Fix/rails71 force hash digest class (#4122)

* In Rails 7.1, need to specify the hash digest class for decrypting rails 7.0 encrypted values * Remove unneeded hash digest set * Fix tests, re-encoded * Fixture tests
brave-intl · Jul 27, 2023 · ad21f1e · ad21f1e
1 parent 88f2887
commit ad21f1e
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 11 deletions.
diff --git a/config/application.rb b/config/application.rb
@@ -68,6 +68,9 @@ class Application < Rails::Application
     # config.time_zone = "Central Time (US & Canada)"
     # config.eager_load_paths << Rails.root.join("extras")
 
+    # Configure ActiveRecord Encryption
+    config.active_record.encryption.hash_digest_class = OpenSSL::Digest::SHA1
+    config.active_record.encryption.support_sha1_for_non_deterministic_encryption = true
     config.active_record.encryption.primary_key = Rails.configuration.pub_secrets[:active_record_encryption_primary_key]
     config.active_record.encryption.deterministic_key = Rails.configuration.pub_secrets[:active_record_encryption_deterministic_key]
     config.active_record.encryption.key_derivation_salt = Rails.configuration.pub_secrets[:active_record_encryption_key_derivation_salt]

diff --git a/config/initializers/new_framework_defaults_7_1.rb b/config/initializers/new_framework_defaults_7_1.rb
@@ -38,7 +38,9 @@
 # 2. If you have +config.active_support.key_generator_hash_digest_class+ configured as SHA256 (the new default
 # in 7.0), then you need to configure SHA-256 for Active Record Encryption:
 # Rails.application.config.active_record.encryption.hash_digest_class = OpenSSL::Digest::SHA256
-#
+
+ActiveRecord::Encryption.config.hash_digest_class = OpenSSL::Digest::SHA1
+
 # If you don't currently have data encrypted with Active Record encryption, you can disable this setting to
 # configure the default behavior starting 7.1+:
 # Rails.application.config.active_record.encryption.support_sha1_for_non_deterministic_encryption = false

diff --git a/test/fixtures/bitflyer_connections.yml b/test/fixtures/bitflyer_connections.yml
@@ -3,8 +3,8 @@ enabled_bitflyer_connection:
   recipient_id: 'bitflyer_pub_connectionABC'
   # run through console with
   # BitflyerConnection.attribute_types["access_token"].serialize('access_token')
-  access_token:  "{\"p\":\"0xnOKdDbiCtdeEFk\",\"h\":{\"iv\":\"TJ6Cl65f8nGNzIUL\",\"at\":\"zM37d8U9DlE5aeuZw9gdug==\"}}"
-  refresh_token:  "{\"p\":\"ziymXehmy9TdklEeqg==\",\"h\":{\"iv\":\"EEgxeAEDu02XafPW\",\"at\":\"AkwfcjxEbF752GYDrBiS+g==\"}}"
+  access_token:  "{\"p\":\"LnFCHdkg+hTCtajq\",\"h\":{\"iv\":\"bSij/D78+VQ1T06v\",\"at\":\"eSl/fGA7bB9EpY1XjpZLvg==\"}}"
+  refresh_token:  "{\"p\":\"nKVnnT7dnfh6MysCXg==\",\"h\":{\"iv\":\"VTxYzYeIoQQ9gam6\",\"at\":\"jD+1aWJ6I2XIj/hHQRuh0A==\"}}"
   display_name: 123
   access_expiration_time: "<%= 2.days.ago %>"
 

diff --git a/test/fixtures/gemini_connections.yml b/test/fixtures/gemini_connections.yml
@@ -17,17 +17,17 @@ connection_with_token:
   publisher: gemini_completed
   is_verified: true
   recipient_id: <%= SecureRandom.uuid %>
-  access_token:  "{\"p\":\"0xnOKdDbiCtdeEFk\",\"h\":{\"iv\":\"TJ6Cl65f8nGNzIUL\",\"at\":\"zM37d8U9DlE5aeuZw9gdug==\"}}"
-  refresh_token:  "{\"p\":\"ziymXehmy9TdklEeqg==\",\"h\":{\"iv\":\"EEgxeAEDu02XafPW\",\"at\":\"AkwfcjxEbF752GYDrBiS+g==\"}}"
+  access_token:  "{\"p\":\"LnFCHdkg+hTCtajq\",\"h\":{\"iv\":\"bSij/D78+VQ1T06v\",\"at\":\"eSl/fGA7bB9EpY1XjpZLvg==\"}}"
+  refresh_token:  "{\"p\":\"nKVnnT7dnfh6MysCXg==\",\"h\":{\"iv\":\"VTxYzYeIoQQ9gam6\",\"at\":\"jD+1aWJ6I2XIj/hHQRuh0A==\"}}"
   country: 'BE'
   status: 'Active'
 
