Merge pull request rails#45544 from jonathanhefner/credentials-custom-templates

Support custom credentials templates

Author: jonathanhefner

railties/CHANGELOG.md

@@ -1,3 +1,15 @@
+*   In-app custom credentials templates are now supported.  When a credentials
+    file does not exist, `rails credentials:edit` will now try to use
+    `lib/templates/rails/credentials/credentials.yml.tt` to generate the
+    credentials file, before falling back to the default template.
+
+    This allows e.g. an open-source Rails app (which would not include encrypted
+    credentials files in its repo) to include a credentials template, so that
+    users who install the app will get a custom pre-filled credentials file when
+    they run `rails credentials:edit`.
+
+    *Jonathan Hefner*
+
 *   Newly generated per-environment credentials files (e.g.
     `config/credentials/production.yml.enc`) now include a `secret_key_base` for
     convenience, just as `config/credentials.yml.enc` does.

railties/lib/rails/application.rb

@@ -493,6 +493,11 @@ def migration_railties # :nodoc:
       ordered_railties.flatten - [self]
     end
 
+    def load_generators(app = self) # :nodoc:
+      app.ensure_generator_templates_added
+      super
+    end
+
     # Eager loads the application code.
     def eager_load!
       Rails.autoloaders.each(&:eager_load)
@@ -582,6 +587,11 @@ def validate_secret_key_base(secret_key_base)
       end
     end
 
+    def ensure_generator_templates_added
+      configured_paths = config.generators.templates
+      configured_paths.unshift(*(paths["lib/templates"].existent - configured_paths))
+    end
+
     private
       def generate_development_secret
         if secrets.secret_key_base.nil?

railties/lib/rails/application/finisher.rb

@@ -11,7 +11,7 @@ module Finisher
       include Initializable
 
       initializer :add_generator_templates do
-        config.generators.templates.unshift(*paths["lib/templates"].existent)
+        ensure_generator_templates_added
       end
 
       initializer :setup_main_autoloader do

railties/lib/rails/commands/credentials/credentials_command.rb

@@ -28,6 +28,7 @@ def help
       def edit
         extract_environment_option_from_argument(default_environment: nil)
         require_application!
+        load_generators
 
         ensure_editor_available(command: "bin/rails credentials:edit") || (return)
 
@@ -77,12 +78,15 @@ def credentials
         end
 
         def ensure_encryption_key_has_been_added
+          require "rails/generators/rails/encryption_key_file/encryption_key_file_generator"
+          encryption_key_file_generator = Rails::Generators::EncryptionKeyFileGenerator.new
           encryption_key_file_generator.add_key_file(key_path)
           encryption_key_file_generator.ignore_key_file(key_path)
         end
 
         def ensure_credentials_have_been_added
-          credentials_generator.add_credentials_file
+          require "rails/generators/rails/credentials/credentials_generator"
+          Rails::Generators::CredentialsGenerator.new([content_path, key_path], quiet: true).invoke_all
         end
 
         def change_credentials_in_system_editor
@@ -110,20 +114,6 @@ def key_path
         def extract_environment_from_path(path)
           available_environments.find { |env| path.include? env } if path.end_with?(".yml.enc")
         end
-
-        def encryption_key_file_generator
-          require "rails/generators"
-          require "rails/generators/rails/encryption_key_file/encryption_key_file_generator"
-
-          Rails::Generators::EncryptionKeyFileGenerator.new
-        end
-
-        def credentials_generator
-          require "rails/generators"
-          require "rails/generators/rails/credentials/credentials_generator"
-
-          Rails::Generators::CredentialsGenerator.new([content_path, key_path], quiet: true)
-        end
     end
   end
 end

railties/lib/rails/generators/rails/credentials/credentials_generator.rb

@@ -17,7 +17,7 @@ def add_credentials_file
           say "Adding #{content_path} to store encrypted credentials."
           say ""
 
-          encrypted_file.write(content)
+          content = render_template_to_encrypted_file
 
           say "The following content has been encrypted with the Rails master key:"
           say ""
@@ -38,15 +38,20 @@ def encrypted_file
           )
         end
 
-        def content
-          @content ||= <<~YAML
-            # aws:
-            #   access_key_id: 123
-            #   secret_access_key: 345
+        def secret_key_base
+          @secret_key_base ||= SecureRandom.hex(64)
+        end
+
+        def render_template_to_encrypted_file
+          content = nil
+
+          encrypted_file.change do |tmp_path|
+            template("credentials.yml", tmp_path, force: true, verbose: false) do |rendered|
+              content = rendered
+            end
+          end
 
-            # Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.
-            secret_key_base: #{SecureRandom.hex(64)}
-          YAML
+          content
         end
     end
   end

railties/lib/rails/generators/rails/credentials/templates/credentials.yml.tt

@@ -0,0 +1,6 @@
+# aws:
+#   access_key_id: 123
+#   secret_access_key: 345
+
+# Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.
+secret_key_base: <%= secret_key_base %>

railties/test/commands/credentials_test.rb

@@ -91,6 +91,15 @@ class Rails::Command::CredentialsCommandTest < ActiveSupport::TestCase
     assert_file "config/credentials.yml.enc"
   end
 
+  test "edit command can use custom template to generate credentials file" do
+    app_file "lib/templates/rails/credentials/credentials.yml.tt", <<~ERB
+      provides_secret_key_base: <%= [secret_key_base] == [secret_key_base].compact %>
+    ERB
+    remove_file "config/credentials.yml.enc"
+
+    assert_match %r/provides_secret_key_base: true/, run_edit_command
+  end
+
 
   test "show credentials" do
     assert_match DEFAULT_CREDENTIALS_PATTERN, run_show_command