From 39f8ca64cec8667b66628e970211b4d18abbc373 Mon Sep 17 00:00:00 2001
From: Michael Coyne
Date: Sat, 23 Sep 2017 17:16:21 -0400
Subject: Add key rotation message Encryptor and Verifier Both classes now have a rotate method where new instances are added for each call. When decryption or verification fails the next rotation instance is tried.
---
 railties/lib/rails/application.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'railties/lib/rails/application.rb')
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index abfec90b6d..f691156921 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -259,8 +259,11 @@ module Rails
 "action_dispatch.encrypted_cookie_salt" => config.action_dispatch.encrypted_cookie_salt,
 "action_dispatch.encrypted_signed_cookie_salt" => config.action_dispatch.encrypted_signed_cookie_salt,
 "action_dispatch.authenticated_encrypted_cookie_salt" => config.action_dispatch.authenticated_encrypted_cookie_salt,
+ "action_dispatch.encrypted_cookie_cipher" => config.action_dispatch.encrypted_cookie_cipher,
+ "action_dispatch.signed_cookie_digest" => config.action_dispatch.signed_cookie_digest,
 "action_dispatch.cookies_serializer" => config.action_dispatch.cookies_serializer,
- "action_dispatch.cookies_digest" => config.action_dispatch.cookies_digest
+ "action_dispatch.cookies_digest" => config.action_dispatch.cookies_digest,
+ "action_dispatch.cookies_rotations" => config.action_dispatch.cookies_rotations
 )
 end
 end
-- cgit v1.2.3
From 8b0af54bbe5ab8b598e980013dd53a50d819b636 Mon Sep 17 00:00:00 2001
From: Michael Coyne
Date: Sat, 23 Sep 2017 17:18:01 -0400
Subject: Add key rotation cookies middleware Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions.
---
 railties/lib/rails/application.rb | 1 +
 1 file changed, 1 insertion(+)
(limited to 'railties/lib/rails/application.rb')
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index f691156921..24f5eeae87 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -259,6 +259,7 @@ module Rails
 "action_dispatch.encrypted_cookie_salt" => config.action_dispatch.encrypted_cookie_salt,
 "action_dispatch.encrypted_signed_cookie_salt" => config.action_dispatch.encrypted_signed_cookie_salt,
 "action_dispatch.authenticated_encrypted_cookie_salt" => config.action_dispatch.authenticated_encrypted_cookie_salt,
+ "action_dispatch.use_authenticated_cookie_encryption" => config.action_dispatch.use_authenticated_cookie_encryption,
 "action_dispatch.encrypted_cookie_cipher" => config.action_dispatch.encrypted_cookie_cipher,
 "action_dispatch.signed_cookie_digest" => config.action_dispatch.signed_cookie_digest,
 "action_dispatch.cookies_serializer" => config.action_dispatch.cookies_serializer,
-- cgit v1.2.3
From fbcc4bfe9a211e219da5d0bb01d894fcdaef0a0e Mon Sep 17 00:00:00 2001
From: Kasper Timm Hansen
Date: Thu, 28 Sep 2017 20:04:46 +0200
Subject: Deprecate secret_token, long since usurped by secret_key_base. See the changelog entry. Remove `secrets.secret_token` from the bug report templates, since we don't accept bug reports for Rails versions that don't support a `secret_key_base`. [ claudiob & Kasper Timm Hansen ]
---
 railties/lib/rails/application.rb | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'railties/lib/rails/application.rb')
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index 24f5eeae87..4fd20185b1 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -6,6 +6,7 @@ require "active_support/core_ext/object/blank"
 require "active_support/key_generator"
 require "active_support/message_verifier"
 require "active_support/encrypted_configuration"
+require "active_support/deprecation"
 require_relative "engine"
 require_relative "secrets"
@@ -398,6 +399,11 @@ module Rails
 # Fallback to config.secret_token if secrets.secret_token isn't set
 secrets.secret_token ||= config.secret_token
+ if secrets.secret_token.present?
+ ActiveSupport::Deprecation.warn \
+ "`secrets.secret_token` is deprecated in favor of `secret_key_base` and will be removed in Rails 6.0."
+ end
+
 secrets
 end
 end
-- cgit v1.2.3
From 6a728491b66340345a91264b5983ad81944ab97a Mon Sep 17 00:00:00 2001
From: Akira Matsuda
Date: Sat, 21 Oct 2017 22:08:33 +0900
Subject: [Railties] require_relative => require This basically reverts 618268b4b9382f4bcf004a945fe2d85c0bd03e32
---
 railties/lib/rails/application.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'railties/lib/rails/application.rb')
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index 4fd20185b1..ade8cb6a48 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -7,8 +7,8 @@ require "active_support/key_generator"
 require "active_support/message_verifier"
 require "active_support/encrypted_configuration"
 require "active_support/deprecation"
-require_relative "engine"
-require_relative "secrets"
+require "rails/engine"
+require "rails/secrets"
 module Rails
 # An Engine with the responsibility of coordinating the whole boot process.
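Review bot: The deprecation added in the second hunk (`@@ -398,6 +399,11 @@`) says what is going away but not where the replacement is read from, so the message could end with a pointer such as `Set secret_key_base via ENV["SECRET_KEY_BASE"], credentials, or secrets instead.`, the three sources a later hunk on this page shows `secret_key_base` falling through. This matters because, as long as `secrets.secret_token` is present and `secret_key_base` is unset, the key generator path elsewhere on this page still constructs `ActiveSupport::LegacyKeyGenerator.new(secrets.secret_token)`, so this warning is the only signal that the legacy path is in use. Whether the warning fires once per boot or on every call depends on the memoization of the enclosing `secrets` method, which starts before the hunk and is not visible here.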
@@ -474,7 +474,7 @@ module Rails
 def run_tasks_blocks(app) #:nodoc:
 railties.each { |r| r.run_tasks_blocks(app) }
 super
- require_relative "tasks"
+ require "rails/tasks"
 task :environment do
 ActiveSupport.on_load(:before_initialize) { config.eager_load = false }
-- cgit v1.2.3
From 7a8728a03986489e1c843ed850afc2c16fb6eb06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wojciech=20Wn=C4=99trzak?=
Date: Tue, 14 Nov 2017 11:44:23 +0100
Subject: Add CLI to manage encrypted files/configs. To edit/show encrypted file: ``` bin/rails encrypted:edit config/staging_tokens.yml.enc bin/rails encrypted:edit config/staging_tokens.yml.enc --key config/staging.key bin/rails encrypted:show config/staging_tokens.yml.enc ``` Also provides a backing Rails.application.encrypted API for Ruby access: ```ruby Rails.application.encrypted("config/staging_tokens.yml.enc").read Rails.application.encrypted("config/staging_tokens.yml.enc").config Rails.application.encrypted("config/staging_tokens.yml.enc", key: "config/staging.key") ```
---
 railties/lib/rails/application.rb | 39 +++++++++++++++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 4 deletions(-)
(limited to 'railties/lib/rails/application.rb')
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index ade8cb6a48..31bc542308 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -433,10 +433,41 @@ module Rails
 # the Rails master key, which is either taken from ENV["RAILS_MASTER_KEY"] or from loading
 # `config/master.key`.
 def credentials
- @credentials ||= ActiveSupport::EncryptedConfiguration.new \
- config_path: Rails.root.join("config/credentials.yml.enc"),
- key_path: Rails.root.join("config/master.key"),
- env_key: "RAILS_MASTER_KEY"
+ @credentials ||= encrypted("config/credentials.yml.enc")
+ end
+
+ # Shorthand to decrypt any encrypted configurations or files.
+ #
+ # For any file added with `bin/rails encrypted:edit` call `read` to decrypt
+ # the file with the master key.
+ # The master key is either stored in `config/master.key` or `ENV["RAILS_MASTER_KEY"]`.
+ #
+ # Rails.application.encrypted("config/mystery_man.key").read
+ # # => "We've met before, haven't we?"
+ #
+ # It's also possible to interpret encrypted YAML files with `config`.
+ #
+ # Rails.application.encrypted("config/credentials.yml.enc").config
+ # # => { next_guys_line: "I don't think so. Where was it you think we met?" }
+ #
+ # Any top-level configs are also accessible directly on the return value:
+ #
+ # Rails.application.encrypted("config/credentials.yml.enc").next_guys_line
+ # # => "I don't think so. Where was it you think we met?"
+ #
+ # The files or configs can also be encrypted with a custom key. To decrypt with
+ # a key in the `ENV`, use:
+ #
+ # Rails.application.encrypted("config/special_tokens.yml.enc", env_key: "SPECIAL_TOKENS")
+ #
+ # Or to decrypt with a file, that should be version control ignored, relative to `Rails.root`:
+ #
+ # Rails.application.encrypted("config/special_tokens.yml.enc", key_path: "config/special_tokens.key")
+ def encrypted(path, key_path: "config/master.key", env_key: "RAILS_MASTER_KEY")
+ ActiveSupport::EncryptedConfiguration.new \
+ config_path: Rails.root.join(path),
+ key_path: Rails.root.join(key_path),
+ env_key: env_key
 end
 def to_app #:nodoc:
-- cgit v1.2.3
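Review bot: The new `encrypted` resolves both `path` and `key_path` with `Rails.root.join`, and `Pathname#join` returns an absolute argument unchanged, so the doc's "relative to Rails.root" wording only describes relative inputs; a line such as `# Both +path+ and +key_path+ are joined onto Rails.root; an absolute path is used as given.` would make the contract explicit, or, if staying under `Rails.root` is the intent, the method could check the joined result and `raise ArgumentError`. A second documentation point: `credentials` memoizes with `@credentials ||=`, while `encrypted` builds a fresh `ActiveSupport::EncryptedConfiguration` on every call (presumably re-reading and re-decrypting the file each time), so the docstring should tell callers to hold the returned object rather than call `encrypted` repeatedly. Both `credentials` and `encrypted` lie wholly within the hunk.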
From 23b9ad5fb103b0a50fbeede84279881d9dbc1687 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wojciech=20Wn=C4=99trzak?=
Date: Thu, 16 Nov 2017 09:52:51 +0100
Subject: Fixed example of `Rails.application.encrypted` method usage [ci skip]
---
 railties/lib/rails/application.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'railties/lib/rails/application.rb')
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index 31bc542308..df266fbfce 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -442,7 +442,7 @@ module Rails
 # the file with the master key.
 # The master key is either stored in `config/master.key` or `ENV["RAILS_MASTER_KEY"]`.
 #
- # Rails.application.encrypted("config/mystery_man.key").read
+ # Rails.application.encrypted("config/mystery_man.txt.enc").read
 # # => "We've met before, haven't we?"
 #
 # It's also possible to interpret encrypted YAML files with `config`.
-- cgit v1.2.3
From 83cb0fc6326b308322e35b211bac31c73b346b73 Mon Sep 17 00:00:00 2001
From: "yuuji.yaginuma"
Date: Sun, 19 Nov 2017 14:42:45 +0900
Subject: Fix formatting of `credentials` and `encrypted` [ci skip]
---
 railties/lib/rails/application.rb | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
(limited to 'railties/lib/rails/application.rb')
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index df266fbfce..b1429df18b 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -429,23 +429,23 @@ module Rails
 end
 end
- # Decrypts the credentials hash as kept in `config/credentials.yml.enc`. This file is encrypted with
- # the Rails master key, which is either taken from ENV["RAILS_MASTER_KEY"] or from loading
- # `config/master.key`.
+ # Decrypts the credentials hash as kept in +config/credentials.yml.enc+. This file is encrypted with
+ # the Rails master key, which is either taken from ENV["RAILS_MASTER_KEY"] or from loading
+ # +config/master.key+.
 def credentials
 @credentials ||= encrypted("config/credentials.yml.enc")
 end
 # Shorthand to decrypt any encrypted configurations or files.
 #
- # For any file added with `bin/rails encrypted:edit` call `read` to decrypt
+ # For any file added with bin/rails encrypted:edit call +read+ to decrypt
 # the file with the master key.
- # The master key is either stored in `config/master.key` or `ENV["RAILS_MASTER_KEY"]`.
+ # The master key is either stored in +config/master.key+ or ENV["RAILS_MASTER_KEY"].
 #
 # Rails.application.encrypted("config/mystery_man.txt.enc").read
 # # => "We've met before, haven't we?"
 #
- # It's also possible to interpret encrypted YAML files with `config`.
+ # It's also possible to interpret encrypted YAML files with +config+.
 #
 # Rails.application.encrypted("config/credentials.yml.enc").config
 # # => { next_guys_line: "I don't think so. Where was it you think we met?" }
@@ -456,11 +456,11 @@ module Rails
 # # => "I don't think so. Where was it you think we met?"
 #
 # The files or configs can also be encrypted with a custom key. To decrypt with
- # a key in the `ENV`, use:
+ # a key in the +ENV+, use:
 #
 # Rails.application.encrypted("config/special_tokens.yml.enc", env_key: "SPECIAL_TOKENS")
 #
- # Or to decrypt with a file, that should be version control ignored, relative to `Rails.root`:
+ # Or to decrypt with a file, that should be version control ignored, relative to +Rails.root+:
 #
 # Rails.application.encrypted("config/special_tokens.yml.enc", key_path: "config/special_tokens.key")
 def encrypted(path, key_path: "config/master.key", env_key: "RAILS_MASTER_KEY")
-- cgit v1.2.3
From aee1a2802f03d864edc1b856e6461ef8b80a78b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
Date: Sat, 25 Nov 2017 14:10:34 -0500
Subject: Use parentheses for multi-line method calls Own style guide says we should be using parentheses for method calls with arguments.
---
 railties/lib/rails/application.rb | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'railties/lib/rails/application.rb')
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index b1429df18b..075d17b0f4 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -174,8 +174,9 @@ module Rails
 # team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220
 @caching_key_generator ||=
 if secret_key_base
- ActiveSupport::CachingKeyGenerator.new \
+ ActiveSupport::CachingKeyGenerator.new(
 ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000)
+ )
 else
 ActiveSupport::LegacyKeyGenerator.new(secrets.secret_token)
 end
@@ -400,8 +401,9 @@ module Rails
 secrets.secret_token ||= config.secret_token
 if secrets.secret_token.present?
- ActiveSupport::Deprecation.warn \
+ ActiveSupport::Deprecation.warn(
 "`secrets.secret_token` is deprecated in favor of `secret_key_base` and will be removed in Rails 6.0."
+ )
 end
 secrets
@@ -424,8 +426,9 @@ module Rails
 if Rails.env.test? || Rails.env.development?
 Digest::MD5.hexdigest self.class.name
 else
- validate_secret_key_base \
+ validate_secret_key_base(
 ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || secrets.secret_key_base
+ )
 end
 end
@@ -464,10 +467,11 @@ module Rails
 #
 # Rails.application.encrypted("config/special_tokens.yml.enc", key_path: "config/special_tokens.key")
 def encrypted(path, key_path: "config/master.key", env_key: "RAILS_MASTER_KEY")
- ActiveSupport::EncryptedConfiguration.new \
+ ActiveSupport::EncryptedConfiguration.new(
 config_path: Rails.root.join(path),
 key_path: Rails.root.join(key_path),
 env_key: env_key
+ )
 end
 def to_app #:nodoc:
-- cgit v1.2.3
From 456c3ffdbe37d430c12ad269514674cc89f38c11 Mon Sep 17 00:00:00 2001
From: Andrew White
Date: Wed, 15 Nov 2017 21:07:28 +0000
Subject: Add DSL for configuring Content-Security-Policy header https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
---
 railties/lib/rails/application.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'railties/lib/rails/application.rb')
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index 075d17b0f4..293a736bfd 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -266,7 +266,9 @@ module Rails
 "action_dispatch.signed_cookie_digest" => config.action_dispatch.signed_cookie_digest,
 "action_dispatch.cookies_serializer" => config.action_dispatch.cookies_serializer,
 "action_dispatch.cookies_digest" => config.action_dispatch.cookies_digest,
- "action_dispatch.cookies_rotations" => config.action_dispatch.cookies_rotations
+ "action_dispatch.cookies_rotations" => config.action_dispatch.cookies_rotations,
+ "action_dispatch.content_security_policy" => config.content_security_policy,
+ "action_dispatch.content_security_policy_report_only" => config.content_security_policy_report_only
 )
 end
 end
-- cgit v1.2.3
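Review bot: The two new entries read `config.content_security_policy` and `config.content_security_policy_report_only` from the top-level application config, while every neighbouring `action_dispatch.*` key in the hunk reads from `config.action_dispatch`; the key names suggest the same namespace, so a reader is likely to "fix" the mismatch. If the top-level placement is deliberate (the CSP DSL presumably lives on the application config rather than under `action_dispatch`), a one-line comment above the pair, e.g. `# CSP is configured on the top-level config, not config.action_dispatch`, would record that. The method building this env hash starts before the hunk.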