Use SHA256 to encrypt messages and cookies

Note that enabling this options means all encrypted messages and cookies generated the application become invalid, so we're adding a cookie rotator in order to keep sessions from expiring when upgrading the application, as recommended in the "Upgrading Ruby on Rails" guideline [1]. Since we haven't seen any Consul Democracy applications using encrypted messages and these messages become invalid with this change, we're also removing the pre-Rails 5.2 encryption to authenticate messages (AES-256-CBC) and switching to the default one since Rails 5.2 (AES-256-GCM). Since the configured encryption is used by the cookie rotator initializer (through the ActiveSupport::MessageEncryptor.key_len method), at first I thought this might affect the cookie rotator, but it doesn't: upgrading works as expected, and existing sessions are still active. I'm adding a comment to remove the initializer once all cookies have been migrated. I've added "Rails 7.1" in the comment because we usually check for these comments when upgrading Rails, but we rarely check for them when after releasing new versions of Consul Democracy. [1] https://guides.rubyonrails.org/v7.0/upgrading_ruby_on_rails.html#key-generator-digest-class-changing-to-use-sha256
2024-03-28 23:14:58 +01:00
parent f384451d9f
commit b3f5705121
4 changed files with 25 additions and 5 deletions
--- a/config/initializers/cookie_rotator.rb
+++ b/config/initializers/cookie_rotator.rb
@@ -0,0 +1,23 @@
+# This code was copied from:
+# https://guides.rubyonrails.org/v7.0/upgrading_ruby_on_rails.html#key-generator-digest-class-changing-to-use-sha256
+# TODO: safe to remove after upgrading to Rails 7.1 or releasing a new
+# version of Consul Democracy
+Rails.application.config.after_initialize do
+  Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies|
+    authenticated_encrypted_cookie_salt = Rails.application.config.action_dispatch.authenticated_encrypted_cookie_salt
+    signed_cookie_salt = Rails.application.config.action_dispatch.signed_cookie_salt
+
+    secret_key_base = Rails.application.secret_key_base
+
+    key_generator = ActiveSupport::KeyGenerator.new(
+      secret_key_base, iterations: 1000, hash_digest_class: OpenSSL::Digest::SHA1
+    )
+    key_len = ActiveSupport::MessageEncryptor.key_len
+
+    old_encrypted_secret = key_generator.generate_key(authenticated_encrypted_cookie_salt, key_len)
+    old_signed_secret = key_generator.generate_key(signed_cookie_salt)
+
+    cookies.rotate :encrypted, old_encrypted_secret
+    cookies.rotate :signed, old_signed_secret
+  end
+end
--- a/config/initializers/new_framework_defaults_7_0.rb
+++ b/config/initializers/new_framework_defaults_7_0.rb
@@ -23,7 +23,7 @@ Rails.application.config.action_view.button_to_generates_button_tag = true
 #
 # See upgrading guide for more information on how to build a rotator.
 # https://guides.rubyonrails.org/v7.0/upgrading_ruby_on_rails.html
-# Rails.application.config.active_support.key_generator_hash_digest_class = OpenSSL::Digest::SHA256
+Rails.application.config.active_support.key_generator_hash_digest_class = OpenSSL::Digest::SHA256

 # Change the digest class for ActiveSupport::Digest.
 # Changing this default means that for example Etags change and