feat: add rails credentials support #355
Conversation
noxasch
force-pushed
the
feat/add-rails-credentials-support
branch
from
a24c238 to
61810ff
Compare
|
I'm currently having trouble with different ruby version in the test, any clue ? |
|
Not 100% sure what's going on with the tests on CI. Tests pass for me locally. I suspect it has something to do with Rails 7.0 or 7.1 because we don't run tests for those Rails versions when running the test suite for Ruby 2.7, jruby, or truffleruby. I merged in a change that address the deprecation warnings for |
noxasch
force-pushed
the
feat/add-rails-credentials-support
branch
9 times, most recently
from
075d284 to
ef7ccc8
Compare
|
Update: Rebased to latest master I look around and found the solution for rails 7.1 fail test. For Rails 7.1 and above it seems we need to use All test should pass now. |
lib/config.rb
Outdated
| @@ -48,6 +49,14 @@ def self.load_files(*sources) | |||
|
|
|||
| config.add_source!(Sources::EnvSource.new(ENV)) if Config.use_env | |||
|
|
|||
| if defined?(::Rails::Railtie) && Config.use_rails_credentials | |||
| if Rails.version < '7.1' | |||
There was a problem hiding this comment.
Because the version numbers are represented as strings here, this comparison can lead to unexpected results. For example, if Rails.version is 10.0.0, then '10.0.0' < '7.1' == true
To compare version numbers correctly, I think we need to either use something like
if [Rails::VERSION::MAJOR, Rails::VERSION::MINOR] < [7, 1]or
if Gem::Version.new(Rails.version) < Gem::Version.new('7.1')
lib/config.rb
Outdated
| if Rails.version < '7.1' | ||
| config.add_source!(Sources::HashSource.new(secret: Rails.application.secrets.to_h.deep_stringify_keys)) | ||
| else | ||
| config.add_source!(Sources::HashSource.new(secret: Rails.application.credentials.config)) |
There was a problem hiding this comment.
I think Rails.application.credentials.config returns a hash with symbol keys. I think for merging to work correctly, we need to .deep_stringify_keys here.
lib/config.rb
Outdated
| @@ -48,6 +49,14 @@ def self.load_files(*sources) | |||
|
|
|||
| config.add_source!(Sources::EnvSource.new(ENV)) if Config.use_env | |||
There was a problem hiding this comment.
Let's load credentials before the environment. My expectation is usually that env vars should "win" against every other configuration source.
noxasch
force-pushed
the
feat/add-rails-credentials-support
branch
8 times, most recently
from
36b06f6 to
f67fadf
Compare
|
Update:
aws:
secret_access_key: '123456'Apparently we don't need to check for rails version, just need to require the master_key in test environment and for rails5.2 untiil 6.1 need test.key and master.key, otherwise it somehow ignore the |
|
@noxasch are you still interested in moving forward with this PR? |
|
Hi @pkuczynski , sure. im happy. would you like me to take a look at the fail test ? |
Great! It would be a shame to waste so much work you put in this already. I succesfully fixed most of the failing tests in #371, except JRuby. It would be great if you could help me fix remaining one... |
pkuczynski
changed the title
|
@pkuczynski I see all the test pass already, guess you fix all the test ? |
pkuczynski
requested review from
fredwu and
Nuzair46
and removed request for
toncid
|
Doubt: Rails credentials doesn't evaluate ERB anymore in the credentials file unlike secrets.yml before. I mean doing something like this token: <%= ENV['TOKEN'] %>With Rails credentials now token: 'must_be_hardcoded_as_file_will_be_encrytped'Does making it load with this gem bring back this functionality? Must be nice if it does and would be better to document it somewhere/test against it. I think it might be working as you are using add_source to load a Hash source. So as long as Rails will encrypt and decrypt the file, it should work fine |
|
@Nuzair46 not sure what you mean by that. What this does it will read rails credentials merge it with existing config from your |
|
@noxasch I was wondering if this pr enables evaluating the credentials file. api_key: '12345'
api_key_env: ENV['API_KEY'] # this will be evaluated and load the variable provided in the envBut after Rails credentials, this won't work anymore. And I have seen people wanting this feature like being able to have some env variable load from vault or other env managers. I thought this change to config gem will also make this possible, but it seems like it doesn't. tokyo(dev)> Rails.application.credentials.api_key
=> "12345"
tokyo(dev)> Rails.application.credentials.api_key_env
=> "<%= ENV[\"API_KEY\"] %>"
tokyo(dev)> exit
╭─Red@Red ~/Miqor/Tokyo ‹main●›
╰─$ rails c
Loading development environment (Rails 8.0.2)
tokyo(dev)> Settings.api_key
=> "12345"
tokyo(dev)> Settings.api_key_env
=> "<%= ENV[\"API_KEY\"] %>"
tokyo(dev)> exit
╭─Red@Red ~/Miqor/Tokyo ‹main●›
╰─$ API_KEY=123 rails c
Loading development environment (Rails 8.0.2)
tokyo(dev)> Settings.api_key_env
=> "<%= ENV[\"API_KEY\"] %>"
tokyo(dev)> Settings.api_key
=> "12345"
tokyo(dev)> Rails.application.credentials.api_key_env
=> "<%= ENV[\"API_KEY\"] %>" |
|
@Nuzair46 Understand. I supposed that is how it previously work that it only change if the setting is nil, if we want to achieve this should be a different change require there. |
Yea it will require us to evaluate the env and then attach it. But I think it might be out of scope for this repo. |
Nuzair46
dismissed
their stale review
Condition in lib/config.rb should be addressed
|
@noxasch Can you address the review comments. |
Added rails credentials support with config flag addressing #68