6 files changed, 50 insertions, 167 deletions

diff --git a/railties/lib/rails/commands/secrets/secrets_command.rb b/railties/lib/rails/commands/secrets/secrets_command.rb
index c91139e33b..73a88767e2 100644
--- a/railties/lib/rails/commands/secrets/secrets_command.rb
+++ b/railties/lib/rails/commands/secrets/secrets_command.rb
@@ -15,7 +15,7 @@ module Rails
       end
 
       def setup
-        generator.start
+        deprecate_in_favor_of_credentials_and_exit
       end
 
       def edit
@@ -42,11 +42,10 @@ module Rails
       rescue Rails::Secrets::MissingKeyError => error
         say error.message
       rescue Errno::ENOENT => error
-        raise unless error.message =~ /secrets\.yml\.enc/
-
-        Rails::Secrets.read_template_for_editing do |tmp_path|
-          system("#{ENV["EDITOR"]} #{tmp_path}")
-          generator.skip_secrets_file { setup }
+        if error.message =~ /secrets\.yml\.enc/
+          deprecate_in_favor_of_credentials_and_exit
+        else
+          raise
         end
       end
 
@@ -55,11 +54,11 @@ module Rails
       end
 
       private
-        def generator
-          require "rails/generators"
-          require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
+        def deprecate_in_favor_of_credentials_and_exit
+          say "Encrypted secrets is deprecated in favor of credentials. Run:"
+          say "bin/rails credentials --help"
 
-          Rails::Generators::EncryptedSecretsGenerator
+          exit 1
         end
     end
   end
diff --git a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb b/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
deleted file mode 100644
index 1aa7a2622a..0000000000
--- a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
+++ /dev/null
@@ -1,72 +0,0 @@
-# frozen_string_literal: true
-
-require "rails/generators/base"
-require "rails/secrets"
-
-module Rails
-  module Generators
-    class EncryptedSecretsGenerator < Base
-      def add_secrets_key_file
-        unless File.exist?("config/secrets.yml.key") || File.exist?("config/secrets.yml.enc")
-          key = Rails::Secrets.generate_key
-
-          say "Adding config/secrets.yml.key to store the encryption key: #{key}"
-          say ""
-          say "Save this in a password manager your team can access."
-          say ""
-          say "If you lose the key, no one, including you, can access any encrypted secrets."
-
-          say ""
-          create_file "config/secrets.yml.key", key
-          say ""
-        end
-      end
-
-      def ignore_key_file
-        if File.exist?(".gitignore")
-          unless File.read(".gitignore").include?(key_ignore)
-            say "Ignoring config/secrets.yml.key so it won't end up in Git history:"
-            say ""
-            append_to_file ".gitignore", key_ignore
-            say ""
-          end
-        else
-          say "IMPORTANT: Don't commit config/secrets.yml.key. Add this to your ignore file:"
-          say key_ignore, :on_green
-          say ""
-        end
-      end
-
-      def add_encrypted_secrets_file
-        unless (defined?(@@skip_secrets_file) && @@skip_secrets_file) || File.exist?("config/secrets.yml.enc")
-          say "Adding config/secrets.yml.enc to store secrets that needs to be encrypted."
-          say ""
-          say "For now the file contains this but it's been encrypted with the generated key:"
-          say ""
-          say Secrets.template, :on_green
-          say ""
-
-          Secrets.write(Secrets.template)
-
-          say "You can edit encrypted secrets with `bin/rails secrets:edit`."
-          say ""
-        end
-
-        say "Add this to your config/environments/production.rb:"
-        say "config.read_encrypted_secrets = true"
-      end
-
-      def self.skip_secrets_file
-        @@skip_secrets_file = true
-        yield
-      ensure
-        @@skip_secrets_file = false
-      end
-
-      private
-        def key_ignore
-          [ "", "# Ignore encrypted secrets key file.", "config/secrets.yml.key", "" ].join("\n")
-        end
-    end
-  end
-end
diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb
index aea72b2d01..30e3478c9b 100644
--- a/railties/lib/rails/secrets.rb
+++ b/railties/lib/rails/secrets.rb
@@ -32,23 +32,10 @@ module Rails
         end
       end
 
