authorKasper Timm Hansen <kaspth@gmail.com>2017-09-24 21:25:59 +0200
committerKasper Timm Hansen <kaspth@gmail.com>2017-09-24 21:25:59 +0200
commit9d79d77813c3aca010a5b40cacbd6e68f42ce618 (patch)
tree7e6090826a522a474d832c970a80dc8dfd303cb3
parentb5aa2e0c495b310cbef90b2185ef28cd00745b23 (diff)
downloadrails-9d79d77813c3aca010a5b40cacbd6e68f42ce618.tar.gz
rails-9d79d77813c3aca010a5b40cacbd6e68f42ce618.tar.bz2
rails-9d79d77813c3aca010a5b40cacbd6e68f42ce618.zip
Use new rotation signature in cookies.
[ Michael Coyne & Kasper Timm Hansen ]
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb23
-rw-r--r--actionpack/test/dispatch/cookies_test.rb65
-rw-r--r--activesupport/lib/active_support/messages/rotation_configuration.rb10
3 files changed, 25 insertions, 73 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index b3831649a8..06ce0b22f4 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -264,9 +264,9 @@ module ActionDispatch
end
def upgrade_legacy_hmac_aes_cbc_cookies?
- request.secret_key_base.present? &&
- request.encrypted_signed_cookie_salt.present? &&
- request.encrypted_cookie_salt.present? &&
+ request.secret_key_base.present? &&
+ request.encrypted_signed_cookie_salt.present? &&
+ request.encrypted_cookie_salt.present? &&
request.use_authenticated_cookie_encryption
end
@@ -570,12 +570,12 @@ module ActionDispatch
secret = request.key_generator.generate_key(request.signed_cookie_salt)
@verifier = ActiveSupport::MessageVerifier.new(secret, digest: signed_cookie_digest, serializer: SERIALIZER)
- request.cookies_rotations.signed.each do |rotation_options|
- @verifier.rotate serializer: SERIALIZER, **rotation_options
+ request.cookies_rotations.signed.each do |*secrets, **options|
+ @verifier.rotate *secrets, serializer: SERIALIZER, **options
end
if upgrade_legacy_signed_cookies?
- @verifier.rotate raw_key: request.secret_token, serializer: SERIALIZER
+ @verifier.rotate request.secret_token, serializer: SERIALIZER
end
end
@@ -603,14 +603,15 @@ module ActionDispatch
secret = request.key_generator.generate_key(request.authenticated_encrypted_cookie_salt, key_len)
@encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: SERIALIZER)
- request.cookies_rotations.encrypted.each do |rotation_options|
- @encryptor.rotate serializer: SERIALIZER, **rotation_options
+ request.cookies_rotations.encrypted.each do |*secrets, **options|
+ @encryptor.rotate *secrets, serializer: SERIALIZER, **options
end
if upgrade_legacy_hmac_aes_cbc_cookies?
- @encryptor.rotate \
- key_generator: request.key_generator, salt: request.encrypted_cookie_salt, signed_salt: request.encrypted_signed_cookie_salt,
- cipher: "aes-256-cbc", digest: digest, serializer: SERIALIZER
+ secret = request.key_generator.generate_key(request.encrypted_cookie_salt)
+ sign_secret = request.key_generator.generate_key(request.encrypted_signed_cookie_salt)
+
+ @encryptor.rotate secret, sign_secret, cipher: "aes-256-cbc", digest: digest, serializer: SERIALIZER
end
if upgrade_legacy_signed_cookies?
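Review bot: The legacy AES-CBC rotation derives `secret` with the key generator's default key length, whereas the primary encryptor at the top of this hunk passes an explicit `key_len`; aes-256-cbc takes a 32-byte key, and whether the rotated encryptor truncates or rejects a longer one is not visible from here. Mirroring the primary derivation removes that dependency: `secret = request.key_generator.generate_key(request.encrypted_cookie_salt, ActiveSupport::MessageEncryptor.key_len("aes-256-cbc"))`. The paren-less `@encryptor.rotate *secrets, serializer: SERIALIZER, **options` (and its twin in the signed hunk above) triggers Ruby's ambiguous-splat warning under `-w`; `@encryptor.rotate(*secrets, serializer: SERIALIZER, **options)` is unambiguous. The enclosing method starts and ends outside the hunk.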
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index 706d0be9c2..70587fa2b0 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -461,37 +461,13 @@ class CookiesTest < ActionController::TestCase
assert_equal verifier.generate(45), cookies[:user_id]
end
- def test_signed_cookie_rotations_with_secret_key_base_and_digest
- rotated_secret_key_base = "b3c631c314c0bbca50c1b2843150fe33"
- rotated_salt = "signed cookie"
+ def test_signed_cookie_rotating_secret_and_digest
+ secret = "b3c631c314c0bbca50c1b2843150fe33"
@request.env["action_dispatch.signed_cookie_digest"] = "SHA256"
- @request.env["action_dispatch.cookies_rotations"].rotate :signed,
- secret: rotated_secret_key_base, salt: rotated_salt, digest: "SHA1"
-
- old_secret = ActiveSupport::KeyGenerator.new(rotated_secret_key_base, iterations: 1000).generate_key(rotated_salt)
- old_message = ActiveSupport::MessageVerifier.new(old_secret, digest: "SHA1", serializer: Marshal).generate(45)
-
- @request.headers["Cookie"] = "user_id=#{old_message}"
-
- get :get_signed_cookie
- assert_equal 45, @controller.send(:cookies).signed[:user_id]
-
- key_generator = @request.env["action_dispatch.key_generator"]
- secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
- verifier = ActiveSupport::MessageVerifier.new(secret, digest: "SHA256", serializer: Marshal)
- assert_equal 45, verifier.verify(@response.cookies["user_id"])
- end
-
- def test_signed_cookie_rotations_with_raw_key_and_digest
- rotated_raw_key = "b3c631c314c0bbca50c1b2843150fe33"
-
- @request.env["action_dispatch.signed_cookie_digest"] = "SHA256"
- @request.env["action_dispatch.cookies_rotations"].rotate :signed,
- raw_key: rotated_raw_key, digest: "SHA1"
-
- old_message = ActiveSupport::MessageVerifier.new(rotated_raw_key, digest: "SHA1", serializer: Marshal).generate(45)
+ @request.env["action_dispatch.cookies_rotations"].rotate :signed, secret, digest: "SHA1"
+ old_message = ActiveSupport::MessageVerifier.new(secret, digest: "SHA1", serializer: Marshal).generate(45)
@request.headers["Cookie"] = "user_id=#{old_message}"
get :get_signed_cookie
@@ -993,40 +969,15 @@ class CookiesTest < ActionController::TestCase
assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
end
- def test_encrypted_cookie_rotations_with_secret_and_salt
- rotated_secret_key_base = "b3c631c314c0bbca50c1b2843150fe33"
- rotated_salt = "authenticated encrypted cookie"
-
- @request.env["action_dispatch.encrypted_cookie_cipher"] = "aes-256-gcm"
- @request.env["action_dispatch.cookies_rotations"].rotate :encrypted,
- secret: rotated_secret_key_base, salt: rotated_salt, cipher: "aes-256-gcm"
-
- key_len = ActiveSupport::MessageEncryptor.key_len("aes-256-gcm")
-
- old_secret = ActiveSupport::KeyGenerator.new(rotated_secret_key_base, iterations: 1000).generate_key(rotated_salt, key_len)
- old_message = ActiveSupport::MessageEncryptor.new(old_secret, cipher: "aes-256-gcm", serializer: Marshal).encrypt_and_sign("bar")
-
- @request.headers["Cookie"] = "foo=#{::Rack::Utils.escape old_message}"
-
- get :get_encrypted_cookie
- assert_equal "bar", @controller.send(:cookies).encrypted[:foo]
-
- key_generator = @request.env["action_dispatch.key_generator"]
- secret = key_generator.generate_key(@request.env["action_dispatch.authenticated_encrypted_cookie_salt"], key_len)
- encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm", serializer: Marshal)
- assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
- end
-
- def test_encrypted_cookie_rotations_with_raw_key
- raw_key = "b3c631c314c0bbca50c1b2843150fe33"
+ def test_encrypted_cookie_rotating_secret
+ secret = "b3c631c314c0bbca50c1b2843150fe33"
@request.env["action_dispatch.encrypted_cookie_cipher"] = "aes-256-gcm"
- @request.env["action_dispatch.cookies_rotations"].rotate :encrypted,
- raw_key: raw_key, cipher: "aes-256-gcm"
+ @request.env["action_dispatch.cookies_rotations"].rotate :encrypted, secret
key_len = ActiveSupport::MessageEncryptor.key_len("aes-256-gcm")
- old_message = ActiveSupport::MessageEncryptor.new(raw_key, cipher: "aes-256-gcm", serializer: Marshal).encrypt_and_sign(45)
+ old_message = ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm", serializer: Marshal).encrypt_and_sign(45)
@request.headers["Cookie"] = "foo=#{::Rack::Utils.escape old_message}"
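Review bot: `test_encrypted_cookie_rotating_secret` registers the rotation with `secret` alone, yet the cookie it then presents was produced with `cipher: "aes-256-gcm"`, so the test implicitly depends on a rotation without `cipher:` picking up the primary encryptor's cipher; that assumption deserves a comment on the `rotate :encrypted, secret` line, e.g. `# no cipher: given — assumes the rotation defaults to the primary cipher (aes-256-gcm); confirm`. The two deleted tests also exercised rotation of a key derived through `KeyGenerator` from a secret and salt; if the new signature still supports that path, a replacement test would keep it covered. The test method continues past the end of the hunk.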
diff --git a/activesupport/lib/active_support/messages/rotation_configuration.rb b/activesupport/lib/active_support/messages/rotation_configuration.rb
index 908658ff02..233703b558 100644
--- a/activesupport/lib/active_support/messages/rotation_configuration.rb
+++ b/activesupport/lib/active_support/messages/rotation_configuration.rb
@@ -9,15 +9,15 @@ module ActiveSupport
@signed, @encrypted = [], []
end
- def rotate(kind = nil, **options)
+ def rotate(kind = nil, *args)
case kind
when :signed
- @signed << options
+ @signed << args
when :encrypted
- @encrypted << options
+ @encrypted << args
else
- rotate :signed, options
- rotate :encrypted, options
+ rotate :signed, args
+ rotate :encrypted, args
end
end
end
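Review bot: The `else` branch re-wraps the collected arguments: `rotate :signed, args` passes the array as one positional, so `@signed` receives `[[secret, options]]` rather than `[secret, options]`, a shape the cookie jars' `|*secrets, **options|` block parameters will not unpack; the two calls should splat, `rotate :signed, *args` and `rotate :encrypted, *args`. The branch is also hard to reach as written: with `kind = nil` as an optional first positional, a call that omits the kind has its secret captured as `kind` and reaches `else` with the secret missing from `args`, so either make `kind` required or recognise a first argument that is not `:signed`/`:encrypted` as the start of the secrets. The class header is outside the hunk, so I cannot see whether `rotate` is documented; a one-line comment stating the stored shape, e.g. `# rotate(:signed, secret, digest: "SHA1") stores [secret, { digest: "SHA1" }] for the signed verifier`, would help readers of the jar code.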