Deprecate encrypted secrets in favor of credentials.

Allow edits of existing encrypted secrets generated on Rails 5.1,
but refer to credentials when attempting to setup.

This also removes the need for any of the setup code, so the
generator can be ripped out altogether.

3 files changed, 9 insertions, 99 deletions

diff --git a/railties/lib/rails/commands/secrets/secrets_command.rb b/railties/lib/rails/commands/secrets/secrets_command.rb
index c91139e33b..73a88767e2 100644
--- a/railties/lib/rails/commands/secrets/secrets_command.rb
+++ b/railties/lib/rails/commands/secrets/secrets_command.rb
@@ -15,7 +15,7 @@ module Rails
       end
 
       def setup
-        generator.start
+        deprecate_in_favor_of_credentials_and_exit
       end
 
       def edit
@@ -42,11 +42,10 @@ module Rails
       rescue Rails::Secrets::MissingKeyError => error
         say error.message
       rescue Errno::ENOENT => error
-        raise unless error.message =~ /secrets\.yml\.enc/
-
-        Rails::Secrets.read_template_for_editing do |tmp_path|
-          system("#{ENV["EDITOR"]} #{tmp_path}")
-          generator.skip_secrets_file { setup }
+        if error.message =~ /secrets\.yml\.enc/
+          deprecate_in_favor_of_credentials_and_exit
+        else
+          raise
         end
       end
 
@@ -55,11 +54,11 @@ module Rails
       end
 
       private
-        def generator
-          require "rails/generators"
-          require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
+        def deprecate_in_favor_of_credentials_and_exit
+          say "Encrypted secrets is deprecated in favor of credentials. Run:"
+          say "bin/rails credentials --help"
 
-          Rails::Generators::EncryptedSecretsGenerator
+          exit 1
         end
     end
   end
diff --git a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb b/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
deleted file mode 100644
index 1aa7a2622a..0000000000
--- a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
+++ /dev/null
@@ -1,72 +0,0 @@
-# frozen_string_literal: true
-
-require "rails/generators/base"
-require "rails/secrets"
-
-module Rails
-  module Generators
-    class EncryptedSecretsGenerator < Base
-      def add_secrets_key_file
-        unless File.exist?("config/secrets.yml.key") || File.exist?("config/secrets.yml.enc")
-          key = Rails::Secrets.generate_key
-
-          say "Adding config/secrets.yml.key to store the encryption key: #{key}"
-          say ""
-          say "Save this in a password manager your team can access."
-          say ""
-          say "If you lose the key, no one, including you, can access any encrypted secrets."
-
-          say ""
-          create_file "config/secrets.yml.key", key
-          say ""
-        end
-      end
-
-      def ignore_key_file
-        if File.exist?(".gitignore")
-          unless File.read(".gitignore").include?(key_ignore)
-            say "Ignoring config/secrets.yml.key so it won't end up in Git history:"
-            say ""
-            append_to_file ".gitignore", key_ignore
-            say ""
-          end
-        else
-          say "IMPORTANT: Don't commit config/secrets.yml.key. Add this to your ignore file:"
-          say key_ignore, :on_green
-          say ""
-        end
-      end
-
-      def add_encrypted_secrets_file
-        unless (defined?(@@skip_secrets_file) && @@skip_secrets_file) || File.exist?("config/secrets.yml.enc")
-          say "Adding config/secrets.yml.enc to store secrets that needs to be encrypted."
-          say ""
-          say "For now the file contains this but it's been encrypted with the generated key:"
-          say ""
-          say Secrets.template, :on_green
-          say ""
-
-          Secrets.write(Secrets.template)
-
-          say "You can edit encrypted secrets with `bin/rails secrets:edit`."
-          say ""
-        end
-
-        say "Add this to your config/environments/production.rb:"
-        say "config.read_encrypted_secrets = true"
-      end
-
-      def self.skip_secrets_file
-        @@skip_secrets_file = true
-        yield
-      ensure
-        @@skip_secrets_file = false
-      end
-
-      private
-        def key_ignore
-          [ "", "# Ignore encrypted secrets key file.", "config/secrets.yml.key", "" ].join("\n")
-        end
-    end
-  end
-end
diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb
index aea72b2d01..30e3478c9b 100644
--- a/railties/lib/rails/secrets.rb
+++ b/railties/lib/rails/secrets.rb
@@ -32,23 +32,10 @@ module Rails
         end
       end
 
-      def generate_key
-        SecureRandom.hex(OpenSSL::Cipher.new(@cipher).key_len)
-      end
-
       def key
         ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key
       end
 
-      def template
-        <<-end_of_template.strip_heredoc
-          # See `secrets.yml` for tips on generating suitable keys.
-          # production:
-          #   external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289
-
-        end_of_template
-      end
-
       def encrypt(data)
         encryptor.encrypt_and_sign(data)
       end
@@ -70,10 +57,6 @@ module Rails
         writing(read, &block)
       end
 
-      def read_template_for_editing(&block)
-        writing(template, &block)
-      end
-
       private
         def handle_missing_key
           raise MissingKeyError