ejson-rails 0.2.1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69f79981ad2617db5951c38bdef5d9fb77dedd27e52378f3fa460e5af89435b0
-  data.tar.gz: 7ded0b73fc84ae62c508afa5e2c185f85edd83a12872a326c11a9df91292b577
+  metadata.gz: 3bede97f3d90eb8a1088a761e2bab8c883f07c9262f408a3dbb0578c783b34c0
+  data.tar.gz: 95521f7ebf60e54fb51876f4bedbbf343bac5a9bad08fcb89e3a3c5daac587a7
 SHA512:
-  metadata.gz: bbe4e714ed9a6f110a781e8f8e1fdde6a26695f949798dd8eabdd9ba59a5321a1928dc6d6b2d6f9b685c89232873b4fa00dbfac0daefd10acc7dee09baf8f2c2
-  data.tar.gz: 15e2abb7e802deeaa5358ec6cd10f52576a4402bf490bcae5121152fa1cde54d29cafd2899ccb4244274dd809f61b09331ff7e1d4d77dde38ce0fa9813f9ae1c
+  metadata.gz: 4c402407b30ac8948a9cb8a6e3f36addaebf123e3a06672d8731cebee91a6e412524a51a5028059de56628fc46425b48548b48aab31a2cf5b81228b843bf93a9
+  data.tar.gz: 92f0fe6b5cc46616f83d4952e39c92fb008b707042e4e11c9f8f25418bf373f1c7345454cebe08a27aa6b4645f2acd3af67976472c84796dcaffc35146f688a5

data/.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+- package-ecosystem: bundler
+  directory: /
+  schedule:
+    interval: weekly
+  open-pull-requests-limit: 100

data/.github/workflows/ci.yml

@@ -10,13 +10,13 @@ jobs:
       matrix:
         entry:
           - name: Minimum Rails
-            ruby: '2.7'
+            ruby: '3.1'
             gemfile: Gemfile.rails-min
           - name: Latest Rails
-            ruby: '3.2'
+            ruby: '3.3'
             gemfile: Gemfile.rails-latest
           - name: Edge Rails
-            ruby: '3.2'
+            ruby: '3.3'
             gemfile: "Gemfile.rails-edge"
 
     name: ${{ matrix.entry.name }}

data/.rubocop.yml

@@ -4,6 +4,5 @@ inherit_gem:
 AllCops:
   NewCops: disable
   SuggestExtensions: false
-  TargetRubyVersion: 3.2
   Exclude:
    - vendor/bundle/**/*

