Introduce a new ActiveSupport::SecureCompareRotator class:

- This class is used to rotate a previously determined value to a new one before making the comparions. We use this at Shopify to rotate Basic Auth crendials but I can imagine other use cases. The implementation uses the same `Messages::Rotator` module than the MessageEncryptor/MessageVerifier class so it works exactly the same way. You can use it as follow: ```ruby rotator = ActiveSupport::SecureCompareRotator.new('new_production_value') rotator.rotate('previous_production_value') rotator.secure_compare!('previous_production_value') ```
author: Edouard CHIN <edouard.chin@shopify.com> 2019-06-06 17:50:31 +0200
committer: Edouard CHIN <edouard.chin@shopify.com> 2019-06-06 19:08:53 +0200
commit: 123bcf5faa6d6963862a33489b2d678d6ef3c137 (patch)
tree: 80b3da27221b032aacf7b2c13729e46b7d3be1a0 /activesupport
parent: 480d9f2d2431e6a11c89edb45123181f9b6db958 (diff)
download: rails-123bcf5faa6d6963862a33489b2d678d6ef3c137.tar.gz
rails-123bcf5faa6d6963862a33489b2d678d6ef3c137.tar.bz2
rails-123bcf5faa6d6963862a33489b2d678d6ef3c137.zip
2 files changed, 96 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/secure_compare_rotator.rb b/activesupport/lib/active_support/secure_compare_rotator.rb
new file mode 100644
index 0000000000..14a0aee947
--- /dev/null
+++ b/activesupport/lib/active_support/secure_compare_rotator.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require "active_support/security_utils"
+require "active_support/messages/rotator"
+
+module ActiveSupport
+  # The ActiveSupport::SecureCompareRotator is a wrapper around +ActiveSupport::SecurityUtils.secure_compare+
+  # and allows you to rotate a previously defined value to a new one.
+  #
+  # It can be used as follow:
+  #
+  #   rotator = ActiveSupport::SecureCompareRotator.new('new_production_value')
+  #   rotator.rotate('previous_production_value')
+  #   rotator.secure_compare!('previous_production_value')
+  #
+  # One real use case example would be to rotate a basic auth credentials:
+  #
+  #   class MyController < ApplicationController
+  #     def authenticate_request
+  #       rotator = ActiveSupport::SecureComparerotator.new('new_password')
+  #       rotator.rotate('old_password')
+  #
+  #       authenticate_or_request_with_http_basic do |username, password|
+  #         rotator.secure_compare!(password)
+  #       rescue ActiveSupport::SecureCompareRotator::InvalidMatch
+  #         false
+  #       end
+  #     end
+  #   end
+  class SecureCompareRotator
+    include SecurityUtils
+    prepend Messages::Rotator
+
+    InvalidMatch = Class.new(StandardError)
+
+    def initialize(value, **_options)
+      @value = value
+    end
+
+    def secure_compare!(other_value, on_rotation: @rotation)
+      secure_compare(@value, other_value) ||
+        run_rotations(on_rotation) { |wrapper| wrapper.secure_compare!(other_value) } ||
+        raise(InvalidMatch)
+    end
+
+    private
+
+      def build_rotation(previous_value, _options)
+        self.class.new(previous_value)
+      end
+  end
+end
diff --git a/activesupport/test/secure_compare_rotator_test.rb b/activesupport/test/secure_compare_rotator_test.rb
new file mode 100644
index 0000000000..8acf13e38f
--- /dev/null
+++ b/activesupport/test/secure_compare_rotator_test.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require "abstract_unit"
+require "active_support/secure_compare_rotator"
+
+class SecureCompareRotatorTest < ActiveSupport::TestCase
+  test "#secure_compare! works correctly after rotation" do
+    wrapper = ActiveSupport::SecureCompareRotator.new("old_secret")
+    wrapper.rotate("new_secret")
+
+    assert_equal(true, wrapper.secure_compare!("new_secret"))
+  end
+
+  test "#secure_compare! works correctly after multiple rotation" do
+    wrapper = ActiveSupport::SecureCompareRotator.new("old_secret")
+    wrapper.rotate("new_secret")
+    wrapper.rotate("another_secret")
+    wrapper.rotate("and_another_one")
+
+    assert_equal(true, wrapper.secure_compare!("and_another_one"))
+  end
+
+  test "#secure_compare! fails correctly when credential is not part of the rotation" do
+    wrapper = ActiveSupport::SecureCompareRotator.new("old_secret")
+    wrapper.rotate("new_secret")
+
+    assert_raises(ActiveSupport::SecureCompareRotator::InvalidMatch) do
+      wrapper.secure_compare!("different_secret")
+    end
+  end
+
+  test "#secure_compare! calls the on_rotation proc" do
+    wrapper = ActiveSupport::SecureCompareRotator.new("old_secret")
+    wrapper.rotate("new_secret")
+    wrapper.rotate("another_secret")
+    wrapper.rotate("and_another_one")
+
+    @witness = nil
+
+    assert_changes(:@witness, from: nil, to: true) do
+      assert_equal(true, wrapper.secure_compare!("and_another_one", on_rotation: -> { @witness = true }))
+    end
+  end
+end
author	Edouard CHIN <edouard.chin@shopify.com>	2019-06-06 17:50:31 +0200
committer	Edouard CHIN <edouard.chin@shopify.com>	2019-06-06 19:08:53 +0200
commit	123bcf5faa6d6963862a33489b2d678d6ef3c137 (patch)
tree	80b3da27221b032aacf7b2c13729e46b7d3be1a0 /activesupport
parent	480d9f2d2431e6a11c89edb45123181f9b6db958 (diff)
download	rails-123bcf5faa6d6963862a33489b2d678d6ef3c137.tar.gz rails-123bcf5faa6d6963862a33489b2d678d6ef3c137.tar.bz2 rails-123bcf5faa6d6963862a33489b2d678d6ef3c137.zip