Merge pull request rails#42106 from ghiculescu/secrets-nested-keys

rafaelfranca · web-flow · commit a6a9fed1719a · 2021-04-29T15:48:28.000-04:00
Allow access to nested secrets by method calls
diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
@@ -1,3 +1,19 @@
+*   Allow nested access to keys on `Rails.application.credentials`
+
+    Previously only top level keys in `credentials.yml.enc` could be accessed with method calls. Now any key can.
+
+    For example, given these secrets:
+
+    ```yml
+    aws:
+       access_key_id: 123
+       secret_access_key: 345
+    ```
+
+    `Rails.application.credentials.aws.access_key_id` will now return the same thing as `Rails.application.credentials.aws[:access_key_id]`
+
+    *Alex Ghiculescu*
+
 *   Added a faster and more compact `ActiveSupport::Cache` serialization format.
 
     It can be enabled with `config.active_support.cache_format_version = 7.0` or
diff --git a/activesupport/lib/active_support/encrypted_configuration.rb b/activesupport/lib/active_support/encrypted_configuration.rb
@@ -34,8 +34,12 @@ def config
     end
 
     private
+      def deep_transform(hash)
+        hash.transform_values { |value| value.is_a?(Hash) ? ActiveSupport::InheritableOptions.new(deep_transform(value)) : value }
+      end
+
       def options
-        @options ||= ActiveSupport::InheritableOptions.new(config)
+        @options ||= ActiveSupport::InheritableOptions.new(deep_transform(config))
       end
 
       def deserialize(config)
diff --git a/activesupport/test/encrypted_configuration_test.rb b/activesupport/test/encrypted_configuration_test.rb
@@ -37,9 +37,14 @@ class EncryptedConfigurationTest < ActiveSupport::TestCase
   end
 
   test "reading configuration by key file" do
-    @credentials.write({ something: { good: true } }.to_yaml)
+    @credentials.write({ something: { good: true, bad: false, nested: { foo: "bar" } } }.to_yaml)
 
     assert @credentials.something[:good]
+    assert_not @credentials.something[:bad]
+    assert @credentials.something.good
+    assert_not @credentials.something.bad
+    assert_equal "bar", @credentials.dig(:something, :nested, :foo)
+    assert_equal "bar", @credentials.something.nested.foo
   end
 
   test "reading comment-only configuration" do
diff --git a/guides/source/security.md b/guides/source/security.md
@@ -1163,9 +1163,11 @@ For example, with the following decrypted `config/credentials.yml.enc`:
 ```yaml
 secret_key_base: 3b7cd72...
 some_api_key: SOMEKEY
+system:
+  access_key_id: 1234AB
 ```
 
-`Rails.application.credentials.some_api_key` returns `"SOMEKEY"`.
+`Rails.application.credentials.some_api_key` returns `"SOMEKEY"`. `Rails.application.credentials.system.access_key_id` returns `"1234AB"`.
 
 If you want an exception to be raised when some key is blank, you can use the bang
 version:
