diff options
Diffstat (limited to 'railties')
11 files changed, 115 insertions, 30 deletions
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb index 9ef001c7d0..b7844bbfbe 100644 --- a/railties/lib/rails/application.rb +++ b/railties/lib/rails/application.rb @@ -1,5 +1,7 @@ require 'fileutils' require 'active_support/queueing' +# FIXME remove DummyKeyGenerator and this require in 4.1 +require 'active_support/key_generator' require 'rails/engine' module Rails @@ -106,32 +108,57 @@ module Rails def key_generator # number of iterations selected based on consultation with the google security # team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220 - @key_generator ||= ActiveSupport::KeyGenerator.new(config.secret_token, iterations: 1000) + @caching_key_generator ||= begin + if config.secret_key_base + key_generator = ActiveSupport::KeyGenerator.new(config.secret_key_base, iterations: 1000) + ActiveSupport::CachingKeyGenerator.new(key_generator) + else + ActiveSupport::DummyKeyGenerator.new(config.secret_token) + end + end end # Stores some of the Rails initial environment parameters which # will be used by middlewares and engines to configure themselves. # Currently stores: # - # * "action_dispatch.parameter_filter" => config.filter_parameters, - # * "action_dispatch.secret_token" => config.secret_token, - # * "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions, - # * "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local, - # * "action_dispatch.logger" => Rails.logger, - # * "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner + # * "action_dispatch.parameter_filter" => config.filter_parameters + # * "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions + # * "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local + # * "action_dispatch.logger" => Rails.logger + # * "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner + # * "action_dispatch.key_generator" => key_generator + # * "action_dispatch.http_auth_salt" => config.action_dispatch.http_auth_salt + # * "action_dispatch.signed_cookie_salt" => config.action_dispatch.signed_cookie_salt + # * "action_dispatch.encrypted_cookie_salt" => config.action_dispatch.encrypted_cookie_salt + # * "action_dispatch.encrypted_signed_cookie_salt" => config.action_dispatch.encrypted_signed_cookie_salt # # These parameters will be used by middlewares and engines to configure themselves # def env_config - @env_config ||= super.merge({ - "action_dispatch.parameter_filter" => config.filter_parameters, - "action_dispatch.secret_token" => config.secret_token, - "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions, - "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local, - "action_dispatch.logger" => Rails.logger, - "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner, - "action_dispatch.key_generator" => key_generator - }) + @env_config ||= begin + if config.secret_key_base.nil? + ActiveSupport::Deprecation.warn "You didn't set config.secret_key_base. " + + "This should be used instead of the old deprecated config.secret_token. " + + "Set config.secret_key_base instead of config.secret_token in config/initializers/secret_token.rb" + if config.secret_token.blank? + raise "You must set config.secret_key_base in your app's config" + end + end + + super.merge({ + "action_dispatch.parameter_filter" => config.filter_parameters, + "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions, + "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local, + "action_dispatch.logger" => Rails.logger, + "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner, + "action_dispatch.key_generator" => key_generator, + "action_dispatch.http_auth_salt" => config.action_dispatch.http_auth_salt, + "action_dispatch.signed_cookie_salt" => config.action_dispatch.signed_cookie_salt, + "action_dispatch.encrypted_cookie_salt" => config.action_dispatch.encrypted_cookie_salt, + "action_dispatch.encrypted_signed_cookie_salt" => config.action_dispatch.encrypted_signed_cookie_salt + }) + end end ## Rails internal API diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb index cc21213f1c..f97e66985c 100644 --- a/railties/lib/rails/application/configuration.rb +++ b/railties/lib/rails/application/configuration.rb @@ -10,7 +10,7 @@ module Rails :cache_classes, :cache_store, :consider_all_requests_local, :console, :eager_load, :exceptions_app, :file_watcher, :filter_parameters, :force_ssl, :helpers_paths, :logger, :log_formatter, :log_tags, - :railties_order, :relative_url_root, :secret_token, + :railties_order, :relative_url_root, :secret_key_base, :secret_token, :serve_static_assets, :ssl_options, :static_cache_control, :session_options, :time_zone, :reload_classes_only_on_change, :queue, :queue_consumer, :beginning_of_week @@ -46,6 +46,8 @@ module Rails @queue = ActiveSupport::SynchronousQueue.new @queue_consumer = nil @eager_load = nil + @secret_token = nil + @secret_key_base = nil @assets = ActiveSupport::OrderedOptions.new @assets.enabled = false diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt index 3c5611ca59..e5caab3672 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt @@ -7,6 +7,6 @@ # no regular words or you'll be exposed to dictionary attacks. # You can use `rake secret` to generate a secure secret key. -# Make sure your secret_token is kept private +# Make sure your secret_key_base is kept private # if you're sharing your code publicly. -<%= app_const %>.config.secret_token = '<%= app_secret %>' +<%= app_const %>.config.secret_key_base = '<%= app_secret %>' diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt index 4a099a4ce2..df07de9922 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt @@ -1,3 +1,3 @@ # Be sure to restart your server when you modify this file. -<%= app_const %>.config.session_store :cookie_store, key: <%= "'_#{app_name}_session'" %> +<%= app_const %>.config.session_store :encrypted_cookie_store, key: <%= "'_#{app_name}_session'" %> diff --git a/railties/test/abstract_unit.rb b/railties/test/abstract_unit.rb index dfcf5aa27d..2ea1d2aff4 100644 --- a/railties/test/abstract_unit.rb +++ b/railties/test/abstract_unit.rb @@ -14,5 +14,6 @@ require 'rails/all' module TestApp class Application < Rails::Application config.root = File.dirname(__FILE__) + config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33' end end diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb index c4c1100f19..b9d18f4582 100644 --- a/railties/test/application/configuration_test.rb +++ b/railties/test/application/configuration_test.rb @@ -225,21 +225,24 @@ module ApplicationTests assert_equal Pathname.new(app_path).join("somewhere"), Rails.public_path end - test "config.secret_token is sent in env" do + test "Use key_generator when secret_key_base is set" do make_basic_app do |app| - app.config.secret_token = 'b3c631c314c0bbca50c1b2843150fe33' + app.config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33' app.config.session_store :disabled end class ::OmgController < ActionController::Base def index cookies.signed[:some_key] = "some_value" - render text: env["action_dispatch.secret_token"] + render text: cookies[:some_key] end end get "/" - assert_equal 'b3c631c314c0bbca50c1b2843150fe33', last_response.body + + secret = app.key_generator.generate_key('signed cookie') + verifier = ActiveSupport::MessageVerifier.new(secret) + assert_equal 'some_value', verifier.verify(last_response.body) end test "protect from forgery is the default in a new app" do @@ -568,7 +571,6 @@ module ApplicationTests assert_respond_to app, :env_config assert_equal app.env_config['action_dispatch.parameter_filter'], app.config.filter_parameters - assert_equal app.env_config['action_dispatch.secret_token'], app.config.secret_token assert_equal app.env_config['action_dispatch.show_exceptions'], app.config.action_dispatch.show_exceptions assert_equal app.env_config['action_dispatch.logger'], Rails.logger assert_equal app.env_config['action_dispatch.backtrace_cleaner'], Rails.backtrace_cleaner diff --git a/railties/test/application/middleware/remote_ip_test.rb b/railties/test/application/middleware/remote_ip_test.rb index 9d97bae9ae..fde13eeb94 100644 --- a/railties/test/application/middleware/remote_ip_test.rb +++ b/railties/test/application/middleware/remote_ip_test.rb @@ -1,4 +1,6 @@ require 'isolation/abstract_unit' +# FIXME remove DummyKeyGenerator and this require in 4.1 +require 'active_support/key_generator' module ApplicationTests class RemoteIpTest < ActiveSupport::TestCase @@ -8,7 +10,7 @@ module ApplicationTests remote_ip = nil env = Rack::MockRequest.env_for("/").merge(env).merge!