hestia 0.0.2 → 0.0.3.pre

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b3380572d332563a5ed975221d56004cdfc3a64d
-  data.tar.gz: 81129fa82814411368a4bedb26dff30adfba7176
+  metadata.gz: b8e8e62c9ca8ecee1e9a243d822671bb507eaa2e
+  data.tar.gz: e9ce873f5d4420855180ef421fd12b46b2bebfd5
 SHA512:
-  metadata.gz: e8336da91bca46b66e53de4cce6ed0950095bb0786e8a524ef97cec8757422db3a4bffbd121f34ab4fa3ca38fe7a39701562dba571290765d70a1f1da4e2c206
-  data.tar.gz: e258c450198f9a30b3a84097b0f4fa55ab8bb85b374539c91ba8c89be2182c21fff48a2c3fbbc2559f6bd2c5a0362dae46719e7396ec7ad4615d6cdf6d5daf02
+  metadata.gz: a655fdfe1b08c0f02be060cf09c05d6ea8e1e1f3f6a14f733efff32c44df0073745fb669e8b1853ef6848250b443733150705a51240a256c9214a3af30556ace
+  data.tar.gz: 354e84440820b740ea261c2da5785dac2962203edd75ea1fc39867a01557ba2f75133df31beb0f58d24ad3f1c3c6f9cba6db8ae200977c89c8d28b989958b83e

data/.gitignore

@@ -1,6 +1,6 @@
 /.bundle/
 /.yardoc
-/Gemfile.lock
+/Gemfile*.lock
 /_yardoc/
 /coverage/
 /doc/

data/.travis.yml

@@ -0,0 +1,10 @@
+language: ruby
+sudo: false
+cache: bundler
+rvm:
+  - 2.1
+  - 2.2
+gemfile:
+  - Gemfile.rails3
+  - Gemfile.rails4
+  - Gemfile.rails41

data/{Gemfile → Gemfile.rails3}

@@ -2,3 +2,5 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in hestia.gemspec
 gemspec
+
+gem "actionpack", "~> 3.0"

data/Gemfile.rails4

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in hestia.gemspec
+gemspec
+
+gem "actionpack", "~> 4.0.0"

data/Gemfile.rails41

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in hestia.gemspec
+gemspec
+
+gem "actionpack", "~> 4.1.0"

data/README.md

@@ -49,7 +49,9 @@ You should already have `Rails.application.config.secret_token` set to a value (
 
 ### Rails 4
 
-Untested thus far. Pull requests welcome! ;-)
+We support Rails 4.0 & 4.1. Rails 4.2 is unsupported at this time. (Pull requests welcome!)
+
+Following the instructions for Rails 3.2 should work, but make sure you haven't set `config.secret_key_base` to a value otherwise Rails will take over and upgrade your cookies from signed to encrypted ones.
 
 ### Outside rails
 

data/Rakefile

@@ -6,3 +6,11 @@ Rake::TestTask.new("spec") do |t|
 end
 
 task(:default => :spec)
+
+namespace :spec do
+  task :all do
+    Dir["Gemfile*"].reject {|name| name[".lock"] }.each do |gemfile|
+      sh "BUNDLE_GEMFILE=#{gemfile} bundle exec rake spec"
+    end
+  end
+end

data/hestia.gemspec

@@ -21,8 +21,9 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 2.0'
 
   spec.add_runtime_dependency "rack"
-  spec.add_runtime_dependency "actionpack", "~> 3.2", ">= 3.2.21"
+  spec.add_runtime_dependency "actionpack", ">= 3.2.21", "< 4.2.0"
 
   spec.add_development_dependency "bundler", "~> 1.7"
   spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "minitest"
 end

