From 9d79d77813c3aca010a5b40cacbd6e68f42ce618 Mon Sep 17 00:00:00 2001
From: Kasper Timm Hansen <kaspth@gmail.com>
Date: Sun, 24 Sep 2017 21:25:59 +0200
Subject: Use new rotation signature in cookies.

[ Michael Coyne & Kasper Timm Hansen ]
---
 .../lib/action_dispatch/middleware/cookies.rb      | 23 ++++----
 actionpack/test/dispatch/cookies_test.rb           | 65 +++-------------------
 2 files changed, 20 insertions(+), 68 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index b3831649a8..06ce0b22f4 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -264,9 +264,9 @@ module ActionDispatch
         end
 
         def upgrade_legacy_hmac_aes_cbc_cookies?
-          request.secret_key_base.present?                       &&
-            request.encrypted_signed_cookie_salt.present?        &&
-            request.encrypted_cookie_salt.present?               &&
+          request.secret_key_base.present? &&
+            request.encrypted_signed_cookie_salt.present? &&
+            request.encrypted_cookie_salt.present? &&
             request.use_authenticated_cookie_encryption
         end
 
@@ -570,12 +570,12 @@ module ActionDispatch
         secret = request.key_generator.generate_key(request.signed_cookie_salt)
         @verifier = ActiveSupport::MessageVerifier.new(secret, digest: signed_cookie_digest, serializer: SERIALIZER)
 
-        request.cookies_rotations.signed.each do |rotation_options|
-          @verifier.rotate serializer: SERIALIZER, **rotation_options
+        request.cookies_rotations.signed.each do |*secrets, **options|
+          @verifier.rotate *secrets, serializer: SERIALIZER, **options
         end
 
         if upgrade_legacy_signed_cookies?
-          @verifier.rotate raw_key: request.secret_token, serializer: SERIALIZER
+          @verifier.rotate request.secret_token, serializer: SERIALIZER
         end
       end
 
@@ -603,14 +603,15 @@ module ActionDispatch
         secret = request.key_generator.generate_key(request.authenticated_encrypted_cookie_salt, key_len)
         @encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: SERIALIZER)
 
-        request.cookies_rotations.encrypted.each do |rotation_options|
-          @encryptor.rotate serializer: SERIALIZER, **rotation_options
+        request.cookies_rotations.encrypted.each do |*secrets, **options|
+          @encryptor.rotate *secrets, serializer: SERIALIZER, **options
         end
 
         if upgrade_legacy_hmac_aes_cbc_cookies?
-          @encryptor.rotate \
-            key_generator: request.key_generator, salt: request.encrypted_cookie_salt, signed_salt: request.encrypted_signed_cookie_salt,
-            cipher: "aes-256-cbc", digest: digest, serializer: SERIALIZER
+          secret = request.key_generator.generate_key(request.encrypted_cookie_salt)
+          sign_secret = request.key_generator.generate_key(request.encrypted_signed_cookie_salt)
+
+          @encryptor.rotate secret, sign_secret, cipher: "aes-256-cbc", digest: digest, serializer: SERIALIZER
         end
 
         if upgrade_legacy_signed_cookies?
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index 706d0be9c2..70587fa2b0 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -461,37 +461,13 @@ class CookiesTest < ActionController::TestCase
     assert_equal verifier.generate(45), cookies[:user_id]
   end
 
-  def test_signed_cookie_rotations_with_secret_key_base_and_digest
-    rotated_secret_key_base = "b3c631c314c0bbca50c1b2843150fe33"
-    rotated_salt = "signed cookie"
+  def test_signed_cookie_rotating_secret_and_digest
+    secret = "b3c631c314c0bbca50c1b2843150fe33"
 
     @request.env["action_dispatch.signed_cookie_digest"] = "SHA256"
-    @request.env["action_dispatch.cookies_rotations"].rotate :signed,
-      secret: rotated_secret_key_base, salt: rotated_salt, digest: "SHA1"
-
-    old_secret = ActiveSupport::KeyGenerator.new(rotated_secret_key_base, iterations: 1000).generate_key(rotated_salt)
-    old_message = ActiveSupport::MessageVerifier.new(old_secret, digest: "SHA1", serializer: Marshal).generate(45)
-
-    @request.headers["Cookie"] = "user_id=#{old_message}"
-
-    get :get_signed_cookie
-    assert_equal 45, @controller.send(:cookies).signed[:user_id]
-
-    key_generator = @request.env["action_dispatch.key_generator"]
-    secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
-    verifier = ActiveSupport::MessageVerifier.new(secret, digest: "SHA256", serializer: Marshal)
-    assert_equal 45, verifier.verify(@response.cookies["user_id"])
-  end
-
-  def test_signed_cookie_rotations_with_raw_key_and_digest
-    rotated_raw_key = "b3c631c314c0bbca50c1b2843150fe33"
-
-    @request.env["action_dispatch.signed_cookie_digest"] = "SHA256"
-    @request.env["action_dispatch.cookies_rotations"].rotate :signed,
-      raw_key: rotated_raw_key, digest: "SHA1"
-
-    old_message = ActiveSupport::MessageVerifier.new(rotated_raw_key, digest: "SHA1", serializer: Marshal).generate(45)
+    @request.env["action_dispatch.cookies_rotations"].rotate :signed, secret, digest: "SHA1"
 
+    old_message = ActiveSupport::MessageVerifier.new(secret, digest: "SHA1", serializer: Marshal).generate(45)
     @request.headers["Cookie"] = "user_id=#{old_message}"
 
     get :get_signed_cookie
@@ -993,40 +969,15 @@ class CookiesTest < ActionController::TestCase
     assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
   end
 
-  def test_encrypted_cookie_rotations_with_secret_and_salt
-    rotated_secret_key_base = "b3c631c314c0bbca50c1b2843150fe33"
-    rotated_salt = "authenticated encrypted cookie"
-
-    @request.env["action_dispatch.encrypted_cookie_cipher"] = "aes-256-gcm"
-    @request.env["action_dispatch.cookies_rotations"].rotate :encrypted,
-      secret: rotated_secret_key_base, salt: rotated_salt, cipher: "aes-256-gcm"
-
-    key_len = ActiveSupport::MessageEncryptor.key_len("aes-256-gcm")
-
-    old_secret = ActiveSupport::KeyGenerator.new(rotated_secret_key_base, iterations: 1000).generate_key(rotated_salt, key_len)
-    old_message = ActiveSupport::MessageEncryptor.new(old_secret, cipher: "aes-256-gcm", serializer: Marshal).encrypt_and_sign("bar")
-
-    @request.headers["Cookie"] = "foo=#{::Rack::Utils.escape old_message}"
-
-    get :get_encrypted_cookie
-    assert_equal "bar", @controller.send(:cookies).encrypted[:foo]
-
-    key_generator = @request.env["action_dispatch.key_generator"]
-    secret = key_generator.generate_key(@request.env["action_dispatch.authenticated_encrypted_cookie_salt"], key_len)
-    encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm", serializer: Marshal)
-    assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
-  end
-
-  def test_encrypted_cookie_rotations_with_raw_key
-    raw_key = "b3c631c314c0bbca50c1b2843150fe33"
+  def test_encrypted_cookie_rotating_secret
+    secret = "b3c631c314c0bbca50c1b2843150fe33"
 
     @request.env["action_dispatch.encrypted_cookie_cipher"] = "aes-256-gcm"
-    @request.env["action_dispatch.cookies_rotations"].rotate :encrypted,
-      raw_key: raw_key, cipher: "aes-256-gcm"
+    @request.env["action_dispatch.cookies_rotations"].rotate :encrypted, secret
 
     key_len = ActiveSupport::MessageEncryptor.key_len("aes-256-gcm")
 
-    old_message = ActiveSupport::MessageEncryptor.new(raw_key, cipher: "aes-256-gcm", serializer: Marshal).encrypt_and_sign(45)
+    old_message = ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm", serializer: Marshal).encrypt_and_sign(45)
 
     @request.headers["Cookie"] = "foo=#{::Rack::Utils.escape old_message}"
 
-- 
cgit v1.2.3