diff options
| -rw-r--r-- | actionpack/lib/action_dispatch/middleware/cookies.rb | 23 | ||||
| -rw-r--r-- | actionpack/test/dispatch/cookies_test.rb | 65 | ||||
| -rw-r--r-- | activesupport/lib/active_support/messages/rotation_configuration.rb | 10 |
3 files changed, 25 insertions, 73 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index b3831649a8..06ce0b22f4 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -264,9 +264,9 @@ module ActionDispatch end def upgrade_legacy_hmac_aes_cbc_cookies? - request.secret_key_base.present? && - request.encrypted_signed_cookie_salt.present? && - request.encrypted_cookie_salt.present? && + request.secret_key_base.present? && + request.encrypted_signed_cookie_salt.present? && + request.encrypted_cookie_salt.present? && request.use_authenticated_cookie_encryption end @@ -570,12 +570,12 @@ module ActionDispatch secret = request.key_generator.generate_key(request.signed_cookie_salt) @verifier = ActiveSupport::MessageVerifier.new(secret, digest: signed_cookie_digest, serializer: SERIALIZER) - request.cookies_rotations.signed.each do |rotation_options| - @verifier.rotate serializer: SERIALIZER, **rotation_options + request.cookies_rotations.signed.each do |*secrets, **options| + @verifier.rotate *secrets, serializer: SERIALIZER, **options end if upgrade_legacy_signed_cookies? - @verifier.rotate raw_key: request.secret_token, serializer: SERIALIZER + @verifier.rotate request.secret_token, serializer: SERIALIZER end end @@ -603,14 +603,15 @@ module ActionDispatch secret = request.key_generator.generate_key(request.authenticated_encrypted_cookie_salt, key_len) @encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: SERIALIZER) - request.cookies_rotations.encrypted.each do |rotation_options| - @encryptor.rotate serializer: SERIALIZER, **rotation_options + request.cookies_rotations.encrypted.each do |*secrets, **options| + @encryptor.rotate *secrets, serializer: SERIALIZER, **options end if upgrade_legacy_hmac_aes_cbc_cookies? - @encryptor.rotate \ - key_generator: request.key_generator, salt: request.encrypted_cookie_salt, signed_salt: request.encrypted_signed_cookie_salt, - cipher: "aes-256-cbc", digest: digest, serializer: SERIALIZER + secret = request.key_generator.generate_key(request.encrypted_cookie_salt) + sign_secret = request.key_generator.generate_key(request.encrypted_signed_cookie_salt) + + @encryptor.rotate secret, sign_secret, cipher: "aes-256-cbc", digest: digest, serializer: SERIALIZER end if upgrade_legacy_signed_cookies? diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb index 706d0be9c2..70587fa2b0 100644 --- a/actionpack/test/dispatch/cookies_test.rb +++ b/actionpack/test/dispatch/cookies_test.rb @@ -461,37 +461,13 @@ class CookiesTest < ActionController::TestCase assert_equal verifier.generate(45), cookies[:user_id] end - def test_signed_cookie_rotations_with_secret_key_base_and_digest - rotated_secret_key_base = "b3c631c314c0bbca50c1b2843150fe33" - rotated_salt = "signed cookie" + def test_signed_cookie_rotating_secret_and_digest + secret = "b3c631c314c0bbca50c1b2843150fe33" @request.env["action_dispatch.signed_cookie_digest"] = "SHA256" - @request.env["action_dispatch.cookies_rotations"].rotate :signed, - secret: rotated_secret_key_base, salt: rotated_salt, digest: "SHA1" - - old_secret = ActiveSupport::KeyGenerator.new(rotated_secret_key_base, iterations: 1000).generate_key(rotated_salt) - old_message = ActiveSupport::MessageVerifier.new(old_secret, digest: "SHA1", serializer: Marshal).generate(45) - - @request.headers["Cookie"] = "user_id=#{old_message}" - - get :get_signed_cookie - assert_equal 45, @controller.send(:cookies).signed[:user_id] - - key_generator = @request.env["action_dispatch.key_generator"] - secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"]) - verifier = ActiveSupport::MessageVerifier.new(secret, digest: "SHA256", serializer: Marshal) - assert_equal 45, verifier.verify(@response.cookies["user_id"]) - end - - def test_signed_cookie_rotations_with_raw_key_and_digest - rotated_raw_key = "b3c631c314c0bbca50c1b2843150fe33" - - @request.env["action_dispatch.signed_cookie_digest"] = "SHA256" - @request.env["action_dispatch.cookies_rotations"].rotate :signed, - raw_key: rotated_raw_key, digest: "SHA1" - - old_message = ActiveSupport::MessageVerifier.new(rotated_raw_key, digest: "SHA1", serializer: Marshal).generate(45) + @request.env["action_dispatch.cookies_rotations"].rotate :signed, secret, digest: "SHA1" + old_message = ActiveSupport::MessageVerifier.new(secret, digest: "SHA1", serializer: Marshal).generate(45) @request.headers["Cookie"] = "user_id=#{old_message}" get :get_signed_cookie @@ -993,40 +969,15 @@ class CookiesTest < ActionController::TestCase assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"]) end - def test_encrypted_cookie_rotations_with_secret_and_salt - rotated_secret_key_base = "b3c631c314c0bbca50c1b2843150fe33" - rotated_salt = "authenticated encrypted cookie" - - @request.env["action_dispatch.encrypted_cookie_cipher"] = "aes-256-gcm" - @request.env["action_dispatch.cookies_rotations"].rotate :encrypted, - secret: rotated_secret_key_base, salt: rotated_salt, cipher: "aes-256-gcm" - - key_len = ActiveSupport::MessageEncryptor.key_len("aes-256-gcm") - - old_secret = ActiveSupport::KeyGenerator.new(rotated_secret_key_base, iterations: 1000).generate_key(rotated_salt, key_len) - old_message = ActiveSupport::MessageEncryptor.new(old_secret, cipher: "aes-256-gcm", serializer: Marshal).encrypt_and_sign("bar") - - @request.headers["Cookie"] = "foo=#{::Rack::Utils.escape old_message}" - - get :get_encrypted_cookie - assert_equal "bar", @controller.send(:cookies).encrypted[:foo] - - key_generator = @request.env["action_dispatch.key_generator"] - secret = key_generator.generate_key(@request.env["action_dispatch.authenticated_encrypted_cookie_salt"], key_len) - encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm", serializer: Marshal) - assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"]) - end - - def test_encrypted_cookie_rotations_with_raw_key - raw_key = "b3c631c314c0bbca50c1b2843150fe33" + def test_encrypted_cookie_rotating_secret + secret = "b3c631c314c0bbca50c1b2843150fe33" @request.env["action_dispatch.encrypted_cookie_cipher"] = "aes-256-gcm" - @request.env["action_dispatch.cookies_rotations"].rotate :encrypted, - raw_key: raw_key, cipher: "aes-256-gcm" + @request.env["action_dispatch.cookies_rotations"].rotate :encrypted, secret key_len = ActiveSupport::MessageEncryptor.key_len("aes-256-gcm") - old_message = ActiveSupport::MessageEncryptor.new(raw_key, cipher: "aes-256-gcm", serializer: Marshal).encrypt_and_sign(45) + old_message = ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm", serializer: Marshal).encrypt_and_sign(45) @request.headers["Cookie"] = "foo=#{::Rack::Utils.escape old_message}" diff --git a/activesupport/lib/active_support/messages/rotation_configuration.rb b/activesupport/lib/active_support/messages/rotation_configuration.rb index 908658ff02..233703b558 100644 --- a/activesupport/lib/active_support/messages/rotation_configuration.rb +++ b/activesupport/lib/active_support/messages/rotation_configuration.rb @@ -9,15 +9,15 @@ module ActiveSupport @signed, @encrypted = [], [] end - def rotate(kind = nil, **options) + def rotate(kind = nil, *args) case kind when :signed - @signed << options + @signed << args when :encrypted - @encrypted << options + @encrypted << args else - rotate :signed, options - rotate :encrypted, options + rotate :signed, args + rotate :encrypted, args end end end |