
Use derived keys everywhere, http_authentication was missing it

This commit is contained in:
Santiago Pastorino 2012-11-02 20:26:11 -02:00
parent fb0cea2b8c
commit 5d23925f84
7 changed files with 14 additions and 31 deletions


@ -249,9 +249,8 @@ module ActionController
end
def secret_token(request)
secret = request.env["action_dispatch.secret_token"]
raise "You must set config.secret_token in your app's config" if secret.blank?
secret
key_generator = request.env["action_dispatch.key_generator"]
key_generator.generate_key('http authentication')
end
# Uses an MD5 digest based on time to generate a value to be used only once.
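Review bot: The new body of `secret_token` dereferences `request.env["action_dispatch.key_generator"]` without checking it, so a request whose env lacks that key (a bare Rack or test setup that does not go through the Rails application) now fails with a NoMethodError on `generate_key` instead of the explicit message the removed `raise` used to give. Keeping an explicit guard preserves that diagnostic, e.g. `raise "action_dispatch.key_generator is not set in the request env" unless key_generator`. The method is also still called `secret_token` although it now returns a purpose-derived key rather than the raw secret; a one-line comment such as `# Returns a key derived for HTTP authentication; the raw secret is no longer exposed here.` would keep readers from assuming the old semantics. The enclosing `module ActionController` continues outside the hunk.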


@ -1,4 +1,6 @@
require 'abstract_unit'
# FIXME remove DummyKeyGenerator and this require in 4.1
require 'active_support/key_generator'
class HttpDigestAuthenticationTest < ActionController::TestCase
class DummyDigestController < ActionController::Base
@ -41,7 +43,7 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
setup do
# Used as secret in generating nonce to prevent tampering of timestamp
@secret = "session_options_secret"
@request.env["action_dispatch.secret_token"] = @secret
@request.env["action_dispatch.key_generator"] = ActiveSupport::DummyKeyGenerator.new(@secret)
end
teardown do


@ -120,7 +120,6 @@ module Rails
# Currently stores:
#
# * "action_dispatch.parameter_filter" => config.filter_parameters,
# * "action_dispatch.secret_token" => config.secret_token,
# * "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions,
# * "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
# * "action_dispatch.logger" => Rails.logger,
@ -135,11 +134,13 @@ module Rails
ActiveSupport::Deprecation.warn "You didn't set config.secret_token_key. " +
"This should be used instead of the old deprecated config.secret_token. " +
"Set config.secret_token_key instead of config.secret_token in config/initializers/secret_token.rb"
if config.secret_token.blank?
raise "You must set config.secret_token_key in your app's config"
end
end
super.merge({
"action_dispatch.parameter_filter" => config.filter_parameters,
"action_dispatch.secret_token" => config.secret_token,
"action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions,
"action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
"action_dispatch.logger" => Rails.logger,
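Review bot: Dropping `"action_dispatch.secret_token"` from the hash returned by `env_config` is a behaviour change for any middleware or engine that read the raw secret from the Rack env, and nothing in the commit documents it beyond the updated `# Currently stores:` list; a CHANGELOG or upgrading note naming `action_dispatch.key_generator` as the replacement would help consumers. Keeping the raw secret out of the env is a sound direction, since anything that dumps env (error pages, loggers) would otherwise expose it. In the deprecation branch the check `if config.secret_token.blank?` appears to run only when `secret_token_key` is unset, yet the raise tells the user to set `config.secret_token_key` alone; if either setting satisfies this branch, wording it `raise "You must set config.secret_token_key (or the deprecated config.secret_token) in your app's config"` would match the actual condition. Which of these lines are new is not fully recoverable from the rendered page, and the enclosing method continues outside the hunk.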


@ -10,12 +10,12 @@ module Rails
:cache_classes, :cache_store, :consider_all_requests_local, :console,
:eager_load, :exceptions_app, :file_watcher, :filter_parameters,
:force_ssl, :helpers_paths, :logger, :log_formatter, :log_tags,
:railties_order, :relative_url_root, :secret_token_key,
:railties_order, :relative_url_root, :secret_token, :secret_token_key,
:serve_static_assets, :ssl_options, :static_cache_control, :session_options,
:time_zone, :reload_classes_only_on_change,
:queue, :queue_consumer, :beginning_of_week
attr_writer :secret_token, :log_level
attr_writer :log_level
attr_reader :encoding
def initialize(*)
@ -146,10 +146,6 @@ module Rails
def whiny_nils=(*)
ActiveSupport::Deprecation.warn "config.whiny_nils option is deprecated and no longer works"
end
def secret_token
@secret_token_key || @secret_token
end
end
end
end
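Review bot: Removing the `secret_token` reader that returned `@secret_token_key || @secret_token` means `config.secret_token` now yields only the legacy value; any remaining caller that relied on the fallback to the new key (not visible in this hunk) will now see nil, so it is worth confirming that the only consumer is the key-generator selection in the application. The restored `:secret_token` accessor carries no hint that it exists solely for the deprecated configuration path; a comment on that line such as `# secret_token remains only for the deprecated pre-secret_token_key configuration` would make the intent clear. The enclosing class continues outside the first hunk.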


@ -14,5 +14,6 @@ require 'rails/all'
module TestApp
class Application < Rails::Application
config.root = File.dirname(__FILE__)
config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33'
end
end


@ -225,23 +225,6 @@ module ApplicationTests
assert_equal Pathname.new(app_path).join("somewhere"), Rails.public_path
end
test "config.secret_token_key is sent in env" do
make_basic_app do |app|
app.config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33'
app.config.session_store :disabled
end
class ::OmgController < ActionController::Base
def index
cookies.signed[:some_key] = "some_value"
render text: env["action_dispatch.secret_token"]
end
end
get "/"
assert_equal 'b3c631c314c0bbca50c1b2843150fe33', last_response.body
end
test "Use key_generator when secret_token_key is set" do
make_basic_app do |app|
app.config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33'
@ -588,7 +571,6 @@ module ApplicationTests
assert_respond_to app, :env_config
assert_equal app.env_config['action_dispatch.parameter_filter'], app.config.filter_parameters
assert_equal app.env_config['action_dispatch.secret_token'], app.config.secret_token
assert_equal app.env_config['action_dispatch.show_exceptions'], app.config.action_dispatch.show_exceptions
assert_equal app.env_config['action_dispatch.logger'], Rails.logger
assert_equal app.env_config['action_dispatch.backtrace_cleaner'], Rails.backtrace_cleaner


@ -1,4 +1,6 @@
require 'isolation/abstract_unit'
# FIXME remove DummyKeyGenerator and this require in 4.1
require 'active_support/key_generator'
module ApplicationTests
class RemoteIpTest < ActiveSupport::TestCase
@ -8,7 +10,7 @@ module ApplicationTests
remote_ip = nil
env = Rack::MockRequest.env_for("/").merge(env).merge!(
'action_dispatch.show_exceptions' => false,
'action_dispatch.secret_token' => 'b3c631c314c0bbca50c1b2843150fe33'
'action_dispatch.key_generator' => ActiveSupport::DummyKeyGenerator.new('b3c631c314c0bbca50c1b2843150fe33')
)
endpoint = Proc.new do |e|