ejson-rails 0.2.0 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 31b8ead062c2323086dbdaa211878c04ce3cb3ee3203882ca13efa9b6ba8f3a3
-  data.tar.gz: 3bc548e0db8eac2a33ccdf849e0fb2dbcddd7fe7ea0a537cab1e6e153fccb01e
+  metadata.gz: d6d62b4bf362a99bed1a71b0a16cc83bd610157b8e3a06d8998a8c4d1a9479f9
+  data.tar.gz: b74ef1b02227276aed05fc815d876218046bdef4533013d4ca61c0287a79e22a
 SHA512:
-  metadata.gz: 03b463b72d2a9efdf4e8e9f461a4146e60c52ba53a4d0c17554b4ff1582aa34d332310c70f5f73061279486963f199900002d29b23356fc84411b2e230913a58
-  data.tar.gz: 42f3dc896ce52a593c67e65fe7c72dd5b6ec4d3cc22690350cd9a964ee06c6799cc362390e938f8e1dbcee01259c48195aed2632f84342460ab089c9476ef018
+  metadata.gz: d8d136c6ef01aaf7011c0f8edb1f301654e813de2de0cff764422dabb929cea9b8df2e73eea3cb5f5a991a67166004f6bd62f0c0419984071fa8bc8b3009d549
+  data.tar.gz: 325e1a3e46fb0abfdd33b85002359768318dfac8fa6682cc9c09a17130604aa445aa98efcce57156a94cf9abda1d5bbec1315b4178b8830fe1e5e1d0f596f98a

data/.github/workflows/ci.yml

@@ -10,13 +10,13 @@ jobs:
       matrix:
         entry:
           - name: Minimum Rails
-            ruby: '2.7'
+            ruby: '3.1'
             gemfile: Gemfile.rails-min
           - name: Latest Rails
-            ruby: '3.2'
+            ruby: '3.3'
             gemfile: Gemfile.rails-latest
           - name: Edge Rails
-            ruby: '3.2'
+            ruby: '3.3'
             gemfile: "Gemfile.rails-edge"
 
     name: ${{ matrix.entry.name }}

data/.rubocop.yml

@@ -4,6 +4,5 @@ inherit_gem:
 AllCops:
   NewCops: disable
   SuggestExtensions: false
-  TargetRubyVersion: 3.2
   Exclude:
    - vendor/bundle/**/*