data/lib/hestia/railtie.rb

@@ -7,7 +7,20 @@ module Hestia
     # See README.md for how to configure this in your application.
     #
     initializer "hestia.signed_cookie_jar_extension", before: :load_config_initializers do
-      ActionDispatch::Cookies::SignedCookieJar.prepend(Hestia::SignedCookieJarExtension)
+      extension = case ActionPack::VERSION::MAJOR
+      when 3
+        Hestia::SignedCookieJarExtension::ActionPack3
+      when 4
+        if Rails.application.config.respond_to?(:secret_key_base) && Rails.application.config.secret_key_base
+          fail "Having `config.secret_token' and `config.secret_key_base' defined is not allowed in Hestia. Please refer to Hestia's Readme for more information."
+        end
+
+        Hestia::SignedCookieJarExtension::ActionPack4
+      else
+        raise "Unsupported version of action_pack: #{ActionPack::VERSION::STRING.inspect}"
+      end
+
+      ActionDispatch::Cookies::SignedCookieJar.prepend(extension)
     end
   end
 end

data/lib/hestia/signed_cookie_jar_extension.rb

@@ -1,30 +1,6 @@
 module Hestia
   module SignedCookieJarExtension
-    # Public: overridden #initialize method
-    #
-    # In rails, `secrets' will be given the value of `Rails.application.config.secret_token'. That's the current secret token.
-    # This also reads from `Rails.application.config.deprecated_secret_token` for deprecated token(s) to use. It can be undefined, a
-    # string or an array of string.
-    #
-    # parent_jar [ActionDispatch::Cookies] the parent jar creating this signed cookie jar
-    # secret [String] current secret token. Used to verify & sign cookies.
-    #
-    def initialize(parent_jar, secret)
-      super
-
-      # Find the deprecated secrets, if there are any
-      deprecated_secrets = if Rails.application.config.respond_to?(:deprecated_secret_token)
-        # This could be a single string!
-        Array(Rails.application.config.deprecated_secret_token)
-      else
-        []
-      end
-
-      # Ensure all the deprecated secret tokens are considered secure (__original_initalize__ checked the current secret for this)
-      deprecated_secrets.each { |secret| ensure_secret_secure(secret) }
-
-      # Finally, override @verifier with our own multi verifier containing all the secrets
-      @verifier = Hestia::MessageMultiVerifier.new(current_secret: secret, deprecated_secrets: deprecated_secrets)
-    end
+    autoload :ActionPack3, "hestia/signed_cookie_jar_extension/action_pack_3"
+    autoload :ActionPack4, "hestia/signed_cookie_jar_extension/action_pack_4"
   end
 end

data/lib/hestia/signed_cookie_jar_extension/action_pack_3.rb

@@ -0,0 +1,32 @@
+module Hestia
+  module SignedCookieJarExtension
+    module ActionPack3
+      # Public: overridden #initialize method
+      #
+      # In rails, `secrets' will be given the value of `Rails.application.config.secret_token'. That's the current secret token.
+      # This also reads from `Rails.application.config.deprecated_secret_token` for deprecated token(s) to use. It can be undefined, a
+      # string or an array of string.
+      #
+      # parent_jar [ActionDispatch::Cookies] the parent jar creating this signed cookie jar
+      # secret [String] current secret token. Used to verify & sign cookies.
+      #
+      def initialize(parent_jar, secret)
+        super
+
+        # Find the deprecated secrets, if there are any
+        deprecated_secrets = if Rails.application.config.respond_to?(:deprecated_secret_token)
+          # This could be a single string!
+          Array(Rails.application.config.deprecated_secret_token)
+        else
+          []
+        end
+
+        # Ensure all the deprecated secret tokens are considered secure (`super` checked the current secret for this)
+        deprecated_secrets.each { |secret| ensure_secret_secure(secret) }
+
+        # Finally, override @verifier with our own multi verifier containing all the secrets
+        @verifier = Hestia::MessageMultiVerifier.new(current_secret: secret, deprecated_secrets: deprecated_secrets)
+      end
+    end
+  end
+end

