RubyGems - berkeley_library-docker - Versions diffs - 0.1.1 → 0.2.0.pre.rc2 - Mend

berkeley_library-docker 0.1.1 → 0.2.0.pre.rc2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/README.md +8 -2
data/lib/berkeley_library/docker/module_info.rb +1 -1
data/lib/berkeley_library/docker/railtie.rb +21 -3
data/lib/berkeley_library/docker/secret.rb +33 -16
data/spec/berkeley_library/docker/railtie_spec.rb +23 -23
data/spec/berkeley_library/docker/secret_spec.rb +20 -17
data/spec/berkeley_library/docker_spec.rb +1 -1
data/spec/spec_helper.rb +4 -2
data/spec/spec_utils.rb +6 -6
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 75df4187f362680f782f8ce0e4d7a5aa438c4f86f44d1337c0495253e1b4733a
-  data.tar.gz: 51fdf2f4e9f29080bda4d7fe93096c0d314def1649f6a7da70290324ca7f642a
+  metadata.gz: 5fccf11c3452690216d316ab64be7b2e57dc82a51b9d384ec9b1feb0419f7947
+  data.tar.gz: dad729f07dcdc468b82d2ff72d10cfc19899bbea8ef67d06158c1f94722cb0ae
 SHA512:
-  metadata.gz: 24714d86ebb5416d303acca6d31f46e1d3e4c7514afbf2fcee166638c7ba25c64cbc5e1d4fdbc49e97babc5568198d32c09909ab1bc43c0652c56a3140a9ff98
-  data.tar.gz: 31b41f95fe42a25a725c9d8702d00e4a922c41afb8df1b9503ed3efab626a206511ffbe69e925c8d26a0c6779afbb977c4427c4c81ced59e4edb1273c9baced2
+  metadata.gz: 3fcb0b7e40466acef102e32c380db573b7463123d91b5673961654fa449e77a39fcf6f5fce75d9b6d1ab97ce048d7398a90cc431dd02a4b6fffac6377d493d35
+  data.tar.gz: 9a27223955e09e2d76eeecde8b3958821b749676d3d948508a89cb24c4c03b4bf432b2b94b58acfcf6c7208f462a30951ad062bd0e91326ab5520e94f1fa8e8f

data/README.md CHANGED Viewed

@@ -7,14 +7,20 @@ require 'berkeley_library/docker'
 BerkeleyLibrary::Docker::Secret.load_secrets!
 ```
-Secrets are loaded from `/run/secrets` by default. You can override this by passing another path (or glob pattern) to the `load_secrets!` method, or by setting the `UCBLIB_SECRETS_PATH` environment variable. For example:
+---
+> **Note on (Rails) load order:** This gem loads the environment using Rails' `before_configuration` hook, a la the [dotenv](https://github.com/bkeepers/dotenv#note-on-load-order) gem. Manually call `BerkeleyLibrary::Docker::Secret.load_secrets!` if you need to load secrets earlier.
+---
+Secrets are loaded from `/run/secrets` by default. You can override this by passing another path (or glob pattern) to the `load_secrets!` method, or by setting the `UCBLIB_SECRETS_PATTERN` environment variable. For example:
 ```ruby
 # Load any file under /tmp/secrets
 BerkeleyLibrary::Docker::Secret.load_secrets! '/tmp/secrets/**/*'
 # Load only a specific file
-ENV['UCBLIB_SECRETS_PATH'] = '/run/secrets/DB_PASSWORD'
+ENV['UCBLIB_SECRETS_PATTERN'] = '/run/secrets/DB_PASSWORD'
 BerkeleyLibrary::Docker::Secret.load_secrets!
 ```

data/lib/berkeley_library/docker/module_info.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module BerkeleyLibrary
       SUMMARY = 'Utility functions for Dockerizing Ruby apps'.freeze
       DESCRIPTION = 'Utility functions for making Ruby apps "just work" in Docker containers.'.freeze
       LICENSE = 'MIT'.freeze
-      VERSION = '0.1.1'.freeze
+      VERSION = '0.2.0-rc2'.freeze
       HOMEPAGE = 'https://github.com/BerkeleyLibrary/docker'.freeze
       private_class_method :new

data/lib/berkeley_library/docker/railtie.rb CHANGED Viewed

@@ -2,10 +2,28 @@ require 'berkeley_library/docker/secret'
 module BerkeleyLibrary
   module Docker
-    class Railtie < Rails::Railtie
-      NAME = 'berkeley_library-docker.load_secrets'.freeze
+    class Railtie < ::Rails::Railtie
+      include Logging
-      initializer(NAME, after: :initialize_logger) { Secret.load_secrets! }
+      def secrets
+        @secrets ||= {}
+      end
+      def load_secrets!
+        @secrets = Secret.load_secrets!
+      end
+      private
+      config.before_configuration { load_secrets! }
+      # @note Logging occurs later because the Rails logger, which we use to
+      # bootstrap ours, isn't initialized until after `before_configuration`.
