hestia 0.2.0 → 0.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.travis.yml +8 -0
- data/Gemfile.rails50 +6 -0
- data/Gemfile.rails51 +6 -0
- data/README.md +3 -1
- data/hestia.gemspec +1 -1
- data/lib/hestia.rb +6 -0
- data/lib/hestia/message_multi_verifier.rb +5 -0
- data/lib/hestia/railtie.rb +4 -6
- data/lib/hestia/signed_cookie_jar_extension.rb +1 -0
- data/lib/hestia/signed_cookie_jar_extension/action_pack_5.rb +41 -0
- data/lib/hestia/version.rb +1 -1
- data/spec/hestia/message_multi_verifier_spec.rb +7 -4
- data/spec/hestia/signed_cookie_jar_extension/action_pack_5_spec.rb +103 -0
- data/spec/support/fake_cookie_jar.rb +11 -0
- metadata +12 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b0f6ffbc2dc06c7139b927a99e5f477395d1802b
|
|
4
|
+
data.tar.gz: 414c8a89a1886f14f86f10431b2a4909ce07ff46
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3ec6e236bcda0203191b22bd4e5535684365c6bbf2d564a26e8126191a333fb6c419f5f6f03dbaddbfa3d0bb5b6e1cfb9dbab4a2985fa60c039ff342dc097cc0
|
|
7
|
+
data.tar.gz: 7dfe2db894bf9c5f194319f0a3a1d95851b932a0434fa7630bed2c9da23e35f9b6cbe0bc35aa9bbcf070f583b4a563f81fbc864f3abc262b0c4b310c216e6c67
|
data/.travis.yml
CHANGED
data/Gemfile.rails50
ADDED
data/Gemfile.rails51
ADDED
data/README.md
CHANGED
|
@@ -37,6 +37,8 @@ We currently support (& test against):
|
|
|
37
37
|
* Rails 3.2
|
|
38
38
|
* Rails 4.1
|
|
39
39
|
* Rails 4.2
|
|
40
|
+
* Rails 5.0
|
|
41
|
+
* Rails 5.1
|
|
40
42
|
|
|
41
43
|
Pull requests always welcome to support other versions!
|
|
42
44
|
|
|
@@ -61,7 +63,7 @@ You should already have `Rails.application.config.secret_token` set to a value (
|
|
|
61
63
|
|
|
62
64
|
*You can also set `config.deprecated_secret_token` to an array of strings to allow incoming cookies to be valid when signed with any of the secrets.*
|
|
63
65
|
|
|
64
|
-
### Rails 4.1, 4.2
|
|
66
|
+
### Rails 4.1, 4.2, 5.0, 5.1
|
|
65
67
|
|
|
66
68
|
Following the instructions for Rails 3.2 should work, but make sure you haven't set `config.secret_key_base` to a value otherwise Rails will take over and upgrade your cookies from signed to encrypted ones.
|
|
67
69
|
|
data/hestia.gemspec
CHANGED
|
@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
|
|
|
21
21
|
spec.required_ruby_version = '>= 2.0'
|
|
22
22
|
|
|
23
23
|
spec.add_runtime_dependency "rack"
|
|
24
|
-
spec.add_runtime_dependency "actionpack", ">= 3.2.21", "< 5.
|
|
24
|
+
spec.add_runtime_dependency "actionpack", ">= 3.2.21", "< 5.2.0"
|
|
25
25
|
|
|
26
26
|
spec.add_development_dependency "bundler", "~> 1.7"
|
|
27
27
|
spec.add_development_dependency "rake", "~> 10.0"
|
data/lib/hestia.rb
CHANGED
|
@@ -2,4 +2,10 @@ module Hestia
|
|
|
2
2
|
autoload :MessageMultiVerifier, "hestia/message_multi_verifier"
|
|
3
3
|
autoload :SignedCookieJarExtension, "hestia/signed_cookie_jar_extension"
|
|
4
4
|
autoload :VERSION, "hestia/version"
|
|
5
|
+
|
|
6
|
+
def self.check_secret_key_base
|
|
7
|
+
if Rails.application.config.respond_to?(:secret_key_base) && Rails.application.config.secret_key_base
|
|
8
|
+
fail "Having `config.secret_token' and `config.secret_key_base' defined is not allowed in Hestia. Please refer to Hestia's Readme for more information."
|
|
9
|
+
end
|
|
10
|
+
end
|
|
5
11
|
end
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
require "active_support/message_verifier"
|
|
2
|
+
require "active_support/message_encryptor"
|
|
2
3
|
|
|
3
4
|
module Hestia
|
|
4
5
|
class MessageMultiVerifier
|
|
@@ -40,6 +41,10 @@ module Hestia
|
|
|
40
41
|
# Returns deserialized value
|
|
41
42
|
# Raises ActiveSupport::MessageVerifier::InvalidSignature
|
|
42
43
|
def verify(signed_message)
|
|
44
|
+
verified(signed_message)
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
def verified(signed_message)
|
|
43
48
|
errored_verifier_count = 0
|
|
44
49
|
|
|
45
50
|
# Make sure we check *all* verifiers, every time we're called, to prevent timing attacks.
|
data/lib/hestia/railtie.rb
CHANGED
|
@@ -11,13 +11,11 @@ module Hestia
|
|
|
11
11
|
when 3
|
|
12
12
|
Hestia::SignedCookieJarExtension::ActionPack3
|
|
13
13
|
when 4
|
|
14
|
-
|
|
15
|
-
fail "Having `config.secret_token' and `config.secret_key_base' defined is not allowed in Hestia. Please refer to Hestia's Readme for more information."
|
|
16
|
-
end
|
|
17
|
-
|
|
14
|
+
Hestia.check_secret_key_base
|
|
18
15
|
Hestia::SignedCookieJarExtension::ActionPack4
|
|
19
|
-
|
|
20
|
-
|
|
16
|
+
when 5
|
|
17
|
+
Hestia.check_secret_key_base
|
|
18
|
+
Hestia::SignedCookieJarExtension::ActionPack5
|
|
21
19
|
end
|
|
22
20
|
|
|
23
21
|
ActionDispatch::Cookies::SignedCookieJar.prepend(extension)
|
|
@@ -2,5 +2,6 @@ module Hestia
|
|
|
2
2
|
module SignedCookieJarExtension
|
|
3
3
|
autoload :ActionPack3, "hestia/signed_cookie_jar_extension/action_pack_3"
|
|
4
4
|
autoload :ActionPack4, "hestia/signed_cookie_jar_extension/action_pack_4"
|
|
5
|
+
autoload :ActionPack5, "hestia/signed_cookie_jar_extension/action_pack_5"
|
|
5
6
|
end
|
|
6
7
|
end
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
require 'active_support/version'
|
|
2
|
+
|
|
3
|
+
module Hestia
|
|
4
|
+
module SignedCookieJarExtension
|
|
5
|
+
module ActionPack5
|
|
6
|
+
# Public: overridden #initialize method
|
|
7
|
+
#
|
|
8
|
+
# In rails, `secrets' will be given the value of `Rails.application.config.secret_token'. That's the current secret token.
|
|
9
|
+
# This also reads from `Rails.application.config.deprecated_secret_token` for deprecated token(s) to use. It can be undefined, a
|
|
10
|
+
# string or an array of string.
|
|
11
|
+
#
|
|
12
|
+
# parent_jar [ActionDispatch::Cookies] the parent jar creating this signed cookie jar
|
|
13
|
+
# secret [String] current secret token. Used to verify & sign cookies.
|
|
14
|
+
#
|
|
15
|
+
def initialize(parent_jar)
|
|
16
|
+
super
|
|
17
|
+
|
|
18
|
+
# Find the deprecated secrets, if there are any
|
|
19
|
+
deprecated_secrets = if Rails.application.config.respond_to?(:deprecated_secret_token)
|
|
20
|
+
# This could be a single string!
|
|
21
|
+
Array(Rails.application.config.deprecated_secret_token)
|
|
22
|
+
else
|
|
23
|
+
[]
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
# Grab the `config.secret_token` value from its generator
|
|
27
|
+
active_secret = key_generator.generate_key(request.signed_cookie_salt)
|
|
28
|
+
|
|
29
|
+
# Take the deprecated secrets through the same generator code
|
|
30
|
+
deprecated_secrets.map do |secret|
|
|
31
|
+
ActiveSupport::LegacyKeyGenerator.new(secret).generate_key(request.signed_cookie_salt)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
serializer = ActiveSupport.version.to_s > "4.1" ? ActiveSupport::MessageEncryptor::NullSerializer : ActionDispatch::Cookies::NullSerializer
|
|
35
|
+
|
|
36
|
+
# Finally, override @verifier with our own multi verifier containing all the secrets
|
|
37
|
+
@verifier = Hestia::MessageMultiVerifier.new(current_secret: active_secret, deprecated_secrets: deprecated_secrets, options: {serializer: serializer})
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
end
|
data/lib/hestia/version.rb
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
require_relative "../spec_helper"
|
|
2
|
+
require "action_pack/version"
|
|
2
3
|
|
|
3
4
|
module Hestia
|
|
4
5
|
describe MessageMultiVerifier do
|
|
@@ -91,11 +92,13 @@ module Hestia
|
|
|
91
92
|
multi_verifier.verify(legacy_cookie).must_equal "cookie dough"
|
|
92
93
|
end
|
|
93
94
|
|
|
94
|
-
|
|
95
|
-
|
|
95
|
+
if ActionPack::VERSION::MAJOR < 5
|
|
96
|
+
it "verifies a message of `nil' successfully" do
|
|
97
|
+
nil_cookie = singular_verifier.generate(nil)
|
|
96
98
|
|
|
97
|
-
|
|
98
|
-
|
|
99
|
+
singular_verifier.verify(nil_cookie).must_equal(nil)
|
|
100
|
+
multi_verifier.verify(nil_cookie).must_equal(nil)
|
|
101
|
+
end
|
|
99
102
|
end
|
|
100
103
|
|
|
101
104
|
it "verifies successfully when using custom digest" do
|
|
@@ -0,0 +1,103 @@
|
|
|
1
|
+
require_relative "../../spec_helper"
|
|
2
|
+
require_relative "../../support/fake_rails"
|
|
3
|
+
require_relative "../../support/fake_cookie_jar"
|
|
4
|
+
require "action_dispatch/middleware/cookies"
|
|
5
|
+
|
|
6
|
+
# Call our railtie block to setup the initializers array
|
|
7
|
+
require "hestia/railtie"
|
|
8
|
+
|
|
9
|
+
module Hestia
|
|
10
|
+
if ActionPack::VERSION::MAJOR == 5
|
|
11
|
+
describe SignedCookieJarExtension::ActionPack5 do
|
|
12
|
+
before do
|
|
13
|
+
Rails.clean
|
|
14
|
+
load_railtie
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
it "is prepended into signed cookie jar ancestors" do
|
|
18
|
+
ActionDispatch::Cookies::SignedCookieJar.ancestors.first.must_equal SignedCookieJarExtension::ActionPack5
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
it "defines initialize" do
|
|
22
|
+
# #initialize doesn't show up in {instance_,}methods({false,true}) for some reason, so do this instead
|
|
23
|
+
# This will throw a NameError if we don't define it
|
|
24
|
+
SignedCookieJarExtension::ActionPack5.instance_method(:initialize)
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
describe "signed cookie jar instance with no deprecated token" do
|
|
28
|
+
before do
|
|
29
|
+
@secret = "a" * 30
|
|
30
|
+
@parent_jar = FakeCookieJar.new(@secret)
|
|
31
|
+
@jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
it "calls the original initialize method" do
|
|
35
|
+
@jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
describe "validator" do
|
|
39
|
+
before do
|
|
40
|
+
@verifier = @jar.instance_variable_get(:@verifier)
|
|
41
|
+
end
|
|
42
|
+
it "is a multi message validator" do
|
|
43
|
+
@verifier.must_be_kind_of(MessageMultiVerifier)
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
it "has the correct secrets stored" do
|
|
47
|
+
secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
|
|
48
|
+
secrets.must_equal [@secret]
|
|
49
|
+
end
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
describe "signed cookie jar instance with deprecated token" do
|
|
54
|
+
before do
|
|
55
|
+
@secret = "a" * 30
|
|
56
|
+
@parent_jar = FakeCookieJar.new(@secret)
|
|
57
|
+
@deprecated_secret = "b" * 30
|
|
58
|
+
Rails.application.config.deprecated_secret_token = @deprecated_secret
|
|
59
|
+
@jar = ActionDispatch::Cookies::SignedCookieJar.new(@parent_jar)
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
it "calls the original initialize method" do
|
|
63
|
+
@jar.instance_variable_get(:@parent_jar).must_equal @parent_jar
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
describe "validator" do
|
|
67
|
+
before do
|
|
68
|
+
@verifier = @jar.instance_variable_get(:@verifier)
|
|
69
|
+
end
|
|
70
|
+
it "is a multi message validator" do
|
|
71
|
+
@verifier.must_be_kind_of(MessageMultiVerifier)
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
it "has the correct secrets stored" do
|
|
75
|
+
secrets = @verifier.instance_variable_get(:@verifiers).map { |x| x.instance_variable_get(:@secret) }
|
|
76
|
+
secrets.must_equal [@secret, @deprecated_secret]
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
end
|
|
80
|
+
|
|
81
|
+
describe "with secret_key_base defined in config" do
|
|
82
|
+
it "blows up" do
|
|
83
|
+
Rails.clean
|
|
84
|
+
|
|
85
|
+
Rails.application.config.secret_token = "a" * 64
|
|
86
|
+
Rails.application.config.secret_key_base = "b" * 64
|
|
87
|
+
|
|
88
|
+
-> { load_railtie }.must_raise(RuntimeError)
|
|
89
|
+
end
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
private
|
|
93
|
+
|
|
94
|
+
def load_railtie
|
|
95
|
+
if (init = Rails::Railtie.initializers.first)
|
|
96
|
+
_, _, block = init
|
|
97
|
+
block.call
|
|
98
|
+
end
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
end
|
|
102
|
+
end
|
|
103
|
+
end
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
class FakeCookieJar
|
|
2
|
+
attr_reader :request, :key_generator, :signed_cookie_salt, :cookies_digest
|
|
3
|
+
|
|
4
|
+
def initialize(secret)
|
|
5
|
+
@secret = secret
|
|
6
|
+
@request = self
|
|
7
|
+
@signed_cookie_salt = nil
|
|
8
|
+
@cookies_digest = nil
|
|
9
|
+
@key_generator = ActiveSupport::LegacyKeyGenerator.new(@secret)
|
|
10
|
+
end
|
|
11
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hestia
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Caius Durling
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2017-11-30 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -33,7 +33,7 @@ dependencies:
|
|
|
33
33
|
version: 3.2.21
|
|
34
34
|
- - "<"
|
|
35
35
|
- !ruby/object:Gem::Version
|
|
36
|
-
version: 5.
|
|
36
|
+
version: 5.2.0
|
|
37
37
|
type: :runtime
|
|
38
38
|
prerelease: false
|
|
39
39
|
version_requirements: !ruby/object:Gem::Requirement
|
|
@@ -43,7 +43,7 @@ dependencies:
|
|
|
43
43
|
version: 3.2.21
|
|
44
44
|
- - "<"
|
|
45
45
|
- !ruby/object:Gem::Version
|
|
46
|
-
version: 5.
|
|
46
|
+
version: 5.2.0
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: bundler
|
|
49
49
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -100,6 +100,8 @@ files:
|
|
|
100
100
|
- Gemfile.rails3
|
|
101
101
|
- Gemfile.rails41
|
|
102
102
|
- Gemfile.rails42
|
|
103
|
+
- Gemfile.rails50
|
|
104
|
+
- Gemfile.rails51
|
|
103
105
|
- LICENSE.txt
|
|
104
106
|
- README.md
|
|
105
107
|
- Rakefile
|
|
@@ -111,12 +113,15 @@ files:
|
|
|
111
113
|
- lib/hestia/signed_cookie_jar_extension.rb
|
|
112
114
|
- lib/hestia/signed_cookie_jar_extension/action_pack_3.rb
|
|
113
115
|
- lib/hestia/signed_cookie_jar_extension/action_pack_4.rb
|
|
116
|
+
- lib/hestia/signed_cookie_jar_extension/action_pack_5.rb
|
|
114
117
|
- lib/hestia/version.rb
|
|
115
118
|
- spec/hestia/message_multi_verifier_spec.rb
|
|
116
119
|
- spec/hestia/railtie_spec.rb
|
|
117
120
|
- spec/hestia/signed_cookie_jar_extension/action_pack_3_spec.rb
|
|
118
121
|
- spec/hestia/signed_cookie_jar_extension/action_pack_4_spec.rb
|
|
122
|
+
- spec/hestia/signed_cookie_jar_extension/action_pack_5_spec.rb
|
|
119
123
|
- spec/spec_helper.rb
|
|
124
|
+
- spec/support/fake_cookie_jar.rb
|
|
120
125
|
- spec/support/fake_rails.rb
|
|
121
126
|
homepage: https://github.com/fac/hestia
|
|
122
127
|
licenses:
|
|
@@ -138,7 +143,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
138
143
|
version: '0'
|
|
139
144
|
requirements: []
|
|
140
145
|
rubyforge_project:
|
|
141
|
-
rubygems_version: 2.6.
|
|
146
|
+
rubygems_version: 2.6.13
|
|
142
147
|
signing_key:
|
|
143
148
|
specification_version: 4
|
|
144
149
|
summary: Support for deprecating/rotating signed cookie secret tokens in rails
|
|
@@ -147,5 +152,7 @@ test_files:
|
|
|
147
152
|
- spec/hestia/railtie_spec.rb
|
|
148
153
|
- spec/hestia/signed_cookie_jar_extension/action_pack_3_spec.rb
|
|
149
154
|
- spec/hestia/signed_cookie_jar_extension/action_pack_4_spec.rb
|
|
155
|
+
- spec/hestia/signed_cookie_jar_extension/action_pack_5_spec.rb
|
|
150
156
|
- spec/spec_helper.rb
|
|
157
|
+
- spec/support/fake_cookie_jar.rb
|
|
151
158
|
- spec/support/fake_rails.rb
|