mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Default Secrets to AES-128-GCM, using ActiveSupport::MessageEncryptor

Fixes #28135.
Stephen Touset 2017-02-23 14:41:40 -08:00
parent 771637269d
commit 6aa6f9ae44
2 changed files with 16 additions and 17 deletions


@ -1,4 +1,4 @@
require "yaml" require "active_support/message_encryptor"
module Rails module Rails
# Greatly inspired by Ara T. Howard's magnificent sekrets gem. 😘 # Greatly inspired by Ara T. Howard's magnificent sekrets gem. 😘
@ -12,6 +12,8 @@ module Rails
end end
end end
CIPHER = "aes-128-gcm"
@read_encrypted_secrets = false @read_encrypted_secrets = false
@root = File # Wonky, but ensures `join` uses the current directory. @root = File # Wonky, but ensures `join` uses the current directory.
@ -30,20 +32,22 @@ module Rails
end end
def generate_key def generate_key
cipher = new_cipher SecureRandom.hex(
SecureRandom.hex(cipher.key_len)[0, cipher.key_len] OpenSSL::Cipher.new(CIPHER).key_len
)
end end
def key def key
ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key [(ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key)]
.pack("H*")
end end
def encrypt(text) def encrypt(data)
cipher(:encrypt, text) encryptor.encrypt_and_sign(data)
end end
def decrypt(data) def decrypt(data)
cipher(:decrypt, data) encryptor.decrypt_and_verify(data)
end end
def read def read
@ -97,14 +101,8 @@ module Rails
end end
end end
def new_cipher def encryptor
OpenSSL::Cipher.new("aes-256-cbc") @encryptor ||= ActiveSupport::MessageEncryptor.new(key, cipher: CIPHER)
end
def cipher(mode, data)
cipher = new_cipher.public_send(mode)
cipher.key = key
cipher.update(data) << cipher.final
end end
end end
end end
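Review bot: In the new `key` method, `pack("H*")` performs no validation, so a master key that is not exactly 32 hex characters (a passphrase-style `RAILS_MASTER_KEY`, or a key file with a trailing newline if `read_key_file` does not strip it; that method is outside the hunk) is silently converted into different bytes of the wrong length instead of being rejected. How the cipher layer reacts to a wrong-length key depends on the Ruby/OpenSSL version, so make the failure explicit here: `hex = ENV["RAILS_MASTER_KEY"] || read_key_file || handle_missing_key`, then `raise ArgumentError, "master key must be 32 hex characters" unless hex =~ /\A\h{32}\z/`, then `[hex].pack("H*")`. The `@encryptor ||=` memoization in `encryptor` also pins the first key it sees, so a later change to the environment variable or key file within the same process is ignored; a comment saying so would help. Finally, secrets written by the old aes-256-cbc path cannot be read by `decrypt_and_verify`, and the visible hunks add no migration step or explanatory error for that case.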


@ -54,9 +54,10 @@ class Rails::SecretsTest < ActiveSupport::TestCase
test "reading from key file" do test "reading from key file" do
run_secrets_generator do run_secrets_generator do
File.binwrite("config/secrets.yml.key", "How do I know you feel it?") key = "00112233445566778899aabbccddeeff"
File.binwrite("config/secrets.yml.key", key)
assert_equal "How do I know you feel it?", Rails::Secrets.key assert_equal [key].pack("H*"), Rails::Secrets.key
end end
end end
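Review bot: The only key-handling case exercised in this hunk is a well-formed 32-character hex key; nothing visible tests a malformed key or tampered ciphertext, and tamper detection is the property the move to AES-GCM is meant to provide. Consider adding one case that alters the output of `Rails::Secrets.encrypt` and asserts that `Rails::Secrets.decrypt` raises `ActiveSupport::MessageEncryptor::InvalidMessage`, and one that writes a non-hex key file and asserts a clear error. The rest of the test file is outside this hunk, so some of this may already be covered elsewhere.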