RubyGems - secvault - Versions diffs - 2.6.0 → 2.7.1 - Mend

secvault 2.6.0 → 2.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

checksums.yaml +4 -4
data/.rspec +1 -1
data/README.md +45 -159
data/lib/secvault/rails_secrets.rb +10 -16
data/lib/secvault/railtie.rb +4 -5
data/lib/secvault/secrets.rb +35 -61
data/lib/secvault/version.rb +1 -1
data/lib/secvault.rb +103 -93
metadata +1 -8
data/CHANGELOG.md +0 -185
data/CODE_OF_CONDUCT.md +0 -132
data/USAGE_EXAMPLES.md +0 -65
data/lib/secvault/generators/secrets_generator.rb +0 -100
data/lib/secvault/secrets_helper.rb +0 -44
data/secvault-2.0.0.gem +0 -0
data/sig/secvault.rbs +0 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 804b4325743910209d494c3c81b4f5f0dc8cf89dd802b4b424544923e42cee34
-  data.tar.gz: 6c456cdd91bf12b27ab70922deb6736c42c8afdeb3e91c7173428c791441ff2c
+  metadata.gz: 3f3f850252ea738c99ee2fd7bb7c2e9a2688082abc78245f0ac1ae4f262c9f57
+  data.tar.gz: 95c9d1b54bdf4fdeaf490e7bbf4bd1bb13411d50ce9a11291f89848049258636
 SHA512:
-  metadata.gz: 82efdd937655a3ba4eaefe8d732df4e2def7fd12a91302b182d1c300f1a17c10031339a53efe14af1f7c23bdfc40bdc44d43f578bc487a4e425551b75169f1c0
-  data.tar.gz: 0bf0eab87edf50ef01b0d5f0989d8403cd2b96795a393504de87875541ef458fbe3342ba2d8d0e8316b252259bbfee00abff8d1cb265bf0d73cdd951e979c27a
+  metadata.gz: a2399e023247f056496230dc96da152b5c9fcdd1db98b5f7359a5406f9ce45dc190ce0c93cd5dc4736abb16e7396043d78482b0879785faa60353fe0a1d773dd
+  data.tar.gz: e3deef79404b1c382c2e6167e6cb2b2981f511b6e9058fdf4fc484d8b9fce0f041551121631165f60f2220ee1d3be0ef444fb12296dac803a58afb4800b18ce0

data/.rspec CHANGED Viewed

@@ -1,3 +1,3 @@
 --format documentation
 --color
---require spec_helper
+--require spec_helper

