5 files changed, 107 insertions, 25 deletions

diff --git a/railties/test/application/current_attributes_integration_test.rb b/railties/test/application/current_attributes_integration_test.rb
index b6659f296a..5653ec0be1 100644
--- a/railties/test/application/current_attributes_integration_test.rb
+++ b/railties/test/application/current_attributes_integration_test.rb
@@ -52,19 +52,6 @@ class CurrentAttributesIntegrationTest < ActiveSupport::TestCase
       <%= Current.customer.try(:name) || 'noone' %>,<%= Time.zone.name %>
     RUBY
 
-    app_file "app/executor_intercept.rb", <<-RUBY
-      check_state = -> { puts [ Current.customer.try(:name) || "noone", Time.zone.name ].join(",") }
-
-      check_state.call
-
-      Rails.application.executor.wrap do
-        Current.customer = Customer.new("david")
-        check_state.call
-      end
-
-      check_state.call
-    RUBY
-
     require "#{app_path}/config/environment"
   end
 
@@ -81,8 +68,17 @@ class CurrentAttributesIntegrationTest < ActiveSupport::TestCase
   end
 
   test "resets after execution" do
-    Dir.chdir(app_path) do
-      assert_equal "noone,UTC\ndavid,Copenhagen\nnoone,UTC\n", `bin/rails runner app/executor_intercept.rb`
+    assert_nil Current.customer
+    assert_equal "UTC", Time.zone.name
+
+    Rails.application.executor.wrap do
+      Current.customer = Customer.new("david")
+
+      assert_equal "david", Current.customer.name
+      assert_equal "Copenhagen", Time.zone.name
     end
+
+    assert_nil Current.customer
+    assert_equal "UTC", Time.zone.name
   end
 end
diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb
index 959a629ede..a14ea589ed 100644
--- a/railties/test/application/middleware/session_test.rb
+++ b/railties/test/application/middleware/session_test.rb
@@ -162,6 +162,11 @@ module ApplicationTests
         end
       RUBY
 
+      add_to_config <<-RUBY
+        # Enable AEAD cookies
+        config.action_dispatch.use_authenticated_cookie_encryption = true
+      RUBY
+
       require "#{app_path}/config/environment"
 
       get "/foo/write_session"
@@ -171,9 +176,9 @@ module ApplicationTests
       get "/foo/read_encrypted_cookie"
       assert_equal "1", last_response.body
 
-      secret = app.key_generator.generate_key("encrypted cookie")
-      sign_secret = app.key_generator.generate_key("signed encrypted cookie")
-      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret)
+      cipher = "aes-256-gcm"
+      secret = app.key_generator.generate_key("authenticated encrypted cookie")
+      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher)
 
       get "/foo/read_raw_cookie"
       assert_equal 1, encryptor.decrypt_and_verify(last_response.body)["foo"]
@@ -209,6 +214,9 @@ module ApplicationTests
 
       add_to_config <<-RUBY
         secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
+
+        # Enable AEAD cookies
+        config.action_dispatch.use_authenticated_cookie_encryption = true
       RUBY
 
       require "#{app_path}/config/environment"
@@ -220,9 +228,9 @@ module ApplicationTests
       get "/foo/read_encrypted_cookie"
       assert_equal "1", last_response.body
 
-      secret = app.key_generator.generate_key("encrypted cookie")
-      sign_secret = app.key_generator.generate_key("signed encrypted cookie")
-      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret)
+      cipher = "aes-256-gcm"
+      secret = app.key_generator.generate_key("authenticated encrypted cookie")
+      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher)
 
       get "/foo/read_raw_cookie"
       assert_equal 1, encryptor.decrypt_and_verify(last_response.body)["foo"]
@@ -264,6 +272,73 @@ module ApplicationTests
 
