
Add ActiveSupport::KeyGenerator as a simple wrapper around PBKDF2 #6952

Merged
merged 2 commits into from

7 participants

@NZKoz
Owner

As part of the changes for Rails 4 we want to sort out all the cryptography-related things we have in place right now. The first part of this will be to add PBKDF2 for key derivation; then we can switch the session store and cookies.signed to use derived keys instead of using the bare secret.

Similarly future functionality like encrypted cookies / sessions can utilize derived keys.

So before merging I want to get some feedback from @meder and @thaidn on the particulars of our implementation. In particular, what are suitable default values for iterations and key_size.

This is a prerequisite for #3955, #5034 and possibly others.

Note to other committers: Please leave this one for me to merge

@NZKoz NZKoz was assigned
@NZKoz
Owner

Once I have someone confirm we're on the right track, I'll expand this functionality to provide something like:

Your::Application.derive_key("asdf")

I may also rename the class because it's deriving not generating keys. At that stage I think we'll be able to work on #3955 and friends

@nahi

Preferred default parameters:

  • iterations: should be > 10000. I use 100000 generally, but 16384 would not be bad at this moment. The key point is enough slowness, and it depends on the purpose.
  • salt: should have enough entropy. Length check would be good to have. 16 bytes or more?
  • derived key length: should be specified by caller b/c it depends on purpose. SHA1 length (160bit) would be good if you need a default.
  • Something#derive_key interface should have at least a parameter "salt". Just in case it's not a typo.

@emboss should confirm my thoughts. :)

@emboss

> iterations: should be > 10000. I use 100000 generally, but 16384 would be not bad at this moment. The key point is enough slowness and it depends on purposes.

I agree, it should be at least a 5-digit number. Although, when chosen too large, this can quickly become an attack vector for denial of service attacks. It largely depends on how much the infrastructure can handle - maybe choose a default like @nahi proposed, but still have it configurable somehow?

> salt: should have enough entropy. Length check would be good to have. 16 bytes or more?

PKCS#5 says that the salt should at least be 8 bytes, I typically also use the 16 bytes that nahi proposed. What is essential here is that these bytes must be chosen by a cryptographically secure random number generator, OpenSSL::Random or SecureRandom. Ideally a fresh, per-user salt should be used each time, to forbid any opportunity for precomputation right from the start. Normally an attacker would not know the salt, but it's better to design as if they did, which is plausible - think of bribed/rogue devs/admins etc.
This would however require the salt to be a part of the return value or the salt to be part of the interface, handed over by the user. The latter option has the disadvantage that users could still get things wrong with salt generation, though.

> derived key length: should be specified by caller b/c it depends on purpose. SHA1 length (160bit) would be good if you need a default.

Yes, the security margin is tightly related to the underlying digest that was used. It can't exceed the output length of the digest - so in nahi's example of SHA-1, choosing more than 160 bit will for example not increase security. So it's probably best to choose the exact output length of the digest. Some doubt has been cast over SHA-1 recently, and the current recommendations are to use SHA-256 wherever possible. Either way, you can then conveniently choose the dk_len parameter as OpenSSL::Digest#digest_length.

One final note about timing attacks when comparing password hashes. It is argued from time to time on the web that one would have to use some "equal time" comparison methods to compare password hashes in order to not leak any information subject to timing attacks. This is a very delicate issue. I asked a cryptographer who I can absolutely trust on these matters and his advice was as follows: If the underlying hash function were ideal, this attack would be even harder than finding collisions or preimages. So in theory there's no need to worry. But, since current hash functions cannot be proven to be ideal, it doesn't hurt to do equal time comparison, better safe than sorry.

If you'd like to follow his advice, the best method that I see currently for doing equal time comparisons is to do something like this:

require 'openssl'

# Compare two password hashes by comparing their digests rather than the raw values.
def hashes_match?(h1, h2, d = OpenSSL::Digest.new('SHA256'))
  if d.digest(h1) == d.digest(h2)
    true  # success
  else
    false # fail
  end
end

Execution time of computing a digest is independent of its input. This method was also proposed in Dan Boneh's cryptography course on Coursera, so I believe we can trust it. The issue with other popular methods (keeping a "running sum" of XORs of the individual bits) besides being sufficiently complicated is often that optimizing compilers might one day "see what we did there" and would "optimize" our efforts away :)

@emboss

> Execution time of computing a digest is independent of its input.

To clarify: It is now possible to time the resulting digests of course. But this cannot leak any information about the original values if we use a cryptographically secure digest in the process.

@NZKoz
Owner

To clarify the purpose here, we're not looking at using this for passwords. The bcrypt gem does that much more transparently and simply than we could here.

The goal is instead to let us derive multiple keys from a single application secret.

Currently we have:

config.secret_token = "af60a5492cabefa4f84707919d84354c5f7a7cfcd978f977ff16af4aaea4678b14b48f705f6cff7cd86706fd837dd9e2d00fb06e9bd74fa2e615f8a1787faac1"

In every generated app, we use that for signing cookies and the cookie store. However we want to make it possible to ship an encrypted cookie store, which requires an encryption key and a secret.

We also want to make it possible for users to generate their own MessageVerifiers and MessageEncryptors.

On the advice of the google security guys, we don't want to use the same secret as both the encryption key. As a result we need a deterministic way to generate additional keys based on the secret and another value. That's the intended use of the KeyGenerator here.

When we sign cookies, we won't use the raw secret_token, we'll instead use:

  cookie_secret = Application.key_generator.derive_key(some_salt)

The salts will either be generated when your app is generated, or perhaps even just defaulting to static values like "cookie hmac secret", "cookie encryption key".

So, is that a bit clearer? Additionally, does that plan make any sense? ;)

@nahi

@NZKoz My comments and confirmations by @emboss are for key derivation, not directly for password authentication.

@emboss also commented on password authentication. It's also valid because password authentication is actually a key derivation: deriving an authentication key (stretched password hash) from a master key (the password). That said, I have no idea how Rails should use bcrypt and PBKDF2.

Ah, you meant that Application::Something#derive_key gets only salt to derive a new key because you're going to hide master key inside of Application, right? That would be fine.

@NZKoz
Owner

@nahi exactly, take it as given that the secret is a securely generated master key which is secret. derive_key will be called with a salt which is either static, or configurable, for the sole purpose of deterministically generating keys to be used for other purposes in the application.

We can't use a random salt obviously, otherwise those keys are non-deterministic and we can't then re-validate cookies signed or encrypted with them.

Questions of timing attacks etc. are moot, as this only generates the keys; existing code in MessageVerifier does the HMAC validation and that won't be changing.

@emboss

@NZKoz Yeah, sorry for the confusion - I was under the impression that you were trying to replace bcrypt by PBKDF2. I should've read the title, too, not only the conversation ;) But as @nahi said, the same advice for PBKDF2 still holds for key derivation except for the comparison part because you no longer need to compare things.

A couple of questions about the master key. How is it derived? Is it some form of external input (a password?) or would it be generated within the application itself?

So that I get it right this time: you want to

  1. Create a master key
  2. Derive "session keys" deterministically from that master key in order to encrypt cookies or other things when needed?

If so, how are you planning to do deterministic derivation? That is, based on what information would you derive the key for let's say cookie encryption?

@NZKoz
Owner

The master key itself is generated by SecureRandom when the application is generated. Users can change this as they wish.

The session key would be derived by providing another value as the salt to PBKDF2 with the master key as the 'password'. The particular values would probably be:

  key_generator = KeyGenerator.new(config.secret_token)
  cookie_signing_key = key_generator.generate_key(config.cookie_signing_salt || "Cookie Signing Key")

We could remove the default values, but that makes upgrading a pain in the ass. Essentially the main goal I have is that we have a reliable way to generate keys by transforming the existing secret so that we don't end up using a single secret as HMAC key, encryption key, everywhere.

Using PBKDF2 to derive keys seems like a sane way to avoid that while simultaneously keeping things pretty straightforward for users.

@emboss

I also discussed the issue with Jean-Philippe Aumasson. It was my impression and he confirmed that PBKDF2 is not the optimal choice in your context. PBKDF2 was designed to mitigate the poor entropy of passwords, but as you confirmed you would be using a SecureRandom master secret right from the start, there is no need for a password-based derivation algorithm.

I thought of something simple at first, like KDF 1-4 on this page, but Jean-Philippe warned me that there are issues when deriving keys in that manner. To overcome these problems, he recommended HMAC as a good solution.

It turns out that there is a standard using HMAC for key derivation that provides all of the features you are looking for, HKDF. It also comes with a paper.

In your situation, where you have a SecureRandom master key, you could skip the "Extract" phase altogether, and immediately use the "Expand" phase. Determinism is supported by providing appropriate "info" strings (see also the comments in section 3.2) to

HKDF-Expand(PRK, info, L)

As the underlying hash function, I would recommend using SHA-256. This solution has the advantage that there's no need for salt values at all, since your initial key material is already secure pseudo-random.

On the downside, there's no implementation in stdlib available so far. But I wanted to add key derivation support to Ruby OpenSSL for quite some time now, because it's also important for key exchange protocols.

@nahi Would you think it's OK to add HKDF support to Ruby OpenSSL even if it's not directly supported by OpenSSL itself? My guess is we could implement it entirely in Ruby, probably no need for native code.

Alternatively, you could use this gem or we could discuss adding a reduced version ("Expand" only) to Rails directly. What do you think?

@NZKoz
Owner

I'm incredibly hesitant to add a dependency on crypto code that's not part of OpenSSL; it's hard enough to use crypto correctly, and implementing it is a touch too risky. If there's an implementation of HKDF in a later version of OpenSSL then we could make use of it there.

So you mention that PBKDF2 is not ideal due to our keys already having sufficient entropy; if the sole issue is that the derivation will take an unnecessarily long time, then I'm not worried about it. We'll be generating a handful of keys per application, and doing it once. Are there additional concerns with our using PBKDF2 in this way?

@emboss

Valid points - and nahi confirmed that we would only add HKDF support to Ruby OpenSSL if OpenSSL itself supports it one day.

Regarding PBKDF2, it's always a bit tricky if an algorithm is used in slightly different ways than intended.

I also do believe that the iteration count should be no concern. My main concern is rather how to handle the salts and how to get the determinism without weakening anything.

A different question - will the master key be (re-)generated on startup (and only kept in memory) or is it read from (and stored to) an external location? If so, are there any measures to protect it there or is this left to the user?

@NZKoz
Owner

Sorry, real life intervened.

The master key is generated when the application is generated and it's up to the user to protect it beyond that. We have a task, rake secret, but all that does is print a new random secret out to stdout. There's no KeyCzar-style functionality for rotating those keys. However, users can simply change it and Rails will silently discard the old cookies / sessions. Previously it raised exceptions; however, you get lots of false positives with misbehaving bots and proxies truncating the headers.

My plan for the salts is that they're config values to the application with hard-coded defaults. For example, to sign cookies we may have a config value

  config.something.cookie_signature_salt = "7da55e95cab4feae54f0a8af22a4e0a1280b63b5d5055948066"

But if the value's not set by the user, simply default it to some known value like "org.rubyonrails.cookies.signature"?

@rkh

Using a known salt is about as useful as using no salt, no?

@emboss

@rkh In this case it doesn't add to the security, I would agree. But using a salt would make it possible to derive "sub keys" from the master key in a reproducible way.

> Sorry, real life intervened.

No problem, it keeps doing that sometimes ;)

The salt itself can be treated as if it were public once established, but to prevent the ability to precompute values it should be selected randomly at some point. Instead of hardcoding them once and for all, would it be possible to set the individual values for cookie signing etc. at application generation time, together with the master key?

This part from PKCS#5 seems also good advice:

> 2) Otherwise, the salt should contain data that explicitly distinguishes between different operations and different key lengths, in addition to a random part that is at least eight octets long, and this data should be checked or regenerated by the party receiving the salt. For instance, the salt could have an additional non-random octet that specifies the purpose of the derived key. Alternatively, it could be the encoding of a structure that specifies detailed information about the derived key, such as the encryption or authentication technique and a sequence number among the different keys derived from the password. The particular format of the additional data is left to the application.

Taking this into account, how about prefixing the salt with the purpose and then adding a random part? Something like

"org.rubyonrails.cookies.signature7da55e95cab4feae54f0a8af22a4e0a1280b63b5d5055948066"

The raw (non-hex) salt should still be at least 8 bytes long, to prevent generating the same key twice for different applications:

> 2) It is unlikely that the same key will be selected twice. Again, if the salt is 64 bits long, the chance of "collision" between keys does not become significant until about 2^32 keys have been produced, according to the Birthday Paradox. This addresses some of the concerns about interactions between multiple uses of the same key, which may apply for some encryption and authentication techniques.

Since the original master key is already secure random, I would assume it's fine to stay modest with the iterations...

@nahi Would you agree?

@thaidn

What we want is to provide a simple API for the developers (including Rails' core ones) to derive different keys from one single master key. I'd like to see something as simple as Application.key_generator.derive_key(info), where info might contain some non-random data to identify the derived key, e.g., "encrypted_cookie_store_key".

One simple way you can do is to use http://www.ruby-doc.org/stdlib-2.0/libdoc/openssl/rdoc/OpenSSL/PKCS5.html#method-c-pbkdf2_hmac with SHA256 as the hash function and pass the arguments as follows:

  • pass: the master key

  • salt: info passed by the caller

  • iter: 1000. We don't need anything bigger here because the master key is already random.

  • keylen: 256 (= hashlen). This is enough key bits for all crypto operations.

This is actually a misuse of the OpenSSL-PBKDF2 API, but we really know what we are doing here for the following reasons:

1) In this setting PBKDF2-HMAC is very similar to HKDF. When keylen is equal to hashlen, HKDF would output T_1 computed as follows:

T_1 = HMAC-Hash(PRK, info | 0x01)

and PBKDF2-HMAC would output this T_1:

F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
T_1 = F (P, S, c, 1) ,

where

U_1 = PRF (P, S || INT (i)) ,
U_2 = PRF (P, U_1) ,
...
U_c = PRF (P, U_{c-1}) .

Here, S is salt (non-random info in our case), c is the iteration counter and INT (i) is a four-octet encoding of the integer i, most significant octet first. You probably notice that HKDF's T_1 is actually PBKDF2-HMAC's U_1. In other words, the 1000 iteration count actually makes PBKDF2 stronger than HKDF.

2) The KDF used in SSL is super simple:

 key_block =
   MD5(master_secret + SHA(`A' + master_secret +
                           ServerHello.random +
                           ClientHello.random)) +
   MD5(master_secret + SHA(`BB' + master_secret +
                           ServerHello.random +
                           ClientHello.random)) +
   MD5(master_secret + SHA(`CCC' + master_secret +
                           ServerHello.random +
                           ClientHello.random)) + [...];

but it's Still Secure After All These Years (TM)!

3) Actually in practice people also use something as simple as HMAC(master_key, "0") and HMAC(master_key, "1") to derive different keys. It's okay because HMAC is a secure PRF, so as long as the master_key is random this would generate completely random keys.

So I guess we'll be fine with the approach I propose above. Anything more complex than it is probably overkill and might confuse developers.
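Worked example of the scheme discussed in this thread, added here and not part of the pull request or of Rails itself: it derives two keys from a constructed master secret with the PBKDF2 parameters @thaidn lists (SHA-256, 1000 iterations, 256-bit output) using purpose-prefixed salts of the kind @emboss suggested, writes PBKDF2's F/U_i formulas and HKDF-Expand out by hand so that the two can be compared against OpenSSL and against each other, and checks the hand-written HKDF against RFC 5869's first test vector. `DemoKeyGenerator`, the master secret and the salt strings are assumed/constructed names and values.

```ruby
require 'openssl'
require 'securerandom'

HLEN = 32 # SHA-256 output length in bytes (the 256-bit keylen @thaidn proposes)

def hmac_sha256(key, data)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), key, data)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# PBKDF2-HMAC-SHA256 written out as in the formulas quoted in the thread:
# T_i = U_1 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}); INT(i) is 4 octets.
def pbkdf2_hmac_sha256(password, salt, iterations, keylen)
  blocks = (keylen + HLEN - 1) / HLEN
  dk = ''.b
  (1..blocks).each do |i|
    u = hmac_sha256(password, salt + [i].pack('N')) # U_1, big-endian 4-octet counter
    t = u
    (iterations - 1).times do
      u = hmac_sha256(password, u)                  # U_j
      t = xor_bytes(t, u)
    end
    dk << t
  end
  dk[0, keylen]
end

# HKDF (RFC 5869) with SHA-256: Extract, then Expand with a 1-octet block counter.
def hkdf_extract_sha256(salt, ikm)
  hmac_sha256(salt, ikm)
end

def hkdf_expand_sha256(prk, info, length)
  n = (length + HLEN - 1) / HLEN
  t = ''.b
  okm = ''.b
  (1..n).each do |i|
    t = hmac_sha256(prk, t + info + [i].pack('C')) # T_i = HMAC(PRK, T_{i-1} | info | i)
    okm << t
  end
  okm[0, length]
end

# Hypothetical stand-in for the generator discussed above (not Rails' own class):
# PBKDF2-HMAC-SHA256, 1000 iterations, 256-bit output, master secret as the "password".
class DemoKeyGenerator
  ITERATIONS = 1000
  KEY_BYTES = HLEN

  def initialize(secret)
    @secret = secret
  end

  def derive_key(salt)
    OpenSSL::PKCS5.pbkdf2_hmac(@secret, salt, ITERATIONS, KEY_BYTES, OpenSSL::Digest.new('SHA256'))
  end
end

# Constructed values: a SecureRandom master secret standing in for config.secret_token, and
# purpose-prefixed salts (purpose string + a constructed random part) as @emboss suggested.
MASTER_SECRET = SecureRandom.random_bytes(64)
SALT_RANDOM_PART = '7da55e95cab4feae54f0a8af22a4e0a1' # constructed; would be generated per app
SIGNING_SALT = 'org.rubyonrails.cookies.signature' + SALT_RANDOM_PART
ENCRYPTION_SALT = 'org.rubyonrails.cookies.encryption' + SALT_RANDOM_PART

# Same master secret, different purpose salt: two independent, reproducible keys.
def derived_keys_for_demo
  kg = DemoKeyGenerator.new(MASTER_SECRET)
  { signing: kg.derive_key(SIGNING_SALT), encryption: kg.derive_key(ENCRYPTION_SALT) }
end

# With c = 1 and keylen = HLEN, PBKDF2 returns exactly U_1 = HMAC(P, S || INT(1)).
def pbkdf2_single_iteration_is_u1?(password, salt)
  pbkdf2_hmac_sha256(password, salt, 1, HLEN) == hmac_sha256(password, salt + "\x00\x00\x00\x01".b)
end

# HKDF-Expand's first block is HMAC(PRK, info || 0x01): same shape as U_1, but a 1-octet counter.
def hkdf_first_block_is_t1?(prk, info)
  hkdf_expand_sha256(prk, info, HLEN) == hmac_sha256(prk, info + "\x01".b)
end

# Self-check of the hand-written HKDF against RFC 5869, Appendix A, test case 1.
def rfc5869_test_case_1_ok?
  ikm  = ("\x0b" * 22).b
  salt = (0..12).to_a.pack('C*')
  info = (0xf0..0xf9).to_a.pack('C*')
  okm  = hkdf_expand_sha256(hkdf_extract_sha256(salt, ikm), info, 42)
  okm.unpack1('H*') == '3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865'
end

if __FILE__ == $0
  keys = derived_keys_for_demo
  puts "signing key:    #{keys[:signing].unpack1('H*')}"
  puts "encryption key: #{keys[:encryption].unpack1('H*')}"
  puts "RFC 5869 test case 1 passes: #{rfc5869_test_case_1_ok?}"
end
```

Because the salts are fixed per application, running the block twice with the same master secret yields the same two keys, which is exactly the determinism the cookie store needs to re-validate old cookies.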

@NZKoz NZKoz Add ActiveSupport::KeyGenerator as a simple wrapper around PBKDF2
This will be used to derive keys from the secret and a salt, in order to allow us to
do things like encrypted cookie stores without using the secret for multiple
purposes directly.
def2ccb
@NZKoz
Owner

OK, I've updated this pull request as per @thaidn's helpful feedback, barring any objections in the next 24 hours I'll merge this in for 4.0 and begin the work of changing cookie / session store to derive the keys rather than using the bare secret.

@NZKoz NZKoz Provide access to the application's KeyGenerator
Available both as an env entry for rack and an instance method on Rails::Application for other uses
0479bff
@NZKoz NZKoz merged commit 0a50792 into rails:master
@steveklabnik steveklabnik referenced this pull request
Closed

encrypted cookie jar #5034

@benja83 benja83 referenced this pull request from a commit in benja83/toyotakataboard-relational
@benja83 benja83 initial commit, create kata and condition model
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6a502e9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,16 @@
+# See https://help.github.com/articles/ignoring-files for more about ignoring files.
+#
+# If you find yourself ignoring temporary files generated by your text editor
+# or operating system, you probably want to add a global ignore instead:
+#   git config --global core.excludesfile '~/.gitignore_global'
+
+# Ignore bundler config.
+/.bundle
+
+# Ignore the default SQLite database.
+/db/*.sqlite3
+/db/*.sqlite3-journal
+
+# Ignore all logfiles and tempfiles.
+/log/*.log
+/tmp
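Review bot: the ignore list covers the SQLite files and logs but not `config/database.yml`, which this same commit adds as a PostgreSQL configuration; if that file ever carries real credentials they end up in history, so either ignore it and commit a `database.yml.example`, or read the credentials from the environment.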
diff --git a/.rspec b/.rspec
new file mode 100644
index 0000000..83e16f8
--- /dev/null
+++ b/.rspec
@@ -0,0 +1,2 @@
+--color
+--require spec_helper
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..1176802
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,43 @@
+source 'https://rubygems.org'
+
+
+# Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
+gem 'rails', '4.1.0'
+# Use postgresql as the database for Active Record
+gem 'pg'
+# Use SCSS for stylesheets
+gem 'sass-rails', '~> 4.0.3'
+# Use Uglifier as compressor for JavaScript assets
+gem 'uglifier', '>= 1.3.0'
+# Use CoffeeScript for .js.coffee assets and views
+# gem 'coffee-rails', '~> 4.0.0'
+# See https://github.com/sstephenson/execjs#readme for more supported runtimes
+# gem 'therubyracer',  platforms: :ruby
+
+# Use jquery as the JavaScript library
+gem 'jquery-rails'
+# Turbolinks makes following links in your web application faster. Read more: https://github.com/rails/turbolinks
+gem 'turbolinks'
+# Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
+gem 'jbuilder', '~> 2.0'
+# bundle exec rake doc:rails generates the API under doc/api.
+gem 'sdoc', '~> 0.4.0',          group: :doc
+
+# Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
+gem 'spring',        group: :development
+
+# Use ActiveModel has_secure_password
+# gem 'bcrypt', '~> 3.1.7'
+
+# Use unicorn as the app server
+# gem 'unicorn'
+
+# Use Capistrano for deployment
+# gem 'capistrano-rails', group: :development
+
+# Use debugger
+# gem 'debugger', group: [:development, :test]
+
+group :development, :test do
+  gem 'rspec-rails', '~> 3.0'
+end
\ No newline at end of file
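Review bot: `gem 'rails', '4.1.0'` pins an exact release, so `bundle update` will never pick up 4.1.x patch releases, which is where security fixes for this series ship; a pessimistic constraint such as `gem 'rails', '~> 4.1.0'` stays on the minor line while allowing patches. The file also lacks a trailing newline (`\ No newline at end of file`).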
diff --git a/Gemfile.lock b/Gemfile.lock
new file mode 100644
index 0000000..9d708c6
--- /dev/null
+++ b/Gemfile.lock
@@ -0,0 +1,143 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionmailer (4.1.0)
+      actionpack (= 4.1.0)
+      actionview (= 4.1.0)
+      mail (~> 2.5.4)
+    actionpack (4.1.0)
+      actionview (= 4.1.0)
+      activesupport (= 4.1.0)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    actionview (4.1.0)
+      activesupport (= 4.1.0)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+    activemodel (4.1.0)
+      activesupport (= 4.1.0)
+      builder (~> 3.1)
+    activerecord (4.1.0)
+      activemodel (= 4.1.0)
+      activesupport (= 4.1.0)
+      arel (~> 5.0.0)
+    activesupport (4.1.0)
+      i18n (~> 0.6, >= 0.6.9)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.1)
+      tzinfo (~> 1.1)
+    arel (5.0.1.20140414130214)
+    builder (3.2.2)
+    coffee-rails (4.1.0)
+      coffee-script (>= 2.2.0)
+      railties (>= 4.0.0, < 5.0)
+    coffee-script (2.4.1)
+      coffee-script-source
+      execjs
+    coffee-script-source (1.9.1.1)
+    diff-lcs (1.2.5)
+    erubis (2.7.0)
+    execjs (2.5.2)
+    hike (1.2.3)
+    i18n (0.7.0)
+    jbuilder (2.2.16)
+      activesupport (>= 3.0.0, < 5)
+      multi_json (~> 1.2)
+    jquery-rails (3.1.2)
+      railties (>= 3.0, < 5.0)
+      thor (>= 0.14, < 2.0)
+    json (1.8.2)
+    mail (2.5.4)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    mime-types (1.25.1)
+    minitest (5.6.1)
+    multi_json (1.11.0)
+    pg (0.18.2)
+    polyglot (0.3.5)
+    rack (1.5.3)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rails (4.1.0)
+      actionmailer (= 4.1.0)
+      actionpack (= 4.1.0)
+      actionview (= 4.1.0)
+      activemodel (= 4.1.0)
+      activerecord (= 4.1.0)
+      activesupport (= 4.1.0)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.1.0)
+      sprockets-rails (~> 2.0)
+    railties (4.1.0)
+      actionpack (= 4.1.0)
+      activesupport (= 4.1.0)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (10.4.2)
+    rdoc (4.2.0)
+      json (~> 1.4)
+    rspec-core (3.2.3)
+      rspec-support (~> 3.2.0)
+    rspec-expectations (3.2.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.2.0)
+    rspec-mocks (3.2.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.2.0)
+    rspec-rails (3.2.1)
+      actionpack (>= 3.0, < 4.3)
+      activesupport (>= 3.0, < 4.3)
+      railties (>= 3.0, < 4.3)
+      rspec-core (~> 3.2.0)
+      rspec-expectations (~> 3.2.0)
+      rspec-mocks (~> 3.2.0)
+      rspec-support (~> 3.2.0)
+    rspec-support (3.2.2)
+    sass (3.2.19)
+    sass-rails (4.0.5)
+      railties (>= 4.0.0, < 5.0)
+      sass (~> 3.2.2)
+      sprockets (~> 2.8, < 3.0)
+      sprockets-rails (~> 2.0)
+    sdoc (0.4.1)
+      json (~> 1.7, >= 1.7.7)
+      rdoc (~> 4.0)
+    spring (1.3.6)
+    sprockets (2.12.3)
+      hike (~> 1.2)
+      multi_json (~> 1.0)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    sprockets-rails (2.3.1)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    tilt (1.4.1)
+    treetop (1.4.15)
+      polyglot
+      polyglot (>= 0.3.1)
+    turbolinks (2.5.3)
+      coffee-rails
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    uglifier (2.7.1)
+      execjs (>= 0.3.0)
+      json (>= 1.8.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  jbuilder (~> 2.0)
+  jquery-rails
+  pg
+  rails (= 4.1.0)
+  rspec-rails (~> 3.0)
+  sass-rails (~> 4.0.3)
+  sdoc (~> 0.4.0)
+  spring
+  turbolinks
+  uglifier (>= 1.3.0)
diff --git a/README.rdoc b/README.rdoc
new file mode 100644
index 0000000..dd4e97e
--- /dev/null
+++ b/README.rdoc
@@ -0,0 +1,28 @@
+== README
+
+This README would normally document whatever steps are necessary to get the
+application up and running.
+
+Things you may want to cover:
+
+* Ruby version
+
+* System dependencies
+
+* Configuration
+
+* Database creation
+
+* Database initialization
+
+* How to run the test suite
+
+* Services (job queues, cache servers, search engines, etc.)
+
+* Deployment instructions
+
+* ...
+
+
+Please feel free to use a different markup language if you do not plan to run
+<tt>rake doc:app</tt>.
diff --git a/Rakefile b/Rakefile
new file mode 100644
index 0000000..ba6b733
--- /dev/null
+++ b/Rakefile
@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Rails.application.load_tasks
diff --git a/app/assets/images/.keep b/app/assets/images/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/app/assets/javascripts/application.js b/app/assets/javascripts/application.js
new file mode 100644
index 0000000..d6925fa
--- /dev/null
+++ b/app/assets/javascripts/application.js
@@ -0,0 +1,16 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require jquery
+//= require jquery_ujs
+//= require turbolinks
+//= require_tree .
diff --git a/app/assets/stylesheets/application.css b/app/assets/stylesheets/application.css
new file mode 100644
index 0000000..a443db3
--- /dev/null
+++ b/app/assets/stylesheets/application.css
@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
new file mode 100644
index 0000000..d83690e
--- /dev/null
+++ b/app/controllers/application_controller.rb
@@ -0,0 +1,5 @@
+class ApplicationController < ActionController::Base
+  # Prevent CSRF attacks by raising an exception.
+  # For APIs, you may want to use :null_session instead.
+  protect_from_forgery with: :exception
+end
diff --git a/app/controllers/concerns/.keep b/app/controllers/concerns/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
new file mode 100644
index 0000000..de6be79
--- /dev/null
+++ b/app/helpers/application_helper.rb
@@ -0,0 +1,2 @@
+module ApplicationHelper
+end
diff --git a/app/mailers/.keep b/app/mailers/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/app/models/.keep b/app/models/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/app/models/concerns/.keep b/app/models/concerns/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/app/models/condition.rb b/app/models/condition.rb
new file mode 100644
index 0000000..e288628
--- /dev/null
+++ b/app/models/condition.rb
@@ -0,0 +1,3 @@
+class Condition < ActiveRecord::Base
+  belongs_to :kata
+end
diff --git a/app/models/kata.rb b/app/models/kata.rb
new file mode 100644
index 0000000..9fe377a
--- /dev/null
+++ b/app/models/kata.rb
@@ -0,0 +1,3 @@
+class Kata < ActiveRecord::Base
+  has_many :conditions
+end
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
new file mode 100644
index 0000000..c8c3a37
--- /dev/null
+++ b/app/views/layouts/application.html.erb
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Toyotakataboard</title>
+  <%= stylesheet_link_tag    'application', media: 'all', 'data-turbolinks-track' => true %>
+  <%= javascript_include_tag 'application', 'data-turbolinks-track' => true %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>
diff --git a/bin/bundle b/bin/bundle
new file mode 100755
index 0000000..66e9889
--- /dev/null
+++ b/bin/bundle
@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+load Gem.bin_path('bundler', 'bundle')
diff --git a/bin/rails b/bin/rails
new file mode 100755
index 0000000..728cd85
--- /dev/null
+++ b/bin/rails
@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require_relative '../config/boot'
+require 'rails/commands'
diff --git a/bin/rake b/bin/rake
new file mode 100755
index 0000000..1724048
--- /dev/null
+++ b/bin/rake
@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative '../config/boot'
+require 'rake'
+Rake.application.run
diff --git a/config.ru b/config.ru
new file mode 100644
index 0000000..5bc2a61
--- /dev/null
+++ b/config.ru
@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Rails.application
diff --git a/config/application.rb b/config/application.rb
new file mode 100644
index 0000000..784b718
--- /dev/null
+++ b/config/application.rb
@@ -0,0 +1,30 @@
+require File.expand_path('../boot', __FILE__)
+
+# Pick the frameworks you want:
+require "active_model/railtie"
+require "active_record/railtie"
+require "action_controller/railtie"
+require "action_mailer/railtie"
+require "action_view/railtie"
+require "sprockets/railtie"
+# require "rails/test_unit/railtie"
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+
+module Toyotakataboard
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+  end
+end
diff --git a/config/boot.rb b/config/boot.rb
new file mode 100644
index 0000000..5e5f0c1
--- /dev/null
+++ b/config/boot.rb
@@ -0,0 +1,4 @@
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
diff --git a/config/database.yml b/config/database.yml
new file mode 100644
index 0000000..0ac6612
--- /dev/null
+++ b/config/database.yml
@@ -0,0 +1,85 @@
+# PostgreSQL. Versions 8.2 and up are supported.
+#
+# Install the pg driver:
+#   gem install pg
+# On OS X with Homebrew:
+#   gem install pg -- --with-pg-config=/usr/local/bin/pg_config
+# On OS X with MacPorts:
+#   gem install pg -- --with-pg-config=/opt/local/lib/postgresql84/bin/pg_config
+# On Windows:
+#   gem install pg
+#       Choose the win32 build.
+#       Install PostgreSQL and put its /bin directory on your path.
+#
+# Configure Using Gemfile
+# gem 'pg'
+#
+default: &default
+  adapter: postgresql
+  encoding: unicode
+  # For details on connection pooling, see rails configuration guide
+  # http://guides.rubyonrails.org/configuring.html#database-pooling
+  pool: 5
+
+development:
+  <<: *default
+  database: toyotakataboard_development
+
+  # The specified database role being used to connect to postgres.
+  # To create additional roles in postgres see `$ createuser --help`.
+  # When left blank, postgres will use the default role. This is
+  # the same name as the operating system user that initialized the database.
+  #username: toyotakataboard
+
+  # The password associated with the postgres role (username).
+  #password:
+
+  # Connect on a TCP socket. Omitted by default since the client uses a
+  # domain socket that doesn't need configuration. Windows does not have
+  # domain sockets, so uncomment these lines.
+  #host: localhost
+
+  # The TCP port the server listens on. Defaults to 5432.
+  # If your server runs on a different port number, change accordingly.
+  #port: 5432
+
+  # Schema search path. The server defaults to $user,public
+  #schema_search_path: myapp,sharedapp,public
+
+  # Minimum log levels, in increasing order:
+  #   debug5, debug4, debug3, debug2, debug1,
+  #   log, notice, warning, error, fatal, and panic
+  # Defaults to warning.
+  #min_messages: notice
+
+# Warning: The database defined as "test" will be erased and
+# re-generated from your development database when you run "rake".
+# Do not set this db to the same as development or production.
+test:
+  <<: *default
+  database: toyotakataboard_test
+
+# As with config/secrets.yml, you never want to store sensitive information,
+# like your database password, in your source code. If your source code is
+# ever seen by anyone, they now have access to your database.
+#
+# Instead, provide the password as a unix environment variable when you boot
+# the app. Read http://guides.rubyonrails.org/configuring.html#configuring-a-database
+# for a full rundown on how to provide these environment variables in a
+# production deployment.
+#
+# On Heroku and other platform providers, you may have a full connection URL
+# available as an environment variable. For example:
+#
+#   DATABASE_URL="postgres://myuser:mypass@localhost/somedatabase"
+#
+# You can use this database configuration with:
+#
+#   production:
+#     url: <%= ENV['DATABASE_URL'] %>
+#
+production:
+  <<: *default
+  database: toyotakataboard_production
+  username: toyotakataboard
+  password: <%= ENV['TOYOTAKATABOARD_DATABASE_PASSWORD'] %>
diff --git a/config/environment.rb b/config/environment.rb
new file mode 100644
index 0000000..ee8d90d
--- /dev/null
+++ b/config/environment.rb
@@ -0,0 +1,5 @@
+# Load the Rails application.
+require File.expand_path('../application', __FILE__)
+
+# Initialize the Rails application.
+Rails.application.initialize!
diff --git a/config/environments/development.rb b/config/environments/development.rb
new file mode 100644
index 0000000..ddf0e90
--- /dev/null
+++ b/config/environments/development.rb
@@ -0,0 +1,37 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # In the development environment your application's code is reloaded on
+  # every request. This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+
+  # Do not eager load code on boot.
+  config.eager_load = false
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Don't care if the mailer can't send.
+  config.action_mailer.raise_delivery_errors = false
+
+  # Print deprecation notices to the Rails logger.
+  config.active_support.deprecation = :log
+
+  # Raise an error on page load if there are pending migrations.
+  config.active_record.migration_error = :page_load
+
+  # Debug mode disables concatenation and preprocessing of assets.
+  # This option may cause significant delays in view rendering with a large
+  # number of complex assets.
+  config.assets.debug = true
+
+  # Adds additional error checking when serving assets at runtime.
+  # Checks for improperly declared sprockets dependencies.
+  # Raises helpful error messages.
+  config.assets.raise_runtime_errors = true
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+end
diff --git a/config/environments/production.rb b/config/environments/production.rb
new file mode 100644
index 0000000..47d3553
--- /dev/null
+++ b/config/environments/production.rb
@@ -0,0 +1,83 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # Code is not reloaded between requests.
+  config.cache_classes = true
+
+  # Eager load code on boot. This eager loads most of Rails and
+  # your application in memory, allowing both threaded web servers
+  # and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # Full error reports are disabled and caching is turned on.
+  config.consider_all_requests_local       = false
+  config.action_controller.perform_caching = true
+
+  # Enable Rack::Cache to put a simple HTTP cache in front of your application
+  # Add `rack-cache` to your Gemfile before enabling this.
+  # For large-scale production use, consider using a caching reverse proxy like nginx, varnish or squid.
+  # config.action_dispatch.rack_cache = true
+
+  # Disable Rails's static asset server (Apache or nginx will already do this).
+  config.serve_static_assets = false
+
+  # Compress JavaScripts and CSS.
+  config.assets.js_compressor = :uglifier
+  # config.assets.css_compressor = :sass
+
+  # Do not fallback to assets pipeline if a precompiled asset is missed.
+  config.assets.compile = false
+
+  # Generate digests for assets URLs.
+  config.assets.digest = true
+
+  # Version of your assets, change this if you want to expire all your assets.
+  config.assets.version = '1.0'
+
+  # Specifies the header that your server uses for sending files.
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
+  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  # config.force_ssl = true
+
+  # Set to :debug to see everything in the log.
+  config.log_level = :info
+
+  # Prepend all log lines with the following tags.
+  # config.log_tags = [ :subdomain, :uuid ]
+
+  # Use a different logger for distributed setups.
+  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.action_controller.asset_host = "http://assets.example.com"
+
+  # Precompile additional assets.
+  # application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
+  # config.assets.precompile += %w( search.js )
+
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation cannot be found).
+  config.i18n.fallbacks = true
+
+  # Send deprecation notices to registered listeners.
+  config.active_support.deprecation = :notify
+
+  # Disable automatic flushing of the log to improve performance.
+  # config.autoflush_log = false
+
+  # Use default logging formatter so that PID and timestamp are not suppressed.
+  config.log_formatter = ::Logger::Formatter.new
+
+  # Do not dump schema after migrations.
+  config.active_record.dump_schema_after_migration = false
+end
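Review bot: `config.force_ssl` is left commented out in the production environment while the app uses `:cookie_store` sessions (config/initializers/session_store.rb) signed with `secret_key_base`; without `force_ssl = true` the session cookie is neither confined to HTTPS nor flagged `secure`, so it travels in clear over plain HTTP and can be replayed by anyone on the path. Suggest uncommenting `config.force_ssl = true` before this configuration is deployed, or, if TLS is terminated at a proxy, documenting here that the proxy enforces the redirect, HSTS and the secure cookie flag instead.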
diff --git a/config/environments/test.rb b/config/environments/test.rb
new file mode 100644
index 0000000..053f5b6
--- /dev/null
+++ b/config/environments/test.rb
@@ -0,0 +1,39 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # The test environment is used exclusively to run your application's
+  # test suite. You never need to work with it otherwise. Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs. Don't rely on the data there!
+  config.cache_classes = true
+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
+
+  # Configure static asset server for tests with Cache-Control for performance.
+  config.serve_static_assets  = true
+  config.static_cache_control = 'public, max-age=3600'
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates.
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  config.action_mailer.delivery_method = :test
+
+  # Print deprecation notices to the stderr.
+  config.active_support.deprecation = :stderr
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+end
diff --git a/config/initializers/backtrace_silencers.rb b/config/initializers/backtrace_silencers.rb
new file mode 100644
index 0000000..59385cd
--- /dev/null
+++ b/config/initializers/backtrace_silencers.rb
@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!
diff --git a/config/initializers/cookies_serializer.rb b/config/initializers/cookies_serializer.rb
new file mode 100644
index 0000000..7a06a89
--- /dev/null
+++ b/config/initializers/cookies_serializer.rb
@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.action_dispatch.cookies_serializer = :json
\ No newline at end of file
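Review bot: config/initializers/cookies_serializer.rb is missing its trailing newline (`\ No newline at end of file`), unlike every other generated initializer in this diff; add the newline so the file matches the rest and does not produce noisy diffs on the next edit. The `:json` serializer itself is the right choice over `:marshal` for cookie data.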
diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb
new file mode 100644
index 0000000..4a994e1
--- /dev/null
+++ b/config/initializers/filter_parameter_logging.rb
@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure sensitive parameters which will be filtered from the log file.
+Rails.application.config.filter_parameters += [:password]
diff --git a/config/initializers/inflections.rb b/config/initializers/inflections.rb
new file mode 100644
index 0000000..ac033bf
--- /dev/null
+++ b/config/initializers/inflections.rb
@@ -0,0 +1,16 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end
+
+# These inflection rules are supported but not enabled by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.acronym 'RESTful'
+# end
diff --git a/config/initializers/mime_types.rb b/config/initializers/mime_types.rb
new file mode 100644
index 0000000..dc18996
--- /dev/null
+++ b/config/initializers/mime_types.rb
@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new mime types for use in respond_to blocks:
+# Mime::Type.register "text/richtext", :rtf
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
new file mode 100644
index 0000000..f73ba88
--- /dev/null
+++ b/config/initializers/session_store.rb
@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.session_store :cookie_store, key: '_toyotakataboard_session'
diff --git a/config/initializers/wrap_parameters.rb b/config/initializers/wrap_parameters.rb
new file mode 100644
index 0000000..33725e9
--- /dev/null
+++ b/config/initializers/wrap_parameters.rb
@@ -0,0 +1,14 @@
+# Be sure to restart your server when you modify this file.
+
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
+end
+
+# To enable root element in JSON for ActiveRecord objects.
+# ActiveSupport.on_load(:active_record) do
+#  self.include_root_in_json = true
+# end
diff --git a/config/locales/en.yml b/config/locales/en.yml
new file mode 100644
index 0000000..0653957
--- /dev/null
+++ b/config/locales/en.yml
@@ -0,0 +1,23 @@
+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more, please read the Rails Internationalization guide
+# available at http://guides.rubyonrails.org/i18n.html.
+
+en:
+  hello: "Hello world"
diff --git a/config/routes.rb b/config/routes.rb
new file mode 100644
index 0000000..3f66539
--- /dev/null
+++ b/config/routes.rb
@@ -0,0 +1,56 @@
+Rails.application.routes.draw do
+  # The priority is based upon order of creation: first created -> highest priority.
+  # See how all your routes lay out with "rake routes".
+
+  # You can have the root of your site routed with "root"
+  # root 'welcome#index'
+
+  # Example of regular route:
+  #   get 'products/:id' => 'catalog#view'
+
+  # Example of named route that can be invoked with purchase_url(id: product.id)
+  #   get 'products/:id/purchase' => 'catalog#purchase', as: :purchase
+
+  # Example resource route (maps HTTP verbs to controller actions automatically):
+  #   resources :products
+
+  # Example resource route with options:
+  #   resources :products do
+  #     member do
+  #       get 'short'
+  #       post 'toggle'
+  #     end
+  #
+  #     collection do
+  #       get 'sold'
+  #     end
+  #   end
+
+  # Example resource route with sub-resources:
+  #   resources :products do
+  #     resources :comments, :sales
+  #     resource :seller
+  #   end
+
+  # Example resource route with more complex sub-resources:
+  #   resources :products do
+  #     resources :comments
+  #     resources :sales do
+  #       get 'recent', on: :collection
+  #     end
+  #   end
+
+  # Example resource route with concerns:
+  #   concern :toggleable do
+  #     post 'toggle'
+  #   end
+  #   resources :posts, concerns: :toggleable
+  #   resources :photos, concerns: :toggleable
+
+  # Example resource route within a namespace:
+  #   namespace :admin do
+  #     # Directs /admin/products/* to Admin::ProductsController
+  #     # (app/controllers/admin/products_controller.rb)
+  #     resources :products
+  #   end
+end
diff --git a/config/secrets.yml b/config/secrets.yml
new file mode 100644
index 0000000..3581cc2
--- /dev/null
+++ b/config/secrets.yml
@@ -0,0 +1,22 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key is used for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+# You can use `rake secret` to generate a secure secret key.
+
+# Make sure the secrets in this file are kept private
+# if you're sharing your code publicly.
+
+development:
+  secret_key_base: 302b3fcb0aa199aec43023bdb6908f5c00c3451fcabb825b33052c910958805752462436ba6725e921d4528068481d1888ddf3a58816b95a2d3cdd4623be22bc
+
+test:
+  secret_key_base: eed3713fdcb5cd2767385f7a9450f13eadd5ca88f125ec5b8fa81198dfa3bae7d0a6c7696c2ea866b982aa9c602e58af09f363de178e569fdb869cfe9f7f4d52
+
+# Do not keep production secrets in the repository,
+# instead read values from the environment.
+production:
+  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
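Review bot: the development and test `secret_key_base` values are committed in clear text, which is what the Rails generator produces, but because this repository is public those two keys must be treated as burned and never reused for any deployed environment. The production entry correctly reads `ENV["SECRET_KEY_BASE"]`; note that if the variable is unset the value is nil and Rails refuses to boot in production with a missing `secret_key_base` error, so the deployment notes should say where that variable is provisioned.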
diff --git a/db/migrate/20150524190249_create_kata.rb b/db/migrate/20150524190249_create_kata.rb
new file mode 100644
index 0000000..3da4eb7
--- /dev/null
+++ b/db/migrate/20150524190249_create_kata.rb
@@ -0,0 +1,13 @@
+class CreateKata < ActiveRecord::Migration
+  def change
+    create_table :kata do |t|
+      t.string :name
+      t.string :vision
+      t.string :team
+      t.date :init_date
+      t.date :end_date
+      t.string :responsible
+      t.timestamps
+    end
+  end
+end
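Review bot: `create_table :kata` creates a singular table name, but the `Kata` model added in app/models/kata.rb will query `katas` by default, so `Kata.first` fails with an undefined-table error unless the model sets `self.table_name = 'kata'` or `kata` is registered as uncountable in config/initializers/inflections.rb (which is still the untouched template in this diff). Suggest either renaming the table to `create_table :katas` or adding the inflection, and adding a spec to spec/models/kata_spec.rb that actually loads a record so the mismatch is caught.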
diff --git a/db/migrate/20150524192645_create_conditions.rb b/db/migrate/20150524192645_create_conditions.rb
new file mode 100644
index 0000000..d8725f3
--- /dev/null
+++ b/db/migrate/20150524192645_create_conditions.rb
@@ -0,0 +1,10 @@
+class CreateConditions < ActiveRecord::Migration
+  def change
+    create_table :conditions do |t|
+      t.string :title
+      t.string :type
+      t.timestamps
+    end
+    add_reference :conditions, :kata, index: true
+  end
+end
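Review bot: `t.string :type` in `create_table :conditions` is a reserved column name in ActiveRecord (it drives single-table inheritance), so any row whose `type` value is not the name of a `Condition` subclass raises `ActiveRecord::SubclassNotFound` when loaded. Rename the column (for example `condition_type` or `kind`) or point `self.inheritance_column` at an unused name in the model. `add_reference :conditions, :kata, index: true` adds the `kata_id` column and index but no foreign-key constraint, so referential integrity rests entirely on the model layer.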
diff --git a/db/schema.rb b/db/schema.rb
new file mode 100644
index 0000000..b092856
--- /dev/null
+++ b/db/schema.rb
@@ -0,0 +1,30 @@
+# encoding: UTF-8
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# Note that this schema.rb definition is the authoritative source for your
+# database schema. If you need to create the application database on another
+# system, you should be using db:schema:load, not running all the migrations
+# from scratch. The latter is a flawed and unsustainable approach (the more migrations
+# you'll amass, the slower it'll run and the greater likelihood for issues).
+#
+# It's strongly recommended that you check this file into your version control system.
+
+ActiveRecord::Schema.define(version: 20150524190249) do
+
+  # These are extensions that must be enabled in order to support this database
+  enable_extension "plpgsql"
+
+  create_table "kata", force: true do |t|
+    t.string   "name"
+    t.string   "vision"
+    t.string   "team"
+    t.date     "init_date"
+    t.date     "end_date"
+    t.string   "responsible"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+end
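Review bot: db/schema.rb is stale relative to the migrations in this same diff: it is dumped at version 20150524190249 and contains only the `kata` table, while migration 20150524192645 adds `conditions`. Anything that builds the database from the schema (`rake db:schema:load`, and `ActiveRecord::Migration.maintain_test_schema!` in spec/rails_helper.rb for the test database) will end up without the `conditions` table. Run `rake db:migrate` and commit the regenerated schema.rb alongside the migrations.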
diff --git a/db/seeds.rb b/db/seeds.rb
new file mode 100644
index 0000000..4edb1e8
--- /dev/null
+++ b/db/seeds.rb
@@ -0,0 +1,7 @@
+# This file should contain all the record creation needed to seed the database with its default values.
+# The data can then be loaded with the rake db:seed (or created alongside the db with db:setup).
+#
+# Examples:
+#
+#   cities = City.create([{ name: 'Chicago' }, { name: 'Copenhagen' }])
+#   Mayor.create(name: 'Emanuel', city: cities.first)
diff --git a/lib/assets/.keep b/lib/assets/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/lib/tasks/.keep b/lib/tasks/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/log/.keep b/log/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/public/404.html b/public/404.html
new file mode 100644
index 0000000..b612547
--- /dev/null
+++ b/public/404.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (404)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <div>
+      <h1>The page you were looking for doesn't exist.</h1>
+      <p>You may have mistyped the address or the page may have moved.</p>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>
diff --git a/public/422.html b/public/422.html
new file mode 100644
index 0000000..a21f82b
--- /dev/null
+++ b/public/422.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The change you wanted was rejected (422)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/422.html -->
+  <div class="dialog">
+    <div>
+      <h1>The change you wanted was rejected.</h1>
+      <p>Maybe you tried to change something you didn't have access to.</p>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>
diff --git a/public/500.html b/public/500.html
new file mode 100644
index 0000000..061abc5
--- /dev/null
+++ b/public/500.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <div>
+      <h1>We're sorry, but something went wrong.</h1>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>
diff --git a/public/favicon.ico b/public/favicon.ico
new file mode 100644
index 0000000..e69de29
diff --git a/public/robots.txt b/public/robots.txt
new file mode 100644
index 0000000..3c9c7c0
--- /dev/null
+++ b/public/robots.txt
@@ -0,0 +1,5 @@
+# See http://www.robotstxt.org/robotstxt.html for documentation on how to use the robots.txt file
+#
+# To ban all spiders from the entire site uncomment the next two lines:
+# User-agent: *
+# Disallow: /
diff --git a/spec/models/condition_spec.rb b/spec/models/condition_spec.rb
new file mode 100644
index 0000000..bcf85ec
--- /dev/null
+++ b/spec/models/condition_spec.rb
@@ -0,0 +1,5 @@
+require 'rails_helper'
+
+RSpec.describe Condition, type: :model do
+  pending "add some examples to (or delete) #{__FILE__}"
+end
diff --git a/spec/models/kata_spec.rb b/spec/models/kata_spec.rb
new file mode 100644
index 0000000..e75ae04
--- /dev/null
+++ b/spec/models/kata_spec.rb
@@ -0,0 +1,5 @@
+require 'rails_helper'
+
+RSpec.describe Kata, type: :model do
+  pending "add some examples to (or delete) #{__FILE__}"
+end
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
new file mode 100644
index 0000000..c278035
--- /dev/null
+++ b/spec/rails_helper.rb
@@ -0,0 +1,50 @@
+# This file is copied to spec/ when you run 'rails generate rspec:install'
+ENV['RAILS_ENV'] ||= 'test'
+require 'spec_helper'
+require File.expand_path('../../config/environment', __FILE__)
+require 'rspec/rails'
+# Add additional requires below this line. Rails is not loaded until this point!
+
+# Requires supporting ruby files with custom matchers and macros, etc, in
+# spec/support/ and its subdirectories. Files matching `spec/**/*_spec.rb` are
+# run as spec files by default. This means that files in spec/support that end
+# in _spec.rb will both be required and run as specs, causing the specs to be
+# run twice. It is recommended that you do not name files matching this glob to
+# end with _spec.rb. You can configure this pattern with the --pattern
+# option on the command line or in ~/.rspec, .rspec or `.rspec-local`.
+#
+# The following line is provided for convenience purposes. It has the downside
+# of increasing the boot-up time by auto-requiring all files in the support
+# directory. Alternatively, in the individual `*_spec.rb` files, manually
+# require only the support files necessary.
+#
+# Dir[Rails.root.join('spec/support/**/*.rb')].each { |f| require f }
+
+# Checks for pending migrations before tests are run.
+# If you are not using ActiveRecord, you can remove this line.
+ActiveRecord::Migration.maintain_test_schema!
+
+RSpec.configure do |config|
+  # Remove this line if you're not using ActiveRecord or ActiveRecord fixtures
+  config.fixture_path = "#{::Rails.root}/spec/fixtures"
+
+  # If you're not using ActiveRecord, or you'd prefer not to run each of your
+  # examples within a transaction, remove the following line or assign false
+  # instead of true.
+  config.use_transactional_fixtures = true
+
+  # RSpec Rails can automatically mix in different behaviours to your tests
+  # based on their file location, for example enabling you to call `get` and
+  # `post` in specs under `spec/controllers`.
+  #
+  # You can disable this behaviour by removing the line below, and instead
+  # explicitly tag your specs with their type, e.g.:
+  #
+  #     RSpec.describe UsersController, :type => :controller do
+  #       # ...
+  #     end
+  #
+  # The different available types are documented in the features, such as in
+  # https://relishapp.com/rspec/rspec-rails/docs
+  config.infer_spec_type_from_file_location!
+end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
new file mode 100644
index 0000000..38a4f9a
--- /dev/null
+++ b/spec/spec_helper.rb
@@ -0,0 +1,87 @@
+# This file was generated by the `rails generate rspec:install` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+  #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+  config.disable_monkey_patching!
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end
diff --git a/vendor/assets/javascripts/.keep b/vendor/assets/javascripts/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/vendor/assets/stylesheets/.keep b/vendor/assets/stylesheets/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/vendor/bundle/ruby/2.1.0/bin/erubis b/vendor/bundle/ruby/2.1.0/bin/erubis
new file mode 100755
index 0000000..301dd30
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/erubis
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'erubis' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'erubis', version
+load Gem.bin_path('erubis', 'erubis', version)
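Review bot: `vendor/bundle/ruby/2.1.0/bin/erubis` and everything else under `vendor/bundle/` in this diff is Bundler's install output (RubyGems binstubs here, and further down the `cache/*.gem` archives) rather than project source. Checking it in pins the checkout to one Ruby ABI directory (2.1.0), duplicates what `Gemfile.lock` already records, and will churn every time someone runs `bundle install` on a different machine. Suggest dropping these files from the commit and adding `vendor/bundle` to `.gitignore`.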
diff --git a/vendor/bundle/ruby/2.1.0/bin/htmldiff b/vendor/bundle/ruby/2.1.0/bin/htmldiff
new file mode 100755
index 0000000..6829c46
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/htmldiff
@@ -0,0 +1,25 @@
+#!/bin/sh
+'exec' "ruby" '-x' "$0" "$@"
+#!/Users/benjamintarenne/.rvm/rubies/ruby-2.1.1/bin/ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'diff-lcs' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'diff-lcs', version
+load Gem.bin_path('diff-lcs', 'htmldiff', version)
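Review bot: line 3 of this file, `#!/Users/benjamintarenne/.rvm/rubies/ruby-2.1.1/bin/ruby`, hard-codes an interpreter path inside one developer's home directory; the same shebang appears in `ldiff`, `sdoc` and `sdoc-merge` below. The `'exec' "ruby" '-x' "$0" "$@"` trampoline on line 2 means `ruby -x` skips to that line rather than executing the path, so the stub still runs, but it publishes a username and a local RVM layout in the repository and shows these stubs are machine-specific: they should be regenerated per install, not committed.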
diff --git a/vendor/bundle/ruby/2.1.0/bin/ldiff b/vendor/bundle/ruby/2.1.0/bin/ldiff
new file mode 100755
index 0000000..5d8588a
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/ldiff
@@ -0,0 +1,25 @@
+#!/bin/sh
+'exec' "ruby" '-x' "$0" "$@"
+#!/Users/benjamintarenne/.rvm/rubies/ruby-2.1.1/bin/ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'diff-lcs' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'diff-lcs', version
+load Gem.bin_path('diff-lcs', 'ldiff', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/rackup b/vendor/bundle/ruby/2.1.0/bin/rackup
new file mode 100755
index 0000000..416d30a
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/rackup
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'rack' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'rack', version
+load Gem.bin_path('rack', 'rackup', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/rails b/vendor/bundle/ruby/2.1.0/bin/rails
new file mode 100755
index 0000000..b2a661f
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/rails
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'railties' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'railties', version
+load Gem.bin_path('railties', 'rails', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/rake b/vendor/bundle/ruby/2.1.0/bin/rake
new file mode 100755
index 0000000..97d1fcc
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/rake
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'rake' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'rake', version
+load Gem.bin_path('rake', 'rake', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/rdoc b/vendor/bundle/ruby/2.1.0/bin/rdoc
new file mode 100755
index 0000000..0d3d314
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/rdoc
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'rdoc' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'rdoc', version
+load Gem.bin_path('rdoc', 'rdoc', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/ri b/vendor/bundle/ruby/2.1.0/bin/ri
new file mode 100755
index 0000000..cf45350
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/ri
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'rdoc' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'rdoc', version
+load Gem.bin_path('rdoc', 'ri', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/rspec b/vendor/bundle/ruby/2.1.0/bin/rspec
new file mode 100755
index 0000000..1df29e9
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/rspec
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'rspec-core' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'rspec-core', version
+load Gem.bin_path('rspec-core', 'rspec', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/sass b/vendor/bundle/ruby/2.1.0/bin/sass
new file mode 100755
index 0000000..2ade46c
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/sass
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'sass' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'sass', version
+load Gem.bin_path('sass', 'sass', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/sass-convert b/vendor/bundle/ruby/2.1.0/bin/sass-convert
new file mode 100755
index 0000000..2c1393c
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/sass-convert
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'sass' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'sass', version
+load Gem.bin_path('sass', 'sass-convert', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/scss b/vendor/bundle/ruby/2.1.0/bin/scss
new file mode 100755
index 0000000..6be603a
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/scss
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'sass' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'sass', version
+load Gem.bin_path('sass', 'scss', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/sdoc b/vendor/bundle/ruby/2.1.0/bin/sdoc
new file mode 100755
index 0000000..b28fa10
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/sdoc
@@ -0,0 +1,25 @@
+#!/bin/sh
+'exec' "ruby" '-x' "$0" "$@"
+#!/Users/benjamintarenne/.rvm/rubies/ruby-2.1.1/bin/ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'sdoc' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'sdoc', version
+load Gem.bin_path('sdoc', 'sdoc', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/sdoc-merge b/vendor/bundle/ruby/2.1.0/bin/sdoc-merge
new file mode 100755
index 0000000..a836cc7
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/sdoc-merge
@@ -0,0 +1,25 @@
+#!/bin/sh
+'exec' "ruby" '-x' "$0" "$@"
+#!/Users/benjamintarenne/.rvm/rubies/ruby-2.1.1/bin/ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'sdoc' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'sdoc', version
+load Gem.bin_path('sdoc', 'sdoc-merge', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/spring b/vendor/bundle/ruby/2.1.0/bin/spring
new file mode 100755
index 0000000..49623b8
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/spring
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'spring' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'spring', version
+load Gem.bin_path('spring', 'spring', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/sprockets b/vendor/bundle/ruby/2.1.0/bin/sprockets
new file mode 100755
index 0000000..bb01742
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/sprockets
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'sprockets' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'sprockets', version
+load Gem.bin_path('sprockets', 'sprockets', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/thor b/vendor/bundle/ruby/2.1.0/bin/thor
new file mode 100755
index 0000000..2533f7b
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/thor
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'thor' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'thor', version
+load Gem.bin_path('thor', 'thor', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/tilt b/vendor/bundle/ruby/2.1.0/bin/tilt
new file mode 100755
index 0000000..cba5196
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/tilt
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'tilt' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'tilt', version
+load Gem.bin_path('tilt', 'tilt', version)
diff --git a/vendor/bundle/ruby/2.1.0/bin/tt b/vendor/bundle/ruby/2.1.0/bin/tt
new file mode 100755
index 0000000..34efa1b
--- /dev/null
+++ b/vendor/bundle/ruby/2.1.0/bin/tt
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'treetop' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+gem 'treetop', version
+load Gem.bin_path('treetop', 'tt', version)
diff --git a/vendor/bundle/ruby/2.1.0/cache/actionmailer-4.1.0.gem b/vendor/bundle/ruby/2.1.0/cache/actionmailer-4.1.0.gem
new file mode 100644
index 0000000..9e518e7
Binary files /dev/null and b/vendor/bundle/ruby/2.1.0/cache/actionmailer-4.1.0.gem differ
diff --git a/vendor/bundle/ruby/2.1.0/cache/actionpack-4.1.0.gem b/vendor/bundle/ruby/2.1.0/cache/actionpack-4.1.0.gem
new file mode 100644
index 0000000..1e70691
Binary files /dev/null and b/vendor/bundle/ruby/2.1.0/cache/actionpack-4.1.0.gem differ
diff --git a/vendor/bundle/ruby/2.1.0/cache/actionview-4.1.0.gem b/vendor/bundle/ruby/2.1.0/cache/actionview-4.1.0.gem
new file mode 100644
index 0000000..af9fb87
Binary files /dev/null and b/vendor/bundle/ruby/2.1.0/cache/actionview-4.1.0.gem differ
diff --git a/vendor/bundle/ruby/2.1.0/cache/activemodel-4.1.0.gem b/vendor/bundle/ruby/2.1.0/cache/activemodel-4.1.0.gem
new file mode 100644
index 0000000..3f961d6
Binary files /dev/null and b/vendor/bundle/ruby/2.1.0/cache/activemodel-4.1.0.gem differ
diff --git a/vendor/bundle/ruby/2.1.0/cache/activerecord-4.1.0.gem b/vendor/bundle/ruby/2.1.0/cache/activerecord-4.1.0.gem
new file mode 100644
index 0000000..c624bbb
Binary files /dev/null and b/vendor/bundle/ruby/2.1.0/cache/activerecord-4.1.0.gem differ
diff --git a/vendor/bundle/ruby/2.1.0/cache/activesupport-4.1.0.gem b/vendor/bundle/ruby/2.1.0/cache/activesupport-4.1.0.gem
new file mode 100644
index 0000000..c9b221c
Binary files /dev/null and b/vendor/bundle/ruby/2.1.0/cache/activesupport-4.1.0.gem differ
diff --git a/vendor/bundle/ruby/2.1.0/cache/arel-5.0.1.20140414130214.gem b/vendor/bundle/ruby/2.1.0/cache/arel-5.0.1.20140414130214.gem
new file mode 100644
index 0000000..5200b6f
Binary files /dev/null and b/vendor/bundle/ruby/2.1.0/cache/arel-5.0.1.20140414130214.gem differ
diff --git a/vendor/bundle/ruby/2.1.0/cache/builder-3.2.2.gem b/vendor/bundle/ruby/2.1.0/cache/builder-3.2.2.gem
new file mode 100644
index 0000000..b59ef92
Binary files /dev/null and b/vendor/bundle/ruby/2.1.0/cache/builder-3.2.2.gem differ
diff --git a/vendor/bundle/ruby/2.1.0/cache/coffee-rails-4.1.0.gem b/vendor/bundle/ruby/2.1.0/cache/coffee-rails-4.1.0.gem
new file mode 100644
index 0000000..7477588
Binary files /dev/null and b/vendor/bundle/ruby/2.1.0/cache/coffee-rails-4.1.0.gem differ
diff --git a/vendor/bundle/ruby/2.1.0/cache/coffee-script-2.4.1.gem b/vendor/bundle/ruby/2.1.0/cache/coffee-script-2.4.1.gem
new file mode 100644
index 0000000..7e4066d
Binary files /dev/null and b/vendor/bundle/ruby/2.1.0/cache/coffee-script-2.4.1.gem differ
diff --git a/vendor/bundle/ruby/2.1.0/cache/coffee-script-source-1.9.1.1.gem b/vendor/bundle/ruby/2.1.0/cache/coffee-script-source-1.9.1.1.gem
new file mode 100644
index 0000000..5c27695
Binary files /dev/null and b/vendor/bundle/ruby/2.1.0/cache/coffee-script-source-1.9.1.1.gem differ
diff --git a/vendor/bundle/ruby/2.1.0/cache/diff-lcs-1.2.5.gem b/vendor/bundle/ruby/2.1.0/cache/diff-lcs-1.2.5.gem
new file mode 100644
index 0000000..e4436cc
Binary files /dev/null and b/vendor/bundle/ruby/2.1.0/cache/diff-lcs-1.2.5.gem diffe…
a53f3de
Commits on Sep 30, 2012

  1. @NZKoz: Add ActiveSupport::KeyGenerator as a simple wrapper around PBKDF2

     This will be used to derive keys from the secret and a salt, in order to allow us to
     do things like encrypted cookie stores without using the secret for multiple
     purposes directly.

  2. @NZKoz: Provide access to the application's KeyGenerator

     Available both as an env entry for rack and an instance method on Rails::Application for other uses.
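The first commit message describes deriving separate keys from one secret and a per-purpose salt so the secret itself is never used in two contexts. The following is example code written for this page, not code from the PR or from Rails: a small PBKDF2 wrapper in the spirit of that KeyGenerator, plus an encrypt-then-MAC container that consumes two of its derived keys, which is the concrete reason for wanting key separation. It assumes Ruby's openssl extension (`OpenSSL::PKCS5.pbkdf2_hmac_sha1`, `OpenSSL.secure_compare`); the class names, the salt strings and the 1000-iteration default are hypothetical choices for the example.

```ruby
require 'openssl'
require 'securerandom'

# Example code written for this page, not code from the Rails PR: a small PBKDF2
# wrapper in the spirit of the KeyGenerator described in the commit above. It
# derives purpose-specific keys from one application secret; DerivedKeys,
# SealedBox and the salt strings are hypothetical names chosen for the example.
class DerivedKeys
  HASH_LEN = 20 # HMAC-SHA1 output size; every 20 bytes requested reruns all iterations

  def initialize(secret, iterations: 1000)
    raise ArgumentError, 'secret must be a non-empty String' unless secret.is_a?(String) && !secret.empty?
    raise ArgumentError, 'iterations must be a positive Integer' unless iterations.is_a?(Integer) && iterations.positive?

    @secret = secret
    @iterations = iterations
    @cache = {}
  end

  # Derive key_size bytes bound to a purpose salt. Memoized per (salt, key_size)
  # so the PBKDF2 cost is paid once per purpose rather than once per request.
  def derive(salt, key_size = 64)
    raise ArgumentError, 'salt must be a non-empty String' unless salt.is_a?(String) && !salt.empty?
    raise ArgumentError, 'key_size must be a positive Integer' unless key_size.is_a?(Integer) && key_size.positive?

    @cache[[salt, key_size]] ||= OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, salt, @iterations, key_size)
  end

  # PBKDF2 blocks computed for a key size: total work is iterations * blocks
  # HMAC evaluations, so a 64-byte key costs four times a 20-byte one.
  def self.blocks_for(key_size)
    (key_size + HASH_LEN - 1) / HASH_LEN
  end
end

# Encrypt-then-MAC with two separately derived keys. This is what per-purpose
# derivation buys: the AES key and the HMAC key share no bytes, and neither is
# the raw application secret.
class SealedBox
  IV_LEN = 16  # AES block size, used as the CBC IV length
  TAG_LEN = 32 # HMAC-SHA256 output size

  def initialize(enc_key, mac_key)
    raise ArgumentError, 'enc_key must be 32 bytes for AES-256' unless enc_key.bytesize == 32

    @enc_key = enc_key
    @mac_key = mac_key
  end

  # Returns iv || ciphertext || tag, where the tag covers the IV as well.
  def seal(plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
    cipher.key = @enc_key
    iv = cipher.random_iv
    payload = iv + cipher.update(plaintext) + cipher.final
    payload + OpenSSL::HMAC.digest('SHA256', @mac_key, payload)
  end

  # Returns the plaintext, or nil when the tag does not verify (tampering,
  # wrong key, truncation). The MAC is checked before any decryption happens.
  def open(blob)
    return nil if blob.bytesize < IV_LEN + TAG_LEN

    payload = blob.byteslice(0, blob.bytesize - TAG_LEN)
    tag = blob.byteslice(-TAG_LEN, TAG_LEN)
    expected = OpenSSL::HMAC.digest('SHA256', @mac_key, payload)
    return nil unless OpenSSL.secure_compare(expected, tag)

    cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
    cipher.key = @enc_key
    cipher.iv = payload.byteslice(0, IV_LEN)
    cipher.update(payload.byteslice(IV_LEN, payload.bytesize - IV_LEN)) + cipher.final
  end
end

# One secret, two purposes, two unrelated keys (32 bytes for AES-256, 64 for HMAC).
def build_box(secret, iterations: 1000)
  keys = DerivedKeys.new(secret, iterations: iterations)
  SealedBox.new(keys.derive('encrypted cookie', 32), keys.derive('signed cookie', 64))
end

if __FILE__ == $PROGRAM_NAME
  box = build_box(SecureRandom.hex(64))
  blob = box.seal('session=42')
  puts box.open(blob)                                   # session=42
  tampered = blob.dup
  tampered.setbyte(20, tampered.getbyte(20) ^ 0x01)     # flip one ciphertext bit
  puts box.open(tampered).inspect                       # nil
end
```

Two design points worth noting. The iteration count here protects key separation, not a password: the secret is assumed to be high-entropy, so the cost only has to be paid once per purpose, which is why `derive` memoizes. And the MAC is verified before `cipher.final` ever runs, so padding errors are never reachable by an attacker who does not hold the signing key.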
1  activesupport/lib/active_support.rb
@@ -48,6 +48,7 @@ module ActiveSupport
autoload :Gzip
autoload :Inflector
autoload :JSON
+ autoload :KeyGenerator
autoload :MessageEncryptor
autoload :MessageVerifier
autoload :Multibyte
23 activesupport/lib/active_support/key_generator.rb
@@ -0,0 +1,23 @@
+require 'openssl'
+
+module ActiveSupport
+ # KeyGenerator is a simple wrapper around OpenSSL's implementation of PBKDF2
+ # It can be used to derive a number of keys for various purposes from a given secret.
+ # This lets rails applications have a single secure secret, but avoid reusing that
+ # key in multiple incompatible contexts.
+ class KeyGenerator
+ def initialize(secret, options = {})
+ @secret = secret
+ # The default iterations are higher than required for our key derivation uses
+ # on the off chance someone uses this for password storage
+ @iterations = options[:iterations] || 2**16
+ end
+
+ # Returns a derived key suitable for use. The default key_size is chosen
+ # to be compatible with the default settings of ActiveSupport::MessageVerifier.
+ # i.e. OpenSSL::Digest::SHA1#block_length
+ def generate_key(salt, key_size=64)
+ OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, salt, @iterations, key_size)
+ end
+ end
+end
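Review bot: `generate_key(salt, key_size=64)` does no input validation, and the 64-byte default is costlier than the comment suggests. PBKDF2-HMAC-SHA1 yields 20 bytes per block, so 64 bytes means four blocks, each running the full iteration count; with the class default of 2**16 iterations that is 262,144 HMAC-SHA1 evaluations per `generate_key` call, and nothing here caches the result, so a caller that derives on every request pays it every time. Either memoize per (salt, key_size) inside the class or state in the doc comment that callers must cache the derived key. Separately, a nil `secret` or nil `salt` only fails inside `OpenSSL::PKCS5.pbkdf2_hmac_sha1` with a TypeError, and an empty salt is accepted silently even though the salt is the only thing separating one purpose's key from another's; suggest raising ArgumentError for a nil or empty secret in `initialize` and for a nil or empty salt in `generate_key`.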
32 activesupport/test/key_generator_test.rb
@@ -0,0 +1,32 @@
+require 'abstract_unit'
+
+begin
+ require 'openssl'
+ OpenSSL::PKCS5
+rescue LoadError, NameError
+ $stderr.puts "Skipping KeyGenerator test: broken OpenSSL install"
+else
+
+require 'active_support/time'
+require 'active_support/json'
+
+class KeyGeneratorTest < ActiveSupport::TestCase
+ def setup
+ @secret = SecureRandom.hex(64)
+ @generator = ActiveSupport::KeyGenerator.new(@secret, :iterations=>2)
+ end
+
+ test "Generating a key of the default length" do
+ derived_key = @generator.generate_key("some_salt")
+ assert_kind_of String, derived_key
+ assert_equal OpenSSL::Digest::SHA1.new.block_length, derived_key.length, "Should have generated a key of the default size"
+ end
+
+ test "Generating a key of an alternative length" do
+ derived_key = @generator.generate_key("some_salt", 32)
+ assert_kind_of String, derived_key
+ assert_equal 32, derived_key.length, "Should have generated a key of the right size"
+ end
+end
+
+end
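Review bot: both tests only assert on the class and length of the result, so an implementation returning `SecureRandom.random_bytes(key_size)` would pass. Add a determinism check (same secret and salt twice gives identical bytes), a separation check (different salts give different keys), and a known-answer test so the output is pinned to PBKDF2-HMAC-SHA1 rather than to whatever OpenSSL happens to return; RFC 6070 publishes vectors for exactly this function, e.g. password "password", salt "salt", 2 iterations, 20 bytes derives ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957, and the `:iterations=>2` already used in `setup` matches that vector. The `require 'active_support/time'` and `require 'active_support/json'` lines are unused in this file and can be dropped.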
11 railties/lib/rails/application.rb
@@ -101,6 +101,14 @@ def reload_routes!
routes_reloader.reload!
end
+
+ # Return the application's KeyGenerator
+ def key_generator
+ # number of iterations selected based on consultation with the google security
+ # team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220
+ @key_generator ||= ActiveSupport::KeyGenerator.new(config.secret_token, :iterations=>1000)
+ end
+
# Stores some of the Rails initial environment parameters which
# will be used by middlewares and engines to configure themselves.
# Currently stores:
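Review bot: `@key_generator ||= ActiveSupport::KeyGenerator.new(config.secret_token, :iterations=>1000)` has no guard for a missing `config.secret_token`; a nil value is accepted here and only blows up on the first `generate_key` call, inside OpenSSL, with a TypeError that says nothing about the application's configuration. Raise a descriptive error at construction instead. The memoization also means a `secret_token` assigned after the first call (for example by an initializer that runs after something has already read `env_config`) is silently ignored, so the doc comment should say the generator is built once from the config as it stands at first use. The iteration-count comment would also benefit from saying why 1000 is below the KeyGenerator class default of 2**16: this derives from an already high-entropy `secret_token` rather than from a password, so the cost only needs to cover key separation, not brute-force resistance.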
@@ -121,7 +129,8 @@ def env_config
"action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions,
"action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
"action_dispatch.logger" => Rails.logger,
- "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner
+ "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner,
+ "action_dispatch.key_generator" => key_generator
})
end
1  railties/test/application/configuration_test.rb
@@ -634,6 +634,7 @@ def index
assert_equal app.env_config['action_dispatch.show_exceptions'], app.config.action_dispatch.show_exceptions
assert_equal app.env_config['action_dispatch.logger'], Rails.logger
assert_equal app.env_config['action_dispatch.backtrace_cleaner'], Rails.backtrace_cleaner
+ assert_equal app.env_config['action_dispatch.key_generator'], Rails.application.key_generator
end
test "config.colorize_logging default is true" do