diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb index a083914109..3d68e30d1d 100644 --- a/railties/lib/rails/secrets.rb +++ b/railties/lib/rails/secrets.rb @@ -1,4 +1,4 @@ -require "yaml" +require "active_support/message_encryptor" module Rails # Greatly inspired by Ara T. Howard's magnificent sekrets gem. 😘 @@ -12,6 +12,8 @@ module Rails end end + CIPHER = "aes-128-gcm" + @read_encrypted_secrets = false @root = File # Wonky, but ensures `join` uses the current directory. @@ -30,20 +32,22 @@ module Rails end def generate_key - cipher = new_cipher - SecureRandom.hex(cipher.key_len)[0, cipher.key_len] + SecureRandom.hex( + OpenSSL::Cipher.new(CIPHER).key_len + ) end def key - ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key + [(ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key)] + .pack("H*") end - def encrypt(text) - cipher(:encrypt, text) + def encrypt(data) + encryptor.encrypt_and_sign(data) end def decrypt(data) - cipher(:decrypt, data) + encryptor.decrypt_and_verify(data) end def read @@ -97,14 +101,8 @@ module Rails end end - def new_cipher - OpenSSL::Cipher.new("aes-256-cbc") - end - - def cipher(mode, data) - cipher = new_cipher.public_send(mode) - cipher.key = key - cipher.update(data) << cipher.final + def encryptor + @encryptor ||= ActiveSupport::MessageEncryptor.new(key, cipher: CIPHER) end end end diff --git a/railties/test/secrets_test.rb b/railties/test/secrets_test.rb index 36e42cf1f9..6650a37d2b 100644 --- a/railties/test/secrets_test.rb +++ b/railties/test/secrets_test.rb @@ -54,9 +54,10 @@ class Rails::SecretsTest < ActiveSupport::TestCase test "reading from key file" do run_secrets_generator do - File.binwrite("config/secrets.yml.key", "How do I know you feel it?") + key = "00112233445566778899aabbccddeeff" + File.binwrite("config/secrets.yml.key", key) - assert_equal "How do I know you feel it?", Rails::Secrets.key + assert_equal [key].pack("H*"), Rails::Secrets.key end end