feat: add rails credentials support

.github/workflows/tests.yml

@@ -17,6 +17,7 @@ jobs:
     env:
       COVERAGE_RUBY_VERSION: 2.6
       BUNDLE_PATH: ${{ github.workspace }}/vendor/bundle
+      RAILS_MASTER_KEY: 0e29551e5c31acf7c769d64397af54e4 # rails require to decrypt creds
     strategy:
       fail-fast: false
       matrix:

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## Next
+
+* Add rails credentials support ([#355](https://github.com/rubyconfig/config/pull/355))
+
 ## 5.6.1
 
 * fix(security): replace IO.read with File.read [#378](https://github.com/rubyconfig/config/pull/378)

README.md

@@ -290,6 +290,7 @@ After installing `Config` in Rails, you will find automatically generated file t
 * `evaluate_erb_in_yaml` - evaluate ERB in YAML config files. Set to false if the config file contains ERB that should not be evaluated at load time. Default: `true`
 * `file_name` - name of the file to store general keys accessible in all environments. Default: `'settings'` - located at `config/settings.yml`
 * `dir_name` - name of the directory to store environment-specific files. Default: `'settings'` - located at `config/settings/`
+* `use_rails_credentials` - evaluate Rails credentials and secrets (for rails < 7.2) if loaded with `RAILS_MASTER_KEY` or `config/master.key`. Can be access using `Settings.secret.secret_key_base`. `ENV` will still override this as it takes precedent.
 
 ### Merge customization
 

lib/config.rb

@@ -29,6 +29,7 @@ module Config
     merge_hash_arrays: false,
     validation_contract: nil,
     evaluate_erb_in_yaml: true,
+    use_rails_credentials: false,
     environment: nil,
     extra_sources: []
   )
@@ -48,6 +49,15 @@ def self.load_files(*sources)
       config.add_source!(source)
     end
 
+    # load rails credentials
+    if defined?(::Rails::Railtie) && Config.use_rails_credentials
+      if Gem::Version.new(Rails.version) < Gem::Version.new('7.2')
+        config.add_source!(Sources::HashSource.new(Rails.application.secrets.to_h.deep_stringify_keys))
+      end
+
+      config.add_source!(Sources::HashSource.new(Rails.application.credentials.config.deep_stringify_keys))
+    end
+
     config.add_source!(Sources::EnvSource.new(ENV)) if Config.use_env
 
     config.load!

spec/app/rails_5.2/config/credentials.yml.enc

@@ -1 +1 @@
-A2UDbxJDfWG0plzucsHjLA6QIqFzAoXntTM6UZzmqRRWwXT+rQJQEOgIOqeOdW9aNe8AhJJvc4tEMtw3DZ2LSKQ2O06MRhbBbpQRU8UDhEeUUvadNXN7xYW3qS10UINn0kIDUdzAwYxYpo4Ux+p6pvcRcV2+pimvoLoKIcwqsPxGSyVhAuymqn29WMS6JddRNj8LXshYnceVtEtw25Pzc+J5POXQRnF9CCrRV/XWrqtF5qROIMQepiIxizIkwSQA2+qFIL3oOlLBTyPf6I3ybGk/wlTqVnZNRoKI6GP6iJ0uTTKFYIBXSHUjTS/oC91f4xFOWgSvIojcavmeTWKxobaGur8LqUL9/cJ3rirhHyMdCJuVQr+m5ySUyto8Z25/1IdPsRyleGl/k23kXjzwJmzChdq9mElsXJSE--hgxYDA7y8hacPoA2--Rxd34YfrAzf1jlxy3b/FGA==
+eeAQ/OXwC0m/AFe89iINCTXiXfUjEJT0hjQsUdyyR1vH0Z7PxXuMiceL1zms6vjCex9kUIL6PBnaB0QZhWOn9DOEmXF67+1nzvJ5SCTuk33fHouECBHxcRbiIqL2/DtLWq+E49mPdJFL85qZPqfQbNhvVeH7E/kjOFU700KENA1+XDMnmoGRW1ePbDhKSNvsPHRZAX6I4ZirJlYvN9IcN29CTLoYPtcm8J1DAtpTZIlJ+XLgOeJJC606I6WMKcz4wgGl9u7+4q/poP63aUnWgpcagn2MGrVz7GnOdkYIGnapvcr56FesEU8pNjTPrtlCdwU8--hQYbWSSJlVbedEFS--NRIGzBPS6ZyZWUO/8clKpg==

spec/app/rails_5.2/config/environments/test.rb

@@ -12,6 +12,8 @@
   # preloads Rails for running tests, you may have to set it to true.
   config.eager_load = false
 
+  config.require_master_key = true
+
   # Configure public file server for tests with Cache-Control for performance.
   config.public_file_server.enabled = true
   config.public_file_server.headers = {

spec/app/rails_5.2/config/master.key

@@ -0,0 +1 @@
+0e29551e5c31acf7c769d64397af54e4

spec/app/rails_6.0/config/credentials.yml.enc

@@ -1 +1 @@
-PaXkA1XvCoD2qMPBVqHDcwGTtDN1gPdMjTkQlR8ULG97mJGnwirXG3zYhSmSE/gUsGgpPNOSIVJzVr8ZhvO1EVR6UMCIVMf0oE1kCtES0gD5JA4wi0jrrE7v0zA0lmIheJRvwb/DSGPKayviZn0md9AdfQyneHOGwDF/PrxkSrs6S/YPz/444dex3GUlKUuBduyGzxTEPs+v8if7CP4pK1qSxt2AM+7lDnr4mFp6lpmfIgeloqF/M0opyVnwnZtzGWzm7rOTntyKBeIN0FlXgRMVhQcZy3PstILHqGMygT+xCD0ZDLQnWziMYmkWaJlNdJvoI6mS2OEONqICDv3C3KT5gdQ6Fe8fgtxFzkR6evOJKJ0a5IX/QEjcNBNj/1+uPyWrk+NauQt4m3c9KIFFmyqZLVU/5NEJPS/d--DP0Q5D3FxFw7oxNZ--/ERbqGg48aYyZeYVnk5STw==
+eeAQ/OXwC0m/AFe89iINCTXiXfUjEJT0hjQsUdyyR1vH0Z7PxXuMiceL1zms6vjCex9kUIL6PBnaB0QZhWOn9DOEmXF67+1nzvJ5SCTuk33fHouECBHxcRbiIqL2/DtLWq+E49mPdJFL85qZPqfQbNhvVeH7E/kjOFU700KENA1+XDMnmoGRW1ePbDhKSNvsPHRZAX6I4ZirJlYvN9IcN29CTLoYPtcm8J1DAtpTZIlJ+XLgOeJJC606I6WMKcz4wgGl9u7+4q/poP63aUnWgpcagn2MGrVz7GnOdkYIGnapvcr56FesEU8pNjTPrtlCdwU8--hQYbWSSJlVbedEFS--NRIGzBPS6ZyZWUO/8clKpg==

spec/app/rails_6.0/config/credentials/test.key

@@ -0,0 +1 @@
+0e29551e5c31acf7c769d64397af54e4

spec/app/rails_6.0/config/credentials/test.yml.enc

@@ -0,0 +1 @@
+eeAQ/OXwC0m/AFe89iINCTXiXfUjEJT0hjQsUdyyR1vH0Z7PxXuMiceL1zms6vjCex9kUIL6PBnaB0QZhWOn9DOEmXF67+1nzvJ5SCTuk33fHouECBHxcRbiIqL2/DtLWq+E49mPdJFL85qZPqfQbNhvVeH7E/kjOFU700KENA1+XDMnmoGRW1ePbDhKSNvsPHRZAX6I4ZirJlYvN9IcN29CTLoYPtcm8J1DAtpTZIlJ+XLgOeJJC606I6WMKcz4wgGl9u7+4q/poP63aUnWgpcagn2MGrVz7GnOdkYIGnapvcr56FesEU8pNjTPrtlCdwU8--hQYbWSSJlVbedEFS--NRIGzBPS6ZyZWUO/8clKpg==

spec/app/rails_6.0/config/environments/test.rb

@@ -13,6 +13,8 @@
   # preloads Rails for running tests, you may have to set it to true.
   config.eager_load = false
 
