secret_token_migration 0.0.2

data/.gitignore

@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+log/*

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in secret_token_migration.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Tieg Zaharia
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,68 @@
+# SecretTokenMigration
+
+```
+★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
+★ WARNING: this is intended for maintenance. If your `secret_token` was compromised, REPLACE IT instead of using this ★
+★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
+```
+
+The most basic convention for maintaining session state in Rails apps has been this:
+
+``` ruby
+def login(user)
+  session[:user_id] = user.id
+end
+```
+
+The Rails session is just a cookie that includes a signed digest of the contents, using a `secret_token`.
+
+But sometimes you need to change your `secret_token`, which would in these most basic cases logout most of your users.
+
+This gem provides a graceful way to change your `secret_token` without logging out **most** of your active users.
+
+## Example Situations 
+
+* You use the same `secret_token` in all of your environments, but decide that you want to separate them.
+* Your `secret_token` was found logged in some third-party software, **but** you have no evidence that it was compromised, and want to change it.
+* Regular swapping of `secret_token` as a precaution.
+
+## How It Works
+
+Regularly, you set a `MyApp::Application.config.secret_token` in your Rails app. By requiring this gem, setting `secret_token` to a new value, and including a `MyApp::Application.config.deprecated_secret_token` set to the old value, users with sessions digested with the old value will be gracefully transitioned to a session digested with the new value. When you feel comfortable that most active users have transitioned, you can remove this gem and the `deprecated_secret_token` config variable.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'secret_token_migration'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install secret_token_migration
+
+## Usage
+
+1. In your `config/initializers/secret_token.rb` file, set the `secret_token` to a new, secure value.
+2. Add this line:
+  `MyApp::Application.config.deprecated_secret_token = [THE_OLD_SECRET_TOKEN_VALUE]`
+3. Optionally, add some instrumentation (described below) to track how many users have been transitioned.
+
+## Instrumentation
+
+You can also subscribe to `MessageVerifier` digesting to track when a deprecated secret_token is used (eg, for graphing):
+
+``` ruby
+ActiveSupport::Notifications.subscribe "deprecated_secret.active_support" do
+  Rails.logger.info "deprecated secret_token used"
+end
+```
+
+## Reminder
+
+If your `secret_token` **has** been compromised, don't bother with this library. You need to switch it ASAP and deal with all users being logged out.
+
+

data/Rakefile

@@ -0,0 +1,12 @@
+require "bundler/gem_tasks"
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task :default => :test

data/lib/secret_token_migration/action_dispatch/cookies.rb

@@ -0,0 +1,34 @@
+module ActionDispatch
+  class Cookies
+    DEPRECATED_TOKEN_KEY = "action_dispatch.deprecated_secret_token".freeze    
+
+    class CookieJar
+      class << self
+        def build_with_deprecated_secret(request)
+          build_without_deprecated_secret(request).tap do |hash|
+            hash.instance_variable_set(:@deprecated_secret, request.env[DEPRECATED_TOKEN_KEY])
+          end
+        end
+        alias_method_chain :build, :deprecated_secret # apologies
+      end
+
+      def signed
+        @signed ||= if @deprecated_secret
+          ActionDispatch::Cookies::SignedCookieWithDeprecatedTokenJar.new(self, @secret, {:deprecated_secret => @deprecated_secret})
+        else
+          ActionDispatch::Cookies::SignedCookieJar.new(self, @secret)
+        end
+      end
+    end
+    
+    class SignedCookieWithDeprecatedTokenJar < ActionDispatch::Cookies::SignedCookieJar
+      def initialize(parent_jar, secret, options={})
+        ensure_secret_secure(secret)
+        ensure_secret_secure(options[:deprecated_secret])
+        @parent_jar = parent_jar
+        @verifier   = ActiveSupport::MessageVerifier.new(secret, options)
+        @verifier.instance_variable_set(:@deprecated_secret, options[:deprecated_secret])
+      end
+    end
+  end
+end

data/lib/secret_token_migration/active_support/message_verifier.rb

@@ -0,0 +1,19 @@
+class ActiveSupport::MessageVerifier
+  def verify(signed_message)
+    raise InvalidSignature if signed_message.blank?
+
+    data, digest = signed_message.split("--")
+    if data.present? && digest.present? && secure_compare(digest, generate_digest(data))
+      @serializer.load(::Base64.decode64(data))
+    elsif data.present? && digest.present? && @deprecated_secret && secure_compare(digest, generate_deprecated_digest(data))
+      ActiveSupport::Notifications.instrument("deprecated_secret.active_support")
+      @serializer.load(::Base64.decode64(data))
+    else
+      raise InvalidSignature
+    end
+  end
+
+  def generate_deprecated_digest(data)
+    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.const_get(@digest).new, @deprecated_secret, data)
+  end
+end

data/lib/secret_token_migration/railtie.rb

@@ -0,0 +1,19 @@
+require 'secret_token_migration'
+
+module SecretTokenMigration
+  require 'rails'
+
+  class Railtie < Rails::Railtie
+    initializer 'secret_token_migration.insert_into_application' do
+      ActiveSupport.on_load :before_configuration do
+        SecretTokenMigration::Railtie.insert
+      end
+    end
+
+    def self.insert
+      require 'secret_token_migration/railties/application'
+      require 'secret_token_migration/action_dispatch/cookies'
+      require 'secret_token_migration/active_support/message_verifier'
+    end
+  end
+end

