From 6690d662920f0db854f7303cd2a5a36c72299199 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Valim?= Date: Mon, 5 Apr 2010 10:52:47 +0200 Subject: Rename config.cookie_secret to config.secret_token and pass it as configuration in request.env. This is another step forward removing global configuration. --- actionpack/lib/action_controller/base.rb | 2 +- .../lib/action_controller/deprecated/base.rb | 7 ++--- actionpack/lib/action_controller/metal/cookies.rb | 3 +- .../action_controller/metal/http_authentication.rb | 17 +++++++--- actionpack/lib/action_controller/railtie.rb | 1 - .../lib/action_dispatch/middleware/cookies.rb | 36 +++++++++++----------- .../middleware/session/cookie_store.rb | 2 +- .../lib/action_dispatch/testing/test_request.rb | 2 ++ actionpack/test/abstract_unit.rb | 4 --- actionpack/test/controller/cookie_test.rb | 3 +- .../controller/http_digest_authentication_test.rb | 5 ++- 11 files changed, 40 insertions(+), 42 deletions(-) (limited to 'actionpack') diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb index d2118ec483..1dfc240029 100644 --- a/actionpack/lib/action_controller/base.rb +++ b/actionpack/lib/action_controller/base.rb @@ -2,7 +2,7 @@ module ActionController class Base < Metal abstract! - def self.modules_without(*modules) + def self.without_modules(*modules) modules = modules.map do |m| m.is_a?(Symbol) ? ActionController.const_get(m) : m end diff --git a/actionpack/lib/action_controller/deprecated/base.rb b/actionpack/lib/action_controller/deprecated/base.rb index 51d1e23753..05551ffee4 100644 --- a/actionpack/lib/action_controller/deprecated/base.rb +++ b/actionpack/lib/action_controller/deprecated/base.rb @@ -77,14 +77,11 @@ module ActionController def cookie_verifier_secret=(value) ActiveSupport::Deprecation.warn "ActionController::Base.cookie_verifier_secret= is deprecated. " << - "Please configure it on your application with config.cookie_secret=", caller - ActionController::Base.config.secret = value + "Please configure it on your application with config.secret_token=", caller end def cookie_verifier_secret - ActiveSupport::Deprecation.warn "ActionController::Base.cookie_verifier_secret is deprecated. " << - "Please use ActionController::Base.config.secret instead.", caller - ActionController::Base.config.secret + ActiveSupport::Deprecation.warn "ActionController::Base.cookie_verifier_secret is deprecated.", caller end def trusted_proxies=(value) diff --git a/actionpack/lib/action_controller/metal/cookies.rb b/actionpack/lib/action_controller/metal/cookies.rb index 4aaa705203..d787f014cd 100644 --- a/actionpack/lib/action_controller/metal/cookies.rb +++ b/actionpack/lib/action_controller/metal/cookies.rb @@ -10,8 +10,7 @@ module ActionController #:nodoc: private def cookies - raise "You must set config.cookie_secret in your app's config" if config.secret.blank? - request.cookie_jar(:signing_secret => config.secret) + request.cookie_jar end end end diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 424828f7e8..6bd6c15990 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -159,7 +159,7 @@ module ActionController # Authenticate with HTTP Digest, returns true or false def authenticate_with_http_digest(realm = "Application", &password_procedure) - HttpAuthentication::Digest.authenticate(config.secret, request, realm, &password_procedure) + HttpAuthentication::Digest.authenticate(request, realm, &password_procedure) end # Render output including the HTTP Digest authentication header @@ -169,14 +169,15 @@ module ActionController end # Returns false on a valid response, true otherwise - def authenticate(secret_key, request, realm, &password_procedure) - request.authorization && validate_digest_response(secret_key, request, realm, &password_procedure) + def authenticate(request, realm, &password_procedure) + request.authorization && validate_digest_response(request, realm, &password_procedure) end # Returns false unless the request credentials response value matches the expected value. # First try the password as a ha1 digest password. If this