From 3b506ee0d8ccc8fa69da19aeb38915115a8aa44d Mon Sep 17 00:00:00 2001 From: Assain Date: Thu, 6 Jul 2017 20:53:22 +0530 Subject: Add expires_at, expires_in, and purpose meta_data to messages. --- .../lib/active_support/message_encryptor.rb | 11 +++-- .../lib/active_support/messages/metadata.rb | 55 ++++++++++++++++++++++ 2 files changed, 61 insertions(+), 5 deletions(-) create mode 100644 activesupport/lib/active_support/messages/metadata.rb (limited to 'activesupport/lib/active_support') diff --git a/activesupport/lib/active_support/message_encryptor.rb b/activesupport/lib/active_support/message_encryptor.rb index d5db2920b9..9ceb3a3a7f 100644 --- a/activesupport/lib/active_support/message_encryptor.rb +++ b/activesupport/lib/active_support/message_encryptor.rb @@ -4,6 +4,7 @@ require "openssl" require "base64" require_relative "core_ext/array/extract_options" require_relative "message_verifier" +require_relative "messages/metadata" module ActiveSupport # MessageEncryptor is a simple way to encrypt values which get stored @@ -87,14 +88,15 @@ module ActiveSupport # Encrypt and sign a message. We need to sign the message in order to avoid # padding attacks. Reference: http://www.limited-entropy.com/padding-oracle-attacks. - def encrypt_and_sign(value) - verifier.generate(_encrypt(value)) + def encrypt_and_sign(value, expires_at: nil, expires_in: nil, purpose: nil) + data = Messages::Metadata.wrap(value, expires_at: expires_at, expires_in: expires_in, purpose: purpose) + verifier.generate(_encrypt(data)) end # Decrypt and verify a message. We need to verify the message in order to # avoid padding attacks. Reference: http://www.limited-entropy.com/padding-oracle-attacks. - def decrypt_and_verify(value) - _decrypt(verifier.verify(value)) + def decrypt_and_verify(data, purpose: nil) + Messages::Metadata.verify(_decrypt(verifier.verify(data)), purpose) end # Given a cipher, returns the key length of the cipher to help generate the key of desired size @@ -103,7 +105,6 @@ module ActiveSupport end private - def _encrypt(value) cipher = new_cipher cipher.encrypt diff --git a/activesupport/lib/active_support/messages/metadata.rb b/activesupport/lib/active_support/messages/metadata.rb new file mode 100644 index 0000000000..e35086fb77 --- /dev/null +++ b/activesupport/lib/active_support/messages/metadata.rb @@ -0,0 +1,55 @@ +# frozen_string_literal: true +require "time" + +module ActiveSupport + module Messages #:nodoc: + class Metadata #:nodoc: + def initialize(expires_at, purpose) + @expires_at, @purpose = expires_at, purpose + end + + class << self + def wrap(message, expires_at: nil, expires_in: nil, purpose: nil) + if expires_at || expires_in || purpose + { "value" => message, "_rails" => { "exp" => pick_expiry(expires_at, expires_in), "pur" => purpose.to_s } } + else + message + end + end + + def verify(message, purpose) + metadata = extract_metadata(message) + + if metadata.nil? + message if purpose.nil? + elsif metadata.match?(purpose.to_s) && metadata.fresh? + message["value"] + end + end + + private + def pick_expiry(expires_at, expires_in) + if expires_at + expires_at.utc.iso8601(3) + elsif expires_in + expires_in.from_now.utc.iso8601(3) + end + end + + def extract_metadata(message) + if message.is_a?(Hash) && message.key?("_rails") + new(message["_rails"]["exp"], message["_rails"]["pur"]) + end + end + end + + def match?(purpose) + @purpose == purpose + end + + def fresh? + @expires_at.nil? || Time.now.utc < Time.iso8601(@expires_at) + end + end + end +end -- cgit v1.2.3