-      def generate_key
-        SecureRandom.hex(OpenSSL::Cipher.new(@cipher).key_len)
-      end
-
       def key
         ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key
       end
 
-      def template
-        <<-end_of_template.strip_heredoc
-          # See `secrets.yml` for tips on generating suitable keys.
-          # production:
-          #   external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289
-
-        end_of_template
-      end
-
       def encrypt(data)
         encryptor.encrypt_and_sign(data)
       end
@@ -70,10 +57,6 @@ module Rails
         writing(read, &block)
       end
 
-      def read_template_for_editing(&block)
-        writing(template, &block)
-      end
-
       private
         def handle_missing_key
           raise MissingKeyError
diff --git a/railties/test/commands/secrets_test.rb b/railties/test/commands/secrets_test.rb
index 66a81826e3..6b9f284a0c 100644
--- a/railties/test/commands/secrets_test.rb
+++ b/railties/test/commands/secrets_test.rb
@@ -8,21 +8,38 @@ require "rails/commands/secrets/secrets_command"
 class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase
   include ActiveSupport::Testing::Isolation, EnvHelpers
 
-  def setup
-    build_app
+  setup :build_app
+  teardown :teardown_app
+
+  test "edit without editor gives hint" do
+    assert_match "No $EDITOR to open decrypted secrets in", run_edit_command(editor: "")
   end
 
-  def teardown
-    teardown_app
+  test "encrypted secrets are deprecated when using credentials" do
+    assert_match "Encrypted secrets is deprecated", run_setup_command
+    assert_equal 1, $?.exitstatus
+    assert_not File.exist?("config/secrets.yml.enc")
   end
 
-  test "edit without editor gives hint" do
-    assert_match "No $EDITOR to open decrypted secrets in", run_edit_command(editor: "")
+  test "encrypted secrets are deprecated when running edit without setup" do
+    assert_match "Encrypted secrets is deprecated", run_setup_command
+    assert_equal 1, $?.exitstatus
+    assert_not File.exist?("config/secrets.yml.enc")
+  end
+
+  test "encrypted secrets are deprecated for 5.1 config/secrets.yml apps" do
+    Dir.chdir(app_path) do
+      FileUtils.rm("config/credentials.yml.enc")
+      FileUtils.touch("config/secrets.yml")
+
+      assert_match "Encrypted secrets is deprecated", run_setup_command
+      assert_equal 1, $?.exitstatus
+      assert_not File.exist?("config/secrets.yml.enc")
+    end
   end
 
   test "edit secrets" do
-    # Runs setup before first edit.
-    assert_match(/Adding config\/secrets\.yml\.key to store the encryption key/, run_edit_command)
+    prevent_deprecation
 
     # Run twice to ensure encrypted secrets can be reread after first edit pass.
     2.times do
@@ -31,22 +48,30 @@ class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase
   end
 
   test "show secrets" do
-    run_setup_command
+    prevent_deprecation
+
     assert_match(/external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289/, run_show_command)
   end
 
   private
+    def prevent_deprecation
+      Dir.chdir(app_path) do
+        File.write("config/secrets.yml.key", "f731758c639da2604dfb6bf3d1025de8")
+        File.write("config/secrets.yml.enc", "sEB0mHxDbeP1/KdnMk00wyzPFACl9K6t0cZWn5/Mfx/YbTHvnI07vrneqHg9kaH3wOS7L6pIQteu1P077OtE4BSx/ZRc/sgQPHyWu/tXsrfHqnPNpayOF/XZqizE91JacSFItNMWpuPsp9ynbzz+7cGhoB1S4aPNIU6u0doMrzdngDbijsaAFJmsHIQh6t/QHoJx--8aMoE0PvUWmw1Iqz--ldFqnM/K0g9k17M8PKoN/Q==")
+      end
+    end
+
     def run_edit_command(editor: "cat")
       switch_env("EDITOR", editor) do
-        rails "secrets:edit"
+        rails "secrets:edit", allow_failure: true
       end
     end
 
