Remove deprecated Rails.application.secrets

Author: rafaelfranca

guides/source/7_2_release_notes.md

@@ -28,6 +28,8 @@ Please refer to the [Changelog][railties] for detailed changes.
 
 ### Removals
 
+*   Remove deprecated `Rails.application.secrets`.
+
 ### Deprecations
 
 ### Notable changes

railties/CHANGELOG.md

@@ -1,3 +1,7 @@
+*   Remove deprecated `Rails.application.secrets`.
+
+    *Rafael Mendonça França*
+
 *   Generated Gemfile will include `require: "debug/prelude"` for the `debug` gem
 
     Requiring `debug` gem directly automatically activates it, which could introduce

railties/lib/rails/application.rb

@@ -10,7 +10,6 @@
 require "active_support/hash_with_indifferent_access"
 require "active_support/configuration_file"
 require "rails/engine"
-require "rails/secrets"
 require "rails/autoloaders"
 
 module Rails
@@ -104,7 +103,7 @@ def find_root(from)
     delegate :default_url_options, :default_url_options=, to: :routes
 
     INITIAL_VARIABLES = [:config, :railties, :routes_reloader, :reloaders,
-                         :routes, :helpers, :app_env_config, :secrets] # :nodoc:
+                         :routes, :helpers, :app_env_config] # :nodoc:
 
     def initialize(initial_variable_values = {}, &block)
       super()
@@ -439,25 +438,7 @@ def config # :nodoc:
     end
 
     attr_writer :config
-
-    def secrets
-      Rails.deprecator.warn(<<~MSG.squish)
-        `Rails.application.secrets` is deprecated in favor of `Rails.application.credentials` and will be removed in Rails 7.2.
-      MSG
-      @secrets ||= begin
-        secrets = ActiveSupport::OrderedOptions.new
-        files = config.paths["config/secrets"].existent
-        files = files.reject { |path| path.end_with?(".enc") } unless config.read_encrypted_secrets
-        secrets.merge! Rails::Secrets.parse(files, env: Rails.env)
-
-        # Fallback to config.secret_key_base if secrets.secret_key_base isn't set
-        secrets.secret_key_base ||= config.secret_key_base
-
-        secrets
-      end
-    end
-
-    attr_writer :secrets, :credentials
+    attr_writer :credentials
 
     # The secret_key_base is used as the input secret to the application's key generator, which in turn
     # is used to create all ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor instances,
@@ -473,33 +454,16 @@ def secrets
     # Dockerfile example: <tt>RUN SECRET_KEY_BASE_DUMMY=1 bundle exec rails assets:precompile</tt>.
     #
     # In all other environments, we look for it first in <tt>ENV["SECRET_KEY_BASE"]</tt>,
-    # then +credentials.secret_key_base+, and finally +secrets.secret_key_base+. For most applications,
-    # the correct place to store it is in the encrypted credentials file.
+    # then +credentials.secret_key_base+. For most applications, the correct place to store it is in the
+    # encrypted credentials file.
     def secret_key_base
-      config.secret_key_base ||=
-        if ENV["SECRET_KEY_BASE_DUMMY"]
-          generate_local_secret
-        else
-          validate_secret_key_base(
-            ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || begin
-              secret_skb = secrets_secret_key_base
-
-              if secret_skb && secret_skb.equal?(config.secret_key_base)
-                config.secret_key_base
-              elsif secret_skb
-                Rails.deprecator.warn(<<~MSG.squish)
-                  Your `secret_key_base` is configured in `Rails.application.secrets`,
-                  which is deprecated in favor of `Rails.application.credentials` and
-                  will be removed in Rails 7.2.
-                MSG
-
-                secret_skb
-              elsif Rails.env.local?
-                generate_local_secret
-              end
-            end
-          )
-        end
+      if Rails.env.local? || ENV["SECRET_KEY_BASE_DUMMY"]
+        config.secret_key_base ||= generate_local_secret
+      else
+        validate_secret_key_base(
+          ENV["SECRET_KEY_BASE"] || credentials.secret_key_base
+        )
+      end
     end
 
     # Returns an ActiveSupport::EncryptedConfiguration instance for the
@@ -674,8 +638,6 @@ def generate_local_secret
 
           if File.exist?(key_file)
             config.secret_key_base = File.binread(key_file)
-          elsif secrets_secret_key_base
-            config.secret_key_base = secrets_secret_key_base
           else
             random_key = SecureRandom.hex(64)
             FileUtils.mkdir_p(key_file.dirname)
@@ -687,12 +649,6 @@ def generate_local_secret
         config.secret_key_base
       end
 
-      def secrets_secret_key_base
-        Rails.deprecator.silence do
-          secrets.secret_key_base
-        end
-      end
-
       def build_request(env)
         req = super
         env["ORIGINAL_FULLPATH"] = req.fullpath

railties/lib/rails/application/bootstrap.rb

@@ -5,7 +5,6 @@
 require "active_support/notifications"
 require "active_support/dependencies"
 require "active_support/descendants_tracker"
-require "rails/secrets"
 
 module Rails
   class Application
@@ -114,10 +113,6 @@ module Bootstrap
       initializer :bootstrap_hook, group: :all do |app|
         ActiveSupport.run_load_hooks(:before_initialize, app)
       end
-
-      initializer :set_secrets_root, group: :all do
-        Rails::Secrets.root = root
-      end
     end
   end
 end

railties/lib/rails/application/configuration.rb

@@ -19,7 +19,7 @@ class Configuration < ::Rails::Engine::Configuration
                     :ssl_options, :public_file_server,
                     :session_options, :time_zone, :reload_classes_only_on_change,
                     :beginning_of_week, :filter_redirect, :x,
-                    :read_encrypted_secrets, :content_security_policy_report_only,
+                    :content_security_policy_report_only,
                     :content_security_policy_nonce_generator, :content_security_policy_nonce_directives,
                     :require_master_key, :credentials, :disable_sandbox, :sandbox_by_default,
                     :add_autoload_paths_to_load_path, :rake_eager_load, :server_timing, :log_file_size,
@@ -68,7 +68,6 @@ def initialize(*)
         @debug_exception_response_format         = nil
         @x                                       = Custom.new
         @enable_dependency_loading               = false
-        @read_encrypted_secrets                  = false
         @content_security_policy                 = nil
         @content_security_policy_report_only     = false
         @content_security_policy_nonce_generator = nil
@@ -367,6 +366,15 @@ def enable_dependency_loading=(value)
         @enable_dependency_loading = value
       end
 
+      def read_encrypted_secrets
+        Rails.deprecator.warn(`config.read_encrypted_secrets is deprecated and will be removed in Rails 7.3.`)
+      end
+
+      def read_encrypted_secrets=(value)
+        Rails.deprecator.warn(`config.read_encrypted_secrets is deprecated and will be removed in Rails 7.3.`)
+      end
+
+
       def encoding=(value)
         @encoding = value
         silence_warnings do
@@ -399,7 +407,6 @@ def paths
         @paths ||= begin
           paths = super
           paths.add "config/database",    with: "config/database.yml"
-          paths.add "config/secrets",     with: "config", glob: "secrets.yml{,.enc}"
           paths.add "config/environment", with: "config/environment.rb"
           paths.add "lib/templates"
           paths.add "log",                with: "log/#{Rails.env}.log"

railties/lib/rails/commands/secrets/USAGE

@@ -203,7 +203,6 @@ def sorted_groups
         rails.map! { |n| n.delete_prefix("rails:") }
         rails.delete("app")
         rails.delete("plugin")
-        rails.delete("encrypted_secrets")
         rails.delete("encrypted_file")
         rails.delete("encryption_key_file")
         rails.delete("master_key")