data/.ruby-version

@@ -1 +1 @@
-3.2.0
+3.3.0

data/Gemfile.lock

@@ -1,108 +1,141 @@
 PATH
   remote: .
   specs:
-    ejson-rails (0.2.0)
+    ejson-rails (0.2.2)
       ejson
-      railties (>= 5.2)
+      railties (>= 6.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (7.0.6)
-      actionview (= 7.0.6)
-      activesupport (= 7.0.6)
-      rack (~> 2.0, >= 2.2.4)
+    actionpack (7.1.3.2)
+      actionview (= 7.1.3.2)
+      activesupport (= 7.1.3.2)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.6)
-      activesupport (= 7.0.6)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actionview (7.1.3.2)
+      activesupport (= 7.1.3.2)
       builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (7.0.6)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activesupport (7.1.3.2)
+      base64
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
+      mutex_m
       tzinfo (~> 2.0)
     ast (2.4.2)
+    base64 (0.2.0)
+    bigdecimal (3.1.6)
     builder (3.2.4)
-    concurrent-ruby (1.2.2)
+    concurrent-ruby (1.2.3)
+    connection_pool (2.4.1)
     crass (1.0.6)
-    diff-lcs (1.4.4)
-    ejson (1.3.1)
+    diff-lcs (1.5.1)
+    drb (2.2.1)
+    ejson (1.4.1)
     erubi (1.12.0)
     i18n (1.14.1)
       concurrent-ruby (~> 1.0)
-    json (2.6.3)
-    loofah (2.21.3)
+    io-console (0.6.0)
+    irb (1.10.0)
+      rdoc
+      reline (>= 0.3.8)
+    json (2.7.1)
+    language_server-protocol (3.17.0.3)
+    loofah (2.22.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    method_source (1.0.0)
-    mini_portile2 (2.8.4)
-    minitest (5.18.1)
-    nokogiri (1.15.3)
+    mini_portile2 (2.8.5)
+    minitest (5.22.2)
+    mutex_m (0.2.0)
+    nokogiri (1.15.6)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    parallel (1.22.1)
-    parser (3.2.0.0)
+    parallel (1.24.0)
+    parser (3.3.0.5)
       ast (~> 2.4.1)
-    racc (1.7.1)
-    rack (2.2.7)
+      racc
+    psych (5.1.2)
+      stringio
+    racc (1.7.3)
+    rack (3.0.9.1)
+    rack-session (2.0.0)
+      rack (>= 3.0.0)
     rack-test (2.1.0)
       rack (>= 1.3)
-    rails-dom-testing (2.1.1)
+    rackup (2.1.0)
+      rack (>= 3)
+      webrick (~> 1.8)
+    rails-dom-testing (2.2.0)
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.6.0)
       loofah (~> 2.21)
       nokogiri (~> 1.14)
-    railties (7.0.6)
-      actionpack (= 7.0.6)
-      activesupport (= 7.0.6)
-      method_source
+    railties (7.1.3.2)
+      actionpack (= 7.1.3.2)
+      activesupport (= 7.1.3.2)
+      irb
+      rackup (>= 1.0.0)
       rake (>= 12.2)
-      thor (~> 1.0)
-      zeitwerk (~> 2.5)
+      thor (~> 1.0, >= 1.2.2)
+      zeitwerk (~> 2.6)
     rainbow (3.1.1)
     rake (13.0.6)
-    regexp_parser (2.6.1)
-    rexml (3.2.5)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+    rdoc (6.6.3.1)
+      psych (>= 4.0.0)
+    regexp_parser (2.9.0)
+    reline (0.4.1)
+      io-console (~> 0.5)
+    rexml (3.2.6)
+    rspec (3.12.0)
+      rspec-core (~> 3.12.0)
+      rspec-expectations (~> 3.12.0)
+      rspec-mocks (~> 3.12.0)
+    rspec-core (3.12.2)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.3)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.2)
+      rspec-support (~> 3.12.0)
+    rspec-mocks (3.12.6)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.2)
-    rubocop (1.43.0)
+      rspec-support (~> 3.12.0)
+    rspec-support (3.12.1)
+    rubocop (1.62.1)
       json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.2.0.0)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.24.1, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.24.1)
-      parser (>= 3.1.1.0)
+    rubocop-ast (1.31.2)
+      parser (>= 3.3.0.4)
     rubocop-shopify (2.11.1)
       rubocop (~> 1.42)
-    ruby-progressbar (1.11.0)
-    thor (1.2.2)
+    ruby-progressbar (1.13.0)
+    stringio (3.1.0)
+    thor (1.3.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.4.2)
-    zeitwerk (2.6.8)
+    unicode-display_width (2.5.0)
+    webrick (1.8.1)
+    zeitwerk (2.6.12)
 
 PLATFORMS
   ruby
@@ -115,4 +148,4 @@ DEPENDENCIES
   rubocop-shopify
 
 BUNDLED WITH
-   2.3.17
+   2.5.7

data/README.md

@@ -20,39 +20,90 @@ Or install it yourself as:
 
     $ gem install ejson-rails
 
+## Configuration
+
+By default, the gem will look for decrypted secrets in `project/config/secrets.json` or `project/config/secrets.{current_rails_environment}.json` if that doesn't exist.
+
+If your application or environment has a unique way of retrieving decrypted secrets, you can do so by setting `EJSON::Rails::Railtie.ejson_secret_source` to a callable object in `config/application.rb`. For example:
+
+```ruby
+# config/application.rb
+
+# This must be placed BEFORE your application constant which inherits from Rails::Application
+EJSON::Rails::Railtie.ejson_secret_source = FooBar::SecretCredentialReader
+
+# Custom credential reader that lives somewhere else
+module FooBar
+  class SecretCredentialReader
+    class << self
+      def call
+        '{"secret": "secret_from_ejson_secret_source"}'
+      end
+    end
+  end
+end
+```
+
+For simple cases, you can use a `proc`:
+
+```ruby
+EJSON::Rails::Railtie.ejson_secret_source = proc { '{"secret": "secret_from_ejson_secret_source"}' }
+```
+
 ## Usage
 
-Decrypted secrets from `project/config/secrets.json` (or `project/config/secrets.{current_rails_environment}.json` if that doesn't exist) will be accessible via `Rails.application.secrets`. For example:
+Decrypted secrets and credentials will be accessible via `Rails.application.secrets`. For example:
+
+`# project/config/secrets.json`
 
 ```json
-// project/config/secrets.json
 { "some_secret": "key" }
 ```
 
-will be accessible via `Rails.application.secrets.some_secret` or `Rails.application.secrets[:some_secret]` on boot. JSON files are loaded once and contents are `deep_merge`'d into your app's existing rails secrets.
+will be accessible via `Rails.application.secrets.some_secret` or `Rails.application.secrets[:some_secret]` upon booting. JSON files are loaded once and contents are `deep_merge`'d into your app's existing rails secrets.
 
