aboutsummaryrefslogtreecommitdiffstats
path: root/activesupport/test
diff options
context:
space:
mode:
Diffstat (limited to 'activesupport/test')
-rw-r--r--activesupport/test/message_encryptor_test.rb124
-rw-r--r--activesupport/test/message_verifier_test.rb96
-rw-r--r--activesupport/test/messages/rotation_configuration_test.rb32
3 files changed, 71 insertions, 181 deletions
diff --git a/activesupport/test/message_encryptor_test.rb b/activesupport/test/message_encryptor_test.rb
index 17baf3550b..8fde3928dc 100644
--- a/activesupport/test/message_encryptor_test.rb
+++ b/activesupport/test/message_encryptor_test.rb
@@ -115,122 +115,70 @@ class MessageEncryptorTest < ActiveSupport::TestCase
assert_equal "Ruby on Rails", encryptor.decrypt_and_verify(encrypted_message)
end
- def test_with_rotated_raw_key
- old_raw_key = SecureRandom.random_bytes(32)
- old_encryptor = ActiveSupport::MessageEncryptor.new(old_raw_key, cipher: "aes-256-gcm")
- old_message = old_encryptor.encrypt_and_sign("message encrypted with old raw key")
+ def test_rotating_secret
+ old_message = ActiveSupport::MessageEncryptor.new(secrets[:old], cipher: "aes-256-gcm").encrypt_and_sign("old")
encryptor = ActiveSupport::MessageEncryptor.new(@secret, cipher: "aes-256-gcm")
- encryptor.rotate raw_key: old_raw_key, cipher: "aes-256-gcm"
+ encryptor.rotate secrets[:old]
- assert_equal "message encrypted with old raw key", encryptor.decrypt_and_verify(old_message)
+ assert_equal "old", encryptor.decrypt_and_verify(old_message)
end
- def test_with_rotated_secret_and_salt
- old_secret, old_salt = SecureRandom.random_bytes(32), "old salt"
- old_raw_key = ActiveSupport::KeyGenerator.new(old_secret, iterations: 1000).generate_key(old_salt, 32)
+ def test_rotating_serializer
+ old_message = ActiveSupport::MessageEncryptor.new(secrets[:old], cipher: "aes-256-gcm", serializer: JSON).
+ encrypt_and_sign(ahoy: :hoy)
- old_encryptor = ActiveSupport::MessageEncryptor.new(old_raw_key, cipher: "aes-256-gcm")
- old_message = old_encryptor.encrypt_and_sign("message encrypted with old secret and salt")
+ encryptor = ActiveSupport::MessageEncryptor.new(@secret, cipher: "aes-256-gcm", serializer: JSON)
+ encryptor.rotate secrets[:old]
- encryptor = ActiveSupport::MessageEncryptor.new(@secret, cipher: "aes-256-gcm")
- encryptor.rotate secret: old_secret, salt: old_salt, cipher: "aes-256-gcm"
-
- assert_equal "message encrypted with old secret and salt", encryptor.decrypt_and_verify(old_message)
- end
-
- def test_with_rotated_key_generator
- old_key_gen, old_salt = ActiveSupport::KeyGenerator.new(SecureRandom.random_bytes(32), iterations: 256), "old salt"
-
- old_raw_key = old_key_gen.generate_key(old_salt, 32)
- old_encryptor = ActiveSupport::MessageEncryptor.new(old_raw_key, cipher: "aes-256-gcm")
- old_message = old_encryptor.encrypt_and_sign("message encrypted with old key generator and salt")
-
- encryptor = ActiveSupport::MessageEncryptor.new(@secret, cipher: "aes-256-gcm")
- encryptor.rotate key_generator: old_key_gen, salt: old_salt, cipher: "aes-256-gcm"
-
- assert_equal "message encrypted with old key generator and salt", encryptor.decrypt_and_verify(old_message)
