
I'm currently having trouble with different ruby version in the test, any clue ? |
Not 100% sure what's going on with the tests on CI. Tests pass for me locally. I suspect it has something to do with Rails 7.0 or 7.1 because we don't run tests for those Rails versions when running the test suite for Ruby 2.7, jruby, or truffleruby. I merged in a change that address the deprecation warnings for |
075d284
to
ef7ccc8
Compare
Update: Rebased to latest master I look around and found the solution for rails 7.1 fail test. For Rails 7.1 and above it seems we need to use All test should pass now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome work! Requested a few changes
lib/config.rb
Outdated
@@ -48,6 +49,14 @@ def self.load_files(*sources) | |||
|
|||
config.add_source!(Sources::EnvSource.new(ENV)) if Config.use_env | |||
|
|||
if defined?(::Rails::Railtie) && Config.use_rails_credentials | |||
if Rails.version < '7.1' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because the version numbers are represented as strings here, this comparison can lead to unexpected results. For example, if Rails.version
is 10.0.0
, then '10.0.0' < '7.1' == true
To compare version numbers correctly, I think we need to either use something like
if [Rails::VERSION::MAJOR, Rails::VERSION::MINOR] < [7, 1]
or
if Gem::Version.new(Rails.version) < Gem::Version.new('7.1')
lib/config.rb
Outdated
@@ -48,6 +49,14 @@ def self.load_files(*sources) | |||
|
|||
config.add_source!(Sources::EnvSource.new(ENV)) if Config.use_env | |||
|
|||
if defined?(::Rails::Railtie) && Config.use_rails_credentials | |||
if Rails.version < '7.1' | |||
config.add_source!(Sources::HashSource.new(secret: Rails.application.secrets.to_h.deep_stringify_keys)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's remove the nesting of the credentials under the top-level secret
key. I think that'll be more useful as the default behavior in order to support merging with other config sources. For example, if my config.yaml file has
aws:
region: 'us-west-1'
And my Rails credentials has
aws:
secret_access_key: '123456'
...then I'd want to be able to access Settings.aws
, which would contain both region
and secret_access_key
.
If someone really wants to keep their secrets in a separate key, they can always turn off use_rails_credentials
add it themselves in an initializer
Settings.add_source!({ secret: Rails.application.credentials.config.deep_stringify_keys })
Settings.reload!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, agree on this.
lib/config.rb
Outdated
if Rails.version < '7.1' | ||
config.add_source!(Sources::HashSource.new(secret: Rails.application.secrets.to_h.deep_stringify_keys)) | ||
else | ||
config.add_source!(Sources::HashSource.new(secret: Rails.application.credentials.config)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think Rails.application.credentials.config
returns a hash with symbol keys. I think for merging to work correctly, we need to .deep_stringify_keys
here.
lib/config.rb
Outdated
@@ -48,6 +49,14 @@ def self.load_files(*sources) | |||
|
|||
config.add_source!(Sources::EnvSource.new(ENV)) if Config.use_env |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's load credentials before the environment. My expectation is usually that env vars should "win" against every other configuration source.
@@ -0,0 +1 @@ | |||
qU0cAsjfKz4lnoJPU36JuM7Yh3qm6B2YV7LhqJROKCu4AsOW0AfFY9FM+aTeRsZOIdIBHyyargCI1xmq3N5o4rdVZRXxWIt2PD93xZPlcMrlAb645m8hyni1cW4=--dPokgPsIyoKhzMzD--nb/fnuH1FaTNT5iF8J3TfQ== |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried looking at these values locally with
cd spec/app/rails_7.1
RAILS_MASTER_KEY='0e29551e5c31acf7c769d64397af54e4' bundle exec rails credentials:edit
but I got an error
Editing config/credentials.yml.enc...
Couldn't decrypt config/credentials.yml.enc. Perhaps you passed the wrong key?
...but it seems to work on CI, so it's a little weird. Any idea how I can look at these values locally?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cjlarose just remove the single quotes
36b06f6
to
f67fadf
Compare
Update:
aws:
secret_access_key: '123456' Apparently we don't need to check for rails version, just need to require the master_key in test environment and for rails5.2 untiil 6.1 need test.key and master.key, otherwise it somehow ignore the |
@cjlarose let me know if there is anything else require. |
utilize ActiveSupport::EncryptedConfiguration config method
4eddca8
to
de1bb93
Compare
Added rails credentials support with config flag addressing #68