Dry up reading env vars

.env.example

@@ -6,6 +6,7 @@ AWS_S3_REGION=changeme
 AWS_SECRET_ACCESS_KEY=changeme
 
 GITHUB_WEBHOOK_SECRET=test_token
+GITHUB_WEBHOOK_REF=ref
 
 POSTGRES_DB=development
 POSTGRES_HOST=db

app/controllers/auth_controller.rb

@@ -22,12 +22,12 @@ def destroy
     reset_session
 
     # Prevent redirect loops etc.
-    if ENV['BYPASS_OAUTH'].present?
+    if Rails.configuration.bypass_oauth
       redirect_to root_path
       return
     end
 
-    redirect_to "#{ENV.fetch('IDENTITY_URL', nil)}/logout?returnTo=#{ENV.fetch('HOST_URL', nil)}",
+    redirect_to "#{Rails.configuration.identity_url}/logout?returnTo=#{ENV.fetch('HOST_URL', nil)}",
                 allow_other_host: true
   end
 

app/controllers/github_webhooks_controller.rb

@@ -4,13 +4,17 @@ class GithubWebhooksController < ActionController::API
   include GithubWebhook::Processor
 
   def github_push(payload)
-    UploadJob.perform_later(payload) if payload[:ref] == ENV.fetch('GITHUB_WEBHOOK_REF') && edited_code?(payload)
+    UploadJob.perform_later(payload) if payload[:ref] == webhook_ref && edited_code?(payload)
   end
 
   private
 
   def webhook_secret(_payload)
-    ENV.fetch('GITHUB_WEBHOOK_SECRET')
+    Rails.configuration.x.github_webhook.secret
+  end
+
+  def webhook_ref
+    Rails.configuration.x.github_webhook.ref
   end
 
   def edited_code?(payload)

app/jobs/upload_job.rb

@@ -55,7 +55,7 @@ def modified_locales(payload)
   def load_projects_data(locale, repository, owner)
     GithubApi::Client.query(
       ProjectContentQuery,
-      variables: { repository:, owner:, expression: "#{ENV.fetch('GITHUB_WEBHOOK_REF')}:#{locale}/code" }
+      variables: { repository:, owner:, expression: "#{Rails.configuration.x.github_webhook.ref}:#{locale}/code" }
     )
   end
 
@@ -85,7 +85,7 @@ def component(file)
   def image(file, project_dir, locale, repository, owner)
     filename = file.name
     directory = project_dir.name
-    url = "https://github.com/#{owner}/#{repository}/raw/#{ENV.fetch('GITHUB_WEBHOOK_REF')}/#{locale}/code/#{directory}/#{filename}"
+    url = "https://github.com/#{owner}/#{repository}/raw/#{Rails.configuration.x.github_webhook.ref}/#{locale}/code/#{directory}/#{filename}"
     { filename:, io: URI.parse(url).open }
   end
 

app/views/invitation_mailer/invite_teacher.text.erb

@@ -6,7 +6,7 @@ Being part of this school account will allow you to access the school dashboard
 
 Join school:
 
-<%= "#{ENV.fetch('EDITOR_PUBLIC_URL')}/en/invitations/#{@token}" %>
+<%= "#{Rails.configuration.editor_public_url}/en/invitations/#{@token}" %>
 
 --
 Raspberry Pi Foundation

config/application.rb

@@ -57,5 +57,12 @@ class Application < Rails::Application
 
     config.middleware.insert_before 0, CorpMiddleware
     config.generators.system_tests = nil
+
+    config.bypass_oauth = ENV.fetch('BYPASS_OAUTH', nil) == 'true'
+    config.identity_url = ENV.fetch('IDENTITY_URL')
+    config.editor_public_url = ENV.fetch('EDITOR_PUBLIC_URL')
+
+    config.x.github_webhook.secret = ENV.fetch('GITHUB_WEBHOOK_SECRET')
+    config.x.github_webhook.ref = ENV.fetch('GITHUB_WEBHOOK_REF')
   end
 end

config/initializers/omniauth.rb

@@ -2,7 +2,7 @@
 
 OmniAuth.config.logger = Rails.logger
 
-if ENV['BYPASS_OAUTH'].present?
+if Rails.configuration.bypass_oauth
   using RpiAuthBypass
 
   extra = RpiAuthBypass::DEFAULT_EXTRA.deep_merge(raw_info: { roles: 'editor-admin' })

lib/hydra_public_api_client.rb

@@ -24,7 +24,7 @@ def fetch_oauth_user(token:)
   private
 
   def bypass_oauth?
-    ENV.fetch('BYPASS_OAUTH', nil) == 'true'
+    Rails.configuration.bypass_oauth
   end
 
   def stubbed_user

lib/user_info_api_client.rb

@@ -21,7 +21,7 @@ def fetch_by_ids(user_ids)
     private
 
     def bypass_oauth?
-      ENV.fetch('BYPASS_OAUTH', nil) == 'true'
+      Rails.configuration.bypass_oauth
     end
 
     def transform_result(result)

spec/jobs/upload_job_spec.rb

@@ -4,20 +4,21 @@
 
 RSpec.describe UploadJob do
   around do |example|
-    ClimateControl.modify GITHUB_AUTH_TOKEN: 'secret', GITHUB_WEBHOOK_REF: 'branches/whatever' do
+    ClimateControl.modify GITHUB_AUTH_TOKEN: 'secret' do
       example.run
     end
   end
 
