aboutsummaryrefslogtreecommitdiffstats
path: root/activesupport/lib/active_support/message_encryptor.rb
Commit message (Collapse)AuthorAgeFilesLines
* Fix small typo in docs Conrad Beach2019-02-151-1/+1
| | | | | [ci skip]
* Add `Style/RedundantFreeze` to remove redudant `.freeze`Yasuo Honda2018-09-291-1/+1
| | | | | | | | | | | | | | | | | | | | | Since Rails 6.0 will support Ruby 2.4.1 or higher `# frozen_string_literal: true` magic comment is enough to make string object frozen. This magic comment is enabled by `Style/FrozenStringLiteralComment` cop. * Exclude these files not to auto correct false positive `Regexp#freeze` - 'actionpack/lib/action_dispatch/journey/router/utils.rb' - 'activerecord/lib/active_record/connection_adapters/sqlite3_adapter.rb' It has been fixed by https://github.com/rubocop-hq/rubocop/pull/6333 Once the newer version of RuboCop released and available at Code Climate these exclude entries should be removed. * Replace `String#freeze` with `String#-@` manually if explicit frozen string objects are required - 'actionpack/test/controller/test_case_test.rb' - 'activemodel/test/cases/type/string_test.rb' - 'activesupport/lib/active_support/core_ext/string/strip.rb' - 'activesupport/test/core_ext/string_ext_test.rb' - 'railties/test/generators/actions_test.rb'
* Turn on performance based copsDillon Welch2018-07-231-3/+1
| | | | | | | | | | | | | | | | Use attr_reader/attr_writer instead of methods method is 12% slower Use flat_map over map.flatten(1) flatten is 66% slower Use hash[]= instead of hash.merge! with single arguments merge! is 166% slower See https://github.com/rails/rails/pull/32337 for more conversation
* Adding missing extension for `cattr_accessor` methodWojciech Wnętrzak2018-03-301-0/+1
|
* Allow use_authenticated_message_encryption to be set in ↵Eugene Kenny2018-01-071-2/+2
| | | | | | | | | | new_framework_defaults_5_2.rb Enabling this option in new_framework_defaults_5_2.rb didn't work before, as railtie initializers run before application initializers. Using `respond_to?` to decide whether to set the option wasn't working either, as `ActiveSupport::OrderedOptions` responds to any message.
* Update incorrect backtick usage in RDoc to teletypeT.J. Schuck2017-11-221-2/+2
| | | [ci skip]
* [Active Support] require_relative => requireAkira Matsuda2017-10-211-3/+3
| | | | This basically reverts 8da30ad6be34339124ba4cb4e36aea260dda12bc
* Fix documentation [ci skip]Rafael Mendonça França2017-10-101-1/+1
|
* [ci skip] Attempt a new explanation for rotations.Kasper Timm Hansen2017-09-241-25/+21
| | | | | | | | | | | It's become clear to me that the use case is still a bit muddy and the upgrade path is going to be tough for people to figure out. This attempts at understanding it better through documentation, but still needs follow up work. [ Michael Coyne & Kasper Timm Hansen ]
* Add key rotation message Encryptor and VerifierMichael Coyne2017-09-231-1/+31
| | | | | | Both classes now have a rotate method where new instances are added for each call. When decryption or verification fails the next rotation instance is tried.
* Update links to use https instead of http [ci skip]Yoshiyuki Hirano2017-08-221-2/+2
|
* Perform self-serialization once metadata is involved.Kasper Timm Hansen2017-08-131-7/+7
| | | | Adds support for metadata even when using ActiveSupport::MessageEncryptor::NullSerializer.
* document metadata support added to message encryptor and message verifierAssain2017-07-241-0/+32
| | | | [ci skip]
* Add expires_at, expires_in, and purpose meta_data to messages.Assain2017-07-191-5/+6
|
* [Active Support] `rubocop -a --only Layout/EmptyLineAfterMagicComment`Koichi ITO2017-07-111-0/+1
|
* Merge pull request #29730 from bdewater/update-encryptor-docsKasper Timm Hansen2017-07-091-5/+6
|\ | | | | Update MessageEncryptor example to use dynamic key length
| * [ci skip] update MessageEncryptor example to use the key length as returned ↵Bart de Water2017-07-091-5/+6
| | | | | | | | by OpenSSL
* | Use frozen-string-literal in ActiveSupportKir Shatrov2017-07-091-0/+1
| |
* | Merge branch 'master' into require_relative_2017Xavier Noria2017-07-021-1/+1
|\ \
| * | Revert "Merge pull request #29540 from kirs/rubocop-frozen-string"Matthew Draper2017-07-021-1/+0
| | | | | | | | | | | | | | | This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
| * | Merge pull request #29540 from kirs/rubocop-frozen-stringMatthew Draper2017-07-021-0/+1
| |\ \ | | | | | | | | | | | | Enforce frozen string in Rubocop
| | * | Enforce frozen string in RubocopKir Shatrov2017-07-011-0/+1
| | |/
| * / Make ActiveSupport frozen string literal friendly.Pat Allan2017-06-201-1/+1
| |/ | | | | | | | | | | | | The ActiveSupport test suite only passes currently if it uses the latest unreleased commits for dalli, and a patch for Builder: https://github.com/tenderlove/builder/pull/6 Beyond that, all external dependencies (at least, to the extent they’re used by ActiveSupport) are happy, including Nokogiri as of 1.8.0.
