devise-encryptable 0.1.0

data/gemfiles/Gemfile.rails-3.1.x

@@ -0,0 +1,15 @@
+source 'https://rubygems.org'
+
+gem "devise-encryptable", :path => ".."
+
+gem 'devise', :git => "git://github.com/plataformatec/devise.git", :branch => "removing_encryptable"
+gem 'minitest'
+gem 'rails', "3.1.4"
+gem 'sqlite3'
+
+gem 'mocha', :require => false
+
+gem 'pry'
+gem 'pry-doc'
+gem 'pry-nav'
+gem 'awesome_print'

data/gemfiles/Gemfile.rails-3.1.x.lock

@@ -0,0 +1,136 @@
+GIT
+  remote: git://github.com/plataformatec/devise.git
+  revision: 0d868b9ec1e0c7d3a041bb65c2889b5bd23d65dc
+  branch: removing_encryptable
+  specs:
+    devise (2.1.0.rc)
+      bcrypt-ruby (~> 3.0)
+      orm_adapter (~> 0.0.7)
+      railties (~> 3.1)
+      warden (~> 1.1.1)
+
+PATH
+  remote: ..
+  specs:
+    devise-encryptable (0.0.1)
+      devise (~> 2.1.0.rc)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionmailer (3.1.4)
+      actionpack (= 3.1.4)
+      mail (~> 2.3.0)
+    actionpack (3.1.4)
+      activemodel (= 3.1.4)
+      activesupport (= 3.1.4)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      i18n (~> 0.6)
+      rack (~> 1.3.6)
+      rack-cache (~> 1.1)
+      rack-mount (~> 0.8.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.0.3)
+    activemodel (3.1.4)
+      activesupport (= 3.1.4)
+      builder (~> 3.0.0)
+      i18n (~> 0.6)
+    activerecord (3.1.4)
+      activemodel (= 3.1.4)
+      activesupport (= 3.1.4)
+      arel (~> 2.2.3)
+      tzinfo (~> 0.3.29)
+    activeresource (3.1.4)
+      activemodel (= 3.1.4)
+      activesupport (= 3.1.4)
+    activesupport (3.1.4)
+      multi_json (~> 1.0)
+    arel (2.2.3)
+    awesome_print (1.0.2)
+    bcrypt-ruby (3.0.1)
+    builder (3.0.0)
+    coderay (1.0.6)
+    erubis (2.7.0)
+    hike (1.2.1)
+    i18n (0.6.0)
+    json (1.7.1)
+    mail (2.3.3)
+      i18n (>= 0.4.0)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    metaclass (0.0.1)
+    method_source (0.7.1)
+    mime-types (1.18)
+    minitest (3.0.0)
+    mocha (0.11.4)
+      metaclass (~> 0.0.1)
+    multi_json (1.3.4)
+    orm_adapter (0.0.7)
+    polyglot (0.3.3)
+    pry (0.9.9.4)
+      coderay (~> 1.0.5)
+      method_source (~> 0.7.1)
+      slop (>= 2.4.4, < 3)
+    pry-doc (0.4.1)
+      pry (>= 0.9.0)
+      yard (~> 0.7.4)
+    pry-nav (0.2.1)
+      pry (~> 0.9.9)
+    rack (1.3.6)
+    rack-cache (1.2)
+      rack (>= 0.4)
+    rack-mount (0.8.3)
+      rack (>= 1.0.0)
+    rack-ssl (1.3.2)
+      rack
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rails (3.1.4)
+      actionmailer (= 3.1.4)
+      actionpack (= 3.1.4)
+      activerecord (= 3.1.4)
+      activeresource (= 3.1.4)
+      activesupport (= 3.1.4)
+      bundler (~> 1.0)
+      railties (= 3.1.4)
+    railties (3.1.4)
+      actionpack (= 3.1.4)
+      activesupport (= 3.1.4)
+      rack-ssl (~> 1.3.2)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (~> 0.14.6)
+    rake (0.9.2.2)
+    rdoc (3.12)
+      json (~> 1.4)
+    slop (2.4.4)
+    sprockets (2.0.4)
+      hike (~> 1.2)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    sqlite3 (1.3.6)
+    thor (0.14.6)
+    tilt (1.3.3)
+    treetop (1.4.10)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.33)
+    warden (1.1.1)
+      rack (>= 1.0)
+    yard (0.7.5)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  awesome_print
+  devise!
+  devise-encryptable!
+  minitest
+  mocha
+  pry
+  pry-doc
+  pry-nav
+  rails (= 3.1.4)
+  sqlite3

