From 60609bb50d5b99d78a01a945a539cccd061cd7e7 Mon Sep 17 00:00:00 2001 From: Santiago Pastorino Date: Wed, 31 Oct 2012 01:06:46 -0200 Subject: Sign cookies using key deriver --- railties/lib/rails/application.rb | 9 ++++++++- railties/lib/rails/application/configuration.rb | 10 ++++++++-- .../rails/app/templates/config/initializers/secret_token.rb.tt | 4 ++-- 3 files changed, 18 insertions(+), 5 deletions(-) (limited to 'railties/lib') diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb index 9ef001c7d0..f22025d35e 100644 --- a/railties/lib/rails/application.rb +++ b/railties/lib/rails/application.rb @@ -1,5 +1,7 @@ require 'fileutils' require 'active_support/queueing' +# FIXME remove DummyKeyGenerator and this require in 4.1 +require 'active_support/key_generator' require 'rails/engine' module Rails @@ -106,7 +108,11 @@ module Rails def key_generator # number of iterations selected based on consultation with the google security # team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220 - @key_generator ||= ActiveSupport::KeyGenerator.new(config.secret_token, iterations: 1000) + @key_generator ||= if config.secret_token_key + ActiveSupport::KeyGenerator.new(config.secret_token_key, iterations: 1000) + else + ActiveSupport::DummyKeyGenerator.new(config.secret_token) + end end # Stores some of the Rails initial environment parameters which @@ -119,6 +125,7 @@ module Rails # * "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local, # * "action_dispatch.logger" => Rails.logger, # * "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner + # * "action_dispatch.key_generator" => key_generator # # These parameters will be used by middlewares and engines to configure themselves # diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb index cc21213f1c..b01b97aa67 100644 --- a/railties/lib/rails/application/configuration.rb 
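Review bot: The `else` arm of the new conditional in key_generator, `ActiveSupport::DummyKeyGenerator.new(config.secret_token)`, has no comment, and the only explanation of why it exists is the `# FIXME remove DummyKeyGenerator and this require in 4.1` placed next to the require at the top of the file. The iteration-count comment above the assignment now applies only to the `KeyGenerator` arm, which a reader cannot tell from the layout. A comment on the branch ties the two together: `# legacy path for apps that only set config.secret_token; DummyKeyGenerator presumably does no derivation — drop it with the FIXME'd require above`. Nothing in this method checks that `config.secret_token` is actually set before it is handed to DummyKeyGenerator; whether the generator tolerates nil is not visible here.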
+++ b/railties/lib/rails/application/configuration.rb @@ -10,12 +10,12 @@ module Rails :cache_classes, :cache_store, :consider_all_requests_local, :console, :eager_load, :exceptions_app, :file_watcher, :filter_parameters, :force_ssl, :helpers_paths, :logger, :log_formatter, :log_tags, - :railties_order, :relative_url_root, :secret_token, + :railties_order, :relative_url_root, :secret_token_key, :serve_static_assets, :ssl_options, :static_cache_control, :session_options, :time_zone, :reload_classes_only_on_change, :queue, :queue_consumer, :beginning_of_week - attr_writer :log_level + attr_writer :secret_token, :log_level attr_reader :encoding def initialize(*) @@ -46,6 +46,8 @@ module Rails @queue = ActiveSupport::SynchronousQueue.new @queue_consumer = nil @eager_load = nil + @secret_token = nil + @secret_token_key = nil @assets = ActiveSupport::OrderedOptions.new @assets.enabled = false @@ -144,6 +146,10 @@ module Rails def whiny_nils=(*) ActiveSupport::Deprecation.warn "config.whiny_nils option is deprecated and no longer works" end + + def secret_token + @secret_token_key || @secret_token + end end end end diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt index 3c5611ca59..d96185ae2a 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt @@ -7,6 +7,6 @@ # no regular words or you'll be exposed to dictionary attacks. # You can use `rake secret` to generate a secure secret key. -# Make sure your secret_token is kept private +# Make sure your secret_token_key is kept private # if you're sharing your code publicly. -<%= app_const %>.config.secret_token = '<%= app_secret %>' +<%= app_const %>.config.secret_token_key = '<%= app_secret %>' -- cgit v1.2.3 
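Review bot: The hand-written `secret_token` reader at the end of configuration.rb returns `@secret_token_key || @secret_token`, so when an app sets both values the legacy one is silently ignored and `config.secret_token` no longer returns what was assigned through the `attr_writer`; application.rb's `"action_dispatch.secret_token" => config.secret_token` therefore receives the new key. That precedence looks deliberate but is undocumented and easy to mistake for a leftover, especially since `secret_token_key` stays a plain accessor. Add `# prefer the new secret_token_key when set; the legacy secret_token only serves apps that have not migrated` above `def secret_token`.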
From e272000c80548c3de9380bb6c76397d018fb1c68 Mon Sep 17 00:00:00 2001 From: Santiago Pastorino Date: Thu, 1 Nov 2012 02:20:16 -0200 Subject: Warn config.derive_keys will be true by default in 4.1 --- railties/lib/rails/application.rb | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) (limited to 'railties/lib') diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb index f22025d35e..741b03d80e 100644 --- a/railties/lib/rails/application.rb +++ b/railties/lib/rails/application.rb 
@@ -130,15 +130,23 @@ module Rails # These parameters will be used by middlewares and engines to configure themselves # def env_config - @env_config ||= super.merge({ - "action_dispatch.parameter_filter" => config.filter_parameters, - "action_dispatch.secret_token" => config.secret_token, - "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions, - "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local, - "action_dispatch.logger" => Rails.logger, - "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner, - "action_dispatch.key_generator" => key_generator - }) + @env_config ||= begin + if config.secret_token_key.nil? + ActiveSupport::Deprecation.warn "You didn't set config.secret_token_key. " + + "This should be used instead of the old deprecated config.secret_token. " + + "Set config.secret_token_key instead of config.secret_token in config/initializers/secret_token.rb" + end + + super.merge({ + "action_dispatch.parameter_filter" => config.filter_parameters, + "action_dispatch.secret_token" => config.secret_token, + "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions, + "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local, + "action_dispatch.logger" => Rails.logger, + "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner, + "action_dispatch.key_generator" => key_generator + }) + end end ## Rails internal API -- cgit v1.2.3 From fb0cea2b8cf61cde1aa4c640b56e896fbe308aa1 Mon Sep 17 00:00:00 2001 From: Santiago Pastorino Date: Tue, 30 Oct 2012 18:12:23 -0200 Subject: Add encrypted cookie store --- .../rails/app/templates/config/initializers/session_store.rb.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'railties/lib') 
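Review bot: The guard `if config.secret_token_key.nil?` treats an empty string as a configured key, so `config.secret_token_key = ''` skips the deprecation warning and, because `''` is truthy in key_generator's `if config.secret_token_key`, reaches `ActiveSupport::KeyGenerator.new` with an empty secret. `if config.secret_token_key.blank?` closes that gap and matches the `config.secret_token.blank?` check the next commit adds inside this same block; the renamed `if config.secret_key_base.nil?` line in the later application.rb hunk keeps the same weakness. The three-line message built with trailing `+` inside the `warn` call is also awkward to read; adjacent string literals or a squiggly heredoc would drop the continuation operators.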
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt index 4a099a4ce2..df07de9922 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/session_store.rb.tt @@ -1,3 +1,3 @@ # Be sure to restart your server when you modify this file. -<%= app_const %>.config.session_store :cookie_store, key: <%= "'_#{app_name}_session'" %> +<%= app_const %>.config.session_store :encrypted_cookie_store, key: <%= "'_#{app_name}_session'" %> -- cgit v1.2.3 From 5d23925f84f0241e28b3fbce740150136ba08254 Mon Sep 17 00:00:00 2001 From: Santiago Pastorino Date: Fri, 2 Nov 2012 20:26:11 -0200 Subject: Use derived keys everywhere, http_authentication was missing it --- railties/lib/rails/application.rb | 5 +++-- railties/lib/rails/application/configuration.rb | 8 ++------ 2 files changed, 5 insertions(+), 8 deletions(-) (limited to 'railties/lib') diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb index 741b03d80e..f9867721a2 100644 --- a/railties/lib/rails/application.rb +++ b/railties/lib/rails/application.rb @@ -120,7 +120,6 @@ module Rails # Currently stores: # # * "action_dispatch.parameter_filter" => config.filter_parameters, - # * "action_dispatch.secret_token" => config.secret_token, # * "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions, # * "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local, # * "action_dispatch.logger" => Rails.logger, 
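Review bot: The generated initializer now selects `:encrypted_cookie_store` with no comment on what it depends on, so a reader of the generated file cannot tell that the store presumably relies on the derived-key machinery configured in config/initializers/secret_token.rb (key_generator in application.rb only derives keys when `config.secret_token_key` is set). Add `# :encrypted_cookie_store derives its keys from config.secret_token_key (see secret_token.rb)` above the `config.session_store` line. The cookie name `'_#{app_name}_session'` is unchanged, so an app that switches stores by editing this line by hand keeps receiving old cookies under the same name; how the new store treats a cookie it cannot decrypt is not shown here.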
@@ -135,11 +134,13 @@ module Rails ActiveSupport::Deprecation.warn "You didn't set config.secret_token_key. " + "This should be used instead of the old deprecated config.secret_token. " + "Set config.secret_token_key instead of config.secret_token in config/initializers/secret_token.rb" + if config.secret_token.blank? + raise "You must set config.secret_token_key in your app's config" + end end super.merge({ "action_dispatch.parameter_filter" => config.filter_parameters, - "action_dispatch.secret_token" => config.secret_token, "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions, "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local, "action_dispatch.logger" => Rails.logger, diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb index b01b97aa67..0faa62c86c 100644 --- a/railties/lib/rails/application/configuration.rb +++ b/railties/lib/rails/application/configuration.rb @@ -10,12 +10,12 @@ module Rails :cache_classes, :cache_store, :consider_all_requests_local, :console, :eager_load, :exceptions_app, :file_watcher, :filter_parameters, :force_ssl, :helpers_paths, :logger, :log_formatter, :log_tags, - :railties_order, :relative_url_root, :secret_token_key, + :railties_order, :relative_url_root, :secret_token, :secret_token_key, :serve_static_assets, :ssl_options, :static_cache_control, :session_options, :time_zone, :reload_classes_only_on_change, :queue, :queue_consumer, :beginning_of_week - attr_writer :secret_token, :log_level + attr_writer :log_level attr_reader :encoding def initialize(*) @@ -146,10 +146,6 @@ module Rails def whiny_nils=(*) ActiveSupport::Deprecation.warn "config.whiny_nils option is deprecated and no longer works" end - - def secret_token - @secret_token_key || @secret_token - end end end end -- cgit v1.2.3 From 47da5744741f0af668d2f915e09003be35dcce66 Mon Sep 17 00:00:00 2001 
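Review bot: The new `if config.secret_token.blank?` raise is placed after the `ActiveSupport::Deprecation.warn` call, so an app with neither value configured is first told to set `secret_token_key` by a deprecation warning and then told the same thing by a RuntimeError; moving the three-line blank check above the warn call keeps the boot failure to a single message. Because `@env_config ||=` only memoizes on success, the raise fires again on every call until the configuration is fixed, which is fine but worth a one-line comment. The enclosing `if config.secret_token_key.nil?` and the `@env_config ||= begin` start before this hunk.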
From: Santiago Pastorino Date: Thu, 1 Nov 2012 20:02:09 -0200 Subject: Allow users to change the default salt if they want, shouldn't be necessary --- railties/lib/rails/application.rb | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) (limited to 'railties/lib') diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb index f9867721a2..3ec29e1dd6 100644 --- a/railties/lib/rails/application.rb +++ b/railties/lib/rails/application.rb @@ -119,12 +119,16 @@ module Rails # will be used by middlewares and engines to configure themselves. # Currently stores: # - # * "action_dispatch.parameter_filter" => config.filter_parameters, - # * "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions, - # * "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local, - # * "action_dispatch.logger" => Rails.logger, - # * "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner - # * "action_dispatch.key_generator" => key_generator + # * "action_dispatch.parameter_filter" => config.filter_parameters + # * "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions + # * "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local + # * "action_dispatch.logger" => Rails.logger + # * "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner + # * "action_dispatch.key_generator" => key_generator + # * "action_dispatch.http_auth_salt" => config.action_dispatch.http_auth_salt + # * "action_dispatch.signed_cookie_salt" => config.action_dispatch.signed_cookie_salt + # * "action_dispatch.encrypted_cookie_salt" => config.action_dispatch.encrypted_cookie_salt + # * "action_dispatch.encrypted_signed_cookie_salt" => config.action_dispatch.encrypted_signed_cookie_salt # # These parameters will be used by middlewares and engines to configure themselves # 
@@ -145,7 +149,11 @@ module Rails "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local, "action_dispatch.logger" => Rails.logger, "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner, - "action_dispatch.key_generator" => key_generator + "action_dispatch.key_generator" => key_generator, + "action_dispatch.http_auth_salt" => config.action_dispatch.http_auth_salt, + "action_dispatch.signed_cookie_salt" => config.action_dispatch.signed_cookie_salt, + "action_dispatch.encrypted_cookie_salt" => config.action_dispatch.encrypted_cookie_salt, + "action_dispatch.encrypted_signed_cookie_salt" => config.action_dispatch.encrypted_signed_cookie_salt }) end end -- cgit v1.2.3 From 851e8fe897633f095a0f39a91f8bc75eee7a76aa Mon Sep 17 00:00:00 2001 From: Santiago Pastorino Date: Thu, 1 Nov 2012 20:23:21 -0200 Subject: Cache generated keys per KeyGenerator instance using salt + key_size --- railties/lib/rails/application.rb | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'railties/lib') diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb index 3ec29e1dd6..f484e1737c 100644 --- a/railties/lib/rails/application.rb +++ b/railties/lib/rails/application.rb 
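Review bot: The four salt entries added to env_config read `config.action_dispatch.http_auth_salt` and friends without any comment on their role, and the defaults they fall back to when an app sets none of them are not visible in this diff. Since the commit message says changing them should not be necessary, a line such as `# per-purpose salts handed to consumers of key_generator; they are not secrets, only domain separators for the derived keys` above the `"action_dispatch.http_auth_salt"` entry would stop readers from treating them like `secret_token_key` (assuming the consumers feed them to key_generator, which this diff does not show). The enclosing `super.merge({` starts before this hunk.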
@@ -108,11 +108,14 @@ module Rails def key_generator # number of iterations selected based on consultation with the google security # team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220 - @key_generator ||= if config.secret_token_key - ActiveSupport::KeyGenerator.new(config.secret_token_key, iterations: 1000) - else - ActiveSupport::DummyKeyGenerator.new(config.secret_token) - end + @caching_key_generator ||= begin + if config.secret_token_key + key_generator = ActiveSupport::KeyGenerator.new(config.secret_token_key, iterations: 1000) + ActiveSupport::CachingKeyGenerator.new(key_generator) + else + ActiveSupport::DummyKeyGenerator.new(config.secret_token) + end + end end # Stores some of the Rails initial environment parameters which -- cgit v1.2.3 From 4faa0418453055bc81456685d418d486252cc379 Mon Sep 17 00:00:00 2001 From: Santiago Pastorino Date: Fri, 2 Nov 2012 20:27:51 -0200 Subject: Rename secret_token_key to secret_key_base --- railties/lib/rails/application.rb | 12 ++++++------ railties/lib/rails/application/configuration.rb | 4 ++-- .../app/templates/config/initializers/secret_token.rb.tt | 4 ++-- 3 files changed, 10 insertions(+), 10 deletions(-) (limited to 'railties/lib') diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb index f484e1737c..b7844bbfbe 100644 --- a/railties/lib/rails/application.rb +++ b/railties/lib/rails/application.rb 
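Review bot: Inside `key_generator` the new local `key_generator = ActiveSupport::KeyGenerator.new(config.secret_token_key, iterations: 1000)` shadows the method's own name, which reads like a recursive call at a glance and hides the method for the rest of the body. Either rename the local or inline it: `ActiveSupport::CachingKeyGenerator.new(ActiveSupport::KeyGenerator.new(config.secret_token_key, iterations: 1000))`. The memo ivar also changed from `@key_generator` to `@caching_key_generator`; any code elsewhere that read `@key_generator` directly is not visible here and would now see nil. The iteration-count comment above `begin` still applies only to the derived branch, not to `DummyKeyGenerator`.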
@@ -109,8 +109,8 @@ module Rails # number of iterations selected based on consultation with the google security # team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220 @caching_key_generator ||= begin - if config.secret_token_key - key_generator = ActiveSupport::KeyGenerator.new(config.secret_token_key, iterations: 1000) + if config.secret_key_base + key_generator = ActiveSupport::KeyGenerator.new(config.secret_key_base, iterations: 1000) ActiveSupport::CachingKeyGenerator.new(key_generator) else ActiveSupport::DummyKeyGenerator.new(config.secret_token) @@ -137,12 +137,12 @@ module Rails # def env_config @env_config ||= begin - if config.secret_token_key.nil? - ActiveSupport::Deprecation.warn "You didn't set config.secret_token_key. " + + if config.secret_key_base.nil? + ActiveSupport::Deprecation.warn "You didn't set config.secret_key_base. " + "This should be used instead of the old deprecated config.secret_token. " + - "Set config.secret_token_key instead of config.secret_token in config/initializers/secret_token.rb" + "Set config.secret_key_base instead of config.secret_token in config/initializers/secret_token.rb" if config.secret_token.blank? - raise "You must set config.secret_token_key in your app's config" + raise "You must set config.secret_key_base in your app's config" end end diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb index 0faa62c86c..f97e66985c 100644 --- a/railties/lib/rails/application/configuration.rb +++ b/railties/lib/rails/application/configuration.rb 
@@ -10,7 +10,7 @@ module Rails :cache_classes, :cache_store, :consider_all_requests_local, :console, :eager_load, :exceptions_app, :file_watcher, :filter_parameters, :force_ssl, :helpers_paths, :logger, :log_formatter, :log_tags, - :railties_order, :relative_url_root, :secret_token, :secret_token_key, + :railties_order, :relative_url_root, :secret_key_base, :secret_token, :serve_static_assets, :ssl_options, :static_cache_control, :session_options, :time_zone, :reload_classes_only_on_change, :queue, :queue_consumer, :beginning_of_week @@ -47,7 +47,7 @@ module Rails @queue_consumer = nil @eager_load = nil @secret_token = nil - @secret_token_key = nil + @secret_key_base = nil @assets = ActiveSupport::OrderedOptions.new @assets.enabled = false diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt index d96185ae2a..e5caab3672 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt @@ -7,6 +7,6 @@ # no regular words or you'll be exposed to dictionary attacks. # You can use `rake secret` to generate a secure secret key. -# Make sure your secret_token_key is kept private +# Make sure your secret_key_base is kept private # if you're sharing your code publicly. -<%= app_const %>.config.secret_token_key = '<%= app_secret %>' +<%= app_const %>.config.secret_key_base = '<%= app_secret %>' -- cgit v1.2.3