From bb30f05f3858f97791f0e1530e625b7ea2c6c5e2 Mon Sep 17 00:00:00 2001 From: Kasper Timm Hansen Date: Sun, 12 Nov 2017 17:32:52 +0100 Subject: Deprecate encrypted secrets in favor of credentials. Allow edits of existing encrypted secrets generated on Rails 5.1, but refer to credentials when attempting to setup. This also removes the need for any of the setup code, so the generator can be ripped out altogether. --- .../lib/rails/commands/secrets/secrets_command.rb | 19 +++--- .../encrypted_secrets_generator.rb | 72 ---------------------- railties/lib/rails/secrets.rb | 17 ----- 3 files changed, 9 insertions(+), 99 deletions(-) delete mode 100644 railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb (limited to 'railties/lib') diff --git a/railties/lib/rails/commands/secrets/secrets_command.rb b/railties/lib/rails/commands/secrets/secrets_command.rb index c91139e33b..73a88767e2 100644 --- a/railties/lib/rails/commands/secrets/secrets_command.rb +++ b/railties/lib/rails/commands/secrets/secrets_command.rb @@ -15,7 +15,7 @@ module Rails end def setup - generator.start + deprecate_in_favor_of_credentials_and_exit end def edit @@ -42,11 +42,10 @@ module Rails rescue Rails::Secrets::MissingKeyError => error say error.message rescue Errno::ENOENT => error - raise unless error.message =~ /secrets\.yml\.enc/ - - Rails::Secrets.read_template_for_editing do |tmp_path| - system("#{ENV["EDITOR"]} #{tmp_path}") - generator.skip_secrets_file { setup } + if error.message =~ /secrets\.yml\.enc/ + deprecate_in_favor_of_credentials_and_exit + else + raise end end @@ -55,11 +54,11 @@ module Rails end private - def generator - require "rails/generators" - require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator" + def deprecate_in_favor_of_credentials_and_exit + say "Encrypted secrets is deprecated in favor of credentials. Run:" + say "bin/rails credentials --help" - Rails::Generators::EncryptedSecretsGenerator + exit 1 end end end diff --git a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb b/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb deleted file mode 100644 index 1aa7a2622a..0000000000 --- a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb +++ /dev/null @@ -1,72 +0,0 @@ -# frozen_string_literal: true - -require "rails/generators/base" -require "rails/secrets" - -module Rails - module Generators - class EncryptedSecretsGenerator < Base - def add_secrets_key_file - unless File.exist?("config/secrets.yml.key") || File.exist?("config/secrets.yml.enc") - key = Rails::Secrets.generate_key - - say "Adding config/secrets.yml.key to store the encryption key: #{key}" - say "" - say "Save this in a password manager your team can access." - say "" - say "If you lose the key, no one, including you, can access any encrypted secrets." - - say "" - create_file "config/secrets.yml.key", key - say "" - end - end - - def ignore_key_file - if File.exist?(".gitignore") - unless File.read(".gitignore").include?(key_ignore) - say "Ignoring config/secrets.yml.key so it won't end up in Git history:" - say "" - append_to_file ".gitignore", key_ignore - say "" - end - else - say "IMPORTANT: Don't commit config/secrets.yml.key. Add this to your ignore file:" - say key_ignore, :on_green - say "" - end - end - - def add_encrypted_secrets_file - unless (defined?(@@skip_secrets_file) && @@skip_secrets_file) || File.exist?("config/secrets.yml.enc") - say "Adding config/secrets.yml.enc to store secrets that needs to be encrypted." - say "" - say "For now the file contains this but it's been encrypted with the generated key:" - say "" - say Secrets.template, :on_green - say "" - - Secrets.write(Secrets.template) - - say "You can edit encrypted secrets with `bin/rails secrets:edit`." - say "" - end - - say "Add this to your config/environments/production.rb:" - say "config.read_encrypted_secrets = true" - end - - def self.skip_secrets_file - @@skip_secrets_file = true - yield - ensure - @@skip_secrets_file = false - end - - private - def key_ignore - [ "", "# Ignore encrypted secrets key file.", "config/secrets.yml.key", "" ].join("\n") - end - end - end -end diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb index aea72b2d01..30e3478c9b 100644 --- a/railties/lib/rails/secrets.rb +++ b/railties/lib/rails/secrets.rb @@ -32,23 +32,10 @@ module Rails end end - def generate_key - SecureRandom.hex(OpenSSL::Cipher.new(@cipher).key_len) - end - def key ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key end - def template - <<-end_of_template.strip_heredoc - # See `secrets.yml` for tips on generating suitable keys. - # production: - # external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289 - - end_of_template - end - def encrypt(data) encryptor.encrypt_and_sign(data) end @@ -70,10 +57,6 @@ module Rails writing(read, &block) end - def read_template_for_editing(&block) - writing(template, &block) - end - private def handle_missing_key raise MissingKeyError -- cgit v1.2.3