* / [Active Support] require => require_relativeAkira Matsuda2017-07-011-2/+2
|/
* Fix `Message::Encryptor` default cipher [ci skip]yuuji.yaginuma2017-06-121-1/+1
| | | | Follow up of #29263
* set message_encryptor default cipher to aes-256-gcmAssain2017-06-121-4/+14
| | | | - Introduce a method to select default cipher, and maintain backward compatibility
* Merge pull request #29086 from mikeycgto/message-encryptor-auth-tag-checkKasper Timm Hansen2017-05-151-1/+1
|\ | | | | | | | | Message encryptor auth tag check Fixes MessageEncryptor when used in AEAD mode. Specifically, we need to check if the `auth_tag` is nil. This may arise when an AEAD encryptor is used to decrypt a ciphertext generated from a different mode, such as CBC-HMAC. Basically, the number of double dashes will differ and `auth_tag` may be nil in this case.
| * Fix for AEAD auth_tag check in MessageEncryptorMichael Coyne2017-05-151-1/+1
| | | | | | | | | | | | | | | | | | When MessageEncryptor tries to +decrypt_and_verify+ ciphertexts generated in a different mode (such CBC-HMAC), the +auth_tag+ may be +nil+ and must explicitly check for it. See the discussion here: https://github.com/rails/rails/pull/28132#discussion_r116388462
* | Tweak 28412Jon Moss2017-03-151-1/+1
| | | | | | | | | | | | PR was merged before I could finished reviewing :grimacing: [ci skip]
* | Merge pull request #28412 from benoittgt/add_doc_for_message_encryptor_newRafael França2017-03-151-0/+5
|\ \ | | | | | | Add documentation about signature_key for MessageEncryptor.new [ci skip]
| * | Add documentation about signature_key for MessageEncryptor.new [ci skip]Benoit Tigeot2017-03-151-0/+5
| |/
* / Use DEFAULT_CIPHER constant in MessageEncryptorLukas Zapletal2017-03-011-1/+1
|/
* Make sure we generate keys that can be used with the cipherRafael Mendonça França2017-01-041-4/+4
| | | | | | | | | We use aes-256-cbc cipher by default and it only accepts keys with 32 bytes at max. Closes #27576. [ci skip]
* Start passing cipher from EncryptedCookieJar since we use it to determine ↵Vipul A M2016-09-011-0/+7
| | | | key length
* Add three new rubocop rulesRafael Mendonça França2016-08-161-1/+1
| | | | | | | | Style/SpaceBeforeBlockBraces Style/SpaceInsideBlockBraces Style/SpaceInsideHashLiteralBraces Fix all violations in the repository.
