activesupport 6.1.7.2 → 7.1.3

data/lib/active_support/message_encryptor.rb

@@ -3,17 +3,20 @@
 require "openssl"
 require "base64"
 require "active_support/core_ext/module/attribute_accessors"
+require "active_support/messages/codec"
+require "active_support/messages/rotator"
 require "active_support/message_verifier"
-require "active_support/messages/metadata"
 
 module ActiveSupport
+  # = Active Support Message Encryptor
+  #
   # MessageEncryptor is a simple way to encrypt values which get stored
   # somewhere you don't trust.
   #
   # The cipher text and initialization vector are base64 encoded and returned
   # to you.
   #
-  # This can be used in situations similar to the <tt>MessageVerifier</tt>, but
+  # This can be used in situations similar to the MessageVerifier, but
   # where you don't want users to be able to determine the value of the payload.
   #
   #   len   = ActiveSupport::MessageEncryptor.key_len
@@ -23,6 +26,12 @@ module ActiveSupport
   #   encrypted_data = crypt.encrypt_and_sign('my secret data')                   # => "NlFBTTMwOUV5UlA1QlNEN2xkY2d6eThYWWh..."
   #   crypt.decrypt_and_verify(encrypted_data)                                    # => "my secret data"
   #
+  # The +decrypt_and_verify+ method will raise an
+  # +ActiveSupport::MessageEncryptor::InvalidMessage+ exception if the data
+  # provided cannot be decrypted or verified.
+  #
+  #   crypt.decrypt_and_verify('not encrypted data') # => ActiveSupport::MessageEncryptor::InvalidMessage
+  #
   # === Confining messages to a specific purpose
   #
   # By default any message can be used throughout your app. But they can also be
@@ -78,13 +87,13 @@ module ActiveSupport
   # the above should be combined into:
   #
   #   crypt.rotate old_secret, cipher: "aes-256-cbc"
-  class MessageEncryptor
-    prepend Messages::Rotator::Encryptor
+  class MessageEncryptor < Messages::Codec
+    prepend Messages::Rotator
 
     cattr_accessor :use_authenticated_message_encryption, instance_accessor: false, default: false
 
     class << self
-      def default_cipher #:nodoc:
+      def default_cipher # :nodoc:
         if use_authenticated_message_encryption
           "aes-256-gcm"
         else
@@ -93,7 +102,7 @@ module ActiveSupport
       end
     end
 
-    module NullSerializer #:nodoc:
+    module NullSerializer # :nodoc:
       def self.load(value)
         value
       end
@@ -103,55 +112,140 @@ module ActiveSupport
       end
     end
 
-    module NullVerifier #:nodoc:
-      def self.verify(value)
-        value
-      end
-
-      def self.generate(value)
-        value
-      end
-    end
-
     class InvalidMessage < StandardError; end
     OpenSSLCipherError = OpenSSL::Cipher::CipherError
 
