RubyGems - encrypted_cookie_store-instructure - Versions diffs - 1.0.8 → 1.1.0 - Mend

encrypted_cookie_store-instructure 1.0.8 → 1.1.0

Files changed (4) hide show

data/encrypted_cookie_store-instructure.gemspec +9 -3
data/lib/encrypted_cookie_store.rb +159 -169
metadata +90 -8
checksums.yaml +0 -15

data/encrypted_cookie_store-instructure.gemspec CHANGED Viewed

@@ -1,9 +1,9 @@
 Gem::Specification.new do |s|
   s.name = %q{encrypted_cookie_store-instructure}
-  s.version = "1.0.8"
+  s.version = "1.1.0"
   s.authors = ["Cody Cutrer", "Jacob Fugal", "James Williams"]
-  s.date = %q{2013-12-20}
+  s.date = %q{2013-11-13}
   s.extra_rdoc_files = [
     "LICENSE.txt"
   ]
@@ -15,6 +15,12 @@ Gem::Specification.new do |s|
   ]
   s.homepage = %q{http://github.com/ccutrer/encrypted_cookie_store}
   s.require_paths = ["lib"]
-  s.summary = %q{EncryptedCookieStore for Ruby on Rails 2.3}
+  s.summary = %q{EncryptedCookieStore for Ruby on Rails 3.2}
   s.description = %q{A secure version of Rails' built in CookieStore}
+  s.add_dependency "actionpack", "~> 3.2"
+  s.add_development_dependency "bundler", "~> 1.3"
+  s.add_development_dependency "rake"
+  s.add_development_dependency "rspec-rails", "~> 2.0"
+  s.add_development_dependency "debugger"
 end