data/README.md CHANGED Viewed

@@ -1,10 +1,11 @@
 # Secvault
-Restores the classic Rails `secrets.yml` functionality that was removed in Rails 7.2. Uses simple, plain YAML files for environment-specific secrets management with powerful features like YAML defaults, ERB interpolation, and multi-file configurations.
+Restores Rails `secrets.yml` functionality for environment-specific secrets management using YAML files with ERB templating.
-**Rails Version Support:**
-- **Rails 7.1 and older**: Manual setup (see Older Rails Integration below)
-- **Rails 7.2+**: Automatic setup
+## Rails Version Support
+- **Rails 7.2+**: Automatic setup (drop-in replacement for removed functionality)
+- **Rails 7.1**: Manual setup required
 - **Rails 8.0+**: Full compatibility
 ## Installation
@@ -14,202 +15,87 @@ Restores the classic Rails `secrets.yml` functionality that was removed in Rails
 gem 'secvault'
 ```
-```bash
-bundle install
-```
-## Quick Start (Rails 7.2+)
-```bash
-# 1. Create secrets.yml
-touch config/secrets.yml
+## Quick Start
-# 2. Edit with your favorite editor
-$EDITOR config/secrets.yml
-```
-**Usage in your app:**
-```ruby
-Rails.application.secrets.api_key
-Rails.application.secrets.database_password
-```
+Create `config/secrets.yml`:
-**Example secrets.yml with YAML defaults and ERB:**
 ```yaml
-# YAML defaults - inherited by all environments
-default: &default
-  app_name: "My Application"
-  database:
-    adapter: "postgresql"
-    pool: 5
-    timeout: 5000
-  api:
-    timeout: 30
-    retries: 3
 development:
-  <<: *default  # Inherit defaults
-  api_key: "dev_api_key_123"
-  database:
-    host: "localhost"
-    name: "myapp_development"
-  api:
-    base_url: "http://localhost:3000"  # Override default
+  api_key: "dev_key_123"
+  database_url: "postgresql://localhost/myapp_dev"
 production:
-  <<: *default  # Inherit defaults
   api_key: <%= ENV['API_KEY'] %>
-  database:
-    host: <%= ENV['DATABASE_HOST'] %>
-    name: <%= ENV['DATABASE_NAME'] %>
-    pool: <%= ENV.fetch('DATABASE_POOL', '10').to_i %>  # Type conversion
-  api:
-    base_url: <%= ENV['API_BASE_URL'] %>
-  # Boolean conversion
-  features:
-    new_ui: <%= ENV.fetch('FEATURE_NEW_UI', 'true') == 'true' %>
-  # Array conversion
-  oauth_scopes: <%= ENV.fetch('OAUTH_SCOPES', 'email,profile').split(',') %>
+  database_url: <%= ENV['DATABASE_URL'] %>
 ```
-## Multi-File Configuration
-Organize secrets across multiple files with a **super clean API**:
+Access secrets in your app:
 ```ruby
-# config/initializers/secvault.rb
-require "secvault"
-# That's it! Just pass your files array
-Secvault.setup_multi_file!([
-  'config/secrets.yml',         # Base secrets
-  'config/secrets.oauth.yml',   # OAuth & APIs
-  'config/secrets.local.yml'    # Local overrides
-])
+Rails.application.secrets.api_key
+Rails.application.secrets.database_url
 ```
-**What this does:**
-- ✅ Loads and merges all files in order (later files override earlier ones)
-- ✅ Handles missing files gracefully
-- ✅ Creates Rails.application.secrets with merged configuration
-**Advanced options:**
-```ruby
-# Disable reload helper or logging
-Secvault.setup_multi_file!(files, reload_method: false, logger: false)
-# Use Pathname objects if needed
-Secvault.setup_multi_file!([
-  Rails.root.join('config', 'secrets.yml'),
-  Rails.root.join('config', 'secrets.oauth.yml')
-])
-```
+## Multi-File Configuration
-## Advanced Usage
+Load and merge multiple secrets files:
-**Manual multi-file parsing:**
 ```ruby
-# Parse multiple files - later files override earlier ones
-secrets = Rails::Secrets.parse([
+# config/initializers/secvault.rb
+Secvault.setup_multi_file!([
   'config/secrets.yml',
   'config/secrets.oauth.yml',
   'config/secrets.local.yml'
-], env: Rails.env)
+])
 ```
-**Load specific environment:**
-```ruby
-# Load production secrets in any environment
-production_secrets = Rails::Secrets.load(env: 'production')
+Files are merged in order with deep merge support for nested hashes.
-# Load development secrets
-dev_secrets = Rails::Secrets.load(env: 'development')
-```
+## Manual API
-**Environment-specific loading:**
 ```ruby
-# Load production secrets in any environment
-production_secrets = Rails::Secrets.load(env: 'production')
-# Load development secrets
-dev_secrets = Rails::Secrets.load(env: 'development')
-```
+# Parse specific files
+secrets = Rails::Secrets.parse(['config/secrets.yml'], env: Rails.env)
-## ERB Features & Type Conversion
+# Load default config/secrets.yml
+secrets = Rails::Secrets.load(env: 'production')
-Secvault supports ERB templating with automatic type conversion:
-```yaml
-production:
-  # String interpolation
-  api_key: <%= ENV['API_KEY'] %>
-  # Integer conversion
-  database_pool: <%= ENV.fetch('DB_POOL', '10').to_i %>
-  # Boolean conversion
-  debug_enabled: <%= ENV.fetch('DEBUG', 'false') == 'true' %>
-  # Array conversion
-  allowed_hosts: <%= ENV.fetch('HOSTS', 'localhost,127.0.0.1').split(',') %>
-  # Fallback values
-  timeout: <%= ENV.fetch('TIMEOUT', '30').to_i %>
-  adapter: <%= ENV.fetch('DB_ADAPTER', 'postgresql') %>
+# Check if active
+Secvault.active? # => true/false
 ```
-## Development Tools
+## Rails 7.1 Integration
-**Hot-reload secrets (automatically available in development):**
-```ruby
-# In Rails console - automatically added by setup_multi_file!
-reload_secrets!  # Reloads all configured files without server restart
-# 🔄 Reloaded secrets from 3 files
+For Rails 7.1 with existing secrets functionality:
-# Also available as:
-Rails.application.reload_secrets!
-```
-**Check integration status:**
 ```ruby
-Secvault.active?  # Returns true if Secvault is managing secrets
+# config/initializers/secvault.rb
+Secvault.setup_backward_compatibility_with_older_rails!
 ```
-## Older Rails Integration
+## ERB Templating
-For Rails versions with existing secrets functionality (like Rails 7.1), use Secvault to test before upgrading:
+Supports full ERB templating for environment variables:
-```ruby
-# config/initializers/secvault.rb
-Secvault.setup_backward_compatibility_with_older_rails!
+```yaml
+production:
+  api_key: <%= ENV['API_KEY'] %>
+  pool_size: <%= ENV.fetch('DB_POOL', '5').to_i %>
+  features:
+    enabled: <%= ENV.fetch('FEATURES_ON', 'false') == 'true' %>
+  hosts: <%= ENV.fetch('ALLOWED_HOSTS', 'localhost').split(',') %>
 ```
-This replaces Rails.application.secrets with Secvault functionality. Your existing Rails 7.1 code works unchanged:
+## Development Tools
-```ruby
-Rails.application.secrets.api_key          # ✅ Works
-Rails.application.secrets.oauth_settings   # ✅ Works
-Rails::Secrets.load                        # ✅ Load default config/secrets.yml
-Rails::Secrets.parse(['custom.yml'], env: Rails.env)  # ✅ Parse custom files
-```
+Reload secrets in development:
-**Check if Secvault is active:**
 ```ruby
-if Secvault.active?
-  puts "Using Secvault for secrets management"
-else
-  puts "Using default Rails secrets functionality"
-end
+# Available after setup_multi_file!
+reload_secrets!
+Rails.application.reload_secrets!
 ```
-## Security Best Practices
-- **Never commit production secrets** to version control
-- **Use environment variables** in production with ERB: `<%= ENV['SECRET'] %>`
-- **Use ENV.fetch()** with fallbacks: `<%= ENV.fetch('SECRET', 'default') %>`
 ## License
-MIT License - see [LICENSE](https://opensource.org/licenses/MIT)
+MIT