       add_to_config <<-RUBY
         secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
+
+        # Enable AEAD cookies
+        config.action_dispatch.use_authenticated_cookie_encryption = true
+      RUBY
+
+      require "#{app_path}/config/environment"
+
+      get "/foo/write_raw_session"
+      get "/foo/read_session"
+      assert_equal "1", last_response.body
+
+      get "/foo/write_session"
+      get "/foo/read_session"
+      assert_equal "2", last_response.body
+
+      get "/foo/read_encrypted_cookie"
+      assert_equal "2", last_response.body
+
+      cipher = "aes-256-gcm"
+      secret = app.key_generator.generate_key("authenticated encrypted cookie")
+      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher)
+
+      get "/foo/read_raw_cookie"
+      assert_equal 2, encryptor.decrypt_and_verify(last_response.body)["foo"]
+    end
+
+    test "session upgrading from AES-CBC-HMAC encryption to AES-GCM encryption" do
+      app_file "config/routes.rb", <<-RUBY
+        Rails.application.routes.draw do
+          get ':controller(/:action)'
+        end
+      RUBY
+
+      controller :foo, <<-RUBY
+        class FooController < ActionController::Base
+          def write_raw_session
+            # AES-256-CBC with SHA1 HMAC
+            # {"session_id"=>"1965d95720fffc123941bdfb7d2e6870", "foo"=>1}
+            cookies[:_myapp_session] = "TlgrdS85aUpDd1R2cDlPWlR6K0FJeGExckwySjZ2Z0pkR3d2QnRObGxZT25aalJWYWVvbFVLcHF4d0VQVDdSaFF2QjFPbG9MVjJzeWp3YjcyRUlKUUU2ZlR4bXlSNG9ZUkJPRUtld0E3dVU9LS0xNDZXbGpRZ3NjdW43N2haUEZJSUNRPT0=--3639b5ce54c09495cfeaae928cd5634e0c4b2e96"
+            head :ok
+          end
+
+          def write_session
+            session[:foo] = session[:foo] + 1
+            head :ok
+          end
+
+          def read_session
+            render plain: session[:foo]
+          end
+
+          def read_encrypted_cookie
+            render plain: cookies.encrypted[:_myapp_session]['foo']
+          end
+
+          def read_raw_cookie
+            render plain: cookies[:_myapp_session]
+          end
+        end
+      RUBY
+
+      add_to_config <<-RUBY
+        # Use a static key
+        secrets.secret_key_base = "known key base"
+
+        # Enable AEAD cookies
+        config.action_dispatch.use_authenticated_cookie_encryption = true
       RUBY
 
       require "#{app_path}/config/environment"
@@ -279,9 +354,9 @@ module ApplicationTests
       get "/foo/read_encrypted_cookie"
       assert_equal "2", last_response.body
 
-      secret = app.key_generator.generate_key("encrypted cookie")
-      sign_secret = app.key_generator.generate_key("signed encrypted cookie")
-      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret)
+      cipher = "aes-256-gcm"
+      secret = app.key_generator.generate_key("authenticated encrypted cookie")
+      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher)
 
       get "/foo/read_raw_cookie"
       assert_equal 2, encryptor.decrypt_and_verify(last_response.body)["foo"]
diff --git a/railties/test/commands/secrets_test.rb b/railties/test/commands/secrets_test.rb
index fb8fd2325e..be610f3b47 100644
--- a/railties/test/commands/secrets_test.rb
+++ b/railties/test/commands/secrets_test.rb
@@ -23,7 +23,7 @@ class Rails::Command::SecretsCommandTest < ActiveSupport::TestCase
 
     # Run twice to ensure encrypted secrets can be reread after first edit pass.
     2.times do
-      assert_match(/external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289…/, run_edit_command)
+      assert_match(/external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289/, run_edit_command)
     end
   end
 
diff --git a/railties/test/commands/server_test.rb b/railties/test/commands/server_test.rb
index 7731d10d9b..722323efdc 100644
--- a/railties/test/commands/server_test.rb
+++ b/railties/test/commands/server_test.rb
@@ -165,6 +165,12 @@ class Rails::ServerTest < ActiveSupport::TestCase
 
     server_options = parse_arguments(["--port", 3001])
     assert_equal [:Port], server_options[:user_supplied_options]
+
+    server_options = parse_arguments(["-p3001", "-C", "--binding", "127.0.0.1"])
+    assert_equal [:Port, :Host, :caching], server_options[:user_supplied_options]
+
+    server_options = parse_arguments(["--port=3001"])
+    assert_equal [:Port], server_options[:user_supplied_options]
   end
 
   def test_default_options
diff --git a/railties/test/generators/system_test_generator_test.rb b/railties/test/generators/system_test_generator_test.rb
index e8e561ec49..4622360244 100644
--- a/railties/test/generators/system_test_generator_test.rb
+++ b/railties/test/generators/system_test_generator_test.rb
@@ -9,4 +9,9 @@ class SystemTestGeneratorTest < Rails::Generators::TestCase
     run_generator
     assert_file "test/system/users_test.rb", /class UsersTest < ApplicationSystemTestCase/
   end
+
+  def test_namespaced_system_test_skeleton_is_created
+    run_generator %w(admin/user)
+    assert_file "test/system/admin/users_test.rb", /class Admin::UsersTest < ApplicationSystemTestCase/
+  end
 end