* normalizes indentation and whitespace across the projectXavier Noria2016-08-061-51/+51
|
* applies new string literal convention in activesupport/libXavier Noria2016-08-061-6/+6
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Add rationale for manually checking auth_tag length, which got lost when ↵Bart de Water2016-07-271-0/+4
| | | | #25874 was squashed before merging [skip ci]
* Allow MessageEncryptor to take advantage of authenticated encryption modesBart de Water2016-07-211-4/+37
| | | | | | AEAD modes like `aes-256-gcm` provide both confidentiality and data authenticity, eliminating the need to use MessageVerifier to check if the encrypted data has been tampered with. Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>
* use OpenSSL::Cipher instead of deprecated OpenSSL::Cipher::Cipher for cipher ↵Vipul A M2016-05-291-1/+1
| | | | | | creation. Based on https://github.com/rails/rails/pull/25192#discussion_r65018222 and http://ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/Cipher/Cipher.html
* update docs for MessageEncryptor#new to recommend a KDF [ci skip]Paul Kehrer2015-11-101-2/+2
|
* Freeze string literals when not mutated.schneems2015-07-191-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I wrote a utility that helps find areas where you could optimize your program using a frozen string instead of a string literal, it's called [let_it_go](https://github.com/schneems/let_it_go). After going through the output and adding `.freeze` I was able to eliminate the creation of 1,114 string objects on EVERY request to [codetriage](codetriage.com). How does this impact execution? To look at memory: ```ruby require 'get_process_mem' mem = GetProcessMem.new GC.start GC.disable 1_114.times { " " } before = mem.mb after = mem.mb GC.enable puts "Diff: #{after - before} mb" ``` Creating 1,114 string objects results in `Diff: 0.03125 mb` of RAM allocated on every request. Or 1mb every 32 requests. To look at raw speed: ```ruby require 'benchmark/ips' number_of_objects_reduced = 1_114 Benchmark.ips do |x| x.report("freeze") { number_of_objects_reduced.times { " ".freeze } } x.report("no-freeze") { number_of_objects_reduced.times { " " } } end ``` We get the results ``` Calculating ------------------------------------- freeze 1.428k i/100ms no-freeze 609.000 i/100ms ------------------------------------------------- freeze 14.363k (± 8.5%) i/s - 71.400k no-freeze 6.084k (± 8.1%) i/s - 30.450k ``` Now we can do some maths: ```ruby ips = 6_226k # iterations / 1 second call_time_before = 1.0 / ips # seconds per iteration ips = 15_254 # iterations / 1 second call_time_after = 1.0 / ips # seconds per iteration diff = call_time_before - call_time_after number_of_objects_reduced * diff * 100 # => 0.4530373333993266 miliseconds saved per request ``` So we're shaving off 1 second of execution time for every 220 requests. Is this going to be an insane speed boost to any Rails app: nope. Should we merge it: yep. p.s. If you know of a method call that doesn't modify a string input such as [String#gsub](https://github.com/schneems/let_it_go/blob/b0e2da69f0cca87ab581022baa43291cdf48638c/lib/let_it_go/core_ext/string.rb#L37) please [give me a pull request to the appropriate file](https://github.com/schneems/let_it_go/blob/b0e2da69f0cca87ab581022baa43291cdf48638c/lib/let_it_go/core_ext/string.rb#L37), or open an issue in LetItGo so we can track and freeze more strings. Keep those strings Frozen ![](https://www.dropbox.com/s/z4dj9fdsv213r4v/let-it-go.gif?dl=1)
* Add config option for cookies digestŁukasz Strzałkowski2014-08-121-1/+2
| | | | | | You can now configure custom digest for cookies in the same way as `serializer`: config.action_dispatch.cookies_digest = 'SHA256'
* Allow session serializer key in config.session_storeLukasz Sarnacki2014-01-291-1/+1
| | | | | | | | | | | | | MessageEncryptor has :serializer option, where any serializer object can be passed. This commit make it possible to set this serializer from configuration level. There are predefined serializers (:marshal_serializer, :json_serialzier) and custom serializer can be passed as String, Symbol (camelized and constantized in ActionDispatch::Session namepspace) or serializer object. Default :json_serializer was also added to generators to provide secure defalt.
* Use `Base.strict_decode64` instead of `Base.decode64` just as we do in encoding;Vipul A M2013-05-161-3/+3
| | | | Also reduce extra object allocation by creating string directly instead of join on Array
* Merge pull request #9980 from stouset/patch-1Andrew White2013-04-261-4/+5
|\ | | | | | | | | Improve poor security recommendation in docs [ci skip]
| * Improve poor security recommendation in docsStephen Touset2013-03-281-4/+5
| | | | | | | | | | As reported in #9960, the current documentation recommends an insecure practice for key generation from a password (a single round of SHA-256). The modified documentation uses ActiveSupport::KeyGenerator to perform proper key stretching.
* | Reorganize MessageEncryptorjgls2013-04-191-5/+4
|/ | | | | | | | | 1) According to OpenSSL's documentation, cipher.random_iv must be called after cipher.encrypt and already sets the generated IV on the cipher. 2) OpenSSL::CipherError was moved to OpenSSL::Cipher::CipherError in Ruby 1.8.7. Since Rails 4 requires at least Ruby 1.9.3, support for the old location can be dropped.
* Missing require extract_optionsAkira Matsuda2013-01-311-0/+1
|
* Replace comments' non-breaking spaces with spacesclaudiob2012-12-041-2/+2
| | | | | | | | | | Sometimes, on Mac OS X, programmers accidentally press Option+Space rather than just Space and don’t see the difference. The problem is that Option+Space writes a non-breaking space (0XA0) rather than a normal space (0x20). This commit removes all the non-breaking spaces inadvertently introduced in the comments of the code.
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-26 18:00:53 +0000