Deprecate encrypted secrets in favor of credentials.

Allow edits of existing encrypted secrets generated on Rails 5.1,
but refer to credentials when attempting to setup.

This also removes the need for any of the setup code, so the
generator can be ripped out altogether.

railties/lib/rails/commands/secrets/secrets_command.rb

@@ -15,7 +15,7 @@ def help
       end
 
       def setup
-        generator.start
+        deprecate_in_favor_of_credentials_and_exit
       end
 
       def edit
@@ -42,11 +42,10 @@ def edit
       rescue Rails::Secrets::MissingKeyError => error
         say error.message
       rescue Errno::ENOENT => error
-        raise unless error.message =~ /secrets\.yml\.enc/
-
-        Rails::Secrets.read_template_for_editing do |tmp_path|
-          system("#{ENV["EDITOR"]} #{tmp_path}")
-          generator.skip_secrets_file { setup }
+        if error.message =~ /secrets\.yml\.enc/
+          deprecate_in_favor_of_credentials_and_exit
+        else
+          raise
         end
       end
 
@@ -55,11 +54,11 @@ def show
       end
 
       private
-        def generator
-          require "rails/generators"
-          require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
+        def deprecate_in_favor_of_credentials_and_exit
+          say "Encrypted secrets is deprecated in favor of credentials. Run:"
+          say "bin/rails credentials --help"
 
-          Rails::Generators::EncryptedSecretsGenerator
+          exit 1
         end
     end
   end

railties/lib/rails/secrets.rb

@@ -32,23 +32,10 @@ def parse(paths, env:)
         end
       end
 
-      def generate_key
-        SecureRandom.hex(OpenSSL::Cipher.new(@cipher).key_len)
-      end
-
       def key
         ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key
       end
 
-      def template
-        <<-end_of_template.strip_heredoc
-          # See `secrets.yml` for tips on generating suitable keys.
-          # production:
-          #   external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289
-
-        end_of_template
-      end
-
       def encrypt(data)
         encryptor.encrypt_and_sign(data)
       end
@@ -70,10 +57,6 @@ def read_for_editing(&block)
         writing(read, &block)
       end
 
-      def read_template_for_editing(&block)
-        writing(template, &block)
-      end
-
       private
         def handle_missing_key
           raise MissingKeyError

railties/test/commands/secrets_test.rb

@@ -8,21 +8,38 @@
 class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase
   include ActiveSupport::Testing::Isolation, EnvHelpers
 
-  def setup
-    build_app
+  setup :build_app
+  teardown :teardown_app
+
+  test "edit without editor gives hint" do
+    assert_match "No $EDITOR to open decrypted secrets in", run_edit_command(editor: "")
   end
 
-  def teardown
-    teardown_app
+  test "encrypted secrets are deprecated when using credentials" do
+    assert_match "Encrypted secrets is deprecated", run_setup_command
+    assert_equal 1, $?.exitstatus
+    assert_not File.exist?("config/secrets.yml.enc")
   end
 
-  test "edit without editor gives hint" do
-    assert_match "No $EDITOR to open decrypted secrets in", run_edit_command(editor: "")
+  test "encrypted secrets are deprecated when running edit without setup" do
+    assert_match "Encrypted secrets is deprecated", run_setup_command
+    assert_equal 1, $?.exitstatus
+    assert_not File.exist?("config/secrets.yml.enc")
+  end
+
+  test "encrypted secrets are deprecated for 5.1 config/secrets.yml apps" do
+    Dir.chdir(app_path) do
+      FileUtils.rm("config/credentials.yml.enc")
+      FileUtils.touch("config/secrets.yml")
+
+      assert_match "Encrypted secrets is deprecated", run_setup_command
+      assert_equal 1, $?.exitstatus
+      assert_not File.exist?("config/secrets.yml.enc")
+    end
   end
 
   test "edit secrets" do
-    # Runs setup before first edit.
-    assert_match(/Adding config\/secrets\.yml\.key to store the encryption key/, run_edit_command)
+    prevent_deprecation
 
     # Run twice to ensure encrypted secrets can be reread after first edit pass.
     2.times do
@@ -31,22 +48,30 @@ def teardown
   end
 
   test "show secrets" do
-    run_setup_command
+    prevent_deprecation
+
     assert_match(/external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289/, run_show_command)
   end
 
   private
+    def prevent_deprecation
+      Dir.chdir(app_path) do
+        File.write("config/secrets.yml.key", "f731758c639da2604dfb6bf3d1025de8")
+        File.write("config/secrets.yml.enc", "sEB0mHxDbeP1/KdnMk00wyzPFACl9K6t0cZWn5/Mfx/YbTHvnI07vrneqHg9kaH3wOS7L6pIQteu1P077OtE4BSx/ZRc/sgQPHyWu/tXsrfHqnPNpayOF/XZqizE91JacSFItNMWpuPsp9ynbzz+7cGhoB1S4aPNIU6u0doMrzdngDbijsaAFJmsHIQh6t/QHoJx--8aMoE0PvUWmw1Iqz--ldFqnM/K0g9k17M8PKoN/Q==")
+      end
+    end
+
     def run_edit_command(editor: "cat")
       switch_env("EDITOR", editor) do
-        rails "secrets:edit"
+        rails "secrets:edit", allow_failure: true
       end
     end
 
     def run_show_command
-      rails "secrets:show"
+      rails "secrets:show", allow_failure: true
     end
 
     def run_setup_command
-      rails "secrets:setup"
+      rails "secrets:setup", allow_failure: true
     end
 end

railties/test/secrets_test.rb

@@ -1,20 +1,13 @@
 # frozen_string_literal: true
 
 require "isolation/abstract_unit"
-require "rails/generators"
-require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator"
 require "rails/secrets"
 
 class Rails::SecretsTest < ActiveSupport::TestCase
   include ActiveSupport::Testing::Isolation
 
-  def setup
-    build_app
-  end
-
-  def teardown
-    teardown_app
-  end
+  setup :build_app
+  teardown :teardown_app
 
   test "setting read to false skips parsing" do
     run_secrets_generator do
@@ -172,9 +165,8 @@ def teardown
   private
     def run_secrets_generator
       Dir.chdir(app_path) do
-        capture(:stdout) do
-          Rails::Generators::EncryptedSecretsGenerator.start
-        end
+        File.write("config/secrets.yml.key", "f731758c639da2604dfb6bf3d1025de8")
+        File.write("config/secrets.yml.enc", "sEB0mHxDbeP1/KdnMk00wyzPFACl9K6t0cZWn5/Mfx/YbTHvnI07vrneqHg9kaH3wOS7L6pIQteu1P077OtE4BSx/ZRc/sgQPHyWu/tXsrfHqnPNpayOF/XZqizE91JacSFItNMWpuPsp9ynbzz+7cGhoB1S4aPNIU6u0doMrzdngDbijsaAFJmsHIQh6t/QHoJx--8aMoE0PvUWmw1Iqz--ldFqnM/K0g9k17M8PKoN/Q==")
 
         add_to_config <<-RUBY
           config.read_encrypted_secrets = true