rails--rails/railties/test/commands/secrets_test.rb

# frozen_string_literal: true

require "isolation/abstract_unit"
require "env_helpers"
require "rails/command"
require "rails/commands/secrets/secrets_command"

class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase
  include ActiveSupport::Testing::Isolation, EnvHelpers

  setup :build_app
  teardown :teardown_app

  test "edit without editor gives hint" do
    assert_match "No $EDITOR to open decrypted secrets in", run_edit_command(editor: "")
  end

  test "encrypted secrets are deprecated when using credentials" do
    assert_match "Encrypted secrets is deprecated", run_setup_command
    assert_equal 1, $?.exitstatus
    assert_not File.exist?("config/secrets.yml.enc")
  end

  test "encrypted secrets are deprecated when running edit without setup" do
    assert_match "Encrypted secrets is deprecated", run_setup_command
    assert_equal 1, $?.exitstatus
    assert_not File.exist?("config/secrets.yml.enc")
  end

  test "encrypted secrets are deprecated for 5.1 config/secrets.yml apps" do
    Dir.chdir(app_path) do
      FileUtils.rm("config/credentials.yml.enc")
      FileUtils.touch("config/secrets.yml")

      assert_match "Encrypted secrets is deprecated", run_setup_command
      assert_equal 1, $?.exitstatus
      assert_not File.exist?("config/secrets.yml.enc")
    end
  end

  test "edit secrets" do
    prevent_deprecation

    # Run twice to ensure encrypted secrets can be reread after first edit pass.
    2.times do
      assert_match(/external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289/, run_edit_command)
    end
  end

  test "show secrets" do
    prevent_deprecation

    assert_match(/external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289/, run_show_command)
  end

  private
    def prevent_deprecation
      Dir.chdir(app_path) do
        File.write("config/secrets.yml.key", "f731758c639da2604dfb6bf3d1025de8")
        File.write("config/secrets.yml.enc", "sEB0mHxDbeP1/KdnMk00wyzPFACl9K6t0cZWn5/Mfx/YbTHvnI07vrneqHg9kaH3wOS7L6pIQteu1P077OtE4BSx/ZRc/sgQPHyWu/tXsrfHqnPNpayOF/XZqizE91JacSFItNMWpuPsp9ynbzz+7cGhoB1S4aPNIU6u0doMrzdngDbijsaAFJmsHIQh6t/QHoJx--8aMoE0PvUWmw1Iqz--ldFqnM/K0g9k17M8PKoN/Q==")
      end
    end

    def run_edit_command(editor: "cat")
      switch_env("EDITOR", editor) do
        rails "secrets:edit", allow_failure: true
      end
    end

    def run_show_command
      rails "secrets:show", allow_failure: true
    end

    def run_setup_command
      rails "secrets:setup", allow_failure: true
    end
end
Adding frozen_string_literal pragma to Railties. 2017-08-14 13:08:09 -04:00			`# frozen_string_literal: true`

Tell users how to assign a $EDITOR. In case there's no $EDITOR assigned users would see a cryptic: ``` % EDITOR= bin/rails secrets:edit Waiting for secrets file to be saved. Abort with Ctrl-C. sh: /var/folders/wd/xnncwqp96rj0v1y2nms64mq80000gn/T/secrets.yml.enc: Permission denied New secrets encrypted and saved. ``` That error is misleading, so give a hint in this easily detectable case. Fixes #28143. 2017-03-01 14:40:39 -05:00			`require "isolation/abstract_unit"`
Run in-app rails commands via fork+load where possible While this avoids shell argument parsing, we still pass through everything in our stack. 2017-09-03 12:55:26 -04:00			`require "env_helpers"`
Tell users how to assign a $EDITOR. In case there's no $EDITOR assigned users would see a cryptic: ``` % EDITOR= bin/rails secrets:edit Waiting for secrets file to be saved. Abort with Ctrl-C. sh: /var/folders/wd/xnncwqp96rj0v1y2nms64mq80000gn/T/secrets.yml.enc: Permission denied New secrets encrypted and saved. ``` That error is misleading, so give a hint in this easily detectable case. Fixes #28143. 2017-03-01 14:40:39 -05:00			`require "rails/command"`
			`require "rails/commands/secrets/secrets_command"`