( 'action_dispatch.show_exceptions' => false, - 'action_dispatch.secret_token' => 'b3c631c314c0bbca50c1b2843150fe33' + 'action_dispatch.key_generator' => ActiveSupport::DummyKeyGenerator.new('b3c631c314c0bbca50c1b2843150fe33') ) endpoint = Proc.new do |e| diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb index 5ce41caf61..b1a19d590c 100644 --- a/railties/test/application/middleware/session_test.rb +++ b/railties/test/application/middleware/session_test.rb @@ -128,5 +128,56 @@ module ApplicationTests get '/foo/read_cookie' # Cookie shouldn't be changed assert_equal '"1"', last_response.body end + + test "session using encrypted cookie store" do + app_file 'config/routes.rb', <<-RUBY + AppTemplate::Application.routes.draw do + get ':controller(/:action)' + end + RUBY + + controller :foo, <<-RUBY + class FooController < ActionController::Base + def write_session + session[:foo] = 1 + render nothing: true + end + + def read_session + render text: session[:foo] + end + + def read_encrypted_cookie + render text: cookies.encrypted[:_myapp_session]['foo'] + end + + def read_raw_cookie + render text: cookies[:_myapp_session] + end + end + RUBY + + add_to_config <<-RUBY + config.session_store :encrypted_cookie_store, key: '_myapp_session' + config.action_dispatch.derive_signed_cookie_key = true + RUBY + + require "#{app_path}/config/environment" + + get '/foo/write_session' + get '/foo/write_session' + get '/foo/read_session' + assert_equal '1', last_response.body + + get '/foo/read_encrypted_cookie' + assert_equal '1', last_response.body + + secret = app.key_generator.generate_key('encrypted cookie') + sign_secret = app.key_generator.generate_key('signed encrypted cookie') + encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret) + + get '/foo/read_raw_cookie' + assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo'] + end end end diff --git a/railties/test/application/url_generation_test.rb b/railties/test/application/url_generation_test.rb index 2a48adae5c..0905757442 100644 --- a/railties/test/application/url_generation_test.rb +++ b/railties/test/application/url_generation_test.rb @@ -14,7 +14,7 @@ module ApplicationTests require "action_controller/railtie" class MyApp < Rails::Application - config.secret_token = "3b7cd727ee24e8444053437c36cc66c4" + config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4" config.session_store :cookie_store, key: "_myapp_session" config.active_support.deprecation = :log config.eager_load = false diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb index 62e1f3531e..5ea31f2e0f 100644 --- a/railties/test/generators/app_generator_test.rb +++ b/railties/test/generators/app_generator_test.rb @@ -341,7 +341,7 @@ class AppGeneratorTest < Rails::Generators::TestCase def test_new_hash_style run_generator [destination_root] assert_file "config/initializers/session_store.rb" do |file| - assert_match(/config.session_store :cookie_store, key: '_.+_session'/, file) + assert_match(/config.session_store :encrypted_cookie_store, key: '_.+_session'/, file) end end diff --git a/railties/test/isolation/abstract_unit.rb b/railties/test/isolation/abstract_unit.rb index e59488f97d..0cb65f8e0d 100644 --- a/railties/test/isolation/abstract_unit.rb +++ b/railties/test/isolation/abstract_unit.rb @@ -119,7 +119,7 @@ module TestHelpers add_to_config <<-RUBY config.eager_load = false - config.secret_token = "3b7cd727ee24e8444053437c36cc66c4" + config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4" config.session_store :cookie_store, key: "_myapp_session" config.active_support.deprecation = :log config.action_controller.allow_forgery_protection = false @@ -138,7 +138,7 @@ module TestHelpers app = Class.new(Rails::Application) app.config.eager_load = false - app.config.secret_token = "3b7cd727ee24e8444053437c36cc66c4" + app.config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4" app.config.session_store :cookie_store, key: "_myapp_session" app.config.active_support.deprecation = :log |