Opt in to remaining Rails 7.1 defaults #30332
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mjankowski
commented
May 16, 2024
mjankowski
commented
May 16, 2024
mjankowski
commented
May 16, 2024
mjankowski
commented
May 16, 2024
mjankowski
commented
May 16, 2024
mjankowski
commented
May 16, 2024
mjankowski
force-pushed
the
rails-7-1-defaults-enable
branch
from
57ed14c
to
dacd7e4
Compare
mjankowski
force-pushed
the
rails-7-1-defaults-enable
branch
from
dacd7e4
to
9ec35cf
Compare
ClearlyClaire
requested changes
Jun 7, 2024
There was a problem hiding this comment.
I have not managed to identify which config change causes this, but this PR still makes TOTP secret decryption fail with:
ActiveRecord::Encryption::Errors::Decryption (ActiveRecord::Encryption::Errors::Decryption):
activerecord (7.1.3.4) lib/active_record/encryption/encryptor.rb:58:in `rescue in decrypt'
activerecord (7.1.3.4) lib/active_record/encryption/encryptor.rb:52:in `decrypt'
activerecord (7.1.3.4) lib/active_record/encryption/encrypted_attribute_type.rb:90:in `block in decrypt'
activerecord (7.1.3.4) lib/active_record/encryption/scheme.rb:69:in `with_context'
activerecord (7.1.3.4) lib/active_record/encryption/encrypted_attribute_type.rb:15:in `with_context'
activerecord (7.1.3.4) lib/active_record/encryption/encrypted_attribute_type.rb:85:in `decrypt'
activerecord (7.1.3.4) lib/active_record/encryption/encrypted_attribute_type.rb:36:in `deserialize'
activemodel (7.1.3.4) lib/active_model/attribute_set/builder.rb:52:in `block in fetch_value'
activemodel (7.1.3.4) lib/active_model/attribute_set/builder.rb:46:in `fetch'
activemodel (7.1.3.4) lib/active_model/attribute_set/builder.rb:46:in `fetch_value'
|
does that mean we should have set this to SHA256 before we ever started using ActiveRecord Encryption but we are now stuck out of it?
|
|
This seems to be linked to rails/rails#50604 Indeed, the following is not a sufficient patch: diff --git a/config/initializers/active_record_encryption.rb b/config/initializers/active_record_encryption.rb
index 777bafc273..21e95f7506 100644
--- a/config/initializers/active_record_encryption.rb
+++ b/config/initializers/active_record_encryption.rb
@@ -32,4 +32,5 @@ Rails.application.configure do
config.active_record.encryption.deterministic_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY')
config.active_record.encryption.key_derivation_salt = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT')
config.active_record.encryption.primary_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY')
+ config.active_record.encryption.support_sha1_for_non_deterministic_encryption = true
endBut if I in addition disable eager loading, it works: diff --git a/config/environments/production.rb b/config/environments/production.rb
index a39843e956..f86ebdec94 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -12,7 +12,7 @@ Rails.application.configure do
# your application in memory, allowing both threaded web servers
# and those relying on copy on write to perform better.
# Rake tasks automatically ignore this option for performance.
- config.eager_load = true
+ config.eager_load = false
# Full error reports are disabled and caching is turned on.
config.consider_all_requests_local = false |
|
Using the suggestion from that issue, the following appears to work: diff --git a/config/initializers/active_record_encryption.rb b/config/initializers/active_record_encryption.rb
index 777bafc273..64b6077976 100644
--- a/config/initializers/active_record_encryption.rb
+++ b/config/initializers/active_record_encryption.rb
@@ -32,4 +32,8 @@ Rails.application.configure do
config.active_record.encryption.deterministic_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY')
config.active_record.encryption.key_derivation_salt = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT')
config.active_record.encryption.primary_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY')
+ config.active_record.encryption.support_sha1_for_non_deterministic_encryption = true
+
+ # Use configs now! (to be removed if using Rails 7.1.4+)
+ ActiveRecord::Encryption.configure(**config.active_record.encryption)
end |
mjankowski
force-pushed
the
rails-7-1-defaults-enable
branch
from
9ec35cf
to
9d77b01
Compare
|
Interesting ... I had the fix from that issue ( Added here, with a TODO note pointing to that issue. |
ClearlyClaire
requested changes
Jun 7, 2024
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
ClearlyClaire
approved these changes
Jun 7, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I believe that the remainder of the options which were not already enabled here (in the file deleted in this PR) are safe to enable at this point, and we can flip over to the 7.1 defaults.
However - I know we also want to be deliberate with how people step through upgrades, and we may want the 4.3 release to include an update to Rails 7.1 (4.2.x is on Rails 7.0) but NOT immediately enable all these defaults.
Vaguely related previous PRs:
bin/rails app:updatewith Rails 7.1 #27522Opening this to step through the final remaining changes in this diff, and coordinate the interaction of release timing/versions with when to make this change.