author | Guillermo Iguaran <guilleiguaran@gmail.com> | 2013-12-13 09:48:34 -0800 |
---|---|---|
committer | Guillermo Iguaran <guilleiguaran@gmail.com> | 2013-12-13 09:48:34 -0800 |
commit | eed8c85f4b9bd1cb408b6d972c353e30bdd591c7 (patch) | |
tree | 2261fa7a6d0c0dbea5d36b19671206ecfb3f4d07 /railties/lib/rails | |
parent | 92b92f1782cef7ca68daef6319930a5bbcc3845d (diff) | |
parent | c1f4bc262884668217060d3a74ebafbf60bc44b3 (diff) | |
download | rails-eed8c85f4b9bd1cb408b6d972c353e30bdd591c7.tar.gz rails-eed8c85f4b9bd1cb408b6d972c353e30bdd591c7.tar.bz2 rails-eed8c85f4b9bd1cb408b6d972c353e30bdd591c7.zip |
Merge pull request #13298 from rails/secret_tokens
Create config/secrets.yml file for store of tokens
Diffstat (limited to 'railties/lib/rails')
-rw-r--r-- | railties/lib/rails/application.rb | 34 | ||||
-rw-r--r-- | railties/lib/rails/application/configuration.rb | 1 | ||||
-rw-r--r-- | railties/lib/rails/generators/rails/app/app_generator.rb | 1 | ||||
-rw-r--r-- | railties/lib/rails/generators/rails/app/templates/config/secrets.yml (renamed from railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt) | 12 |
4 files changed, 40 insertions, 8 deletions
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index e45bfaf6fc..06acb4c877 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -1,4 +1,5 @@
 require 'fileutils'
+require 'active_support/core_ext/hash/keys'
 require 'active_support/core_ext/object/blank'
 require 'active_support/key_generator'
 require 'active_support/message_verifier'
@@ -104,7 +105,7 @@ module Rails
 delegate :default_url_options, :default_url_options=, to: :routes
 INITIAL_VARIABLES = [:config, :railties, :routes_reloader, :reloaders,
- :routes, :helpers, :app_env_config] # :nodoc:
+ :routes, :helpers, :app_env_config, :secrets] # :nodoc:
 def initialize(initial_variable_values = {}, &block)
 super()
@@ -151,8 +152,8 @@ module Rails
 # number of iterations selected based on consultation with the google security
 # team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220
 @caching_key_generator ||= begin
- if config.secret_key_base
- key_generator = ActiveSupport::KeyGenerator.new(config.secret_key_base, iterations: 1000)
+ if secrets.secret_key_base
+ key_generator = ActiveSupport::KeyGenerator.new(secrets.secret_key_base, iterations: 1000)
 ActiveSupport::CachingKeyGenerator.new(key_generator)
 else
 ActiveSupport::LegacyKeyGenerator.new(config.secret_token)
@@ -195,7 +196,7 @@ module Rails
 "action_dispatch.parameter_filter" => config.filter_parameters,
 "action_dispatch.redirect_filter" => config.filter_redirect,
 "action_dispatch.secret_token" => config.secret_token,
- "action_dispatch.secret_key_base" => config.secret_key_base,
+ "action_dispatch.secret_key_base" => secrets.secret_key_base,
 "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions,
 "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
 "action_dispatch.logger" => Rails.logger,
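Review bot: In the `@@ -151,8 +152,8 @@` hunk the branch `if secrets.secret_key_base` tests truthiness, while `validate_secret_key_config!` (changed later in this commit) tests `.blank?`, so an empty-string `secret_key_base` would be handed to `ActiveSupport::KeyGenerator.new` as key material whenever `config.secret_token` is also set and validation therefore passes. An empty string looks reachable now that the value comes from an ERB-rendered YAML file (for example a quoted expression that evaluates to nothing), though that depends on how the application writes the file. Consider `if secrets.secret_key_base.present?` so both checks agree; `active_support/core_ext/object/blank` is already required at the top of the file. The enclosing method starts and ends outside this hunk.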
@@ -300,6 +301,27 @@ module Rails
 @config = configuration
 end
+ def secrets #:nodoc:
+ @secrets ||= begin
+ secrets = ActiveSupport::OrderedOptions.new
+ yaml = config.paths["config/secrets"].first
+ if File.exist?(yaml)
+ require "erb"
+ env_secrets = YAML.load(ERB.new(IO.read(yaml)).result)[Rails.env]
+ secrets.merge!(env_secrets.symbolize_keys) if env_secrets
+ end
+
+ # Fallback to config.secret_key_base if secrets.secret_key_base isn't set
+ secrets.secret_key_base ||= config.secret_key_base
+
+ secrets
+ end
+ end
+
+ def secrets=(secrets) #:nodoc:
+ @secrets = secrets
+ end
+
 def to_app #:nodoc:
 self
 end
@@ -391,8 +413,8 @@ module Rails
 end
 def validate_secret_key_config! #:nodoc:
- if config.secret_key_base.blank? && config.secret_token.blank?
- raise "You must set config.secret_key_base in your app's config."
+ if secrets.secret_key_base.blank? && config.secret_token.blank?
+ raise "You must set secret_key_base in your app's config"
 end
 end
 end
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index dd0b9c6d70..9975bb8596 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -76,6 +76,7 @@ module Rails
 @paths ||= begin
 paths = super
 paths.add "config/database", with: "config/database.yml"
+ paths.add "config/secrets", with: "config/secrets.yml"
 paths.add "config/environment", with: "config/environment.rb"
 paths.add "lib/templates"
 paths.add "log", with: "log/#{Rails.env}.log"
diff --git a/railties/lib/rails/generators/rails/app/app_generator.rb b/railties/lib/rails/generators/rails/app/app_generator.rb
index 87556bd609..e12ee3c713 100644
--- a/railties/lib/rails/generators/rails/app/app_generator.rb
+++ b/railties/lib/rails/generators/rails/app/app_generator.rb
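Review bot: In `secrets`, `YAML.load(ERB.new(IO.read(yaml)).result)[Rails.env]` indexes the parse result directly, so a config/secrets.yml that is empty or holds only comments makes `YAML.load` return a non-Hash (`false` or `nil`, depending on the YAML library version) and boot fails with `NoMethodError` before the `config.secret_key_base` fallback a few lines below is reached. Splitting it as `all_secrets = YAML.load(ERB.new(IO.read(yaml)).result) || {}` followed by `env_secrets = all_secrets[Rails.env]` keeps the fallback reachable. Because the file is rendered through ERB and then parsed with `YAML.load`, its contents run as code at boot; a comment stating that it must be application-owned, trusted configuration would be worth adding. The `#:nodoc:` marker also leaves the lookup order (secrets.yml for the current environment first, then `config.secret_key_base`) undocumented.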
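Review bot: The new message in `validate_secret_key_config!`, `"You must set secret_key_base in your app's config"`, no longer says where the value is read from, and after this commit there are two sources: the per-environment entry in config/secrets.yml and then `config.secret_key_base`. Naming the file and environment would shorten diagnosis of a misconfigured deploy, for example `raise "You must set secret_key_base for the #{Rails.env} environment in config/secrets.yml"`. The class that contains this method closes inside the hunk but starts outside it.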
@@ -78,6 +78,7 @@ module Rails
 template "routes.rb"
 template "application.rb"
 template "environment.rb"
+ template "secrets.yml"
 directory "environments"
 directory "initializers"
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/secrets.yml
index f3cc6098a3..50c1d1d8c7 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/secrets.yml
@@ -7,6 +7,14 @@
 # no regular words or you'll be exposed to dictionary attacks.
 # You can use `rake secret` to generate a secure secret key.
-# Make sure your secret_key_base is kept private
+# Make sure the secrets in this file are kept private
 # if you're sharing your code publicly.
-Rails.application.config.secret_key_base = '<%= app_secret %>'
+
+development:
+ secret_key_base: <%= app_secret %>
+
+test:
+ secret_key_base: <%= app_secret %>
+
+production:
+ secret_key_base: <%= app_secret %>
|
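Review bot: The `production:` entry in the secrets.yml template is filled with `<%= app_secret %>` at generation time, so every new application gets its production `secret_key_base` written in clear text into a config file that is likely to be committed with the rest of the project; the header comment only asks the developer to keep it private. Since `Rails::Application#secrets` renders this file through ERB at boot, the template could emit an environment lookup for production instead, `secret_key_base: <%%= ENV["SECRET_KEY_BASE"] %>`, and keep generated values only for development and test. If the literal stays, the comment should say that the production value must be replaced, or the file kept out of version control, before the repository is shared.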