Add credentials using a generic EncryptedConfiguration class (#30067)

* WIP: Add credentials using a generic EncryptedConfiguration class

This is sketch code so far.

* Flesh out EncryptedConfiguration and test it

* Better name

* Add command and generator for credentials

* Use the Pathnames

* Extract EncryptedFile from EncryptedConfiguration and add serializers

* Test EncryptedFile

* Extract serializer validation

* Stress the point about losing comments

* Allow encrypted configuration to be read without parsing for display

* Use credentials by default and base them on the master key

* Derive secret_key_base in test/dev, source it from credentials in other envs

And document the usage.

* Document the new credentials setup

* Stop generating the secrets.yml file now that we have credentials

* Document what we should have instead

Still need to make it happen, tho.

* [ci skip] Keep wording to `key base`; prefer defaults.

Usually we say we change defaults, not "spec" out a release.

Can't use backticks in our sdoc generated documentation either.

* Abstract away OpenSSL; prefer MessageEncryptor.

* Spare needless new when raising.

* Encrypted file test shouldn't depend on subclass.

* [ci skip] Some woordings.

* Ditch serializer future coding.

* I said flip it. Flip it good.

* [ci skip] Move require_master_key to the real production.rb.

* Add require_master_key to abort the boot process.

In case the master key is required in a certain environment
we should inspect that the key is there and abort if it isn't.

* Print missing key message and exit immediately.

Spares us a lengthy backtrace and prevents further execution.

I've verified the behavior in a test app, but couldn't figure the
test out as loading the app just exits immediately with:

```
/Users/kasperhansen/Documents/code/rails/activesupport/lib/active_support/testing/isolation.rb:23:in `load': marshal data too short (ArgumentError)
	from /Users/kasperhansen/Documents/code/rails/activesupport/lib/active_support/testing/isolation.rb:23:in `run'
	from /Users/kasperhansen/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/minitest-5.10.2/lib/minitest.rb:830:in `run_one_method'
	from /Users/kasperhansen/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/minitest-5.10.2/lib/minitest/parallel.rb:32:in `block (2 levels) in start'
```

It's likely we need to capture and prevent the exit somehow.
Kernel.stub(:exit) didn't work. Leaving it for tomorrow.

* Fix require_master_key config test.

Loading the app would trigger the `exit 1` per require_master_key's
semantics, which then aborted the test.

Fork and wait for the child process to finish, then inspect the
exit status.

Also check we aborted because of a missing master key, so something
else didn't just abort the boot.

Much <3 to @tenderlove for the tip.

* Support reading/writing configs via methods.

* Skip needless deep symbolizing.

* Remove save; test config reader elsewhere.

* Move secret_key_base check to when we're reading it.

Otherwise we'll abort too soon since we don't assign the secret_key_base
to secrets anymore.

* Add missing string literal comments; require unneeded yaml require.

* ya ya ya, rubocop.

* Add master_key/credentials after bundle.

Then we can reuse the existing message on `rails new bc4`.

It'll look like:

```
Using web-console 3.5.1 from https://github.com/rails/web-console.git (at master@ce985eb)
Using rails 5.2.0.alpha from source at `/Users/kasperhansen/Documents/code/rails`
Using sass-rails 5.0.6
Bundle complete! 16 Gemfile dependencies, 72 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.
Adding config/master.key to store the master encryption key: 97070158c44b4675b876373a6bc9d5a0

Save this in a password manager your team can access.

If you lose the key, no one, including you, can access anything encrypted with it.

      create  config/master.key
```

And that'll be executed even if `--skip-bundle` was passed.

* Ensure test app has secret_key_base.

* Assign secret_key_base to app or omit.

* Merge noise

* Split options for dynamic delegation into its own method and use deep symbols to make it work

* Update error to point to credentials instead

* Appease Rubocop

* Validate secret_key_base when reading it.

Instead of relying on the validation in key_generator move that into
secret_key_base itself.

* Fix generator and secrets test.

Manually add config.read_encrypted_secrets since it's not there by default
anymore.

Move mentions of config/secrets.yml to config/credentials.yml.enc.

* Remove files I have no idea how they got here.

* [ci skip] swap secrets for credentials.

* [ci skip] And now, changelogs are coming.

5 files changed, 129 insertions, 5 deletions

diff --git a/railties/lib/rails/generators/rails/app/app_generator.rb b/railties/lib/rails/generators/rails/app/app_generator.rb
index 0f73cc4755..c67baa5e91 100644
--- a/railties/lib/rails/generators/rails/app/app_generator.rb
+++ b/railties/lib/rails/generators/rails/app/app_generator.rb
@@ -111,7 +111,6 @@ module Rails
         template "routes.rb"
         template "application.rb"
         template "environment.rb"
-        template "secrets.yml"
         template "cable.yml" unless options[:skip_action_cable]
         template "puma.rb"   unless options[:skip_puma]
         template "spring.rb" if spring_install?
@@ -159,6 +158,22 @@ module Rails
       end
     end
 
+    def master_key
+      require_relative "../master_key/master_key_generator"
+
+      after_bundle do
+        Rails::Generators::MasterKeyGenerator.new.add_master_key_file
+      end
+    end
+
+    def credentials
+      require_relative "../credentials/credentials_generator"
+
+      after_bundle do
+        Rails::Generators::CredentialsGenerator.new.add_credentials_file_silently
+      end
+    end
+
     def database_yml
       template "config/databases/#{options[:database]}.yml", "config/database.yml"
     end
@@ -289,6 +304,14 @@ module Rails
       end
       remove_task :update_config_files
 