 connection_not_verified:
   publisher: gemini_not_completed
   is_verified: false
   status: 'Active'
-  access_token:  'access_token'
-  refresh_token:  'refresh_token'
+  access_token:  "{\"p\":\"LnFCHdkg+hTCtajq\",\"h\":{\"iv\":\"bSij/D78+VQ1T06v\",\"at\":\"eSl/fGA7bB9EpY1XjpZLvg==\"}}"
+  refresh_token:  "{\"p\":\"nKVnnT7dnfh6MysCXg==\",\"h\":{\"iv\":\"VTxYzYeIoQQ9gam6\",\"at\":\"jD+1aWJ6I2XIj/hHQRuh0A==\"}}"
 
 top_referrer_gemini_connected:
   publisher: top_referrer_gemini

diff --git a/test/fixtures/totp_registrations.yml b/test/fixtures/totp_registrations.yml
@@ -3,14 +3,14 @@ default:
   last_logged_in_at: <%= 2.days.ago %>
   # run through console with
   # TotpRegistration.attribute_types["secret"].serialize('secret')
-  secret: "{\"p\":\"5kxhOkHv\",\"h\":{\"iv\":\"II+8QVZ22uR1ne9h\",\"at\":\"7tMHak2HET8WNisv5eXOwQ==\"}}"
+  secret: "{\"p\":\"yqWaK64e\",\"h\":{\"iv\":\"MzF4S8HgP1iRs/2x\",\"at\":\"wuShPjrQ9VYKLXi3OrLwng==\"}}"
 
 verified_totp:
   publisher: verified_totp_only
   last_logged_in_at: <%= 2.days.ago %>
-  secret: "{\"p\":\"5kxhOkHv\",\"h\":{\"iv\":\"II+8QVZ22uR1ne9h\",\"at\":\"7tMHak2HET8WNisv5eXOwQ==\"}}"
+  secret: "{\"p\":\"yqWaK64e\",\"h\":{\"iv\":\"MzF4S8HgP1iRs/2x\",\"at\":\"wuShPjrQ9VYKLXi3OrLwng==\"}}"
 
 admin:
   publisher: admin
   last_logged_in_at: <%= 2.days.ago %>
-  secret: "{\"p\":\"5kxhOkHv\",\"h\":{\"iv\":\"II+8QVZ22uR1ne9h\",\"at\":\"7tMHak2HET8WNisv5eXOwQ==\"}}"
+  secret: "{\"p\":\"yqWaK64e\",\"h\":{\"iv\":\"MzF4S8HgP1iRs/2x\",\"at\":\"wuShPjrQ9VYKLXi3OrLwng==\"}}"
diff --git a/test/fixtures/user_authentication_tokens.yml b/test/fixtures/user_authentication_tokens.yml
@@ -2,7 +2,7 @@ default_user_authentication_token: &default_user_authentication_token
   authentication_token_expires_at: "<%= DateTime.now + PublisherTokenGenerator::TOKEN_TTL %>"
   # authenticity_token run through console with
   # UserAuthenticationToken.attribute_types["authentication_token"].serialize("authentication_token")
-  authentication_token: "{\"p\":\"dBDREEAcd7w3X2nBYe1YV5MynrE=\",\"h\":{\"iv\":\"VAqlrnHXGfEoC2x6\",\"at\":\"eKWA4q2rzcqJZwJ4YVhVkA==\"}}"
+  authentication_token: "{\"p\":\"2eXOx53fs0/AzeJdmiPPuVAR+PE=\",\"h\":{\"iv\":\"tTfjtUUCwZGPE9mu\",\"at\":\"DBlolp810/sk8qxfmqHiQg==\"}}"
   user: default
 
 completed_user_authentication_token: