secrets {httr2} | R Documentation |
Secret management
Description
httr2 provides a handful of functions designed for working with confidential data. These are useful because testing packages that use httr2 often requires some confidential data that needs to be available for testing, but should not be available to package users.
-
secret_encrypt()
andsecret_decrypt()
work with individual strings -
secret_encrypt_file()
encrypts a file in place andsecret_decrypt_file()
decrypts a file in a temporary location. -
secret_write_rds()
andsecret_read_rds()
work with.rds
files -
secret_make_key()
generates a random string to use as a key. -
secret_has_key()
returnsTRUE
if the key is available; you can use it in examples and vignettes that you want to evaluate on your CI, but not for CRAN/package users.
These all look for the key in an environment variable. When used inside of
testthat, they will automatically testthat::skip()
the test if the env var
isn't found. (Outside of testthat, they'll error if the env var isn't
found.)
Usage
secret_make_key()
secret_encrypt(x, key)
secret_decrypt(encrypted, key)
secret_write_rds(x, path, key)
secret_read_rds(path, key)
secret_decrypt_file(path, key, envir = parent.frame())
secret_encrypt_file(path, key)
secret_has_key(key)
Arguments
x |
Object to encrypt. Must be a string for |
key |
Encryption key; this is the password that allows you to "lock"
and "unlock" the secret. The easiest way to specify this is as the
name of an environment variable. Alternatively, if you already have
a base64url encoded string, you can wrap it in |
encrypted |
String to decrypt |
path |
Path to |
envir |
The decrypted file will be automatically deleted when this environment exits. You should only need to set this argument if you want to pass the unencrypted file to another function. |
Value
-
secret_decrypt()
andsecret_encrypt()
return strings. -
secret_write_rds()
returnsx
invisibly;secret_read_rds()
returns the saved object. -
secret_make_key()
returns a string with classAsIs
. -
secret_has_key()
returnsTRUE
orFALSE
.
Basic workflow
Use
secret_make_key()
to generate a password. Make this available as an env var (e.g.{MYPACKAGE}_KEY
) by adding a line to your.Renviron
.Encrypt strings with
secret_encrypt()
, files withsecret_encrypt_file()
, and other data withsecret_write_rds()
, settingkey = "{MYPACKAGE}_KEY"
.In your tests, decrypt the data with
secret_decrypt()
,secret_decrypt_file()
, orsecret_read_rds()
to match how you encrypt it.If you push this code to your CI server, it will already "work" because all functions automatically skip tests when your
{MYPACKAGE}_KEY
env var isn't set. To make the tests actually run, you'll need to set the env var using whatever tool your CI system provides for setting env vars. Make sure to carefully inspect the test output to check that the skips have actually gone away.
Examples
key <- secret_make_key()
path <- tempfile()
secret_write_rds(mtcars, path, key = key)
secret_read_rds(path, key)
# While you can manage the key explicitly in a variable, it's much
# easier to store in an environment variable. In real life, you should
# NEVER use `Sys.setenv()` to create this env var because you will
# also store the secret in your `.Rhistory`. Instead add it to your
# .Renviron using `usethis::edit_r_environ()` or similar.
Sys.setenv("MY_KEY" = key)
x <- secret_encrypt("This is a secret", "MY_KEY")
x
secret_decrypt(x, "MY_KEY")