data/lib/devise-encryptable.rb

@@ -0,0 +1 @@
+require "devise/encryptable/encryptable"

data/lib/devise/encryptable/encryptable.rb

@@ -0,0 +1,28 @@
+module Devise
+
+  # Declare encryptors length which are used in migrations.
+  ENCRYPTORS_LENGTH = {
+    :sha1   => 40,
+    :sha512 => 128,
+    :clearance_sha1 => 40,
+    :restful_authentication_sha1 => 40,
+    :authlogic_sha512 => 128
+  }
+
+  # Used to define the password encryption algorithm.
+  mattr_accessor :encryptor
+  @@encryptor = nil
+
+  module Encryptable
+    module Encryptors
+      autoload :AuthlogicSha512, 'devise/encryptable/encryptors/authlogic_sha512'
+      autoload :Base, 'devise/encryptable/encryptors/base'
+      autoload :ClearanceSha1, 'devise/encryptable/encryptors/clearance_sha1'
+      autoload :RestfulAuthenticationSha1, 'devise/encryptable/encryptors/restful_authentication_sha1'
+      autoload :Sha1, 'devise/encryptable/encryptors/sha1'
+      autoload :Sha512, 'devise/encryptable/encryptors/sha512'
+    end
+  end
+end
+
+Devise.add_module(:encryptable, :model => 'devise/encryptable/model')

data/lib/devise/encryptable/encryptors/authlogic_sha512.rb

@@ -0,0 +1,21 @@
+require "digest/sha2"
+
+module Devise
+  module Encryptable
+    module Encryptors
+      # = AuthlogicSha512
+      # Simulates Authlogic's default encryption mechanism.
+      # Warning: it uses Devise's stretches configuration to port Authlogic's one. Should be set to 20 in the initializer to simulate
+      #  the default behavior.
+      class AuthlogicSha512 < Base
+        # Generates a default password digest based on salt, pepper and the
+        # incoming password.
+        def self.digest(password, stretches, salt, pepper)
+          digest = [password, salt].flatten.join('')
+          stretches.times { digest = Digest::SHA512.hexdigest(digest) }
+          digest
+        end
+      end
+    end
+  end
+end

data/lib/devise/encryptable/encryptors/base.rb

@@ -0,0 +1,26 @@
+module Devise
+  # Implements a way of adding different encryptions.
+  # The class should implement a self.digest method that taks the following params:
+  #   - password
+  #   - stretches: the number of times the encryption will be applied
+  #   - salt: the password salt as defined by devise
+  #   - pepper: Devise config option
+  #
+  module Encryptable
+    module Encryptors
+      class Base
+        def self.digest
+          raise NotImplemented
+        end
+
+        def self.salt(stretches)
+          Devise.friendly_token[0,20]
+        end
+
+        def self.compare(encrypted_password, password, stretches, salt, pepper)
+          Devise.secure_compare(encrypted_password, digest(password, stretches, salt, pepper))
+        end
+      end
+    end
+  end
+end

data/lib/devise/encryptable/encryptors/clearance_sha1.rb

@@ -0,0 +1,19 @@
+require "digest/sha1"
+
+module Devise
+  module Encryptable
+    module Encryptors
+      # = ClearanceSha1
+      # Simulates Clearance's default encryption mechanism.
+      # Warning: it uses Devise's pepper to port the concept of REST_AUTH_SITE_KEY
+      # Warning: it uses Devise's stretches configuration to port the concept of REST_AUTH_DIGEST_STRETCHES
+      class ClearanceSha1 < Base
+        # Generates a default password digest based on salt, pepper and the
+        # incoming password.
+        def self.digest(password, stretches, salt, pepper)
+          Digest::SHA1.hexdigest("--#{salt}--#{password}--")
+        end
+      end
+    end
+  end
+end

data/lib/devise/encryptable/encryptors/restful_authentication_sha1.rb

@@ -0,0 +1,24 @@
+require "digest/sha1"
+
+module Devise
+  module Encryptable
+    module Encryptors
+      # = RestfulAuthenticationSha1
+      # Simulates Restful Authentication's default encryption mechanism.
+      # Warning: it uses Devise's pepper to port the concept of REST_AUTH_SITE_KEY
+      # Warning: it uses Devise's stretches configuration to port the concept of REST_AUTH_DIGEST_STRETCHES. Should be set to 10 in
+      # the initializer to simulate the default behavior.
+      class RestfulAuthenticationSha1 < Base
+
+        # Generates a default password digest based on salt, pepper and the
+        # incoming password.
+        def self.digest(password, stretches, salt, pepper)
+          digest = pepper
+          stretches.times { digest = Digest::SHA1.hexdigest([digest, salt, password, pepper].flatten.join('--')) }
+          digest
+        end
+
+      end
+    end
+  end
+end

data/lib/devise/encryptable/encryptors/sha1.rb

@@ -0,0 +1,27 @@
+require "digest/sha1"
+
+module Devise
+  module Encryptable
+    module Encryptors
+      # = Sha1
+      # Uses the Sha1 hash algorithm to encrypt passwords.
+      class Sha1 < Base
+        # Generates a default password digest based on stretches, salt, pepper and the
+        # incoming password.
+        def self.digest(password, stretches, salt, pepper)
+          digest = pepper
+          stretches.times { digest = self.secure_digest(salt, digest, password, pepper) }
+          digest
+        end
+
+      private
+
+        # Generate a SHA1 digest joining args. Generated token is something like
+        #   --arg1--arg2--arg3--argN--
+        def self.secure_digest(*tokens)
+          ::Digest::SHA1.hexdigest('--' << tokens.flatten.join('--') << '--')
+        end
+      end
+    end
+  end
+end

data/lib/devise/encryptable/encryptors/sha512.rb

@@ -0,0 +1,27 @@
+require "digest/sha2"
+
+module Devise
+  module Encryptable
+    module Encryptors
+      # = Sha512
+      # Uses the Sha512 hash algorithm to encrypt passwords.
+      class Sha512 < Base
+        # Generates a default password digest based on salt, pepper and the
+        # incoming password.
+        def self.digest(password, stretches, salt, pepper)
+          digest = pepper
+          stretches.times { digest = self.secure_digest(salt, digest, password, pepper) }
+          digest
+        end
+
+      private
+
+        # Generate a Sha512 digest joining args. Generated token is something like
+        #   --arg1--arg2--arg3--argN--
+        def self.secure_digest(*tokens)
+          ::Digest::SHA512.hexdigest('--' << tokens.flatten.join('--') << '--')
+        end
+      end
+    end
+  end
+end

