secvault 1.0.0 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67a57fa1ebe481bab8c9f5f4d9f6d0af27250e4d2c145641c125cd61f88018d0
-  data.tar.gz: 8613ed6d87bf067ad69bde7d80d8623a30b6dfb36280ddfe431b236198e63e2c
+  metadata.gz: 4b3a4f3dd5a26567e78f90b281928f6cac684dc2f2a174bba755a78b57dadde2
+  data.tar.gz: 9d951e8c68769591ec2c9e71381ac2bdbe738f6dd3556f84ec142a65c4be51d7
 SHA512:
-  metadata.gz: 3013b492cec7b62296815ea239dc398de08806532ca995de383324a62fd9689e44ae62c744365dbcd29e1158b94b204f2b1522986c5e2d9b1e0d024cab3c871d
-  data.tar.gz: 2c74fa262a228253393a7b5818cb6d59554b67fb6ecbfac37d018c271fea9d6ca38d6c8b2cd84d253e16c42d4b28144c6059a1ee5e297d950db2954de6a5285b
+  metadata.gz: cae9f13a0f6a587fb5cf89a01c076aff1ebbc2830ef7e5fbe34be02537109fc13a977b9b938e711e5a64de90b038f889272f1ac134badc31f127273ddea74365
+  data.tar.gz: 8453cae98b137ce6fe6c985351aaef8676153872ac03ebff4d8a47286c60c3f726dd7f42c86b37f7499d2de19a905068dc41e47526cb5c249af399eb63321532

data/lib/secvault/generators/secrets_generator.rb

@@ -9,9 +9,10 @@ module Secvault
     class SecretsGenerator < Rails::Generators::Base
       source_root File.expand_path("templates", __dir__)
 
-      desc "Creates a secrets.yml file for encrypted secrets management"
+      desc "Creates a secrets.yml file for secrets management"
 
       class_option :force, type: :boolean, default: false, desc: "Overwrite existing secrets.yml"
+      class_option :encrypted, type: :boolean, default: false, desc: "Create encrypted secrets.yml (default: plain YAML)"
 
       def create_secrets_file
         secrets_path = Rails.root.join("config/secrets.yml")
@@ -22,27 +23,32 @@ module Secvault
           return
         end
 
-        # Generate encryption key
-        unless key_path.exist?
-          key = ActiveSupport::EncryptedFile.generate_key
-          File.write(key_path, key)
-          say "Generated encryption key in config/secrets.yml.key", :green
-        end
+        default_content = generate_default_secrets
 
-        # Create encrypted secrets file with template
-        encrypted_file = ActiveSupport::EncryptedFile.new(
-          content_path: secrets_path,
-          key_path: key_path,
-          env_key: "RAILS_SECRETS_KEY",
-          raise_if_missing_key: true
-        )
+        if options[:encrypted]
+          # Create encrypted secrets file
+          unless key_path.exist?
+            key = ActiveSupport::EncryptedFile.generate_key
+            File.write(key_path, key)
+            say "Generated encryption key in config/secrets.yml.key", :green
+          end
 
-        # Write default content
-        default_content = generate_default_secrets
-        encrypted_file.write(default_content)
+          encrypted_file = ActiveSupport::EncryptedFile.new(
+            content_path: secrets_path,
+            key_path: key_path,
+            env_key: "RAILS_SECRETS_KEY",
+            raise_if_missing_key: true
+          )
 
-        say "Created encrypted secrets.yml file", :green
-        say "Add config/secrets.yml.key to your .gitignore file", :yellow
+          encrypted_file.write(default_content)
+          say "Created encrypted secrets.yml file", :green
+          say "Add config/secrets.yml.key to your .gitignore file", :yellow
+        else
+          # Create plain YAML secrets file
+          File.write(secrets_path, default_content)
+          say "Created plain secrets.yml file", :green
+          say "Remember to add config/secrets.yml to your .gitignore if it contains sensitive data", :yellow
+        end
       end
 