+    AUTH_TAG_LENGTH = 16 # :nodoc:
+    SEPARATOR = "--" # :nodoc:
+
     # Initialize a new MessageEncryptor. +secret+ must be at least as long as
     # the cipher key size. For the default 'aes-256-gcm' cipher, this is 256
     # bits. If you are using a user-entered secret, you can generate a suitable
-    # key by using <tt>ActiveSupport::KeyGenerator</tt> or a similar key
+    # key by using ActiveSupport::KeyGenerator or a similar key
     # derivation function.
     #
-    # First additional parameter is used as the signature key for +MessageVerifier+.
-    # This allows you to specify keys to encrypt and sign data.
+    # The first additional parameter is used as the signature key for
+    # MessageVerifier. This allows you to specify keys to encrypt and sign
+    # data. Ignored when using an AEAD cipher like 'aes-256-gcm'.
     #
     #    ActiveSupport::MessageEncryptor.new('secret', 'signature_secret')
     #
-    # Options:
-    # * <tt>:cipher</tt>     - Cipher to use. Can be any cipher returned by
-    #   <tt>OpenSSL::Cipher.ciphers</tt>. Default is 'aes-256-gcm'.
-    # * <tt>:digest</tt> - String of digest to use for signing. Default is
-    #   +SHA1+. Ignored when using an AEAD cipher like 'aes-256-gcm'.
-    # * <tt>:serializer</tt> - Object serializer to use. Default is +Marshal+.
-    def initialize(secret, sign_secret = nil, cipher: nil, digest: nil, serializer: nil)
+    # ==== Options
+    #
+    # [+:cipher+]
+    #   Cipher to use. Can be any cipher returned by +OpenSSL::Cipher.ciphers+.
+    #   Default is 'aes-256-gcm'.
+    #
+    # [+:digest+]
+    #   Digest used for signing. Ignored when using an AEAD cipher like
+    #   'aes-256-gcm'.
+    #
+    # [+:serializer+]
+    #   The serializer used to serialize message data. You can specify any
+    #   object that responds to +dump+ and +load+, or you can choose from
+    #   several preconfigured serializers: +:marshal+, +:json_allow_marshal+,
+    #   +:json+, +:message_pack_allow_marshal+, +:message_pack+.
+    #
+    #   The preconfigured serializers include a fallback mechanism to support
+    #   multiple deserialization formats. For example, the +:marshal+ serializer
+    #   will serialize using +Marshal+, but can deserialize using +Marshal+,
+    #   ActiveSupport::JSON, or ActiveSupport::MessagePack. This makes it easy
+    #   to migrate between serializers.
+    #
+    #   The +:marshal+, +:json_allow_marshal+, and +:message_pack_allow_marshal+
+    #   serializers support deserializing using +Marshal+, but the others do
+    #   not. Beware that +Marshal+ is a potential vector for deserialization
+    #   attacks in cases where a message signing secret has been leaked. <em>If
+    #   possible, choose a serializer that does not support +Marshal+.</em>
+    #
+    #   The +:message_pack+ and +:message_pack_allow_marshal+ serializers use
+    #   ActiveSupport::MessagePack, which can roundtrip some Ruby types that are
+    #   not supported by JSON, and may provide improved performance. However,
+    #   these require the +msgpack+ gem.
+    #
+    #   When using \Rails, the default depends on +config.active_support.message_serializer+.
+    #   Otherwise, the default is +:marshal+.
+    #
+    # [+:url_safe+]
+    #   By default, MessageEncryptor generates RFC 4648 compliant strings
+    #   which are not URL-safe. In other words, they can contain "+" and "/".
+    #   If you want to generate URL-safe strings (in compliance with "Base 64
+    #   Encoding with URL and Filename Safe Alphabet" in RFC 4648), you can
+    #   pass +true+.
+    #
+    # [+:force_legacy_metadata_serializer+]
+    #   Whether to use the legacy metadata serializer, which serializes the
+    #   message first, then wraps it in an envelope which is also serialized. This
+    #   was the default in \Rails 7.0 and below.
+    #
+    #   If you don't pass a truthy value, the default is set using
+    #   +config.active_support.use_message_serializer_for_metadata+.
+    def initialize(secret, sign_secret = nil, **options)
+      super(**options)
       @secret = secret
-      @sign_secret = sign_secret
-      @cipher = cipher || self.class.default_cipher
-      @digest = digest || "SHA1" unless aead_mode?
-      @verifier = resolve_verifier
-      @serializer = serializer || Marshal
+      @cipher = options[:cipher] || self.class.default_cipher
+      @aead_mode = new_cipher.authenticated?
+      @verifier = if !@aead_mode
+        MessageVerifier.new(sign_secret || secret, **options, serializer: NullSerializer)
+      end
     end
 
     # Encrypt and sign a message. We need to sign the message in order to avoid
     # padding attacks. Reference: https://www.limited-entropy.com/padding-oracle-attacks/.
-    def encrypt_and_sign(value, expires_at: nil, expires_in: nil, purpose: nil)
-      verifier.generate(_encrypt(value, expires_at: expires_at, expires_in: expires_in, purpose: purpose))
+    #
+    # ==== Options
+    #
+    # [+:expires_at+]
+    #   The datetime at which the message expires. After this datetime,
+    #   verification of the message will fail.
+    #
+    #     message = encryptor.encrypt_and_sign("hello", expires_at: Time.now.tomorrow)
+    #     encryptor.decrypt_and_verify(message) # => "hello"
+    #     # 24 hours later...
+    #     encryptor.decrypt_and_verify(message) # => nil
+    #
+    # [+:expires_in+]
+    #   The duration for which the message is valid. After this duration has
+    #   elapsed, verification of the message will fail.
+    #
+    #     message = encryptor.encrypt_and_sign("hello", expires_in: 24.hours)
+    #     encryptor.decrypt_and_verify(message) # => "hello"
+    #     # 24 hours later...
+    #     encryptor.decrypt_and_verify(message) # => nil
+    #
+    # [+:purpose+]
+    #   The purpose of the message. If specified, the same purpose must be
+    #   specified when verifying the message; otherwise, verification will fail.
+    #   (See #decrypt_and_verify.)
+    def encrypt_and_sign(value, **options)
+      create_message(value, **options)
     end
 
     # Decrypt and verify a message. We need to verify the message in order to
     # avoid padding attacks. Reference: https://www.limited-entropy.com/padding-oracle-attacks/.
-    def decrypt_and_verify(data, purpose: nil, **)
-      _decrypt(verifier.verify(data), purpose)
+    #
+    # ==== Options
+    #
+    # [+:purpose+]
+    #   The purpose that the message was generated with. If the purpose does not
+    #   match, +decrypt_and_verify+ will return +nil+.
+    #
+    #     message = encryptor.encrypt_and_sign("hello", purpose: "greeting")
+    #     encryptor.decrypt_and_verify(message, purpose: "greeting") # => "hello"
+    #     encryptor.decrypt_and_verify(message)                      # => nil
+    #
+    #     message = encryptor.encrypt_and_sign("bye")
+    #     encryptor.decrypt_and_verify(message)                      # => "bye"
+    #     encryptor.decrypt_and_verify(message, purpose: "greeting") # => nil
+    #
+    def decrypt_and_verify(message, **options)
+      catch_and_raise :invalid_message_format, as: InvalidMessage do
+        catch_and_raise :invalid_message_serialization, as: InvalidMessage do
+          catch_and_ignore :invalid_message_content do
+            read_message(message, **options)
+          end
+        end
+      end
     end
 
     # Given a cipher, returns the key length of the cipher to help generate the key of desired size
@@ -159,8 +253,28 @@ module ActiveSupport
       OpenSSL::Cipher.new(cipher).key_len
     end
 
+    def create_message(value, **options) # :nodoc:
+      sign(encrypt(serialize_with_metadata(value, **options)))
+    end
+
+    def read_message(message, **options) # :nodoc:
+      deserialize_with_metadata(decrypt(verify(message)), **options)
+    end
+
+    def inspect # :nodoc:
+      "#<#{self.class.name}:#{'%#016x' % (object_id << 1)}>"
+    end
+
     private
-      def _encrypt(value, **metadata_options)
+      def sign(data)
+        @verifier ? @verifier.create_message(data) : data
+      end
+
+      def verify(data)
+        @verifier ? @verifier.read_message(data) : data
+      end
+
+      def encrypt(data)
         cipher = new_cipher
         cipher.encrypt
         cipher.key = @secret
@@ -169,22 +283,25 @@ module ActiveSupport
         iv = cipher.random_iv
         cipher.auth_data = "" if aead_mode?
 
-        encrypted_data = cipher.update(Messages::Metadata.wrap(@serializer.dump(value), **metadata_options))
+        encrypted_data = cipher.update(data)
         encrypted_data << cipher.final
 
-        blob = "#{::Base64.strict_encode64 encrypted_data}--#{::Base64.strict_encode64 iv}"
-        blob = "#{blob}--#{::Base64.strict_encode64 cipher.auth_tag}" if aead_mode?
-        blob
+        parts = [encrypted_data, iv]
+        parts << cipher.auth_tag(AUTH_TAG_LENGTH) if aead_mode?
+
+        join_parts(parts)
       end
 
-      def _decrypt(encrypted_message, purpose)
+      def decrypt(encrypted_message)
         cipher = new_cipher
-        encrypted_data, iv, auth_tag = encrypted_message.split("--").map { |v| ::Base64.strict_decode64(v) }
+        encrypted_data, iv, auth_tag = extract_parts(encrypted_message)
 
         # Currently the OpenSSL bindings do not raise an error if auth_tag is
         # truncated, which would allow an attacker to easily forge it. See
         # https://github.com/ruby/openssl/issues/63
-        raise InvalidMessage if aead_mode? && (auth_tag.nil? || auth_tag.bytes.length != 16)
+        if aead_mode? && auth_tag.bytesize != AUTH_TAG_LENGTH
+          throw :invalid_message_format, "truncated auth_tag"
+        end
 
         cipher.decrypt
         cipher.key = @secret
@@ -196,29 +313,62 @@ module ActiveSupport
 
         decrypted_data = cipher.update(encrypted_data)
         decrypted_data << cipher.final
+      rescue OpenSSLCipherError => error
+        throw :invalid_message_format, error
+      end
 
-        message = Messages::Metadata.verify(decrypted_data, purpose)
-        @serializer.load(message) if message
-      rescue OpenSSLCipherError, TypeError, ArgumentError
-        raise InvalidMessage
+      def length_after_encode(length_before_encode)
+        if @url_safe
+          (4 * length_before_encode / 3.0).ceil # length without padding
+        else
+          4 * (length_before_encode / 3.0).ceil # length with padding
+        end
       end
 
-      def new_cipher
-        OpenSSL::Cipher.new(@cipher)
+      def length_of_encoded_iv
+        @length_of_encoded_iv ||= length_after_encode(new_cipher.iv_len)
       end
 
-      attr_reader :verifier
+      def length_of_encoded_auth_tag
+        @length_of_encoded_auth_tag ||= length_after_encode(AUTH_TAG_LENGTH)
+      end
 
-      def aead_mode?
-        @aead_mode ||= new_cipher.authenticated?
+      def join_parts(parts)
+        parts.map! { |part| encode(part) }.join(SEPARATOR)
       end
 
-      def resolve_verifier
-        if aead_mode?
-          NullVerifier
+      def extract_part(encrypted_message, rindex, length)
+        index = rindex - length
+
+        if encrypted_message[index - SEPARATOR.length, SEPARATOR.length] == SEPARATOR
+          encrypted_message[index, length]
         else
-          MessageVerifier.new(@sign_secret || @secret, digest: @digest, serializer: NullSerializer)
+          throw :invalid_message_format, "missing separator"
         end
       end
+
+      def extract_parts(encrypted_message)
+        parts = []
+        rindex = encrypted_message.length
+
+        if aead_mode?
+          parts << extract_part(encrypted_message, rindex, length_of_encoded_auth_tag)
+          rindex -= SEPARATOR.length + length_of_encoded_auth_tag
+        end
+
+        parts << extract_part(encrypted_message, rindex, length_of_encoded_iv)
+        rindex -= SEPARATOR.length + length_of_encoded_iv
+
+        parts << encrypted_message[0, rindex]
+
+        parts.reverse!.map! { |part| decode(part) }
+      end
+
+      def new_cipher
+        OpenSSL::Cipher.new(@cipher)
+      end
+
+      attr_reader :aead_mode
+      alias :aead_mode? :aead_mode
   end
 end