			`class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase`
Run in-app rails commands via fork+load where possible While this avoids shell argument parsing, we still pass through everything in our stack. 2017-09-03 12:55:26 -04:00			`include ActiveSupport::Testing::Isolation, EnvHelpers`
Tell users how to assign a $EDITOR. In case there's no $EDITOR assigned users would see a cryptic: ``` % EDITOR= bin/rails secrets:edit Waiting for secrets file to be saved. Abort with Ctrl-C. sh: /var/folders/wd/xnncwqp96rj0v1y2nms64mq80000gn/T/secrets.yml.enc: Permission denied New secrets encrypted and saved. ``` That error is misleading, so give a hint in this easily detectable case. Fixes #28143. 2017-03-01 14:40:39 -05:00
Deprecate encrypted secrets in favor of credentials. Allow edits of existing encrypted secrets generated on Rails 5.1, but refer to credentials when attempting to setup. This also removes the need for any of the setup code, so the generator can be ripped out altogether. 2017-11-12 11:32:52 -05:00			`setup :build_app`
			`teardown :teardown_app`

			`test "edit without editor gives hint" do`
			`assert_match "No $EDITOR to open decrypted secrets in", run_edit_command(editor: "")`
Tell users how to assign a $EDITOR. In case there's no $EDITOR assigned users would see a cryptic: ``` % EDITOR= bin/rails secrets:edit Waiting for secrets file to be saved. Abort with Ctrl-C. sh: /var/folders/wd/xnncwqp96rj0v1y2nms64mq80000gn/T/secrets.yml.enc: Permission denied New secrets encrypted and saved. ``` That error is misleading, so give a hint in this easily detectable case. Fixes #28143. 2017-03-01 14:40:39 -05:00			`end`

Deprecate encrypted secrets in favor of credentials. Allow edits of existing encrypted secrets generated on Rails 5.1, but refer to credentials when attempting to setup. This also removes the need for any of the setup code, so the generator can be ripped out altogether. 2017-11-12 11:32:52 -05:00			`test "encrypted secrets are deprecated when using credentials" do`
			`assert_match "Encrypted secrets is deprecated", run_setup_command`
			`assert_equal 1, $?.exitstatus`
			`assert_not File.exist?("config/secrets.yml.enc")`
Tell users how to assign a $EDITOR. In case there's no $EDITOR assigned users would see a cryptic: ``` % EDITOR= bin/rails secrets:edit Waiting for secrets file to be saved. Abort with Ctrl-C. sh: /var/folders/wd/xnncwqp96rj0v1y2nms64mq80000gn/T/secrets.yml.enc: Permission denied New secrets encrypted and saved. ``` That error is misleading, so give a hint in this easily detectable case. Fixes #28143. 2017-03-01 14:40:39 -05:00			`end`

Deprecate encrypted secrets in favor of credentials. Allow edits of existing encrypted secrets generated on Rails 5.1, but refer to credentials when attempting to setup. This also removes the need for any of the setup code, so the generator can be ripped out altogether. 2017-11-12 11:32:52 -05:00			`test "encrypted secrets are deprecated when running edit without setup" do`
			`assert_match "Encrypted secrets is deprecated", run_setup_command`
			`assert_equal 1, $?.exitstatus`
			`assert_not File.exist?("config/secrets.yml.enc")`
			`end`

			`test "encrypted secrets are deprecated for 5.1 config/secrets.yml apps" do`
			`Dir.chdir(app_path) do`
			`FileUtils.rm("config/credentials.yml.enc")`
			`FileUtils.touch("config/secrets.yml")`

			`assert_match "Encrypted secrets is deprecated", run_setup_command`
			`assert_equal 1, $?.exitstatus`
			`assert_not File.exist?("config/secrets.yml.enc")`
			`end`
Tell users how to assign a $EDITOR. In case there's no $EDITOR assigned users would see a cryptic: ``` % EDITOR= bin/rails secrets:edit Waiting for secrets file to be saved. Abort with Ctrl-C. sh: /var/folders/wd/xnncwqp96rj0v1y2nms64mq80000gn/T/secrets.yml.enc: Permission denied New secrets encrypted and saved. ``` That error is misleading, so give a hint in this easily detectable case. Fixes #28143. 2017-03-01 14:40:39 -05:00			`end`

Add secrets edit test 2017-03-09 19:21:53 -05:00			`test "edit secrets" do`
Deprecate encrypted secrets in favor of credentials. Allow edits of existing encrypted secrets generated on Rails 5.1, but refer to credentials when attempting to setup. This also removes the need for any of the setup code, so the generator can be ripped out altogether. 2017-11-12 11:32:52 -05:00			`prevent_deprecation`
Add secrets edit test 2017-03-09 19:21:53 -05:00
			`# Run twice to ensure encrypted secrets can be reread after first edit pass.`
			`2.times do`
Do not use UTF8 in test SecretsCommandTest#test_edit_secrets 2017-05-24 14:43:01 -04:00			`assert_match(/external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289/, run_edit_command)`
Add secrets edit test 2017-03-09 19:21:53 -05:00			`end`
			`end`

Add `rails secrets:show` command When secrets confirmed with the `secrets:edit` command, `secrets.yml.enc` will change without updating the secrets. Therefore, even if only want to check secrets, the difference will come out. This is a little inconvenient. In order to solve this problem, added the `secrets:show` command. If just want to check secrets, no difference will occur use this command. 2017-07-06 08:40:33 -04:00			`test "show secrets" do`
Deprecate encrypted secrets in favor of credentials. Allow edits of existing encrypted secrets generated on Rails 5.1, but refer to credentials when attempting to setup. This also removes the need for any of the setup code, so the generator can be ripped out altogether. 2017-11-12 11:32:52 -05:00			`prevent_deprecation`

Add `rails secrets:show` command When secrets confirmed with the `secrets:edit` command, `secrets.yml.enc` will change without updating the secrets. Therefore, even if only want to check secrets, the difference will come out. This is a little inconvenient. In order to solve this problem, added the `secrets:show` command. If just want to check secrets, no difference will occur use this command. 2017-07-06 08:40:33 -04:00			`assert_match(/external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289/, run_show_command)`
			`end`

Tell users how to assign a $EDITOR. In case there's no $EDITOR assigned users would see a cryptic: ``` % EDITOR= bin/rails secrets:edit Waiting for secrets file to be saved. Abort with Ctrl-C. sh: /var/folders/wd/xnncwqp96rj0v1y2nms64mq80000gn/T/secrets.yml.enc: Permission denied New secrets encrypted and saved. ``` That error is misleading, so give a hint in this easily detectable case. Fixes #28143. 2017-03-01 14:40:39 -05:00			`private`
Deprecate encrypted secrets in favor of credentials. Allow edits of existing encrypted secrets generated on Rails 5.1, but refer to credentials when attempting to setup. This also removes the need for any of the setup code, so the generator can be ripped out altogether. 2017-11-12 11:32:52 -05:00			`def prevent_deprecation`
			`Dir.chdir(app_path) do`
			`File.write("config/secrets.yml.key", "f731758c639da2604dfb6bf3d1025de8")`
			`File.write("config/secrets.yml.enc", "sEB0mHxDbeP1/KdnMk00wyzPFACl9K6t0cZWn5/Mfx/YbTHvnI07vrneqHg9kaH3wOS7L6pIQteu1P077OtE4BSx/ZRc/sgQPHyWu/tXsrfHqnPNpayOF/XZqizE91JacSFItNMWpuPsp9ynbzz+7cGhoB1S4aPNIU6u0doMrzdngDbijsaAFJmsHIQh6t/QHoJx--8aMoE0PvUWmw1Iqz--ldFqnM/K0g9k17M8PKoN/Q==")`
			`end`
			`end`

