# frozen_string_literal: true
require "active_support/security_utils"
require "active_support/messages/rotator"
module ActiveSupport
  # = Secure Compare Rotator
  #
  # ActiveSupport::SecureCompareRotator wraps ActiveSupport::SecurityUtils.secure_compare
  # and lets you rotate a previously defined value to a new one: the current
  # value and every value registered with #rotate are accepted.
  #
  # It can be used as follows:
  #
  #   rotator = ActiveSupport::SecureCompareRotator.new('new_production_value')
  #   rotator.rotate('previous_production_value')
  #   rotator.secure_compare!('previous_production_value')
  #
  # A real-world use case is rotating basic auth credentials:
  #
  #   class MyController < ApplicationController
  #     def authenticate_request
  #       rotator = ActiveSupport::SecureCompareRotator.new('new_password')
  #       rotator.rotate('old_password')
  #
  #       authenticate_or_request_with_http_basic do |username, password|
  #         rotator.secure_compare!(password)
  #       rescue ActiveSupport::SecureCompareRotator::InvalidMatch
  #         false
  #       end
  #     end
  #   end
  #
  # The string literals above stand in for secrets; load the real values from
  # wherever the application keeps its credentials.
  #
  # A previous value stays accepted for as long as it is registered: this class
  # only ever appends to its list of previous values and has no expiry. Use
  # +on_rotation+ to record that an old value is still being presented, and
  # stop registering it once the rotation is complete.
  class SecureCompareRotator
    include SecurityUtils

    # Raised by #secure_compare! when the candidate matches neither the current
    # value nor any previous value.
    InvalidMatch = Class.new(StandardError)

    # Builds a rotator whose current (preferred) secret is +value+.
    #
    # +on_rotation+ is an optional callable; it becomes the default callback
    # that #secure_compare! invokes when a previous value, rather than the
    # current one, matched.
    def initialize(value, on_rotation: nil)
      @on_rotation = on_rotation
      @rotate_values = []
      @value = value
    end

    # Registers +previous_value+ as an additional accepted value.
    # Returns the list of previous values registered so far.
    def rotate(previous_value)
      @rotate_values.push(previous_value)
    end

    # Compares +other_value+ with the current value first, then with the
    # previous values in the order they were registered.
    #
    # Returns +true+ on a match. If the match is against a previous value,
    # +on_rotation+ (by default the callable given to +new+) is called before
    # returning. Raises InvalidMatch when nothing matches.
    #
    # Every comparison goes through SecurityUtils#secure_compare, and a
    # candidate that matches nothing is compared against the current value and
    # every previous value before InvalidMatch is raised.
    #
    # NOTE(review): what happens for a nil +other_value+ (or a nil registered
    # value) depends on secure_compare, which is not visible here -- confirm
    # that callers always pass Strings.
    def secure_compare!(other_value, on_rotation: @on_rotation)
      return true if secure_compare(@value, other_value)

      matched_previous = @rotate_values.any? { |previous| secure_compare(previous, other_value) }
      raise InvalidMatch unless matched_previous

      # Only reached when an old value was presented: let the caller observe it.
      on_rotation&.call
      true
    end
  end
end