hestia 0.0.2 → 0.0.3.pre
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +1 -1
- data/.travis.yml +10 -0
- data/{Gemfile → Gemfile.rails3} +2 -0
- data/Gemfile.rails4 +6 -0
- data/Gemfile.rails41 +6 -0
- data/README.md +3 -1
- data/Rakefile +8 -0
- data/hestia.gemspec +2 -1
- data/lib/hestia/railtie.rb +14 -1
- data/lib/hestia/signed_cookie_jar_extension.rb +2 -26
- data/lib/hestia/signed_cookie_jar_extension/action_pack_3.rb +32 -0
- data/lib/hestia/signed_cookie_jar_extension/action_pack_4.rb +37 -0
- data/lib/hestia/version.rb +1 -1
- data/spec/hestia/signed_cookie_jar_extension/action_pack_3_spec.rb +90 -0
- data/spec/hestia/signed_cookie_jar_extension/action_pack_4_spec.rb +101 -0
- data/spec/support/fake_rails.rb +19 -2
- metadata +35 -14
- data/spec/hestia/signed_cookie_jar_extension_spec.rb +0 -88
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b8e8e62c9ca8ecee1e9a243d822671bb507eaa2e
|
|
4
|
+
data.tar.gz: e9ce873f5d4420855180ef421fd12b46b2bebfd5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a655fdfe1b08c0f02be060cf09c05d6ea8e1e1f3f6a14f733efff32c44df0073745fb669e8b1853ef6848250b443733150705a51240a256c9214a3af30556ace
|
|
7
|
+
data.tar.gz: 354e84440820b740ea261c2da5785dac2962203edd75ea1fc39867a01557ba2f75133df31beb0f58d24ad3f1c3c6f9cba6db8ae200977c89c8d28b989958b83e
|
data/.gitignore
CHANGED
data/.travis.yml
ADDED
data/{Gemfile → Gemfile.rails3}
RENAMED
data/Gemfile.rails4
ADDED
data/Gemfile.rails41
ADDED
data/README.md
CHANGED
|
@@ -49,7 +49,9 @@ You should already have `Rails.application.config.secret_token` set to a value (
|
|
|
49
49
|
|
|
50
50
|
### Rails 4
|
|
51
51
|
|
|
52
|
-
|
|
52
|
+
We support Rails 4.0 & 4.1. Rails 4.2 is unsupported at this time. (Pull requests welcome!)
|
|
53
|
+
|
|
54
|
+
Following the instructions for Rails 3.2 should work, but make sure you haven't set `config.secret_key_base` to a value otherwise Rails will take over and upgrade your cookies from signed to encrypted ones.
|
|
53
55
|
|
|
54
56
|
### Outside rails
|
|
55
57
|
|
data/Rakefile
CHANGED
data/hestia.gemspec
CHANGED
|
@@ -21,8 +21,9 @@ Gem::Specification.new do |spec|
|
|
|
21
21
|
spec.required_ruby_version = '>= 2.0'
|
|
22
22
|
|
|
23
23
|
spec.add_runtime_dependency "rack"
|
|
24
|
-
spec.add_runtime_dependency "actionpack", "
|
|
24
|
+
spec.add_runtime_dependency "actionpack", ">= 3.2.21", "< 4.2.0"
|
|
25
25
|
|
|
26
26
|
spec.add_development_dependency "bundler", "~> 1.7"
|
|
27
27
|
spec.add_development_dependency "rake", "~> 10.0"
|
|
28
|
+
spec.add_development_dependency "minitest"
|
|
28
29
|
end
|
data/lib/hestia/railtie.rb
CHANGED
|
@@ -7,7 +7,20 @@ module Hestia
|
|
|
7
7
|
# See README.md for how to configure this in your application.
|
|
8
8
|
#
|
|
9
9
|
initializer "hestia.signed_cookie_jar_extension", before: :load_config_initializers do
|
|
10
|
-
|
|
10
|
+
extension = case ActionPack::VERSION::MAJOR
|
|
11
|
+
when 3
|
|
12
|
+
Hestia::SignedCookieJarExtension::ActionPack3
|
|
13
|
+
when 4
|
|
14
|
+
if Rails.application.config.respond_to?(:secret_key_base) && Rails.application.config.secret_key_base
|
|
15
|
+
fail "Having `config.secret_token' and `config.secret_key_base' defined is not allowed in Hestia. Please refer to Hestia's Readme for more information."
