From 8d1a848e606a86af0665c474e7f030d06a2ab011 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Mon, 9 Dec 2024 14:53:33 +0100
Subject: [PATCH 1/2] Remove code to rotate non-SHA256 cookies

This code was added in commit b3f570512 in order to rotate existing cookies used by Consul Democracy 2.1 and earlier. Since the code was included in Consul Democracy 2.2, existing installation using Consul Democracy 2.2 will have already rotated the old cookies, which means we don't need the cookie rotator anymore.
---
 .rubocop.yml | 1 -
 ...tive_storage_message_and_cookie_rotator.rb | 36 -------------------
 .../active_storage_message_rotator.rb | 12 +++++++
 3 files changed, 12 insertions(+), 37 deletions(-)
 delete mode 100644 config/initializers/active_storage_message_and_cookie_rotator.rb
 create mode 100644 config/initializers/active_storage_message_rotator.rb

diff --git a/.rubocop.yml b/.rubocop.yml
index 0a5d2c226..d94263840 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -165,7 +165,6 @@ Layout/LineLength:
     - "config/environments/staging.rb"
     - "config/initializers/devise.rb"
     - "config/initializers/backtrace_silencers.rb"
-    - "config/initializers/active_storage_message_and_cookie_rotator.rb"
     - "db/migrate/*create_delayed_jobs.rb"
     - "db/migrate/*create_active_storage_variant_records.active_storage.rb"
     - "app/models/budget/stats.rb"
diff --git a/config/initializers/active_storage_message_and_cookie_rotator.rb b/config/initializers/active_storage_message_and_cookie_rotator.rb
deleted file mode 100644
index c6a97ab74..000000000
--- a/config/initializers/active_storage_message_and_cookie_rotator.rb
+++ /dev/null
@@ -1,36 +0,0 @@
-# This code was copied from:
-# https://github.com/hotwired/turbo-rails/blob/v1.4.0/UPGRADING.md#key-digest-changes-in-111
-# Removing this code will make ActiveStorage image URLs generated with Rails 6.1
-# or earlier inaccessible, causing images attached with CKEditor or linked from
-# somewhere else not to be rendered.
-Rails.application.config.after_initialize do |app|
-  key_generator = ActiveSupport::KeyGenerator.new(
-    app.secret_key_base, iterations: 1000, hash_digest_class: OpenSSL::Digest::SHA1
-  )
-
-  app.message_verifier("ActiveStorage").rotate(key_generator.generate_key("ActiveStorage"))
-end
-
-# This code was copied from:
-# https://guides.rubyonrails.org/v7.0/upgrading_ruby_on_rails.html#key-generator-digest-class-changing-to-use-sha256
-# TODO: safe to remove after upgrading to Rails 7.1 or releasing a new
-# version of Consul Democracy
-Rails.application.config.after_initialize do
-  Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies|
-    authenticated_encrypted_cookie_salt = Rails.application.config.action_dispatch.authenticated_encrypted_cookie_salt
-    signed_cookie_salt = Rails.application.config.action_dispatch.signed_cookie_salt
-
-    secret_key_base = Rails.application.secret_key_base
-
-    key_generator = ActiveSupport::KeyGenerator.new(
-      secret_key_base, iterations: 1000, hash_digest_class: OpenSSL::Digest::SHA1
-    )
-    key_len = ActiveSupport::MessageEncryptor.key_len
-
-    old_encrypted_secret = key_generator.generate_key(authenticated_encrypted_cookie_salt, key_len)
-    old_signed_secret = key_generator.generate_key(signed_cookie_salt)
-
-    cookies.rotate :encrypted, old_encrypted_secret
-    cookies.rotate :signed, old_signed_secret
-  end
-end
diff --git a/config/initializers/active_storage_message_rotator.rb b/config/initializers/active_storage_message_rotator.rb
new file mode 100644
index 000000000..1a187a42c
--- /dev/null
+++ b/config/initializers/active_storage_message_rotator.rb
@@ -0,0 +1,12 @@
+# This code was copied from:
+# https://github.com/hotwired/turbo-rails/blob/v1.4.0/UPGRADING.md#key-digest-changes-in-111
+# Removing this code will make ActiveStorage image URLs generated with Rails 6.1
+# or earlier inaccessible, causing images attached with CKEditor or linked from
+# somewhere else not to be rendered.
+Rails.application.config.after_initialize do |app|
+  key_generator = ActiveSupport::KeyGenerator.new(
+    app.secret_key_base, iterations: 1000, hash_digest_class: OpenSSL::Digest::SHA1
+  )
+
+  app.message_verifier("ActiveStorage").rotate(key_generator.generate_key("ActiveStorage"))
+end

From d7c373509aef580ee8611bc5b4d03609b2954111 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Mon, 9 Dec 2024 15:02:18 +0100
Subject: [PATCH 2/2] Remove tasks to upgrade to version 2.2

Note that, while we're no longer including them as part of the `execute_release_2.2.0_tasks` task, we're keeping the tasks to remove duplicate poll voters and poll options just in case there are some unexpected issues when adding a unique database index while upgrading to version 2.3.0. We'll remove them in version 2.4.0.
---
 lib/tasks/consul.rake | 10 +++------
 lib/tasks/db.rake | 11 -----------
 spec/lib/tasks/db_spec.rb | 27 ---------------------------
 3 files changed, 3 insertions(+), 45 deletions(-)
 delete mode 100644 spec/lib/tasks/db_spec.rb

diff --git a/lib/tasks/consul.rake b/lib/tasks/consul.rake
index 64225f60b..a43bdaaf6 100644
--- a/lib/tasks/consul.rake
+++ b/lib/tasks/consul.rake
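Review bot: The new initializer keeps the SHA1-derived "ActiveStorage" verifier key accepted with no TODO or exit condition, whereas the cookie rotator deleted in this same commit at least carried one. Both keys derive from the same `secret_key_base`, so this is a compatibility shim rather than a weaker secret, but every signed id or URL issued under the old derivation stays verifiable for as long as the `rotate` call is present, which is the opposite of what a key rotation normally buys you. I would say so in the header and name the condition under which it can go, e.g. `# NOTE: the SHA1-derived key stays valid indefinitely; drop this once all persisted ActiveStorage URLs (CKEditor content, external links) have been regenerated under the SHA256-derived key.` Whether blob signed ids in this application expire is not visible here; if they do not, the old key effectively never leaves service.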
@@ -3,12 +3,8 @@ namespace :consul do
   task execute_release_tasks: ["settings:rename_setting_keys",
                                "settings:add_new_settings",
                                "cache:clear",
-                               "execute_release_2.2.0_tasks"]
+                               "execute_release_2.3.0_tasks"]

-  desc "Runs tasks needed to upgrade from 2.1.1 to 2.2.0"
-  task "execute_release_2.2.0_tasks": [
-    "db:mask_ips",
-    "polls:remove_duplicate_voters",
-    "polls:populate_option_id"
-  ]
+  desc "Runs tasks needed to upgrade from 2.2.2 to 2.3.0"
+  task "execute_release_2.3.0_tasks": []
 end
diff --git a/lib/tasks/db.rake b/lib/tasks/db.rake
index c8b50e7cc..3c1d00166 100644
--- a/lib/tasks/db.rake
+++ b/lib/tasks/db.rake
@@ -4,15 +4,4 @@ namespace :db do
     I18n.enforce_available_locales = false
     Tenant.switch(args[:tenant]) { load(Rails.root.join("db", "dev_seeds.rb")) }
   end
-
-  desc "Mask IPs collected with Ahoy"
-  task mask_ips: :environment do
-    ApplicationLogger.new.info "Masking tracked IPs collected with Ahoy"
-
-    Tenant.run_on_each do
-      Visit.find_each do |visit|
-        visit.update_column :ip, Ahoy.mask_ip(visit.ip)
-      end
-    end
-  end
 end
diff --git a/spec/lib/tasks/db_spec.rb b/spec/lib/tasks/db_spec.rb
deleted file mode 100644
index 084128d2e..000000000
--- a/spec/lib/tasks/db_spec.rb
+++ /dev/null
@@ -1,27 +0,0 @@
-require "rails_helper"
-
-describe "rake db:mask_ips" do
-  before { Rake::Task["db:mask_ips"].reenable }
-
-  it "mask IPs on all tenants" do
-    create(:visit, ip: "1.1.1.1")
-    create(:visit, ip: "1.1.1.2")
-    create(:visit, ip: "1.1.2.2")
-
-    create(:tenant, schema: "myhometown")
-
-    Tenant.switch("myhometown") do
-      create(:visit, ip: "1.1.1.1")
-      create(:visit, ip: "1.1.1.2")
-      create(:visit, ip: "1.1.3.3")
-    end
-
-    Rake.application.invoke_task("db:mask_ips")
-
-    expect(Visit.pluck(:ip)).to match_array %w[1.1.1.0 1.1.1.0 1.1.2.0]
-
-    Tenant.switch("myhometown") do
-      expect(Visit.pluck(:ip)).to match_array %w[1.1.1.0 1.1.1.0 1.1.3.0]
-    end
-  end
-end
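Review bot: `execute_release_tasks` now reaches only `execute_release_2.3.0_tasks`, and the `db:mask_ips` task it used to run through `execute_release_2.2.0_tasks` is deleted from `lib/tasks/db.rake` in this same commit, so an installation upgrading straight from 2.1.x to 2.3.0 never masks the Ahoy IPs it already stores. If skipping 2.2 is unsupported that is acceptable, but nothing in the task says so, and retained unmasked visitor IPs are a data-protection issue rather than a cosmetic one. I would document the precondition next to the task, e.g. `# Assumes the 2.2.x release tasks (including db:mask_ips) have already run; upgrade through 2.2.2 first`, or keep `db:mask_ips` in the new list, which looks safe to re-run since masking an already-masked address should be a no-op. The enclosing `namespace :consul do` block starts above the hunk.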