+ assert_equal({ "ahoy" => "hoy" }, encryptor.decrypt_and_verify(old_message))
end
- def test_with_rotated_aes_cbc_encryptor_with_raw_keys
- old_raw_key, old_raw_signed_key = SecureRandom.random_bytes(32), SecureRandom.random_bytes(16)
-
- old_encryptor = ActiveSupport::MessageEncryptor.new(old_raw_key, old_raw_signed_key, cipher: "aes-256-cbc", digest: "SHA1")
- old_message = old_encryptor.encrypt_and_sign("message encrypted with old raw keys")
+ def test_rotating_aes_cbc_secrets
+ old_encryptor = ActiveSupport::MessageEncryptor.new(secrets[:old], "old sign", cipher: "aes-256-cbc")
+ old_message = old_encryptor.encrypt_and_sign("old")
encryptor = ActiveSupport::MessageEncryptor.new(@secret)
- encryptor.rotate raw_key: old_raw_key, raw_signed_key: old_raw_signed_key, cipher: "aes-256-cbc", digest: "SHA1"
+ encryptor.rotate secrets[:old], "old sign", cipher: "aes-256-cbc"
- assert_equal "message encrypted with old raw keys", encryptor.decrypt_and_verify(old_message)
+ assert_equal "old", encryptor.decrypt_and_verify(old_message)
end
- def test_with_rotated_aes_cbc_encryptor_with_secret_and_salts
- old_secret, old_salt, old_signed_salt = SecureRandom.random_bytes(32), "old salt", "old signed salt"
-
- old_key_gen = ActiveSupport::KeyGenerator.new(old_secret, iterations: 1000)
- old_raw_key = old_key_gen.generate_key(old_salt, 32)
- old_raw_signed_key = old_key_gen.generate_key(old_signed_salt)
-
- old_encryptor = ActiveSupport::MessageEncryptor.new(old_raw_key, old_raw_signed_key, cipher: "aes-256-cbc", digest: "SHA1")
- old_message = old_encryptor.encrypt_and_sign("message encrypted with old secret and salts")
+ def test_multiple_rotations
+ older_message = ActiveSupport::MessageEncryptor.new(secrets[:older], "older sign").encrypt_and_sign("older")
+ old_message = ActiveSupport::MessageEncryptor.new(secrets[:old], "old sign").encrypt_and_sign("old")
encryptor = ActiveSupport::MessageEncryptor.new(@secret)
- encryptor.rotate secret: old_secret, salt: old_salt, signed_salt: old_signed_salt, cipher: "aes-256-cbc", digest: "SHA1"
+ encryptor.rotate secrets[:old], "old sign"
+ encryptor.rotate secrets[:older], "older sign"
- assert_equal "message encrypted with old secret and salts", encryptor.decrypt_and_verify(old_message)
+ assert_equal "new", encryptor.decrypt_and_verify(encryptor.encrypt_and_sign("new"))
+ assert_equal "old", encryptor.decrypt_and_verify(old_message)
+ assert_equal "older", encryptor.decrypt_and_verify(older_message)
end
- def test_with_rotating_multiple_encryptors
- older_raw_key, older_raw_signed_key = SecureRandom.random_bytes(32), SecureRandom.random_bytes(16)
- old_raw_key, old_raw_signed_key = SecureRandom.random_bytes(32), SecureRandom.random_bytes(16)
-
- older_encryptor = ActiveSupport::MessageEncryptor.new(older_raw_key, older_raw_signed_key, cipher: "aes-256-cbc", digest: "SHA1")
- older_message = older_encryptor.encrypt_and_sign("message encrypted with older raw key")
-
- old_encryptor = ActiveSupport::MessageEncryptor.new(old_raw_key, old_raw_signed_key, cipher: "aes-256-cbc", digest: "SHA1")
- old_message = old_encryptor.encrypt_and_sign("message encrypted with old raw key")
+ def test_on_rotation_is_called_and_returns_modified_messages
+ older_message = ActiveSupport::MessageEncryptor.new(secrets[:older], "older sign").encrypt_and_sign(encoded: "message")
encryptor = ActiveSupport::MessageEncryptor.new(@secret)
- encryptor.rotate raw_key: old_raw_key, raw_signed_key: old_raw_signed_key, cipher: "aes-256-cbc", digest: "SHA1"
- encryptor.rotate raw_key: older_raw_key, raw_signed_key: older_raw_signed_key, cipher: "aes-256-cbc", digest: "SHA1"
-
- assert_equal "encrypted message", encryptor.decrypt_and_verify(encryptor.encrypt_and_sign("encrypted message"))
- assert_equal "message encrypted with old raw key", encryptor.decrypt_and_verify(old_message)
- assert_equal "message encrypted with older raw key", encryptor.decrypt_and_verify(older_message)
- end
+ encryptor.rotate secrets[:old]
+ encryptor.rotate secrets[:older], "older sign"
- def test_on_rotation_instance_callback_is_called_and_returns_modified_messages
- callback_ran, message = nil, nil
+ rotated = false
+ message = encryptor.decrypt_and_verify(older_message, on_rotation: proc { rotated = true })
- older_raw_key, older_raw_signed_key = SecureRandom.random_bytes(32), SecureRandom.random_bytes(16)
- old_raw_key, old_raw_signed_key = SecureRandom.random_bytes(32), SecureRandom.random_bytes(16)
-
- older_encryptor = ActiveSupport::MessageEncryptor.new(older_raw_key, older_raw_signed_key, cipher: "aes-256-cbc", digest: "SHA1")
- older_message = older_encryptor.encrypt_and_sign(encoded: "message")
-
- encryptor = ActiveSupport::MessageEncryptor.new(@secret)
- encryptor.rotate raw_key: old_raw_key, raw_signed_key: old_raw_signed_key, cipher: "aes-256-cbc", digest: "SHA1"
- encryptor.rotate raw_key: older_raw_key, raw_signed_key: older_raw_signed_key, cipher: "aes-256-cbc", digest: "SHA1"
-
- message = encryptor.decrypt_and_verify(older_message, on_rotation: proc { callback_ran = true })
-
- assert callback_ran, "callback was ran"
assert_equal({ encoded: "message" }, message)
+ assert rotated
end
def test_with_rotated_metadata
- old_secret, old_salt = SecureRandom.random_bytes(32), "old salt"
- old_raw_key = ActiveSupport::KeyGenerator.new(old_secret, iterations: 1000).generate_key(old_salt, 32)
-
- old_encryptor = ActiveSupport::MessageEncryptor.new(old_raw_key, cipher: "aes-256-gcm")
- old_message = old_encryptor.encrypt_and_sign(
- "message encrypted with old secret, salt, and metadata", purpose: "rotation")
+ old_message = ActiveSupport::MessageEncryptor.new(secrets[:old], cipher: "aes-256-gcm").
+ encrypt_and_sign("metadata", purpose: :rotation)
encryptor = ActiveSupport::MessageEncryptor.new(@secret, cipher: "aes-256-gcm")
- encryptor.rotate secret: old_secret, salt: old_salt, cipher: "aes-256-gcm"
+ encryptor.rotate secrets[:old]
- assert_equal "message encrypted with old secret, salt, and metadata",
- encryptor.decrypt_and_verify(old_message, purpose: "rotation")
+ assert_equal "metadata", encryptor.decrypt_and_verify(old_message, purpose: :rotation)
end
private
@@ -252,6 +200,10 @@ class MessageEncryptorTest < ActiveSupport::TestCase
end
end
+ def secrets
+ @secrets ||= Hash.new { |h,k| h[k] = SecureRandom.random_bytes(32) }
+ end
+
def munge(base64_string)
bits = ::Base64.strict_decode64(base64_string)
bits.reverse!
diff --git a/activesupport/test/message_verifier_test.rb b/activesupport/test/message_verifier_test.rb
index 3079c48c02..05d5c1cbc3 100644
--- a/activesupport/test/message_verifier_test.rb
+++ b/activesupport/test/message_verifier_test.rb
@@ -92,93 +92,49 @@ class MessageVerifierTest < ActiveSupport::TestCase
assert_equal @data, @verifier.verify(signed_message)
end
- def test_with_rotated_raw_key
- old_raw_key = SecureRandom.random_bytes(32)
-
- old_verifier = ActiveSupport::MessageVerifier.new(old_raw_key, digest: "SHA1")
- old_message = old_verifier.generate("message verified with old raw key")
-
- verifier = ActiveSupport::MessageVerifier.new(@secret, digest: "SHA1")
- verifier.rotate raw_key: old_raw_key, digest: "SHA1"
-
- assert_equal "message verified with old raw key", verifier.verified(old_message)
- end
-
- def test_with_rotated_secret_and_salt
- old_secret, old_salt = SecureRandom.random_bytes(32), "old salt"
-
- old_raw_key = ActiveSupport::KeyGenerator.new(old_secret, iterations: 1000).generate_key(old_salt)
- old_verifier = ActiveSupport::MessageVerifier.new(old_raw_key, digest: "SHA1")
- old_message = old_verifier.generate("message verified with old secret and salt")
+ def test_rotating_secret
+ old_message = ActiveSupport::MessageVerifier.new("old", digest: "SHA1").generate("old")
verifier = ActiveSupport::MessageVerifier.new(@secret, digest: "SHA1")
- verifier.rotate secret: old_secret, salt: old_salt, digest: "SHA1"
+ verifier.rotate "old"
- assert_equal "message verified with old secret and salt", verifier.verified(old_message)
+ assert_equal "old", verifier.verified(old_message)
end
- def test_with_rotated_key_generator
- old_key_gen, old_salt = ActiveSupport::KeyGenerator.new(SecureRandom.random_bytes(32), iterations: 256), "old salt"
+ def test_multiple_rotations
+ old_message = ActiveSupport::MessageVerifier.new("old", digest: "SHA256").generate("old")
+ older_message = ActiveSupport::MessageVerifier.new("older", digest: "SHA1").generate("older")
- old_raw_key = old_key_gen.generate_key(old_salt)
- old_verifier = ActiveSupport::MessageVerifier.new(old_raw_key, digest: "SHA1")
- old_message = old_verifier.generate("message verified with old key generator and salt")
+ verifier = ActiveSupport::MessageVerifier.new(@secret, digest: "SHA512")
+ verifier.rotate "old", digest: "SHA256"
+ verifier.rotate "older", digest: "SHA1"
- verifier = ActiveSupport::MessageVerifier.new(@secret, digest: "SHA1")
- verifier.rotate key_generator: old_key_gen, salt: old_salt, digest: "SHA1"
-
- assert_equal "message verified with old key generator and salt", verifier.verified(old_message)
+ assert_equal "new", verifier.verified(verifier.generate("new"))
+ assert_equal "old", verifier.verified(old_message)
+ assert_equal "older", verifier.verified(older_message)
end
- def test_with_rotating_multiple_verifiers
- old_raw_key, older_raw_key = SecureRandom.random_bytes(32), SecureRandom.random_bytes(32)
-
- old_verifier = ActiveSupport::MessageVerifier.new(old_raw_key, digest: "SHA256")
- old_message = old_verifier.generate("message verified with old raw key")
+ def test_on_rotation_is_called_and_verified_returns_message
+ older_message = ActiveSupport::MessageVerifier.new("older", digest: "SHA1").generate(encoded: "message")
- older_verifier = ActiveSupport::MessageVerifier.new(older_raw_key, digest: "SHA1")
- older_message = older_verifier.generate("message verified with older raw key")
+ verifier = ActiveSupport::MessageVerifier.new(@secret, digest: "SHA512")
+ verifier.rotate "old", digest: "SHA256"
+ verifier.rotate "older", digest: "SHA1"
- verifier = ActiveSupport::MessageVerifier.new("new secret", digest: "SHA512")
- verifier.rotate raw_key: old_raw_key, digest: "SHA256"
- verifier.rotate raw_key: older_raw_key, digest: "SHA1"
+ rotated = false