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
Hestia::SignedCookieJarExtension::ActionPack4
|
|
19
|
+
else
|
|
20
|
+
raise "Unsupported version of action_pack: #{ActionPack::VERSION::STRING.inspect}"
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
ActionDispatch::Cookies::SignedCookieJar.prepend(extension)
|
|
11
24
|
end
|
|
12
25
|
end
|
|
13
26
|
end
|
|
@@ -1,30 +1,6 @@
|
|
|
1
1
|
module Hestia
|
|
2
2
|
module SignedCookieJarExtension
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
# In rails, `secrets' will be given the value of `Rails.application.config.secret_token'. That's the current secret token.
|
|
6
|
-
# This also reads from `Rails.application.config.deprecated_secret_token` for deprecated token(s) to use. It can be undefined, a
|
|
7
|
-
# string or an array of string.
|
|
8
|
-
#
|
|
9
|
-
# parent_jar [ActionDispatch::Cookies] the parent jar creating this signed cookie jar
|
|
10
|
-
# secret [String] current secret token. Used to verify & sign cookies.
|
|
11
|
-
#
|
|
12
|
-
def initialize(parent_jar, secret)
|
|
13
|
-
super
|
|
14
|
-
|
|
15
|
-
# Find the deprecated secrets, if there are any
|
|
16
|
-
deprecated_secrets = if Rails.application.config.respond_to?(:deprecated_secret_token)
|
|
17
|
-
# This could be a single string!
|
|
18
|
-
Array(Rails.application.config.deprecated_secret_token)
|
|
19
|
-
else
|
|
20
|
-
[]
|
|
21
|
-
end
|
|
22
|
-
|
|
23
|
-
# Ensure all the deprecated secret tokens are considered secure (__original_initalize__ checked the current secret for this)
|
|
24
|
-
deprecated_secrets.each { |secret| ensure_secret_secure(secret) }
|
|
25
|
-
|
|
26
|
-
# Finally, override @verifier with our own multi verifier containing all the secrets
|
|
27
|
-
@verifier = Hestia::MessageMultiVerifier.new(current_secret: secret, deprecated_secrets: deprecated_secrets)
|
|
28
|
-
end
|
|
3
|
+
autoload :ActionPack3, "hestia/signed_cookie_jar_extension/action_pack_3"
|
|
4
|
+
autoload :ActionPack4, "hestia/signed_cookie_jar_extension/action_pack_4"
|
|
29
5
|
end
|
|
30
6
|
end
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
module Hestia
|
|
2
|
+
module SignedCookieJarExtension
|
|
3
|
+
module ActionPack3
|
|
4
|
+
# Public: overridden #initialize method
|
|
5
|
+
#
|
|
6
|
+
# In rails, `secrets' will be given the value of `Rails.application.config.secret_token'. That's the current secret token.
|
|
7
|
+
# This also reads from `Rails.application.config.deprecated_secret_token` for deprecated token(s) to use. It can be undefined, a
|
|
8
|
+
# string or an array of string.
|
|
9
|
+
#
|
|
10
|
+
# parent_jar [ActionDispatch::Cookies] the parent jar creating this signed cookie jar
|
|
11
|
+
# secret [String] current secret token. Used to verify & sign cookies.
|
|
12
|
+
#
|
|
13
|
+
def initialize(parent_jar, secret)
|
|
14
|
+
super
|
|
15
|
+
|
|
16
|
+
# Find the deprecated secrets, if there are any
|
|
17
|
+
deprecated_secrets = if Rails.application.config.respond_to?(:deprecated_secret_token)