data/.ruby-version

@@ -1 +1 @@
-3.2.0
+3.3.0

data/Gemfile.lock

@@ -1,74 +1,77 @@
 PATH
   remote: .
   specs:
-    ejson-rails (0.2.1)
+    ejson-rails (1.0.0)
       ejson
-      railties (>= 5.2)
+      railties (>= 6.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (7.1.2)
-      actionview (= 7.1.2)
-      activesupport (= 7.1.2)
+    actionpack (7.2.0)
+      actionview (= 7.2.0)
+      activesupport (= 7.2.0)
       nokogiri (>= 1.8.5)
       racc
-      rack (>= 2.2.4)
+      rack (>= 2.2.4, < 3.2)
       rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    actionview (7.1.2)
-      activesupport (= 7.1.2)
+      useragent (~> 0.16)
+    actionview (7.2.0)
+      activesupport (= 7.2.0)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activesupport (7.1.2)
+    activesupport (7.2.0)
       base64
       bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
       minitest (>= 5.1)
-      mutex_m
-      tzinfo (~> 2.0)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
     ast (2.4.2)
     base64 (0.2.0)
-    bigdecimal (3.1.4)
-    builder (3.2.4)
-    concurrent-ruby (1.2.2)
+    bigdecimal (3.1.8)
+    builder (3.3.0)
+    concurrent-ruby (1.3.4)
     connection_pool (2.4.1)
     crass (1.0.6)
-    diff-lcs (1.4.4)
-    drb (2.2.0)
-      ruby2_keywords
+    diff-lcs (1.5.1)
+    drb (2.2.1)
     ejson (1.4.1)
-    erubi (1.12.0)
-    i18n (1.14.1)
+    erubi (1.13.0)
+    i18n (1.14.5)
       concurrent-ruby (~> 1.0)
-    io-console (0.6.0)
-    irb (1.10.0)
-      rdoc
-      reline (>= 0.3.8)
-    json (2.6.3)
+    io-console (0.7.2)
+    irb (1.14.0)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
+    json (2.7.2)
+    language_server-protocol (3.17.0.3)
+    logger (1.6.0)
     loofah (2.22.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    mini_portile2 (2.8.5)
-    minitest (5.20.0)
-    mutex_m (0.2.0)
-    nokogiri (1.15.5)
+    mini_portile2 (2.8.7)
+    minitest (5.25.0)
+    nokogiri (1.16.7)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    parallel (1.22.1)
-    parser (3.2.0.0)
+    parallel (1.25.1)
+    parser (3.3.4.0)
       ast (~> 2.4.1)
-    psych (5.1.1.1)
+      racc
+    psych (5.1.2)
       stringio
-    racc (1.7.3)
-    rack (3.0.8)
+    racc (1.8.1)
+    rack (3.1.7)
     rack-session (2.0.0)
       rack (>= 3.0.0)
     rack-test (2.1.0)
@@ -83,58 +86,62 @@ GEM
     rails-html-sanitizer (1.6.0)
       loofah (~> 2.21)
       nokogiri (~> 1.14)
-    railties (7.1.2)
-      actionpack (= 7.1.2)
-      activesupport (= 7.1.2)
-      irb
+    railties (7.2.0)
+      actionpack (= 7.2.0)
+      activesupport (= 7.2.0)
+      irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
       thor (~> 1.0, >= 1.2.2)
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.0.6)
-    rdoc (6.6.0)
+    rake (13.2.1)
+    rdoc (6.7.0)
       psych (>= 4.0.0)
-    regexp_parser (2.6.1)
-    reline (0.4.1)
+    regexp_parser (2.9.2)
+    reline (0.5.9)
       io-console (~> 0.5)
-    rexml (3.2.5)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+    rexml (3.3.4)
+      strscan
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.2)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.2)
-    rubocop (1.43.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.1)
+    rubocop (1.65.1)
       json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.2.0.0)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
+      regexp_parser (>= 2.4, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.24.1, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.24.1)
-      parser (>= 3.1.1.0)
-    rubocop-shopify (2.11.1)
-      rubocop (~> 1.42)
-    ruby-progressbar (1.11.0)
-    ruby2_keywords (0.0.5)
-    stringio (3.1.0)
-    thor (1.3.0)
+    rubocop-ast (1.31.3)
+      parser (>= 3.3.1.0)
+    rubocop-shopify (2.15.1)
+      rubocop (~> 1.51)
+    ruby-progressbar (1.13.0)
+    securerandom (0.3.1)
+    stringio (3.1.1)
+    strscan (3.1.0)
+    thor (1.3.1)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.4.2)
+    unicode-display_width (2.5.0)
+    useragent (0.16.10)
     webrick (1.8.1)
-    zeitwerk (2.6.12)
+    zeitwerk (2.6.17)
 
 PLATFORMS
   ruby
@@ -147,4 +154,4 @@ DEPENDENCIES
   rubocop-shopify
 
 BUNDLED WITH
-   2.3.17
+   2.5.10

data/README.md

@@ -2,7 +2,7 @@
 
 [![Build Status](https://github.com/Shopify/ejson-rails/workflows/CI/badge.svg?branch=main)](https://github.com/Shopify/ejson-rails/actions?query=branch%3Amain)
 
-Automatically injects [`ejson`](https://github.com/Shopify/ejson) decrypted secrets into your `Rails.application.secrets`.
+Automatically injects [`ejson`](https://github.com/Shopify/ejson) decrypted secrets into your `Rails.application.credentials`.
 
 ## Installation
 
@@ -20,124 +20,57 @@ Or install it yourself as:
 
     $ gem install ejson-rails
 
-## Usage
-
-Decrypted secrets and credentials from `project/config/secrets.json` (or `project/config/secrets.{current_rails_environment}.json` if that doesn't exist) will be accessible via `Rails.application.secrets`. For example:
-
-`# project/config/secrets.json`
-```json
-{ "some_secret": "key" }
-```
-
-will be accessible via `Rails.application.secrets.some_secret` or `Rails.application.secrets[:some_secret]` upon booting. JSON files are loaded once and contents are `deep_merge`'d into your app's existing rails secrets.
-
-Secrets will also be accessible via `Rails.application.credentials`, e.g. `Rails.application.credentials.some_secret` or `Rails.application.credentials[:some_secret]`. To avoid subtle compatibility issues, if a credential already exists, an error will occur.
-
-If you set the `EJSON_RAILS_DELETE_SECRETS` environment variable to `true` the gem will automatically delete the secrets from the filesystem after loading them into Rails. It will delete both paths (`project/config/secrets.json` and `project/config/secrets.{current_rails_environment}.json`) if the files exist and are writable.
-
-NOTE: This gem does not decrypt ejson for you. You will need to configure this as part of your deployment pipeline.
-
-## Migrating to credentials
-
-Rails 7.1 has deprecated application secrets in favor of credentials. ejson-rails can migrate secrets to application credentials.
-
-Even before running Rails 7.1, you can migrate your secrets in several steps:
-1. Convert secrets from YAML to JSON
-2. Move any ERB embedded within the YAML to the corresponding environment file
-3. Use `Rails.application.credentials` in place of Rails secrets
-
-### 1. Convert secrets from config/secrets.yml to config/secrets.json
-
-Typically, secrets share the same structure across different environments. While test secrets are often placeholders, development secrets may sometimes use environment variables to communicate with external services.
-In that case, the easiest way to migrate is to use the test secrets in all local environments, and override for development as needed:
-
-```sh-session
-# Recommended
-bin/rails runner -e test 'Rails.root.join("config/secrets.json").write(JSON.pretty_generate(Rails.application.secrets.to_h.without(:secret_key_base)))'
-```
-
-> [!NOTE]
-> Alternatively, if its necessary to configure distinct values between the development/test environment, you can use separate JSON files for the development/test environments:
->
-> ```sh-session
-> bin/rails runner 'Rails.root.join("config/secrets.#{Rails.env}.json").write(JSON.pretty_generate(Rails.application.secrets.to_h.without(:secret_key_base)))'
-> bin/rails runner -e test 'Rails.root.join("config/secrets.#{Rails.env}.json").write(JSON.pretty_generate(Rails.application.secrets.to_h.without(:secret_key_base)))'
-> ```
+## Configuration
 