data/lib/secret_token_migration/railties/application.rb

@@ -0,0 +1,14 @@
+module Rails
+  class Application
+    class Configuration
+      attr_accessor :deprecated_secret_token
+    end
+
+    def env_config_with_deprecated_secret_token
+      @env_config ||= env_config_without_deprecated_secret_token.merge({
+        "action_dispatch.deprecated_secret_token" => config.deprecated_secret_token
+      })
+    end
+    alias_method_chain :env_config, :deprecated_secret_token
+  end
+end

data/lib/secret_token_migration/version.rb

@@ -0,0 +1,3 @@
+module SecretTokenMigration
+  VERSION = "0.0.2"
+end

data/lib/secret_token_migration.rb

@@ -0,0 +1,5 @@
+require "secret_token_migration/version"
+require "secret_token_migration/railtie"
+
+module SecretTokenMigration
+end

data/secret_token_migration.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'secret_token_migration/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "secret_token_migration"
+  gem.version       = SecretTokenMigration::VERSION
+  gem.authors       = ["Tieg Zaharia"]
+  gem.email         = ["tieg.zaharia@gmail.com"]
+  gem.description   = %q{A gem for the maintaneance of secret_tokens.}
+  gem.summary       = %q{Easy way to switch to a secret_token while not 
+                        logging out most of your users.}
+  gem.homepage      = "https://github.com/tiegz/secret_token_migration"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency "rails", "~> 3.2.11"
+
+  gem.add_development_dependency "shoulda", "~> 3.3.2"
+end

data/test/action_dispatch/cookies_test.rb

@@ -0,0 +1,41 @@
+require_relative '../test_helper'
+
+class CookiesTest < ActiveSupport::TestCase
+  context "with only regular token" do
+    setup do
+      @old_cookies = ActionDispatch::Cookies::CookieJar.build(ActionController::TestRequest.new({
+        "action_dispatch.secret_token" => "old" * 50
+      }))
+
+      @deprecated_cookies = ActionDispatch::Cookies::CookieJar.build(ActionController::TestRequest.new({
+        "action_dispatch.secret_token" => "new" * 50,
+        "action_dispatch.deprecated_secret_token" => "old" * 50
+      }))
+
+      @new_cookies = ActionDispatch::Cookies::CookieJar.build(ActionController::TestRequest.new({
+        "action_dispatch.secret_token" => "new" * 50,
+      }))
+
+      @old_cookies.signed["foo"] = "bar"
+    end
+
+    should "use correct class for signed cookies" do
+      assert_equal ActionDispatch::Cookies::SignedCookieJar, 
+        @old_cookies.signed.class
+      assert_equal ActionDispatch::Cookies::SignedCookieWithDeprecatedTokenJar, 
+        @deprecated_cookies.signed.class
+      assert_equal ActionDispatch::Cookies::SignedCookieJar, 
+        @new_cookies.signed.class
+    end
+
+    should "read/write the old value with a deprecated token cookie" do
+      @deprecated_cookies["foo"] = @old_cookies["foo"] # without 'signed', fetches the digested value
+      assert_equal "bar", @deprecated_cookies.signed["foo"]
+    end
+
+    should "not read/write the old value with a new token cookie" do
+      @new_cookies["foo"] = @old_cookies["foo"] # without 'signed', fetches the digested value
+      assert_equal nil, @new_cookies.signed["foo"]
+    end
+  end
+end

data/test/railties/application_test.rb

@@ -0,0 +1,26 @@
+require_relative '../test_helper'
+
+class RailsApplicationTest < ActiveSupport::TestCase
+  context "a rails application" do
+    subject do
+      Class.new(Rails::Application).tap do |app|
+        app.config.deprecated_secret_token = "b"*128
+        app.config.secret_token = "a"*128
+      end
+    end
+
+    teardown do
+      Rails.application = nil
+    end
+
+    should "have secret_token" do
+      assert subject.env_config["action_dispatch.secret_token"].present?
+      assert_equal 128, subject.env_config["action_dispatch.secret_token"].length
+    end
+
+    should "have deprecated_secret_token" do
+      assert subject.env_config["action_dispatch.deprecated_secret_token"].present?
+      assert_equal 128, subject.env_config["action_dispatch.deprecated_secret_token"].length
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,14 @@
+ENV["RAILS_ENV"] = "test"
+
+require 'test/unit'
+require 'rails'
+require 'active_support/test_case'
+require 'action_controller/test_case'
+require 'action_dispatch/testing/integration'
+require 'shoulda'
+require 'secret_token_migration'
+
+# the railtie logic
+require 'secret_token_migration/railties/application'
+require 'secret_token_migration/action_dispatch/cookies'
+require 'secret_token_migration/active_support/message_verifier'

metadata

@@ -0,0 +1,96 @@
+--- !ruby/object:Gem::Specification
+name: secret_token_migration
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+  prerelease: 
+platform: ruby
+authors:
+- Tieg Zaharia
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-01-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.11
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.11
+- !ruby/object:Gem::Dependency
+  name: shoulda
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.3.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.3.2
+description: A gem for the maintaneance of secret_tokens.
+email:
+- tieg.zaharia@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/secret_token_migration.rb
+- lib/secret_token_migration/action_dispatch/cookies.rb
+- lib/secret_token_migration/active_support/message_verifier.rb
+- lib/secret_token_migration/railtie.rb
+- lib/secret_token_migration/railties/application.rb
+- lib/secret_token_migration/version.rb
+- secret_token_migration.gemspec
+- test/action_dispatch/cookies_test.rb
+- test/railties/application_test.rb
+- test/test_helper.rb
+homepage: https://github.com/tiegz/secret_token_migration
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Easy way to switch to a secret_token while not  logging out most of your
+  users.
+test_files:
+- test/action_dispatch/cookies_test.rb
+- test/railties/application_test.rb
+- test/test_helper.rb