Opt in to remaining Rails 7.1 defaults #30332
I have not managed to identify which config change causes this, but this PR still makes TOTP secret decryption fail with:
ActiveRecord::Encryption::Errors::Decryption (ActiveRecord::Encryption::Errors::Decryption):
activerecord (7.1.3.4) lib/active_record/encryption/encryptor.rb:58:in `rescue in decrypt'
activerecord (7.1.3.4) lib/active_record/encryption/encryptor.rb:52:in `decrypt'
activerecord (7.1.3.4) lib/active_record/encryption/encrypted_attribute_type.rb:90:in `block in decrypt'
activerecord (7.1.3.4) lib/active_record/encryption/scheme.rb:69:in `with_context'
activerecord (7.1.3.4) lib/active_record/encryption/encrypted_attribute_type.rb:15:in `with_context'
activerecord (7.1.3.4) lib/active_record/encryption/encrypted_attribute_type.rb:85:in `decrypt'
activerecord (7.1.3.4) lib/active_record/encryption/encrypted_attribute_type.rb:36:in `deserialize'
activemodel (7.1.3.4) lib/active_model/attribute_set/builder.rb:52:in `block in fetch_value'
activemodel (7.1.3.4) lib/active_model/attribute_set/builder.rb:46:in `fetch'
activemodel (7.1.3.4) lib/active_model/attribute_set/builder.rb:46:in `fetch_value'
Does that mean we should have set this to SHA256 before we ever started using ActiveRecord Encryption, but we are now stuck out of it?
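The decryption error reported above is what a change of key-derivation digest looks like at the crypto level. The following is an added sketch, not code from this PR or from Rails: it models key derivation with PBKDF2 and AES-256-GCM from Ruby's OpenSSL library, and the key, salt, iteration count and helper names are constructed for illustration.

```ruby
require "openssl"

# Constructed sample values, not real application configuration.
PRIMARY_KEY = "constructed-primary-key"
SALT        = "constructed-key-derivation-salt"
ITERATIONS  = 2**16 # assumption: illustrative iteration count
KEY_LEN     = 32    # AES-256 key size in bytes

# Derive the AES key from the configured secret with the given digest class.
def derive_key(digest_class)
  OpenSSL::PKCS5.pbkdf2_hmac(PRIMARY_KEY, SALT, ITERATIONS, KEY_LEN, digest_class.new)
end

def encrypt(plaintext, digest_class)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(digest_class)
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, tag: cipher.auth_tag, ciphertext: ciphertext }
end

# Returns the plaintext, or nil when the GCM tag does not verify (wrong key).
def decrypt(message, digest_class)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = derive_key(digest_class)
  cipher.iv = message[:iv]
  cipher.auth_tag = message[:tag]
  cipher.update(message[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Try each digest in order, the way a SHA-1 compatibility fallback would.
def decrypt_with_fallback(message, digest_classes)
  digest_classes.each do |digest_class|
    plaintext = decrypt(message, digest_class)
    return [plaintext, digest_class] if plaintext
  end
  nil
end

# A value stored while keys were still derived with SHA-1.
STORED = encrypt("constructed-otp-secret", OpenSSL::Digest::SHA1)
```

With only SHA-256 in the list the stored value is unreadable even though the secret and salt are unchanged; adding SHA-1 as a fallback recovers it, and re-encrypting on read would migrate it to the new digest.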
This seems to be linked to rails/rails#50604.
Indeed, the following is not a sufficient patch:
diff --git a/config/initializers/active_record_encryption.rb b/config/initializers/active_record_encryption.rb
index 777bafc273..21e95f7506 100644
--- a/config/initializers/active_record_encryption.rb
+++ b/config/initializers/active_record_encryption.rb
@@ -32,4 +32,5 @@ Rails.application.configure do
config.active_record.encryption.deterministic_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY')
config.active_record.encryption.key_derivation_salt = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT')
config.active_record.encryption.primary_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY')
+ config.active_record.encryption.support_sha1_for_non_deterministic_encryption = true
end
But if I in addition disable eager loading, it works:
diff --git a/config/environments/production.rb b/config/environments/production.rb
index a39843e956..f86ebdec94 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -12,7 +12,7 @@ Rails.application.configure do
# your application in memory, allowing both threaded web servers
# and those relying on copy on write to perform better.
# Rake tasks automatically ignore this option for performance.
- config.eager_load = true
+ config.eager_load = false
# Full error reports are disabled and caching is turned on.
config.consider_all_requests_local = false |
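Review bot: `config.eager_load = false` in config/environments/production.rb should not be merged as the fix. The context lines of this same hunk say eager loading is what lets threaded web servers and those relying on copy on write perform better, so turning it off trades production performance for a workaround. Treat the result as a diagnostic that the encryption settings are sensitive to load order, keep `config.eager_load = true`, and address the ordering in the encryption initializer instead.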
Using the suggestion from that issue, the following appears to work:
diff --git a/config/initializers/active_record_encryption.rb b/config/initializers/active_record_encryption.rb
index 777bafc273..64b6077976 100644
--- a/config/initializers/active_record_encryption.rb
+++ b/config/initializers/active_record_encryption.rb
@@ -32,4 +32,8 @@ Rails.application.configure do
config.active_record.encryption.deterministic_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY')
config.active_record.encryption.key_derivation_salt = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT')
config.active_record.encryption.primary_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY')
+ config.active_record.encryption.support_sha1_for_non_deterministic_encryption = true
+
+ # Use configs now! (to be removed if using Rails 7.1.4+)
+ ActiveRecord::Encryption.configure(**config.active_record.encryption)
end |
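Review bot: the comment above the added `ActiveRecord::Encryption.configure(**config.active_record.encryption)` call says only "Use configs now!" and names a removal version, without saying why the call is needed or where the bug is tracked. Suggest referencing rails/rails#50604 in that comment so the workaround can be found and dropped once the app is on Rails 7.1.4+. The added `support_sha1_for_non_deterministic_encryption = true` line has no comment either; one stating that it keeps values encrypted before the 7.1 defaults decryptable would help whoever later decides whether SHA-1 support can be removed.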
Interesting ... I had the fix from that issue ( Added here, with a TODO note pointing to that issue.
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
I have yet to extensively test it in a real environment, but it looks good so far.
I believe that the remainder of the options which were not already enabled here (in the file deleted in this PR) are safe to enable at this point, and we can flip over to the 7.1 defaults.
However - I know we also want to be deliberate with how people step through upgrades, and we may want the 4.3 release to include an update to Rails 7.1 (4.2.x is on Rails 7.0) but NOT immediately enable all these defaults.
Vaguely related previous PRs:
bin/rails app:update with Rails 7.1 #27522
Opening this to step through the final remaining changes in this diff, and coordinate the interaction of release timing/versions with when to make this change.