-### 2. Move any ERB into the corresponding environment files
+By default, the gem will look for decrypted secrets in `project/config/secrets.json` or `project/config/secrets.{current_rails_environment}.json` if that doesn't exist.
 
-YAML supports ERB while JSON secrets do not. If your secrets contain ERB, you will need to move that logic to the corresponding environment file:
+If your application or environment has a unique way of retrieving decrypted secrets, you can do so by setting `EJSON::Rails::Railtie.ejson_secret_source` to a callable object in `config/application.rb`. For example:
 
-**Before**:
-
-`config/secrets.yml`
-```yaml
-development:
-  some_external_service:
-    api_token: <%= ENV.fetch(SOME_EXTERNAL_SERVICE_API_TOKEN, "12345") %>
-```
-
-**After**:
-
-`config/secrets.json` as generated by the *recommended* command above.
-```json
-{
-  "some_external_service": {
-    "api_token": "12345"
-  },
-  "something_else_entirely": "abc"
-}
-```
-
-`config/environments/development.rb`
 ```ruby
-Rails.application.configure do
-  # elided
-
-  credentials.some_external_service.api_token = ENV.fetch("SOME_EXTERNAL_SERVICE_API_TOKEN", "12345")
-  credentials.something_else_entirely = ENV.fetch("SOMETHING_ELSE_ENTIRELY", "abc")
+# config/application.rb
+
+# This must be placed BEFORE your application constant which inherits from Rails::Application
+EJSON::Rails::Railtie.ejson_secret_source = FooBar::SecretCredentialReader
+
+# Custom credential reader that lives somewhere else
+module FooBar
+  class SecretCredentialReader
+    class << self
+      def call
+        '{"secret": "secret_from_ejson_secret_source"}'
+      end
+    end
+  end
 end
 ```
 
-#### Rails 7.0 Note
-> [!NOTE]
-> In Rails 7.0, credentials are accessed as a Hash with [] and []=.. This is important because the dynamic accessor methods will set values in a different object, and credentials will behave inconsistently after that:
+For simple cases, you can use a `proc`:
 
 ```ruby
-Rails.application.credentials.some_external_service.api_token = "foo"
-Rails.application.credentials[:some_external_service][:api_token] # => "12345"
+EJSON::Rails::Railtie.ejson_secret_source = proc { '{"secret": "secret_from_ejson_secret_source"}' }
 ```
 
-Also note the code sets top-level values through `credentials.config`, because `credentials#[]=(key, value)` sets values in a different object.
+## Usage
 
-```ruby
-Rails.application.credentials[:something_else_entirely] = "foo"
-Rails.application.credentials[:something_else_entirely] # => "abc"
-```
+Decrypted secrets will be accessible via `Rails.application.credentials`. For example:
 
-Make sure there's no code using the dynamic accessors before setting the configuration in the Hash, or the values won't be accessible from the dynamic accessor:
+`# project/config/secrets.json`
 