+      initializer 'berkeley_library-docker.log_loaded_secrets' do
+        secrets.each do |_, secret|
+          log_info "Loaded secret: #{secret.inspect}"
+        end
+      end
     end
   end
 end

data/lib/berkeley_library/docker/secret.rb CHANGED Viewed

@@ -1,4 +1,6 @@
 require 'berkeley_library/docker/logging'
+require 'digest'
+require 'time'
 module BerkeleyLibrary
   module Docker
@@ -6,31 +8,46 @@ module BerkeleyLibrary
       class << self
         include Logging
-        PATH_OVERRIDE_ENVVAR = 'UCBLIB_SECRETS_PATH'
-        DEFAULT_SECRETS_PATH = '/run/secrets'
+        PATH_OVERRIDE_ENVVAR = 'UCBLIB_SECRETS_PATTERN'
+        DEFAULT_SECRETS_PATTERN = '/run/secrets/*'
-        def load_secrets!(glob = nil)
-          files_from(glob).each(&method(:load_secret!))
+        def load_secrets!(glob = nil, reload = false)
+          glob = normalize_glob(glob)
+          files_from(glob).each_with_object({}) do |path, new_secrets|
+            secret_name = File.basename(path)
+            secret_value = File.read(path).strip
+            ENV[secret_name] = secret_value
+            new_secrets[secret_name] = {
+              name: secret_name,
+              file: path,
+              checksum: "sha256:#{Digest::SHA256.hexdigest(secret_value)}",
+              glob: glob,
+              timestamp: Time.now.to_i,
+            }
+          end
         end
         private
-        def load_secret!(filepath)
-          secret = File.basename(filepath)
-          ENV[secret] = File.read(filepath).strip
-          log_info "Loaded secret `ENV['#{secret}']` from #{filepath}"
+        def files_from(glob)
+          Dir[glob].filter_map { |fname| fname if File.file? fname }
         end
-        def files_from(glob = nil)
-          glob ||= ENV[PATH_OVERRIDE_ENVVAR] || DEFAULT_SECRETS_PATH
-          glob = glob.strip
+        def normalize_glob(glob)
+          (glob || ENV[PATH_OVERRIDE_ENVVAR] || DEFAULT_SECRETS_PATTERN)
+            .then(&:strip)
+            .then(&method(:ensure_dir_asterisk))
+        end
-          if File.directory?(glob) && !glob.end_with?('*')
-            glob = File.join(glob, '*')
+        def ensure_dir_asterisk(glob)
+          if !glob.end_with?('*') && File.directory?(glob)
+            File.join(glob, '*')
+          else
+            glob
           end
-          log_info "Searching '#{glob}' for secrets files"
-          Dir[glob].filter_map { |fname| fname if File.file? fname }
         end
       end
     end

data/spec/berkeley_library/docker/railtie_spec.rb CHANGED Viewed

@@ -1,36 +1,36 @@
-require 'rails' # require Rails first to mimic load order
-require 'berkeley_library/docker/railtie'
 require 'spec_helper'
+require 'rails'
+require 'berkeley_library/docker/railtie'
+require 'logger'
 module BerkeleyLibrary
   module Docker
     describe Railtie do
-      class TestApp < Rails::Application; end
+      # @note Simply defining the app class causes railtie
+      # `before_configuration` blocks to run, and we only get to define one
+      # application, hence this one test needs to handle everything.
+      it 'causes rails to load the environment' do
+        with_secret('FOOBAR', 'BAZ') do
+          with_secret('CLIENT_KEY', 'd33db55f') do
+            logger = spy Logger.new(STDOUT)
-      let(:app) { TestApp.create }
-      let(:initializers) { app.initializers.tsort_each.collect(&:name) }
-      let(:railtie_name) { BerkeleyLibrary::Docker::Railtie::NAME }
+            expect(ENV['CLIENT_KEY']).to be nil
-      it 'has the expected initializer name' do
-        expect(railtie_name).to eq 'berkeley_library-docker.load_secrets'
-      end
+            # Use Class.new so that `logger` is within scope
+            @klass = Class.new(Rails::Application) do
+              Rails.logger = logger
+              config.client_key = ENV['CLIENT_KEY']
+            end
-      it 'causes rails to load the environment' do
-        with_secret('API_TOKEN', 'd33db55f') do
-          app = TestApp.create
-          expect(ENV['API_TOKEN']).to be nil
+            expect(ENV['CLIENT_KEY']).to eq 'd33db55f'
-          app.initialize!
-          expect(ENV['API_TOKEN']).to eq 'd33db55f'
-        end
-      end
+            app = @klass.create
+            app.initialize!
