Apply review feedback

-Ensure we creation our tempfile within our final directory
- Add encrypted settings config to gitlab.yml.example
- Update missing key syntax
- And check early for missing key during the edit command
- Ensure spec tests are rails rooted

config/gitlab.yml.example

@@ -616,6 +616,9 @@ production: &base
     enabled: false
     prevent_ldap_sign_in: false
 
+    # File location to read encrypted secrets from
+    # secret_file: /mnt/gitlab/ldap.yaml.enc # Default: shared/encrypted_settings/ldap.yaml.enc
+
     # This setting controls the number of seconds between LDAP permission checks
     # for each user. After this time has expired for a given user, their next
     # interaction with GitLab (a click in the web UI, a git pull, etc.) will be

lib/gitlab/encrypted_ldap_command.rb

@@ -13,8 +13,6 @@ module Gitlab
         puts "File encrypted and saved."
       rescue Interrupt
         puts "Aborted changing file: nothing saved."
-      rescue Gitlab::EncryptedConfiguration::MissingKeyError
-        puts "Missing encryption key enc_settings_key_base."
       rescue ActiveSupport::MessageEncryptor::InvalidMessage
         puts "Couldn't decrypt #{encrypted.content_path}. Perhaps you passed the wrong key?"
       end
@@ -24,7 +22,7 @@ module Gitlab
         return unless validate_config(encrypted)
 
         editor = ENV['EDITOR'] || 'editor'
-        temp_file = Tempfile.new(File.basename(encrypted.content_path))
+        temp_file = Tempfile.new(File.basename(encrypted.content_path), File.dirname(encrypted.content_path))
 
         encrypted.change do |contents|
           contents = encrypted_file_template unless File.exist?(encrypted.content_path)
@@ -36,8 +34,6 @@ module Gitlab
         puts "File encrypted and saved."
       rescue Interrupt
         puts "Aborted changing file: nothing saved."
-      rescue Gitlab::EncryptedConfiguration::MissingKeyError
-        puts "Missing encryption key enc_settings_key_base."
       rescue ActiveSupport::MessageEncryptor::InvalidMessage
         puts "Couldn't decrypt #{encrypted.content_path}. Perhaps you passed the wrong key?"
       ensure
@@ -46,10 +42,9 @@ module Gitlab
 
       def show
         encrypted = Gitlab::Auth::Ldap::Config.encrypted_secrets
+        return unless validate_config(encrypted)
 
         puts encrypted.read.presence || "File '#{encrypted.content_path}' does not exist. Use `rake gitlab:ldap:secret:edit` to change that."
-      rescue Gitlab::EncryptedConfiguration::MissingKeyError
-        puts "Missing encryption key enc_settings_key_base."
       rescue ActiveSupport::MessageEncryptor::InvalidMessage
         puts "Couldn't decrypt #{encrypted.content_path}. Perhaps you passed the wrong key?"
       end
@@ -64,6 +59,11 @@ module Gitlab
           return false
         end
 
+        if encrypted.key.nil?
+          puts "Missing encryption key enc_settings_key_base."
+          return false
+        end
+
         true
       end
 

spec/tasks/gitlab/ldap_rake_spec.rb

@@ -27,7 +27,7 @@ RSpec.describe 'gitlab:ldap:secret rake tasks' do
   end
 
   after do
-    FileUtils.rm_rf('tmp/tests/ldapenc/')
+    FileUtils.rm_rf(Rails.root.join('tmp/tests/ldapenc'))
   end
 
   describe ':show' do
@@ -74,7 +74,7 @@ RSpec.describe 'gitlab:ldap:secret rake tasks' do
     end
 
     it 'displays error when write directory does not exist' do
-      FileUtils.rm_rf('tmp/tests/ldapenc/')
+      FileUtils.rm_rf(Rails.root.join('tmp/tests/ldapenc'))
       expect { run_rake_task('gitlab:ldap:secret:edit') }.to output(/Directory .* does not exist./).to_stdout
     end
   end