-```ruby
-Rails.application.credentials.something_else_entirely # just accessing is enough to cause the issue
-Rails.application.credentials[:some_external_service][:api_token] = "foo"
-Rails.application.credentials.some_external_service.api_token # => "12345"
+```json
+{ "some_secret": "key" }
 ```
 
-### 3. Use `Rails.application.credentials`
+will be accessible via `Rails.application.credentials.some_secret` or `Rails.application.credentials[:some_secret]` upon booting. JSON files are loaded once and contents are `deep_merge`'d into your app's existing Rails credentials.
 
-You are now ready to replace Rails secrets with Rails credentials:
+To avoid subtle compatibility issues, if a credential already exists, an error will occur.
 
-```sh-session
-git ls-files | xargs ruby -pi -e 'gsub("Rails.application.secrets", "Rails.application.credentials")' --
-```
+If you set the `EJSON_RAILS_DELETE_SECRETS` environment variable to `true` the gem will automatically delete the secrets from the filesystem after loading them into Rails. It will delete both paths (`project/config/secrets.json` and `project/config/secrets.{current_rails_environment}.json`) if the files exist and are writable.
 
-To avoid the deprecation warning from the use of secrets in `ejson-rails` once you're running Rails 7.1, require another file from your Gemfile:
+NOTE: This gem does not decrypt ejson for you. You will need to configure this as part of your deployment pipeline.
 
-```ruby
-gem 'ejson-rails', require: 'ejson/rails/skip_secrets'
-```
+## Migrating to credentials
 
-With this require, ejson-rails will no longer merge secrets from JSON into `Rails.application.secrets`. This will be the default in the next major version.
+Rails 7.1 has deprecated application secrets in favor of credentials. `ejson-rails` no longer writes to Rails secrets to avoid crashing given Rails 7.2 removal of the feature. See the README for the last version that supports secrets to read more about migrating: [`ejson-rails` v0.2.2 – Migrating to credentials](https://github.com/Shopify/ejson-rails/tree/v0.2.2#migrating-to-credentials).
 
 ## Development
 

data/ejson-rails.gemspec

@@ -23,10 +23,10 @@ Gem::Specification.new do |spec|
 
   spec.metadata = { "allowed_push_host" => "https://rubygems.org" }
 
-  spec.required_ruby_version = ">= 2.7.0"
+  spec.required_ruby_version = ">= 3.1.0"
 
   spec.add_dependency("ejson")
-  spec.add_dependency("railties", ">= 5.2")
+  spec.add_dependency("railties", ">= 6.1")
 
   spec.add_development_dependency("rake", "~> 13.0")
   spec.add_development_dependency("rspec", "~> 3.0")

data/gemfiles/Gemfile.rails-min

@@ -2,4 +2,4 @@ source 'https://rubygems.org'
 
 eval_gemfile('../Gemfile')
 
-gem 'railties', '5.2'
+gem 'railties', '6.1'

data/lib/ejson/rails/railtie.rb

@@ -6,15 +6,14 @@ module EJSON
     private_constant :Rails
 
     class Railtie < Rails::Railtie
-      singleton_class.attr_accessor(:set_secrets)
-      @set_secrets = true
+      singleton_class.attr_accessor(:ejson_secret_source)
 
       config.before_configuration do
-        json_file = json_files.detect { |file| valid?(file) }
-        next unless json_file
+        secrets = load_secrets_from_config || load_secrets_from_disk
+        next unless secrets
+
+        secrets = JSON.parse(secrets, symbolize_names: true)
 
-        secrets = JSON.parse(json_file.read, symbolize_names: true)
-        Rails.application.secrets.deep_merge!(secrets) if set_secrets
         # Merging into `credentials.config` because in Rails 7.0, reading a credential with
         # Rails.application.credentials[:some_credential] won't work otherwise.
         Rails.application.credentials.config.deep_merge!(secrets) do |key|
@@ -32,6 +31,14 @@ module EJSON
       class << self
         private
 
+        def load_secrets_from_config
+          ejson_secret_source&.call
+        end
+
+        def load_secrets_from_disk
+          json_files.detect { |file| valid?(file) }&.read
+        end
+
         def valid?(pathname)
           pathname.exist?
         end

data/lib/ejson/rails/skip_secrets.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
+warn 'Requiring "ejson/rails/skip_secrets" is deprecated. ' \
+  'Use `require "ejson/rails" or remove the `:require` option from your Gemfile.'
 require "ejson/rails"
-
-EJSON::Rails::Railtie.set_secrets = false

data/lib/ejson/rails/version.rb

@@ -2,6 +2,6 @@
 
 module EJSON
   module Rails
-    VERSION = "0.2.1"
+    VERSION = "1.0.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ejson-rails
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 1.0.0
 platform: ruby
 authors:
 - Gannon McGibbon
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-12-04 00:00:00.000000000 Z
+date: 2024-08-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ejson
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '6.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '6.1'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -74,6 +74,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
 - ".github/workflows/ci.yml"
 - ".github/workflows/cla.yml"
 - ".gitignore"
@@ -101,7 +102,7 @@ licenses:
 - MIT
 metadata:
   allowed_push_host: https://rubygems.org
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -109,15 +110,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.21
-signing_key: 
+rubygems_version: 3.5.17
+signing_key:
 specification_version: 4
 summary: Asymmetric keywise encryption for JSON on Rails
 test_files: []