 Secrets will also be accessible via `Rails.application.credentials`, e.g. `Rails.application.credentials.some_secret` or `Rails.application.credentials[:some_secret]`. To avoid subtle compatibility issues, if a credential already exists, an error will occur.
 
+If you set the `EJSON_RAILS_DELETE_SECRETS` environment variable to `true` the gem will automatically delete the secrets from the filesystem after loading them into Rails. It will delete both paths (`project/config/secrets.json` and `project/config/secrets.{current_rails_environment}.json`) if the files exist and are writable.
+
 NOTE: This gem does not decrypt ejson for you. You will need to configure this as part of your deployment pipeline.
 
 ## Migrating to credentials
 
 Rails 7.1 has deprecated application secrets in favor of credentials. ejson-rails can migrate secrets to application credentials.
 
-Even before running Rails 7.1, you can migrate your secrets in a few steps.
+Even before running Rails 7.1, you can migrate your secrets in several steps:
+
+1. Convert secrets from YAML to JSON
+2. Move any ERB embedded within the YAML to the corresponding environment file
+3. Use `Rails.application.credentials` in place of Rails secrets
+
+### 1. Convert secrets from config/secrets.yml to config/secrets.json
 
-First, move the development and test secrets to JSON secrets:
+Typically, secrets share the same structure across different environments. While test secrets are often placeholders, development secrets may sometimes use environment variables to communicate with external services.
+In that case, the easiest way to migrate is to use the test secrets in all local environments, and override for development as needed:
 
 ```sh-session
-bin/rails runner 'Rails.root.join("config/secrets.#{Rails.env}.json").write(JSON.pretty_generate(Rails.application.secrets.to_h.without(:secret_key_base)))'
-bin/rails runner -e test 'Rails.root.join("config/secrets.#{Rails.env}.json").write(JSON.pretty_generate(Rails.application.secrets.to_h.without(:secret_key_base)))'
+# Recommended
+bin/rails runner -e test 'Rails.root.join("config/secrets.json").write(JSON.pretty_generate(Rails.application.secrets.to_h.without(:secret_key_base)))'
 ```
 
-Secrets support ERB while EJSON secrets don't, so if your secrets contain ERB, you will need to move that logic to the environment configurations:
+> [!NOTE]
+> Alternatively, if its necessary to configure distinct values between the development/test environment, you can use separate JSON files for the development/test environments:
+>
+> ```sh-session
+> bin/rails runner 'Rails.root.join("config/secrets.#{Rails.env}.json").write(JSON.pretty_generate(Rails.application.secrets.to_h.without(:secret_key_base)))'
+> bin/rails runner -e test 'Rails.root.join("config/secrets.#{Rails.env}.json").write(JSON.pretty_generate(Rails.application.secrets.to_h.without(:secret_key_base)))'
+> ```
+
+### 2. Move any ERB into the corresponding environment files
+
+YAML supports ERB while JSON secrets do not. If your secrets contain ERB, you will need to move that logic to the corresponding environment file:
 
 **Before**:
 
 `config/secrets.yml`
+
 ```yaml
 development:
   some_external_service:
@@ -61,7 +112,8 @@ development:
 
 **After**:
 
-`config/secrets.development.json` as generated by the command above.
+`config/secrets.json` as generated by the _recommended_ command above.
+
 ```json
 {
   "some_external_service": {
@@ -72,19 +124,20 @@ development:
 ```
 
 `config/environments/development.rb`
+
 ```ruby
 Rails.application.configure do
   # elided
 
-  # credential should be set using []=, not the dynamic accessors
-  credentials[:some_external_service][:api_token] = ENV.fetch("SOME_EXTERNAL_SERVICE_API_TOKEN", "12345")
-
-  # top-level values must be set through `credentials.config`
-  credentials.config[:something_else_entirely] = ENV.fetch("SOMETHING_ELSE_ENTIRELY", "abc")
+  credentials.some_external_service.api_token = ENV.fetch("SOME_EXTERNAL_SERVICE_API_TOKEN", "12345")
+  credentials.something_else_entirely = ENV.fetch("SOMETHING_ELSE_ENTIRELY", "abc")
 end
 ```
 
-Note that the code accesses the credentials as a Hash with `[]` and `[]=`. This is important because the dynamic accessor methods will set values in a different object, and credentials will behave inconsistently after that:
+#### Rails 7.0 Note
+
+> [!NOTE]
+> In Rails 7.0, credentials are accessed as a Hash with [] and []=.. This is important because the dynamic accessor methods will set values in a different object, and credentials will behave inconsistently after that:
 
