Detach Messages::Rotator from SecureCompareRotator

jonathanhefner · jonathanhefner · commit 9e5c7cfd9aca · 2023-02-08T15:20:01.000-06:00
Prior to this commit, `ActiveSupport::SecureCompareRotator` used
`ActiveSupport::Messages::Rotator` for part of its rotation logic, even
though `SecureCompareRotator` is entirely unrelated to messages.  This
made it precarious to alter `Messages::Rotator`, especially because
`Messages::Rotator` was `prepend`ed to `SecureCompareRotator` rather
than `include`d.

This commit reimplements `SecureCompareRotator` without
`Messages::Rotator`, which simplifies the logic and, as a bonus,
improves performance:

  ```ruby
  # frozen_string_literal: true
  require "benchmark/ips"
  require "active_support/all"

  comparer = ActiveSupport::SecureCompareRotator.new("new secret")
  comparer.rotate("old secret")

  Benchmark.ips do |x|
    x.report("compare old") do
      comparer.secure_compare!("old secret")
    end
  end
  ```

__Before__

  ```
  Warming up --------------------------------------
           compare old    72.073k i/100ms
  Calculating -------------------------------------
           compare old    719.844k (± 1.0%) i/s -      3.604M in   5.006682s
  ```

__After__

  ```
  Warming up --------------------------------------
           compare old   147.486k i/100ms
  Calculating -------------------------------------
           compare old      1.473M (± 0.9%) i/s -      7.374M in   5.006655s
  ```
diff --git a/activesupport/lib/active_support/secure_compare_rotator.rb b/activesupport/lib/active_support/secure_compare_rotator.rb
@@ -29,23 +29,28 @@ module ActiveSupport
   #   end
   class SecureCompareRotator
     include SecurityUtils
-    prepend Messages::Rotator
 
     InvalidMatch = Class.new(StandardError)
 
-    def initialize(value, **_options)
+    def initialize(value, on_rotation: nil)
       @value = value
+      @rotate_values = []
+      @on_rotation = on_rotation
     end
 
-    def secure_compare!(other_value, on_rotation: @on_rotation)
-      secure_compare(@value, other_value) ||
-        run_rotations(on_rotation) { |wrapper| wrapper.secure_compare!(other_value) } ||
-        raise(InvalidMatch)
+    def rotate(previous_value)
+      @rotate_values << previous_value
     end
 
-    private
-      def build_rotation(previous_value, **_options)
-        self.class.new(previous_value)
+    def secure_compare!(other_value, on_rotation: @on_rotation)
+      if secure_compare(@value, other_value)
+        true
+      elsif @rotate_values.any? { |value| secure_compare(value, other_value) }
+        on_rotation&.call
+        true
+      else
+        raise InvalidMatch
       end
+    end
   end
 end
