Merge pull request #40213 from dbussink/allow-setting-digest-class

Add an ActiveSupport option to allow setting a digest class

activesupport/lib/active_support/railtie.rb

@@ -85,8 +85,17 @@ module ActiveSupport
     initializer "active_support.set_hash_digest_class" do |app|
       config.after_initialize do
         if app.config.active_support.use_sha1_digests
+          ActiveSupport::Deprecation.warn(<<-MSG.squish)
+            config.active_support.use_sha1_digests is deprecated and will
+            be removed from Rails 6.2. Use config.active_support.hash_digest_class
+            instead.
+          MSG
           ActiveSupport::Digest.hash_digest_class = ::Digest::SHA1
         end
+
+        if klass = app.config.active_support.hash_digest_class
+          ActiveSupport::Digest.hash_digest_class = klass
+        end
       end
     end
   end

guides/source/configuring.md

@@ -819,7 +819,7 @@ There are a few configuration options available in Active Support:
 
 * `config.active_support.time_precision` sets the precision of JSON encoded time values. Defaults to `3`.
 
-* `config.active_support.use_sha1_digests` specifies whether to use SHA-1 instead of MD5 to generate non-sensitive digests, such as the ETag header.
+* `config.active_support.hash_digest_class` allows configuring the digest class to use to generate non-sensitive digests, such as the ETag header.
 
 * `config.active_support.use_authenticated_message_encryption` specifies whether to use AES-256-GCM authenticated encryption as the default cipher for encrypting messages instead of AES-256-CBC.
 
@@ -1035,7 +1035,7 @@ text/javascript image/svg+xml application/postscript application/x-shockwave-fla
 - `config.active_record.cache_versioning`: `true`
 - `config.action_dispatch.use_authenticated_cookie_encryption`: `true`
 - `config.active_support.use_authenticated_message_encryption`: `true`
-- `config.active_support.use_sha1_digests`: `true`
+- `config.active_support.hash_digest_class`: `::Digest::SHA1`
 - `config.action_controller.default_protect_from_forgery`: `true`
 - `config.action_view.form_with_generates_ids`: `true`
 

railties/CHANGELOG.md

@@ -1,3 +1,9 @@
+*   Deprecate `config.active_support.use_sha1_digests`
+
+    `config.active_support.use_sha1_digests` is deprecated. It is replaced with `config.active_support.hash_digest_class` which allows setting the desired Digest instead. The Rails version defaults have been updated to use this new method as well so the behavior there is unchanged.
+
+    *Dirkjan Bussink*
+
 *   Change the default logging level from :debug to :info to avoid inadvertent exposure of personally
     identifiable information (PII) in production environments.
 

railties/lib/rails/application/configuration.rb

@@ -115,7 +115,7 @@ module Rails
 
           if respond_to?(:active_support)
             active_support.use_authenticated_message_encryption = true
-            active_support.use_sha1_digests = true
+            active_support.hash_digest_class = ::Digest::SHA1
           end
 
           if respond_to?(:action_controller)

railties/test/application/configuration_test.rb

@@ -2225,6 +2225,18 @@ module ApplicationTests
       assert_equal Digest::SHA1, ActiveSupport::Digest.hash_digest_class
     end
 
+    test "ActiveSupport::Digest.hash_digest_class can be configured via config.active_support.hash_digest_class" do
+      remove_from_config '.*config\.load_defaults.*\n'
+
+      app_file "config/initializers/custom_digest_class.rb", <<-RUBY
+        Rails.application.config.active_support.hash_digest_class = Digest::SHA256
+      RUBY
+
+      app "development"
+
+      assert_equal Digest::SHA256, ActiveSupport::Digest.hash_digest_class
+    end
+
     test "custom serializers should be able to set via config.active_job.custom_serializers in an initializer" do
       class ::DummySerializer < ActiveJob::Serializers::ObjectSerializer; end