railties 6.1.6 → 7.1.2

data/lib/rails/application.rb

@@ -4,12 +4,14 @@ require "yaml"
 require "active_support/core_ext/hash/keys"
 require "active_support/core_ext/object/blank"
 require "active_support/key_generator"
-require "active_support/message_verifier"
+require "active_support/message_verifiers"
+require "active_support/deprecation"
 require "active_support/encrypted_configuration"
 require "active_support/hash_with_indifferent_access"
 require "active_support/configuration_file"
 require "rails/engine"
 require "rails/secrets"
+require "rails/autoloaders"
 
 module Rails
   # An Engine with the responsibility of coordinating the whole boot process.
@@ -21,12 +23,12 @@ module Rails
   # Rails::Application::Bootstrap) and finishing initializers, after all the others
   # are executed (check Rails::Application::Finisher).
   #
-  # == Configuration
+  # == \Configuration
   #
   # Besides providing the same configuration as Rails::Engine and Rails::Railtie,
   # the application object has several specific configurations, for example
-  # "cache_classes", "consider_all_requests_local", "filter_parameters",
-  # "logger" and so forth.
+  # +enable_reloading+, +consider_all_requests_local+, +filter_parameters+,
+  # +logger+, and so forth.
   #
   # Check Rails::Application::Configuration to see them all.
   #
@@ -42,44 +44,21 @@ module Rails
   # == Booting process
   #
   # The application is also responsible for setting up and executing the booting
-  # process. From the moment you require "config/application.rb" in your app,
+  # process. From the moment you require <tt>config/application.rb</tt> in your app,
   # the booting process goes like this:
   #
-  #   1)  require "config/boot.rb" to set up load paths
-  #   2)  require railties and engines
-  #   3)  Define Rails.application as "class MyApp::Application < Rails::Application"
-  #   4)  Run config.before_configuration callbacks
-  #   5)  Load config/environments/ENV.rb
-  #   6)  Run config.before_initialize callbacks
-  #   7)  Run Railtie#initializer defined by railties, engines and application.
-  #       One by one, each engine sets up its load paths, routes and runs its config/initializers/* files.
-  #   8)  Custom Railtie#initializers added by railties, engines and applications are executed
-  #   9)  Build the middleware stack and run to_prepare callbacks
-  #   10) Run config.before_eager_load and eager_load! if eager_load is true
-  #   11) Run config.after_initialize callbacks
-  #
-  # == Multiple Applications
-  #
-  # If you decide to define multiple applications, then the first application
-  # that is initialized will be set to +Rails.application+, unless you override
-  # it with a different application.
-  #
-  # To create a new application, you can instantiate a new instance of a class
-  # that has already been created:
-  #
-  #   class Application < Rails::Application
-  #   end
-  #
-  #   first_application  = Application.new
-  #   second_application = Application.new(config: first_application.config)
-  #
-  # In the above example, the configuration from the first application was used
-  # to initialize the second application. You can also use the +initialize_copy+
-  # on one of the applications to create a copy of the application which shares
-  # the configuration.
-  #
-  # If you decide to define Rake tasks, runners, or initializers in an
-  # application other than +Rails.application+, then you must run them manually.
+  # 1.  <tt>require "config/boot.rb"</tt> to set up load paths.
+  # 2.  +require+ railties and engines.
+  # 3.  Define +Rails.application+ as <tt>class MyApp::Application < Rails::Application</tt>.
+  # 4.  Run +config.before_configuration+ callbacks.
+  # 5.  Load <tt>config/environments/ENV.rb</tt>.
+  # 6.  Run +config.before_initialize+ callbacks.
+  # 7.  Run <tt>Railtie#initializer</tt> defined by railties, engines, and application.
+  #     One by one, each engine sets up its load paths and routes, and runs its <tt>config/initializers/*</tt> files.
+  # 8.  Custom <tt>Railtie#initializers</tt> added by railties, engines, and applications are executed.
+  # 9.  Build the middleware stack and run +to_prepare+ callbacks.
+  # 10. Run +config.before_eager_load+ and +eager_load!+ if +eager_load+ is +true+.
+  # 11. Run +config.after_initialize+ callbacks.
   class Application < Engine
     autoload :Bootstrap,              "rails/application/bootstrap"
     autoload :Configuration,          "rails/application/configuration"
@@ -92,6 +71,8 @@ module Rails
       def inherited(base)
         super
         Rails.app_class = base
+        # lib has to be added to $LOAD_PATH unconditionally, even if it's in the
+        # autoload paths and config.add_autoload_paths_to_load_path is false.
         add_lib_to_load_path!(find_root(base.called_from))
         ActiveSupport.run_load_hooks(:before_configuration, base)
       end
@@ -118,7 +99,7 @@ module Rails
 
     attr_accessor :assets, :sandbox
     alias_method :sandbox?, :sandbox
-    attr_reader :reloaders, :reloader, :executor
+    attr_reader :reloaders, :reloader, :executor, :autoloaders
 
     delegate :default_url_options, :default_url_options=, to: :routes
 
@@ -133,13 +114,17 @@ module Rails
       @app_env_config    = nil
       @ordered_railties  = nil
       @railties          = nil
-      @message_verifiers = {}
+      @key_generators    = {}
+      @message_verifiers = nil
+      @deprecators       = nil
       @ran_load_hooks    = false
 
       @executor          = Class.new(ActiveSupport::Executor)
       @reloader          = Class.new(ActiveSupport::Reloader)
       @reloader.executor = @executor
 
+      @autoloaders = Rails::Autoloaders.new
+
       # are these actually used?
       @initial_variable_values = initial_variable_values
       @block = block
@@ -169,15 +154,53 @@ module Rails
       routes_reloader.reload!
     end
 
-    # Returns the application's KeyGenerator
-    def key_generator
+    # Returns a key generator (ActiveSupport::CachingKeyGenerator) for a
+    # specified +secret_key_base+. The return value is memoized, so additional
+    # calls with the same +secret_key_base+ will return the same key generator
+    # instance.
+    def key_generator(secret_key_base = self.secret_key_base)
       # number of iterations selected based on consultation with the google security
       # team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220
-      @caching_key_generator ||= ActiveSupport::CachingKeyGenerator.new(
+      @key_generators[secret_key_base] ||= ActiveSupport::CachingKeyGenerator.new(
         ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000)
       )
     end
 
+    # Returns a message verifier factory (ActiveSupport::MessageVerifiers). This
+    # factory can be used as a central point to configure and create message
+    # verifiers (ActiveSupport::MessageVerifier) for your application.
+    #
+    # By default, message verifiers created by this factory will generate
+    # messages using the default ActiveSupport::MessageVerifier options. You can
+    # override these options with a combination of
+    # ActiveSupport::MessageVerifiers#clear_rotations and
+    # ActiveSupport::MessageVerifiers#rotate. However, this must be done prior
+    # to building any message verifier instances. For example, in a
+    # +before_initialize+ block:
+    #
+    #   # Use `url_safe: true` when generating messages
+    #   config.before_initialize do |app|
+    #     app.message_verifiers.clear_rotations
+    #     app.message_verifiers.rotate(url_safe: true)
+    #   end
+    #
+    # Message verifiers created by this factory will always use a secret derived
+    # from #secret_key_base when generating messages. +clear_rotations+ will not
+    # affect this behavior. However, older +secret_key_base+ values can be
+    # rotated for verifying messages:
+    #
+    #   # Fall back to old `secret_key_base` when verifying messages
+    #   config.before_initialize do |app|
+    #     app.message_verifiers.rotate(secret_key_base: "old secret_key_base")
+    #   end
+    #
+    def message_verifiers
+      @message_verifiers ||=
+        ActiveSupport::MessageVerifiers.new do |salt, secret_key_base: self.secret_key_base|
+          key_generator(secret_key_base).generate_key(salt)
+        end.rotate_defaults
+    end
+
     # Returns a message verifier object.
     #
     # This verifier can be used to generate and verify signed messages in the application.
@@ -195,15 +218,22 @@ module Rails
     #     Rails.application.message_verifier('sensitive_data').verify(message)
     #     # => 'my sensible data'
     #
-    # See the +ActiveSupport::MessageVerifier+ documentation for more information.
+    # See the ActiveSupport::MessageVerifier documentation for more information.
     def message_verifier(verifier_name)
-      @message_verifiers[verifier_name] ||= begin
-        secret = key_generator.generate_key(verifier_name.to_s)
-        ActiveSupport::MessageVerifier.new(secret)
+      message_verifiers[verifier_name]
+    end
+
+    # A managed collection of deprecators (ActiveSupport::Deprecation::Deprecators).
+    # The collection's configuration methods affect all deprecators in the
+    # collection. Additionally, the collection's +silence+ method silences all
+    # deprecators in the collection for the duration of a given block.
+    def deprecators
+      @deprecators ||= ActiveSupport::Deprecation::Deprecators.new.tap do |deprecators|
+        deprecators[:railties] = Rails.deprecator
       end
     end
 
-    # Convenience for loading config/foo.yml for the current Rails env.
+    # Convenience for loading config/foo.yml for the current \Rails env.
     #
     # Examples:
     #
@@ -247,9 +277,11 @@ module Rails
         config, shared = all_configs[env.to_sym], all_configs[:shared]
 
         if shared
-          config = {} if config.nil?
-          if config.is_a?(Hash)
+          config = {} if config.nil? && shared.is_a?(Hash)
+          if config.is_a?(Hash) && shared.is_a?(Hash)
             config = shared.deep_merge(config)
+          elsif config.nil?
+            config = shared
           end
         end
 
@@ -263,16 +295,17 @@ module Rails
       end
     end
 
-    # Stores some of the Rails initial environment parameters which
+    # Stores some of the \Rails initial environment parameters which
     # will be used by middlewares and engines to configure themselves.
     def env_config
-      @app_env_config ||= begin
-        super.merge(
-          "action_dispatch.parameter_filter" => config.filter_parameters,
+      @app_env_config ||= super.merge(
+          "action_dispatch.parameter_filter" => filter_parameters,
           "action_dispatch.redirect_filter" => config.filter_redirect,
           "action_dispatch.secret_key_base" => secret_key_base,
           "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions,
           "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
+          "action_dispatch.log_rescued_responses" => config.action_dispatch.log_rescued_responses,
+          "action_dispatch.debug_exception_log_level" => ActiveSupport::Logger.const_get(config.action_dispatch.debug_exception_log_level.to_s.upcase),
           "action_dispatch.logger" => Rails.logger,
           "action_dispatch.backtrace_cleaner" => Rails.backtrace_cleaner,
           "action_dispatch.key_generator" => key_generator,
@@ -295,7 +328,6 @@ module Rails
           "action_dispatch.content_security_policy_nonce_directives" => config.content_security_policy_nonce_directives,
           "action_dispatch.permissions_policy" => config.permissions_policy,
         )
-      end
     end
 
     # If you try to define a set of Rake tasks on the instance, these will get
@@ -355,26 +387,26 @@ module Rails
     # are changing config.root inside your application definition or having a custom
     # Rails application, you will need to add lib to $LOAD_PATH on your own in case
     # you need to load files in lib/ during the application configuration as well.
-    def self.add_lib_to_load_path!(root) #:nodoc:
-      path = File.join root, "lib"
+    def self.add_lib_to_load_path!(root) # :nodoc:
+      path = File.join(root, "lib")
       if File.exist?(path) && !$LOAD_PATH.include?(path)
         $LOAD_PATH.unshift(path)
       end
     end
 
-    def require_environment! #:nodoc:
+    def require_environment! # :nodoc:
       environment = paths["config/environment"].existent.first
       require environment if environment
     end
 
-    def routes_reloader #:nodoc:
+    def routes_reloader # :nodoc:
       @routes_reloader ||= RoutesReloader.new
     end
 
     # Returns an array of file paths appended with a hash of
     # directories-extensions suitable for ActiveSupport::FileUpdateChecker
     # API.
-    def watchable_args #:nodoc:
+    def watchable_args # :nodoc:
       files, dirs = config.watchable_files.dup, config.watchable_dirs.dup
 
       ActiveSupport::Dependencies.autoload_paths.each do |path|
@@ -386,26 +418,29 @@ module Rails
 
     # Initialize the application passing the given group. By default, the
     # group is :default
-    def initialize!(group = :default) #:nodoc:
+    def initialize!(group = :default) # :nodoc:
       raise "Application has been already initialized." if @initialized
       run_initializers(group, self)
       @initialized = true
       self
     end
 
-    def initializers #:nodoc:
+    def initializers # :nodoc:
       Bootstrap.initializers_for(self) +
       railties_initializers(super) +
       Finisher.initializers_for(self)
     end
 
-    def config #:nodoc:
+    def config # :nodoc:
       @config ||= Application::Configuration.new(self.class.find_root(self.class.called_from))
     end
 
     attr_writer :config
 
     def secrets
+      Rails.deprecator.warn(<<~MSG.squish)
+        `Rails.application.secrets` is deprecated in favor of `Rails.application.credentials` and will be removed in Rails 7.2.
+      MSG
       @secrets ||= begin
         secrets = ActiveSupport::OrderedOptions.new
         files = config.paths["config/secrets"].existent
@@ -422,62 +457,78 @@ module Rails
     attr_writer :secrets, :credentials
 
     # The secret_key_base is used as the input secret to the application's key generator, which in turn
-    # is used to create all MessageVerifiers/MessageEncryptors, including the ones that sign and encrypt cookies.
+    # is used to create all ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor instances,
+    # including the ones that sign and encrypt cookies.
     #
     # In development and test, this is randomly generated and stored in a
-    # temporary file in <tt>tmp/development_secret.txt</tt>.
+    # temporary file in <tt>tmp/local_secret.txt</tt>.
+    #
+    # You can also set <tt>ENV["SECRET_KEY_BASE_DUMMY"]</tt> to trigger the use of a randomly generated
+    # secret_key_base that's stored in a temporary file. This is useful when precompiling assets for
+    # production as part of a build step that otherwise does not need access to the production secrets.
     #
-    # In all other environments, we look for it first in ENV["SECRET_KEY_BASE"],
-    # then credentials.secret_key_base, and finally secrets.secret_key_base. For most applications,
+    # Dockerfile example: <tt>RUN SECRET_KEY_BASE_DUMMY=1 bundle exec rails assets:precompile</tt>.
+    #
+    # In all other environments, we look for it first in <tt>ENV["SECRET_KEY_BASE"]</tt>,
+    # then +credentials.secret_key_base+, and finally +secrets.secret_key_base+. For most applications,
     # the correct place to store it is in the encrypted credentials file.
     def secret_key_base
-      if Rails.env.development? || Rails.env.test?
-        secrets.secret_key_base ||= generate_development_secret
+      if Rails.env.local? || ENV["SECRET_KEY_BASE_DUMMY"]
+        config.secret_key_base ||= generate_local_secret
       else
         validate_secret_key_base(
-          ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || secrets.secret_key_base
+          ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || begin
+            secret_skb = secrets_secret_key_base
+
+            if secret_skb.equal?(config.secret_key_base)
+              config.secret_key_base
+            else
+              Rails.deprecator.warn(<<~MSG.squish)
+                Your `secret_key_base is configured in `Rails.application.secrets`,
+                which is deprecated in favor of `Rails.application.credentials` and
+                will be removed in Rails 7.2.
+              MSG
+
+              secret_skb
+            end
+          end
         )
       end
     end
 
-    # Decrypts the credentials hash as kept in +config/credentials.yml.enc+. This file is encrypted with
-    # the Rails master key, which is either taken from <tt>ENV["RAILS_MASTER_KEY"]</tt> or from loading
-    # +config/master.key+.
-    # If specific credentials file exists for current environment, it takes precedence, thus for +production+
-    # environment look first for +config/credentials/production.yml.enc+ with master key taken
-    # from <tt>ENV["RAILS_MASTER_KEY"]</tt> or from loading +config/credentials/production.key+.
-    # Default behavior can be overwritten by setting +config.credentials.content_path+ and +config.credentials.key_path+.
+    # Returns an ActiveSupport::EncryptedConfiguration instance for the
+    # credentials file specified by +config.credentials.content_path+.
+    #
+    # By default, +config.credentials.content_path+ will point to either
+    # <tt>config/credentials/#{environment}.yml.enc</tt> for the current
+    # environment (for example, +config/credentials/production.yml.enc+ for the
+    # +production+ environment), or +config/credentials.yml.enc+ if that file
+    # does not exist.
+    #
+    # The encryption key is taken from either <tt>ENV["RAILS_MASTER_KEY"]</tt>,
+    # or from the file specified by +config.credentials.key_path+. By default,
+    # +config.credentials.key_path+ will point to either
+    # <tt>config/credentials/#{environment}.key</tt> for the current
+    # environment, or +config/master.key+ if that file does not exist.
     def credentials
       @credentials ||= encrypted(config.credentials.content_path, key_path: config.credentials.key_path)
     end
 
-    # Shorthand to decrypt any encrypted configurations or files.
-    #
-    # For any file added with <tt>rails encrypted:edit</tt> call +read+ to decrypt
-    # the file with the master key.
-    # The master key is either stored in +config/master.key+ or <tt>ENV["RAILS_MASTER_KEY"]</tt>.
-    #
-    #   Rails.application.encrypted("config/mystery_man.txt.enc").read
-    #   # => "We've met before, haven't we?"
-    #
-    # It's also possible to interpret encrypted YAML files with +config+.
-    #
-    #   Rails.application.encrypted("config/credentials.yml.enc").config
-    #   # => { next_guys_line: "I don't think so. Where was it you think we met?" }
-    #
-    # Any top-level configs are also accessible directly on the return value:
+    # Returns an ActiveSupport::EncryptedConfiguration instance for an encrypted
+    # file. By default, the encryption key is taken from either
+    # <tt>ENV["RAILS_MASTER_KEY"]</tt>, or from the +config/master.key+ file.
     #
-    #   Rails.application.encrypted("config/credentials.yml.enc").next_guys_line
-    #   # => "I don't think so. Where was it you think we met?"
+    #   my_config = Rails.application.encrypted("config/my_config.enc")
     #
-    # The files or configs can also be encrypted with a custom key. To decrypt with
-    # a key in the +ENV+, use:
+    #   my_config.read
+    #   # => "foo:\n  bar: 123\n"
     #
-    #   Rails.application.encrypted("config/special_tokens.yml.enc", env_key: "SPECIAL_TOKENS")
+    #   my_config.foo.bar
+    #   # => 123
     #
-    # Or to decrypt with a file, that should be version control ignored, relative to +Rails.root+:
-    #
-    #   Rails.application.encrypted("config/special_tokens.yml.enc", key_path: "config/special_tokens.key")
+    # Encrypted files can be edited with the <tt>bin/rails encrypted:edit</tt>
+    # command. (See the output of <tt>bin/rails encrypted:edit --help</tt> for
+    # more information.)
     def encrypted(path, key_path: "config/master.key", env_key: "RAILS_MASTER_KEY")
       ActiveSupport::EncryptedConfiguration.new(
         config_path: Rails.root.join(path),
@@ -487,11 +538,11 @@ module Rails
       )
     end
 
-    def to_app #:nodoc:
+    def to_app # :nodoc:
       self
     end
 
-    def helpers_paths #:nodoc:
+    def helpers_paths # :nodoc:
       config.helpers_paths
     end
 
@@ -511,19 +562,20 @@ module Rails
       ordered_railties.flatten - [self]
     end
 
+    def load_generators(app = self) # :nodoc:
+      app.ensure_generator_templates_added
+      super
+    end
+
     # Eager loads the application code.
     def eager_load!
-      if Rails.autoloaders.zeitwerk_enabled?
-        Rails.autoloaders.each(&:eager_load)
-      else
-        super
-      end
+      Rails.autoloaders.each(&:eager_load)
     end
 
   protected
     alias :build_middleware_stack :app
 
-    def run_tasks_blocks(app) #:nodoc:
+    def run_tasks_blocks(app) # :nodoc:
       railties.each { |r| r.run_tasks_blocks(app) }
       super
       load "rails/tasks.rb"
@@ -534,28 +586,28 @@ module Rails
       end
     end
 
-    def run_generators_blocks(app) #:nodoc:
+    def run_generators_blocks(app) # :nodoc:
       railties.each { |r| r.run_generators_blocks(app) }
       super
     end
 
