I'm seeing behavior where an encrypted AD ID login works for a database, but not for an AD connection. Both are using the exact same code to decrypt before passing the passwords to their respective endpoints. The encryption itself is confirmed to be working.
Is the Ruby <%= DM::Encryption.decrypt(:staging, 'nsad;nasdnvoasidnv;asoin') %> not being evaluated before being assigned in adauth.rb?
config/database.yml:
#...
staging:
  adapter: jdbcmssql
  driver: net.sourceforge.jtds.jdbc.Driver
  url: 'jdbc:jtds:sqlserver://server/db;domain=DM'
  username: some_id
  password: <%= DM::Encryption.decrypt(:staging, 'nsad;nasdnvoasidnv;asoin') %>
  pool: 10
  wait-timeout: 10
#...
config/ad.yml:
#...
staging:
  <<: *default
  ad.bind_id: some_id
  ad.bind_password: <%= DM::Encryption.decrypt(:staging, 'nsad;nasdnvoasidnv;asoin') %>
#...
initializers/adauth.rb:
AD_CONF = YAML.load_file(Rails.root.join('config/ad.yml'))[Rails.env]
Adauth.configure do |c|
  c.domain = AD_CONF["ad.domain"]
  c.query_user = AD_CONF["ad.bind_id"]
  c.query_password = AD_CONF["ad.bind_password"]
  c.server = AD_CONF["ad.host"]
  c.base = AD_CONF["ad.user_base"]
end
Your question is a little unclear, but it seems like you suspect the ERb (<%= ...) in your YAML file isn't being evaluated before the YAML is parsed in adauth.rb.
It would be easy enough to find out just by printing the value of AD_CONF["ad.bind_password"] in adauth.rb—but it does seem likely, since you're just calling YAML.load_file and never doing anything to parse the ERb. If you want to parse the ERb, you can see how Rails does it in Rails::Application::Configuration.database_configuration. The most important part is this:
yaml = Pathname.new(paths["config/database"].existent.first || "")
# ...snip...
YAML.load(ERB.new(yaml.read).result) || {}
Following this example, you would change the first line in adauth.rb to something like this:
ad_yaml_path = Rails.root.join('config/ad.yml') # The path to the .yml file
ad_yaml = ERB.new( ad_yaml_path.read ).result # Read the file and evaluate the ERB
ad_hash = YAML.load(ad_yaml) # Parse the resulting YAML
AD_CONF = ad_hash[Rails.env]
(The first line works because Rails.root is a Pathname object, and Pathname#join also returns a Pathname, and Pathname#read works like File#read, returning the contents of the file.)
Of course, this can be shortened (you could make it a one-liner but that'd be pretty hard to read):
ad_yaml = ERB.new( Rails.root.join('config/ad.yml').read ).result
AD_CONF = YAML.load(ad_yaml)[Rails.env]
One more thing: Rails 4.2, which is now in beta, has a config_for method that does exactly this. Instead of the above you would just do this:
AD_CONF = Rails.application.config_for(Rails.root + 'config/ad.yml')
So that's neat.
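The failure mode from the question and the fix from the answer, side by side, as an added example that is not part of the original posts. The `DM::Encryption` stub, the sample YAML content and the `assert_rendered!` helper are assumptions made for illustration; the real `DM::Encryption` is not shown on the page.

```ruby
require 'erb'
require 'yaml'

# Hypothetical stand-in: the page does not show DM::Encryption's implementation.
module DM
  module Encryption
    def self.decrypt(_env, ciphertext)
      "decrypted(#{ciphertext})"
    end
  end
end

# Constructed sample shaped like the config/ad.yml in the question.
AD_YML = <<~'AD_FILE'
  default: &default
    ad.host: ad.example.test
  staging:
    <<: *default
    ad.bind_id: some_id
    ad.bind_password: <%= DM::Encryption.decrypt(:staging, 'nsad;nasdnvoasidnv;asoin') %>
AD_FILE

# aliases: true is needed for "<<: *default"; YAML.safe_load rejects aliases
# by default, as does YAML.load on Psych 4 (Ruby 3.1+).
def parse(text, env)
  YAML.safe_load(text, aliases: true).fetch(env)
end

# What the question's initializer does: YAML only, so the ERB tag stays literal.
def load_without_erb(text, env)
  parse(text, env)
end

# What the answer recommends: render ERB first, then parse the YAML.
def load_with_erb(text, env)
  parse(ERB.new(text).result, env)
end

# Fail fast at boot if any value still contains an ERB tag, so a literal
# "<%= ... %>" string is never sent as the bind password.
def assert_rendered!(conf)
  leaked = conf.select { |_key, value| value.is_a?(String) && value.include?('<%') }
  raise ArgumentError, "unrendered ERB in #{leaked.keys.join(', ')}" unless leaked.empty?
  conf
end

p load_without_erb(AD_YML, 'staging')['ad.bind_password']
p assert_rendered!(load_with_erb(AD_YML, 'staging'))['ad.bind_password']
```

The check reports only key names, so neither the ciphertext nor the decrypted password ends up in boot logs.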