Add rails support via monkey patch

Author: marcqualie

README.md

@@ -29,7 +29,7 @@ Or install it yourself as:
 
 ```ruby
 encryptor = Diffcrypt::Encryptor.new('99e1f86b9e61f24c56ff4108dd415091')
-yaml = File.read('tmp/example.yml')
+yaml = File.read('test/fixtures/example.yml')
 encrypted = encryptor.encrypt(yaml)
 File.write('tmp/example.yml.enc', encrypted)
 ```
@@ -38,10 +38,31 @@ File.write('tmp/example.yml.enc', encrypted)
 
 ```ruby
 encryptor = Diffcrypt::Encryptor.new('99e1f86b9e61f24c56ff4108dd415091')
-yaml = File.read('tmp/example.yml.enc')
+yaml = File.read('test/fixtures/example.yml.enc')
 config = YAML.safe_load(encryptor.decrypt(yaml))
 ```
 
+### Rails
+
+Currently there is not native support for rails, but ActiveSupport can be monkeypatched to override
+the build in encrypter.
+
+```ruby
+require 'diffcrypt/rails/encrypted_configuration'
+module Rails
+  class Application
+    def encrypted(path, key_path: 'config/master.key', env_key: 'RAILS_MASTER_KEY')
+      Diffcrypt::Rails::EncryptedConfiguration.new(
+        config_path: Rails.root.join(path),
+        key_path: Rails.root.join(key_path),
+        env_key: env_key,
+        raise_if_missing_key: config.require_master_key,
+      )
+    end
+  end
+end
+```
+
 
 
 ## Development

lib/diffcrypt.rb

@@ -5,4 +5,18 @@
 
 module Diffcrypt
   class Error < StandardError; end
+
+  class MissingContentError < RuntimeError
+    def initialize(content_path)
+      super "Missing encrypted content file in #{content_path}."
+    end
+  end
+
+  class MissingKeyError < RuntimeError
+    def initialize(key_path:, env_key:)
+      super \
+        'Missing encryption key to decrypt file with. ' \
+          "Ask your team for your master key and write it to #{key_path} or put it in the ENV['#{env_key}']."
+    end
+  end
 end

lib/diffcrypt/rails/encrypted_configuration.rb

@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+require 'pathname'
+require 'tmpdir'
+
+require 'active_support/ordered_options'
+require 'active_support/core_ext/hash'
+require 'active_support/core_ext/module/delegation'
+require 'active_support/core_ext/object/inclusion'
+
+module Diffcrypt
+  module Rails
+    class EncryptedConfiguration
+      attr_reader :content_path
+      attr_reader :key_path
+      attr_reader :env_key
+      attr_reader :raise_if_missing_key
+
+      delegate :[], :fetch, to: :config
+      delegate_missing_to :options
+
+      def initialize(config_path:, key_path:, env_key:, raise_if_missing_key:)
+        @content_path = Pathname.new(File.absolute_path(config_path)).yield_self do |path|
+          path.symlink? ? path.realpath : path
+        end
+        @key_path = Pathname.new(key_path)
+        @env_key = env_key
+        @raise_if_missing_key = raise_if_missing_key
+        @active_support_encryptor = ActiveSupport::MessageEncryptor.new([key].pack('H*'), cipher: Encryptor::CIPHER)
+      end
+
+      # Allow a config to be started without a file present
+      # @return [String] Returns decryped content or a blank string
+      def read
+        raise MissingContentError, content_path unless !key.nil? && content_path.exist?
+
+        decrypt content_path.binread
+      rescue MissingContentError
+        ''
+      end
+
+      def write(contents)
+        deserialize(contents)
+
+        IO.binwrite "#{content_path}.tmp", encrypt(contents)
+        FileUtils.mv "#{content_path}.tmp", content_path
+      end
+
+      def config
+        @config ||= deserialize(read).deep_symbolize_keys
+      end
+
+      # @raise [MissingKeyError] Will raise if key is not set
+      # @return [String]
+      def key
+        read_env_key || read_key_file || handle_missing_key
+      end
+
+      def change(&block)
+        writing read, &block
+      end
+
+      protected
+
+      def writing(contents)
+        tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
+        tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
+        tmp_path.binwrite contents
+
+        yield tmp_path
+
+        updated_contents = tmp_path.binread
+
+        write(updated_contents) if updated_contents != contents
+      ensure
+        FileUtils.rm(tmp_path) if tmp_path&.exist?
+      end
+
+      # @param [String] contents
+      # @return [String]
+      def encrypt(contents)
+        encryptor.encrypt contents
+      end
+
+      # @param [String] contents
+      # @return [String]
+      def decrypt(contents)
+        if contents.index('---').nil?
+          @active_support_encryptor.decrypt_and_verify contents
+        else
+          encryptor.decrypt contents
+        end
+      end
+
+      # @return [Encryptor]
+      def encryptor
+        @encryptor ||= Encryptor.new key
+      end
+
+      def read_env_key
+        ENV[env_key]
+      end
+
+      def read_key_file
+        key_path.binread.strip if key_path.exist?
+      end
+
+      # @raise [MissingKeyError]
+      # @return [void]
+      def handle_missing_key
+        raise MissingKeyError.new(key_path: key_path, env_key: env_key) if raise_if_missing_key
+      end
+
+      def options
+        @options ||= ActiveSupport::InheritableOptions.new(config)
+      end
+
+      def deserialize(config)
+        YAML.safe_load(config).presence || {}
+      end
+    end
+  end
+end

test/diffcrypt/encryptor_test.rb

@@ -2,13 +2,12 @@
 
 require 'test_helper'
 
-ENCRYPTED_VALUE_PATTERN = '([a-z0-9A-Z=/+]+)\-\-([a-z0-9A-Z=/+]+)\-\-([a-z0-9A-Z=/+]+)'
+# Since the encrypted values use openssl and are non-deterministic, we can never know the
+# actual value to test against. All we can do is ensure the value is in the correct format
+# for the encrypted content, which verifies it's not in the original state
+ENCRYPTED_VALUE_PATTERN = %('?([a-z0-9A-Z=/+]+)\-\-([a-z0-9A-Z=/+]+)\-\-([a-z0-9A-Z=/+]+)'?)
 
 class Diffcrypt::EncryptorTest < Minitest::Test
-  def test_that_it_has_a_version_number
-    refute_nil ::Diffcrypt::VERSION
-  end
-
   def test_it_decrypts_root_values
     encrypted_content = <<~CONTENT
       secret_key_base: 88Ry6HESUoXBr6QUFXmni9zzfCIYt9qGNFvIWFcN--4xoecI5mqbNRBibI--62qPJbkzzh5h8lhFEFOSaQ==

test/diffcrypt/rails/encrypted_configuration_test.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+require 'diffcrypt/rails/encrypted_configuration'
+
+class Diffcrypt::Rails::EncryptedConfigurationTest < Minitest::Test
+  def configuration
+    Diffcrypt::Rails::EncryptedConfiguration.new(
+      config_path: "#{__dir__}/../../fixtures/example.yml.enc",
+      key_path: "#{__dir__}/../../fixtures/master.key",
+      env_key: 'RAILS_MASTER_KEY',
+      raise_if_missing_key: false
+    )
+  end
+
+  # This verifies that encrypted and unecrypted data can't be accidently the
+  # same, which would create false positive tests and a major security issue
+  def test_that_fixtures_are_different
+    refute_equal File.read("#{__dir__}/../../fixtures/example.yml.enc"), File.read("#{__dir__}/../../fixtures/example.yml")
+  end
+
+  def test_that_fixture_can_be_decrypted
+    assert_equal configuration.read, File.read("#{__dir__}/../../fixtures/example.yml")
+  end
+end

test/fixtures/example.yml

@@ -0,0 +1,4 @@
+---
+secret_key_base: secret_key_base_test
+aws:
+  access_key_id: AKIXXX

test/fixtures/example.yml.enc

@@ -0,0 +1,4 @@
+---
+secret_key_base: q/nKM+MSI0IAUUGTxn336uQDgDXbJxDu6GNI3vlL--I6DThmOJBJYK6SDZ--8wmyBE0O3tGtiZK8gw69Bg==
+aws:
+  access_key_id: HEnbrD9fiNclsf2hFNAyPw==--hbJkPko9OV1QXxAq--zEkhplu33aZ9a5YCPs6mlg==

test/fixtures/master.key

@@ -0,0 +1 @@
+99e1f86b9e61f24c56ff4108dd415091

test/test_helper.rb

@@ -7,6 +7,6 @@
 #
 # @example Generate an expected value for tests
 #   Diffcrypt::Encryptor.new('99e1f86b9e61f24c56ff4108dd415091').encrypt_string('some value here')
-TEST_KEY = '99e1f86b9e61f24c56ff4108dd415091'
+TEST_KEY = File.read("#{__dir__}/fixtures/master.key").strip
 
 require 'minitest/autorun'