Merge pull request rails#53119 from n-studio/fetch_credentials

Add credentials:fetch command

Author: byroot

railties/CHANGELOG.md

@@ -1,3 +1,11 @@
+*   Add command `rails credentials:fetch PATH` to get the value of a credential from the credentials file.
+
+    ```bash
+    $ bin/rails credentials:fetch kamal_registry/password
+    ```
+
+    *Matthew Nguyen*, *Jean Boussier*
+
 *   Generate static BCrypt password digests in fixtures instead of dynamic ERB expressions.
 
     Previously, fixtures with password digest attributes used `<%= BCrypt::Password.create("secret") %>`,

railties/lib/rails/commands/credentials/credentials_command.rb

@@ -35,7 +35,7 @@ def edit
       def show
         load_environment_config!
 
-        say credentials.read.presence || missing_credentials_message
+        say credentials.read.presence || missing_credentials!
       end
 
       desc "diff", "Enroll/disenroll in decrypted diffs of credentials using git"
@@ -57,6 +57,26 @@ def diff(content_path = nil)
         say credentials.content_path.read
       end
 
+      desc "fetch PATH", "Fetch a value in the decrypted credentials"
+      def fetch(path)
+        load_environment_config!
+
+        if (yaml = credentials.read)
+          begin
+            value = YAML.load(yaml)
+            value = path.split(".").inject(value) do |doc, key|
+              doc.fetch(key)
+            end
+            say value.to_s
+          rescue KeyError, NoMethodError
+            say_error "Invalid or missing credential path: #{path}"
+            exit 1
+          end
+        else
+          missing_credentials!
+        end
+      end
+
       private
         def config
           Rails.application.config.credentials
@@ -114,12 +134,13 @@ def warn_if_credentials_are_invalid
           say "Your application will not be able to load '#{content_path}' until the error has been fixed.", :red
         end
 
-        def missing_credentials_message
+        def missing_credentials!
           if !credentials.key?
-            "Missing '#{key_path}' to decrypt credentials. See `#{executable(:help)}`."
+            say_error "Missing '#{key_path}' to decrypt credentials. See `#{executable(:help)}`."
           else
-            "File '#{content_path}' does not exist. Use `#{executable(:edit)}` to change that."
+            say_error "File '#{content_path}' does not exist. Use `#{executable(:edit)}` to change that."
           end
+          exit 1
         end
 
         def relative_path(path)

railties/lib/rails/generators/rails/app/templates/kamal-secrets.tt

@@ -7,6 +7,9 @@
 # KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD ${SECRETS})
 # RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY ${SECRETS})
 
+# Example of extracting secrets from Rails credentials
+# KAMAL_REGISTRY_PASSWORD=$(rails credentials:fetch kamal.registry_password)
+
 # Use a GITHUB_TOKEN if private repositories are needed for the image
 # GITHUB_TOKEN=$(gh config get -h github.com oauth_token)
 

railties/test/command/base_test.rb

@@ -14,7 +14,7 @@ class Rails::Command::BaseTest < ActiveSupport::TestCase
   end
 
   test "printing commands returns namespaced commands" do
-    assert_equal %w(credentials:edit credentials:show credentials:diff), Rails::Command::CredentialsCommand.printing_commands.map(&:first)
+    assert_equal %w(credentials:edit credentials:show credentials:diff credentials:fetch), Rails::Command::CredentialsCommand.printing_commands.map(&:first)
     assert_equal %w(db:system:change), Rails::Command::Db::System::ChangeCommand.printing_commands.map(&:first)
   end
 

railties/test/commands/credentials_test.rb

@@ -170,7 +170,6 @@ class Rails::Command::CredentialsTest < ActiveSupport::TestCase
     assert_match %r/foo: bar: bad/, run_edit_command
   end
 
-
   test "show credentials" do
     assert_match DEFAULT_CREDENTIALS_PATTERN, run_show_command
   end
@@ -186,7 +185,8 @@ class Rails::Command::CredentialsTest < ActiveSupport::TestCase
     remove_file "config/master.key"
     add_to_config "config.require_master_key = false"
 
-    assert_match(/Missing 'config\/master\.key' to decrypt credentials/, run_show_command)
+    stderr_output = capture(:stderr) { run_show_command(stderr: true, allow_failure: true) }
+    assert_match(/Missing 'config\/master\.key' to decrypt credentials/, stderr_output)
   end
 
   test "show command displays content specified by environment option" do
@@ -350,6 +350,20 @@ class Rails::Command::CredentialsTest < ActiveSupport::TestCase
     assert_credentials_paths "config/credentials/production.yml.enc", key_path, environment: "production"
   end
 
+  test "fetch value for given path" do
+    write_credentials({ "foo" => { "bar" => { "baz" => 42 } } }.to_yaml)
+
+    assert_match(/42/, run_fetch_command("foo.bar.baz"))
+  end
+
+  test "fetch missing key" do
+    write_credentials({ "foo" => { "bar" => { "baz" => 42 } } }.to_yaml)
+
+
+    stderr_output = capture(:stderr) { run_fetch_command("egg.spam", stderr: true, allow_failure: true) }
+    assert_match("Invalid or missing credential path: egg.spam", stderr_output)
+  end
+
   private
     DEFAULT_CREDENTIALS_PATTERN = /access_key_id: 123\n.*secret_key_base: \h{128}\n/m
 
@@ -372,6 +386,10 @@ def run_diff_command(path = nil, enroll: nil, disenroll: nil, **options)
       rails "credentials:diff", args, **options
     end
 
+    def run_fetch_command(path, **options)
+      rails "credentials:fetch", path, **options
+    end
+
     def write_credentials(content, **options)
       switch_env("CONTENT", content) do
         run_edit_command(visual: %(ruby -e "File.write ARGV[0], ENV['CONTENT']"), **options)