diff options
author | Kasper Timm Hansen <kaspth@gmail.com> | 2017-09-24 21:41:16 +0200 |
---|---|---|
committer | Kasper Timm Hansen <kaspth@gmail.com> | 2017-09-24 21:41:16 +0200 |
commit | 38308e6d1353eda587d676ac40ce489c638fb0c3 (patch) | |
tree | d4e827efdaaf6d50b75cd7df9881e65f8c9ec978 /guides/source | |
parent | 9d79d77813c3aca010a5b40cacbd6e68f42ce618 (diff) | |
download | rails-38308e6d1353eda587d676ac40ce489c638fb0c3.tar.gz rails-38308e6d1353eda587d676ac40ce489c638fb0c3.tar.bz2 rails-38308e6d1353eda587d676ac40ce489c638fb0c3.zip |
[ci skip] Attempt a new explanation for rotations.
It's become clear to me that the use case is still a bit muddy
and the upgrade path is going to be tough for people to figure
out.
This attempts at understanding it better through documentation,
but still needs follow up work.
[ Michael Coyne & Kasper Timm Hansen ]
Diffstat (limited to 'guides/source')
-rw-r--r-- | guides/source/configuring.md | 6 | ||||
-rw-r--r-- | guides/source/security.md | 44 |
2 files changed, 18 insertions, 32 deletions
diff --git a/guides/source/configuring.md b/guides/source/configuring.md index 86c8364d83..0f87d73d6e 100644 --- a/guides/source/configuring.md +++ b/guides/source/configuring.md @@ -493,10 +493,8 @@ Defaults to `'signed cookie'`. * `config.action_dispatch.signed_cookie_digest` sets the digest to be used for signed cookies. This defaults to `"SHA1"`. -* `config.action_dispatch.cookies_rotations` is set to an instance of - [RotationConfiguration](http://api.rubyonrails.org/classes/ActiveSupport/RotationConfiguration.html). - It provides an interface for rotating keys, salts, ciphers, and - digests for encrypted and signed cookies. +* `config.action_dispatch.cookies_rotations` allows rotating + secrets, ciphers, and digests for encrypted and signed cookies. * `config.action_dispatch.perform_deep_munge` configures whether `deep_munge` method should be performed on the parameters. See [Security Guide](security.html#unsafe-query-generation) diff --git a/guides/source/security.md b/guides/source/security.md index 994978b88b..9e1dc518d2 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -161,43 +161,31 @@ It is also useful to rotate this value for other more benign reasons, such as an employee leaving your organization or changing hosting environments. -Key rotations can be defined through -`config.action_dispatch.cookies_rotations` which provides an interface for -rotating signed and encrypted cookie keys, salts, digests, and ciphers. - -For example, suppose we want to rotate out an old `secret_key_base`, we -can define a signed and encrypted key rotation as follows: +For example to rotate out an old `secret_key_base`, we can define signed and +encrypted rotations as follows: ```ruby -config.action_dispatch.cookies_rotations.rotate :encrypted, - cipher: "aes-256-gcm", - secret: Rails.application.credentials.old_secret_key_base, - salt: config.action_dispatch.authenticated_encrypted_cookie_salt - -config.action_dispatch.cookies_rotations.rotate :signed, - digest: "SHA1", - secret: Rails.application.credentials.old_secret_key_base, - salt: config.action_dispatch.signed_cookie_salt +Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies| + cookies.rotate :encrypted, secret: Rails.application.credentials.old_secret_key_base + cookies.rotate :signed, secret: Rails.application.credentials.old_secret_key_base +end ``` -Multiple rotations are possible by calling `rotate` multiple times. For -example, suppose we want to use SHA512 for signed cookies while rotating -out SHA256 and SHA1 digests using the same `secret_key_base`: +It's also possible to set up multiple rotations. For instance to use `SHA512` +for signed cookies while rotating out SHA256 and SHA1 digests, we'd do: ```ruby -config.action_dispatch.signed_cookie_digest = "SHA512" +Rails.application.config.action_dispatch.signed_cookie_digest = "SHA512" -config.action_dispatch.cookies_rotations.rotate :signed, - digest: "SHA256", - secret: Rails.application.credentials.secret_key_base, - salt: config.action_dispatch.signed_cookie_salt - -config.action_dispatch.cookies_rotations.rotate :signed, - digest: "SHA1", - secret: Rails.application.credentials.secret_key_base, - salt: config.action_dispatch.signed_cookie_salt +Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies| + cookies.rotate :signed, digest: "SHA256" + cookies.rotate :signed, digest: "SHA1" +end ``` +While you can setup as many rotations as you'd like it's not common to have many +rotations going at any one time. + For more details on key rotation with encrypted and signed messages as well as the various options the `rotate` method accepts, please refer to the |