       def add_to_gitignore

data/lib/secvault/rails_secrets.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Secvault
+  # Rails::Secrets compatibility module
+  # Provides the classic Rails::Secrets interface for backwards compatibility
+  # This replicates the Rails < 7.2 Rails::Secrets module functionality
+  module RailsSecrets
+    extend self
+    
+    # Classic Rails::Secrets.parse method
+    # 
+    # Parses secrets files with support for:
+    # - ERB templating 
+    # - Shared sections that apply to all environments
+    # - Environment-specific sections
+    # - Deep symbolized keys
+    #
+    # Example usage:
+    #   Rails::Secrets.parse([Pathname.new('config/secrets.yml')], env: 'development')
+    #
+    # Example secrets.yml structure:
+    #   shared:
+    #     common_key: shared_value
+    #   
+    #   development:
+    #     secret_key_base: dev_secret
+    #     api_key: dev_api_key
+    #   
+    #   production:
+    #     secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
+    #     api_key: <%= ENV["API_KEY"] %>
+    #
+    def parse(paths, env:)
+      Secvault::Secrets.parse(paths, env: env.to_s)
+    end
+    
+    # Convenience method to parse the default secrets file
+    def parse_default(env: Rails.env)
+      secrets_path = Rails.root.join("config/secrets.yml")
+      parse([secrets_path], env: env)
+    end
+    
+    # Read and parse secrets for the current Rails environment
+    def read(env: Rails.env)
+      parse_default(env: env)
+    end
+  end
+end
+
+# Monkey patch to restore Rails::Secrets interface for backwards compatibility
+module Rails
+  Secrets = Secvault::RailsSecrets
+end

data/lib/secvault/railtie.rb

@@ -6,9 +6,32 @@ module Secvault
   class Railtie < Rails::Railtie
     railtie_name :secvault
 
-    initializer "secvault.initialize" do |app|
+    initializer "secvault.initialize", before: :load_environment_hook do |app|
       Secvault::Secrets.setup(app)
     end
+    
+    # Ensure initialization happens early in all environments
+    config.before_configuration do |app|
+      secrets_path = app.root.join("config/secrets.yml")
+      key_path = app.root.join("config/secrets.yml.key")
+      
+      if secrets_path.exist? && !Rails.application.respond_to?(:secrets)
+        # Early initialization for test environment compatibility
+        current_env = ENV['RAILS_ENV'] || 'development'
+        secrets = Secvault::Secrets.read_secrets(secrets_path, key_path, current_env)
+        
+        if secrets
+          Rails.application.define_singleton_method(:secrets) do
+            @secrets ||= begin
+              current_secrets = ActiveSupport::OrderedOptions.new
+              env_secrets = Secvault::Secrets.read_secrets(secrets_path, key_path, Rails.env)
+              current_secrets.merge!(env_secrets) if env_secrets
+              current_secrets
+            end
+          end
+        end
+      end
+    end
 
     generators do
       require "secvault/generators/secrets_generator"

data/lib/secvault/secrets.rb

@@ -3,6 +3,7 @@
 require "active_support/encrypted_file"
 require "active_support/core_ext/hash/keys"
 require "active_support/core_ext/object/blank"
+require "active_support/ordered_options"
 require "pathname"
 require "erb"
 require "yaml"
@@ -15,27 +16,78 @@ module Secvault
         key_path = app.root.join("config/secrets.yml.key")
 
         if secrets_path.exist?
+          # Use a more reliable approach that works in all environments
           app.config.before_configuration do
-            # Set up secrets if they exist
-            secrets = read_secrets(secrets_path, key_path, Rails.env)
-            Rails.application.secrets.merge!(secrets) if secrets
+            current_env = ENV['RAILS_ENV'] || Rails.env || 'development'
+            setup_secrets_immediately(app, secrets_path, key_path, current_env)
+          end
+          
+          # Also try during to_prepare as a fallback
+          app.config.to_prepare do
+            current_env = Rails.env
+            unless Rails.application.respond_to?(:secrets) && !Rails.application.secrets.empty?
+              setup_secrets_immediately(app, secrets_path, key_path, current_env)
+            end
+          end
+        end
+      end
+
+      def setup_secrets_immediately(app, secrets_path, key_path, env)
+        # Set up secrets if they exist
+        secrets = read_secrets(secrets_path, key_path, env)
+        if secrets
+          # Rails 8.0+ compatibility: Add secrets accessor that initializes on first access
+          unless Rails.application.respond_to?(:secrets)
+            Rails.application.define_singleton_method(:secrets) do
+              @secrets ||= begin
+                current_secrets = ActiveSupport::OrderedOptions.new
+                # Re-read secrets to ensure we have the right environment
+                env_secrets = Secvault::Secrets.read_secrets(secrets_path, key_path, Rails.env)
+                current_secrets.merge!(env_secrets) if env_secrets
+                current_secrets
+              end
+            end
+          end
+          
+          # If secrets accessor already exists, merge the secrets
+          if Rails.application.respond_to?(:secrets) && Rails.application.secrets.respond_to?(:merge!)
+            Rails.application.secrets.merge!(secrets)
           end
         end
       end
 
+      # Classic Rails::Secrets.parse implementation
+      # Parses secrets files and merges shared + environment-specific sections
       def parse(paths, env:)
-        configs = paths.collect do |path|
-          if path.exist?
-            content = encrypted?(path) ? decrypt(path) : path.read
-            YAML.safe_load(ERB.new(content).result, aliases: true) || {}
+        paths.each_with_object(Hash.new) do |path, all_secrets|
+          next unless path.exist?
+          
+          # Read and process the file content (handle both encrypted and plain)
+          source = if encrypted?(path)
+            decrypt(path)
+          else
+            preprocess(path)
+          end
+          
+          # Process ERB and parse YAML
+          erb_result = ERB.new(source).result
+          secrets = if YAML.respond_to?(:unsafe_load)
+            YAML.unsafe_load(erb_result)
           else
-            {}
+            YAML.load(erb_result)
           end
+          
+          secrets ||= {}
+          
+          # Merge shared secrets first, then environment-specific
+          all_secrets.merge!(secrets["shared"].deep_symbolize_keys) if secrets["shared"]
+          all_secrets.merge!(secrets[env].deep_symbolize_keys) if secrets[env]
         end
-
-        configs.reverse.reduce do |config, overrides|
-          config.deep_merge(overrides)
-        end[env] || {}
+      end
+      
+      # Helper method to preprocess plain YAML files (for ERB)
+      def preprocess(path)
+        path.read
       end
 
       def read_secrets(secrets_path, key_path, env)

data/lib/secvault/tasks.rake

@@ -4,31 +4,24 @@ require "active_support/encrypted_file"
 require "securerandom"
 
 namespace :secvault do
-  desc "Setup encrypted secrets.yml file"
+  desc "Setup secrets.yml file (plain YAML by default)"
   task setup: :environment do
     secrets_path = Rails.root.join("config/secrets.yml")
     key_path = Rails.root.join("config/secrets.yml.key")
+    encrypted = ENV["ENCRYPTED"] == "true"
 
     if secrets_path.exist?
       puts "Secrets file already exists at #{secrets_path}"
     else
-      # Generate key if it doesn't exist
-      unless key_path.exist?
-        key = ActiveSupport::EncryptedFile.generate_key
-        File.write(key_path, key)
-        puts "Generated encryption key in #{key_path}"
-      end
-
-      # Create encrypted file with default content
-      encrypted_file = ActiveSupport::EncryptedFile.new(
-        content_path: secrets_path,
-        key_path: key_path,
-        env_key: "RAILS_SECRETS_KEY",
-        raise_if_missing_key: true
-      )
-
       default_content = <<~YAML
         # Be sure to restart your server when you modify this file.
+        #
+        # Your secret key is used for verifying the integrity of signed cookies.
+        # If you change this key, all old signed cookies will become invalid!
+        #
+        # Make sure the secret is at least 30 characters and all random,
+        # no regular words or you'll be exposed to dictionary attacks.
+        # You can use `rails secret` to generate a secure secret key.
 
         development:
           secret_key_base: #{SecureRandom.hex(64)}
@@ -36,17 +29,39 @@ namespace :secvault do
         test:
           secret_key_base: #{SecureRandom.hex(64)}
 
+        # Do not keep production secrets in the repository,
+        # instead read values from the environment.
         production:
           secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
       YAML
 
-      encrypted_file.write(default_content)
-      puts "Created encrypted secrets.yml file"
-      puts "Add #{key_path} to your .gitignore file"
+      if encrypted
+        # Create encrypted file
+        unless key_path.exist?
+          key = ActiveSupport::EncryptedFile.generate_key
+          File.write(key_path, key)
+          puts "Generated encryption key in #{key_path}"
+        end
+
+        encrypted_file = ActiveSupport::EncryptedFile.new(
+          content_path: secrets_path,
+          key_path: key_path,
+          env_key: "RAILS_SECRETS_KEY",
+          raise_if_missing_key: true
+        )
+        encrypted_file.write(default_content)
+        puts "Created encrypted secrets.yml file"
+        puts "Add #{key_path} to your .gitignore file"
+      else
+        # Create plain YAML file
+        File.write(secrets_path, default_content)
+        puts "Created plain secrets.yml file"
+        puts "Remember to add #{secrets_path} to your .gitignore if it contains sensitive data"
+      end
     end
   end
 
-  desc "Edit encrypted secrets.yml file"
+  desc "Edit secrets.yml file"
   task edit: :environment do
     secrets_path = Rails.root.join("config/secrets.yml")
     key_path = Rails.root.join("config/secrets.yml.key")
@@ -56,18 +71,28 @@ namespace :secvault do
       exit 1
     end
 
-    encrypted_file = ActiveSupport::EncryptedFile.new(
-      content_path: secrets_path,
-      key_path: key_path,
-      env_key: "RAILS_SECRETS_KEY",
-      raise_if_missing_key: true
-    )
+    # Check if file is encrypted
+    is_encrypted = Secvault::Secrets.encrypted?(secrets_path)
 