data/lib/encrypted_cookie_store.rb CHANGED Viewed

@@ -1,204 +1,194 @@
 require 'openssl'
 require 'zlib'
-class EncryptedCookieStore < ActionController::Session::CookieStore
-  OpenSSLCipherError = OpenSSL::Cipher.const_defined?(:CipherError) ? OpenSSL::Cipher::CipherError : OpenSSL::CipherError
+require 'active_support/core_ext/hash/deep_dup'
+require 'active_support/core_ext/numeric/time'
+require 'action_dispatch'
+module ActionDispatch
+  module Session
+    class EncryptedCookieStore < CookieStore
+      class << self
+        attr_accessor :data_cipher_type
+      end
+      self.data_cipher_type = "aes-128-cbc".freeze
-  EXPIRE_AFTER_KEY = "encrypted_cookie_store.session_expire_after"
+      OpenSSLCipherError = OpenSSL::Cipher.const_defined?(:CipherError) ? OpenSSL::Cipher::CipherError : OpenSSL::CipherError
-  class << self
-    attr_accessor :data_cipher_type
-  end
+      def initialize(app, options = {})
+        @digest = options.delete(:digest) || 'SHA1'
-  self.data_cipher_type = "aes-128-cbc".freeze
-  def initialize(app, options = {})
-    options[:secret] = options[:secret].call if options[:secret].respond_to?(:call)
-    @logger = options[:logger]
-    ensure_encryption_key_secure(options[:secret])
-    @encryption_key = unhex(options[:secret]).freeze
-    @compress = options[:compress]
-    @compress = true if @compress.nil?
-    @data_cipher    = OpenSSL::Cipher::Cipher.new(EncryptedCookieStore.data_cipher_type)
-    @options = options
-    options[:refresh_interval] ||= 5.minutes
-    super(app, options)
-  end
+        @compress = options[:compress]
+        @compress = true if @compress.nil?
-  def call(env)
-    @options[:expire_after] = env[EXPIRE_AFTER_KEY] || @options[:expire_after]
-    prepare!(env)
+        @secret = options.delete(:secret)
+        @secret = @secret.call if @secret.respond_to?(:call)
+        @secret.freeze
+        @encryption_key = unhex(@secret).freeze
+        ensure_encryption_key_secure
-    old_session_data, raw_old_session_data, old_timestamp = all_unpacked_cookie_data(env)
-    # make sure we have a deep copy
-    old_session_data = Marshal.load(raw_old_session_data) if raw_old_session_data
-    env['encrypted_cookie_store.session_refreshed_at'] ||= session_refreshed_at(old_timestamp)
+        @data_cipher = OpenSSL::Cipher::Cipher.new(EncryptedCookieStore.data_cipher_type)
+        options[:refresh_interval] ||= 5.minutes
-    status, headers, body = @app.call(env)
+        super(app, options)
+      end
-    session_data = env[ENV_SESSION_KEY]
-    options = env[ENV_SESSION_OPTIONS_KEY]
-    request = ActionController::Request.new(env)
+      private
+      # overrides method in ActionDispatch::Session::CookieStore
+      def unpacked_cookie_data(env)
+        env['encrypted_cookie_store.cookie'] ||= begin
+          stale_session_check! do
+            request = ActionDispatch::Request.new(env)
+            if data = unmarshal(request.cookie_jar.signed[@key])
+              data.stringify_keys!
+            end
+            data ||= {}
+            env['encrypted_cookie_store.original_cookie'] = data.deep_dup.except(:timestamp)
+            data
+          end
+        end
+      end
-    @options[:expire_after] = env[EXPIRE_AFTER_KEY] || options[:expire_after] || @options[:expire_after]
-    options[:expire_after] = @options[:expire_after]
+      # overrides method in ActionDispatch::Session::CookieStore
+      def set_session(env, sid, session_data, options)
+        session_data = super
+        session_data.delete(:timestamp)
+        marshal(session_data, options)
+      end
-    if !(options[:secure] && !request.ssl?) && (!session_data.is_a?(ActionController::Session::AbstractStore::SessionHash) || session_data.loaded? || options[:expire_after])
-      session_data.send(:load!) if session_data.is_a?(ActionController::Session::AbstractStore::SessionHash) && !session_data.loaded?
+      # overrides method in Rack::Session::Cookie
+      def load_session(env)
+        if time = timestamp(env)
+          env['encrypted_cookie_store.session_refreshed_at'] ||= Time.at(time).utc
+        end
+        super
+      end
-      persistent_session_id!(session_data)
+      # overrides method in Rack::Session::Abstract::ID
+      def commit_session?(env, session, options)
+        can_commit = super
+        can_commit && (session_changed?(env, session) || refresh_session?(env, options))
+      end
-      old_session_data = nil if options[:expire_after] && old_timestamp && Time.now.utc.to_i > old_timestamp + options[:refresh_interval]
-      return [status, headers, body] if session_data == old_session_data
-      session_data = marshal(session_data.to_hash)
+      def timestamp(env)
+        unpacked_cookie_data(env)["timestamp"]
+      end
-      raise CookieOverflow if session_data.size > MAX
+      def session_changed?(env, session)
+        (session || {}).to_hash.stringify_keys.except(:timestamp) != (env['encrypted_cookie_store.original_cookie'] || {})
+      end
-      cookie = Hash.new
-      cookie[:value] = session_data
-      unless options[:expire_after].nil?
-        cookie[:expires] = Time.now + options[:expire_after]
+      def refresh_session?(env, options)
+        if options[:expire_after] && options[:refresh_interval] && time = timestamp(env)
+          Time.now.utc.to_i > time + options[:refresh_interval]
+        else
+          false
+        end
       end
-      Rack::Utils.set_cookie_header!(headers, @key, cookie.merge(options))
-    end
+      def marshal(data, options={})
+        @data_cipher.encrypt
+        @data_cipher.key = @encryption_key
-    [status, headers, body]
-  end
-private
-  def secret
-    @secret
-  end
+        session_data     = Marshal.dump(data)
+        iv               = @data_cipher.random_iv
+        if @compress
+          compressed_session_data = deflate(session_data, 5)
+          compressed_session_data = session_data if compressed_session_data.length >= session_data.length
+        else
+          compressed_session_data = session_data
+        end
+        encrypted_session_data = @data_cipher.update(compressed_session_data) << @data_cipher.final
+        timestamp        = Time.now.utc.to_i if options[:expire_after]
+        digest           = OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new(@digest), @secret, session_data + timestamp.to_s)
-  def marshal(session)
-    @data_cipher.encrypt
-    @data_cipher.key = @encryption_key
-    session_data     = Marshal.dump(session)
-    iv               = @data_cipher.random_iv
-    if @compress
-      compressed_session_data = deflate(session_data, 5)
-      compressed_session_data = session_data if compressed_session_data.length >= session_data.length
-    else
-      compressed_session_data = session_data
-    end
-    encrypted_session_data = @data_cipher.update(compressed_session_data) << @data_cipher.final
-    timestamp        = Time.now.utc.to_i if @options[:expire_after]
-    digest           = OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new(@digest), secret, session_data + timestamp.to_s)
+        result = "#{base64(iv)}#{compressed_session_data == session_data ? '.' : ' '}#{base64(encrypted_session_data)}.#{base64(digest)}"
