secrets: Secret management
In r-lib/httr2: Perform HTTP Requests and Process the Responses

secrets

R Documentation

Secret management

Description

httr2 provides a handful of functions designed for working with confidential data. These are useful because testing packages that use httr2 often requires some confidential data that needs to be available for testing, but should not be available to package users.

secret_encrypt() and secret_decrypt() work with individual strings
secret_encrypt_file() encrypts a file in place and secret_decrypt_file() decrypts a file in a temporary location.
secret_write_rds() and secret_read_rds() work with .rds files
secret_make_key() generates a random string to use as a key.
secret_has_key() returns TRUE if the key is available; you can use it in examples and vignettes that you want to evaluate on your CI, but not for CRAN/package users.

These all look for the key in an environment variable. When used inside of testthat, they will automatically testthat::skip() the test if the env var isn't found. (Outside of testthat, they'll error if the env var isn't found.)

Usage

secret_make_key()

secret_encrypt(x, key)

secret_decrypt(encrypted, key)

secret_write_rds(x, path, key)

secret_read_rds(path, key)

secret_decrypt_file(path, key, envir = parent.frame())

secret_encrypt_file(path, key)

secret_has_key(key)

Arguments

`x`	Object to encrypt. Must be a string for `secret_encrypt()`.
`key`	Encryption key; this is the password that allows you to "lock" and "unlock" the secret. The easiest way to specify this is as the name of an environment variable. Alternatively, if you already have a base64url encoded string, you can wrap it in `I()`, or you can pass the raw vector in directly.
`encrypted`	String to decrypt
`path`	Path to file to encrypted file to read or write. For `secret_write_rds()` and `secret_read_rds()` this should be an `.rds` file.
`envir`	The decrypted file will be automatically deleted when this environment exits. You should only need to set this argument if you want to pass the unencrypted file to another function.

Value

secret_decrypt() and secret_encrypt() return strings.
secret_decrypt_file() returns a path to a temporary file; secret_encrypt_file() encrypts the file in place.
secret_write_rds() returns x invisibly; secret_read_rds() returns the saved object.
secret_make_key() returns a string with class AsIs.
secret_has_key() returns TRUE or FALSE.

Basic workflow

Use secret_make_key() to generate a password. Make this available as an env var (e.g. ⁠{MYPACKAGE}_KEY⁠) by adding a line to your .Renviron.
Encrypt strings with secret_encrypt(), files with secret_encrypt_file(), and other data with secret_write_rds(), setting key = "{MYPACKAGE}_KEY".
In your tests, decrypt the data with secret_decrypt(), secret_decrypt_file(), or secret_read_rds() to match how you encrypt it.
If you push this code to your CI server, it will already "work" because all functions automatically skip tests when your ⁠{MYPACKAGE}_KEY⁠ env var isn't set. To make the tests actually run, you'll need to set the env var using whatever tool your CI system provides for setting env vars. Make sure to carefully inspect the test output to check that the skips have actually gone away.

Examples

key <- secret_make_key()

path <- tempfile()
secret_write_rds(mtcars, path, key = key)
secret_read_rds(path, key)

# While you can manage the key explicitly in a variable, it's much
# easier to store in an environment variable. In real life, you should
# NEVER use `Sys.setenv()` to create this env var because you will
# also store the secret in your `.Rhistory`. Instead add it to your
# .Renviron using `usethis::edit_r_environ()` or similar.
Sys.setenv("MY_KEY" = key)

x <- secret_encrypt("This is a secret", "MY_KEY")
x
secret_decrypt(x, "MY_KEY")

r-lib/httr2 documentation built on Nov. 4, 2024, 11:32 p.m.