fails, then try it as a plain # text password. - def validate_digest_response(secret_key, request, realm, &password_procedure) + def validate_digest_response(request, realm, &password_procedure) + secret_key = secret_token(request) credentials = decode_credentials_header(request) valid_nonce = validate_nonce(secret_key, request, credentials[:nonce]) @@ -225,7 +226,7 @@ module ActionController end def authentication_header(controller, realm) - secret_key = controller.config.secret + secret_key = secret_token(controller.request) nonce = self.nonce(secret_key) opaque = opaque(secret_key) controller.headers["WWW-Authenticate"] = %(Digest realm="#{realm}", qop="auth", algorithm=MD5, nonce="#{nonce}", opaque="#{opaque}") @@ -238,6 +239,12 @@ module ActionController controller.status = 401 end + def secret_token(request) + secret = request.env["action_dispatch.secret_token"] + raise "You must set config.secret_token in your app's config" if secret.blank? + secret + end + # Uses an MD5 digest based on time to generate a value to be used only once. # # A server-specified data string which should be uniquely generated each time a 401 response is made. diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb index 29d8523ee1..030ba4ec48 100644 --- a/actionpack/lib/action_controller/railtie.rb +++ b/actionpack/lib/action_controller/railtie.rb @@ -51,7 +51,6 @@ module ActionController ac.assets_dir = paths.public.to_a.first ac.javascripts_dir = paths.public.javascripts.to_a.first ac.stylesheets_dir = paths.public.stylesheets.to_a.first - ac.secret = app.config.cookie_secret ActiveSupport.on_load(:action_controller) do self.config.merge!(ac) diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index 71dcac9e94..42ab1d1ebb 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -1,7 +1,9 @@ +require "active_support/core_ext/object/blank" + module ActionDispatch class Request - def cookie_jar(config = {}) - env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self, config) + def cookie_jar + env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self) end end @@ -51,17 +53,17 @@ module ActionDispatch # only HTTP. Defaults to +false+. class Cookies class CookieJar < Hash #:nodoc: - def self.build(request, config = {}) - new(config).tap do |hash| + def self.build(request) + secret = request.env["action_dispatch.secret_token"] + new(secret).tap do |hash| hash.update(request.cookies) end end - def initialize(config = {}) - @config = config + def initialize(secret=nil) + @secret = secret @set_cookies = {} @delete_cookies = {} - super() end @@ -112,7 +114,7 @@ module ActionDispatch # cookies.permanent.signed[:remember_me] = current_user.id # # => Set-Cookie: discount=BAhU--848956038e692d7046deab32b7131856ab20e14e; path=/; expires=Sun, 16-Dec-2029 03:24:16 GMT def permanent - @permanent ||= PermanentCookieJar.new(self, @config) + @permanent ||= PermanentCookieJar.new(self, @secret) end # Returns a jar that'll automatically generate a signed representation of cookie value and verify it when reading from @@ -120,7 +122,7 @@ module ActionDispatch # cookie was tampered with by the user (or a 3rd party), an ActiveSupport::MessageVerifier::InvalidSignature exception will # be raised. # - # This jar requires that you set a suitable secret for the verification on your app's config.cookie_secret. + # This jar requires that you set a suitable secret for the verification on your app's config.secret_token. # # Example: # @@ -129,7 +131,7 @@ module ActionDispatch # # cookies.signed[:discount] # => 45 def signed - @signed ||= SignedCookieJar.new(self, @config) + @signed ||= SignedCookieJar.new(self, @secret) end def write(response) @@ -139,9 +141,8 @@ module ActionDispatch end class PermanentCookieJar < CookieJar #:nodoc: - def initialize(parent_jar, config = {}) - @parent_jar = parent_jar - @config = config + def initialize(parent_jar, secret) + @parent_jar, @secret = parent_jar, secret end def []=(key, options) @@ -156,7 +157,7 @@ module ActionDispatch end def signed - @signed ||= SignedCookieJar.new(self, @config) + @signed ||= SignedCookieJar.new(self, @secret) end def method_missing(method, *arguments, &block) @@ -165,11 +166,10 @@ module ActionDispatch end class SignedCookieJar < CookieJar #:nodoc: - def initialize(parent_jar, config = {}) - raise 'Missing cookie signing secret' if config[:signing_secret].blank? + def initialize(parent_jar, secret) + raise "You must set config.secret_token in your app's config" if secret.blank? @parent_jar = parent_jar - @config = config - @verifier = ActiveSupport::MessageVerifier.new(config[:signing_secret]) + @verifier = ActiveSupport::MessageVerifier.new(secret) end def [](name) diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb index 3331b7c25e..88ba941676 100644 --- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb +++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb @@ -192,7 +192,7 @@ module ActionDispatch if secret.blank? raise ArgumentError, "A secret is required to generate an " + "integrity hash for cookie session data. Use " + - "config.cookie_secret = \"some secret phrase of at " + + "config.secret_token = \"some secret phrase of at " + "least #{SECRET_MIN_LENGTH} characters\"" + "in config/application.rb" end diff --git a/actionpack/lib/action_dispatch/testing/test_request.rb b/actionpack/lib/action_dispatch/testing/test_request.rb index 090e03cf44..b3e67f6e36 100644 --- a/actionpack/lib/action_dispatch/testing/test_request.rb +++ b/actionpack/lib/action_dispatch/testing/test_request.rb @@ -1,4 +1,5 @@ require 'active_support/core_ext/object/blank' +require 'active_support/core_ext/hash/reverse_merge' module ActionDispatch class TestRequest < Request @@ -9,6 +10,7 @@ module ActionDispatch end def initialize(env = {}) + env = Rails.application.env_defaults.merge(env) if defined?(Rails.application) super(DEFAULT_ENV.merge(env)) self.host = 'test.host' diff --git a/actionpack/test/abstract_unit.rb b/actionpack/test/abstract_unit.rb index fe78b8ec1f..acf887ee4a 100644 --- a/actionpack/test/abstract_unit.rb +++ b/actionpack/test/abstract_unit.rb @@ -192,10 +192,6 @@ end # Temporary base class class Rack::TestCase < ActionController::IntegrationTest - setup do - ActionController::Base.config.secret = "abc" * 30 - end - def self.testing(klass = nil) if klass @testing = "/#{klass.name.underscore}".sub!(/_controller$/, '') diff --git a/actionpack/test/controller/cookie_test.rb b/actionpack/test/controller/cookie_test.rb index 278cae1415..4971866e7c 100644 --- a/actionpack/test/controller/cookie_test.rb +++ b/actionpack/test/controller/cookie_test.rb @@ -1,7 +1,5 @@ require 'abstract_unit' -ActionController::Base.config.secret = "thisISverySECRET123" - class CookieTest < ActionController::TestCase class TestController < ActionController::Base def authenticate @@ -76,6 +74,7 @@ class CookieTest < ActionController::TestCase def setup super + @request.env["action_dispatch.secret_token"] = "thisISverySECRET123" @request.host = "www.nextangle.com" end diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb index eb2af523a2..b011536717 100644 --- a/actionpack/test/controller/http_digest_authentication_test.rb +++ b/actionpack/test/controller/http_digest_authentication_test.rb @@ -41,8 +41,7 @@ class HttpDigestAuthenticationTest < ActionController::TestCase setup do # Used as secret in generating nonce to prevent tampering of timestamp @secret = "session_options_secret" - @controller.config.secret = @secret - # @old_secret, ActionController::Base.config.secret[:secret] = ActionController::Base.session_options[:secret], @secret + @request.env["action_dispatch.secret_token"] = @secret end teardown do @@ -206,7 +205,7 @@ class HttpDigestAuthenticationTest < ActionController::TestCase test "validate_digest_response should fail with nil returning password_procedure" do @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil) - assert !ActionController::HttpAuthentication::Digest.validate_digest_response(@secret, @request, "SuperSecret"){nil} + assert !ActionController::HttpAuthentication::Digest.validate_digest_response(@request, "SuperSecret"){nil} end private -- cgit v1.2.3