data/lib/devise/encryptable/model.rb

@@ -0,0 +1,86 @@
+require 'devise/strategies/database_authenticatable'
+
+module Devise
+  module Models
+    # Encryptable module adds support to several encryptors wrapping
+    # them in a salt and pepper mechanism to increase security.
+    #
+    # == Options
+    #
+    # Encryptable adds the following options to devise_for:
+    #
+    #   * +pepper+: a random string used to provide a more secure hash.
+    #
+    #   * +encryptor+: the encryptor going to be used. By default is nil.
+    #
+    # == Examples
+    #
+    #    User.find(1).valid_password?('password123') # returns true/false
+    #
+    module Encryptable
+      extend ActiveSupport::Concern
+
+      included do
+        attr_reader :password, :current_password
+        attr_accessor :password_confirmation
+      end
+
+      def self.required_fields(klass)
+        [:password_salt]
+      end
+
+      # Generates password salt when setting the password.
+      def password=(new_password)
+        self.password_salt = self.class.password_salt if new_password.present?
+        super
+      end
+
+      # Validates the password considering the salt.
+      def valid_password?(password)
+        return false if encrypted_password.blank?
+        encryptor_class.compare(encrypted_password, password, self.class.stretches, authenticatable_salt, self.class.pepper)
+      end
+
+      # Overrides authenticatable salt to use the new password_salt
+      # column. authenticatable_salt is used by `valid_password?`
+      # and by other modules whenever there is a need for a random
+      # token based on the user password.
+      def authenticatable_salt
+        self.password_salt
+      end
+
+    protected
+
+      # Digests the password using the configured encryptor.
+      def password_digest(password)
+        if password_salt.present?
+          encryptor_class.digest(password, self.class.stretches, authenticatable_salt, self.class.pepper)
+        end
+      end
+
+      def encryptor_class
+        self.class.encryptor_class
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :encryptor)
+
+        # Returns the class for the configured encryptor.
+        def encryptor_class
+          @encryptor_class ||= case encryptor
+            when :bcrypt
+              raise "In order to use bcrypt as encryptor, simply remove :encryptable from your devise model"
+            when nil
+              raise "You need to give an :encryptor as option in order to use :encryptable"
+            else
+              Devise::Encryptable::Encryptors.const_get(encryptor.to_s.classify)
+          end
+        end
+
+        def password_salt
+          self.encryptor_class.salt(self.stretches)
+        end
+      end
+    end
+  end
+end

data/lib/devise/encryptable/version.rb

@@ -0,0 +1,5 @@
+module Devise
+  module Encryptable
+    VERSION = "0.1.0"
+  end
+end

data/test/devise/encryptable/encryptable_test.rb

@@ -0,0 +1,65 @@
+require "test_helper"
+
+class EncryptableTest < ActiveSupport::TestCase
+  include Support::Assertions
+  include Support::Factories
+  include Support::Swappers
+
+  def encrypt_password(admin, pepper=Admin.pepper, stretches=Admin.stretches, encryptor=Admin.encryptor_class)
+    encryptor.digest('123456', stretches, admin.password_salt, pepper)
+  end
+
+  test 'should generate salt while setting password' do
+    assert_present create_admin.password_salt
+  end
+
+  test 'should not change password salt when updating' do
+    admin = create_admin
+    salt = admin.password_salt
+    admin.expects(:password_salt=).never
+    admin.save!
+    assert_equal salt, admin.password_salt
+  end
+
+  test 'should generate a base64 hash using SecureRandom for password salt' do
+    swap_with_encryptor Admin, :sha1 do
+      SecureRandom.expects(:base64).with(15).returns('01lI').once
+      salt = create_admin.password_salt
+      assert_not_equal '01lI', salt
+      assert_equal 4, salt.size
+    end
+  end
+
+  test 'should not generate salt if password is blank' do
+    assert_blank create_admin(:password => nil).password_salt
+    assert_blank create_admin(:password => '').password_salt
+  end
+
+  test 'should encrypt password again if password has changed' do
+    admin = create_admin
+    encrypted_password = admin.encrypted_password
+    admin.password = admin.password_confirmation = 'new_password'
+    admin.save!
+    assert_not_equal encrypted_password, admin.encrypted_password
+  end
+
+  test 'should respect encryptor configuration' do
+    swap_with_encryptor Admin, :sha512 do
+      admin = create_admin
+      assert_equal admin.encrypted_password, encrypt_password(admin, Admin.pepper, Admin.stretches, Devise::Encryptable::Encryptors::Sha512)
+    end
+  end
+
+  test 'should not validate password when salt is nil' do
+    admin = create_admin
+    admin.password_salt = nil
+    admin.save
+    assert_not admin.valid_password?('123456')
+  end
+
+  test 'required_fields should contain the fields that Devise uses' do
+    assert_same_content Devise::Models::Encryptable.required_fields(Admin), [
+      :password_salt
+    ]
+  end
+end