Deep rails integration (#47)

Improves the way diffcrypt is embedded in applications, with less configuration.

It can also handle native rails credentials a bit better.

Author: marcqualie

.rubocop.yml

@@ -10,10 +10,12 @@ Style/Documentation:
 Metrics/MethodLength:
   Exclude:
     - test/**/*_test.rb
-TrailingCommaInArrayLiteral:
+Style/TrailingCommaInArrayLiteral:
   EnforcedStyleForMultiline: consistent_comma
 Style/TrailingCommaInArguments:
   EnforcedStyleForMultiline: consistent_comma
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: consistent_comma
 Style/AccessorGrouping:
   EnforcedStyle: separated
 

README.md

@@ -66,17 +66,10 @@ Currently there is not native support for rails, but ActiveSupport can be monkey
 the built in encrypter. All existing `rails credentials:edit` also work with this method.
 
 ```ruby
-require 'diffcrypt/rails/encrypted_configuration'
+# config/application.rb
 module Rails
   class Application
-    def encrypted(path, key_path: 'config/aes-128-gcm.key', env_key: 'RAILS_MASTER_KEY')
-      Diffcrypt::Rails::EncryptedConfiguration.new(
-        config_path: Rails.root.join(path),
-        key_path: Rails.root.join(key_path),
-        env_key: env_key,
-        raise_if_missing_key: config.require_master_key,
-      )
-    end
+    include Diffcrypt::Rails::ApplicationHelper
   end
 end
 ```

Rakefile

@@ -8,5 +8,7 @@ Rake::TestTask.new(:test) do |t|
   t.libs << 'lib'
   t.test_files = FileList['test/**/*_test.rb']
 end
-
 task default: :test
+
+path = File.expand_path(__dir__)
+Dir.glob("#{path}/lib/diffcrypt/tasks/**/*.rake").sort.each { |f| load f }

lib/diffcrypt.rb

@@ -2,6 +2,7 @@
 
 require 'diffcrypt/encryptor'
 require 'diffcrypt/version'
+require 'diffcrypt/railtie' if defined?(Rails)
 
 module Diffcrypt
   class Error < StandardError; end

lib/diffcrypt/encryptor.rb

@@ -47,11 +47,11 @@ def decrypt_hash(data)
     # @param [String] contents The raw YAML string to be encrypted
     # @param [String, nil] original_encrypted_contents The original (encrypted) content to determine which keys have changed
     # @return [String]
-    def encrypt(contents, original_encrypted_contents = nil)
+    def encrypt(contents, original_encrypted_contents = nil, cipher: nil)
       data = encrypt_data contents, original_encrypted_contents
       YAML.dump(
         'client' => "diffcrypt-#{Diffcrypt::VERSION}",
-        'cipher' => @cipher,
+        'cipher' => cipher || @cipher,
         'data' => data,
       )
     end

lib/diffcrypt/file.rb

@@ -14,7 +14,10 @@ def encrypted?
       to_yaml['cipher']
     end
 
+    # Determines the cipher to use for encryption/decryption
     def cipher
+      return 'aes-128-gcm' if format == 'activesupport'
+
       to_yaml['cipher'] || Encryptor::DEFAULT_CIPHER
     end
 
@@ -23,11 +26,33 @@ def exists?
       ::File.exist?(@path)
     end
 
+    # Determines the format to be used for encryption
+    # @return [String] diffcrypt|activesupport
+    def format
+      return 'diffcrypt' if read == ''
+      return 'diffcrypt' if read.index('---')&.zero?
+
+      'activesupport'
+    end
+
     # @return [String] Raw contents of the file
     def read
+      return '' unless ::File.exist?(@path)
+
       @read ||= ::File.read(@path)
+      @read
+    end
+
+    # Save the encrypted contents back to disk
+    # @return [Boolean] True is file save was successful
+    def write(key, data, cipher: nil)
+      cipher ||= self.cipher
+      yaml = ::YAML.dump(data)
+      contents = Encryptor.new(key, cipher: cipher).encrypt(yaml)
+      ::File.write(@path, contents)
     end
 
+    # TODO: This seems useless, figure out what's up
     def encrypt(key, cipher: DEFAULT_CIPHER)
       return read if encrypted?
 
@@ -42,7 +67,7 @@ def decrypt(key)
     end
 
     def to_yaml
-      @to_yaml ||= YAML.safe_load(read)
+      @to_yaml ||= YAML.safe_load(read) || {}
     end
   end
 end

lib/diffcrypt/rails/application_helper.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require_relative './encrypted_configuration'
+
+module Diffcrypt
+  module Rails
+    module ApplicationHelper
+      def encrypted(path, key_path: 'config/master.key', env_key: 'RAILS_MASTER_KEY')
+        config_path, key_path = resolve_encrypted_paths(path, key_path)
+
+        Diffcrypt::Rails::EncryptedConfiguration.new(
+          config_path: config_path,
+          key_path: key_path,
+          env_key: env_key,
+          raise_if_missing_key: config.require_master_key,
+        )
+      end
+
+      protected
+
+      def resolve_encrypted_paths(config_path, key_path)
+        config_path_abs = ::Rails.root.join(config_path)
+        key_path_abs = ::Rails.root.join(key_path)
+
+        # We always want to use `config/credentials/[environment]` for consistency
+        # If the master credentials do not exist, and a user has not specificed an environment, default to development
+        if config_path == 'config/credentials.yml.enc' && ::File.exist?(config_path_abs.to_s) == false
+          config_path_abs = ::Rails.root.join('config/credentials/development.yml.enc')
+          key_path_abs = ::Rails.root.join('config/credentials/development.key')
+        end
+
+        [
+          config_path_abs,
+          key_path_abs,
+        ]
+      end
+    end
+  end
+end

lib/diffcrypt/rails/encrypted_configuration.rb

@@ -88,6 +88,13 @@ def writing(contents)
       end
       # rubocop:enable Metrics/AbcSize
 
+      # Standard rails credentials encrypt the entire file. We need to detect this to use the correct
+      # data interface
+      # @return [Boolean]
+      def rails_native_credentials?(contents)
+        contents.index('---').nil?
+      end
+
       # @param [String] contents The new content to be encrypted
       # @param [String] diff_against The original (encrypted) content to determine which keys have changed
       # @return [String] Encrypted content to commit
@@ -98,7 +105,7 @@ def encrypt(contents, original_encrypted_contents = nil)
       # @param [String] contents
       # @return [String]
       def decrypt(contents)
-        if contents.index('---').nil?
+        if rails_native_credentials?(contents)
           active_support_encryptor.decrypt_and_verify contents
         else
           encryptor.decrypt contents
@@ -110,7 +117,7 @@ def decrypt(contents)
       def active_support_encryptor
         @active_support_encryptor ||= ActiveSupport::MessageEncryptor.new(
           [key].pack('H*'),
-          cipher: @diffcrypt_file.cipher,
+          cipher: 'aes-128-gcm',
         )
       end
 

lib/diffcrypt/railtie.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'diffcrypt/rails/application_helper'
+
+module Diffcrypt
+  class Railtie < ::Rails::Railtie
+    railtie_name :diffcrypt
+
+    rake_tasks do
+      path = ::File.expand_path(__dir__)
+      ::Dir.glob("#{path}/tasks/**/*.rake").each { |f| load f }
+    end
+  end
+end

lib/diffcrypt/tasks/rails.rake

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+namespace :diffcrypt do
+  desc 'Initialize credentials for all environments'
+  task :init, %i[environments] do |_t, args|
+    args.with_defaults(
+      environments: 'development,test,staging,production',
+    )
+    environments = args.environments.split(',')
+
+    environments.each do |environment|
+      key_path = Rails.root.join('config', 'credentials', "#{environment}.key")
+      file_path = Rails.root.join('config', 'credentials', "#{environment}.yml.enc")
+      gitignore_path = Rails.root.join('.gitignore')
+      next if File.exist?(file_path) || File.exist?(key_path)
+
+      # Generate a new key
+      key = Diffcrypt::Encryptor.generate_key
+      key_dir = File.dirname(key_path)
+      Dir.mkdir(key_dir) unless Dir.exist?(key_dir)
+      ::File.write(key_path, key)
+
+      # Encrypt default contents
+      file = Diffcrypt::File.new(file_path)
+      data = {
+        'secret_key_base' => SecureRandom.hex(32),
+      }
+      file.write(key, data)
+
+      # Ensure .key files are always ignored
+      ::File.open(gitignore_path, 'a') do |f|
+        f.write("\nconfig/credentials/*.key")
+      end
+    end
+  end
+end