 ```ruby
 Rails.application.credentials.some_external_service.api_token = "foo"
@@ -106,7 +159,9 @@ Rails.application.credentials[:some_external_service][:api_token] = "foo"
 Rails.application.credentials.some_external_service.api_token # => "12345"
 ```
 
-You're now ready to use credentials instead of secrets:
+### 3. Use `Rails.application.credentials`
+
+You are now ready to replace Rails secrets with Rails credentials:
 
 ```sh-session
 git ls-files | xargs ruby -pi -e 'gsub("Rails.application.secrets", "Rails.application.credentials")' --
@@ -118,7 +173,7 @@ To avoid the deprecation warning from the use of secrets in `ejson-rails` once y
 gem 'ejson-rails', require: 'ejson/rails/skip_secrets'
 ```
 
-This will no longer merge secrets from JSON in `Rails.application.secrets`. This will be the default in the next major version.
+With this require, ejson-rails will no longer merge secrets from JSON into `Rails.application.secrets`. This will be the default in the next major version.
 
 ## Development
 

data/ejson-rails.gemspec

@@ -23,10 +23,10 @@ Gem::Specification.new do |spec|
 
   spec.metadata = { "allowed_push_host" => "https://rubygems.org" }
 
-  spec.required_ruby_version = ">= 2.7.0"
+  spec.required_ruby_version = ">= 3.1.0"
 
   spec.add_dependency("ejson")
-  spec.add_dependency("railties", ">= 5.2")
+  spec.add_dependency("railties", ">= 6.1")
 
   spec.add_development_dependency("rake", "~> 13.0")
   spec.add_development_dependency("rspec", "~> 3.0")

data/gemfiles/Gemfile.rails-min

@@ -2,4 +2,4 @@ source 'https://rubygems.org'
 
 eval_gemfile('../Gemfile')
 
-gem 'railties', '5.2'
+gem 'railties', '6.1'

data/lib/ejson/rails/railtie.rb

@@ -6,25 +6,41 @@ module EJSON
     private_constant :Rails
 
     class Railtie < Rails::Railtie
-      singleton_class.attr_accessor(:set_secrets)
+      singleton_class.attr_accessor(:ejson_secret_source, :set_secrets)
       @set_secrets = true
 
       config.before_configuration do
-        json_file = json_files.detect { |file| valid?(file) }
-        next unless json_file
+        secrets = load_secrets_from_config || load_secrets_from_disk
+        next unless secrets
+
+        secrets = JSON.parse(secrets, symbolize_names: true)
 
-        secrets = JSON.parse(json_file.read, symbolize_names: true)
         Rails.application.secrets.deep_merge!(secrets) if set_secrets
         # Merging into `credentials.config` because in Rails 7.0, reading a credential with
         # Rails.application.credentials[:some_credential] won't work otherwise.
         Rails.application.credentials.config.deep_merge!(secrets) do |key|
           raise "A credential already exists with the same name: #{key}"
         end
+
+        # Delete the loaded JSON files so they are no longer readable by the app.
+        if ENV["EJSON_RAILS_DELETE_SECRETS"] == "true"
+          json_files.each do |pathname|
+            File.delete(pathname) if File.writable?(pathname)
+          end
+        end
       end
 
       class << self
         private
 
+        def load_secrets_from_config
+          ejson_secret_source&.call
+        end
+
+        def load_secrets_from_disk
+          json_files.detect { |file| valid?(file) }&.read
+        end
+
         def valid?(pathname)
           pathname.exist?
         end

data/lib/ejson/rails/version.rb

@@ -2,6 +2,6 @@
 
 module EJSON
   module Rails
-    VERSION = "0.2.0"
+    VERSION = "0.2.2"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ejson-rails
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.2
 platform: ruby
 authors:
 - Gannon McGibbon
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-07-24 00:00:00.000000000 Z
+date: 2024-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ejson
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '6.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '6.1'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -109,14 +109,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.16
+rubygems_version: 3.5.10
 signing_key: 
 specification_version: 4
 summary: Asymmetric keywise encryption for JSON on Rails