htauth 2.0.0 → 2.1.0

data/lib/htauth/console.rb

@@ -20,12 +20,16 @@ module HTAuth
 
     def ask(prompt)
       output.print prompt
-      answer = input.noecho(&:gets)
+      answer = read_answer
       output.puts
       raise ConsoleError, "No input given" if answer.nil?
       answer.strip!
       raise ConsoleError, "No input given" if answer.length == 0
       return answer
     end
+
+    def read_answer
+      input.noecho(&:gets)
+    end
   end
 end

data/lib/htauth/crypt.rb

@@ -4,12 +4,23 @@ module HTAuth
   # Internal: The basic crypt algorithm
   class Crypt < Algorithm
 
-    def initialize(params = {})
-      @salt = params[:salt] || params['salt'] || gen_salt
+    ENTRY_LENGTH = 13
+    ENTRY_REGEX = %r{\A[^$:\s]{#{ENTRY_LENGTH}}\z}
+
+    def self.handles?(password_entry)
+      ENTRY_REGEX.match?(password_entry)
     end
 
-    def prefix
-      ""
+    def self.extract_salt_from_existing_password_field(existing)
+      existing[0,2]
+    end
+
+    def initialize(params = {})
+      if existing = (params['existing'] || params[:existing]) then
+        @salt = self.class.extract_salt_from_existing_password_field(existing)
+      else
+        @salt = params[:salt] || params['salt'] || gen_salt
+      end
     end
 
     def encode(password)

data/lib/htauth/descendant_tracker.rb

@@ -0,0 +1,46 @@
+module HTAuth
+  #
+  # Use by either
+  #
+  #   class Foo
+  #     extend DescendantTracker
+  #   end
+  #
+  # or
+  #
+  #   class Foo
+  #     class << self
+  #       include DescendantTracker
+  #     end
+  #   end
+  #
+  # It will track all the classes that inherit from the extended class and keep
+  # them in a Set that is available via the 'children' method.
+  #
+  module DescendantTracker
+    def inherited( klass )
+      return unless klass.instance_of?( Class )
+      self.children << klass
+    end
+
+    #
+    # The list of children that are registered
+    #
+    def children
+      unless defined? @children
+        @children = Array.new
+      end
+      return @children
+    end
+
+    #
+    # find the child that returns truthy for then given method and
+    # parameters
+    #
+    def find_child( method, *args )
+      children.find do |child|
+        child.send( method, *args )
+      end
+    end
+  end
+end

data/lib/htauth/md5.rb

@@ -6,21 +6,41 @@ module HTAuth
   # as used in the apache htpasswd -m option
   class Md5 < Algorithm
 
-    DIGEST_LENGTH = 16
+    DIGEST_LENGTH  = 16
+    PAD_LENGTH     = 6
+    PREFIX         = "$apr1$".freeze
+    SALT_CHARS_STR = SALT_CHARS.join('')
+    ENTRY_REGEX    = %r[
+      \A
+      #{Regexp.escape(PREFIX)}
+      [#{SALT_CHARS_STR}]{#{SALT_LENGTH}}
+      #{Regexp.escape("$")}
+      [#{SALT_CHARS_STR}]{#{DIGEST_LENGTH + PAD_LENGTH}}
+      \z
+      ]x
+
+    def self.handles?(password_entry)
+      ENTRY_REGEX.match?(password_entry)
+    end
 
-    def initialize(params = {})
-      @salt = params['salt'] || params[:salt] || gen_salt
+    def self.extract_salt_from_existing_password_field(existing)
+      p = existing.split("$")
+      return p[2]
     end
 
-    def prefix
-      "$apr1$"
+    def initialize(params = {})
+      if existing = (params['existing'] || params[:existing]) then
+        @salt = self.class.extract_salt_from_existing_password_field(existing)
+      else
+        @salt = params[:salt] || params['salt'] || gen_salt
+      end
     end
 
     # this algorigthm pulled straight from apr_md5_encode() and converted to ruby syntax
     def encode(password)
       primary = ::Digest::MD5.new
       primary << password
-      primary << prefix
+      primary << PREFIX
       primary << @salt
 
       md5_t = ::Digest::MD5.digest("#{password}#{@salt}#{password}")
@@ -46,7 +66,7 @@ module HTAuth
 
       pd = primary.digest
 
-      encoded_password = "#{prefix}#{@salt}$"
+      encoded_password = "#{PREFIX}#{@salt}$"
 
       # apr_md5_encode has this comment about a 60Mhz Pentium above this loop.
       1000.times do |x|

data/lib/htauth/passwd_entry.rb

@@ -12,6 +12,8 @@ module HTAuth
     attr_accessor :digest
     # Internal: the algorithm used to create the digest of this entry
     attr_reader   :algorithm
+    # Internal: the algorithm arguments used to create the digest of this entry
+    attr_reader   :algorithm_args
 
     class << self
       # Internal: Create an instance of this class from a line of text
@@ -23,7 +25,7 @@ module HTAuth
         parts = is_entry!(line)
         d = PasswdEntry.new(parts[0])
         d.digest = parts[1]
-        d.algorithm = Algorithm.algorithms_from_field(parts[1])
+        d.algorithm = Algorithm.algorithm_from_field(parts[1])
         return d
       end
 
@@ -67,23 +69,31 @@ module HTAuth
 
     # Internal: set the algorithm for the entry
     def algorithm=(alg)
-      if alg.kind_of?(Array) then
-        if alg.size == 1 then
-          @algorithm = alg.first
-        else
-          @algorithm = alg
-        end
+      return @algorithm if Algorithm::EXISTING == alg
+      case alg
+      when String
+        @algorithm = Algorithm.algorithm_from_name(alg)
+      when ::HTAuth::Algorithm
+        @algorithm = alg
       else
-        @algorithm = Algorithm.algorithm_from_name(alg) unless Algorithm::EXISTING == alg
+        raise InvalidAlgorithmError, "Unable to assign #{alg} to algorithm"
       end
       return @algorithm
     end
 
+    # Internal: set fields on the algorithm
+    def algorithm_args=(args)
+      args.each do |key, value|
+        method = "#{key}="
+        @algorithm.send(method, value) if @algorithm.respond_to?(method)
+      end
+    end
+
     # Internal: Update the password of the entry with its new value
     #
     # If we have an array of algorithms, then we set it to CRYPT
     def password=(new_password)
-      if algorithm.kind_of?(Array) then
+      if algorithm.kind_of?(HTAuth::Plaintext) then
         @algorithm = Algorithm.algorithm_from_name(Algorithm::CRYPT)
       end
       @digest = calc_digest(new_password)
@@ -102,14 +112,9 @@ module HTAuth
     # circuiting
     def authenticated?(check_password)
       authed = false
-      if algorithm.kind_of?(Array) then
-        algorithm.each do |alg|
-          encoded = alg.encode(check_password)
-          if Algorithm.secure_compare(encoded, digest) then
-            @algorithm = alg
-            authed = true
-          end
-        end
+      if algorithm.kind_of?(Bcrypt) then
+        bc = ::BCrypt::Password.new(digest)
+        authed = bc.is_password?(check_password)
       else
         encoded = algorithm.encode(check_password)
         authed  = Algorithm.secure_compare(encoded, digest)

data/lib/htauth/passwd_file.rb

@@ -66,9 +66,13 @@ module HTAuth
     # The file is not written to disk until #save! is called.
     #
     # username  - the username of the entry
-    # password  - the username of the entry
+    # password  - the password of the entry
     # algorithm - the algorithm to use (default: "md5"). Valid options are:
-    #             "md5", "sha1", "plaintext", or "crypt"
+    #             "md5", "bcrypt", "sha1", "plaintext", or "crypt"
+    # algorithm_args - key-value pairs of arguments that are passed to the
+    #                  algorithm, currently this is only used to pass the cost
+    #                  to the bcrypt algorithm
+    #
     #
     # Examples
     #
@@ -79,20 +83,23 @@ module HTAuth
     #   passwd_file.save!
     #
     # Returns nothing.
-    def add_or_update(username, password, algorithm = Algorithm::DEFAULT)
+    def add_or_update(username, password, algorithm = Algorithm::DEFAULT, algorithm_args = {})
       if has_entry?(username) then
-        update(username, password, algorithm)
+        update(username, password, algorithm, algorithm_args)
       else
-        add(username, password, algorithm)
+        add(username, password, algorithm, algorithm_args)
       end
     end
 
     # Public: Add a new record to the file.
     #
     # username  - the username of the entry
-    # password  - the username of the entry
+    # password  - the password of the entry
     # algorithm - the algorithm to use (default: "md5"). Valid options are:
-    #             "md5", "sha1", "plaintext", or "crypt"
+    #             "md5", "bcrypt", "sha1", "plaintext", or "crypt"
+    # algorithm_args - key-value pairs of arguments that are passed to the
+    #                  algorithm, currently this is only used to pass the cost
+    #                  to the bcrypt algorithm
     #
     # Examples
     #
@@ -102,11 +109,14 @@ module HTAuth
     #   passwd_file.add("newuser", "password", "sha1")
     #   passwd_file.save!
     #
+    #   passwd_file.add("newuser", "password", "bcrypt", { cost: 12 })
+    #   passwd_file.save!
+    #
     # Returns nothing.
     # Raises PasswdFileError if the give username already exists.
-    def add(username, password, algorithm = Algorithm::DEFAULT)
+    def add(username, password, algorithm = Algorithm::DEFAULT, algorithm_args = {})
       raise PasswdFileError, "Unable to add already existing user #{username}" if has_entry?(username)
-      new_entry = PasswdEntry.new(username, password, algorithm)
+      new_entry = PasswdEntry.new(username, password, algorithm, algorithm_args)
       new_index = @lines.size
       @lines << new_entry.to_s
       @entries[new_entry.key] = { 'entry' => new_entry, 'line_index' => new_index }
@@ -121,9 +131,12 @@ module HTAuth
     # setting the `algorithm` parameter.
     #
     # username  - the username of the entry
-    # password  - the username of the entry
+    # password  - the password of the entry
     # algorithm - the algorithm to use (default: "existing"). Valid options are:
-    #             "existing", "md5", "sha1", "plaintext", or "crypt"
+    #             "existing", "md5", "bcrypt", "sha1", "plaintext", or "crypt"
+    # algorithm_args - key-value pairs of arguments that are passed to the
+    #                  algorithm, currently this is only used to pass the cost
+    #                  to the bcrypt algorithm
     #
     # Examples
     #
@@ -133,12 +146,16 @@ module HTAuth
     #   passwd_file.update("newuser", "password", "sha1")
     #   passwd_file.save!
     #
+    #   passwd_file.update("newuser", "password", "bcrypt", { cost: 12 })
+    #   passwd_file.save!
+    #
     # Returns nothing.
     # Raises PasswdFileError if the give username does not exist.
-    def update(username, password, algorithm = Algorithm::EXISTING)
+    def update(username, password, algorithm = Algorithm::EXISTING, algorithm_args = {})
       raise PasswdFileError, "Unable to update non-existent user #{username}" unless has_entry?(username)
       ir = internal_record(username)
       ir['entry'].algorithm = algorithm
+      ir['entry'].algorithm_args = algorithm_args.dup
       ir['entry'].password = password
       @lines[ir['line_index']] = ir['entry'].to_s
       dirty!
@@ -164,6 +181,23 @@ module HTAuth
       return ir['entry'].dup
     end
 
+    # Public: authenticates the password of a given username
+    #
+    # Check the password file for the given user, and check the input password
+    # against the existing one.
+    #
+    # Examples
+    #
+    #   authenticated = password_file.authenticated?("alice", "a secret")
+    #
+    # Returns true or false if the user exists
+    # Raises PasswordFileErrorif the given username does not exist
+    def authenticated?(username, password)
+      raise PasswdFileError, "Unable to authenticate a non-existent user #{username}" unless has_entry?(username)
+      ir = internal_record(username)
+      return ir['entry'].authenticated?(password)
+    end
+
     # Internal: returns the class used for each entry
     #
     # Returns a Class

data/lib/htauth/plaintext.rb

@@ -3,12 +3,19 @@ require 'htauth/algorithm'
 module HTAuth
   # Internal: the plaintext algorithm, which does absolutly nothing
   class Plaintext < Algorithm
-    # ignore parameters
-    def initialize(params = {})
+
+    ENTRY_REGEX = /\A[^$:]*\Z/
+
+    def self.entry_matches?(entry)
+      ENTRY_REGEX.match?(entry)
     end
 
