Don't load app environment when editing credentials #34789
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This avoids missing key exceptions caused by code that tries to read the credentials before they have been added to the encrypted file, for example when editing the credentials for a new environment.
|
Lovely fix, thank you! |
kaspth
added a commit
that referenced
this pull request
Jan 24, 2019
…redentials Don't load app environment when editing credentials
|
Backported to 5-2-stable @ 4b6a24c |
jonathanhefner
added a commit
to jonathanhefner/rails
that referenced
this pull request
Jan 25, 2023
This commit changes the credentials commands (e.g. `bin/rails
credentials:edit`) to load `config/environments/#{Rails.env}.rb`. Thus,
`config.credentials.content_path` and `config.credentials.key_path` can
be set in `config/environments/*.rb`, in addition to the currently
supported `config/application.rb`.
The `load_environment_config` initializer, which is run via
`Rails.application.initialize!`, is responsible for loading the
appropriate `config/environments/*.rb` file.
Normally, when booting an app, `Rails.application.initialize!` is called
without arguments by `config/environment.rb`, which is loaded via
`Rails.application.require_environment!`. Doing so runs all
initializers.
Running all initializers is problematic for credentials commands because
(1) initializers might try to access resources that aren't available
(e.g. a production database), and (2) initializers might try to read
credentials values that have not yet been set in the current
environment's credentials (see rails#34789).
Thus, the credentials commands call `Rails.application.initialize!`
directly with a dummy group argument, so that initializers in the `:all`
group -- including `load_environment_config` -- are run, but not
initializers in the default group, such as
`active_record.initialize_database` and `load_config_initializers`.
Closes rails#40778.
Co-authored-by Brian Thoman <>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
While evaluating multi-environment credentials, I came across a problem trying to create a new environment for my app.
Once you have created your first environment (e.g.
development) you might start adding configuration in initialisers that tries to access encrypted credentials like so:That works fine when running
rails credentials:edit --environment developmentIf you now decide to create a
stagingenvironment, doingrails credentials:edit --environment stagingwill fail with something similar to...ordered_options.rb:49:in 'method_missing': :secret_key_base is blank (KeyError)A great many gems that access 3rd party APIs use an initialiser for configuring credentials so the above situation is quite likely to occur.
I worked around the issue by creating a new empty Rails app, running
rails credentials:edit --environment stagingin it, and copying across the generated credential files.This PR attempts to fix the issue by not loading the application environment for
rails credentials:*commands.I've added a test but I am not sure that it is correct (or sufficient) as I struggled to fully understand the railties test harness. Happy to try another way to test this.