+  config.require_master_key = true
+
   # Configure public file server for tests with Cache-Control for performance.
   config.public_file_server.enabled = true
   config.public_file_server.headers = {

spec/app/rails_6.1/config/credentials.yml.enc

@@ -1 +1 @@
-jzup5kRgbmiI0F89h0xPvPGGpYC1FQsTvFQQBj0sED/K0rltK+3pv8E2YonXPgHdd8qkKdqKfhm91SlEt/y/vBvcdgklocYFVTlEJpggaPjxkXjIoyYc8/55EAOSt35rWBwyKoINvUYa0X/xlKzp/G0Q9PWmdmnum5+rwA/adEL49qLKofAQoum0XRzj5sIyNfmhJ0nQ+N3LEsGKQZ5nkvD6nCI5ZBQVcyrXpVngzLSXzabNEY7ecMDdMnI9wx+qUxh48f0uro1vHOAmf6uQ+OY3gEX6ctIEKuGEMVaIql5WIxwYXII1GgeKbl8coyKs54Llo/yaMen25NFM3HN8LHZySGa3mH7k3XR9wQVOC2DO00ntgUtpxiszQcEu/mouZnaVBPSVL3EcD45wxBOf88/7SMDxy7cmUoLP--s+KOPMDaTNvlD2T2--Q48zotFsOULqsWoCRU2fDg==
+eeAQ/OXwC0m/AFe89iINCTXiXfUjEJT0hjQsUdyyR1vH0Z7PxXuMiceL1zms6vjCex9kUIL6PBnaB0QZhWOn9DOEmXF67+1nzvJ5SCTuk33fHouECBHxcRbiIqL2/DtLWq+E49mPdJFL85qZPqfQbNhvVeH7E/kjOFU700KENA1+XDMnmoGRW1ePbDhKSNvsPHRZAX6I4ZirJlYvN9IcN29CTLoYPtcm8J1DAtpTZIlJ+XLgOeJJC606I6WMKcz4wgGl9u7+4q/poP63aUnWgpcagn2MGrVz7GnOdkYIGnapvcr56FesEU8pNjTPrtlCdwU8--hQYbWSSJlVbedEFS--NRIGzBPS6ZyZWUO/8clKpg==

spec/app/rails_6.1/config/credentials/test.key

@@ -0,0 +1 @@
+0e29551e5c31acf7c769d64397af54e4

spec/app/rails_6.1/config/credentials/test.yml.enc

@@ -0,0 +1 @@
+eeAQ/OXwC0m/AFe89iINCTXiXfUjEJT0hjQsUdyyR1vH0Z7PxXuMiceL1zms6vjCex9kUIL6PBnaB0QZhWOn9DOEmXF67+1nzvJ5SCTuk33fHouECBHxcRbiIqL2/DtLWq+E49mPdJFL85qZPqfQbNhvVeH7E/kjOFU700KENA1+XDMnmoGRW1ePbDhKSNvsPHRZAX6I4ZirJlYvN9IcN29CTLoYPtcm8J1DAtpTZIlJ+XLgOeJJC606I6WMKcz4wgGl9u7+4q/poP63aUnWgpcagn2MGrVz7GnOdkYIGnapvcr56FesEU8pNjTPrtlCdwU8--hQYbWSSJlVbedEFS--NRIGzBPS6ZyZWUO/8clKpg==

spec/app/rails_6.1/config/environments/test.rb

@@ -16,6 +16,8 @@
   # preloads Rails for running tests, you may have to set it to true.
   config.eager_load = false
 
