google-authenticator-rails 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6e07d6a504c407dcba055225bbf2104d5983bf25
-  data.tar.gz: 93f1201bd747aa4347a29451eaca75aafd47d592
+  metadata.gz: 1b0e27a878d00efaf2b62b132ee490bed3b51135
+  data.tar.gz: 20d199184ac7af414fa73af13f2ca25f09df9818
 SHA512:
-  metadata.gz: d0669bb6d3a4ab9302f5949e04a8c55ae773897616677df1e41c7d822ba96d378a76db1c6fa9d4ef737542407523ec138926ddbcfd0c2741d0048a5e3927b001
-  data.tar.gz: 8b6d963870e3c18b50cc4b4869e84d8caf147f098589e43981291678bb4eb6920176d4899278ca4d4b194a43ab6c5abc26fa5c683e467fdebf7aed3506c97326
+  metadata.gz: 17402d2412a5d8eef21fc856f3db1c50df5258e141144b2680842836429e5ef69d286246519296d6a0112de3150c30e2203e1b6b543635632dcca4f756dc7f94
+  data.tar.gz: 139193758c98d494c3b143edf136190b0d4f90ab6800af6d077464c8e2d0ed464b205d1c2089803e5296ea396c0045038e49fa686fbc74c3dc00329e623893df

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,46 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at jared.online@gmail.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/README.md

@@ -327,6 +327,33 @@ If you want to manually destroy the MFA cookie (for example, when a user logs ou
 UserMfaSession::destroy
 ```
 
+## Storing Secrets in Encrypted Form
+
+Normally, if an attacker gets access to the application database, they will be able to generate correct authentication codes,
+elmininating the security gains from two-factor authentication. If the application's ```secret_key_base``` is handled more securely
+than the database (by, for example, never putting it on the server filesystem), protection against database compromise can
+be gained by setting the ```:encrypt_secrets``` option to ```true```. Newly-created secrets will then be stored in encrypted
+form.
+
+Existing non-encrypted secrets for all models for which the ```:encrypt_secrets``` option has been set to ```true```
+can be encrypted by running
+```bash
+  rails google_authenticator:encrypt_secrets
+```
+This may be reversed by running
+```bash
+  rails google_authenticator:decrypt_secrets
+```
+then by removing, or setting ```false```, the ```:encrypt_secrets``` option.
+
+If ```secret_key_base``` needs to change, set ```old_secret_key_base``` to the old key in ```config/secrets.yml``` before generating the new key.
+Then run
+```bash
+  rails google_authenticator:reencrypt_secrets
+```
+to change all encrypted google secret fields to use the new key.
+
+
 ## Contributing
 
 1. Fork it

data/google-authenticator.gemspec

@@ -22,6 +22,7 @@ Gem::Specification.new do |gem|
   gem.version       = Google::Authenticator::Rails::VERSION
 
   gem.add_dependency "rotp", "= 1.6.1"
+  gem.add_dependency "rails"
   gem.add_dependency "activerecord"
   gem.add_dependency "google-qr"
   gem.add_dependency "actionpack"

data/lib/google-authenticator-rails.rb

@@ -1,5 +1,6 @@
 # Stuff the gem requires
 #
+require 'rails'
 require 'active_support'
 require 'active_record'
 require 'openssl'
@@ -23,6 +24,12 @@ GOOGLE_AUTHENTICATOR_RAILS_PATH = File.dirname(__FILE__) + "/google-authenticato
 # Sets up some basic accessors for use with the ROTP module
 #
 module GoogleAuthenticatorRails
+  class Railtie < Rails::Railtie
+    rake_tasks do
+      load 'tasks/google_authenticator.rake'
+    end
+  end
+    
   # Drift is set to 6 because ROTP drift is not inclusive. This allows a drift of 5 seconds.
   DRIFT = 6
 

data/lib/google-authenticator-rails/active_record/acts_as_google_authenticated.rb

@@ -20,6 +20,7 @@ module GoogleAuthenticatorRails # :nodoc:
       #
       #   @user = user.new
       #   @user.set_google_secret           # => true
+      #   @user.google_secret_value         # => 16-character decrypted secret
       #   @user.google_qr_uri               # => http://path.to.google/qr?with=params
       #   @user.google_authentic?(123456)   # => true
       #
@@ -84,18 +85,22 @@ module GoogleAuthenticatorRails # :nodoc:
         #             to ""
         #   [:qr_size] the size of the QR code generated by `google_qr_uri`, defaults
         #              to "200x200"
+        #   If [:encrypt_secrets] is true, secrets will be encrypted with a key derived from
+        #              `secret_key_base`.
+        #
         def acts_as_google_authenticated(options = {})
-          @google_label_column  = options[:column_name]           || :email
-          @google_label_method  = options[:method]                || :default_google_label_method
-          @google_secret_column = options[:google_secret_column]  || :google_secret
-          @google_lookup_token  = options[:lookup_token]          || :persistence_token
-          @google_drift         = options[:drift]                 || GoogleAuthenticatorRails::DRIFT
-          @google_issuer        = options[:issuer]
-          @google_qr_size       = options[:qr_size]               || '200x200'
+          @google_label_column      = options[:column_name]           || :email
+          @google_label_method      = options[:method]                || :default_google_label_method
+          @google_secret_column     = options[:google_secret_column]  || :google_secret
+          @google_lookup_token      = options[:lookup_token]          || :persistence_token
+          @google_drift             = options[:drift]                 || GoogleAuthenticatorRails::DRIFT
+          @google_issuer            = options[:issuer]
+          @google_qr_size           = options[:qr_size]               || '200x200'
+          @google_secrets_encrypted = !!options[:encrypt_secrets]
 
           puts ":skip_attr_accessible is no longer required.  Called from #{Kernel.caller[0]}}" if options.has_key?(:skip_attr_accessible)
 
-          [:google_label_column, :google_label_method, :google_secret_column, :google_lookup_token, :google_drift, :google_issuer, :google_qr_size].each do |cattr|
+          [:google_label_column, :google_label_method, :google_secret_column, :google_lookup_token, :google_drift, :google_issuer, :google_qr_size, :google_secrets_encrypted].each do |cattr|
             self.singleton_class.class_eval { attr_reader cattr }
           end
 

data/lib/google-authenticator-rails/active_record/helpers.rb

@@ -1,9 +1,19 @@
 module GoogleAuthenticatorRails # :nodoc:
+  mattr_accessor :secret_encryptor
   module ActiveRecord  # :nodoc:
     module Helpers
+      def google_secret_value
+        if @google_secret_value_cached
+          @google_secret_value
+        else
+          @google_secret_value_cached = true
+          secret_in_db = google_secret_column_value
+          @google_secret_value = secret_in_db && self.class.google_secrets_encrypted ? google_secret_encryptor.decrypt_and_verify(secret_in_db) : secret_in_db
+        end
+      end
+      
       def set_google_secret
-        self.__send__("#{self.class.google_secret_column}=", GoogleAuthenticatorRails::generate_secret)
-        save
+        change_google_secret_to!(GoogleAuthenticatorRails::generate_secret)
       end
 
       def google_authentic?(code)
@@ -29,19 +39,38 @@ module GoogleAuthenticatorRails # :nodoc:
       def google_token_value
         self.__send__(self.class.google_lookup_token)
       end
+      
+      def encrypt_google_secret!
+        change_google_secret_to!(google_secret_column_value)
+      end
 
       private
       def default_google_label_method
         self.__send__(self.class.google_label_column)
       end
-
-      def google_secret_value
+      
+      def google_secret_column_value
         self.__send__(self.class.google_secret_column)
       end
 
+      def change_google_secret_to!(secret, encrypt = self.class.google_secrets_encrypted)
+        @google_secret_value = secret
+        self.__send__("#{self.class.google_secret_column}=", secret && encrypt ? google_secret_encryptor.encrypt_and_sign(secret) : secret)
+        @google_secret_value_cached = true
+        save!
+      end
+
       def google_issuer
         self.class.google_issuer
       end
+      
+      def google_secret_encryptor
+        GoogleAuthenticatorRails.secret_encryptor ||= GoogleAuthenticatorRails::ActiveRecord::Helpers.get_google_secret_encryptor
+      end
+      
+      def self.get_google_secret_encryptor
+        ActiveSupport::MessageEncryptor.new(Rails.application.key_generator.generate_key('Google-secret encryption key', 32))
+      end
     end
   end
 end

data/lib/google-authenticator-rails/version.rb

@@ -1,7 +1,7 @@
 module Google
   module Authenticator
     module Rails
-      VERSION = "1.3.0"
+      VERSION = "1.4.0"
     end
   end
 end

data/lib/tasks/google_authenticator.rake

@@ -0,0 +1,46 @@
+namespace :google_authenticator do
+
+  def do_encrypt(already_encrypted, op_name)
+    ActiveRecord::Base.transaction do
+      match_op = " #{already_encrypted ? '>' : '='} 16"
+      # Adapted from https://stackoverflow.com/a/8248849/7478194
+      Dir[Rails.root.join('app/models/*.rb').to_s].each do |filename|
+        klass = File.basename(filename, '.rb').camelize.constantize
+        next unless klass.ancestors.include?(ActiveRecord::Base) && klass.try(:google_secrets_encrypted)
+        puts "#{op_name} model #{klass.name.inspect} (table #{klass.table_name.inspect})"
+        klass.where("LENGTH(#{klass.google_secret_column})#{match_op}").find_each do |record|
+          yield record
+        end
+      end
+    end
+  end
+  
+  desc 'Encrypt all secret columns (add the :encrypt_secret options *before* running)'
+  task encrypt_secrets: :environment do
+    do_encrypt(false, 'Encrypting') { |record| record.encrypt_google_secret! }
+  end
+
+  desc 'Re-encrypt all secret columns from old_secret_key_base to secret_key_base'
+  task reencrypt_secrets: :environment do
+    if Rails.application.secrets.old_secret_key_base.blank?
+      puts 'old_secret_key_base is not set in config/secrets.yml'
+    else
+      secret_encryptor = GoogleAuthenticatorRails::ActiveRecord::Helpers.get_google_secret_encryptor
+      Rails.application.secrets[:secret_key_base] = Rails.application.secrets.old_secret_key_base
+      Rails.application.instance_eval { @caching_key_generator = nil }
+      old_secret_encryptor = GoogleAuthenticatorRails::ActiveRecord::Helpers.get_google_secret_encryptor
+      do_encrypt(true, 'Re-encrypting') do |record|
+        GoogleAuthenticatorRails.secret_encryptor = old_secret_encryptor
+        plain_secret = record.google_secret_value
+        GoogleAuthenticatorRails.secret_encryptor = secret_encryptor
+        record.send(:change_google_secret_to!, plain_secret)
+      end
+    end
+  end
+  
+  desc 'Decrypt all secret columns (remove the :encrypt_secret options *after* running)'
+  task decrypt_secrets: :environment do
+    do_encrypt(true, 'Decrypting') { |record| record.send(:change_google_secret_to!, record.google_secret_value, false) }
+  end  
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: google-authenticator-rails
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Jared McFarland
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-10 00:00:00.000000000 Z
+date: 2017-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rotp
@@ -24,6 +24,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 1.6.1
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
@@ -133,6 +147,7 @@ files:
 - ".rspec"
 - ".travis.yml"
 - Appraisals
+- CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - Gemfile
 - LICENSE
@@ -157,6 +172,7 @@ files:
 - lib/google-authenticator-rails/session/base.rb
 - lib/google-authenticator-rails/session/persistence.rb
 - lib/google-authenticator-rails/version.rb
+- lib/tasks/google_authenticator.rake
 - spec/action_controller/integration_spec.rb
 - spec/action_controller/rails_adapter_spec.rb
 - spec/google_authenticator_spec.rb
@@ -182,7 +198,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.6.14
 signing_key: 
 specification_version: 4
 summary: Add the ability to use the Google Authenticator with ActiveRecord.