data/lib/hestia/signed_cookie_jar_extension/action_pack_4.rb

@@ -0,0 +1,37 @@
+module Hestia
+  module SignedCookieJarExtension
+    module ActionPack4
+      # Public: overridden #initialize method
+      #
+      # In rails, `secrets' will be given the value of `Rails.application.config.secret_token'. That's the current secret token.
+      # This also reads from `Rails.application.config.deprecated_secret_token` for deprecated token(s) to use. It can be undefined, a
+      # string or an array of string.
+      #
+      # parent_jar [ActionDispatch::Cookies] the parent jar creating this signed cookie jar
+      # secret [String] current secret token. Used to verify & sign cookies.
+      #
+      def initialize(parent_jar, key_generator, options = {})
+        super
+
+        # Find the deprecated secrets, if there are any
+        deprecated_secrets = if Rails.application.config.respond_to?(:deprecated_secret_token)
+          # This could be a single string!
+          Array(Rails.application.config.deprecated_secret_token)
+        else
+          []
+        end
+
+        # Grab the `config.secret_token` value from its generator
+        active_secret = key_generator.generate_key(@options[:signed_cookie_salt])
+
+        # Take the deprecated secrets through the same generator code
+        deprecated_secrets.map do |secret|
+          ActiveSupport::LegacyKeyGenerator.new(secret).generate_key(@options[:signed_cookie_salt])
+        end
+
+        # Finally, override @verifier with our own multi verifier containing all the secrets
+        @verifier = Hestia::MessageMultiVerifier.new(current_secret: active_secret, deprecated_secrets: deprecated_secrets)
+      end
+    end
+  end
+end

data/lib/hestia/version.rb

@@ -1,3 +1,3 @@
 module Hestia
-  VERSION = "0.0.2"
+  VERSION = "0.0.3.pre"
 end

data/spec/hestia/signed_cookie_jar_extension/action_pack_3_spec.rb

@@ -0,0 +1,90 @@
+require_relative "../../spec_helper"
+require_relative "../../support/fake_rails"
+
+# Call our railtie block to setup the initializers array
+require "hestia/railtie"
+
+module Hestia
+  if ActionPack::VERSION::MAJOR == 3
+    describe SignedCookieJarExtension::ActionPack3 do
+      before do
+        Rails.clean
+        load_railtie
+      end
+
+      it "is prepended into signed cookie jar ancestors" do
+        ActionDispatch::Cookies::SignedCookieJar.ancestors.first.must_equal SignedCookieJarExtension::ActionPack3
+      end
+
+      it "defines initialize" do
+        # #initialize doesn't show up in {instance_,}methods({false,true}) for some reason, so do this instead
+        # This will throw a NameError if we don't define it
+        SignedCookieJarExtension::ActionPack3.instance_method(:initialize)
+      end
+
+      describe "signed cookie jar instance with no deprecated token" do
+        before do
+          @parent_jar = Object.new
+          @secret = "a" * 30
+          @jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar, @secret)
+        end
+
+        it "calls the original initialize method" do
+          @jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
+        end
+
+        describe "validator" do
+          before do
+            @verifier = @jar.instance_variable_get(:@verifier)
+          end
+          it "is a multi message validator" do
+            @verifier.must_be_kind_of(MessageMultiVerifier)
+          end
+
+          it "has the correct secrets stored" do
+            secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
+            secrets.must_equal [@secret]
+          end
+        end
+      end
+
+      describe "signed cookie jar instance with deprecated token" do
+        before do
+          @parent_jar = Object.new
+          @secret = "a" * 30
+          @deprecated_secret = "b" * 30
+          Rails.application.config.deprecated_secret_token = @deprecated_secret
+          @jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar, @secret)
+        end
+
+        it "calls the original initialize method" do
+          @jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
+        end
+
+        describe "validator" do
+          before do
+            @verifier = @jar.instance_variable_get(:@verifier)
+          end
+          it "is a multi message validator" do
+            @verifier.must_be_kind_of(MessageMultiVerifier)
+          end
+
+          it "has the correct secrets stored" do
+            secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
+            secrets.must_equal [@secret, @deprecated_secret]
+          end
+        end
+      end
+
+      private
+
+      def load_railtie
+        if (init = Rails::Railtie.initializers.first)
+          _, _, block = init
+          block.call
+        end
+      end
+
+    end
+  end
+end

