Deprecate encrypted secrets in favor of credentials.

Allow edits of existing encrypted secrets generated on Rails 5.1,
but refer to credentials when attempting to setup.

This also removes the need for any of the setup code, so the
generator can be ripped out altogether.

6 files changed, 50 insertions, 167 deletions

diff --git a/railties/lib/rails/commands/secrets/secrets_command.rb b/railties/lib/rails/commands/secrets/secrets_command.rb
index c91139e33b..73a88767e2 100644
--- a/railties/lib/rails/commands/secrets/secrets_command.rb
+++ b/railties/lib/rails/commands/secrets/secrets_command.rb
@@ -15,7 +15,7 @@ module Rails
       end
 
       def setup
-        generator.start
+        deprecate_in_favor_of_credentials_and_exit
       end
 
       def edit
@@ -42,11 +42,10 @@ module Rails
       rescue Rails::Secrets::MissingKeyError => error
         say error.message
       rescue Errno::ENOENT => error
-        raise unless error.message =~ /secrets\.yml\.enc/
-
-        Rails::Secrets.read_template_for_editing do |tmp_path|
-          system("#{ENV["EDITOR"]} #{tmp_path}")
-          generator.skip_secrets_file { setup }
+        if error.message =~ /secrets\.yml\.enc/
+          deprecate_in_favor_of_credentials_and_exit
+        else
+          raise
         end
       end
 
@@ -55,11 +54,11 @@ module Rails
       end
 
       private
-        def generator
-          require "rails/generators"
-          require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
+        def deprecate_in_favor_of_credentials_and_exit
+          say "Encrypted secrets is deprecated in favor of credentials. Run:"
+          say "bin/rails credentials --help"
 
-          Rails::Generators::EncryptedSecretsGenerator
+          exit 1
         end
     end
   end
diff --git a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb b/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
deleted file mode 100644
index 1aa7a2622a..0000000000
--- a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
+++ /dev/null
@@ -1,72 +0,0 @@
-# frozen_string_literal: true
-
-require "rails/generators/base"
-require "rails/secrets"
-
-module Rails
-  module Generators
-    class EncryptedSecretsGenerator < Base
-      def add_secrets_key_file
-        unless File.exist?("config/secrets.yml.key") || File.exist?("config/secrets.yml.enc")
-          key = Rails::Secrets.generate_key
-
-          say "Adding config/secrets.yml.key to store the encryption key: #{key}"
-          say ""
-          say "Save this in a password manager your team can access."
-          say ""
-          say "If you lose the key, no one, including you, can access any encrypted secrets."
-
-          say ""
-          create_file "config/secrets.yml.key", key
-          say ""
-        end
-      end
-
-      def ignore_key_file
-        if File.exist?(".gitignore")
-          unless File.read(".gitignore").include?(key_ignore)
-            say "Ignoring config/secrets.yml.key so it won't end up in Git history:"
-            say ""
-            append_to_file ".gitignore", key_ignore
-            say ""
-          end
-        else
-          say "IMPORTANT: Don't commit config/secrets.yml.key. Add this to your ignore file:"
-          say key_ignore, :on_green
-          say ""
-        end
-      end
-
-      def add_encrypted_secrets_file
-        unless (defined?(@@skip_secrets_file) && @@skip_secrets_file) || File.exist?("config/secrets.yml.enc")
-          say "Adding config/secrets.yml.enc to store secrets that needs to be encrypted."
-          say ""
-          say "For now the file contains this but it's been encrypted with the generated key:"
-          say ""
-          say Secrets.template, :on_green
-          say ""
-
-          Secrets.write(Secrets.template)
-
-          say "You can edit encrypted secrets with `bin/rails secrets:edit`."
-          say ""
-        end
-
-        say "Add this to your config/environments/production.rb:"
-        say "config.read_encrypted_secrets = true"
-      end
-
-      def self.skip_secrets_file
-        @@skip_secrets_file = true
-        yield
-      ensure
-        @@skip_secrets_file = false
-      end
-
-      private
-        def key_ignore
-          [ "", "# Ignore encrypted secrets key file.", "config/secrets.yml.key", "" ].join("\n")
-        end
-    end
-  end
-end
diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb
index aea72b2d01..30e3478c9b 100644
--- a/railties/lib/rails/secrets.rb
+++ b/railties/lib/rails/secrets.rb
@@ -32,23 +32,10 @@ module Rails
         end
       end
 
-      def generate_key
-        SecureRandom.hex(OpenSSL::Cipher.new(@cipher).key_len)
-      end
-
       def key
         ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key
       end
 
-      def template
-        <<-end_of_template.strip_heredoc
-          # See `secrets.yml` for tips on generating suitable keys.
-          # production:
-          #   external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289
-
-        end_of_template
-      end
-
       def encrypt(data)
         encryptor.encrypt_and_sign(data)
       end
@@ -70,10 +57,6 @@ module Rails
         writing(read, &block)
       end
 
-      def read_template_for_editing(&block)
-        writing(template, &block)
-      end
-
       private
         def handle_missing_key
           raise MissingKeyError
diff --git a/railties/test/commands/secrets_test.rb b/railties/test/commands/secrets_test.rb
index 66a81826e3..6b9f284a0c 100644
--- a/railties/test/commands/secrets_test.rb
+++ b/railties/test/commands/secrets_test.rb
@@ -8,21 +8,38 @@ require "rails/commands/secrets/secrets_command"
 class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase
   include ActiveSupport::Testing::Isolation, EnvHelpers
 
-  def setup
-    build_app
+  setup :build_app
+  teardown :teardown_app
+
+  test "edit without editor gives hint" do
+    assert_match "No $EDITOR to open decrypted secrets in", run_edit_command(editor: "")
   end
 
-  def teardown
-    teardown_app
+  test "encrypted secrets are deprecated when using credentials" do
+    assert_match "Encrypted secrets is deprecated", run_setup_command
+    assert_equal 1, $?.exitstatus
+    assert_not File.exist?("config/secrets.yml.enc")
   end
 
-  test "edit without editor gives hint" do
-    assert_match "No $EDITOR to open decrypted secrets in", run_edit_command(editor: "")
+  test "encrypted secrets are deprecated when running edit without setup" do
+    assert_match "Encrypted secrets is deprecated", run_setup_command
+    assert_equal 1, $?.exitstatus
+    assert_not File.exist?("config/secrets.yml.enc")
+  end
+
+  test "encrypted secrets are deprecated for 5.1 config/secrets.yml apps" do
+    Dir.chdir(app_path) do
+      FileUtils.rm("config/credentials.yml.enc")
+      FileUtils.touch("config/secrets.yml")
+
+      assert_match "Encrypted secrets is deprecated", run_setup_command
+      assert_equal 1, $?.exitstatus
+      assert_not File.exist?("config/secrets.yml.enc")
+    end
   end
 
   test "edit secrets" do
-    # Runs setup before first edit.
-    assert_match(/Adding config\/secrets\.yml\.key to store the encryption key/, run_edit_command)
+    prevent_deprecation
 
     # Run twice to ensure encrypted secrets can be reread after first edit pass.
     2.times do
@@ -31,22 +48,30 @@ class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase
   end
 
   test "show secrets" do
-    run_setup_command
+    prevent_deprecation
+
     assert_match(/external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289/, run_show_command)
   end
 
   private
+    def prevent_deprecation
+      Dir.chdir(app_path) do
+        File.write("config/secrets.yml.key", "f731758c639da2604dfb6bf3d1025de8")
+        File.write("config/secrets.yml.enc", "sEB0mHxDbeP1/KdnMk00wyzPFACl9K6t0cZWn5/Mfx/YbTHvnI07vrneqHg9kaH3wOS7L6pIQteu1P077OtE4BSx/ZRc/sgQPHyWu/tXsrfHqnPNpayOF/XZqizE91JacSFItNMWpuPsp9ynbzz+7cGhoB1S4aPNIU6u0doMrzdngDbijsaAFJmsHIQh6t/QHoJx--8aMoE0PvUWmw1Iqz--ldFqnM/K0g9k17M8PKoN/Q==")
+      end
+    end
+
     def run_edit_command(editor: "cat")
       switch_env("EDITOR", editor) do
-        rails "secrets:edit"
+        rails "secrets:edit", allow_failure: true
       end
     end
 
