Rails credentials diff helper only decrypting the "local" state

Hi! We’re using Rails encrypted credentials, with multiple environments. We’ve enrolled the diff helpers for git as well. I’m seeing some strange behavior though - when I run git diff on a merge conflict, I see it decrypting the “local” copy, but for the “base” and “remote” versions it just shows the unencrypted contents. So, e.g.:

diff --cc config/credentials/staging.yml.enc
--- a/config/credentials/staging.yml.enc
+++ b/config/credentials/staging.yml.enc
@@@ -1,46 -1,50 +1,5 @@@
--key1:
--  subkey1: value
--
...
++<<<<<<< HEAD
++beepboopcyphertext
++=======
++bleepbloopcyphertext
++>>>>>>> upstream_sha
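
Review bot: the `++` lines place `<<<<<<< HEAD`, `=======` and `>>>>>>> upstream_sha` around two ciphertext blobs in config/credentials/staging.yml.enc, so the working-tree copy is no longer a single encrypted payload and cannot be decrypted as it stands. A line-based merge has no meaning for encrypted content: resolve by taking one side's file whole and re-applying the other side's changes through the credentials editor, and consider marking the .yml.enc files with `merge=binary` in .gitattributes so git leaves the path conflicted without writing markers into it.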

A couple other details that might be relevant:

  • We’re developing inside Docker containers, so running Rails commands requires us to be inside the container. (My Mac-using coworkers don’t have the git repo mounted into the container for filesystem performance reasons, but for me on Linux this is not a problem - I have access to the git repo inside and outside the container.)
  • We have multiple environments for credentials files, so e.g. config/credentials/development.yml.enc, config/credentials/production.yml.enc, etc. The keys are never left on disk but rather passed in as needed as environment variables in RAILS_MASTER_KEY. It seems like things work a little better when the keys are on disk (maybe not everything in the stack is passing on env variables correctly).

I don’t have a reproduction yet, but will try and come up with one in the future. I just wanted to see if the behavior I’m experiencing is unusual or expected (maybe the diff helper doesn’t handle merge conflicts correctly?). Thanks!

Edit: Actually, it was pretty easy to reproduce in a new repo. So I guess this is just the current behavior of the diff helper? It’s weird to me because it’s not doing nothing but it’s not exactly doing something helpful either. I wonder in what context it does something more useful?

Oh, I guess one example is that if you show a commit (e.g. git show HEAD), the diff will be useful there. So it’s just not doing the right thing for merge conflicts.

commit 239d89ed7e74ccbf33b7477b0fbccfb04b6ac401 (HEAD -> main, origin/main)
Author: Ibrahim Awwal <ibrahim@volition.co>
Date:   Tue Jun 18 16:12:09 2024 -0700

    Update credentials

diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc
index 3a0b3d7..1443e47 100644
--- a/config/credentials.yml.enc
+++ b/config/credentials.yml.enc
@@ -2,5 +2,8 @@
 #   access_key_id: 123
 #   secret_access_key: 345
 
+thing1:
+  subkey1: value
+
 # Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.
 secret_key_base: d1987ebae6f3bc33ab535ca2cfb582567de1fd12d03cb9a8c327daedfa7bb8114da617c6e8d207b24cfe62b9e7a92b840b0ee028b74f9b8dc48a96be500e2e23
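
Review bot: the trailing context line `secret_key_base: ...` prints the decrypted secret in full even though this commit only adds `thing1`, so any terminal log, CI output or pasted snippet of this diff carries the value in cleartext. Unless the repo is a throwaway reproduction, regenerate `secret_key_base` (for example with `bin/rails secret`) and trim unchanged context from decrypted diffs before sharing them.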