data/spec/hestia/signed_cookie_jar_extension/action_pack_4_spec.rb

@@ -0,0 +1,101 @@
+require_relative "../../spec_helper"
+require_relative "../../support/fake_rails"
+
+# Call our railtie block to setup the initializers array
+require "hestia/railtie"
+
+module Hestia
+  if ActionPack::VERSION::MAJOR == 4
+    describe SignedCookieJarExtension::ActionPack4 do
+      before do
+        Rails.clean
+        load_railtie
+      end
+
+      it "is prepended into signed cookie jar ancestors" do
+        ActionDispatch::Cookies::SignedCookieJar.ancestors.first.must_equal SignedCookieJarExtension::ActionPack4
+      end
+
+      it "defines initialize" do
+        # #initialize doesn't show up in {instance_,}methods({false,true}) for some reason, so do this instead
+        # This will throw a NameError if we don't define it
+        SignedCookieJarExtension::ActionPack4.instance_method(:initialize)
+      end
+
+      describe "signed cookie jar instance with no deprecated token" do
+        before do
+          @parent_jar = Object.new
+          @secret = "a" * 30
+          @jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar, ActiveSupport::LegacyKeyGenerator.new(@secret))
+        end
+
+        it "calls the original initialize method" do
+          @jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
+        end
+
+        describe "validator" do
+          before do
+            @verifier = @jar.instance_variable_get(:@verifier)
+          end
+          it "is a multi message validator" do
+            @verifier.must_be_kind_of(MessageMultiVerifier)
+          end
+
+          it "has the correct secrets stored" do
+            secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
+            secrets.must_equal [@secret]
+          end
+        end
+      end
+
+      describe "signed cookie jar instance with deprecated token" do
+        before do
+          @parent_jar = Object.new
+          @secret = "a" * 30
+          @deprecated_secret = "b" * 30
+          Rails.application.config.deprecated_secret_token = @deprecated_secret
+          @jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar, ActiveSupport::LegacyKeyGenerator.new(@secret))
+        end
+
+        it "calls the original initialize method" do
+          @jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
+        end
+
+        describe "validator" do
+          before do
+            @verifier = @jar.instance_variable_get(:@verifier)
+          end
+          it "is a multi message validator" do
+            @verifier.must_be_kind_of(MessageMultiVerifier)
+          end
+
+          it "has the correct secrets stored" do
+            secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
+            secrets.must_equal [@secret, @deprecated_secret]
+          end
+        end
+      end
+
+      describe "with secret_key_base defined in config" do
+        it "blows up" do
+          Rails.clean
+
+          Rails.application.config.secret_token = "a" * 64
+          Rails.application.config.secret_key_base = "b" * 64
+
+          -> { load_railtie }.must_raise(RuntimeError)
+        end
+      end
+
+      private
+
+      def load_railtie
+        if (init = Rails::Railtie.initializers.first)
+          _, _, block = init
+          block.call
+        end
+      end
+
+    end
+  end
+end

data/spec/support/fake_rails.rb

@@ -1,9 +1,9 @@
 require "rack"
+require "action_pack/version"
 require "action_dispatch/middleware/cookies"
 
 # Guard in case we're accidentally loaded when rails is
 unless defined?(Rails)
-
   # Fake out rails for testing Hestia::Railtie
   class Rails
     def self.clean
@@ -12,7 +12,24 @@ unless defined?(Rails)
     end
 
     def self.application
-      @application ||= OpenStruct.new(:config => OpenStruct.new)
+      @application ||= FakeApp.new
+    end
+
+    class FakeApp
+      def config
+        @config ||= FakeConfig.new
+      end
+    end
+
+    class FakeConfig
+      attr_accessor :secret_key_base, :secret_token, :deprecated_secret_token
+
+      # Rails' config respond_to? returns nil if the value of that option is nil
+      def respond_to?(name)
+        if %i(secret_key_base secret_token deprecated_secret_token).include?(name)
+          !!public_send(name)
+        end
+      end
     end
 