     def run_show_command
-      rails "secrets:show"
+      rails "secrets:show", allow_failure: true
     end
 
     def run_setup_command
-      rails "secrets:setup"
+      rails "secrets:setup", allow_failure: true
     end
 end
diff --git a/railties/test/generators/encrypted_secrets_generator_test.rb b/railties/test/generators/encrypted_secrets_generator_test.rb
deleted file mode 100644
index eacb5166c0..0000000000
--- a/railties/test/generators/encrypted_secrets_generator_test.rb
+++ /dev/null
@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-require "generators/generators_test_helper"
-require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
-
-class EncryptedSecretsGeneratorTest < Rails::Generators::TestCase
-  include GeneratorsTestHelper
-
-  def setup
-    super
-    cd destination_root
-  end
-
-  def test_generates_key_file_and_encrypted_secrets_file
-    run_generator
-
-    assert_file "config/secrets.yml.key", /\w+/
-
-    assert File.exist?("config/secrets.yml.enc")
-    assert_no_match(/# production:\n#   external_api_key: \w+/, IO.binread("config/secrets.yml.enc"))
-    assert_match(/# production:\n#   external_api_key: \w+/, Rails::Secrets.read)
-  end
-
-  def test_appends_to_gitignore
-    FileUtils.touch(".gitignore")
-
-    run_generator
-
-    assert_file ".gitignore", /config\/secrets.yml.key/, /(?!config\/secrets.yml.enc)/
-  end
-
-  def test_warns_when_ignore_is_missing
-    assert_match(/Add this to your ignore file/i, run_generator)
-  end
-
-  def test_doesnt_generate_a_new_key_file_if_already_opted_in_to_encrypted_secrets
-    FileUtils.mkdir("config")
-    File.open("config/secrets.yml.enc", "w") { |f| f.puts "already secrety" }
-
-    run_generator
-
-    assert_no_file "config/secrets.yml.key"
-  end
-end
diff --git a/railties/test/secrets_test.rb b/railties/test/secrets_test.rb
index 888fee173a..06877bc76a 100644
--- a/railties/test/secrets_test.rb
+++ b/railties/test/secrets_test.rb
@@ -1,20 +1,13 @@
 # frozen_string_literal: true
 
 require "isolation/abstract_unit"
-require "rails/generators"
-require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
 require "rails/secrets"
 
 class Rails::SecretsTest < ActiveSupport::TestCase
   include ActiveSupport::Testing::Isolation
 
-  def setup
-    build_app
-  end
-
-  def teardown
-    teardown_app
-  end
+  setup :build_app
+  teardown :teardown_app
 
   test "setting read to false skips parsing" do
     run_secrets_generator do
@@ -172,9 +165,8 @@ class Rails::SecretsTest < ActiveSupport::TestCase
   private
     def run_secrets_generator
       Dir.chdir(app_path) do
-        capture(:stdout) do
-          Rails::Generators::EncryptedSecretsGenerator.start
-        end
+        File.write("config/secrets.yml.key", "f731758c639da2604dfb6bf3d1025de8")
+        File.write("config/secrets.yml.enc", "sEB0mHxDbeP1/KdnMk00wyzPFACl9K6t0cZWn5/Mfx/YbTHvnI07vrneqHg9kaH3wOS7L6pIQteu1P077OtE4BSx/ZRc/sgQPHyWu/tXsrfHqnPNpayOF/XZqizE91JacSFItNMWpuPsp9ynbzz+7cGhoB1S4aPNIU6u0doMrzdngDbijsaAFJmsHIQh6t/QHoJx--8aMoE0PvUWmw1Iqz--ldFqnM/K0g9k17M8PKoN/Q==")
 
         add_to_config <<-RUBY
           config.read_encrypted_secrets = true