Merge branch 'master' into bug/filtered_parameters_class

2 files changed, 109 insertions, 0 deletions

diff --git a/railties/lib/rails/commands/secrets/USAGE b/railties/lib/rails/commands/secrets/USAGE
new file mode 100644
index 0000000000..96e322fe91
--- /dev/null
+++ b/railties/lib/rails/commands/secrets/USAGE
@@ -0,0 +1,60 @@
+=== Storing Encrypted Secrets in Source Control
+
+The Rails `secrets` commands helps encrypting secrets to slim a production
+environment's `ENV` hash. It's also useful for atomic deploys: no need to
+coordinate key changes to get everything working as the keys are shipped
+with the code.
+
+=== Setup
+
+Run `bin/rails secrets:setup` to opt in and generate the `config/secrets.yml.key`
+and `config/secrets.yml.enc` files.
+
+The latter contains all the keys to be encrypted while the former holds the
+encryption key.
+
+Don't lose the key! Put it in a password manager your team can access.
+Should you lose it no one, including you, will be able to access any encrypted
+secrets.
+Don't commit the key! Add `config/secrets.yml.key` to your source control's
+ignore file. If you use Git, Rails handles this for you.
+
+Rails also looks for the key in `ENV["RAILS_MASTER_KEY"]` if that's easier to
+manage.
+
+You could prepend that to your server's start command like this:
+
+   RAILS_MASTER_KEY="im-the-master-now-hahaha" server.start
+
+
+The `config/secrets.yml.enc` has much the same format as `config/secrets.yml`:
+
+   production:
+     secret_key_base: so-secret-very-hidden-wow
+     payment_processing_gateway_key: much-safe-very-gaedwey-wow
+
+But that's where the similarities between `secrets.yml` and `secrets.yml.enc`
+end, e.g. no keys from `secrets.yml` will be moved to `secrets.yml.enc` and
+be encrypted.
+
+A `shared:` top level key is also supported such that any keys there is merged
+into the other environments.
+
+Additionally, Rails won't read encrypted secrets out of the box even if you have
+the key. Add this:
+
+   config.read_encrypted_secrets = true
+
+to the environment you'd like to read encrypted secrets. `bin/rails secrets:setup`
+inserts this into the production environment by default.
+
+=== Editing Secrets
+
+After `bin/rails secrets:setup`, run `bin/rails secrets:edit`.
+
+That command opens a temporary file in `$EDITOR` with the decrypted contents of
+`config/secrets.yml.enc` to edit the encrypted secrets.
+
+When the temporary file is next saved the contents are encrypted and written to
+`config/secrets.yml.enc` while the file itself is destroyed to prevent secrets
+from leaking.
diff --git a/railties/lib/rails/commands/secrets/secrets_command.rb b/railties/lib/rails/commands/secrets/secrets_command.rb
new file mode 100644
index 0000000000..03a640bd65
--- /dev/null
+++ b/railties/lib/rails/commands/secrets/secrets_command.rb
@@ -0,0 +1,49 @@
+require "active_support"
+require "rails/secrets"
+
+module Rails
+  module Command
+    class SecretsCommand < Rails::Command::Base # :nodoc:
+      no_commands do
+        def help
+          say "Usage:\n  #{self.class.banner}"
+          say ""
+          say self.class.desc
+        end
+      end
+
+      def setup
+        require "rails/generators"
+        require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
+
+        Rails::Generators::EncryptedSecretsGenerator.start
+      end
+
+      def edit
+        if ENV["EDITOR"].to_s.empty?
+          say "No $EDITOR to open decrypted secrets in. Assign one like this:"
+          say ""
+          say %(EDITOR="mate --wait" bin/rails secrets:edit)
+          say ""
+          say "For editors that fork and exit immediately, it's important to pass a wait flag,"
+          say "otherwise the secrets will be saved immediately with no chance to edit."
+
+          return
+        end
+
+        require_application_and_environment!
+
+        Rails::Secrets.read_for_editing do |tmp_path|
+          say "Waiting for secrets file to be saved. Abort with Ctrl-C."
+          system("\$EDITOR #{tmp_path}")
+        end
+
+        say "New secrets encrypted and saved."
+      rescue Interrupt
+        say "Aborted changing encrypted secrets: nothing saved."
+      rescue Rails::Secrets::MissingKeyError => error
+        say error.message
+      end
+    end
+  end
+end