Remove deprecated config.secret_token
rafaelfranca committed Jan 17, 2019
1 parent 6eb1d56 commit 46ac5fe69a20d4539a15929fe48293e1809a26b0
@@ -1,3 +1,7 @@
* Remove deprecated `config.secret_token`.

*Rafael Mendonça França*

* Seed database with inline ActiveJob job adapter.

*Gannon McGibbon*
@@ -18,7 +22,6 @@

*bogdanvlviv*


* Use original `bundler` environment variables during the process of generating a new rails project.

*Marco Costa*
@@ -172,14 +172,9 @@ def reload_routes!
def key_generator
# number of iterations selected based on consultation with the google security
# team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220
@caching_key_generator ||=
if secret_key_base
ActiveSupport::CachingKeyGenerator.new(
ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000)
)
else
ActiveSupport::LegacyKeyGenerator.new(secrets.secret_token)
end
@caching_key_generator ||= ActiveSupport::CachingKeyGenerator.new(
ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000)
)
end

# Returns a message verifier object.
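Review bot: The new `@caching_key_generator ||= ActiveSupport::CachingKeyGenerator.new(...)` assignment passes `secret_key_base` straight into `ActiveSupport::KeyGenerator.new`, and nothing left in `key_generator` guards against it being nil or blank now that the `LegacyKeyGenerator` fallback branch is gone. That is presumably safe only because the `validate_secret_key_base` hunk further down now raises `ArgumentError` in its `else` branch when the key is missing, but that dependency is invisible from this method. A one-line comment above the assignment would make it explicit: `# secret_key_base is validated (raises ArgumentError when missing) before it reaches here, so no legacy fallback is needed.`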
@@ -254,7 +249,6 @@ def env_config
super.merge(
"action_dispatch.parameter_filter" => config.filter_parameters,
"action_dispatch.redirect_filter" => config.filter_redirect,
"action_dispatch.secret_token" => secrets.secret_token,
"action_dispatch.secret_key_base" => secret_key_base,
"action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions,
"action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
@@ -404,14 +398,6 @@ def secrets

# Fallback to config.secret_key_base if secrets.secret_key_base isn't set
secrets.secret_key_base ||= config.secret_key_base
# Fallback to config.secret_token if secrets.secret_token isn't set
secrets.secret_token ||= config.secret_token

if secrets.secret_token.present?
ActiveSupport::Deprecation.warn(
"`secrets.secret_token` is deprecated in favor of `secret_key_base` and will be removed in Rails 6.0."
)
end

secrets
end
@@ -587,7 +573,7 @@ def validate_secret_key_base(secret_key_base)
secret_key_base
elsif secret_key_base
raise ArgumentError, "`secret_key_base` for #{Rails.env} environment must be a type of String`"
elsif secrets.secret_token.blank?
else
raise ArgumentError, "Missing `secret_key_base` for '#{Rails.env}' environment, set this string with `rails credentials:edit`"
end
end
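Review bot: The new `else` branch in `validate_secret_key_base` turns every application that was still booting on `secret_token` alone into a startup `ArgumentError`, but the message on the line before `end` only points at `rails credentials:edit` and gives no hint that `config.secret_token` / `secrets.secret_token` are no longer honored. Since this commit also drops the deprecation warning from `secrets`, this raise is the only signal such an app gets, so consider extending the message with a clause such as `(config.secret_token is no longer supported)`. While here, the unchanged `must be a type of String` message two lines above ends with a stray backtick inside the string. The `if` that opens this method is outside the hunk.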
@@ -13,7 +13,7 @@ class Configuration < ::Rails::Engine::Configuration
:cache_classes, :cache_store, :consider_all_requests_local, :console,
:eager_load, :exceptions_app, :file_watcher, :filter_parameters,
:force_ssl, :helpers_paths, :hosts, :logger, :log_formatter, :log_tags,
:railties_order, :relative_url_root, :secret_key_base, :secret_token,
:railties_order, :relative_url_root, :secret_key_base,
:ssl_options, :public_file_server,
:session_options, :time_zone, :reload_classes_only_on_change,
:beginning_of_week, :filter_redirect, :x, :enable_dependency_loading,
@@ -50,7 +50,6 @@ def initialize(*)
@autoflush_log = true
@log_formatter = ActiveSupport::Logger::SimpleFormatter.new
@eager_load = nil
@secret_token = nil
@secret_key_base = nil
@api_only = false
@debug_exception_response_format = nil
@@ -596,45 +596,6 @@ def index
assert_equal "some_value", verifier.verify(message)
end

test "application message verifier can be used when the key_generator is ActiveSupport::LegacyKeyGenerator" do
app_file "config/initializers/secret_token.rb", <<-RUBY
Rails.application.credentials.secret_key_base = nil
Rails.application.config.secret_token = "b3c631c314c0bbca50c1b2843150fe33"
RUBY

app "production"

assert_kind_of ActiveSupport::LegacyKeyGenerator, Rails.application.key_generator
message = app.message_verifier(:sensitive_value).generate("some_value")
assert_equal "some_value", Rails.application.message_verifier(:sensitive_value).verify(message)
end

test "config.secret_token is deprecated" do
app_file "config/initializers/secret_token.rb", <<-RUBY
Rails.application.config.secret_token = "b3c631c314c0bbca50c1b2843150fe33"
RUBY

app "production"

assert_deprecated(/secret_token/) do
app.secrets
end
end

test "secrets.secret_token is deprecated" do
app_file "config/secrets.yml", <<-YAML
production:
secret_token: "b3c631c314c0bbca50c1b2843150fe33"
YAML

app "production"

assert_deprecated(/secret_token/) do
app.secrets
end
end


test "raises when secret_key_base is blank" do
app_file "config/initializers/secret_token.rb", <<-RUBY
Rails.application.credentials.secret_key_base = nil
@@ -656,20 +617,6 @@ def index
end
end

test "prefer secrets.secret_token over config.secret_token" do
app_file "config/initializers/secret_token.rb", <<-RUBY
Rails.application.config.secret_token = ""
RUBY
app_file "config/secrets.yml", <<-YAML
development:
secret_token: 3b7cd727ee24e8444053437c36cc66c3
YAML

app "development"

assert_equal "3b7cd727ee24e8444053437c36cc66c3", app.secrets.secret_token
end

test "application verifier can build different verifiers" do
make_basic_app do |application|
application.credentials.secret_key_base = "b3c631c314c0bbca50c1b2843150fe33"
@@ -711,22 +658,6 @@ def index
assert_equal "3b7cd727ee24e8444053437c36cc66c3", app.secrets.secret_key_base
end

test "config.secret_token over-writes a blank secrets.secret_token" do
app_file "config/initializers/secret_token.rb", <<-RUBY
Rails.application.config.secret_token = "b3c631c314c0bbca50c1b2843150fe33"
RUBY
app_file "config/secrets.yml", <<-YAML
development:
secret_key_base:
secret_token:
YAML

app "development"

assert_equal "b3c631c314c0bbca50c1b2843150fe33", app.secrets.secret_token
assert_equal "b3c631c314c0bbca50c1b2843150fe33", app.config.secret_token
end

test "custom secrets saved in config/secrets.yml are loaded in app secrets" do
app_file "config/secrets.yml", <<-YAML
development:
@@ -789,19 +720,6 @@ def index
assert_equal "iaminallyoursecretkeybase", app.secrets.secret_key_base
end

test "uses ActiveSupport::LegacyKeyGenerator as app.key_generator when secrets.secret_key_base is blank" do
app_file "config/initializers/secret_token.rb", <<-RUBY
Rails.application.credentials.secret_key_base = nil
Rails.application.config.secret_token = "b3c631c314c0bbca50c1b2843150fe33"
RUBY

app "production"

assert_equal "b3c631c314c0bbca50c1b2843150fe33", app.config.secret_token
assert_nil app.credentials.secret_key_base
assert_kind_of ActiveSupport::LegacyKeyGenerator, app.key_generator
end

test "that nested keys are symbolized the same as parents for hashes more than one level deep" do
app_file "config/secrets.yml", <<-YAML
development:
@@ -12,7 +12,9 @@ def remote_ip(env = {})
remote_ip = nil
env = Rack::MockRequest.env_for("/").merge(env).merge!(
"action_dispatch.show_exceptions" => false,
"action_dispatch.key_generator" => ActiveSupport::LegacyKeyGenerator.new("b3c631c314c0bbca50c1b2843150fe33")
"action_dispatch.key_generator" => ActiveSupport::CachingKeyGenerator.new(
ActiveSupport::KeyGenerator.new("b3c631c314c0bbca50c1b2843150fe33", iterations: 1000)
)
)

endpoint = Proc.new do |e|
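Review bot: The replacement `"action_dispatch.key_generator"` value in `remote_ip` hard-codes `iterations: 1000` a second time, duplicating the setting that `Rails::Application#key_generator` uses in the application hunk above; if the application later changes its iteration count, requests built through this helper will silently diverge from what a real app produces. A short comment next to the `ActiveSupport::KeyGenerator.new(...)` line would flag the coupling: `# Must match the KeyGenerator settings in Rails::Application#key_generator`. `remote_ip` begins before the hunk.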
@@ -215,8 +215,6 @@ def read_raw_cookie
RUBY

add_to_config <<-RUBY
secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
# Enable AEAD cookies
config.action_dispatch.use_authenticated_cookie_encryption = true
RUBY
@@ -238,68 +236,6 @@ def read_raw_cookie
assert_equal 1, encryptor.decrypt_and_verify(last_response.body, purpose: "cookie._myapp_session")["foo"]
end

test "session upgrading signature to encryption cookie store upgrades session to encrypted mode" do
app_file "config/routes.rb", <<-RUBY
Rails.application.routes.draw do
get ':controller(/:action)'
end
RUBY

controller :foo, <<-RUBY
class FooController < ActionController::Base
def write_raw_session
# {"session_id"=>"1965d95720fffc123941bdfb7d2e6870", "foo"=>1}
cookies[:_myapp_session] = "BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJTE5NjVkOTU3MjBmZmZjMTIzOTQxYmRmYjdkMmU2ODcwBjsAVEkiCGZvbwY7AEZpBg==--315fb9931921a87ae7421aec96382f0294119749"
head :ok
end
def write_session
session[:foo] = session[:foo] + 1
head :ok
end
def read_session
render plain: session[:foo]
end
def read_encrypted_cookie
render plain: cookies.encrypted[:_myapp_session]['foo']
end
def read_raw_cookie
render plain: cookies[:_myapp_session]
end
end
RUBY

add_to_config <<-RUBY
secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
# Enable AEAD cookies
config.action_dispatch.use_authenticated_cookie_encryption = true
RUBY

require "#{app_path}/config/environment"

get "/foo/write_raw_session"
get "/foo/read_session"
assert_equal "1", last_response.body

get "/foo/write_session"
get "/foo/read_session"
assert_equal "2", last_response.body

get "/foo/read_encrypted_cookie"
assert_equal "2", last_response.body

cipher = "aes-256-gcm"
secret = app.key_generator.generate_key("authenticated encrypted cookie")
encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher)

get "/foo/read_raw_cookie"
assert_equal 2, encryptor.decrypt_and_verify(last_response.body, purpose: "cookie._myapp_session")["foo"]
end

test "session upgrading from AES-CBC-HMAC encryption to AES-GCM encryption" do
app_file "config/routes.rb", <<-RUBY
Rails.application.routes.draw do
@@ -370,70 +306,6 @@ def read_raw_cookie
end
end

test "session upgrading legacy signed cookies to new signed cookies" do
app_file "config/routes.rb", <<-RUBY
Rails.application.routes.draw do
get ':controller(/:action)'
end
RUBY

controller :foo, <<-RUBY
class FooController < ActionController::Base
def write_raw_session
# {"session_id"=>"1965d95720fffc123941bdfb7d2e6870", "foo"=>1}
cookies[:_myapp_session] = "BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJTE5NjVkOTU3MjBmZmZjMTIzOTQxYmRmYjdkMmU2ODcwBjsAVEkiCGZvbwY7AEZpBg==--315fb9931921a87ae7421aec96382f0294119749"
head :ok
end
def write_session
session[:foo] = session[:foo] + 1
head :ok
end
def read_session
render plain: session[:foo]
end
def read_signed_cookie
render plain: cookies.signed[:_myapp_session]['foo']
end
def read_raw_cookie
render plain: cookies[:_myapp_session]
end
end
RUBY

add_to_config <<-RUBY
secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
Rails.application.credentials.secret_key_base = nil
RUBY

begin
old_rails_env, ENV["RAILS_ENV"] = ENV["RAILS_ENV"], "production"

require "#{app_path}/config/environment"

get "/foo/write_raw_session"
get "/foo/read_session"
assert_equal "1", last_response.body

get "/foo/write_session"
get "/foo/read_session"
assert_equal "2", last_response.body

get "/foo/read_signed_cookie"
assert_equal "2", last_response.body

verifier = ActiveSupport::MessageVerifier.new(app.secrets.secret_token)

get "/foo/read_raw_cookie"
assert_equal 2, verifier.verify(last_response.body, purpose: "cookie._myapp_session")["foo"]
ensure
ENV["RAILS_ENV"] = old_rails_env
end
end

test "calling reset_session on request does not trigger an error for API apps" do
add_to_config "config.api_only = true"

@@ -66,7 +66,7 @@ def initialize
super
app = self
@routes = TestSet.new ->(c) { app.controller = c }
secrets.secret_token = "foo"
secrets.secret_key_base = "foo"
end
def app; routes; end
}