+  config.require_master_key = true
+
   # Configure public file server for tests with Cache-Control for performance.
   config.public_file_server.enabled = true
   config.public_file_server.headers = {

spec/app/rails_7.0/config/credentials/test.yml.enc

@@ -0,0 +1 @@
+eeAQ/OXwC0m/AFe89iINCTXiXfUjEJT0hjQsUdyyR1vH0Z7PxXuMiceL1zms6vjCex9kUIL6PBnaB0QZhWOn9DOEmXF67+1nzvJ5SCTuk33fHouECBHxcRbiIqL2/DtLWq+E49mPdJFL85qZPqfQbNhvVeH7E/kjOFU700KENA1+XDMnmoGRW1ePbDhKSNvsPHRZAX6I4ZirJlYvN9IcN29CTLoYPtcm8J1DAtpTZIlJ+XLgOeJJC606I6WMKcz4wgGl9u7+4q/poP63aUnWgpcagn2MGrVz7GnOdkYIGnapvcr56FesEU8pNjTPrtlCdwU8--hQYbWSSJlVbedEFS--NRIGzBPS6ZyZWUO/8clKpg==

spec/app/rails_7.1/.gitignore

@@ -33,3 +33,5 @@
 
 # Ignore master key for decrypting credentials and more.
 /config/master.key
+
+/config/credentials/test.key

spec/app/rails_7.1/config/credentials/test.yml.enc

@@ -0,0 +1 @@
+eeAQ/OXwC0m/AFe89iINCTXiXfUjEJT0hjQsUdyyR1vH0Z7PxXuMiceL1zms6vjCex9kUIL6PBnaB0QZhWOn9DOEmXF67+1nzvJ5SCTuk33fHouECBHxcRbiIqL2/DtLWq+E49mPdJFL85qZPqfQbNhvVeH7E/kjOFU700KENA1+XDMnmoGRW1ePbDhKSNvsPHRZAX6I4ZirJlYvN9IcN29CTLoYPtcm8J1DAtpTZIlJ+XLgOeJJC606I6WMKcz4wgGl9u7+4q/poP63aUnWgpcagn2MGrVz7GnOdkYIGnapvcr56FesEU8pNjTPrtlCdwU8--hQYbWSSJlVbedEFS--NRIGzBPS6ZyZWUO/8clKpg==

spec/app/rails_7.2/app/javascript/application.js

@@ -0,0 +1,3 @@
+// Configure your import map in config/importmap.rb. Read more: https://github.com/rails/importmap-rails
+import "@hotwired/turbo-rails"
+import "controllers"

spec/app/rails_7.2/app/javascript/controllers/application.js

@@ -0,0 +1,9 @@
+import { Application } from "@hotwired/stimulus"
+
+const application = Application.start()
+
+// Configure Stimulus development experience
+application.debug = false
+window.Stimulus   = application
+
+export { application }

spec/app/rails_7.2/app/javascript/controllers/hello_controller.js

@@ -0,0 +1,7 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  connect() {
+    this.element.textContent = "Hello World!"
+  }
+}

spec/app/rails_7.2/app/javascript/controllers/index.js

@@ -0,0 +1,11 @@
+// Import and register all your controllers from the importmap under controllers/*
+
+import { application } from "controllers/application"
+
+// Eager load all controllers defined in the import map under controllers/**/*_controller
+import { eagerLoadControllersFrom } from "@hotwired/stimulus-loading"
+eagerLoadControllersFrom("controllers", application)
+
+// Lazy load controllers as they appear in the DOM (remember not to preload controllers in import map!)
+// import { lazyLoadControllersFrom } from "@hotwired/stimulus-loading"
+// lazyLoadControllersFrom("controllers", application)

spec/app/rails_7.2/bin/importmap

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+
+require_relative "../config/application"
+require "importmap/commands"

spec/app/rails_7.2/config/credentials/test.yml.enc

@@ -0,0 +1 @@
+eeAQ/OXwC0m/AFe89iINCTXiXfUjEJT0hjQsUdyyR1vH0Z7PxXuMiceL1zms6vjCex9kUIL6PBnaB0QZhWOn9DOEmXF67+1nzvJ5SCTuk33fHouECBHxcRbiIqL2/DtLWq+E49mPdJFL85qZPqfQbNhvVeH7E/kjOFU700KENA1+XDMnmoGRW1ePbDhKSNvsPHRZAX6I4ZirJlYvN9IcN29CTLoYPtcm8J1DAtpTZIlJ+XLgOeJJC606I6WMKcz4wgGl9u7+4q/poP63aUnWgpcagn2MGrVz7GnOdkYIGnapvcr56FesEU8pNjTPrtlCdwU8--hQYbWSSJlVbedEFS--NRIGzBPS6ZyZWUO/8clKpg==