+        result << ".#{base64([timestamp].pack('N'))}" if options[:expire_after]
+        result
+      end
-    result = "#{base64(iv)}#{compressed_session_data == session_data ? '.' : ' '}#{base64(encrypted_session_data)}.#{base64(digest)}"
-    result << ".#{base64([timestamp].pack('N'))}" if @options[:expire_after]
-    result
-  end
+      def unmarshal(data, options={})
+        return nil unless data
+        compressed = !!data.index(' ')
+        b64_iv, b64_encrypted_session_data, b64_digest, b64_timestamp = data.split(/\.| /, 4)
+        if b64_iv && b64_encrypted_session_data && b64_digest
+          iv                     = unbase64(b64_iv)
+          encrypted_session_data = unbase64(b64_encrypted_session_data)
+          digest                 = unbase64(b64_digest)
+          timestamp              = unbase64(b64_timestamp).unpack('N').first if b64_timestamp
+          @data_cipher.decrypt
+          @data_cipher.key = @encryption_key
+          @data_cipher.iv = iv
+          session_data = @data_cipher.update(encrypted_session_data) << @data_cipher.final
+          session_data = inflate(session_data) if compressed
+          return nil unless digest == OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new(@digest), @secret, session_data + timestamp.to_s)
+          if options[:expire_after]
+            return nil unless timestamp && Time.now.utc.to_i <= timestamp + options[:expire_after]
+          end
+          loaded_data = Marshal.load(session_data) || nil
+          loaded_data[:timestamp] = timestamp if loaded_data && timestamp
+          loaded_data
+        else
+          nil
+        end
+      rescue Zlib::DataError, OpenSSLCipherError
+        nil
+      end
-  def unmarshal(cookie)
-    if cookie
-      compressed = !!cookie.index(' ')
-      b64_iv, b64_encrypted_session_data, b64_digest, b64_timestamp = cookie.split(/\.| /, 4)
-      if b64_iv && b64_encrypted_session_data && b64_digest
-        iv                     = unbase64(b64_iv)
-        encrypted_session_data = unbase64(b64_encrypted_session_data)
-        digest                 = unbase64(b64_digest)
-        timestamp              = unbase64(b64_timestamp).unpack('N').first if b64_timestamp
-        @data_cipher.decrypt
-        @data_cipher.key = @encryption_key
-        @data_cipher.iv = iv
-        session_data = @data_cipher.update(encrypted_session_data) << @data_cipher.final
-        session_data = inflate(session_data) if compressed
-        return [nil, nil, nil] unless digest == OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new(@digest), secret, session_data + timestamp.to_s)
-        if @options[:expire_after]
-          return [nil, nil, nil] unless timestamp
-          return [nil, nil, timestamp] unless Time.now.utc.to_i - timestamp < @options[:expire_after]
+      # To prevent users from using an insecure encryption key like "Password" we make sure that the
+      # encryption key they've provided is at least 30 characters in length.
+      def ensure_encryption_key_secure
+        if @encryption_key.blank?
+          raise ArgumentError, "An encryption key is required for encrypting the " +
+              "cookie session data. Please set config.action_controller.session = { " +
+              "..., :encryption_key => \"some random string of at least " +
+              "16 bytes\", ... } in config/environment.rb"
         end
-        loaded_data = nil
-        begin
-          loaded_data = Marshal.load(session_data)
-        rescue
-          @logger.error("Could not unmarshal session_data: #{session_data.inspect}") if @logger
+        if @encryption_key.size < 16 * 2
+          raise ArgumentError, "The EncryptedCookieStore encryption key must be a " +
+              "hexadecimal string of at least 16 bytes. " +
+              "The value that you've provided, \"#{@encryption_key}\", is " +
+              "#{@encryption_key.size / 2} bytes. You could use the following (randomly " +
+              "generated) string as encryption key: " +
+              ActiveSupport::SecureRandom.hex(16)
         end
-        [loaded_data, session_data, timestamp]
-      else
-        [nil, nil, nil]
       end
-    else
-      [nil, nil, nil]
-    end
-  rescue Zlib::DataError
-    [nil, nil, nil]
-  rescue OpenSSLCipherError
-    [nil, nil, nil]
-  end
-  def all_unpacked_cookie_data(env)
-    env["action_dispatch.request.unsigned_session_cookie"] ||= begin
-      stale_session_check! do
-        request = Rack::Request.new(env)
-        session_data = request.cookies[@key]
-        unmarshal(session_data) || {}
+      def base64(data)
+        ::Base64.encode64(data).tr('+/', '-_').gsub(/=|\n/, '')
       end
-    end
-  end
-  def unpacked_cookie_data(env)
-    all_unpacked_cookie_data(env).first
-  end
+      def unbase64(data)
+        ::Base64.decode64(data.tr('-_', '+/').ljust((data.length + 4 - 1) / 4 * 4, '='))
+      end
-  def session_refreshed_at(timestamp)
-    Time.at(timestamp).utc if timestamp
-  end
+      # compress
+      def deflate(string, level)
+        z = Zlib::Deflate.new(level)
+        dst = z.deflate(string, Zlib::FINISH)
+        z.close
+        dst
+      end
-  # To prevent users from using an insecure encryption key like "Password" we make sure that the
-  # encryption key they've provided is at least 30 characters in length.
-  def ensure_encryption_key_secure(encryption_key)
-    if encryption_key.blank?
-      raise ArgumentError, "An encryption key is required for encrypting the " +
-        "cookie session data. Please set config.action_controller.session = { " +
-        "..., :encryption_key => \"some random string of at least " +
-        "16 bytes\", ... } in config/environment.rb"
-    end
+      # decompress
+      def inflate(string)
+        zstream = Zlib::Inflate.new
+        buf = zstream.inflate(string)
+        zstream.finish
+        zstream.close
+        buf
+      end
-    if encryption_key.size < 16 * 2
-      raise ArgumentError, "The EncryptedCookieStore encryption key must be a " +
-        "hexadecimal string of at least 16 bytes. " +
-        "The value that you've provided, \"#{encryption_key}\", is " +
-        "#{encryption_key.size / 2} bytes. You could use the following (randomly " +
-        "generated) string as encryption key: " +
-        ActiveSupport::SecureRandom.hex(16)
+      def unhex(hex_data)
+        [hex_data].pack("H*")
+      end
     end
   end
-  def verifier_for(secret, digest)
-    nil
-  end
-  def base64(data)
-    ActiveSupport::Base64.encode64(data).tr('+/', '-_').gsub(/=|\n/, '')
-  end
-  def unbase64(data)
-    ActiveSupport::Base64.decode64(data.tr('-_', '+/').ljust((data.length + 4 - 1) / 4 * 4, '='))
-  end
-    # aka compress
-  def deflate(string, level)
-    z = Zlib::Deflate.new(level)
-    dst = z.deflate(string, Zlib::FINISH)
-    z.close
-    dst
-  end
-  # aka decompress
-  def inflate(string)
-    zstream = Zlib::Inflate.new
-    buf = zstream.inflate(string)
-    zstream.finish
-    zstream.close
-    buf
-  end
-  def unhex(hex_data)
-    [hex_data].pack("H*")
-  end
 end
+EncryptedCookieStore = ActionDispatch::Session::EncryptedCookieStore

