From 8eefdb6d7056dc0d4d63a5c34a4b12701ba21c88 Mon Sep 17 00:00:00 2001
From: Santiago Pastorino <santiago@wyeworks.com>
Date: Fri, 16 Nov 2012 17:17:08 -0200
Subject: Add UpgradeSignatureToEncryptionCookieStore

This allows easy upgrading from the old signed Cookie Store <= 3.2
or the deprecated one in 4.0 (the ones that doesn't use key derivation)
to the new one that signs using key derivation
---
 railties/lib/rails/application.rb                  |   2 +
 .../test/application/middleware/session_test.rb    | 110 +++++++++++++++++++++
 2 files changed, 112 insertions(+)

(limited to 'railties')

diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index b7844bbfbe..ae3993fbd8 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -123,6 +123,7 @@ module Rails
     # Currently stores:
     #
     #   * "action_dispatch.parameter_filter"             => config.filter_parameters
+    #   * "action_dispatch.secret_token"                 => config.secret_token,
     #   * "action_dispatch.show_exceptions"              => config.action_dispatch.show_exceptions
     #   * "action_dispatch.show_detailed_exceptions"     => config.consider_all_requests_local
     #   * "action_dispatch.logger"                       => Rails.logger
@@ -148,6 +149,7 @@ module Rails
 
         super.merge({
           "action_dispatch.parameter_filter" => config.filter_parameters,
+          "action_dispatch.secret_token" => config.secret_token,
           "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions,
           "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
           "action_dispatch.logger" => Rails.logger,
diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb
index 9c0b143b74..a5fdfbf887 100644
--- a/railties/test/application/middleware/session_test.rb
+++ b/railties/test/application/middleware/session_test.rb
@@ -177,5 +177,115 @@ module ApplicationTests
       get '/foo/read_raw_cookie'
       assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo']
     end
+
+    test "session using upgrade signature to encryption cookie store works the same way as encrypted cookie store" do
+      app_file 'config/routes.rb', <<-RUBY
+        AppTemplate::Application.routes.draw do
+          get ':controller(/:action)'
+        end
+      RUBY
+
+      controller :foo, <<-RUBY
+        class FooController < ActionController::Base
+          def write_session
+            session[:foo] = 1
+            render nothing: true
+          end
+
+          def read_session
+            render text: session[:foo]
+          end
+
+          def read_encrypted_cookie
+            render text: cookies.encrypted[:_myapp_session]['foo']
+          end
+
+          def read_raw_cookie
+            render text: cookies[:_myapp_session]
+          end
+        end
+      RUBY
+
+      add_to_config <<-RUBY
+        config.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
+        config.session_store :upgrade_signature_to_encryption_cookie_store, key: '_myapp_session'
+      RUBY
+
+      require "#{app_path}/config/environment"
+
+      get '/foo/write_session'
+      get '/foo/read_session'
+      assert_equal '1', last_response.body
+
+      get '/foo/read_encrypted_cookie'
+      assert_equal '1', last_response.body
+
+      secret = app.key_generator.generate_key('encrypted cookie')
+      sign_secret = app.key_generator.generate_key('signed encrypted cookie')
+      encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)
+
+      get '/foo/read_raw_cookie'
+      assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo']
+    end
+
+    test "session using upgrade signature to encryption cookie store upgrades session to encrypted mode" do
+      app_file 'config/routes.rb', <<-RUBY
+        AppTemplate::Application.routes.draw do
+          get ':controller(/:action)'
+        end
+      RUBY
+
+      controller :foo, <<-RUBY
+        class FooController < ActionController::Base
+          def write_raw_session
+            # {"session_id"=>"1965d95720fffc123941bdfb7d2e6870", "foo"=>1}
+            cookies[:_myapp_session] = "BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJTE5NjVkOTU3MjBmZmZjMTIzOTQxYmRmYjdkMmU2ODcwBjsAVEkiCGZvbwY7AEZpBg==--315fb9931921a87ae7421aec96382f0294119749"
+            render nothing: true
+          end
+
+          def write_session
+            session[:foo] = session[:foo] + 1
+            render nothing: true
+          end
+
+          def read_session
+            render text: session[:foo]
+          end
+
+          def read_encrypted_cookie
+            render text: cookies.encrypted[:_myapp_session]['foo']
+          end
+
+          def read_raw_cookie
+            render text: cookies[:_myapp_session]
+          end
+        end
+      RUBY
+
+      add_to_config <<-RUBY
+        config.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
+        config.session_store :upgrade_signature_to_encryption_cookie_store, key: '_myapp_session'
+      RUBY
+
+      require "#{app_path}/config/environment"
+
+      get '/foo/write_raw_session'
+      get '/foo/read_session'
+      assert_equal '1', last_response.body
+
+      get '/foo/write_session'
+      get '/foo/read_session'
+      assert_equal '2', last_response.body
+
+      get '/foo/read_encrypted_cookie'
+      assert_equal '2', last_response.body
+
+      secret = app.key_generator.generate_key('encrypted cookie')
+      sign_secret = app.key_generator.generate_key('signed encrypted cookie')
+      encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)
+
+      get '/foo/read_raw_cookie'
+      assert_equal 2, encryptor.decrypt_and_verify(last_response.body)['foo']
+    end
   end
 end
-- 
cgit v1.2.3