-    encrypted_file.change do |tmp_path|
-      system("#{ENV["EDITOR"] || "vi"} #{tmp_path}")
-    end
+    if is_encrypted && key_path.exist?
+      # Handle encrypted file
+      encrypted_file = ActiveSupport::EncryptedFile.new(
+        content_path: secrets_path,
+        key_path: key_path,
+        env_key: "RAILS_SECRETS_KEY",
+        raise_if_missing_key: true
+      )
+
+      encrypted_file.change do |tmp_path|
+        system("#{ENV["EDITOR"] || "vi"} #{tmp_path}")
+      end
 
-    puts "Updated #{secrets_path}"
+      puts "Updated encrypted #{secrets_path}"
+    else
+      # Handle plain YAML file
+      system("#{ENV["EDITOR"] || "vi"} #{secrets_path}")
+      puts "Updated plain #{secrets_path}"
+    end
   rescue ActiveSupport::EncryptedFile::MissingKeyError
     puts "Missing encryption key to decrypt secrets.yml."
     puts "Ask your team for your secrets key and put it in #{key_path}"
@@ -75,7 +100,7 @@ namespace :secvault do
     puts "Invalid encryption key for secrets.yml."
   end
 
-  desc "Show decrypted secrets.yml content"
+  desc "Show secrets.yml content"
   task show: :environment do
     secrets_path = Rails.root.join("config/secrets.yml")
     key_path = Rails.root.join("config/secrets.yml.key")
@@ -85,14 +110,22 @@ namespace :secvault do
       exit 1
     end
 
-    encrypted_file = ActiveSupport::EncryptedFile.new(
-      content_path: secrets_path,
-      key_path: key_path,
-      env_key: "RAILS_SECRETS_KEY",
-      raise_if_missing_key: true
-    )
+    # Check if file is encrypted
+    is_encrypted = Secvault::Secrets.encrypted?(secrets_path)
 
-    puts encrypted_file.read
+    if is_encrypted && key_path.exist?
+      # Handle encrypted file
+      encrypted_file = ActiveSupport::EncryptedFile.new(
+        content_path: secrets_path,
+        key_path: key_path,
+        env_key: "RAILS_SECRETS_KEY",
+        raise_if_missing_key: true
+      )
+      puts encrypted_file.read
+    else
+      # Handle plain YAML file
+      puts File.read(secrets_path)
+    end
   rescue ActiveSupport::EncryptedFile::MissingKeyError
     puts "Missing encryption key to decrypt secrets.yml."
     puts "Ask your team for your secrets key and put it in #{key_path}"

data/lib/secvault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Secvault
-  VERSION = "1.0.0"
+  VERSION = "1.0.2"
 end

data/lib/secvault.rb

@@ -20,9 +20,10 @@ module Secvault
   extend self
 
   def install!
-    return if Rails.env.test? || defined?(Rails::Railtie).nil?
+    return if defined?(Rails::Railtie).nil?
 
     require "secvault/railtie"
+    require "secvault/rails_secrets"
   end
 end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secvault
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.2
 platform: ruby
 authors:
 - Unnikrishnan KP
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 7.2.0
+        version: 7.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 7.2.0
+        version: 7.1.0
 - !ruby/object:Gem::Dependency
   name: zeitwerk
   requirement: !ruby/object:Gem::Requirement
@@ -40,7 +40,7 @@ dependencies:
         version: '2.6'
 description: Secvault restores the classic Rails secrets.yml functionality that was
   removed in Rails 7.2, allowing you to manage encrypted secrets using the familiar
-  YAML-based approach.
+  YAML-based approach. Compatible with Rails 7.1+, 7.2+ and 8.0+.
 email:
 - unnikrishnan.kp@bigbinary.com
 executables: []
@@ -56,11 +56,13 @@ files:
 - Rakefile
 - lib/secvault.rb
 - lib/secvault/generators/secrets_generator.rb
+- lib/secvault/rails_secrets.rb
 - lib/secvault/railtie.rb
 - lib/secvault/secrets.rb
 - lib/secvault/secrets_helper.rb
 - lib/secvault/tasks.rake
 - lib/secvault/version.rb
+- secvault-1.0.1.gem
 - sig/secvault.rbs
 homepage: https://github.com/unnitallman/secvault
 licenses:
@@ -88,5 +90,5 @@ requirements: []
 rubygems_version: 3.5.10
 signing_key:
 specification_version: 4
-summary: Rails secrets.yml functionality for Rails 7.2+
+summary: Rails secrets.yml functionality for Rails 7.1+, 7.2+ and Rails 8.0+
 test_files: []