Tell users how to assign a $EDITOR. In case there's no $EDITOR assigned users would see a cryptic: ``` % EDITOR= bin/rails secrets:edit Waiting for secrets file to be saved. Abort with Ctrl-C. sh: /var/folders/wd/xnncwqp96rj0v1y2nms64mq80000gn/T/secrets.yml.enc: Permission denied New secrets encrypted and saved. ``` That error is misleading, so give a hint in this easily detectable case. Fixes #28143. 2017-03-01 14:40:39 -05:00			`def run_edit_command(editor: "cat")`
Run in-app rails commands via fork+load where possible While this avoids shell argument parsing, we still pass through everything in our stack. 2017-09-03 12:55:26 -04:00			`switch_env("EDITOR", editor) do`
Deprecate encrypted secrets in favor of credentials. Allow edits of existing encrypted secrets generated on Rails 5.1, but refer to credentials when attempting to setup. This also removes the need for any of the setup code, so the generator can be ripped out altogether. 2017-11-12 11:32:52 -05:00			`rails "secrets:edit", allow_failure: true`
Run in-app rails commands via fork+load where possible While this avoids shell argument parsing, we still pass through everything in our stack. 2017-09-03 12:55:26 -04:00			`end`
Tell users how to assign a $EDITOR. In case there's no $EDITOR assigned users would see a cryptic: ``` % EDITOR= bin/rails secrets:edit Waiting for secrets file to be saved. Abort with Ctrl-C. sh: /var/folders/wd/xnncwqp96rj0v1y2nms64mq80000gn/T/secrets.yml.enc: Permission denied New secrets encrypted and saved. ``` That error is misleading, so give a hint in this easily detectable case. Fixes #28143. 2017-03-01 14:40:39 -05:00			`end`
Add `rails secrets:show` command When secrets confirmed with the `secrets:edit` command, `secrets.yml.enc` will change without updating the secrets. Therefore, even if only want to check secrets, the difference will come out. This is a little inconvenient. In order to solve this problem, added the `secrets:show` command. If just want to check secrets, no difference will occur use this command. 2017-07-06 08:40:33 -04:00
			`def run_show_command`
Deprecate encrypted secrets in favor of credentials. Allow edits of existing encrypted secrets generated on Rails 5.1, but refer to credentials when attempting to setup. This also removes the need for any of the setup code, so the generator can be ripped out altogether. 2017-11-12 11:32:52 -05:00			`rails "secrets:show", allow_failure: true`
Add `rails secrets:show` command When secrets confirmed with the `secrets:edit` command, `secrets.yml.enc` will change without updating the secrets. Therefore, even if only want to check secrets, the difference will come out. This is a little inconvenient. In order to solve this problem, added the `secrets:show` command. If just want to check secrets, no difference will occur use this command. 2017-07-06 08:40:33 -04:00			`end`

			`def run_setup_command`
Deprecate encrypted secrets in favor of credentials. Allow edits of existing encrypted secrets generated on Rails 5.1, but refer to credentials when attempting to setup. This also removes the need for any of the setup code, so the generator can be ripped out altogether. 2017-11-12 11:32:52 -05:00			`rails "secrets:setup", allow_failure: true`
Add `rails secrets:show` command When secrets confirmed with the `secrets:edit` command, `secrets.yml.enc` will change without updating the secrets. Therefore, even if only want to check secrets, the difference will come out. This is a little inconvenient. In order to solve this problem, added the `secrets:show` command. If just want to check secrets, no difference will occur use this command. 2017-07-06 08:40:33 -04:00			`end`
Tell users how to assign a $EDITOR. In case there's no $EDITOR assigned users would see a cryptic: ``` % EDITOR= bin/rails secrets:edit Waiting for secrets file to be saved. Abort with Ctrl-C. sh: /var/folders/wd/xnncwqp96rj0v1y2nms64mq80000gn/T/secrets.yml.enc: Permission denied New secrets encrypted and saved. ``` That error is misleading, so give a hint in this easily detectable case. Fixes #28143. 2017-03-01 14:40:39 -05:00			`end`