RubyGems - scottwb-encrypted_cookie_store - Versions diffs - 0.3.0 - Mend

scottwb-encrypted_cookie_store 0.3.0

Files changed (15) hide show

data/.rspec +2 -0
data/Gemfile +11 -0
data/Gemfile.lock +89 -0
data/LICENSE.txt +25 -0
data/README.md +113 -0
data/Rakefile +81 -0
data/VERSION +1 -0
data/lib/encrypted_cookie_store.rb +2 -0
data/lib/encrypted_cookie_store/constants.rb +3 -0
data/lib/encrypted_cookie_store/encrypted_cookie_store.rb +145 -0
data/lib/encrypted_cookie_store/railtie.rb +10 -0
data/lib/tasks/encrypted_cookie_store.rake +7 -0
data/scottwb-encrypted_cookie_store.gemspec +64 -0
data/spec/encrypted_cookie_store_spec.rb +88 -0
metadata +159 -0

data/.rspec ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ --colour
2	+ --format documentation

data/Gemfile ADDED Viewed

@@ -0,0 +1,11 @@
+source 'http://rubygems.org'
+gem 'rails', "~> 3.0.0"
+group :development do
+  gem 'rake'
+  gem 'bundler', "~> 1.0.0"
+  gem 'rspec', "~> 2.6.0"
+  gem 'jeweler', "~> 1.6.1"
+end

data/Gemfile.lock ADDED Viewed

@@ -0,0 +1,89 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    abstract (1.0.0)
+    actionmailer (3.0.7)
+      actionpack (= 3.0.7)
+      mail (~> 2.2.15)
+    actionpack (3.0.7)
+      activemodel (= 3.0.7)
+      activesupport (= 3.0.7)
+      builder (~> 2.1.2)
+      erubis (~> 2.6.6)
+      i18n (~> 0.5.0)
+      rack (~> 1.2.1)
+      rack-mount (~> 0.6.14)
+      rack-test (~> 0.5.7)
+      tzinfo (~> 0.3.23)
+    activemodel (3.0.7)
+      activesupport (= 3.0.7)
+      builder (~> 2.1.2)
+      i18n (~> 0.5.0)
+    activerecord (3.0.7)
+      activemodel (= 3.0.7)
+      activesupport (= 3.0.7)
+      arel (~> 2.0.2)
+      tzinfo (~> 0.3.23)
+    activeresource (3.0.7)
+      activemodel (= 3.0.7)
+      activesupport (= 3.0.7)
+    activesupport (3.0.7)
+    arel (2.0.10)
+    builder (2.1.2)
+    diff-lcs (1.1.2)
+    erubis (2.6.6)
+      abstract (>= 1.0.0)
+    git (1.2.5)
+    i18n (0.5.0)
+    jeweler (1.6.1)
+      bundler (~> 1.0.0)
+      git (>= 1.2.5)
+      rake
+    mail (2.2.19)
+      activesupport (>= 2.3.6)
+      i18n (>= 0.4.0)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    mime-types (1.16)
+    polyglot (0.3.1)
+    rack (1.2.3)
+    rack-mount (0.6.14)
+      rack (>= 1.0.0)
+    rack-test (0.5.7)
+      rack (>= 1.0)
+    rails (3.0.7)
+      actionmailer (= 3.0.7)
+      actionpack (= 3.0.7)
+      activerecord (= 3.0.7)
+      activeresource (= 3.0.7)
+      activesupport (= 3.0.7)
+      bundler (~> 1.0)
+      railties (= 3.0.7)
+    railties (3.0.7)
+      actionpack (= 3.0.7)
+      activesupport (= 3.0.7)
+      rake (>= 0.8.7)
+      thor (~> 0.14.4)
+    rake (0.9.0)
+    rspec (2.6.0)
+      rspec-core (~> 2.6.0)
+      rspec-expectations (~> 2.6.0)
+      rspec-mocks (~> 2.6.0)
+    rspec-core (2.6.3)
+    rspec-expectations (2.6.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.6.0)
+    thor (0.14.6)
+    treetop (1.4.9)
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.27)
+PLATFORMS
+  ruby
+DEPENDENCIES
+  bundler (~> 1.0.0)
+  jeweler (~> 1.6.1)
+  rails (~> 3.0.0)
+  rake
+  rspec (~> 2.6.0)

data/LICENSE.txt ADDED Viewed

@@ -0,0 +1,25 @@
+Copyright (c) 2009 - 2010 Phusion
+All rights reserved.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of the Phusion nor the names of its contributors
+      may be used to endorse or promote products derived from this software
+      without specific prior written permission.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md ADDED Viewed

@@ -0,0 +1,113 @@
+EncryptedCookieStore
+====================
+EncryptedCookieStore is similar to Ruby on Rails's CookieStore (it saves
+session data in a cookie), but it uses encryption so that people can't read
+what's in the session data. This makes it possible to store sensitive data
+in the session.
+This version of EncryptedCookieStore is written for Rails 3.0.0+. It will not work with Rails 3.0.0.beta3 or earlier. It does not yet work with Rails 3.1. It has been tested with:
+  * 3.0.0
+  * 3.0.7
+  * 3.0.8.rc4
+The original version for Rails 2.3 can be found here: https://github.com/FooBarWidget/encrypted_cookie_store
+For a version that probably works with Rails 3.0.0.beta - 3.0.0.beta3, check here: https://github.com/twoism-dev/encrypted_cookie_store
+Installation and usage
+----------------------
+First, install it:
+    gem install scottwb-encrypted_cookie_store
+Then, add it to you bundler Gemfile:
+    gem 'scottwb-encrypted_cookie_store', :require => 'encrypted_cookie_store'
+Then edit `config/initializers/session_store.rb` and set your session store to
+EncryptedCookieStore:
+    MyApp::Application.config.session_store(
+      EncryptedCookieStore::EncryptedCookieStore,
+      :key            => '_myapp_session',
+      :encryption_key => '966a4....'
+    )
+The encryption key *must* be a hexadecimal string of exactly 32 bytes. It
+should be entirely random, because otherwise it can make the encryption weak.
+You can generate a new encryption key by running `rake secret:encryption_key`.
+This command will output a random encryption key that you can then copy and
+paste into your environment.rb.
+You also need to make sure you have a secret token defined in `config/initializers/secret_token.rb`, just as you work for the standard CookieStore, e.g.:
+    MyApp::Application.config.secret_token = 'f75bb....'
+Operational details
+-------------------
+Upon generating cookie data, EncryptedCookieStore generates a new, random
+initialization vector for encrypting the session data. This initialization
+vector is then encrypted with 128-bit AES in ECB mode. The session data is
+first protected with an HMAC to prevent tampering. The session data, along
+with the HMAC, are then encrypted using 256-bit AES in CFB mode with the
+generated initialization vector. This encrypted session data + HMAC are
+then stored, along with the encrypted initialization vector, into the cookie.
+Upon unmarshalling the cookie data, EncryptedCookieStore decrypts the
+encrypted initialization vector and use that to decrypt the encrypted
+session data + HMAC. The decrypted session data is then verified against
+the HMAC.
+The reason why HMAC verification occurs after decryption instead of before
+decryption is because we want to be able to detect changes to the encryption
+key and changes to the HMAC secret key, as well as migrations from CookieStore.
+Verifying after decryption allows us to automatically invalidate such old
+session cookies.
+EncryptedCookieStore is quite fast: it is able to marshal and unmarshal a
+simple session object 5000 times in 8.7 seconds on a MacBook Pro with a 2.4
+Ghz Intel Core 2 Duo (in battery mode). This is about 0.174 ms per
+marshal+unmarshal action. See `rake benchmark` in the EncryptedCookieStore
+sources for details.
+EncryptedCookieStore vs other session stores
+--------------------------------------------
+EncryptedCookieStore inherits all the benefits of CookieStore:
+ * It works out of the box without the need to setup a seperate data store (e.g. database table, daemon, etc).
+ * It does not require any maintenance. Old, stale sessions do not need to be manually cleaned up, as is the case with PStore and ActiveRecordStore.
+ * Compared to MemCacheStore, EncryptedCookieStore can "hold" an infinite number of sessions at any time.
+ * It can be scaled across multiple servers without any additional setup.
+ * It is fast.
+ * It is more secure than CookieStore because it allows you to store sensitive data in the session.
+There are of course drawbacks as well:
+ * It is prone to session replay attacks. These kind of attacks are explained in the [Ruby on Rails Security Guide](http://guides.rubyonrails.org/security.html#session-storage). Therefore you should never store anything along the lines of `is_admin` in the session.
+ * You can store at most a little less than 4 KB of data in the session because that's the size limit of a cookie. "A little less" because EncryptedCookieStore also stores a small amount of bookkeeping data in the cookie.
+ * Although encryption makes it more secure than CookieStore, there's still a chance that a bug in EncryptedCookieStore renders it insecure. We welcome everyone to audit this code. There's also a chance that weaknesses in AES are found in the near future which render it insecure. If you are storing *really* sensitive information in the session, e.g. social security numbers, or plans for world domination, then you should consider using ActiveRecordStore or some other server-side store.
+JRuby: Illegal Key Size error
+-----------------------------
+If you get this error (and your code works with MRI)...
+    Illegal key size
+    [...]/vendor/plugins/encrypted_cookie_store/lib/encrypted_cookie_store.rb:62:in `marshal'
+...then it probably means you don't have the "unlimited strength" policy files
+installed for your JVM.
+[Download and install them.](http://www.ngs.ac.uk/tools/jcepolicyfiles)
+You probably have the "strong" version if they are already there.
+As a workaround, you can change the cipher type from 256-bit AES to 128-bit by
+inserting the following in `config/initializer/session_store.rb`:
+    EncryptedCookieStore.data_cipher_type = 'aes-128-cfb'.freeze  # was 256
+Please note that after changing to 128-bit AES, EncryptedCookieStore still
+requires a 32 bytes hexadecimal encryption key, although only half of the key
+is actually used.

data/Rakefile ADDED Viewed

@@ -0,0 +1,81 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  gem.name              = "scottwb-encrypted_cookie_store"
+  gem.homepage          = "https://github.com/scottwb/encrypted_cookie_store"
+  gem.summary           = "A Rails 3.0 version of Encrypted Cookie Store by FooBarWidget"
+  gem.description       = "A Rails 3.0 version of Encrypted Cookie Store by FooBarWidget"
+  gem.email             = "scottwb@gmail.com"
+  gem.authors           = ["FooBarWidget", "Scott W. Bradley"]
+end
+Jeweler::RubygemsDotOrgTasks.new
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+task :default => :spec
+desc "Run benchmark"
+task :benchmark do
+  $LOAD_PATH.unshift(File.expand_path("lib"))
+  require 'rubygems'
+  require 'benchmark'
+  require "rails"
+  require 'action_controller'
+  require 'encrypted_cookie_store'
+  secret = "b6a30e998806a238c4bad45cc720ed55e56e50d9f00fff58552e78a20fe8262df61" <<
+           "42fcfdb0676018bb9767ed560d4a624fb7f3603b4e53c77ec189ae3853bd1"
+  encryption_key = "dd458e790c3b995e3606384c58efc53da431db892f585aa3ca2a17eabe6df75b"
+  store  = EncryptedCookieStore::EncryptedCookieStore.new(
+    nil,
+    :secret => secret,
+    :key => 'my_app',
+    :encryption_key => encryption_key
+  )
+  object = {
+    :hello => "world",
+    :user_id => 1234,
+    :is_admin => true,
+    :shopping_cart => ["Tea x 1", "Carrots x 13", "Pocky x 20", "Pen x 4"],
+    :session_id => "b6a30e998806a238c4bad45cc720ed55e56e50d9f00ff"
+  }
+  count  = 50_000
+  puts "Marshalling and unmarshalling #{count} times..."
+  result = Benchmark.measure do
+    count.times do
+      data = store.send(:set_session, nil, nil, object)
+      store.send(:unmarshal, data)
+    end
+  end
+  puts result
+  printf "%.3f ms per marshal+unmarshal action\n", result.real * 1000 / count
+end
+require "rake/rdoctask"
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+  rdoc.rdoc_dir = "rdoc"
+  rdoc.title    = "scottwb-encrypted_cookie_store #{version}"
+  rdoc.rdoc_files.include("README*")
+  rdoc.rdoc_files.include("lib/**/*.rb")
+  #rdoc.main = "README.md"
+end

data/VERSION ADDED Viewed

	@@ -0,0 +1 @@
1	+ 0.3.0

data/lib/encrypted_cookie_store.rb ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ require 'encrypted_cookie_store/railtie'
2	+ require 'encrypted_cookie_store/encrypted_cookie_store'

data/lib/encrypted_cookie_store/constants.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module EncryptedCookieStoreConstants
+	ENCRYPTION_KEY_SIZE = 32
+end

data/lib/encrypted_cookie_store/encrypted_cookie_store.rb ADDED Viewed

@@ -0,0 +1,145 @@
+require 'openssl'
+require 'encrypted_cookie_store/constants'
+module EncryptedCookieStore
+  class EncryptedCookieStore < ActionDispatch::Session::CookieStore
+  	OpenSSLCipherError = OpenSSL::Cipher.const_defined?(:CipherError) ? OpenSSL::Cipher::CipherError : OpenSSL::CipherError
+  	include EncryptedCookieStoreConstants
+  	class << self
+  		attr_accessor :iv_cipher_type
+  		attr_accessor :data_cipher_type
+  	end
+  	self.iv_cipher_type   = "aes-128-ecb".freeze
+  	self.data_cipher_type = "aes-256-cfb".freeze
+  	def initialize(app, options = {})
+  		ensure_encryption_key_secure(options[:encryption_key])
+  		@encryption_key = unhex(options[:encryption_key]).freeze
+  		@iv_cipher      = OpenSSL::Cipher::Cipher.new(EncryptedCookieStore.iv_cipher_type)
+  		@data_cipher    = OpenSSL::Cipher::Cipher.new(EncryptedCookieStore.data_cipher_type)
+  		super(app, options)
+  	end
+  private
+  	# Like ActiveSupport::MessageVerifier, but does not base64-encode data.
+  	class MessageVerifier
+  		def initialize(secret, digest = 'SHA1')
+  			@secret = secret
+  			@digest = digest
+  		end
+  		def verify(signed_message)
+  			digest, data = signed_message.split("--", 2)
+  			if digest != generate_digest(data)
+  				raise ActiveSupport::MessageVerifier::InvalidSignature
+  			else
+  				Marshal.load(data)
+  			end
+  		end
+  		def generate(value)
+  			data   = Marshal.dump(value)
+  			digest = generate_digest(data)
+  			"#{digest}--#{data}"
+  		end
+  	private
+  		def generate_digest(data)
+  			OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(@digest), @secret, data)
+  		end
+  	end
+  	def set_session(env, sid, session_data)
+  		# We hmac-then-encrypt instead of encrypt-then-hmac so that we
+  		# can properly detect:
+  		# - changes to the encryption key or initialization vector
+  		# - a migration from the unencrypted CookieStore.
+  		#
+  		# Being able to detect these allows us to invalidate the old session data.
+  		@iv_cipher.encrypt
+  		@data_cipher.encrypt
+  		@iv_cipher.key   = @encryption_key
+  		@data_cipher.key = @encryption_key
+  		clear_session_data = super(env, sid, session_data)
+  		iv               = @data_cipher.random_iv
+  		@data_cipher.iv  = iv
+  		encrypted_iv     = @iv_cipher.update(iv) << @iv_cipher.final
+  		encrypted_session_data = @data_cipher.update(Marshal.dump(clear_session_data)) << @data_cipher.final
+  		"#{base64(encrypted_iv)}--#{base64(encrypted_session_data)}"
+  	end
+    def unpacked_cookie_data(env)
+      env["action_dispatch.request.unsigned_session_cookie"] ||= begin
+        stale_session_check! do
+          request = ActionDispatch::Request.new(env)
+          if data = request.cookie_jar.signed[@key] && data.is_a?(String)
+            unmarshal(data)
+          else
+            {}
+          end
+        end
+      end
+  	end
+  	def unmarshal(cookie)
+  		if cookie
+  			b64_encrypted_iv, b64_encrypted_session_data = cookie.split("--", 2)
+  			if b64_encrypted_iv && b64_encrypted_session_data
+  				encrypted_iv           = ActiveSupport::Base64.decode64(b64_encrypted_iv)
+  				encrypted_session_data = ActiveSupport::Base64.decode64(b64_encrypted_session_data)
+  				@iv_cipher.decrypt
+  				@iv_cipher.key = @encryption_key
+  				iv = @iv_cipher.update(encrypted_iv) << @iv_cipher.final
+  				@data_cipher.decrypt
+  				@data_cipher.key = @encryption_key
+  				@data_cipher.iv = iv
+  				session_data = Marshal.load(@data_cipher.update(encrypted_session_data) << @data_cipher.final) rescue nil
+  			end
+  		else
+  			nil
+  		end
+  	rescue OpenSSLCipherError
+  		nil
+  	end
+  	# To prevent users from using an insecure encryption key like "Password" we make sure that the
+  	# encryption key they've provided is at least 30 characters in length.
+          def ensure_encryption_key_secure(encryption_key)
+  		if encryption_key.blank?
+  			raise ArgumentError, "An encryption key is required for encrypting the " +
+  				"cookie session data. Please set config.action_controller.session = { " +
+  				"..., :encryption_key => \"some random string of exactly " +
+  				"#{ENCRYPTION_KEY_SIZE * 2} bytes\", ... } in config/environment.rb"
+  		end
+  		if encryption_key.size != ENCRYPTION_KEY_SIZE * 2
+  			raise ArgumentError, "The EncryptedCookieStore encryption key must be a " +
+  				"hexadecimal string of exactly #{ENCRYPTION_KEY_SIZE * 2} bytes. " +
+  				"The value that you've provided, \"#{encryption_key}\", is " +
+  				"#{encryption_key.size} bytes. You could use the following (randomly " +
+  				"generated) string as encryption key: " +
+  				ActiveSupport::SecureRandom.hex(ENCRYPTION_KEY_SIZE)
+  		end
+  	end
+  	def verifier_for(secret, digest)
+  		key = secret.respond_to?(:call) ? secret.call : secret
+  		MessageVerifier.new(key, digest)
+  	end
+  	def base64(data)
+  		ActiveSupport::Base64.encode64s(data)
+  	end
+  	def unhex(hex_data)
+  		[hex_data].pack("H*")
+  	end
+  end
+end

data/lib/encrypted_cookie_store/railtie.rb ADDED Viewed

@@ -0,0 +1,10 @@
+module EncryptedCookieStore
+  class Railtie < Rails::Railtie
+    initializer "encrypted_cookie_store_railtie.boot" do |app|
+    end
+    rake_tasks do
+      load 'tasks/encrypted_cookie_store.rake'
+    end
+  end
+end

data/lib/tasks/encrypted_cookie_store.rake ADDED Viewed

@@ -0,0 +1,7 @@
+namespace :secret do
+	desc "Generate an encryption key for EncryptedCookieStore that's cryptographically secure."
+	task :encryption_key do
+		require 'encrypted_cookie_store/constants'
+		puts ActiveSupport::SecureRandom.hex(EncryptedCookieStoreConstants::ENCRYPTION_KEY_SIZE)
+	end
+end

data/scottwb-encrypted_cookie_store.gemspec ADDED Viewed

@@ -0,0 +1,64 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+Gem::Specification.new do |s|
+  s.name = %q{scottwb-encrypted_cookie_store}
+  s.version = "0.3.0"
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["FooBarWidget", "Scott W. Bradley"]
+  s.date = %q{2011-05-31}
+  s.description = %q{A Rails 3.0 version of Encrypted Cookie Store by FooBarWidget}
+  s.email = %q{scottwb@gmail.com}
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.md"
+  ]
+  s.files = [
+    ".rspec",
+    "Gemfile",
+    "Gemfile.lock",
+    "LICENSE.txt",
+    "README.md",
+    "Rakefile",
+    "VERSION",
+    "lib/encrypted_cookie_store.rb",
+    "lib/encrypted_cookie_store/constants.rb",
+    "lib/encrypted_cookie_store/encrypted_cookie_store.rb",
+    "lib/encrypted_cookie_store/railtie.rb",
+    "lib/tasks/encrypted_cookie_store.rake",
+    "scottwb-encrypted_cookie_store.gemspec",
+    "spec/encrypted_cookie_store_spec.rb"
+  ]
+  s.homepage = %q{https://github.com/scottwb/encrypted_cookie_store}
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.6.2}
+  s.summary = %q{A Rails 3.0 version of Encrypted Cookie Store by FooBarWidget}
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<rails>, ["~> 3.0.0"])
+      s.add_development_dependency(%q<rake>, [">= 0"])
+      s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_development_dependency(%q<rspec>, ["~> 2.6.0"])
+      s.add_development_dependency(%q<jeweler>, ["~> 1.6.1"])
+    else
+      s.add_dependency(%q<rails>, ["~> 3.0.0"])
+      s.add_dependency(%q<rake>, [">= 0"])
+      s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_dependency(%q<rspec>, ["~> 2.6.0"])
+      s.add_dependency(%q<jeweler>, ["~> 1.6.1"])
+    end
+  else
+    s.add_dependency(%q<rails>, ["~> 3.0.0"])
+    s.add_dependency(%q<rake>, [">= 0"])
+    s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+    s.add_dependency(%q<rspec>, ["~> 2.6.0"])
+    s.add_dependency(%q<jeweler>, ["~> 1.6.1"])
+  end
+end

data/spec/encrypted_cookie_store_spec.rb ADDED Viewed

@@ -0,0 +1,88 @@
+$LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__) + "/../lib"))
+require 'rubygems'
+gem 'rails', '>= 3.0.0'
+require 'rails'
+require 'action_controller'
+require 'encrypted_cookie_store'
+describe EncryptedCookieStore::EncryptedCookieStore do
+	SECRET = "b6a30e998806a238c4bad45cc720ed55e56e50d9f00fff58552e78a20fe8262df61" <<
+		"42fcfdb0676018bb9767ed560d4a624fb7f3603b4e53c77ec189ae3853bd1"
+	GOOD_ENCRYPTION_KEY = "dd458e790c3b995e3606384c58efc53da431db892f585aa3ca2a17eabe6df75b"
+	ANOTHER_GOOD_ENCRYPTION_KEY = "ce6a45c34607d2048d735b0a31a769de4e1512eb83c7012059a66937158a8975"
+	OBJECT = { :user_id => 123, :admin => true, :message => "hello world!" }
+	def create(options = {})
+		EncryptedCookieStore::EncryptedCookieStore.new(nil, options.reverse_merge(
+			:key => 'key',
+			:secret => SECRET
+		))
+	end
+	it "checks whether an encryption key is given" do
+		lambda { create }.should raise_error(ArgumentError, /encryption key is required/)
+	end
+	it "checks whether the encryption key has the correct size" do
+		encryption_key = "too small"
+		block = lambda { create(:encryption_key => encryption_key) }
+		block.should raise_error(ArgumentError, /must be a hexadecimal string of exactly \d+ bytes/)
+	end
+	specify "marshalling and unmarshalling data works" do
+		data   = create(:encryption_key => GOOD_ENCRYPTION_KEY).send(:set_session, nil, nil, OBJECT)
+		object = create(:encryption_key => GOOD_ENCRYPTION_KEY).send(:unmarshal, data)
+		object[:user_id].should == 123
+		object[:admin].should be_true
+		object[:message].should == "hello world!"
+	end
+	it "uses a different initialization vector every time data is marshalled" do
+		store  = create(:encryption_key => GOOD_ENCRYPTION_KEY)
+		data1  = store.send(:set_session, nil, nil, OBJECT)
+		data2  = store.send(:set_session, nil, nil, OBJECT)
+		data3  = store.send(:set_session, nil, nil, OBJECT)
+		data4  = store.send(:set_session, nil, nil, OBJECT)
+		data1.should_not == data2
+		data1.should_not == data3
+		data1.should_not == data4
+	end
+	it "invalidates the data if the encryption key is changed" do
+		data   = create(:encryption_key => GOOD_ENCRYPTION_KEY).send(:set_session, nil, nil, OBJECT)
+		object = create(:encryption_key => ANOTHER_GOOD_ENCRYPTION_KEY).send(:unmarshal, data)
+		object.should be_nil
+	end
+	it "invalidates the data if the IV cannot be decrypted" do
+		store = create(:encryption_key => GOOD_ENCRYPTION_KEY)
+		data  = store.send(:set_session, nil, nil, OBJECT)
+		iv_cipher = store.instance_variable_get(:@iv_cipher)
+		iv_cipher.should_receive(:update).and_raise(EncryptedCookieStore::EncryptedCookieStore::OpenSSLCipherError)
+		store.send(:unmarshal, data).should be_nil
+	end
+        # FIXME: This test case is broken. The super classes' structure have changed since Rails 3.0.0.beta3
+        #        and we're no longer getting a string to unmarshal, since this have been pushed up to rack.
+	#it "invalidates the data if we just migrated from CookieStore" do
+	#	old_store = ActionDispatch::Session::CookieStore.new(nil, :key => 'key', :secret => SECRET)
+	#	legacy_data = old_store.send(:set_session, nil, nil, OBJECT)
+	#	store = create(:encryption_key => GOOD_ENCRYPTION_KEY)
+	#	store.send(:unmarshal, legacy_data).should be_nil
+	#end
+	it "invalidates the data if it was tampered with" do
+		store = create(:encryption_key => GOOD_ENCRYPTION_KEY)
+		data = store.send(:set_session, nil, nil, OBJECT)
+		b64_encrypted_iv, b64_encrypted_session_data = data.split("--", 2)
+		b64_encrypted_session_data[0..1] = "AA"
+		data = "#{b64_encrypted_iv}--#{b64_encrypted_session_data}"
+		store.send(:unmarshal, data).should be_nil
+	end
+	it "invalidates the data if it looks like garbage" do
+		store = create(:encryption_key => GOOD_ENCRYPTION_KEY)
+		garbage = "\202d\3477 jTf\274\360\200z\355\334N3\001\0036\321qLu\027\320\325*%:%\270D"
+		store.send(:unmarshal, garbage).should be_nil
+	end
+end

metadata ADDED Viewed

@@ -0,0 +1,159 @@
+--- !ruby/object:Gem::Specification
+name: scottwb-encrypted_cookie_store
+version: !ruby/object:Gem::Version
+  hash: 19
+  prerelease:
+  segments:
+  - 0
+  - 3
+  - 0
+  version: 0.3.0
+platform: ruby
+authors:
+- FooBarWidget
+- Scott W. Bradley
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2011-05-31 00:00:00 -07:00
+default_executable:
+dependencies:
+- !ruby/object:Gem::Dependency
+  prerelease: false
+  type: :runtime
+  requirement: &id001 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 7
+        segments:
+        - 3
+        - 0
+        - 0
+        version: 3.0.0
+  name: rails
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency
+  prerelease: false
+  type: :development
+  requirement: &id002 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        hash: 3
+        segments:
+        - 0
+        version: "0"
+  name: rake
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency
+  prerelease: false
+  type: :development
+  requirement: &id003 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 23
+        segments:
+        - 1
+        - 0
+        - 0
+        version: 1.0.0
+  name: bundler
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency
+  prerelease: false
+  type: :development
+  requirement: &id004 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 23
+        segments:
+        - 2
+        - 6
+        - 0
+        version: 2.6.0
+  name: rspec
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency
+  prerelease: false
+  type: :development
+  requirement: &id005 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 13
+        segments:
+        - 1
+        - 6
+        - 1
+        version: 1.6.1
+  name: jeweler
+  version_requirements: *id005
+description: A Rails 3.0 version of Encrypted Cookie Store by FooBarWidget
+email: scottwb@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- LICENSE.txt
+- README.md
+files:
+- .rspec
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- VERSION
+- lib/encrypted_cookie_store.rb
+- lib/encrypted_cookie_store/constants.rb
+- lib/encrypted_cookie_store/encrypted_cookie_store.rb
+- lib/encrypted_cookie_store/railtie.rb
+- lib/tasks/encrypted_cookie_store.rake
+- scottwb-encrypted_cookie_store.gemspec
+- spec/encrypted_cookie_store_spec.rb
+has_rdoc: true
+homepage: https://github.com/scottwb/encrypted_cookie_store
+licenses: []
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      hash: 3
+      segments:
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      hash: 3
+      segments:
+      - 0
+      version: "0"
+requirements: []
+rubyforge_project:
+rubygems_version: 1.6.2
+signing_key:
+specification_version: 3
+summary: A Rails 3.0 version of Encrypted Cookie Store by FooBarWidget
+test_files: []