ravioli 0.1.3 → 0.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 572198c31192d87b63d13d1e672813f7c9e37c9cc3a9f9e17622b5f86c882b34
-  data.tar.gz: 626a0d7ec6f697f00fabc011884fefec7fed2c0a55141638f3096a657fcb0a82
+  metadata.gz: a42c50f1ae58ea21c70956c3a2fda57084dc20042efc3e163c26b80a8ecc8c58
+  data.tar.gz: 2fafc358079f1bab16f25e36563dc5f843fedd7d85e32b8e34ca337b2c3c23ee
 SHA512:
-  metadata.gz: cfb0f8416dd26cb6150a6d0c3cb93a908fd75d7571ccbccc138f5141ff5b888d75a90cfe9dd3438748519f6078ba300875600aa0b3f7cb980ab426c3e2223330
-  data.tar.gz: e1316a4be7b03f9825f7324f70798c2c41ce937b04da209fc2df59a3fa4d1730efb94de12f74b53636ef6069faa27564bc9388951b7ed29f26b1ab73ed4f1400
+  metadata.gz: bf02967cc19dfba1c24a0db7da932999896c278635a8be0c45d6966d4d9e76d2517290770a8d608842b4978beb9c05621b532023ffd2bbd8eed484155c3327b8
+  data.tar.gz: 77bdfbaeb3210f7033e9837d7c52003118fc45edaec020595276f455260cb13a186c1c1239c3bf96e5e4965acb3c3f1b250fc0766e1f5d6957c89d662c633d5e

data/README.md

@@ -216,7 +216,7 @@ Ravioli will then check for [encrypted credentials](https://guides.rubyonrails.o
 2. Then, it loads and applies `config/credentials/RAILS_ENV.yml.enc` over top of what it has already loaded
 3. Finally, IF `Rails.config.staging?` IS TRUE, it loads and applies `config/credentials/staging.yml.enc`
 
-This allows you to use your secure credentials stores without duplicating information; you can simply layer environment-specific values over top of
+This allows you to use your secure credentials stores without duplicating information; you can simply layer environment-specific values over top of a "root" `config/credentials.yml.enc` file.
 
 ### All put together, it does this:
 
@@ -417,47 +417,47 @@ staging:
 
 ### Encryption keys in ENV
 
-Because Ravioli merges environment-specific credentials over top of the root credentials file, you'll need to provide encryption keys for two (or, if you have a staging setup, three) different files in ENV vars. As such, Ravioli looks for decryption keys in a fallback-specific way. Here's where it looks for each file:
+Here are a few facts about credentials in Rails and how they're deployed:
 
-<table><thead><tr><th>File</th><th>First it tries...</th><th>Then it tries...</th></tr></thead><tbody><tr><td>
+1. Rails assumes you want to use the file that matches your environment, if it exists (e.g. `RAILS_ENV=production` will look for `config/credentials/production.yml.enc`)
+2. Rails does _not_ support environment-specfic keys, but it _does_ now aggressively loads credentials at boot time.
 
-`config/credentials.yml.enc`
+**This means `RAILS_MASTER_KEY` MUST be the decryption key for your environment-specific credential file, if one exists.**
 
-</td><td>
+But, because Ravioli merges environment-specific credentials over top of the root credentials file, you'll need to provide encryption keys for two (or, if you have a staging setup, three) different files in ENV vars. As such, Ravioli looks for decryption keys in a way that mirrors Rails' assumptions, but allows progressive layering of credentials.
 
-`ENV["RAILS_BASE_KEY"]`
+Here are a few examples
 
-</td><td>
+<table><thead><tr><th>File</th><th>First it tries...</th><th>Then it tries...</th></tr></thead><tbody>
 
-`ENV["RAILS_MASTER_KEY"]`
+<tr>
+	<td><code>config/credentials.yml.enc</code></td>
+	<td><code>ENV["RAILS_MASTER_KEY"]</code></td>
+	<td><code>ENV["RAILS_ROOT_KEY"]</code></td>
+</tr>
 
-</td></tr><tr><td>
+<tr>
+	<td><code>config/credentials/#{RAILS_ENV}.yml.enc</code></td>
+	<td><code>ENV["RAILS_MASTER_KEY"]</code></td>
+	<td><code>ENV["RAILS_#{RAILS_ENV}_KEY"]</code></td>
+</tr>
 
-`config/credentials/production.yml.enc`
 
-</td><td>
+<tr>
+	<td><code>config/credentials/staging.yml.enc</code></td>
+	<td><code>ENV["RAILS_MASTER_KEY"]</code></td>
+	<td><code>ENV["RAILS_STAGING_KEY"]</code></td>
+</tr>
 
-`ENV["RAILS_PRODUCTION_KEY"]`
+</tbody></table>
 
-</td><td>
-
-`ENV["RAILS_MASTER_KEY"]`
-
-</td></tr><tr><td>
-
-`config/credentials/staging.yml.enc` (only if running on staging)
-
-</td><td>
-
-`ENV["RAILS_STAGING_KEY"]`
-
-</td><td>
-
-`ENV["RAILS_MASTER_KEY"]`
+Credentials are loaded in that order, too, so that you can have a base setup on `config/credentials.yml.enc`, overlay that with production-specific stuff from `config/credentials/production.yml.enc`, and then short-circuit or redirect some stuff in `config/credentials/staging.yml.enc` for staging environments.
 
-</td></tr></tbody></table>
+#### TLDR:
 
-Credentials are loaded in that order, too, so that you can have a base setup on `config/credentials.yml.enc`, overlay that with production-specific stuff from `config/credentials/production.yml.enc`, and then short-circuit or redirect some stuff in `config/credentials/staging.yml.enc` for staging environments.
+1. Set `RAILS_MASTER_KEY` to the key for your specific environment
+2. Set `RAILS_STAGING_KEY` to the key for your staging credentials (if deploying to staging AND you have staging-specific credentials)
+3. Set `RAILS_ROOT_KEY` to the key for your root credentials (if you have anything in `config/credentials.yml.enc`)
 
 ## License
 

data/lib/ravioli.rb

@@ -40,4 +40,4 @@ module Ravioli
   end
 end
 
-require_relative "ravioli/engine" if defined?(Rails)
+require_relative "ravioli/railtie" if defined?(Rails)

data/lib/ravioli/builder.rb

@@ -81,15 +81,6 @@ module Ravioli
     def add_staging_flag!(is_staging = Rails.env.production? && ENV["STAGING"].present?)
       is_staging = is_staging.present?
       configuration.staging = is_staging
-      Rails.env.class_eval <<-EOC, __FILE__, __LINE__ + 1
-        def staging?
-          config = Rails.try(:config)
-          return false unless config&.is_a?(Ravioli::Configuration)
-
-          config.staging?
-        end
-      EOC
-      is_staging
     end
 
     # Iterates through the config directory (including nested folders) and
@@ -104,14 +95,28 @@ module Ravioli
 
     # Loads Rails encrypted credentials that it can. Checks for corresponding private key files, or ENV vars based on the {Ravioli::Builder credentials preadmlogic}
     def auto_load_credentials!
-      # Load the base config
-      load_credentials(key_path: "config/master.key", env_name: "base")
-
-      # Load any environment-specific configuration on top of it
-      load_credentials("config/credentials/#{Rails.env}", key_path: "config/credentials/#{Rails.env}.key", env_name: "master")
+      # Load the root config (supports using the master key or `RAILS_ROOT_KEY`)
+      load_credentials(
+        key_path: "config/master.key",
+        env_names: %w[master root],
+      )
+
+      # Load any environment-specific configuration on top of it. Since Rails will try
+      # `RAILS_MASTER_KEY` from the environment, we assume the same
+      load_credentials(
+        "config/credentials/#{Rails.env}",
+        key_path: "config/credentials/#{Rails.env}.key",
+        env_names: ["master"],
+      )
 
       # Apply staging configuration on top of THAT, if need be
-      load_credentials("config/credentials/staging", key_path: "config/credentials/staging.key") if configuration.staging?
+      if configuration.staging?
+        load_credentials(
+          "config/credentials/staging",
+          env_names: %w[staging master],
+          key_path: "config/credentials/staging.key",
+        )
+      end
     end
 
     # When the builder is done working, lock the configuration and return it
@@ -140,11 +145,30 @@ module Ravioli
     end
 
     # Load secure credentials using a key either from a file or the ENV
-    def load_credentials(path = "credentials", key_path: path, env_name: path.split("/").last)
-      credentials = parse_credentials(path, env_name: env_name, key_path: key_path)
-      configuration.append(credentials) if credentials.present?
-    rescue => error
-      warn "Could not decrypt `#{path}.yml.enc' with key file `#{key_path}' or `ENV[\"#{env_name}\"]'", error, critical: false
+    def load_credentials(path = "credentials", key_path: path, env_names: path.split("/").last)
+      error = nil
+      env_names = Array(env_names).map { |env_name| parse_env_name(env_name) }
+      env_names.each do |env_name|
+        credentials = parse_credentials(path, env_name: env_name, key_path: key_path)
+        if credentials.present?
+          configuration.append(credentials)
+          return credentials
+        end
+      rescue => e
+        error = e
+      end
+
+      if error
+        attempted_names = ["key file `#{key_path}'"]
+        attempted_names.push(*env_names.map { |env_name| "`ENV[\"#{env_name}\"]'" })
+        attempted_names = attempted_names.to_sentence(two_words_connector: " or ", last_word_connector: ", or ")
+        warn(
+          "Could not decrypt `#{path}.yml.enc' with #{attempted_names}",
+          error,
+          critical: false,
+        )
+      end
+
       {}
     end
 
