diff --git a/railties/lib/rails/commands/secrets/secrets_command.rb b/railties/lib/rails/commands/secrets/secrets_command.rb index 76e13a6e49..651411d444 100644 --- a/railties/lib/rails/commands/secrets/secrets_command.rb +++ b/railties/lib/rails/commands/secrets/secrets_command.rb @@ -13,10 +13,7 @@ module Rails end def setup - require "rails/generators" - require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator" - - Rails::Generators::EncryptedSecretsGenerator.start + generator.start end def edit @@ -42,7 +39,22 @@ module Rails say "Aborted changing encrypted secrets: nothing saved." rescue Rails::Secrets::MissingKeyError => error say error.message + rescue Errno::ENOENT => error + raise unless error.message =~ /secrets\.yml\.enc/ + + Rails::Secrets.read_template_for_editing do |tmp_path| + system("\$EDITOR #{tmp_path}") + generator.skip_secrets_file { setup } + end end + + private + def generator + require "rails/generators" + require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator" + + Rails::Generators::EncryptedSecretsGenerator + end end end end diff --git a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb b/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb index 8b29213610..1da2fbc1a5 100644 --- a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb +++ b/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb @@ -36,25 +36,29 @@ module Rails end def add_encrypted_secrets_file - unless File.exist?("config/secrets.yml.enc") + unless (defined?(@@skip_secrets_file) && @@skip_secrets_file) || File.exist?("config/secrets.yml.enc") say "Adding config/secrets.yml.enc to store secrets that needs to be encrypted." say "" + say "For now the file contains this but it's been encrypted with the generated key:" + say "" + say Secrets.template, :on_green + say "" - template "config/secrets.yml.enc" do |prefill| - say "" - say "For now the file contains this but it's been encrypted with the generated key:" - say "" - say prefill, :on_green - say "" - - Secrets.encrypt(prefill) - end + Secrets.write(Secrets.template) say "You can edit encrypted secrets with `bin/rails secrets:edit`." - - say "Add this to your config/environments/production.rb:" - say "config.read_encrypted_secrets = true" + say "" end + + say "Add this to your config/environments/production.rb:" + say "config.read_encrypted_secrets = true" + end + + def self.skip_secrets_file + @@skip_secrets_file = true + yield + ensure + @@skip_secrets_file = false end private diff --git a/railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc b/railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc deleted file mode 100644 index 70426a66a5..0000000000 --- a/railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc +++ /dev/null @@ -1,3 +0,0 @@ -# See `secrets.yml` for tips on generating suitable keys. -# production: -# external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289… diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb index 8b644f212c..20c20cb9f1 100644 --- a/railties/lib/rails/secrets.rb +++ b/railties/lib/rails/secrets.rb @@ -1,5 +1,6 @@ require "yaml" require "active_support/message_encryptor" +require "active_support/core_ext/string/strip" module Rails # Greatly inspired by Ara T. Howard's magnificent sekrets gem. 😘 @@ -37,6 +38,15 @@ module Rails ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key end + def template + <<-end_of_template.strip_heredoc + # See `secrets.yml` for tips on generating suitable keys. + # production: + # external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289… + + end_of_template + end + def encrypt(data) encryptor.encrypt_and_sign(data) end @@ -54,15 +64,12 @@ module Rails FileUtils.mv("#{path}.tmp", path) end - def read_for_editing - tmp_path = File.join(Dir.tmpdir, File.basename(path)) - IO.binwrite(tmp_path, read) + def read_for_editing(&block) + writing(read, &block) + end - yield tmp_path - - write(IO.binread(tmp_path)) - ensure - FileUtils.rm(tmp_path) if File.exist?(tmp_path) + def read_template_for_editing(&block) + writing(template, &block) end private @@ -92,6 +99,17 @@ module Rails end end + def writing(contents) + tmp_path = File.join(Dir.tmpdir, File.basename(path)) + File.write(tmp_path, contents) + + yield tmp_path + + write(File.read(tmp_path)) + ensure + FileUtils.rm(tmp_path) if File.exist?(tmp_path) + end + def encryptor @encryptor ||= ActiveSupport::MessageEncryptor.new([ key ].pack("H*"), cipher: @cipher) end diff --git a/railties/test/commands/secrets_test.rb b/railties/test/commands/secrets_test.rb index 00b0343397..fb8fd2325e 100644 --- a/railties/test/commands/secrets_test.rb +++ b/railties/test/commands/secrets_test.rb @@ -18,7 +18,8 @@ class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase end test "edit secrets" do - run_setup_command + # Runs setup before first edit. + assert_match(/Adding config\/secrets\.yml\.key to store the encryption key/, run_edit_command) # Run twice to ensure encrypted secrets can be reread after first edit pass. 2.times do @@ -30,8 +31,4 @@ class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase def run_edit_command(editor: "cat") Dir.chdir(app_path) { `EDITOR="#{editor}" bin/rails secrets:edit` } end - - def run_setup_command - Dir.chdir(app_path) { `bin/rails secrets:setup` } - end end