quo_vadis 2.1.6 → 2.1.7

Sign up to get free protection for your applications and to get access to all the features.
Files changed (8) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +6 -0
  3. data/app/views/quo_vadis/logs/index.html.erb +1 -1
  4. data/lib/quo_vadis/crypt.rb +12 -6
  5. data/lib/quo_vadis/version.rb +1 -1
  6. data/test/integration/sessions_test.rb +1 -1
  7. data/test/models/crypt_test.rb +19 -0
  8. metadata +1 -1
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7ae53bae73aaf968a8edec5148304394b411eace9c0df39069c6b240e90a6ea9
4
- data.tar.gz: 4980707b8a6670298f0d99f7f1a554767c12323055d5103057c3028837da49af
3
+ metadata.gz: f2f5586e06a0e01dd89d66bf9cae01317b0d302ba51e5a82cfcb4bc00dc0ea85
4
+ data.tar.gz: f37f34fbae6ab23081643aff844525b4ca8795c9e5057cbce737e7348d6a254f
5
5
  SHA512:
6
- metadata.gz: 00f025682cb8623ff02713e15bf25fdcc8c2a2964273bbc9f450f562375d18dd508ae1e729657cfa2275f2cb92672ef75b278edf8dbebd75cb2d6064d6c974b9
7
- data.tar.gz: c017aa443847c3d62dd17e8e384f50db13e11f63189008787be7d896ebc80a362318328139537859d8613a240607362ef2bd81c5022a99a358086f77d079bedf
6
+ metadata.gz: de242f63f325f1520fb9fb209535a4dfcff1c6f3f2e80d6620bce3e940c1000d5452145e83b6917e9106deb844aa4f467be922880c92bbb357da2dcb6bbf563b
7
+ data.tar.gz: d706a441437cab9af6ee75f3581cc18df8edfd17414317555eecd58a1c984f7cc62a085297158fb5a42f9d244bcfdbde98bd6792220434a6118e32f801c0241e
data/CHANGELOG.md CHANGED
@@ -4,6 +4,12 @@
4
4
  ## HEAD
5
5
 
6
6
 
7
+ ## 2.1.7 (30 May 2022)
8
+
9
+ * Use SHA256 digest for encryption.
10
+ * Use <time> element in logs view.
11
+
12
+
7
13
  ## 2.1.6 (30 May 2022)
8
14
 
9
15
  * Fix typo in session scope.
data/app/views/quo_vadis/logs/index.html.erb CHANGED
@@ -12,7 +12,7 @@
12
12
  <tbody>
13
13
  <% @logs.each do |log| %>
14
14
  <tr>
15
- <td><%= log.created_at %></td>
15
+ <td><time datetime="<%= log.created_at.to_formatted_s(:iso8601) %>"><%= log.created_at.to_formatted_s('%-d %B %Y') %></time></td>
16
16
  <td><%= QuoVadis.translate "log.action.#{log.action}" %></td>
17
17
  <td><%= log.ip %></td>
18
18
  <td><%= log.metadata.empty? ? '' : log.metadata.map {|k,v| "#{k}: #{v}"}.join(', ') %></td>
data/lib/quo_vadis/crypt.rb CHANGED
@@ -8,7 +8,7 @@ module QuoVadis
8
8
  return '' if value == ''
9
9
 
10
10
  salt = SecureRandom.hex KEY_LENGTH
11
- crypt = encryptor key(salt)
11
+ crypt = encryptor salt
12
12
  ciphertext = crypt.encrypt_and_sign value
13
13
  [salt, ciphertext].join SEPARATOR
14
14
  end
@@ -18,7 +18,7 @@ module QuoVadis
18
18
  return '' if value == ''
19
19
 
20
20
  salt, data = value.split SEPARATOR
21
- crypt = encryptor key(salt)
21
+ crypt = encryptor salt
22
22
  crypt.decrypt_and_verify(data)
23
23
  end
24
24
 
@@ -27,12 +27,18 @@ module QuoVadis
27
27
  KEY_LENGTH = ActiveSupport::MessageEncryptor.key_len
28
28
  SEPARATOR = '$$'
29
29
 
30
- def self.encryptor(key)
31
- ActiveSupport::MessageEncryptor.new(key)
30
+ def self.encryptor(salt)
31
+ key_sha256 = key salt, OpenSSL::Digest::SHA256
32
+ key_sha1 = key salt, OpenSSL::Digest::SHA1
33
+ ActiveSupport::MessageEncryptor.new(key_sha256).tap { |crypt|
34
+ crypt.rotate key_sha1
35
+ }
32
36
  end
33
37
 
34
- def self.key(salt)
35
- ActiveSupport::KeyGenerator.new(secret).generate_key(salt, KEY_LENGTH)
38
+ def self.key(salt, hash_digest_class)
39
+ ActiveSupport::KeyGenerator
40
+ .new(secret, hash_digest_class: hash_digest_class)
41
+ .generate_key(salt, KEY_LENGTH)
36
42
  end
37
43
 
38
44
  def self.secret
data/lib/quo_vadis/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module QuoVadis
4
- VERSION = '2.1.6'
4
+ VERSION = '2.1.7'
5
5
  end
data/test/integration/sessions_test.rb CHANGED
@@ -54,7 +54,7 @@ class SessionsTest < IntegrationTest
54
54
  phone.get quo_vadis.sessions_path
55
55
  phone.assert_response :success
56
56
  phone.assert_select 'td', 'This session'
57
- phone.assert_select 'td input[type=submit][value="Log out"]', 1
57
+ phone.assert_select 'td button[type=submit]', text: 'Log out', count: 1
58
58
 
59
59
  # on phone, log out the desktop session
60
60
  phone.delete quo_vadis.session_path(QuoVadis::Session.first.id)
data/test/models/crypt_test.rb CHANGED
@@ -4,6 +4,13 @@ class CryptTest < ActiveSupport::TestCase
4
4
 
5
5
  setup do
6
6
  @crypt = QuoVadis::Crypt
7
+
8
+ @crypt_sha1 = Class.new(QuoVadis::Crypt) do
9
+ def self.encryptor(salt)
10
+ key_sha1 = key salt, OpenSSL::Digest::SHA1
11
+ ActiveSupport::MessageEncryptor.new key_sha1
12
+ end
13
+ end
7
14
  end
8
15
 
9
16
  test 'round trip' do
@@ -19,4 +26,16 @@ class CryptTest < ActiveSupport::TestCase
19
26
  refute_equal ciphertext, @crypt.encrypt(plaintext)
20
27
  end
21
28
 
29
+ test 'rotation' do
30
+ # This test only works if our test Rails contains this commit:
31
+ # https://github.com/rails/rails/commit/447e28347eb46e2ad5dc625de616152bd1b69a32
32
+ return unless ActiveSupport::KeyGenerator.respond_to? :hash_digest_class
33
+
34
+ plaintext = 'the quick brown fox'
35
+ # Encrypt with SHA1 digest
36
+ ciphertext_sha1 = @crypt_sha1.encrypt plaintext
37
+ # Ensure code can decrypt it.
38
+ assert_equal plaintext, @crypt.decrypt(ciphertext_sha1)
39
+ end
40
+
22
41
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: quo_vadis
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.1.6
4
+ version: 2.1.7
5
5
  platform: ruby
6
6
  authors:
7
7
  - Andy Stewart