|
|
18
|
+
# This could be a single string!
|
|
19
|
+
Array(Rails.application.config.deprecated_secret_token)
|
|
20
|
+
else
|
|
21
|
+
[]
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
# Ensure all the deprecated secret tokens are considered secure (`super` checked the current secret for this)
|
|
25
|
+
deprecated_secrets.each { |secret| ensure_secret_secure(secret) }
|
|
26
|
+
|
|
27
|
+
# Finally, override @verifier with our own multi verifier containing all the secrets
|
|
28
|
+
@verifier = Hestia::MessageMultiVerifier.new(current_secret: secret, deprecated_secrets: deprecated_secrets)
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
module Hestia
|
|
2
|
+
module SignedCookieJarExtension
|
|
3
|
+
module ActionPack4
|
|
4
|
+
# Public: overridden #initialize method
|
|
5
|
+
#
|
|
6
|
+
# In rails, `secrets' will be given the value of `Rails.application.config.secret_token'. That's the current secret token.
|
|
7
|
+
# This also reads from `Rails.application.config.deprecated_secret_token` for deprecated token(s) to use. It can be undefined, a
|
|
8
|
+
# string or an array of string.
|
|
9
|
+
#
|
|
10
|
+
# parent_jar [ActionDispatch::Cookies] the parent jar creating this signed cookie jar
|
|
11
|
+
# secret [String] current secret token. Used to verify & sign cookies.
|
|
12
|
+
#
|
|
13
|
+
def initialize(parent_jar, key_generator, options = {})
|
|
14
|
+
super
|
|
15
|
+
|
|
16
|
+
# Find the deprecated secrets, if there are any
|
|
17
|
+
deprecated_secrets = if Rails.application.config.respond_to?(:deprecated_secret_token)
|
|
18
|
+
# This could be a single string!
|
|
19
|
+
Array(Rails.application.config.deprecated_secret_token)
|
|
20
|
+
else
|
|
21
|
+
[]
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
# Grab the `config.secret_token` value from its generator
|
|
25
|
+
active_secret = key_generator.generate_key(@options[:signed_cookie_salt])
|
|
26
|
+
|
|
27
|
+
# Take the deprecated secrets through the same generator code
|
|
28
|
+
deprecated_secrets.map do |secret|
|
|
29
|
+
ActiveSupport::LegacyKeyGenerator.new(secret).generate_key(@options[:signed_cookie_salt])
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
# Finally, override @verifier with our own multi verifier containing all the secrets
|
|
33
|
+
@verifier = Hestia::MessageMultiVerifier.new(current_secret: active_secret, deprecated_secrets: deprecated_secrets)
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
data/lib/hestia/version.rb
CHANGED
|
@@ -0,0 +1,90 @@
|
|
|
1
|
+
require_relative "../../spec_helper"
|
|
2
|
+
require_relative "../../support/fake_rails"
|
|
3
|
+
|
|
4
|
+
# Call our railtie block to setup the initializers array
|
|
5
|
+
require "hestia/railtie"
|
|
6
|
+
|
|
7
|
+
module Hestia
|
|
8
|
+
if ActionPack::VERSION::MAJOR == 3
|
|
9
|
+
describe SignedCookieJarExtension::ActionPack3 do
|
|
10
|
+
before do
|
|
11
|
+
Rails.clean
|
|
12
|
+
load_railtie
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
it "is prepended into signed cookie jar ancestors" do
|
|
16
|
+
ActionDispatch::Cookies::SignedCookieJar.ancestors.first.must_equal SignedCookieJarExtension::ActionPack3
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
it "defines initialize" do
|
|
20
|
+
# #initialize doesn't show up in {instance_,}methods({false,true}) for some reason, so do this instead
|
|
21
|
+
# This will throw a NameError if we don't define it
|
|
22
|
+
SignedCookieJarExtension::ActionPack3.instance_method(:initialize)
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
describe "signed cookie jar instance with no deprecated token" do
|
|
26
|
+
before do
|
|
27
|
+
@parent_jar = Object.new
|
|
28
|
+
@secret = "a" * 30
|
|
29
|
+
@jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar, @secret)
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
it "calls the original initialize method" do
|
|
33
|
+
@jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
describe "validator" do
|
|
37
|
+
before do
|
|
38
|
+
@verifier = @jar.instance_variable_get(:@verifier)
|
|
39
|
+
end
|
|
40
|
+
it "is a multi message validator" do
|
|
41
|
+
@verifier.must_be_kind_of(MessageMultiVerifier)
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
it "has the correct secrets stored" do
|
|
45
|
+
secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
|
|
46
|
+
secrets.must_equal [@secret]
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
describe "signed cookie jar instance with deprecated token" do
|
|
52
|
+
before do
|
|
53
|
+
@parent_jar = Object.new
|
|
54
|
+
@secret = "a" * 30
|
|
55
|
+
@deprecated_secret = "b" * 30
|
|
56
|
+
Rails.application.config.deprecated_secret_token = @deprecated_secret
|
|
57
|
+
@jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar, @secret)
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
it "calls the original initialize method" do
|
|
61
|
+
@jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
describe "validator" do
|
|
65
|
+
before do
|
|
66
|
+
@verifier = @jar.instance_variable_get(:@verifier)
|
|
67
|
+
end
|
|
68
|
+
it "is a multi message validator" do
|
|
69
|
+
@verifier.must_be_kind_of(MessageMultiVerifier)
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
it "has the correct secrets stored" do
|
|
73
|
+
secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
|
|
74
|
+
secrets.must_equal [@secret, @deprecated_secret]
|
|
75
|
+
end
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
private
|
|
80
|
+
|
|
81
|
+
def load_railtie
|
|
82
|
+
if (init = Rails::Railtie.initializers.first)
|
|
83
|
+
_, _, block = init
|
|
84
|
+
block.call
|
|
85
|
+
end
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
end
|
|
89
|
+
end
|
|
90
|
+
end
|
|
@@ -0,0 +1,101 @@
|
|
|
1
|
+
require_relative "../../spec_helper"
|
|
2
|
+
require_relative "../../support/fake_rails"
|
|
3
|
+
|
|
4
|
+
# Call our railtie block to setup the initializers array
|
|
5
|
+
require "hestia/railtie"
|
|
6
|
+
|
|
7
|
+
module Hestia
|
|
8
|
+
if ActionPack::VERSION::MAJOR == 4
|
|
9
|
+
describe SignedCookieJarExtension::ActionPack4 do
|
|
10
|
+
before do
|
|
11
|
+
Rails.clean
|
|
12
|
+
load_railtie
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
it "is prepended into signed cookie jar ancestors" do
|
|
16
|
+
ActionDispatch::Cookies::SignedCookieJar.ancestors.first.must_equal SignedCookieJarExtension::ActionPack4
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
it "defines initialize" do
|
|
20
|
+
# #initialize doesn't show up in {instance_,}methods({false,true}) for some reason, so do this instead
|
|
21
|
+
# This will throw a NameError if we don't define it
|
|
22
|
+
SignedCookieJarExtension::ActionPack4.instance_method(:initialize)
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
describe "signed cookie jar instance with no deprecated token" do
|
|
26
|
+
before do
|
|
27
|
+
@parent_jar = Object.new
|
|
28
|
+
@secret = "a" * 30
|
|
29
|
+
@jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar, ActiveSupport::LegacyKeyGenerator.new(@secret))
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
it "calls the original initialize method" do
|
|
33
|
+
@jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
describe "validator" do
|
|
37
|
+
before do
|
|
38
|
+
@verifier = @jar.instance_variable_get(:@verifier)
|
|
39
|
+
end
|
|
40
|
+
it "is a multi message validator" do
|
|
41
|
+
@verifier.must_be_kind_of(MessageMultiVerifier)
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
it "has the correct secrets stored" do
|
|
45
|
+
secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
|
|
46
|
+
secrets.must_equal [@secret]
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
describe "signed cookie jar instance with deprecated token" do
|
|
52
|
+
before do
|
|
53
|
+
@parent_jar = Object.new
|
|
54
|
+
@secret = "a" * 30
|
|
55
|
+
@deprecated_secret = "b" * 30
|
|
56
|
+
Rails.application.config.deprecated_secret_token = @deprecated_secret
|
|
57
|
+
@jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar, ActiveSupport::LegacyKeyGenerator.new(@secret))
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
it "calls the original initialize method" do
|
|
61
|
+
@jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
describe "validator" do
|
|
65
|
+
before do
|
|
66
|
+
@verifier = @jar.instance_variable_get(:@verifier)
|
|
67
|
+
end
|
|
68
|
+
it "is a multi message validator" do
|
|
69
|
+
@verifier.must_be_kind_of(MessageMultiVerifier)
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
it "has the correct secrets stored" do
|
|
73
|
+
secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
|
|
74
|
+
secrets.must_equal [@secret, @deprecated_secret]
|
|
75
|
+
end
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
describe "with secret_key_base defined in config" do
|
|
80
|
+
it "blows up" do
|
|
81
|
+
Rails.clean
|
|
82
|
+
|
|
83
|
+
Rails.application.config.secret_token = "a" * 64
|
|
84
|
+
Rails.application.config.secret_key_base = "b" * 64
|
|
85
|
+
|
|
86
|
+
-> { load_railtie }.must_raise(RuntimeError)
|
|
87
|
+
end
|
|
88
|
+
end
|
|
89
|
+
|
|
90
|
+
private
|
|
91
|
+
|
|
92
|
+
def load_railtie
|
|
93
|
+
if (init = Rails::Railtie.initializers.first)
|
|
94
|
+
_, _, block = init
|
|
95
|
+
block.call
|
|
96
|
+
end
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
end
|
|
100
|
+
end
|
|
101
|
+
end
|
data/spec/support/fake_rails.rb
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
require "rack"
|
|
2
|
+
require "action_pack/version"
|
|
2
3
|
require "action_dispatch/middleware/cookies"
|
|
3
4
|
|
|
4
5
|
# Guard in case we're accidentally loaded when rails is
|
|
5
6
|
unless defined?(Rails)
|
|
6
|
-
|
|
7
7
|
# Fake out rails for testing Hestia::Railtie
|
|
8
8
|
class Rails
|
|
9
9
|
def self.clean
|
|
@@ -12,7 +12,24 @@ unless defined?(Rails)
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def self.application
|
|
15
|
-
@application ||=
|
|
15
|
+
@application ||= FakeApp.new
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
class FakeApp
|
|
19
|
+
def config
|
|
20
|
+
@config ||= FakeConfig.new
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
class FakeConfig
|
|
25
|
+
attr_accessor :secret_key_base, :secret_token, :deprecated_secret_token
|
|
26
|
+
|
|
27
|
+
# Rails' config respond_to? returns nil if the value of that option is nil
|
|
28
|
+
def respond_to?(name)
|
|
29
|
+
if %i(secret_key_base secret_token deprecated_secret_token).include?(name)
|
|
30
|
+
!!public_send(name)
|
|
31
|
+
end
|
|
32
|
+
end
|
|
16
33
|
end
|
|
17
34
|
|
|
18
35
|
# Hestia::Railtie will subclass this
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hestia
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.3.pre
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Caius Durling
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-07-13 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -28,22 +28,22 @@ dependencies:
|
|
|
28
28
|
name: actionpack
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
|
-
- - "~>"
|
|
32
|
-
- !ruby/object:Gem::Version
|
|
33
|
-
version: '3.2'
|
|
34
31
|
- - ">="
|
|
35
32
|
- !ruby/object:Gem::Version
|
|
36
33
|
version: 3.2.21
|
|
34
|
+
- - "<"
|
|
35
|
+
- !ruby/object:Gem::Version
|
|
36
|
+
version: 4.2.0
|
|
37
37
|
type: :runtime
|
|
38
38
|
prerelease: false
|
|
39
39
|
version_requirements: !ruby/object:Gem::Requirement
|
|
40
40
|
requirements:
|
|
41
|
-
- - "~>"
|
|
42
|
-
- !ruby/object:Gem::Version
|
|
43
|
-
version: '3.2'
|
|
44
41
|
- - ">="
|
|
45
42
|
- !ruby/object:Gem::Version
|
|
46
43
|
version: 3.2.21
|
|
44
|
+
- - "<"
|
|
45
|
+
- !ruby/object:Gem::Version
|
|
46
|
+
version: 4.2.0
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: bundler
|
|
49
49
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -72,6 +72,20 @@ dependencies:
|
|
|
72
72
|
- - "~>"
|
|
73
73
|
- !ruby/object:Gem::Version
|
|
74
74
|
version: '10.0'
|
|
75
|
+
- !ruby/object:Gem::Dependency
|
|
76
|
+
name: minitest
|
|
77
|
+
requirement: !ruby/object:Gem::Requirement
|
|
78
|
+
requirements:
|
|
79
|
+
- - ">="
|
|
80
|
+
- !ruby/object:Gem::Version
|
|
81
|
+
version: '0'
|
|
82
|
+
type: :development
|
|
83
|
+
prerelease: false
|
|
84
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
85
|
+
requirements:
|
|
86
|
+
- - ">="
|
|
87
|
+
- !ruby/object:Gem::Version
|
|
88
|
+
version: '0'
|
|
75
89
|
description: |-
|
|
76
90
|
Support for deprecating/rotating signed cookie secret tokens in rails.
|
|
77
91
|
Handles silently accepting cookies signed with different secrets and sending back cookies signed with new secret.
|
|
@@ -82,7 +96,10 @@ extensions: []
|
|
|
82
96
|
extra_rdoc_files: []
|
|
83
97
|
files:
|
|
84
98
|
- ".gitignore"
|
|
85
|
-
-
|
|
99
|
+
- ".travis.yml"
|
|
100
|
+
- Gemfile.rails3
|
|
101
|
+
- Gemfile.rails4
|
|
102
|
+
- Gemfile.rails41
|
|
86
103
|
- LICENSE.txt
|
|
87
104
|
- README.md
|
|
88
105
|
- Rakefile
|
|
@@ -92,10 +109,13 @@ files:
|
|
|
92
109
|
- lib/hestia/message_multi_verifier.rb
|
|
93
110
|
- lib/hestia/railtie.rb
|
|
94
111
|
- lib/hestia/signed_cookie_jar_extension.rb
|
|
112
|
+
- lib/hestia/signed_cookie_jar_extension/action_pack_3.rb
|
|
113
|
+
- lib/hestia/signed_cookie_jar_extension/action_pack_4.rb
|
|
95
114
|
- lib/hestia/version.rb
|
|
96
115
|
- spec/hestia/message_multi_verifier_spec.rb
|
|
97
116
|
- spec/hestia/railtie_spec.rb
|
|
98
|
-
- spec/hestia/
|
|
117
|
+
- spec/hestia/signed_cookie_jar_extension/action_pack_3_spec.rb
|
|
118
|
+
- spec/hestia/signed_cookie_jar_extension/action_pack_4_spec.rb
|
|
99
119
|
- spec/spec_helper.rb
|
|
100
120
|
- spec/support/fake_rails.rb
|
|
101
121
|
homepage: https://github.com/fac/hestia
|
|
@@ -113,18 +133,19 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
113
133
|
version: '2.0'
|
|
114
134
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
115
135
|
requirements:
|
|
116
|
-
- - "
|
|
136
|
+
- - ">"
|
|
117
137
|
- !ruby/object:Gem::Version
|
|
118
|
-
version:
|
|
138
|
+
version: 1.3.1
|
|
119
139
|
requirements: []
|
|
120
140
|
rubyforge_project:
|
|
121
|
-
rubygems_version: 2.
|
|
141
|
+
rubygems_version: 2.2.3
|
|
122
142
|
signing_key:
|
|
123
143
|
specification_version: 4
|
|
124
144
|
summary: Support for deprecating/rotating signed cookie secret tokens in rails
|
|
125
145
|
test_files:
|
|
126
146
|
- spec/hestia/message_multi_verifier_spec.rb
|
|
127
147
|
- spec/hestia/railtie_spec.rb
|
|
128
|
-
- spec/hestia/
|
|
148
|
+
- spec/hestia/signed_cookie_jar_extension/action_pack_3_spec.rb
|
|
149
|
+
- spec/hestia/signed_cookie_jar_extension/action_pack_4_spec.rb
|
|
129
150
|
- spec/spec_helper.rb
|
|
130
151
|
- spec/support/fake_rails.rb
|
|
@@ -1,88 +0,0 @@
|
|
|
1
|
-
require_relative "../spec_helper"
|
|
2
|
-
require_relative "../support/fake_rails"
|
|
3
|
-
|
|
4
|
-
# Call our railtie block to setup the initializers array
|
|
5
|
-
require "hestia/railtie"
|
|
6
|
-
|
|
7
|
-
module Hestia
|
|
8
|
-
describe SignedCookieJarExtension do
|
|
9
|
-
before do
|
|
10
|
-
Rails.clean
|
|
11
|
-
load_railtie
|
|
12
|
-
end
|
|
13
|
-
|
|
14
|
-
it "is prepended into signed cookie jar ancestors" do
|
|
15
|
-
ActionDispatch::Cookies::SignedCookieJar.ancestors.first.must_equal SignedCookieJarExtension
|
|
16
|
-
end
|
|
17
|
-
|
|
18
|
-
it "defines initialize" do
|
|
19
|
-
# #initialize doesn't show up in {instance_,}methods({false,true}) for some reason, so do this instead
|
|
20
|
-
# This will throw a NameError if we don't define it
|
|
21
|
-
SignedCookieJarExtension.instance_method(:initialize)
|
|
22
|
-
end
|
|
23
|
-
|
|
24
|
-
describe "signed cookie jar instance with no deprecated token" do
|
|
25
|
-
before do
|
|
26
|
-
@parent_jar = Object.new
|
|
27
|
-
@secret = "a" * 30
|
|
28
|
-
@jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar, @secret)
|
|
29
|
-
end
|
|
30
|
-
|
|
31
|
-
it "calls the original initialize method" do
|
|
32
|
-
@jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
|
|
33
|
-
end
|
|
34
|
-
|
|
35
|
-
describe "validator" do
|
|
36
|
-
before do
|
|
37
|
-
@verifier = @jar.instance_variable_get(:@verifier)
|
|
38
|
-
end
|
|
39
|
-
it "is a multi message validator" do
|
|
40
|
-
@verifier.must_be_kind_of(MessageMultiVerifier)
|
|
41
|
-
end
|
|
42
|
-
|
|
43
|
-
it "has the correct secrets stored" do
|
|
44
|
-
secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
|
|
45
|
-
secrets.must_equal [@secret]
|
|
46
|
-
end
|
|
47
|
-
end
|
|
48
|
-
end
|
|
49
|
-
|
|
50
|
-
describe "signed cookie jar instance with deprecated token" do
|
|
51
|
-
before do
|
|
52
|
-
@parent_jar = Object.new
|
|
53
|
-
@secret = "a" * 30
|
|
54
|
-
@deprecated_secret = "b" * 30
|
|
55
|
-
Rails.application.config[:deprecated_secret_token] = @deprecated_secret
|
|
56
|
-
@jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar, @secret)
|
|
57
|
-
end
|
|
58
|
-
|
|
59
|
-
it "calls the original initialize method" do
|
|
60
|
-
@jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
|
|
61
|
-
end
|
|
62
|
-
|
|
63
|
-
describe "validator" do
|
|
64
|
-
before do
|
|
65
|
-
@verifier = @jar.instance_variable_get(:@verifier)
|
|
66
|
-
end
|
|
67
|
-
it "is a multi message validator" do
|
|
68
|
-
@verifier.must_be_kind_of(MessageMultiVerifier)
|
|
69
|
-
end
|
|
70
|
-
|
|
71
|
-
it "has the correct secrets stored" do
|
|
72
|
-
secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
|
|
73
|
-
secrets.must_equal [@secret, @deprecated_secret]
|
|
74
|
-
end
|
|
75
|
-
end
|
|
76
|
-
end
|
|
77
|
-
|
|
78
|
-
private
|
|
79
|
-
|
|
80
|
-
def load_railtie
|
|
81
|
-
if (init = Rails::Railtie.initializers.first)
|
|
82
|
-
_, _, block = init
|
|
83
|
-
block.call
|
|
84
|
-
end
|
|
85
|
-
end
|
|
86
|
-
|
|
87
|
-
end
|
|
88
|
-
end
|