@@ -189,7 +213,7 @@ module Ravioli
         @reload_credentials.add(@current_credentials)
       end
 
-      configuration.send(*args, &block)
+      configuration.fetch_env_key_for(args) { configuration.send(*args, &block) }
     end
     # rubocop:enable Style/MissingRespondToMissing
     # rubocop:enable Style/MethodMissingSuper
@@ -233,13 +257,17 @@ module Ravioli
       {name => config}
     end
 
+    def parse_env_name(env_name)
+      env_name = env_name.to_s
+      env_name.match?(/^RAILS_/) ? env_name : "RAILS_#{env_name.upcase}_KEY"
+    end
+
     def parse_credentials(path, key_path: path, env_name: path.split("/").last)
       @current_credentials = path
-      env_name = env_name.to_s
-      env_name = "RAILS_#{env_name.upcase}_KEY" unless env_name.upcase == env_name
+      env_name = parse_env_name(env_name)
       key_path = path_to_config_file_path(key_path, extnames: "key", quiet: true)
-      options = {key_path: key_path}
-      options[:env_key] = ENV[env_name].present? ? env_name : SecureRandom.hex(6)
+      options = {key_path: key_path.to_s}
+      options[:env_key] = ENV[env_name].present? ? env_name : "__RAVIOLI__#{SecureRandom.hex(6)}"
 
       path = path_to_config_file_path(path, extnames: "yml.enc")
       (Rails.application.encrypted(path, **options)&.config || {}).tap do
@@ -288,7 +316,7 @@ module Ravioli
       if @strict && critical
         raise BuildError.new(message, error)
       else
-        Rails.logger.warn(message) if defined? Rails
+        Rails.logger.try(:warn, message) if defined? Rails
         $stderr.write message # rubocop:disable Rails/Output
       end
     end

data/lib/ravioli/configuration.rb

@@ -45,6 +45,11 @@ module Ravioli
       dig(*keys) || yield
     end
 
+    def fetch_env_key_for(keys, &block)
+      env_key = key_path_for(keys).join("_").upcase
+      ENV.fetch(env_key, &block)
+    end
+
     def pretty_print(printer = nil)
       table.pretty_print(printer)
     end
@@ -80,11 +85,6 @@ module Ravioli
       end
     end
 
-    def fetch_env_key_for(keys, &block)
-      env_key = key_path_for(keys).join("_").upcase
-      ENV.fetch(env_key, &block)
-    end
-
     def key_path_for(keys)
       Array(key_path) + Array(keys)
     end

data/lib/ravioli/{engine.rb → railtie.rb}

@@ -1,15 +1,8 @@
 # frozen_string_literal: true
 
-module Ravioli
-  class Engine < ::Rails::Engine
-    # Bootstrap Ravioli onto the Rails app
-    initializer "ravioli", before: :load_environment_config do |app|
-      Rails.extend Ravioli::RailsConfig unless Rails.respond_to?(:config)
-    end
-  end
-
-  private
+require_relative "./staging_inquirer"
 
+module Ravioli
   module RailsConfig
     def config
       Ravioli.default || Ravioli.build(namespace: Rails.application&.class&.module_parent, strict: Rails.env.production?) do |config|
@@ -19,4 +12,10 @@ module Ravioli
       end
     end
   end
+
+  class Railtie < ::Rails::Railtie
+    # Bootstrap Ravioli onto the Rails app
+    Rails.env.class.prepend Ravioli::StagingInquirer
+    Rails.extend Ravioli::RailsConfig unless Rails.respond_to?(:config)
+  end
 end

data/lib/ravioli/staging_inquirer.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Ravioli
+  # A module that we mix in to the `Rails.env` inquirer class to add some extra staging-related
+  # metadata
+  module StagingInquirer
+    # Add a `name` method to `Rails.env` that will return "staging" for staging environments, and
+    # otherwise the string's value
+    def name
+      staging? ? "staging" : to_s
+    end
+
+    # Add a `strict:` keyword to reduce `Rails.env.production && !Rails.env.staging` calls
+    def production?(strict: false)
+      is_production = super()
+      return is_production unless strict && is_production
+
+      is_production && !staging?
+    end
+
+    # Override staging inquiries to check against the current configuration
+    def staging?
+      Rails.try(:config)&.staging?
+    end
+  end
+end

data/lib/ravioli/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Ravioli
-  VERSION = "0.1.3"
+  VERSION = "0.1.7"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ravioli
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.7
 platform: ruby
 authors:
 - Flip Sasser
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-06-28 00:00:00.000000000 Z
+date: 2021-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -270,7 +270,8 @@ files:
 - lib/ravioli.rb
 - lib/ravioli/builder.rb
 - lib/ravioli/configuration.rb
-- lib/ravioli/engine.rb
+- lib/ravioli/railtie.rb
+- lib/ravioli/staging_inquirer.rb
 - lib/ravioli/version.rb
 homepage: https://github.com/flipsasser/ravioli
 licenses: