door_mat 0.0.5

data/lib/door_mat/controller.rb

@@ -0,0 +1,117 @@
+
+module DoorMat
+  module Controller
+
+    def sign_out
+      DoorMat::Session.clear_current_session
+      DoorMat::Session.destroy_if_linked_to(cookies)
+
+      DoorMat::AccessToken.clear_current_access_token
+      DoorMat::AccessToken.destroy_if_linked_to(cookies)
+    end
+
+    def lockdown(**options)
+      o = {
+          log_level: :error,
+          log_message: "LOCKDOWN: No log message specified",
+          redirect_to: nil
+      }
+      options = o.merge(options.to_h)
+
+      DoorMat.configuration.logger.send(options[:log_level] , options[:log_message])
+
+      sign_out
+
+      redirect_to options[:redirect_to] || config_url_redirect(:lockdown_default_redirect_url)
+    end
+
+    def handle_unverified_request
+      super
+    rescue ActionController::InvalidAuthenticityToken => e
+      raise e
+    ensure
+      lockdown(log_level: :warn, log_message: 'WARN: handle_unverified_request')
+    end
+
+    def require_valid_session
+      unless DoorMat::Session.current_session.valid?
+        DoorMat::Session.from(cookies, request)
+      else
+        DoorMat.configuration.logger.error "ERROR: are you calling require_valid_session more than once?"
+      end
+      unless DoorMat::Session.current_session.valid?
+        set_session_redirect_to
+
+        redirect_to door_mat.sign_in_url
+      end
+    end
+
+    def require_confirmed_email
+      unless DoorMat::Session.current_session.valid? && (DoorMat::Session.current_session.email.confirmed? || DoorMat::Session.current_session.email.primary?)
+        redirect_to door_mat.email_confirmation_required_url
+      end
+    end
+
+    # To assign a custom amount of delay for a specific filter,
+    # use as follow for a delay of 1 minute:
+    # before_filter -> {require_password_reconfirm(1)}
+    def require_password_reconfirm(minutes_old=nil)
+      minutes_old ||= DoorMat.configuration.password_reconfirm_delay
+
+      if DoorMat::Session.current_session.invalid? || DoorMat::Session.current_session.is_older_than(minutes_old)
+        set_session_redirect_to
+        redirect_to door_mat.reconfirm_password_url
+      end
+    end
+
+    def protected_by_password_less_session(pls_symbols)
+      pls_symbols = Array(pls_symbols)
+      redirect_url = send("#{pls_symbols.first}_url".to_sym)
+
+      if DoorMat::AccessToken.is_cookie_present? cookies
+        DoorMat::AccessToken.validate_from_cookie(cookies, request)
+        if DoorMat::AccessToken.current_access_token.valid? && pls_symbols.include?(DoorMat::AccessToken.current_access_token.token_for.to_sym)
+          return if DoorMat::AccessToken.current_access_token.used? || DoorMat::AccessToken.current_access_token.multiple_use?
+        end
+        DoorMat::AccessToken.destroy_if_linked_to(cookies)
+      end
+
+      set_session_redirect_to
+      redirect_to redirect_url
+    end
+
+    def update_session_last_activity_time
+
+      if DoorMat::Session.current_session.valid?
+        DoorMat::Session.current_session.updated_at = DateTime.current
+        DoorMat::Session.current_session.save
+      end
+
+      if DoorMat::AccessToken.current_access_token.valid?
+        DoorMat::AccessToken.current_access_token.updated_at = DateTime.current
+        DoorMat::AccessToken.current_access_token.save
+      end
+
+    end
+
+    def main_app_root_url
+      [:main_app, :root_url].inject(self) { |lhs, rhs| lhs.send(rhs) }
+    end
+
+    def config_url_redirect(url_token)
+      config_url = DoorMat.configuration.send(url_token)
+      config_url.inject(self) { |lhs, rhs| lhs.send(rhs) } || main_app_root_url
+    end
+
+    private
+
+    def set_session_redirect_to
+      if request.get? && DoorMat.configuration.allow_redirect_to_requested_url
+        session[:redirect_to] = request.url
+      else
+        session.delete(:redirect_to)
+      end
+    end
+
+  end
+end