metadata CHANGED Viewed

@@ -1,7 +1,8 @@
 --- !ruby/object:Gem::Specification
 name: encrypted_cookie_store-instructure
 version: !ruby/object:Gem::Version
-  version: 1.0.8
+  version: 1.1.0
+  prerelease:
 platform: ruby
 authors:
 - Cody Cutrer
@@ -10,8 +11,88 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-12-20 00:00:00.000000000 Z
-dependencies: []
+date: 2013-11-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: debugger
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A secure version of Rails' built in CookieStore
 email:
 executables: []
@@ -21,30 +102,31 @@ extra_rdoc_files:
 files:
 - LICENSE.txt
 - README.markdown
-- encrypted_cookie_store-instructure.gemspec
 - lib/encrypted_cookie_store.rb
+- encrypted_cookie_store-instructure.gemspec
 homepage: http://github.com/ccutrer/encrypted_cookie_store
 licenses: []
-metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.3.0
+rubygems_version: 1.8.23
 signing_key:
-specification_version: 4
-summary: EncryptedCookieStore for Ruby on Rails 2.3
+specification_version: 3
+summary: EncryptedCookieStore for Ruby on Rails 3.2
 test_files: []
 has_rdoc:

checksums.yaml DELETED Viewed

@@ -1,15 +0,0 @@
----
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    OTNlMTI1ODU0MzA1OWU5NGFmOTFkMTk4NjEyNTVjNzVkZjAxOTAxNA==
-  data.tar.gz: !binary |-
-    N2Q3MGExZTg4MDgyMWZhMmMxNjc2ZWFlNGVhY2I5MTRmZmRjNDM5OQ==
-SHA512:
-  metadata.gz: !binary |-
-    MDNiZjdkOTQ3YzMyMGU2N2I5NzI0Zjg5N2ExNGJmM2M5ZjdkNjFlNTFlZThm
-    MWRjNjU1ZGFiNWZlNjRlZWFjMWMzY2VlYjVjZjZlOGQzMWNjMjdjMzM4Zjk1
-    MDA5Yzc5YmFhZDg2YzE5ZTA1MGExOWYyODEyZDY0ZDc4YWU1MGI=
-  data.tar.gz: !binary |-
-    ZWQwNzg1MjFlZWY0ZGRjYzBlZWM0MWZlMzJiNmJhNDc4NDY0OGIwMTJmYzRi
-    NzU1OTlhYzQ5Yzg0MDQ5NDFlMjM2NTE4OTFhODE2MGU4ZTU4ZDVjZDlkMTk1
-    ODExNjQzZjg1MDcwOTM1MzdhM2JiOTNlODM2NDc0YTFlYjRlMTg=