   ActiveJob::Base.queue_adapter = :test
+  let(:github_webhook_ref) { 'branches/whatever' }
   let(:graphql_response) do
     GraphQL::Client::Response.new(raw_response, data: UploadJob::ProjectContentQuery.new(raw_response['data'], GraphQL::Client::Errors.new))
   end
   let(:payload) do
     { repository: { name: 'my-amazing-repo', owner: { name: 'me' } }, commits: [{ added: ['ja-JP/code/dont-collide-starter/main.py'], modified: [], removed: [] }] }
   end
   let(:variables) do
-    { repository: 'my-amazing-repo', owner: 'me', expression: "#{ENV.fetch('GITHUB_WEBHOOK_REF')}:ja-JP/code" }
+    { repository: 'my-amazing-repo', owner: 'me', expression: "#{github_webhook_ref}:ja-JP/code" }
   end
 
   let(:raw_response) do
@@ -93,6 +94,7 @@
   end
 
   before do
+    allow(Rails.configuration.x.github_webhook).to receive(:ref).and_return(github_webhook_ref)
     allow(GithubApi::Client).to receive(:query).and_return(graphql_response)
     stub_request(:get, 'https://github.com/me/my-amazing-repo/raw/branches/whatever/ja-JP/code/dont-collide-starter/astronaut1.png').to_return(status: 200, body: '', headers: {})
     allow(ProjectImporter).to receive(:new).and_call_original

spec/mailers/invitation_mailer_spec.rb

@@ -9,7 +9,7 @@
     let(:invitation) { create(:teacher_invitation) }
 
     before do
-      allow(ENV).to receive(:fetch).with('EDITOR_PUBLIC_URL').and_return('http://example.com')
+      allow(Rails.configuration).to receive(:editor_public_url).and_return('http://example.com')
     end
 
     it 'includes the school name in the body' do

spec/models/user_spec.rb

@@ -85,11 +85,9 @@
       end
     end
 
-    context 'when BYPASS_OAUTH is true' do
-      around do |example|
-        ClimateControl.modify(BYPASS_OAUTH: 'true') do
-          example.run
-        end
+    context 'when the app is configured to bypass oauth' do
+      before do
+        allow(Rails.configuration).to receive(:bypass_oauth).and_return(true)
       end
 
       it 'does not call the API' do
@@ -297,15 +295,13 @@
       expect(user.email).to eq '[email protected]'
     end
 
-    context 'when BYPASS_OAUTH is true' do
-      around do |example|
-        ClimateControl.modify(BYPASS_OAUTH: 'true') do
-          example.run
-        end
-      end
-
+    context 'when the app is configured to bypass oauth' do
       let(:owner) { create(:owner, school:, id: '00000000-0000-0000-0000-000000000000') }
 
+      before do
+        allow(Rails.configuration).to receive(:bypass_oauth).and_return(true)
+      end
+
       it 'does not call the API' do
         user
         expect(WebMock).not_to have_requested(:get, /.*/)

spec/requests/github_webhooks/github_webhooks_controller_push_spec.rb

@@ -3,12 +3,7 @@
 require 'rails_helper'
 
 RSpec.describe GithubWebhooksController do
-  around do |example|
-    ClimateControl.modify GITHUB_WEBHOOK_SECRET: 'secret', GITHUB_WEBHOOK_REF: 'branches/whatever' do
-      example.run
-    end
-  end
-
+  let(:github_webhook_secret) { 'secret' }
   let(:params) do
     {
       ref:,
@@ -18,13 +13,15 @@
 
   let(:headers) do
     {
-      'X-Hub-Signature-256': "sha256=#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), ENV.fetch('GITHUB_WEBHOOK_SECRET'), params.to_json)}",
+      'X-Hub-Signature-256': "sha256=#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), github_webhook_secret, params.to_json)}",
       'X-GitHub-Event': 'push',
       'Content-Type': 'application/json'
     }
   end
 
   before do
+    allow(Rails.configuration.x.github_webhook).to receive(:secret).and_return(github_webhook_secret)
+    allow(Rails.configuration.x.github_webhook).to receive(:ref).and_return('branches/whatever')
     allow(UploadJob).to receive(:perform_later)
     post '/github_webhooks', env: { RAW_POST_DATA: params.to_json }, headers:
   end