summaryrefslogtreecommitdiff
path: root/spec/initializers
diff options
context:
space:
mode:
authorSean McGivern <sean@gitlab.com>2016-07-19 15:12:40 +0100
committerSean McGivern <sean@gitlab.com>2016-08-03 15:48:48 +0100
commit90565b5f95ce3d6d0b81078fe9fa9a9f196b4cde (patch)
treebc843577162353c02b9587ff8720284176589847 /spec/initializers
parent379c2cbcbd1544a1f80135c491937dabb04821df (diff)
downloadgitlab-ce-90565b5f95ce3d6d0b81078fe9fa9a9f196b4cde.tar.gz
Give priority to environment variables
If an environment variable exists for secret_key_base, use that - always. But don't save it to secrets.yml. Also ensure that we never write to secrets.yml if there's a non-blank value there.
Diffstat (limited to 'spec/initializers')
-rw-r--r--spec/initializers/secret_token_spec.rb74
1 files changed, 68 insertions, 6 deletions
diff --git a/spec/initializers/secret_token_spec.rb b/spec/initializers/secret_token_spec.rb
index aa97a8e1d42..837b0de9a4c 100644
--- a/spec/initializers/secret_token_spec.rb
+++ b/spec/initializers/secret_token_spec.rb
@@ -10,6 +10,8 @@ describe 'create_tokens', lib: true do
allow(File).to receive(:delete)
allow(Rails).to receive_message_chain(:application, :secrets).and_return(secrets)
allow(Rails).to receive_message_chain(:root, :join) { |string| string }
+ allow(self).to receive(:warn)
+ allow(self).to receive(:exit)
end
context 'setting secret_key_base and otp_key_base' do
@@ -61,11 +63,36 @@ describe 'create_tokens', lib: true do
before do
secrets.db_key_base = 'db_key_base'
- allow(ENV).to receive(:[]).with('SECRET_KEY_BASE').and_return('env_key')
allow(File).to receive(:exist?).with('.secret').and_return(true)
allow(File).to receive(:read).with('.secret').and_return('file_key')
end
+ context 'when secret_key_base exists in the environment and secrets.yml' do
+ before do
+ allow(ENV).to receive(:[]).with('SECRET_KEY_BASE').and_return('env_key')
+ secrets.secret_key_base = 'secret_key_base'
+ secrets.otp_key_base = 'otp_key_base'
+ end
+
+ it 'does not issue a warning' do
+ expect(self).not_to receive(:warn)
+
+ create_tokens
+ end
+
+ it 'uses the environment variable' do
+ create_tokens
+
+ expect(secrets.secret_key_base).to eq('env_key')
+ end
+
+ it 'does not update secrets.yml' do
+ expect(File).not_to receive(:write)
+
+ create_tokens
+ end
+ end
+
context 'when secret_key_base and otp_key_base exist' do
before do
secrets.secret_key_base = 'secret_key_base'
@@ -78,7 +105,7 @@ describe 'create_tokens', lib: true do
create_tokens
end
- it 'sets the the keys to the values from secrets.yml' do
+ it 'sets the the keys to the values from the environment and secrets.yml' do
create_tokens
expect(secrets.secret_key_base).to eq('secret_key_base')
@@ -100,18 +127,18 @@ describe 'create_tokens', lib: true do
allow(self).to receive(:warn_missing_secret)
end
- it 'uses the env secret' do
+ it 'uses the file secret' do
expect(File).to receive(:write) do |filename, contents, options|
new_secrets = YAML.load(contents)[Rails.env]
- expect(new_secrets['secret_key_base']).to eq('env_key')
- expect(new_secrets['otp_key_base']).to eq('env_key')
+ expect(new_secrets['secret_key_base']).to eq('file_key')
+ expect(new_secrets['otp_key_base']).to eq('file_key')
expect(new_secrets['db_key_base']).to eq('db_key_base')
end
create_tokens
- expect(secrets.otp_key_base).to eq('env_key')
+ expect(secrets.otp_key_base).to eq('file_key')
end
it 'keeps the other secrets as they were' do
@@ -134,5 +161,40 @@ describe 'create_tokens', lib: true do
end
end
end
+
+ context 'when db_key_base is blank but exists in secrets.yml' do
+ before do
+ secrets.otp_key_base = 'otp_key_base'
+ secrets.secret_key_base = 'secret_key_base'
+ yaml_secrets = secrets.to_h.stringify_keys.merge('db_key_base' => '<%= an_erb_expression %>')
+
+ allow(File).to receive(:exist?).with('.secret').and_return(false)
+ allow(File).to receive(:exist?).with('config/secrets.yml').and_return(true)
+ allow(YAML).to receive(:load_file).with('config/secrets.yml').and_return('test' => yaml_secrets)
+ allow(self).to receive(:warn_missing_secret)
+ end
+
+ it 'warns about updating db_key_base' do
+ expect(self).to receive(:warn_missing_secret).with('db_key_base')
+
+ create_tokens
+ end
+
+ it 'warns about the blank value existing in secrets.yml and exits' do
+ expect(self).to receive(:warn) do |warning|
+ expect(warning).to include('db_key_base')
+ expect(warning).to include('<%= an_erb_expression %>')
+ end
+
+ create_tokens
+ end
+
+ it 'does not update secrets.yml' do
+ expect(self).to receive(:exit).with(1).and_call_original
+ expect(File).not_to receive(:write)
+
+ expect { create_tokens }.to raise_error(SystemExit)
+ end
+ end
end
end