data/lib/secvault/rails_secrets.rb CHANGED Viewed

@@ -6,9 +6,9 @@ module Secvault
   # This replicates the Rails < 7.2 Rails::Secrets module functionality
   module RailsSecrets
     extend self
     # Parse secrets from one or more YAML files
-    #
+    #
     # Supports:
     # - ERB templating for environment variables
     # - Shared sections that apply to all environments
@@ -19,26 +19,26 @@ module Secvault
     # Examples:
     #   # Single file
     #   Rails::Secrets.parse(['config/secrets.yml'], env: 'development')
-    #
+    #
     #   # Multiple files (merged in order)
     #   Rails::Secrets.parse([
     #     'config/secrets.yml',
     #     'config/secrets.local.yml'
     #   ], env: 'development')
-    #
+    #
     #   # Load default config/secrets.yml
     #   Rails::Secrets.load  # uses current Rails.env
     #   Rails::Secrets.load(env: 'production')
     def parse(paths, env:)
       Secvault::Secrets.parse(paths, env: env.to_s)
     end
     # Load secrets from the default config/secrets.yml file
     def load(env: Rails.env)
       secrets_path = Rails.root.join("config/secrets.yml")
       parse([secrets_path], env: env)
     end
     # Backward compatibility aliases (deprecated)
     alias_method :parse_default, :load
     alias_method :read, :load
@@ -46,15 +46,9 @@ module Secvault
 end
 # Monkey patch to restore Rails::Secrets interface for backwards compatibility
-# Only for Rails 7.2+ where Rails::Secrets was removed
-if defined?(Rails) && Rails.respond_to?(:version)
-  rails_version = Rails.version
-  major, minor = rails_version.split('.').map(&:to_i)
-  # Only alias for Rails 7.2+ to avoid conflicts with native Rails::Secrets in 7.1
-  if major > 7 || (major == 7 && minor >= 2)
-    module Rails
-      Secrets = Secvault::RailsSecrets
-    end
+# Works consistently across all Rails versions with warning suppression
+if defined?(Rails)
+  module Rails
+    Secrets = Secvault::RailsSecrets
   end
 end

data/lib/secvault/railtie.rb CHANGED Viewed

@@ -9,16 +9,16 @@ module Secvault
     initializer "secvault.initialize", before: :load_environment_hook do |app|
       Secvault::Secrets.setup(app)
     end
     # Ensure initialization happens early in all environments
     config.before_configuration do |app|
       secrets_path = app.root.join("config/secrets.yml")
       if secrets_path.exist? && !Rails.application.respond_to?(:secrets)
         # Early initialization for test environment compatibility
-        current_env = ENV['RAILS_ENV'] || 'development'
+        current_env = ENV["RAILS_ENV"] || "development"
         secrets = Secvault::Secrets.read_secrets(secrets_path, current_env)
         if secrets
           Rails.application.define_singleton_method(:secrets) do
             @secrets ||= begin
@@ -31,6 +31,5 @@ module Secvault
         end
       end
     end
   end
 end

data/lib/secvault/secrets.rb CHANGED Viewed

@@ -11,85 +11,67 @@ module Secvault
   class Secrets
     class << self
       def setup(app)
-        # Only auto-setup for Rails 7.2+ where secrets functionality was removed
-        return unless rails_7_2_or_later?
+        # Auto-setup for all Rails versions with consistent behavior
         secrets_path = app.root.join("config/secrets.yml")
-        if secrets_path.exist?
-          # Use a more reliable approach that works in all environments
-          app.config.before_configuration do
-            current_env = ENV['RAILS_ENV'] || Rails.env || 'development'
-            setup_secrets_immediately(app, secrets_path, current_env)
-          end
-          # Also try during to_prepare as a fallback
-          app.config.to_prepare do
-            current_env = Rails.env
-            unless Rails.application.respond_to?(:secrets) && !Rails.application.secrets.empty?
-              setup_secrets_immediately(app, secrets_path, current_env)
-            end
-          end
+        return unless secrets_path.exist?
+        # Use a reliable approach that works in all environments
+        app.config.before_configuration do
+          current_env = ENV["RAILS_ENV"] || Rails.env || "development"
+          setup_secrets_immediately(app, secrets_path, current_env)
         end
-      end
-      # Manual setup method for Rails 7.1 (opt-in)
-      def setup_for_rails_71!(app)
-        secrets_path = app.root.join("config/secrets.yml")
-        if secrets_path.exist?
-          app.config.before_configuration do
-            current_env = ENV['RAILS_ENV'] || Rails.env || 'development'
+        # Also try during to_prepare as a fallback
+        app.config.to_prepare do
+          current_env = Rails.env
+          unless Rails.application.respond_to?(:secrets) && !Rails.application.secrets.empty?
             setup_secrets_immediately(app, secrets_path, current_env)
           end
         end
       end
-      def setup_secrets_immediately(app, secrets_path, env)
+      def setup_secrets_immediately(_app, secrets_path, env)
         # Set up secrets if they exist
         secrets = read_secrets(secrets_path, env)
-        if secrets
-          # Rails 8.0+ compatibility: Add secrets accessor that initializes on first access
-          unless Rails.application.respond_to?(:secrets)
-            Rails.application.define_singleton_method(:secrets) do
-              @secrets ||= begin
-                current_secrets = ActiveSupport::OrderedOptions.new
-                # Re-read secrets to ensure we have the right environment
-                env_secrets = Secvault::Secrets.read_secrets(secrets_path, Rails.env)
-                current_secrets.merge!(env_secrets) if env_secrets
-                current_secrets
-              end
+        return unless secrets
+        # Rails 8.0+ compatibility: Add secrets accessor that initializes on first access
+        unless Rails.application.respond_to?(:secrets)
+          Rails.application.define_singleton_method(:secrets) do
+            @secrets ||= begin
+              current_secrets = ActiveSupport::OrderedOptions.new
+              # Re-read secrets to ensure we have the right environment
+              env_secrets = Secvault::Secrets.read_secrets(secrets_path, Rails.env)
+              current_secrets.merge!(env_secrets) if env_secrets
+              current_secrets
             end
           end
-          # If secrets accessor already exists, merge the secrets
-          if Rails.application.respond_to?(:secrets) && Rails.application.secrets.respond_to?(:merge!)
-            Rails.application.secrets.merge!(secrets)
-          end
         end
+        # If secrets accessor already exists, merge the secrets
+        return unless Rails.application.respond_to?(:secrets) && Rails.application.secrets.respond_to?(:merge!)
+        Rails.application.secrets.merge!(secrets)
       end
       # Classic Rails::Secrets.parse implementation
       # Parses plain YAML secrets files and merges shared + environment-specific sections
       def parse(paths, env:)
-        paths.each_with_object(Hash.new) do |path, all_secrets|
+        paths.each_with_object({}) do |path, all_secrets|
           # Handle string paths by converting to Pathname
           path = Pathname.new(path) unless path.respond_to?(:exist?)
           next unless path.exist?
           # Read and process the plain YAML file content
           source = path.read
           # Process ERB and parse YAML
           erb_result = ERB.new(source).result
-          secrets = if YAML.respond_to?(:unsafe_load)
-            YAML.unsafe_load(erb_result)
-          else
-            YAML.load(erb_result)
-          end
+          secrets = YAML.safe_load(erb_result, aliases: true, permitted_classes: [])
           secrets ||= {}
           # Merge shared secrets first, then environment-specific (using deep merge)
           all_secrets.deep_merge!(secrets["shared"].deep_symbolize_keys) if secrets["shared"]
           all_secrets.deep_merge!(secrets[env].deep_symbolize_keys) if secrets[env]
@@ -100,21 +82,13 @@ module Secvault
         if secrets_path.exist?
           # Handle plain YAML secrets.yml only
           all_secrets = YAML.safe_load(ERB.new(secrets_path.read).result, aliases: true)
           env_secrets = all_secrets[env.to_s]
           return env_secrets.deep_symbolize_keys if env_secrets
         end
         {}
       end
-      private
-      def rails_7_2_or_later?
-        rails_version = Rails.version
-        major, minor = rails_version.split('.').map(&:to_i)
-        major > 7 || (major == 7 && minor >= 2)
-      end
     end
   end
 end

data/lib/secvault/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Secvault
-  VERSION = "2.6.0"
+  VERSION = "2.7.1"
 end