-    def prefix
-      ""
+    def self.handles?(password_entry)
+      false
+    end
+
+    # ignore parameters
+    def initialize(params = {})
     end
 
     def encode(password)

data/lib/htauth/sha1.rb

@@ -8,16 +8,19 @@ module HTAuth
   #
   class Sha1 < Algorithm
 
-    # ignore the params
-    def initialize(params = {}) 
+    PREFIX      = '{SHA}'.freeze
+    ENTRY_REGEX = %r[\A#{Regexp.escape(PREFIX)}[A-Za-z0-9+\/=]{28}\z].freeze
+
+    def self.handles?(password_entry)
+      ENTRY_REGEX.match?(password_entry)
     end
 
-    def prefix
-      "{SHA}"
+    # ignore the params
+    def initialize(params = {}) 
     end
 
     def encode(password)
-      "#{prefix}#{Base64.encode64(::Digest::SHA1.digest(password)).strip}"
+      "#{PREFIX}#{Base64.encode64(::Digest::SHA1.digest(password)).strip}"
     end
   end
 end

data/lib/htauth/version.rb

@@ -1,4 +1,4 @@
 module HTAuth
   # Public: The version of the htauth library
-  VERSION = "2.0.0"
+  VERSION = "2.1.0"
 end

data/spec/algorithm_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'htauth/algorithm'
+
+describe HTAuth::Algorithm do
+  it "raises an error if it encouners an unknown algorithm" do
+    _ { HTAuth::Algorithm.algorithm_from_name("unknown") }.must_raise(::HTAuth::InvalidAlgorithmError)
+  end
+end

data/spec/bcrypt_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+require 'htauth/bcrypt'
+
+describe HTAuth::Bcrypt do
+  it "encrypts the same way that apache does by default" do
+    apache_hash = '$2y$05$X7XeXxp0uAO92AGG2P4/fu0mj7MrRDQnlBTkwZLd9rKiH2OUBb9/K'
+    reparsed    = ::BCrypt::Password.new(apache_hash)
+    cost        = reparsed.cost
+
+    _(cost).must_equal HTAuth::Bcrypt::DEFAULT_APACHE_COST
+    _(reparsed.is_password?("a secret")).must_equal true
+
+    bcrypt      = HTAuth::Bcrypt.new(:cost => cost)
+    local_hash  = bcrypt.encode("a secret")
+
+    _(local_hash.is_password?("a secret")).must_equal true
+    _(local_hash.cost).must_equal cost
+  end
+
+  it "encrypts the same way that apache does with different cost" do
+    apache_hash = '$2y$12$O3mBah33UilOkwXrS0kXuOPFBKLBCIp7V.AVvEZQcbnAM5SJLQnfq'
+    reparsed    = ::BCrypt::Password.new(apache_hash)
+    cost        = reparsed.cost
+
+    _(reparsed.is_password?("a secret")).must_equal true
+
+    bcrypt      = HTAuth::Bcrypt.new(:cost => cost)
+    local_hash  = bcrypt.encode("a secret")
+
+    _(local_hash.is_password?("a secret")).must_equal true
+    _(local_hash.cost).must_equal cost
+  end
+end

data/spec/cli/digest_spec.rb

@@ -41,8 +41,8 @@ describe HTAuth::CLI::Digest do
     begin
       @rdigest.run([ "-h" ])
     rescue SystemExit => se
-      se.status.must_equal 1
-      @stdout.string.must_match( /passwordfile realm username/m )
+      _(se.status).must_equal 1
+      _(@stdout.string).must_match( /passwordfile realm username/m )
     end
   end
 
@@ -50,8 +50,8 @@ describe HTAuth::CLI::Digest do
     begin
       @rdigest.run([ "--version" ])
     rescue SystemExit => se
-      se.status.must_equal 1
-      @stdout.string.must_match( /version #{HTAuth::VERSION}/ )
+      _(se.status).must_equal 1
+      _(@stdout.string).must_match( /version #{HTAuth::VERSION}/ )
     end
   end
 
@@ -62,8 +62,8 @@ describe HTAuth::CLI::Digest do
       @stdin.rewind
       @rdigest.run([ "-c", @new_file, "htauth", "bob" ])
     rescue SystemExit => se
-      se.status.must_equal 0
-      IO.read(@new_file).must_equal IO.readlines(DIGEST_ORIGINAL_TEST_FILE).first
+      _(se.status).must_equal 0
+      _(IO.read(@new_file)).must_equal IO.readlines(DIGEST_ORIGINAL_TEST_FILE).first
     end
   end
 
@@ -74,8 +74,8 @@ describe HTAuth::CLI::Digest do
       @stdin.rewind
       @rdigest.run([ "-c", @tf.path, "htauth", "bob"])
     rescue SystemExit => se
-      se.status.must_equal 0
-      IO.read(@tf.path).must_equal IO.read(DIGEST_DELETE_TEST_FILE)
+      _(se.status).must_equal 0
+      _(IO.read(@tf.path)).must_equal IO.read(DIGEST_DELETE_TEST_FILE)
     end
   end
 
@@ -86,8 +86,8 @@ describe HTAuth::CLI::Digest do
       @stdin.rewind
       @rdigest.run([ @tf.path, "htauth-new", "charlie" ])
     rescue SystemExit => se
-      se.status.must_equal 0
-      IO.read(@tf.path).must_equal IO.read(DIGEST_ADD_TEST_FILE)
+      _(se.status).must_equal 0
+      _(IO.read(@tf.path)).must_equal IO.read(DIGEST_ADD_TEST_FILE)
     end
   end
 
@@ -98,9 +98,9 @@ describe HTAuth::CLI::Digest do
       @stdin.rewind
       @rdigest.run([ @tf.path, "htauth", "alice" ])
     rescue SystemExit => se
-      @stderr.string.must_equal ""
-      se.status.must_equal 0
-      IO.read(@tf.path).must_equal IO.read(DIGEST_UPDATE_TEST_FILE)
+      _(@stderr.string).must_equal ""
+      _(se.status).must_equal 0
+      _(IO.read(@tf.path)).must_equal IO.read(DIGEST_UPDATE_TEST_FILE)
     end
   end
 
@@ -108,9 +108,9 @@ describe HTAuth::CLI::Digest do
     begin
       @rdigest.run([ "-d", @tf.path, "htauth", "alice" ])
     rescue SystemExit => se
-      @stderr.string.must_equal ""
-      se.status.must_equal 0
-      IO.read(@tf.path).must_equal IO.read(DIGEST_DELETE_TEST_FILE)
+      _(@stderr.string).must_equal ""
+      _(se.status).must_equal 0
+      _(IO.read(@tf.path)).must_equal IO.read(DIGEST_DELETE_TEST_FILE)
     end
   end
 
@@ -121,8 +121,8 @@ describe HTAuth::CLI::Digest do
       @stdin.rewind
       @rdigest.run([ "-c", "/etc/you-cannot-create-me", "htauth", "alice"])
     rescue SystemExit => se
-      @stderr.string.must_match( %r{Could not open password file /etc/you-cannot-create-me}m )
-      se.status.must_equal 1
+      _(@stderr.string).must_match( %r{Could not open password file /etc/you-cannot-create-me}m )
+      _(se.status).must_equal 1
     end
   end
 
@@ -133,8 +133,8 @@ describe HTAuth::CLI::Digest do
       @stdin.rewind
       @rdigest.run([ @tf.path, "htauth", "alice"])
     rescue SystemExit => se
-      @stderr.string.must_match( /They don't match, sorry./m )
-      se.status.must_equal 1
+      _(@stderr.string).must_match( /They don't match, sorry./m )
+      _(se.status).must_equal 1
     end
   end
 
@@ -142,9 +142,8 @@ describe HTAuth::CLI::Digest do
     begin
       @rdigest.run(["--blah"])
     rescue SystemExit => se
-      @stderr.string.must_match( /ERROR:/m )
-      se.status.must_equal 1
+      _(@stderr.string).must_match( /ERROR:/m )
+      _(se.status).must_equal 1
     end
   end
-
 end