From 7a25f5b98723b7fe4cd9196387c20b124f15b9e7 Mon Sep 17 00:00:00 2001
From: Chris Roos
Date: Wed, 11 Oct 2023 12:08:02 +0100
Subject: [PATCH 1/2] Use type argument in User.serialize
In order to avoid the following deprecation warning when upgrading to Rails 7.1.0: > DEPRECATION WARNING: Passing the class as positional argument is > deprecated and will be removed in Rails 7.2.
---
 app/models/user.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index d63d0646..f2e4b5ae 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -2,5 +2,5 @@ class User < ApplicationRecord
 include GDS::SSO::User
- serialize :permissions, Array
+ serialize :permissions, type: Array
 end
From 11489db82b0142839f5ade7695d2a81e27997df2 Mon Sep 17 00:00:00 2001
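Review bot: `serialize :permissions, type: Array` still leaves the coder implicit, and on Rails 7.1 the implicit coder is governed by the new `config.active_record.default_column_serializer`, which (as far as I recall) becomes nil under `load_defaults 7.1`, at which point this call would fail for want of a `coder:` option. I'd make it explicit now with `serialize :permissions, coder: YAML, type: Array` so the next defaults bump does not break the model. Spelling out the coder also documents that this column is YAML-decoded, which on current Rails goes through `YAML.safe_load` restricted by `yaml_column_permitted_classes`; an array of plain strings is fine, but anything else stored in `permissions` would raise on load. I cannot see the app's `load_defaults` line from this hunk, so confirm the timing before treating it as urgent.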
From: Chris Roos
Date: Thu, 12 Oct 2023 11:31:15 +0100
Subject: [PATCH 2/2] Remove cookie rotator added for upgrade to Rails 7
Rails 7 changed the default digest class for the key generator from SHA1 to SHA256[1]. The code removed in this commit was added on 15 Mar 2022 in 05a41d8778d6a368a8743163757f91579b0b9103. The intention was to allow any cookies encrypted using the SHA1 key generator to be read and re-encrypted using SHA256. I can't see any record of us manually setting encrypted cookies using `cookies.encrypted`[2] so I think this would have only applied to our sessions which are stored using the (encrypted) CookieStore[3]. Given that this rotator was added 17 months ago I think it's safe to remove it (i.e. I would expect all existing sessions from 17 months ago to have been rotated). Note that although we don't make any calls to `session` in authenticating-proxy, there are calls to `session` in the gds-sso Gem that's included in this app: - GDS::SSO::FailureApp#store_location![4] - AuthenticationsController#callback[5] - lib/gds-sso/warden_config.rb[6] [1]: https://guides.rubyonrails.org/v7.0/upgrading_ruby_on_rails.html#key-generator-digest-class-changing-to-use-sha256 [2]: https://api.rubyonrails.org/v7.1.1/classes/ActionDispatch/Cookies.html [3]: https://api.rubyonrails.org/classes/ActionDispatch/Session/CookieStore.html [4]: https://github.com/alphagov/gds-sso/blob/v18.1.0/lib/gds-sso/failure_app.rb#L48 [5]: https://github.com/alphagov/gds-sso/blob/v18.1.0/app/controllers/authentications_controller.rb#L8 [6]: https://github.com/alphagov/gds-sso/blob/v18.1.0/lib/gds-sso/warden_config.rb#L15
---
 config/application.rb | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/config/application.rb b/config/application.rb
index b9924762..fd024832 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -23,22 +23,5 @@ class Application < Rails::Application
 #
 # config.time_zone = "Central Time (US & Canada)"
 # config.eager_load_paths << Rails.root.join("extras")
-
- # Rotate SHA1 cookies to SHA256 (the new Rails 7 default)
- # TODO: Remove this after existing user sessions have been rotated
- # https://guides.rubyonrails.org/v7.0/upgrading_ruby_on_rails.html#key-generator-digest-class-changing-to-use-sha256
- Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies|
- salt = Rails.application.config.action_dispatch.authenticated_encrypted_cookie_salt
- secret_key_base = Rails.application.secrets.secret_key_base
- next if secret_key_base.blank?
-
- key_generator = ActiveSupport::KeyGenerator.new(
- secret_key_base, iterations: 1000, hash_digest_class: OpenSSL::Digest::SHA1
- )
- key_len = ActiveSupport::MessageEncryptor.key_len
- secret = key_generator.generate_key(salt, key_len)
-
- cookies.rotate :encrypted, secret
- end
 end
 end