     def run_show_command
-      rails "secrets:show"
+      rails "secrets:show", allow_failure: true
     end
 
     def run_setup_command
-      rails "secrets:setup"
+      rails "secrets:setup", allow_failure: true
     end
 end
diff --git a/railties/test/generators/encrypted_secrets_generator_test.rb b/railties/test/generators/encrypted_secrets_generator_test.rb
deleted file mode 100644
index eacb5166c0..0000000000
--- a/railties/test/generators/encrypted_secrets_generator_test.rb
+++ /dev/null
@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-require "generators/generators_test_helper"
-require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
-
-class EncryptedSecretsGeneratorTest < Rails::Generators::TestCase
-  include GeneratorsTestHelper
-
-  def setup
-    super
-    cd destination_root
-  end
-
-  def test_generates_key_file_and_encrypted_secrets_file
-    run_generator
-
-    assert_file "config/secrets.yml.key", /\w+/
-
-    assert File.exist?("config/secrets.yml.enc")
-    assert_no_match(/# production:\n#   external_api_key: \w+/, IO.binread("config/secrets.yml.enc"))
-    assert_match(/# production:\n#   external_api_key: \w+/, Rails::Secrets.read)
-  end
-
-  def test_appends_to_gitignore
-    FileUtils.touch(".gitignore")
-
-    run_generator
-
-    assert_file ".gitignore", /config\/secrets.yml.key/, /(?!config\/secrets.yml.enc)/
-  end
-
-  def test_warns_when_ignore_is_missing
-    assert_match(/Add this to your ignore file/i, run_generator)
-  end
-
-  def test_doesnt_generate_a_new_key_file_if_already_opted_in_to_encrypted_secrets
-    FileUtils.mkdir("config")
-    File.open("config/secrets.yml.enc", "w") { |f| f.puts "already secrety" }
-
-    run_generator
-
-    assert_no_file "config/secrets.yml.key"
-  end
-end
diff --git a/railties/test/secrets_test.rb b/railties/test/secrets_test.rb
index 888fee173a..06877bc76a 100644
--- a/railties/test/secrets_test.rb
+++ b/railties/test/secrets_test.rb
@@ -1,20 +1,13 @@
 # frozen_string_literal: true
 
 require "isolation/abstract_unit"
-require "rails/generators"
-require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
 require "rails/secrets"
 
 class Rails::SecretsTest < ActiveSupport::TestCase
   include ActiveSupport::Testing::Isolation
 
-  def setup
-    build_app
-  end
-
-  def teardown
-    teardown_app
-  end
+  setup :build_app
+  teardown :teardown_app
 
   test "setting read to false skips parsing" do
     run_secrets_generator do
@@ -172,9 +165,8 @@ class Rails::SecretsTest < ActiveSupport::TestCase
   private
     def run_secrets_generator
       Dir.chdir(app_path) do
-        capture(:stdout) do
-          Rails::Generators::EncryptedSecretsGenerator.start
-        end
+        File.write("config/secrets.yml.key", "f731758c639da2604dfb6bf3d1025de8")
+        File.write("config/secrets.yml.enc", "sEB0mHxDbeP1/KdnMk00wyzPFACl9K6t0cZWn5/Mfx/YbTHvnI07vrneqHg9kaH3wOS7L6pIQteu1P077OtE4BSx/ZRc/sgQPHyWu/tXsrfHqnPNpayOF/XZqizE91JacSFItNMWpuPsp9ynbzz+7cGhoB1S4aPNIU6u0doMrzdngDbijsaAFJmsHIQh6t/QHoJx--8aMoE0PvUWmw1Iqz--ldFqnM/K0g9k17M8PKoN/Q==")
 
         add_to_config <<-RUBY
           config.read_encrypted_secrets = true