+      def create_master_key
+        build(:master_key)
+      end
+
+      def create_credentials
+        build(:credentials)
+      end
+
       def display_upgrade_guide_info
         say "\nAfter this, check Rails upgrade guide at http://guides.rubyonrails.org/upgrading_ruby_on_rails.html for more details about upgrading your app."
       end
diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt
index f68e13aa8b..2e0b555f6f 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt
@@ -14,10 +14,9 @@ Rails.application.configure do
   config.consider_all_requests_local       = false
   config.action_controller.perform_caching = true
 
-  # Attempt to read encrypted secrets from `config/secrets.yml.enc`.
-  # Requires an encryption key in `ENV["RAILS_MASTER_KEY"]` or
-  # `config/secrets.yml.key`.
-  config.read_encrypted_secrets = true
+  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
+  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
+  # config.require_master_key = true
 
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
diff --git a/railties/lib/rails/generators/rails/app/templates/gitignore b/railties/lib/rails/generators/rails/app/templates/gitignore
index 83a7b211aa..c37f01a848 100644
--- a/railties/lib/rails/generators/rails/app/templates/gitignore
+++ b/railties/lib/rails/generators/rails/app/templates/gitignore
@@ -7,6 +7,9 @@
 # Ignore bundler config.
 /.bundle
 
+# Ignore master key for decrypting credentials and more.
+/config/master.key
+
 <% if sqlite3? -%>
 # Ignore the default SQLite database.
 /db/*.sqlite3
diff --git a/railties/lib/rails/generators/rails/credentials/credentials_generator.rb b/railties/lib/rails/generators/rails/credentials/credentials_generator.rb
new file mode 100644
index 0000000000..ddcccd5ce5
--- /dev/null
+++ b/railties/lib/rails/generators/rails/credentials/credentials_generator.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require_relative "../../base"
+require_relative "../master_key/master_key_generator"
+require "active_support/encrypted_configuration"
+
+module Rails
+  module Generators
+    class CredentialsGenerator < Base
+      CONFIG_PATH = "config/credentials.yml.enc"
+      KEY_PATH    = "config/master.key"
+
+      def add_credentials_file
+        unless File.exist?(CONFIG_PATH)
+          template = credentials_template
+
+          say "Adding #{CONFIG_PATH} to store encrypted credentials."
+          say ""
+          say "The following content has been encrypted with the Rails master key:"
+          say ""
+          say template, :on_green
+          say ""
+
+          add_credentials_file_silently(template)
+
+          say "You can edit encrypted credentials with `bin/rails credentials:edit`."
+          say ""
+        end
+      end
+
+      def add_credentials_file_silently(template = nil)
+        unless File.exist?(CONFIG_PATH)
+          setup = { config_path: CONFIG_PATH, key_path: KEY_PATH, env_key: "RAILS_MASTER_KEY" }
+          ActiveSupport::EncryptedConfiguration.new(setup).write(credentials_template)
+        end
+      end
+
+      private
+        def credentials_template
+          "# amazon:\n#  access_key_id: 123\n#  secret_access_key: 345\n\n" +
+          "# Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.\n" +
+          "secret_key_base: #{SecureRandom.hex(64)}"
+        end
+    end
+  end
+end
diff --git a/railties/lib/rails/generators/rails/master_key/master_key_generator.rb b/railties/lib/rails/generators/rails/master_key/master_key_generator.rb
new file mode 100644
index 0000000000..36a0b69e76
--- /dev/null
+++ b/railties/lib/rails/generators/rails/master_key/master_key_generator.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require_relative "../../base"
+require "pathname"
+require "active_support/encrypted_file"
+
+module Rails
+  module Generators
+    class MasterKeyGenerator < Base
+      MASTER_KEY_PATH = Pathname.new("config/master.key")
+
+      def add_master_key_file
+        unless MASTER_KEY_PATH.exist?
+          key = ActiveSupport::EncryptedFile.generate_key
+
+          say "Adding #{MASTER_KEY_PATH} to store the master encryption key: #{key}"
+          say ""
+          say "Save this in a password manager your team can access."
+          say ""
+          say "If you lose the key, no one, including you, can access anything encrypted with it."
+
+          say ""
+          add_master_key_file_silently key
+          say ""
+        end
+      end
+
+      def add_master_key_file_silently(key = nil)
+        create_file MASTER_KEY_PATH, key || ActiveSupport::EncryptedFile.generate_key
+      end
+
+      def ignore_master_key_file
+        if File.exist?(".gitignore")
+          unless File.read(".gitignore").include?(key_ignore)
+            say "Ignoring #{MASTER_KEY_PATH} so it won't end up in Git history:"
+            say ""
+            append_to_file ".gitignore", key_ignore
+            say ""
+          end
+        else
+          say "IMPORTANT: Don't commit #{MASTER_KEY_PATH}. Add this to your ignore file:"
+          say key_ignore, :on_green
+          say ""
+        end
+      end
+
+      private
+        def key_ignore
+          [ "", "# Ignore master key for decrypting credentials and more.", MASTER_KEY_PATH, "" ].join("\n")
+        end
+    end
+  end
+end