spec/app/rails_7.2/config/importmap.rb

@@ -0,0 +1,7 @@
+# Pin npm packages by running ./bin/importmap
+
+pin "application"
+pin "@hotwired/turbo-rails", to: "turbo.min.js"
+pin "@hotwired/stimulus", to: "stimulus.min.js", preload: true
+pin "@hotwired/stimulus-loading", to: "stimulus-loading.js", preload: true
+pin_all_from "app/javascript/controllers", under: "controllers"

spec/app/rails_8.0/config/credentials/test.yml.enc

@@ -0,0 +1 @@
+eeAQ/OXwC0m/AFe89iINCTXiXfUjEJT0hjQsUdyyR1vH0Z7PxXuMiceL1zms6vjCex9kUIL6PBnaB0QZhWOn9DOEmXF67+1nzvJ5SCTuk33fHouECBHxcRbiIqL2/DtLWq+E49mPdJFL85qZPqfQbNhvVeH7E/kjOFU700KENA1+XDMnmoGRW1ePbDhKSNvsPHRZAX6I4ZirJlYvN9IcN29CTLoYPtcm8J1DAtpTZIlJ+XLgOeJJC606I6WMKcz4wgGl9u7+4q/poP63aUnWgpcagn2MGrVz7GnOdkYIGnapvcr56FesEU8pNjTPrtlCdwU8--hQYbWSSJlVbedEFS--NRIGzBPS6ZyZWUO/8clKpg==

spec/config_spec.rb

@@ -504,5 +504,46 @@
       end
 
     end
+
+    context 'rails credentials' do
+      if defined?(::Rails::Railtie)
+        let(:config) do
+          files = ["#{fixture_path}/development.yml"]
+          Config.use_rails_credentials = true
+          Config.load_files(files)
+        end
+
+        it "should have secret_key_base loaded" do
+          expect(config.keys).to include(:size, :section, :aws, :secret_key_base)
+          expect(config.aws.secret_access_key).to eq('123456')
+        end
+
+        context 'use_rails_credentials is false' do
+          let(:config) do
+            files = ["#{fixture_path}/development.yml"]
+            Config.use_rails_credentials = false
+            Config.load_files(files)
+          end
+
+          it "should not have secret_key_base loaded" do
+            expect(config.keys).to contain_exactly(:size, :section)
+          end
+        end
+      end
+
+      unless defined?(::Rails)
+        context 'when not using rails' do
+          let(:config) do
+            files = ["#{fixture_path}/development.yml"]
+            Config.use_rails_credentials = true
+            Config.load_files(files)
+          end
+
+          it 'should not have secret_key_base loaded' do
+            expect(config.keys).to contain_exactly(:size, :section)
+          end
+        end
+      end
+    end
   end
 end

spec/spec_helper.rb

@@ -96,16 +96,17 @@ def self.reset
         end
 
         # Reset configuration to defaults
-        self.const_name           = 'Settings'
-        self.use_env              = false
-        self.knockout_prefix      = nil
-        self.overwrite_arrays     = true
-        self.schema               = nil
-        self.validation_contract  = nil
-        self.fail_on_missing      = false
-        self.file_name            = 'settings'
-        self.dir_name             = 'settings'
-        self.extra_sources        = []
+        self.const_name             = 'Settings'
+        self.use_env                = false
+        self.knockout_prefix        = nil
+        self.overwrite_arrays       = true
+        self.schema                 = nil
+        self.validation_contract    = nil
+        self.fail_on_missing        = false
+        self.use_rails_credentials  = false
+        self.file_name              = 'settings'
+        self.dir_name               = 'settings'
+        self.extra_sources          = []
         instance_variable_set(:@_ran_once, false)
       end
     end