-      it 'loads after the logger and before configuration' do
-        railtie_index = initializers.find_index(railtie_name)
-        logger_index = initializers.find_index(:initialize_logger)
-        config_index = initializers.find_index(:load_config_initializers)
-        expect(railtie_index).to be_between(logger_index, config_index)
+            expect(app.config.client_key).to eq 'd33db55f'
+            expect(logger).to have_received(:info).twice.with(/Loaded secret:.*/)
+          end
+        end
       end
     end
   end

data/spec/berkeley_library/docker/secret_spec.rb CHANGED Viewed

@@ -7,42 +7,45 @@ module BerkeleyLibrary
     describe Secret do
       it 'loads secrets into the environment' do
         with_secret('DB_PASSWORD', 'f00BarbAz') do
-          expect(ENV['DB_PASSWORD']).to be nil
-          Secret.load_secrets!
-          expect(ENV['DB_PASSWORD']).to eq 'f00BarbAz'
+          expect { Secret.load_secrets! }
+            .to change { ENV['DB_PASSWORD'] }
+            .from(nil).to('f00BarbAz')
         end
       end
       it 'reads multiline secrets' do
         with_secret('SSH_PRIVATE_KEY', "d33db55f\nd33db55f") do
-          expect(ENV['SSH_PRIVATE_KEY']).to be nil
-          Secret.load_secrets!
-          expect(ENV['SSH_PRIVATE_KEY']).to eq "d33db55f\nd33db55f"
+          expect { Secret.load_secrets! }
+            .to change { ENV['SSH_PRIVATE_KEY'] }
+            .from(nil).to("d33db55f\nd33db55f")
         end
       end
       it 'strips trailing whitespace' do
         with_secret('API_TOKEN', "d33db55f\n") do
-          expect(ENV['API_TOKEN']).to be nil
-          Secret.load_secrets!
-          expect(ENV['API_TOKEN']).to eq 'd33db55f'
+          expect { Secret.load_secrets! }
+            .to change { ENV['API_TOKEN'] }
+            .from(nil).to('d33db55f')
         end
       end
       it 'ignores subdirectories in the secrets directory' do
         FileUtils.mkdir_p(File.join(SPEC_SECRETS_PATH, 'some-dir'))
-        expect{ Secret.load_secrets! }.not_to raise_error
+        expect { Secret.load_secrets! }.not_to raise_error
+        expect { Secret.load_secrets! }.not_to change { ENV }
       end
-      it 'searches ENV["UCBLIB_SECRETS_PATH"] by default' do
-        with_secret('MASTER_KEY', 'd33db55f', '/tmp/super-secrets') do
-          Secret.load_secrets!
-          expect(ENV['MASTER_KEY']).to be nil
+      it 'searches ENV["UCBLIB_SECRETS_PATTERN"] by default' do
+        secrets_subdir = File.join(SPEC_SECRETS_PATH, 'super-secrets')
-          ENV['UCBLIB_SECRETS_PATH'] = '/tmp/super-secrets'
+        with_secret('MASTER_KEY', 'd33db55f', secrets_subdir) do
+          expect { Secret.load_secrets! }.not_to change { ENV }
-          Secret.load_secrets!
-          expect(ENV['MASTER_KEY']).to eq 'd33db55f'
+          ENV['UCBLIB_SECRETS_PATTERN'] = secrets_subdir
+          expect { Secret.load_secrets! }
+            .to change { ENV['MASTER_KEY'] }
+            .from(nil).to('d33db55f')
         end
       end
     end

data/spec/berkeley_library/docker_spec.rb CHANGED Viewed

@@ -1,6 +1,6 @@
+require 'spec_helper'
 require 'rails' # require Rails first to mimic load order
 require 'berkeley_library/docker'
-require 'spec_helper'
 module BerkeleyLibrary
   describe Docker do

data/spec/spec_helper.rb CHANGED Viewed

@@ -1,7 +1,9 @@
 require_relative './spec_utils.rb'
+require 'tmpdir'
-# Avoid issues with `/run` being read-only on MacOS
-SPEC_SECRETS_PATH = ENV['UCBLIB_SECRETS_PATH'] = '/tmp/secrets'
+# Avoid issues with `/run` being read-only on MacOS. Also ensures that
+# tests always start with a clean secrets directory.
+SPEC_SECRETS_PATH = ENV['UCBLIB_SECRETS_PATTERN'] = Dir.mktmpdir
 RSpec.configure do |config|
   config.include SpecUtils

data/spec/spec_utils.rb CHANGED Viewed

@@ -3,12 +3,12 @@ require 'fileutils'
 module SpecUtils
   def rollback_environment(&block)
-    old_envvars = ENV.keys
-    begin
-      yield
-    ensure
-      ENV.select! { |k, _| old_envvars.include? k }
+    ENV.to_h.tap do |old_env|
+      begin
+        yield
+      ensure
+        ENV.replace(old_env)
+      end
     end
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: berkeley_library-docker
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0.pre.rc2
 platform: ruby
 authors:
 - Dan Schmidt
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-14 00:00:00.000000000 Z
+date: 2022-11-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -120,9 +120,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.7.6
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.1.6
 signing_key: