Add rails credentials support

[noxasch]

Added rails credentials support with config flag addressing #68

[noxasch]

I'm currently having trouble with different ruby version in the test, any clue ?

[cjlarose]

Not 100% sure what's going on with the tests on CI. Tests pass for me locally. I suspect it has something to do with Rails 7.0 or 7.1 because we don't run tests for those Rails versions when running the test suite for Ruby 2.7, jruby, or truffleruby.

I merged in a change that address the deprecation warnings for fixture_path in Rails 7.1 to help clear up the test output. Hoping that will help clear things up 🤞

[noxasch]

Update:

Rebased to latest master

I look around and found the solution for rails 7.1 fail test. For Rails 7.1 and above it seems we need to use ActiveSupport::EncryptedConfiguration config method instead. But prior 7.1, Rails.credentials.to_h and Rails.secret.to_h will work just fine.

All test should pass now.

[cjlarose]

Awesome work! Requested a few changes

[cjlarose]

Because the version numbers are represented as strings here, this comparison can lead to unexpected results. For example, if Rails.version is 10.0.0, then '10.0.0' < '7.1' == true

To compare version numbers correctly, I think we need to either use something like

if [Rails::VERSION::MAJOR, Rails::VERSION::MINOR] < [7, 1]

or

if Gem::Version.new(Rails.version) < Gem::Version.new('7.1')

[cjlarose]

Let's remove the nesting of the credentials under the top-level secret key. I think that'll be more useful as the default behavior in order to support merging with other config sources. For example, if my config.yaml file has

aws:
  region: 'us-west-1'

And my Rails credentials has

aws:
  secret_access_key: '123456'

...then I'd want to be able to access Settings.aws, which would contain both region and secret_access_key.

If someone really wants to keep their secrets in a separate key, they can always turn off use_rails_credentials add it themselves in an initializer

Settings.add_source!({ secret: Rails.application.credentials.config.deep_stringify_keys })
Settings.reload!

[noxasch]

Awesome, agree on this.

[cjlarose]

I think Rails.application.credentials.config returns a hash with symbol keys. I think for merging to work correctly, we need to .deep_stringify_keys here.

[cjlarose]

Let's load credentials before the environment. My expectation is usually that env vars should "win" against every other configuration source.

[cjlarose]

I tried looking at these values locally with

cd spec/app/rails_7.1 
RAILS_MASTER_KEY='0e29551e5c31acf7c769d64397af54e4' bundle exec rails credentials:edit

but I got an error

Editing config/credentials.yml.enc...
Couldn't decrypt config/credentials.yml.enc. Perhaps you passed the wrong key?

...but it seems to work on CI, so it's a little weird. Any idea how I can look at these values locally?

[noxasch]

@cjlarose just remove the single quotes

[noxasch]

Update:

1. Addressed the changes and refactor the code.
2. Update the crendentails to include the aws patter below to be more realistic

aws:
  secret_access_key: '123456'

Apparently we don't need to check for rails version, just need to require the master_key in test environment and for rails5.2 untiil 6.1 need test.key and master.key, otherwise it somehow ignore the RAILS_MASTER_KEY in environment variable

[noxasch]

@cjlarose let me know if there is anything else require.

[nickpoorman]

@cjlarose @noxasch can we please get this merged? Thanks!

[pkuczynski]

@cjlarose since you reviewed in the past, would you mind doing a re-review? Seems that all your feedback was addressed?

@noxasch would you mind adding a CHANGELOG entry?