     # Hestia::Railtie will subclass this

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hestia
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3.pre
 platform: ruby
 authors:
 - Caius Durling
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-12 00:00:00.000000000 Z
+date: 2015-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -28,22 +28,22 @@ dependencies:
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.2.21
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.2.21
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.2.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -72,6 +72,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: |-
   Support for deprecating/rotating signed cookie secret tokens in rails.
   Handles silently accepting cookies signed with different secrets and sending back cookies signed with new secret.
@@ -82,7 +96,10 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
-- Gemfile
+- ".travis.yml"
+- Gemfile.rails3
+- Gemfile.rails4
+- Gemfile.rails41
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -92,10 +109,13 @@ files:
 - lib/hestia/message_multi_verifier.rb
 - lib/hestia/railtie.rb
 - lib/hestia/signed_cookie_jar_extension.rb
+- lib/hestia/signed_cookie_jar_extension/action_pack_3.rb
+- lib/hestia/signed_cookie_jar_extension/action_pack_4.rb
 - lib/hestia/version.rb
 - spec/hestia/message_multi_verifier_spec.rb
 - spec/hestia/railtie_spec.rb
-- spec/hestia/signed_cookie_jar_extension_spec.rb
+- spec/hestia/signed_cookie_jar_extension/action_pack_3_spec.rb
+- spec/hestia/signed_cookie_jar_extension/action_pack_4_spec.rb
 - spec/spec_helper.rb
 - spec/support/fake_rails.rb
 homepage: https://github.com/fac/hestia
@@ -113,18 +133,19 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 2.2.3
 signing_key: 
 specification_version: 4
 summary: Support for deprecating/rotating signed cookie secret tokens in rails
 test_files:
 - spec/hestia/message_multi_verifier_spec.rb
 - spec/hestia/railtie_spec.rb
-- spec/hestia/signed_cookie_jar_extension_spec.rb
+- spec/hestia/signed_cookie_jar_extension/action_pack_3_spec.rb
+- spec/hestia/signed_cookie_jar_extension/action_pack_4_spec.rb
 - spec/spec_helper.rb
 - spec/support/fake_rails.rb

data/spec/hestia/signed_cookie_jar_extension_spec.rb

@@ -1,88 +0,0 @@
-require_relative "../spec_helper"
-require_relative "../support/fake_rails"
-
-# Call our railtie block to setup the initializers array
-require "hestia/railtie"
-
-module Hestia
-  describe SignedCookieJarExtension do
-    before do
-      Rails.clean
-      load_railtie
-    end
-
-    it "is prepended into signed cookie jar ancestors" do
-      ActionDispatch::Cookies::SignedCookieJar.ancestors.first.must_equal SignedCookieJarExtension
-    end
-
-    it "defines initialize" do
-      # #initialize doesn't show up in {instance_,}methods({false,true}) for some reason, so do this instead
-      # This will throw a NameError if we don't define it
-      SignedCookieJarExtension.instance_method(:initialize)
-    end
-
-    describe "signed cookie jar instance with no deprecated token" do
-      before do
-        @parent_jar = Object.new
-        @secret = "a" * 30
-        @jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar, @secret)
-      end
-
-      it "calls the original initialize method" do
-        @jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
-      end
-
-      describe "validator" do
-        before do
-          @verifier = @jar.instance_variable_get(:@verifier)
-        end
-        it "is a multi message validator" do
-          @verifier.must_be_kind_of(MessageMultiVerifier)
-        end
-
-        it "has the correct secrets stored" do
-          secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
-          secrets.must_equal [@secret]
-        end
-      end
-    end
-
-    describe "signed cookie jar instance with deprecated token" do
-      before do
-        @parent_jar = Object.new
-        @secret = "a" * 30
-        @deprecated_secret = "b" * 30
-        Rails.application.config[:deprecated_secret_token] = @deprecated_secret
-        @jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar, @secret)
-      end
-
-      it "calls the original initialize method" do
-        @jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
-      end
-
-      describe "validator" do
-        before do
-          @verifier = @jar.instance_variable_get(:@verifier)
-        end
-        it "is a multi message validator" do
-          @verifier.must_be_kind_of(MessageMultiVerifier)
-        end
-
-        it "has the correct secrets stored" do
-          secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
-          secrets.must_equal [@secret, @deprecated_secret]
-        end
-      end
-    end
-
-    private
-
-    def load_railtie
-      if (init = Rails::Railtie.initializers.first)
-        _, _, block = init
-        block.call
-      end
-    end
-
-  end
-end