-    def run_runner_blocks(app) #:nodoc:
+    def run_runner_blocks(app) # :nodoc:
       railties.each { |r| r.run_runner_blocks(app) }
       super
     end
 
-    def run_console_blocks(app) #:nodoc:
+    def run_console_blocks(app) # :nodoc:
       railties.each { |r| r.run_console_blocks(app) }
       super
     end
 
-    def run_server_blocks(app) #:nodoc:
+    def run_server_blocks(app) # :nodoc:
       railties.each { |r| r.run_server_blocks(app) }
       super
     end
 
     # Returns the ordered railties for this application considering railties_order.
-    def ordered_railties #:nodoc:
+    def ordered_railties # :nodoc:
       @ordered_railties ||= begin
         order = config.railties_order.map do |railtie|
           if railtie == :main_app
@@ -577,7 +629,7 @@ module Rails
       end
     end
 
-    def railties_initializers(current) #:nodoc:
+    def railties_initializers(current) # :nodoc:
       initializers = []
       ordered_railties.reverse.flatten.each do |r|
         if r == self
@@ -589,7 +641,7 @@ module Rails
       initializers
     end
 
-    def default_middleware_stack #:nodoc:
+    def default_middleware_stack # :nodoc:
       default_stack = DefaultMiddlewareStack.new(self, config, paths)
       default_stack.build_stack
     end
@@ -604,21 +656,35 @@ module Rails
       end
     end
 
-    private
-      def generate_development_secret
-        if secrets.secret_key_base.nil?
-          key_file = Rails.root.join("tmp/development_secret.txt")
+    def ensure_generator_templates_added
+      configured_paths = config.generators.templates
+      configured_paths.unshift(*(paths["lib/templates"].existent - configured_paths))
+    end
 
-          if !File.exist?(key_file)
+    private
+      def generate_local_secret
+        if config.secret_key_base.nil?
+          key_file = Rails.root.join("tmp/local_secret.txt")
+
+          if File.exist?(key_file)
+            config.secret_key_base = File.binread(key_file)
+          elsif secrets_secret_key_base
+            config.secret_key_base = secrets_secret_key_base
+          else
             random_key = SecureRandom.hex(64)
             FileUtils.mkdir_p(key_file.dirname)
             File.binwrite(key_file, random_key)
+            config.secret_key_base = File.binread(key_file)
           end
-
-          secrets.secret_key_base = File.binread(key_file)
         end
 
-        secrets.secret_key_base
+        config.secret_key_base
+      end
+
+      def secrets_secret_key_base
+        Rails.deprecator.silence do
+          secrets.secret_key_base
+        end
       end
 
       def build_request(env)
@@ -635,5 +701,14 @@ module Rails
       def coerce_same_site_protection(protection)
         protection.respond_to?(:call) ? protection : proc { protection }
       end
+
+      def filter_parameters
+        if config.precompile_filter_parameters
+          config.filter_parameters.replace(
+            ActiveSupport::ParameterFilter.precompile_filters(config.filter_parameters)
+          )
+        end
+        config.filter_parameters
+      end
   end
 end

data/lib/rails/application_controller.rb

@@ -1,14 +1,14 @@
 # frozen_string_literal: true
 
 class Rails::ApplicationController < ActionController::Base # :nodoc:
-  self.view_paths = File.expand_path("templates", __dir__)
+  prepend_view_path File.expand_path("templates", __dir__)
   layout "application"
 
   before_action :disable_content_security_policy_nonce!
 
   content_security_policy do |policy|
-    policy.script_src :unsafe_inline
-    policy.style_src :unsafe_inline
+    policy.script_src :self, :unsafe_inline
+    policy.style_src :self, :unsafe_inline
   end
 
   private

data/lib/rails/autoloaders/inflector.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "active_support/inflector"
+
+module Rails
+  class Autoloaders
+    module Inflector # :nodoc:
+      # Concurrent::Map is not needed. This is a private class, and overrides
+      # must be defined while the application boots.
+      @overrides = {}
+
+      def self.camelize(basename, _abspath)
+        @overrides[basename] || basename.camelize
+      end
+
+      def self.inflect(overrides)
+        @overrides.merge!(overrides)
+      end
+    end
+  end
+end