data/lib/active_support/message_encryptors.rb

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+require "active_support/messages/rotation_coordinator"
+
+module ActiveSupport
+  class MessageEncryptors < Messages::RotationCoordinator
+    ##
+    # :attr_accessor: transitional
+    #
+    # If true, the first two rotation option sets are swapped when building
+    # message encryptors. For example, with the following configuration, message
+    # encryptors will encrypt messages using <tt>serializer: Marshal, url_safe: true</tt>,
+    # and will able to decrypt messages that were encrypted using any of the
+    # three option sets:
+    #
+    #   encryptors = ActiveSupport::MessageEncryptors.new { ... }
+    #   encryptors.rotate(serializer: JSON, url_safe: true)
+    #   encryptors.rotate(serializer: Marshal, url_safe: true)
+    #   encryptors.rotate(serializer: Marshal, url_safe: false)
+    #   encryptors.transitional = true
+    #
+    # This can be useful when performing a rolling deploy of an application,
+    # wherein servers that have not yet been updated must still be able to
+    # decrypt messages from updated servers. In such a scenario, first perform a
+    # rolling deploy with the new rotation (e.g. <tt>serializer: JSON, url_safe: true</tt>)
+    # as the first rotation and <tt>transitional = true</tt>. Then, after all
+    # servers have been updated, perform a second rolling deploy with
+    # <tt>transitional = false</tt>.
+
+    ##
+    # :method: initialize
+    # :call-seq: initialize(&secret_generator)
+    #
+    # Initializes a new instance. +secret_generator+ must accept a salt and a
+    # +secret_length+ kwarg, and return a suitable secret (string) or secrets
+    # (array of strings). +secret_generator+ may also accept other arbitrary
+    # kwargs. If #rotate is called with any options matching those kwargs, those
+    # options will be passed to +secret_generator+ instead of to the message
+    # encryptor.
+    #
+    #   encryptors = ActiveSupport::MessageEncryptors.new do |salt, secret_length:, base:|
+    #     MySecretGenerator.new(base).generate(salt, secret_length)
+    #   end
+    #
+    #   encryptors.rotate(base: "...")
+
+    ##
+    # :method: []
+    # :call-seq: [](salt)
+    #
+    # Returns a MessageEncryptor configured with a secret derived from the
+    # given +salt+, and options from #rotate. MessageEncryptor instances will
+    # be memoized, so the same +salt+ will return the same instance.
+
+    ##
+    # :method: []=
+    # :call-seq: []=(salt, encryptor)
+    #
+    # Overrides a MessageEncryptor instance associated with a given +salt+.
+
+    ##
+    # :method: rotate
+    # :call-seq:
+    #   rotate(**options)
+    #   rotate(&block)
+    #
+    # Adds +options+ to the list of option sets. Messages will be encrypted
+    # using the first set in the list. When decrypting, however, each set will
+    # be tried, in order, until one succeeds.
+    #
+    # Notably, the +:secret_generator+ option can specify a different secret
+    # generator than the one initially specified. The secret generator must
+    # respond to +call+, accept a salt and a +secret_length+ kwarg, and return
+    # a suitable secret (string) or secrets (array of strings). The secret
+    # generator may also accept other arbitrary kwargs.
+    #
+    # If any options match the kwargs of the operative secret generator, those
+    # options will be passed to the secret generator instead of to the message
+    # encryptor.
+    #
+    # For fine-grained per-salt rotations, a block form is supported. The block
+    # will receive the salt, and should return an appropriate options Hash. The
+    # block may also return +nil+ to indicate that the rotation does not apply
+    # to the given salt. For example:
+    #
+    #   encryptors = ActiveSupport::MessageEncryptors.new { ... }
+    #
+    #   encryptors.rotate do |salt|
+    #     case salt
+    #     when :foo
+    #       { serializer: JSON, url_safe: true }
+    #     when :bar
+    #       { serializer: Marshal, url_safe: true }
+    #     end
+    #   end
+    #
+    #   encryptors.rotate(serializer: Marshal, url_safe: false)
+    #
+    #   # Uses `serializer: JSON, url_safe: true`.
+    #   # Falls back to `serializer: Marshal, url_safe: false`.
+    #   encryptors[:foo]
+    #
+    #   # Uses `serializer: Marshal, url_safe: true`.
+    #   # Falls back to `serializer: Marshal, url_safe: false`.
+    #   encryptors[:bar]
+    #
+    #   # Uses `serializer: Marshal, url_safe: false`.
+    #   encryptors[:baz]
+
+    ##
+    # :method: rotate_defaults
+    # :call-seq: rotate_defaults
+    #
+    # Invokes #rotate with the default options.
+
+    ##
+    # :method: clear_rotations
+    # :call-seq: clear_rotations
+    #
+    # Clears the list of option sets.
+
+    ##
+    # :method: on_rotation
+    # :call-seq: on_rotation(&callback)
+    #
+    # Sets a callback to invoke when a message is decrypted using an option set
+    # other than the first.
+    #
+    # For example, this callback could log each time it is called, and thus
+    # indicate whether old option sets are still in use or can be removed from
+    # rotation.
+
+    ##
+    private
+      def build(salt, secret_generator:, secret_generator_options:, **options)
+        secret_length = MessageEncryptor.key_len(*options[:cipher])
+        secret = secret_generator.call(salt, secret_length: secret_length, **secret_generator_options)
+        MessageEncryptor.new(*Array(secret), **options)
+      end
+  end
+end

data/lib/active_support/message_pack/cache_serializer.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require_relative "serializer"
+
+module ActiveSupport
+  module MessagePack
+    module CacheSerializer
+      include Serializer
+      extend self
+
+      def load(dumped)
+        super
+      rescue ActiveSupport::MessagePack::MissingClassError
+        # Treat missing class as cache miss => return nil
+      end
+
+      private
+        def install_unregistered_type_handler
+          Extensions.install_unregistered_type_fallback(message_pack_factory)
+        end
+    end
+  end
+end