ravioli 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 572198c31192d87b63d13d1e672813f7c9e37c9cc3a9f9e17622b5f86c882b34
-  data.tar.gz: 626a0d7ec6f697f00fabc011884fefec7fed2c0a55141638f3096a657fcb0a82
+  metadata.gz: 8f4bb7ba56c32614b3b2be61de6c94648e3ff2fbb54692f84c56bbacdbb1db4e
+  data.tar.gz: bafd93a46a25071127c09c19231af5545749ea18b63eaa94d7ac2e67e2642fdd
 SHA512:
-  metadata.gz: cfb0f8416dd26cb6150a6d0c3cb93a908fd75d7571ccbccc138f5141ff5b888d75a90cfe9dd3438748519f6078ba300875600aa0b3f7cb980ab426c3e2223330
-  data.tar.gz: e1316a4be7b03f9825f7324f70798c2c41ce937b04da209fc2df59a3fa4d1730efb94de12f74b53636ef6069faa27564bc9388951b7ed29f26b1ab73ed4f1400
+  metadata.gz: f2b59aa2b29243d15c43a0262442576eeedb7c2b5d651341e184b771f277c598c62844dfc0b9f3d234ce9206a80ecd62286d352f31a4ea08db6439f64c5ccac8
+  data.tar.gz: a691095131f8babd604bf1a6c5a6aaacf4b137c46dc9adc1cd824ffabe2b2c1f75657e8b082defee4b911c5a37695d8955184ffe5d6c2f593cadc336ffdc92eb

data/README.md

@@ -216,7 +216,7 @@ Ravioli will then check for [encrypted credentials](https://guides.rubyonrails.o
 2. Then, it loads and applies `config/credentials/RAILS_ENV.yml.enc` over top of what it has already loaded
 3. Finally, IF `Rails.config.staging?` IS TRUE, it loads and applies `config/credentials/staging.yml.enc`
 
-This allows you to use your secure credentials stores without duplicating information; you can simply layer environment-specific values over top of
+This allows you to use your secure credentials stores without duplicating information; you can simply layer environment-specific values over top of a "root" `config/credentials.yml.enc` file.
 
 ### All put together, it does this:
 
@@ -417,47 +417,47 @@ staging:
 
 ### Encryption keys in ENV
 
-Because Ravioli merges environment-specific credentials over top of the root credentials file, you'll need to provide encryption keys for two (or, if you have a staging setup, three) different files in ENV vars. As such, Ravioli looks for decryption keys in a fallback-specific way. Here's where it looks for each file:
+Here are a few facts about credentials in Rails and how they're deployed:
 
-<table><thead><tr><th>File</th><th>First it tries...</th><th>Then it tries...</th></tr></thead><tbody><tr><td>
+1. Rails assumes you want to use the file that matches your environment, if it exists (e.g. `RAILS_ENV=production` will look for `config/credentials/production.yml.enc`)
+2. Rails does _not_ support environment-specfic keys, but it _does_ now aggressively loads credentials at boot time.
 
-`config/credentials.yml.enc`
+**This means `RAILS_MASTER_KEY` MUST be the decryption key for your environment-specific credential file, if one exists.**
 
-</td><td>
+But, because Ravioli merges environment-specific credentials over top of the root credentials file, you'll need to provide encryption keys for two (or, if you have a staging setup, three) different files in ENV vars. As such, Ravioli looks for decryption keys in a way that mirrors Rails' assumptions, but allows progressive layering of credentials.
 
-`ENV["RAILS_BASE_KEY"]`
+Here are a few examples
 
-</td><td>
+<table><thead><tr><th>File</th><th>First it tries...</th><th>Then it tries...</th></tr></thead><tbody>
 
-`ENV["RAILS_MASTER_KEY"]`
+<tr>
+	<td><code>config/credentials.yml.enc</code></td>
+	<td><code>ENV["RAILS_MASTER_KEY"]</code></td>
+	<td><code>ENV["RAILS_ROOT_KEY"]</code></td>
+</tr>
 
-</td></tr><tr><td>
+<tr>
+	<td><code>config/credentials/#{RAILS_ENV}.yml.enc</code></td>
+	<td><code>ENV["RAILS_MASTER_KEY"]</code></td>
+	<td><code>ENV["RAILS_#{RAILS_ENV}_KEY"]</code></td>
+</tr>
 
-`config/credentials/production.yml.enc`
 
-</td><td>
+<tr>
+	<td><code>config/credentials/staging.yml.enc</code></td>
+	<td><code>ENV["RAILS_MASTER_KEY"]</code></td>
+	<td><code>ENV["RAILS_STAGING_KEY"]</code></td>
+</tr>
 
-`ENV["RAILS_PRODUCTION_KEY"]`
+</tbody></table>
 
-</td><td>
-
-`ENV["RAILS_MASTER_KEY"]`
-
-</td></tr><tr><td>
-
-`config/credentials/staging.yml.enc` (only if running on staging)
-
-</td><td>
-
-`ENV["RAILS_STAGING_KEY"]`
-
-</td><td>
-
-`ENV["RAILS_MASTER_KEY"]`
+Credentials are loaded in that order, too, so that you can have a base setup on `config/credentials.yml.enc`, overlay that with production-specific stuff from `config/credentials/production.yml.enc`, and then short-circuit or redirect some stuff in `config/credentials/staging.yml.enc` for staging environments.
 
-</td></tr></tbody></table>
+#### TLDR:
 
-Credentials are loaded in that order, too, so that you can have a base setup on `config/credentials.yml.enc`, overlay that with production-specific stuff from `config/credentials/production.yml.enc`, and then short-circuit or redirect some stuff in `config/credentials/staging.yml.enc` for staging environments.
+1. Set `RAILS_MASTER_KEY` to the key for your specific environment
+2. Set `RAILS_STAGING_KEY` to the key for your staging credentials (if deploying to staging AND you have staging-specific credentials)
+3. Set `RAILS_ROOT_KEY` to the key for your root credentials (if you have anything in `config/credentials.yml.enc`)
 
 ## License
 

data/lib/ravioli/builder.rb

@@ -79,17 +79,10 @@ module Ravioli
     #
     # @param is_staging [boolean, #present?] whether or not the current environment is considered a staging environment
     def add_staging_flag!(is_staging = Rails.env.production? && ENV["STAGING"].present?)
+      require_relative "./staging_inquirer"
       is_staging = is_staging.present?
       configuration.staging = is_staging
-      Rails.env.class_eval <<-EOC, __FILE__, __LINE__ + 1
-        def staging?
-          config = Rails.try(:config)
-          return false unless config&.is_a?(Ravioli::Configuration)
-
-          config.staging?
-        end
-      EOC
-      is_staging
+      Rails.env.class.prepend Ravioli::StagingInquirer
     end
 
     # Iterates through the config directory (including nested folders) and
@@ -104,14 +97,28 @@ module Ravioli
 
     # Loads Rails encrypted credentials that it can. Checks for corresponding private key files, or ENV vars based on the {Ravioli::Builder credentials preadmlogic}
     def auto_load_credentials!
-      # Load the base config
-      load_credentials(key_path: "config/master.key", env_name: "base")
-
-      # Load any environment-specific configuration on top of it
-      load_credentials("config/credentials/#{Rails.env}", key_path: "config/credentials/#{Rails.env}.key", env_name: "master")
+      # Load the root config (supports using the master key or `RAILS_ROOT_KEY`)
+      load_credentials(
+        key_path: "config/master.key",
+        env_names: %w[master root],
+      )
+
+      # Load any environment-specific configuration on top of it. Since Rails will try
+      # `RAILS_MASTER_KEY` from the environment, we assume the same
+      load_credentials(
+        "config/credentials/#{Rails.env}",
+        key_path: "config/credentials/#{Rails.env}.key",
+        env_names: ["master"],
+      )
 
       # Apply staging configuration on top of THAT, if need be
-      load_credentials("config/credentials/staging", key_path: "config/credentials/staging.key") if configuration.staging?
+      if configuration.staging?
+        load_credentials(
+          "config/credentials/staging",
+          env_names: %w[staging master],
+          key_path: "config/credentials/staging.key",
+        )
+      end
     end
 
     # When the builder is done working, lock the configuration and return it
@@ -140,11 +147,30 @@ module Ravioli
     end
 
     # Load secure credentials using a key either from a file or the ENV
-    def load_credentials(path = "credentials", key_path: path, env_name: path.split("/").last)
-      credentials = parse_credentials(path, env_name: env_name, key_path: key_path)
-      configuration.append(credentials) if credentials.present?
-    rescue => error
-      warn "Could not decrypt `#{path}.yml.enc' with key file `#{key_path}' or `ENV[\"#{env_name}\"]'", error, critical: false
+    def load_credentials(path = "credentials", key_path: path, env_names: path.split("/").last)
+      error = nil
+      env_names = Array(env_names).map { |env_name| parse_env_name(env_name) }
+      env_names.each do |env_name|
+        credentials = parse_credentials(path, env_name: env_name, key_path: key_path)
+        if credentials.present?
+          configuration.append(credentials)
+          return credentials
+        end
+      rescue => e
+        error = e
+      end
+
+      if error
+        attempted_names = ["key file `#{key_path}'"]
+        attempted_names.push(*env_names.map { |env_name| "`ENV[\"#{env_name}\"]'" })
+        attempted_names = attempted_names.to_sentence(two_words_connector: " or ", last_word_connector: ", or ")
+        warn(
+          "Could not decrypt `#{path}.yml.enc' with #{attempted_names}",
+          error,
+          critical: false,
+        )
+      end
+
       {}
     end
 
@@ -233,13 +259,17 @@ module Ravioli
       {name => config}
     end
 
+    def parse_env_name(env_name)
+      env_name = env_name.to_s
+      env_name.match?(/^RAILS_/) ? env_name : "RAILS_#{env_name.upcase}_KEY"
+    end
+
     def parse_credentials(path, key_path: path, env_name: path.split("/").last)
       @current_credentials = path
-      env_name = env_name.to_s
-      env_name = "RAILS_#{env_name.upcase}_KEY" unless env_name.upcase == env_name
+      env_name = parse_env_name(env_name)
       key_path = path_to_config_file_path(key_path, extnames: "key", quiet: true)
-      options = {key_path: key_path}
-      options[:env_key] = ENV[env_name].present? ? env_name : SecureRandom.hex(6)
+      options = {key_path: key_path.to_s}
+      options[:env_key] = ENV[env_name].present? ? env_name : "__RAVIOLI__#{SecureRandom.hex(6)}"
 
       path = path_to_config_file_path(path, extnames: "yml.enc")
       (Rails.application.encrypted(path, **options)&.config || {}).tap do
@@ -288,7 +318,7 @@ module Ravioli
       if @strict && critical
         raise BuildError.new(message, error)
       else
-        Rails.logger.warn(message) if defined? Rails
+        Rails.logger.try(:warn, message) if defined? Rails
         $stderr.write message # rubocop:disable Rails/Output
       end
     end

data/lib/ravioli/staging_inquirer.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Ravioli
+  # A module that we mix in to the `Rails.env` inquirer class to add some extra staging-related
+  # metadata
+  module StagingInquirer
+    # Add a `name` method to `Rails.env` that will return "staging" for staging environments, and
+    # otherwise the string's value
+    def name
+      staging? ? "staging" : to_s
+    end
+
+    # Add a `strict:` keyword to reduce `Rails.env.production && !Rails.env.staging` calls
+    def production?(strict: false)
+      is_production = super()
+      return is_production unless strict && is_production
+
+      is_production && !staging?
+    end
+
+    # Override staging inquiries to check against the current configuration
+    def staging?
+      Rails.try(:config)&.staging?
+    end
+  end
+end

data/lib/ravioli/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Ravioli
-  VERSION = "0.1.3"
+  VERSION = "0.1.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ravioli
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Flip Sasser
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-06-28 00:00:00.000000000 Z
+date: 2021-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -271,6 +271,7 @@ files:
 - lib/ravioli/builder.rb
 - lib/ravioli/configuration.rb
 - lib/ravioli/engine.rb
+- lib/ravioli/staging_inquirer.rb
 - lib/ravioli/version.rb
 homepage: https://github.com/flipsasser/ravioli
 licenses: