Raise an error only when `require_master_key` is specified

To prevent errors from being raise in environments where credentials
is unnecessary.

Context: https://github.com/rails/rails/issues/31283#issuecomment-348801489

Fixes #31283

6 files changed, 27 insertions, 8 deletions

diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index 293a736bfd..a200a1005c 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -472,7 +472,8 @@ module Rails
       ActiveSupport::EncryptedConfiguration.new(
         config_path: Rails.root.join(path),
         key_path: Rails.root.join(key_path),
-        env_key: env_key
+        env_key: env_key,
+        raise_if_missing_key: config.require_master_key
       )
     end
 
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index cbc04f8a48..5d8d6740c8 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -16,7 +16,8 @@ module Rails
                     :ssl_options, :public_file_server,
                     :session_options, :time_zone, :reload_classes_only_on_change,
                     :beginning_of_week, :filter_redirect, :x, :enable_dependency_loading,
-                    :read_encrypted_secrets, :log_level, :content_security_policy_report_only
+                    :read_encrypted_secrets, :log_level, :content_security_policy_report_only,
+                    :require_master_key
 
       attr_reader :encoding, :api_only
 
@@ -56,6 +57,7 @@ module Rails
         @read_encrypted_secrets              = false
         @content_security_policy             = nil
         @content_security_policy_report_only = false
+        @require_master_key                  = false
       end
 
       def load_defaults(target_version)
diff --git a/railties/lib/rails/commands/credentials/credentials_command.rb b/railties/lib/rails/commands/credentials/credentials_command.rb
index 8085f07c2b..385d3976da 100644
--- a/railties/lib/rails/commands/credentials/credentials_command.rb
+++ b/railties/lib/rails/commands/credentials/credentials_command.rb
@@ -33,8 +33,7 @@ module Rails
       def show
         require_application_and_environment!
 
-        say Rails.application.credentials.read.presence ||
-          "No credentials have been added yet. Use bin/rails credentials:edit to change that."
+        say Rails.application.credentials.read.presence || missing_credentials_message
       end
 
       private
@@ -67,6 +66,14 @@ module Rails
 
           Rails::Generators::CredentialsGenerator.new
         end
+
+        def missing_credentials_message
+          if Rails.application.credentials.key.nil?
+            "Missing master key to decrypt credentials. See bin/rails credentials:help"
+          else
+            "No credentials have been added yet. Use bin/rails credentials:edit to change that."
+          end
+        end
     end
   end
 end
diff --git a/railties/lib/rails/commands/encrypted/encrypted_command.rb b/railties/lib/rails/commands/encrypted/encrypted_command.rb
index 898094f1a4..912c453f09 100644
--- a/railties/lib/rails/commands/encrypted/encrypted_command.rb
+++ b/railties/lib/rails/commands/encrypted/encrypted_command.rb
@@ -37,9 +37,9 @@ module Rails
 
       def show(file_path)
         require_application_and_environment!
+        encrypted = Rails.application.encrypted(file_path, key_path: options[:key])
 
-        say Rails.application.encrypted(file_path, key_path: options[:key]).read.presence ||
-          "File '#{file_path}' does not exist. Use bin/rails encrypted:edit #{file_path} to change that."
+        say encrypted.read.presence || missing_encrypted_message(key: encrypted.key, key_path: options[:key], file_path: file_path)
       end
 
       private
@@ -72,6 +72,14 @@ module Rails
 
           Rails::Generators::EncryptedFileGenerator.new
         end
+
+        def missing_encrypted_message(key:, key_path:, file_path:)
+          if key.nil?
+            "Missing '#{key_path}' to decrypt data. See bin/rails encrypted:help"
+          else
+            "File '#{file_path}' does not exist. Use bin/rails encrypted:edit #{file_path} to change that."
+          end
+        end
     end
   end
 end
diff --git a/railties/lib/rails/generators/rails/credentials/credentials_generator.rb b/railties/lib/rails/generators/rails/credentials/credentials_generator.rb
index 01a5b502f9..9103b1122e 100644
--- a/railties/lib/rails/generators/rails/credentials/credentials_generator.rb
+++ b/railties/lib/rails/generators/rails/credentials/credentials_generator.rb
@@ -36,7 +36,8 @@ module Rails
           ActiveSupport::EncryptedConfiguration.new(
             config_path: "config/credentials.yml.enc",
             key_path: "config/master.key",
-            env_key: "RAILS_MASTER_KEY"
+            env_key: "RAILS_MASTER_KEY",
+            raise_if_missing_key: true
           )
         end
 
diff --git a/railties/lib/rails/generators/rails/encrypted_file/encrypted_file_generator.rb b/railties/lib/rails/generators/rails/encrypted_file/encrypted_file_generator.rb
index ddce5f6fe2..4ce2fc1d86 100644
--- a/railties/lib/rails/generators/rails/encrypted_file/encrypted_file_generator.rb
+++ b/railties/lib/rails/generators/rails/encrypted_file/encrypted_file_generator.rb
@@ -24,7 +24,7 @@ module Rails
 
       def add_encrypted_file_silently(file_path, key_path, template = encrypted_file_template)
         unless File.exist?(file_path)
-          setup = { content_path: file_path, key_path: key_path, env_key: "RAILS_MASTER_KEY" }
+          setup = { content_path: file_path, key_path: key_path, env_key: "RAILS_MASTER_KEY", raise_if_missing_key: true }
           ActiveSupport::EncryptedFile.new(setup).write(template)
         end
       end