data/lib/door_mat/crypto.rb

@@ -0,0 +1,49 @@
+require 'door_mat/crypto/secure_compare'
+require 'door_mat/crypto/password_hash'
+require 'door_mat/crypto/symmetric_store'
+require 'door_mat/crypto/asymmetric_store'
+require 'door_mat/crypto/fast_hash'
+
+module DoorMat
+  module Crypto
+
+    def self.encrypt_shared(secrets, with_key)
+      Array(secrets).map do |s|
+        DoorMat::Crypto::SymmetricStore.encrypt(s, with_key)[:ciphertext]
+      end
+    end
+
+    def self.decrypt_shared(secrets, with_key)
+      Array(secrets).map do |s|
+        DoorMat::Crypto::SymmetricStore.decrypt(s, with_key)
+      end
+    end
+
+    def self.current_skip_crypto_callback
+      RequestStore.store[:current_skip_crypto_callback] ||= DoorMat::Crypto::SkipCallback.new
+    end
+
+    def self.skip_crypto_callback
+      DoorMat::Crypto.current_skip_crypto_callback.skip!
+      yield
+    ensure
+      DoorMat::Crypto.current_skip_crypto_callback.reset
+    end
+
+    class SkipCallback
+      def initialize
+        @skip = false
+      end
+      def skip?
+        @skip
+      end
+      def skip!
+        @skip = true
+      end
+      def reset
+        @skip = false
+      end
+    end
+
+  end
+end

data/lib/door_mat/crypto/asymmetric_store.rb

@@ -0,0 +1,77 @@
+require 'openssl'
+
+module DoorMat
+  module Crypto
+    module AsymmetricStore
+
+      def encrypt(plaintext, public_key)
+        raise ArgumentError, 'Plaintext exceeds maximum length of 245 bytes' if plaintext.to_str.bytesize > 245
+        Base64.strict_encode64(public_key.public_encrypt(plaintext.to_str))
+      end
+      module_function :encrypt
+
+      def decrypt(ciphertext, private_key)
+        private_key.private_decrypt(Base64.strict_decode64(ciphertext.to_str))
+      end
+      module_function :decrypt
+
+      def generate_pem_encrypted_pkey_pair_and_key
+        pkey = OpenSSL::PKey::RSA.generate(2048)
+        c = cipher()
+        c.encrypt
+        c.random_iv
+        key = c.random_key
+        pem_encrypted_pkey = ''
+
+        begin
+
+          pem_encrypted_pkey = pkey.to_pem(c, key)
+
+        rescue OpenSSL::PKey::RSAError => e
+          DoorMat.configuration.logger.error "ERROR: spurious error - #{e} for key _#{key}_"
+          key = c.random_key
+          retry
+        end
+
+        {
+            key: Base64.strict_encode64(key),
+            pem_encrypted_pkey: pem_encrypted_pkey
+        }
+      end
+      module_function :generate_pem_encrypted_pkey_pair_and_key
+
+      def private_key_from_pem_encrypted_pkey_pair(pem_encrypted_pkey, key)
+        OpenSSL::PKey::RSA.new(pem_encrypted_pkey.to_str, decode_key(key.to_str))
+      end
+      module_function :private_key_from_pem_encrypted_pkey_pair
+
+      def public_key_from_pem_encrypted_pkey_pair(pem_encrypted_pkey, key)
+        OpenSSL::PKey::RSA.new(pem_encrypted_pkey.to_str, decode_key(key.to_str)).public_key
+      end
+      module_function :public_key_from_pem_encrypted_pkey_pair
+
+      def pem_public_key_from_pem_encrypted_pkey_pair(pem_encrypted_pkey, key)
+        public_key_from_pem_encrypted_pkey_pair(pem_encrypted_pkey.to_str, key.to_str).to_pem
+      end
+      module_function :pem_public_key_from_pem_encrypted_pkey_pair
+
+      def public_key_from_pem_public_key(pem_public_key)
+        OpenSSL::PKey::RSA.new(pem_public_key.to_str).public_key
+      end
+      module_function :public_key_from_pem_public_key
+
+      def cipher
+        OpenSSL::Cipher.new('DES-EDE3-CBC')
+      end
+      module_function :cipher
+
+      def decode_key(key)
+        Base64.strict_decode64(key.to_str).tap do |decoded_key|
+          raise ArgumentError, "Key must be exactly 24 bytes in length" if decoded_key.bytesize != 24
+        end
+      end
+      module_function :decode_key
+
+    end
+  end
+end

data/lib/door_mat/crypto/fast_hash.rb

@@ -0,0 +1,17 @@
+require 'openssl'
+
+module DoorMat
+  module Crypto
+    module FastHash
+      
+      def sha256(data)
+        sha256 = OpenSSL::Digest::SHA256.new
+        Base64.urlsafe_encode64(
+          sha256.digest(data.to_str)
+        )
+      end
+      module_function :sha256
+
+    end
+  end
+end

data/lib/door_mat/crypto/password_hash.rb

@@ -0,0 +1,39 @@
+require 'openssl'
+require 'bcrypt'
+
+module DoorMat
+  module Crypto
+    module PasswordHash
+
+      def pbkdf2_salt(salt_length=nil, password_length=nil, iterations=nil)
+        salt_length ||= DoorMat.configuration.crypto_pbkdf2_salt_length
+        password_length ||= DoorMat.configuration.crypto_pbkdf2_password_length
+        iterations ||= DoorMat.configuration.crypto_pbkdf2_iterations
+
+        [password_length, iterations, OpenSSL::Random.random_bytes(salt_length)].map { |s| Base64.strict_encode64(s.to_s)}.join('--')
+      end
+      module_function :pbkdf2_salt
+
+      def pbkdf2_hash(password, salt)
+        length, iterations, salt = salt.to_str.split('--').map { |s| Base64.strict_decode64(s) }
+        Base64.strict_encode64(
+            OpenSSL::PKCS5.pbkdf2_hmac_sha1(password.to_str, salt, Integer(iterations), Integer(length))
+        )
+      end
+      module_function :pbkdf2_hash
+
+      def bcrypt_salt(cost=nil)
+        cost ||= DoorMat.configuration.crypto_bcrypt_cost
+        BCrypt::Engine.generate_salt(Integer(cost))
+      end
+      module_function :bcrypt_salt
+
+      def bcrypt_hash(password, salt=nil)
+        salt ||= bcrypt_salt
+        BCrypt::Engine.hash_secret(password.to_str, salt.to_str)
+      end
+      module_function :bcrypt_hash
+
+    end
+  end
+end

data/lib/door_mat/crypto/secure_compare.rb

@@ -0,0 +1,23 @@
+require "securerandom"
+
+module DoorMat
+  module Crypto
+
+    # http://groups.google.com/group/rubyonrails-security/browse_thread/thread/da57f883530352ee#
+    # constant-time comparison algorithm to prevent timing attacks
+    def secure_compare(lhs, rhs, constant_length=nil)
+      constant_length ||= DoorMat.configuration.crypto_secure_compare_default_length
+      constant_length = [constant_length.to_int, lhs.to_str.bytesize, rhs.to_str.bytesize].max
+      random_padding = SecureRandom.random_bytes(constant_length)
+
+      l = lhs.to_str.ljust(constant_length, random_padding).unpack "C#{constant_length}"
+      r = rhs.to_str.ljust(constant_length, random_padding).unpack "C#{constant_length}"
+
+      result = 0
+      l.zip(r) { |a,b| result |= a ^ b }
+      0 == result
+    end
+    module_function :secure_compare
+
+  end
+end

data/lib/door_mat/crypto/symmetric_store.rb

@@ -0,0 +1,68 @@
+require 'openssl'
+
+module DoorMat
+  module Crypto
+    module SymmetricStore
+
+      def encrypt(plaintext, key=nil)
+        c = cipher()
+        c.encrypt
+        key = if key.nil?
+                c.random_key
+              else
+                c.key = decode_key(key.to_str)
+              end
+        iv = c.random_iv
+        plaintext_str = plaintext.to_str
+        if plaintext_str.blank?
+          return {
+              key: Base64.strict_encode64(key),
+              ciphertext: ""
+          }
+        end
+        encrypted_string = c.update(plaintext_str) + c.final
+        encoding = plaintext_str.encoding.name
+
+        {
+            key: Base64.strict_encode64(key),
+            ciphertext: [encoding, c.auth_tag, iv, encrypted_string].map { |s| Base64.strict_encode64(s)}.join('--')
+        }
+      end
+      module_function :encrypt
+
+      def decrypt(ciphertext, key)
+        return "" if ciphertext.to_str.blank?
+
+        c = cipher()
+        c.decrypt
+        c.key = decode_key(key.to_str)
+        encoding, auth_tag, iv, encrypted_string = ciphertext.to_str.split('--').map { |s| Base64.strict_decode64(s) }
+        c.iv = iv
+        c.auth_tag = auth_tag
+        plaintext_str = c.update(encrypted_string) + c.final
+        plaintext_str.force_encoding(encoding)
+      end
+      module_function :decrypt
+
+      def cipher
+        OpenSSL::Cipher.new('aes-256-gcm')
+      end
+      module_function :cipher
+
+      def decode_key(key)
+        Base64.strict_decode64(key.to_str).tap do |decoded_key|
+          raise ArgumentError, "Key must be exactly 32 bytes in length" if decoded_key.bytesize != 32
+        end
+      end
+      module_function :decode_key
+
+      def random_key
+        c = cipher()
+        c.encrypt
+        Base64.strict_encode64(c.random_key)
+      end
+      module_function :random_key
+
+    end
+  end
+end

data/lib/door_mat/engine.rb

@@ -0,0 +1,23 @@
+module DoorMat
+  class Engine < ::Rails::Engine
+    isolate_namespace DoorMat
+
+    initializer "door_mat.filter" do |app|
+      app.config.filter_parameters += [:password]
+    end
+
+    # http://pivotallabs.com/leave-your-migrations-in-your-rails-engines/
+    initializer :append_migrations do |app|
+      unless app.root.to_s.match root.to_s
+        config.paths["db/migrate"].expanded.each do |expanded_path|
+          app.config.paths["db/migrate"] << expanded_path
+        end
+      end
+    end
+
+    config.generators do |g|
+      g.test_framework :rspec, :fixture => false
+      g.fixture_replacement :factory_girl, :dir => 'spec/factories'
+    end
+  end
+end

data/lib/door_mat/process/actor_password_change.rb

@@ -0,0 +1,65 @@
+module DoorMat
+  module Process
+    class ActorPasswordChange
+
+      def self.after_password_reset(actor, new_password, recovery_key)
+        Session.clear_current_session
+        return false unless Session.current_session.recovery_key_restore(actor, recovery_key)
+        with(actor, new_password, nil, false)
+      end
+
+      def self.with(actor, new_password, old_password='', save_session=true)
+        actor.with_lock do
+
+          unless old_password.nil?
+            return false unless actor.authenticate(old_password)
+          end
+
+          session = DoorMat::Session.current_session
+          if save_session
+            session = DoorMat::Session.current_session.reload
+            unless session.valid?
+              return false
+            end
+          end
+
+          actor.re_key_with(new_password)
+          session.re_key_with(actor, new_password)
+
+          pem_key = session.decrypt(actor.encrypted_pem_key)
+          actor.encrypted_pem_key = session.encrypt(pem_key)
+
+          actor.save!
+          session.save! if save_session
+
+          keys = Actor.reflections.keys.select {|item| Actor.reflections[item].klass.methods.include?(:attr_symmetric_store)}
+          keys.each do |key|
+            collection = actor.send(key)
+            unless collection.blank?
+              if collection.respond_to? :find_each
+                collection.find_each do |record|
+                  record.save!
+                end
+              else
+                collection.save!
+              end
+            end
+          end
+
+          actor.keep_only_this_session! session
+
+        end
+
+        ActivityDownloadRecoveryKey.for(actor)
+        true
+      rescue ActiveRecord::RecordNotFound => e
+        DoorMat.configuration.logger.warn "WARN: Failed to change actor password - #{e}"
+        false
+      rescue Exception => e
+        DoorMat.configuration.logger.error "ERROR: Failed to change actor password - #{e}"
+        raise e
+      end
+
+    end
+  end
+end