+ message = verifier.verified(older_message, on_rotation: proc { rotated = true })
- assert_equal "verified message", verifier.verified(verifier.generate("verified message"))
- assert_equal "message verified with old raw key", verifier.verified(old_message)
- assert_equal "message verified with older raw key", verifier.verified(older_message)
- end
-
- def test_on_rotation_keyword_block_is_called_and_verified_returns_message
- callback_ran, message = nil, nil
-
- old_raw_key, older_raw_key = SecureRandom.random_bytes(32), SecureRandom.random_bytes(32)
-
- older_verifier = ActiveSupport::MessageVerifier.new(older_raw_key, digest: "SHA1")
- older_message = older_verifier.generate(encoded: "message")
-
- verifier = ActiveSupport::MessageVerifier.new("new secret", digest: "SHA512")
- verifier.rotate raw_key: old_raw_key, digest: "SHA256"
- verifier.rotate raw_key: older_raw_key, digest: "SHA1"
-
- message = verifier.verified(older_message, on_rotation: proc { callback_ran = true })
-
- assert callback_ran, "callback was ran"
assert_equal({ encoded: "message" }, message)
+ assert rotated
end
- def test_with_rotated_metadata
- old_secret, old_salt = SecureRandom.random_bytes(32), "old salt"
+ def test_rotations_with_metadata
+ old_message = ActiveSupport::MessageVerifier.new("old").generate("old", purpose: :rotation)
- old_raw_key = ActiveSupport::KeyGenerator.new(old_secret, iterations: 1000).generate_key(old_salt)
- old_verifier = ActiveSupport::MessageVerifier.new(old_raw_key, digest: "SHA1")
- old_message = old_verifier.generate(
- "message verified with old secret, salt, and metadata", purpose: "rotation")
-
- verifier = ActiveSupport::MessageVerifier.new(@secret, digest: "SHA1")
- verifier.rotate secret: old_secret, salt: old_salt, digest: "SHA1"
+ verifier = ActiveSupport::MessageVerifier.new(@secret)
+ verifier.rotate "old"
- assert_equal "message verified with old secret, salt, and metadata",
- verifier.verified(old_message, purpose: "rotation")
+ assert_equal "old", verifier.verified(old_message, purpose: :rotation)
end
end
diff --git a/activesupport/test/messages/rotation_configuration_test.rb b/activesupport/test/messages/rotation_configuration_test.rb
index 41d938e119..2f6824ed21 100644
--- a/activesupport/test/messages/rotation_configuration_test.rb
+++ b/activesupport/test/messages/rotation_configuration_test.rb
@@ -9,35 +9,17 @@ class MessagesRotationConfiguration < ActiveSupport::TestCase
end
def test_signed_configurations
- @config.rotate :signed, secret: "older secret", salt: "salt", digest: "SHA1"
- @config.rotate :signed, secret: "old secret", salt: "salt", digest: "SHA256"
+ @config.rotate :signed, "older secret", salt: "salt", digest: "SHA1"
+ @config.rotate :signed, "old secret", salt: "salt", digest: "SHA256"
- assert_equal [{
- secret: "older secret", salt: "salt", digest: "SHA1"
- }, {
- secret: "old secret", salt: "salt", digest: "SHA256"
- }], @config.signed
+ assert_equal [
+ [ "older secret", salt: "salt", digest: "SHA1" ],
+ [ "old secret", salt: "salt", digest: "SHA256" ] ], @config.signed
end
def test_encrypted_configurations
- @config.rotate :encrypted, raw_key: "old raw key", cipher: "aes-256-gcm"
+ @config.rotate :encrypted, "old raw key", cipher: "aes-256-gcm"
- assert_equal [{
- raw_key: "old raw key", cipher: "aes-256-gcm"
- }], @config.encrypted
- end
-
- def test_rotate_without_kind
- @config.rotate secret: "older secret", salt: "salt", digest: "SHA1"
- @config.rotate raw_key: "old raw key", cipher: "aes-256-gcm"
-
- expected = [{
- secret: "older secret", salt: "salt", digest: "SHA1"
- }, {
- raw_key: "old raw key", cipher: "aes-256-gcm"
- }]
-
- assert_equal expected, @config.encrypted
- assert_equal expected, @config.signed
+ assert_equal [ [ "old raw key", cipher: "aes-256-gcm" ] ], @config.encrypted
end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-18 20:12:57 +0000