htauth 2.1.1 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4b47d22265e7ed8e07665edec308a71ce4decb3ccc293699d7736a6ca0ddca1
-  data.tar.gz: 6127bf17e0c114580adac497ddf51f5822e4cfda49989e32bdf6af385dc83295
+  metadata.gz: ad5523ccfeacb957acb9cf2fae40e19e51bc92e10d093a950949fbe00bb50b1a
+  data.tar.gz: 280ed439110fd03ca5510ae81d8b17a4f0db21f4f0aed7360238bbcef83fe6c1
 SHA512:
-  metadata.gz: 39faa1fb2b894b7fc6329c2fc19ca63049a0645fe7c42c10e5ae0b708172d994e7b544074f901750273c4b0871ec454206f32d1f26027add807a7818ad87907a
-  data.tar.gz: 4d5112aec7a3839e797422ff429ee8e6bf14b968d46be97ef6e12a0c37196d1b6fbfa42772f6d488cec037f44fc37f85c69bd5a68ee8ee36fc7ad1f5d6ef84b6
+  metadata.gz: cc5ddd224ce189eeb5d16a60059a9fcab868ff65de9aad4efac3177425004d98b22d9af29f556d001ae0c083b31cdaef4cf723c7d1342739fc01c7be12841f42
+  data.tar.gz: 28a12fef7f3c7a96c9bdb186a71b06b8263da2c1f6b77dfcba45239129a17311d9fbcfa799aaf004efbf09876cc380de99bb91cab6be23ffefc23ce70286618b

data/HISTORY.md

@@ -1,4 +1,16 @@
 # Changelog
+## Version 2.3.0 - 2024-02-03
+
+* Add support for argon2 encryption [#18](https://github.com/copiousfreetime/htauth/pull/18)
+* Update supported ruby version, now supporting ruby 3.x only
+* Semaphore updates
+
+## Version 2.2.0 - 2023-02-06
+
+* Update ruby versions
+* Add to sempahore for CI
+* fix various spelling issues
+
 ## Version 2.1.1 - 2020-04-02
 
 * Update minimum ruby versions to modern versions

data/Manifest.txt

@@ -8,6 +8,7 @@ bin/htdigest-ruby
 bin/htpasswd-ruby
 lib/htauth.rb
 lib/htauth/algorithm.rb
+lib/htauth/argon2.rb
 lib/htauth/bcrypt.rb
 lib/htauth/cli.rb
 lib/htauth/cli/digest.rb
@@ -27,6 +28,7 @@ lib/htauth/plaintext.rb
 lib/htauth/sha1.rb
 lib/htauth/version.rb
 spec/algorithm_spec.rb
+spec/argon2_spec.rb
 spec/bcrypt_spec.rb
 spec/cli/digest_spec.rb
 spec/cli/passwd_spec.rb

data/README.md

@@ -1,29 +1,51 @@
 ## HTAuth
 
-* [Github](http://github.com/copiousfreetime/htauth/tree/master)
-* [![Build Status](https://travis-ci.org/copiousfreetime/htauth.svg?branch=master)](https://travis-ci.org/copiousfreetime/htauth)
+[![Build Status](https://copiousfreetime.semaphoreci.com/badges/htauth/branches/main.svg)](https://copiousfreetime.semaphoreci.com/projects/htauth)
+
+* [Homepage](http://github.com/copiousfreetime/htauth)
+* [Github](http://github.com/copiousfreetime/htauth)
 
 ## DESCRIPTION
 
-HTAuth is a pure ruby replacement for the Apache support programs htdigest and
-htpasswd.  Command line and API access are provided for access to htdigest and
-htpasswd files.
+HTAuth provides an API and commandline tools for managing Apache/httpd style
+htpasswd and htdigest files.
 
 ## FEATURES
 
-HTAuth provides to drop in commands *htdigest-ruby* and *htpasswd-ruby* that
-can manipulate the digest and passwd files in the same manner as Apache's
-original commands.
+HTAuth provides an API allowing direct manipulation of Apache/httpd style
+`htdigest` and `htpasswd` files. Supporting full programmatic manipulation and
+authentication of user credentials.
 
-*htdigest-ruby* and *htpasswd-ruby* are command line compatible with *htdigest*
-and *htpasswd*.  They support the same exact same command line options as the
-originals, and have some extras.
+HTAuth also includes drop-in, commandline compatible replacements for the Apache
+utilities `htpasswd` and `htdigest` with the respective `htpasswd-ruby` and
+`htdigest-ruby` commands.
 
-Additionally, you can access all the functionality of *htdigest-ruby* and
-*htpasswd-ruby* through an API.
+Additionally, support for the [argon2](https://github.com/technion/ruby-argon2)
+password hashing algorithm is provided for most platforms.
 
 ## SYNOPSIS
 
+### API Usage
+
+    HTAuth::DigestFile.open("some.htdigest") do |df|
+      df.add_or_update('someuser', 'myrealm', 'a password')
+      df.delete('someolduser', 'myotherrealm')
+    end
+
+    HTAuth::PasswdFile.open("some.htpasswd", HTAuth::File::CREATE) do |pf|
+      pf.add('someuser', 'a password', 'md5')
+      pf.add('someotheruser', 'a different password', 'sha1')
+    end
+
+    HTAuth::PasswdFile.open("some.htpasswd", HTAuth::File::ALTER) do |pf|
+      pf.update('someuser', 'a password', 'bcrypt')
+    end
+
+    HTAuth::PasswdFile.open("some.htpasswd") do |pf|
+      pf.authenticated?('someuser', 'a password')
+    end
+
+
 ### htpasswd-ruby command line application
 
     Usage:
@@ -33,7 +55,8 @@ Additionally, you can access all the functionality of *htdigest-ruby* and
             htpasswd-ruby -n[imBdps] [-C cost] username
             htpasswd-ruby -nb[mBdps] [-C cost] username password
 
-        -b, --batch      Batch mode, get the password from the command line, rather than prompt
+            --argon2     Force argon2 encryption of the password.
+        -b, --batch      Batch mode, get the password from the command line, rather than prompt.
         -B, --bcrypt     Force bcrypt encryption of the password.
         -C, --cost COST  Set the computing time used for the bcrypt algorithm
                          (higher is more secure but slower, default: 5, valid: 4 to 31).
@@ -47,9 +70,7 @@ Additionally, you can access all the functionality of *htdigest-ruby* and
         -p, --plaintext  Do not encrypt the password (plaintext).
         -s, --sha1       Force SHA encryption of the password.
         -v, --version    Show version info.
-            --verify     Verify password for the specified user
-
-    The SHA algorihtm does not use a salt and is less secure than the MD5 algorithm.
+            --verify     Verify password for the specified user.
 
 ### htdigest-ruby command line application
 
@@ -59,30 +80,31 @@ Additionally, you can access all the functionality of *htdigest-ruby* and
         -h, --help     Display this help.
         -v, --version  Show version info.
 
-### API Usage
+## Supported Hash Algorithms
 
-    HTAuth::DigestFile.open("some.htdigest") do |df|
-      df.add_or_update('someuser', 'myrealm', 'a password')
-      df.delete('someolduser', 'myotherrealm')
-    end
+Out of the box, `htauth` supports the classic algorithms that ship with Apache
+`htpasswd`.
 
-    HTAuth::PasswdFile.open("some.htpasswd", HTAuth::File::CREATE) do |pf|
-      pf.add('someuser', 'a password', 'md5')
-      pf.add('someotheruser', 'a different password', 'sha1')
-    end
+- Built in
+    - Generally accepted
+        - MD5 (default for compatibility reasons)
+        - bcrypt (probably the better choice)
 
-    HTAuth::PasswdFile.open("some.htpasswd", HTAuth::File::ALTER) do |pf|
-      pf.update('someuser', 'a password', 'bcrypt')
-    end
+    - **Not Recommended** - available only for backwards compatibility with `htpasswd`
+        - SHA1
+        - crypt
+        - plaintext
 
-    HTAuth::PasswdFile.open("some.htpasswd") do |pf|
-      pf.authenticated?('someuser', 'a password')
-    end
+- Available with the installation of additional libraries:
+    - argon2 - to use, add `gem 'argon2'` to your `Gemfile`. `argon2` will
+      now be a valid algorithm to use in `HTAuth::PasswdFile` API. Currently
+      argon2 is not supported on windows as the upstream `argon2` gem does not
+      support windows.
 
 ## CREDITS
 
 * [The Apache Software Foundation](http://www.apache.org/)
-* all the folks who contributed to htdigest and htpassword
+* all the folks who contributed to htdigest and htpasswd
 
 ## MIT LICENSE
 

data/Rakefile

@@ -8,11 +8,14 @@ This.homepage = "http://github.com/copiousfreetime/#{ This.name }"
 
 This.ruby_gemspec do |spec|
   spec.add_dependency( 'bcrypt', '~> 3.1' )
+  spec.add_dependency( 'base64', '~> 0.2' )
 
-  spec.add_development_dependency( 'rake'     , '~> 13.0')
-  spec.add_development_dependency( 'minitest' , '~> 5.5' )
-  spec.add_development_dependency( 'rdoc'     , '~> 6.2' )
-  spec.add_development_dependency( 'simplecov', '~> 0.17' )
+  spec.add_development_dependency( 'argon2'   , '~> 2.3')
+  spec.add_development_dependency( 'rake'     , '~> 13.1')
+  spec.add_development_dependency( 'minitest' , '~> 5.21' )
+  spec.add_development_dependency( 'minitest-junit' , '~> 1.1' )
+  spec.add_development_dependency( 'rdoc'     , '~> 6.6' )
+  spec.add_development_dependency( 'simplecov', '~> 0.21' )
 
   spec.metadata = {
     "bug_tracker_uri" => "https://github.com/copiousfreetime/htauth/issues",

data/bin/htdigest-ruby

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
 begin
-  require 'htauth/cli'
+  require 'htauth/cli/digest'
 rescue LoadError 
   path = File.expand_path(File.join(File.dirname(__FILE__),"..","lib"))
   raise if $:.include?(path)

data/bin/htpasswd-ruby

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
 begin
-  require 'htauth/cli'
+  require 'htauth/cli/passwd'
 rescue LoadError 
   path = File.expand_path(File.join(File.dirname(__FILE__),"..","lib"))
   raise if $:.include?(path)

data/lib/htauth/algorithm.rb

@@ -13,6 +13,8 @@ module HTAuth
     SALT_CHARS    = (%w[ . / ] + ("0".."9").to_a + ('A'..'Z').to_a + ('a'..'z').to_a).freeze
     SALT_LENGTH   = 8
 
+    # Public: flag for the argon2 algorithm
+    ARGON2        = "argon2".freeze
     # Public: flag for the bcrypt algorithm
     BCRYPT        = "bcrypt".freeze
     # Public: flag for the md5 algorithm
@@ -84,7 +86,17 @@ module HTAuth
     end
 
     # Internal
-    def encode(password) ; end
+    def encode(password)
+      raise NotImplementedError, "#{self.class.name} must implement #{self.class.name}.encode(password)"
+    end
+
+    # Internal: Does the given password match the digest, the default just
+    # encodes and secure compares the result, different algorithms may overide
+    # this method
+    def verify_password?(password, digest)
+      encoded = encode(password)
+      self.class.secure_compare(encoded, digest)
+    end
 
     # Internal: 8 bytes of random items from SALT_CHARS
     def gen_salt(length = SALT_LENGTH)
@@ -92,7 +104,8 @@ module HTAuth
     end
 
     # Internal: this is not the Base64 encoding, this is the to64()
-    # method from the apache protable runtime library
+    # method from the Apache Portable Runtime (APR) library
+    # https://github.com/apache/apr/blob/trunk/crypto/apr_md5.c#L493-L502
     def to_64(number, rounds)
       r = StringIO.new
       rounds.times do |x|

data/lib/htauth/argon2.rb

@@ -0,0 +1,77 @@
+require 'htauth/algorithm'
+begin
+  require 'argon2'
+rescue LoadError
+end
+
+module HTAuth
+  # Internal:  Support of the argon2id algorithm and password format.
+
+  class Argon2 < Algorithm
+    class NotSupportedError < ::HTAuth::InvalidAlgorithmError
+      def message
+        "Unfortunately Argon2 passwords are not supported on `#{RUBY_PLATFORM} at this time. This because the upstream argon2 gem does not support windows."
+      end
+    end
+    class NotInstalledError < ::HTAuth::InvalidAlgorithmError
+      def message
+        "Argon2 passwords are supported if the `argon2' gem is installed. Add `gem 'argon2', '~> 2.3'` to your Gemfile"
+      end
+    end
+
+    # from upstream, used to help make a nice error message if its not installed
+    # https://github.com/technion/ruby-argon2/blob/3388d7e05e8b486ea4ba8bd2aeb1e9988f025f13/lib/argon2/hash_format.rb#L45
+    PREFIX = /^\$argon2(id?|d).{,113}/.freeze
+    ARGON2_GEM_INSTALLED = defined?(::Argon2)
+
+    def self.supported?
+      !::Gem.win_platform?
+    end
+
+    def self.ensure_available!
+      raise NotSupportedError unless supported?
+      raise NotInstalledError unless ARGON2_GEM_INSTALLED
+    end
+
+    attr_accessor :options
+
+     def self.handles?(password_entry)
+      return false unless PREFIX.match?(password_entry)
+      ensure_available!
+
+      return ::Argon2::Password.valid_hash?(password_entry)
+     end
+
+     def self.extract_options_from_existing_password_field(existing)
+       hash_format = ::Argon2::HashFormat.new(existing)
+
+       # m_cost on the input is the 2**m_cost, but in the hash its the number of
+       # bytes, so need to convert it back to a power of 2, which is the
+       # log2(m_cost)
+
+       {
+         t_cost: hash_format.t_cost,
+         m_cost: ::Math.log2(hash_format.m_cost).floor,
+         p_cost: hash_format.p_cost,
+       }
+     end
+
+     def initialize(params = { profile: :rfc_9106_low_memory })
+       self.class.ensure_available!
+       if existing = (params['existing'] || params[:existing]) then
+         @options = self.class.extract_options_from_existing_password_field(existing)
+       else
+         @options = params
+       end
+     end
+
+     def encode(password)
+       argon2 = ::Argon2::Password.new(options)
+       argon2.create(password)
+     end
+
+    def verify_password?(password, digest)
+      ::Argon2::Password.verify_password(password, digest)
+    end
+  end
+end

data/lib/htauth/bcrypt.rb

@@ -31,5 +31,10 @@ module HTAuth
     def encode(password)
       ::BCrypt::Password.create(password, :cost => cost)
     end
+
+    def verify_password?(password, digest)
+      bc = ::BCrypt::Password.new(digest)
+      bc.is_password?(password)
+    end
   end
 end

data/lib/htauth/cli/digest.rb

@@ -1,7 +1,4 @@
-require 'htauth/version'
-require 'htauth/error'
-require 'htauth/digest_file'
-require 'htauth/console'
+require 'htauth/cli'
 
 require 'ostruct'
 require 'optparse'

data/lib/htauth/cli/passwd.rb

@@ -1,6 +1,4 @@
-require 'htauth/error'
-require 'htauth/passwd_file'
-require 'htauth/console'
+require 'htauth/cli'
 
 require 'ostruct'
 require 'optparse'
@@ -44,8 +42,8 @@ module HTAuth
           @option_parser = OptionParser.new(nil, 16) do |op|
             op.banner = <<-EOB
 Usage:
-        #{op.program_name} [-cimBdpsD] [-C cost] passwordfile username
-        #{op.program_name} -b[cmBdpsD] [-C cost] passwordfile username password
+        #{op.program_name} [-acimBdpsD] [--verify] [-C cost] passwordfile username
+        #{op.program_name} -b[acmBdpsD] [--verify] [-C cost] passwordfile username password
 
         #{op.program_name} -n[imBdps] [-C cost] username
         #{op.program_name} -nb[mBdps] [-C cost] username password
@@ -53,7 +51,11 @@ Usage:
 
             op.separator ""
 
-            op.on("-b", "--batch", "Batch mode, get the password from the command line, rather than prompt") do |b|
+            op.on("--argon2", "Force argon2 encryption of the password.") do |a|
+              options.algorithm = Algorithm::ARGON2
+            end
+
+            op.on("-b", "--batch", "Batch mode, get the password from the command line, rather than prompt.") do |b|
               options.batch_mode = b
             end
 
@@ -118,7 +120,7 @@ Usage:
               options.show_version = v
             end
 
-            op.on("--verify", "Verify password for the specified user") do |v|
+            op.on("--verify", "Verify password for the specified user.") do |v|
               options.operation << :verify
             end
 

data/lib/htauth/cli.rb

@@ -1,8 +1,7 @@
 require 'htauth'
+require 'htauth/console'
 module HTAuth
   module CLI
 
   end
 end
-require 'htauth/cli/digest'
-require 'htauth/cli/passwd'

data/lib/htauth/digest_entry.rb

@@ -1,5 +1,6 @@
 require 'htauth/error'
 require 'htauth/entry'
+require 'htauth/algorithm'
 require 'digest/md5'
 
 module HTAuth

data/lib/htauth/passwd_entry.rb

@@ -62,7 +62,7 @@ module HTAuth
     # Internal: Create a new Entry with the given user, password, and algorithm
     def initialize(user, password = nil, alg = Algorithm::DEFAULT, alg_params = {} )
       @user      = user
-      alg = Algorithm::DEFAULT if alg == Algorithm::EXISTING 
+      alg = Algorithm::DEFAULT if alg == Algorithm::EXISTING
       @algorithm = Algorithm.algorithm_from_name(alg, alg_params)
       @digest    = calc_digest(password)
     end
@@ -106,25 +106,14 @@ module HTAuth
     end
 
     # Public: Check if the given password is the password of this entry
-    # check the password and make sure it works, in the case that the algorithm is unknown it
-    # tries all of the ones that it thinks it could be, and marks the algorithm if it matches
-    # when looking for a matche, we always compare all of them, no short
-    # circuiting
+    #
     def authenticated?(check_password)
-      authed = false
-      if algorithm.kind_of?(Bcrypt) then
-        bc = ::BCrypt::Password.new(digest)
-        authed = bc.is_password?(check_password)
-      else
-        encoded = algorithm.encode(check_password)
-        authed  = Algorithm.secure_compare(encoded, digest)
-      end
-      return authed
+      algorithm.verify_password?(check_password, @digest)
     end
 
     # Internal: Returns the key of this entry
     def key
-      return "#{user}"
+      "#{user}"
     end
 
     # Internal: Returns the file line for this entry

data/lib/htauth/passwd_file.rb

@@ -11,9 +11,9 @@ module HTAuth
   # Examples
   #
   #   ::HTAuth::PasswdFile.open("my.passwd") do |pf|
-  #     pf.has_entry?('myuser', 'myrealm')
-  #     pf.add_or_update('someuser', 'myrealm', 'a password')
-  #     pf.delete('someolduser', 'myotherrealm')
+  #     pf.has_entry?('myuser')
+  #     pf.add_or_update('someuser', 'a password')
+  #     pf.delete('someolduser')
   #   end
   #
   class PasswdFile < HTAuth::File
@@ -68,7 +68,7 @@ module HTAuth
     # username  - the username of the entry
     # password  - the password of the entry
     # algorithm - the algorithm to use (default: "md5"). Valid options are:
-    #             "md5", "bcrypt", "sha1", "plaintext", or "crypt"
+    #             "md5", "bcrypt", "argon2", "sha1", "plaintext", or "crypt"
     # algorithm_args - key-value pairs of arguments that are passed to the
     #                  algorithm, currently this is only used to pass the cost
     #                  to the bcrypt algorithm
@@ -96,7 +96,7 @@ module HTAuth
     # username  - the username of the entry
     # password  - the password of the entry
     # algorithm - the algorithm to use (default: "md5"). Valid options are:
-    #             "md5", "bcrypt", "sha1", "plaintext", or "crypt"
+    #             "md5", "bcrypt", "argon2", "sha1", "plaintext", or "crypt"
     # algorithm_args - key-value pairs of arguments that are passed to the
     #                  algorithm, currently this is only used to pass the cost
     #                  to the bcrypt algorithm
@@ -133,7 +133,7 @@ module HTAuth
     # username  - the username of the entry
     # password  - the password of the entry
     # algorithm - the algorithm to use (default: "existing"). Valid options are:
-    #             "existing", "md5", "bcrypt", "sha1", "plaintext", or "crypt"
+    #             "existing", "md5", "bcrypt", "argon2", "sha1", "plaintext", or "crypt"
     # algorithm_args - key-value pairs of arguments that are passed to the
     #                  algorithm, currently this is only used to pass the cost
     #                  to the bcrypt algorithm

data/lib/htauth/sha1.rb

@@ -16,7 +16,7 @@ module HTAuth
     end
 
     # ignore the params
-    def initialize(params = {}) 
+    def initialize(params = {})
     end
 
     def encode(password)

data/lib/htauth/version.rb

@@ -1,4 +1,4 @@
 module HTAuth
   # Public: The version of the htauth library
-  VERSION = "2.1.1"
+  VERSION = "2.3.0"
 end

data/lib/htauth.rb

@@ -30,7 +30,7 @@ end
 
 require 'htauth/version'
 require 'htauth/algorithm'
-require 'htauth/console'
+require 'htauth/argon2'
 require 'htauth/bcrypt'
 require 'htauth/crypt'
 require 'htauth/digest_entry'

data/spec/algorithm_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/algorithm'
 
 describe HTAuth::Algorithm do
   it "raises an error if it encouners an unknown algorithm" do

data/spec/argon2_spec.rb

@@ -0,0 +1,28 @@
+require 'spec_helper'
+require 'argon2'
+
+describe HTAuth::Argon2 do
+
+  it "decodes the hash back to the original options" do
+    hash    = '$argon2id$v=19$m=65536,t=3,p=4$V1ln1M4o1RS7SzWHAtqyWQ$jEHi1Qo2FSBgLAPpOa1mPx6OD/twtjj8M1AlVZwamPg'
+    options = HTAuth::Argon2.extract_options_from_existing_password_field(hash)
+    _(options).must_equal ::Argon2::Profiles[:rfc_9106_low_memory]
+  end
+
+  it "encrypts the same way that argon2 does by default" do
+    argon2 = HTAuth::Argon2.new
+    hash   = argon2.encode("a secret")
+    _(::Argon2::Password.verify_password('a secret', hash)).must_equal true
+  end
+
+  it "allow changing the parameters directly" do
+    hash    = '$argon2id$v=19$m=262144,t=3,p=4$7DRAuE1yIHPHqISmcyaJTg$M0EErpbxqv8dvrMrQMoGDEA7KQCw67jGdXwtCbRINFs'
+    options = HTAuth::Argon2.extract_options_from_existing_password_field(hash)
+
+    options[:m_cost] = 11
+
+    argon2     = HTAuth::Argon2.new(options)
+    local_hash = argon2.encode("a secret")
+    _(::Argon2::Password.verify_password('a secret', local_hash)).must_equal true
+  end
+end

data/spec/bcrypt_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/bcrypt'
 
 describe HTAuth::Bcrypt do
   it "encrypts the same way that apache does by default" do

data/spec/cli/passwd_spec.rb

@@ -129,7 +129,23 @@ describe HTAuth::CLI::Passwd do
       _(@stderr.string).must_match( /ERROR:/m )
       _(se.status).must_equal 1
     end
- 
+  end
+
+  it "creates a new file with one argon2 entry" do
+    begin
+      @stdin.puts "a secret"
+      @stdin.puts "a secret"
+      @stdin.rewind
+      @htauth.run([ "--argon", "-c", @new_file, "agatha" ])
+    rescue SystemExit => se
+      _(se.status).must_equal 0
+      l = IO.readlines(@new_file)
+      fields = l.first.split(':')
+      _(fields.first).must_equal "agatha"
+      argon2_hash = fields.last
+
+      _(::Argon2::Password.valid_hash?(argon2_hash)).wont_be_nil
+    end
   end
 
   it "does not verify the password from stdin on -i option" do

data/spec/crypt_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/crypt'
 
 describe HTAuth::Crypt do
   it "encrypts the same way that apache does" do

data/spec/digest_entry_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/digest_entry'
 
 describe HTAuth::DigestEntry do
   before(:each) do

data/spec/digest_file_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/digest_file'
 require 'tempfile'
 
 describe HTAuth::DigestFile do

data/spec/md5_spec.rb

@@ -1,6 +1,4 @@
-require File.join(File.dirname(__FILE__),"spec_helper.rb")
-
-require 'htauth/md5'
+require 'spec_helper'
 
 describe HTAuth::Md5 do
   it "encrypts the same way that apache does" do

data/spec/passwd_entry_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/passwd_entry'
 
 describe HTAuth::PasswdEntry do
   before(:each) do
@@ -32,6 +31,14 @@ describe HTAuth::PasswdEntry do
     _(bob.digest).must_equal "b secret"
   end
 
+  it "encypts correctly for argon2" do
+    # Don't do this in real life, do not pass in a salt, let the algorithm generate it internally
+    salt = ";L\xCDMRO\v\x13;\x012\x9B'\xEE\\i"
+    agatha = HTAuth::PasswdEntry.new("agatha","ag secret", "argon2", {salt_do_not_supply: salt} )
+    expected = "$argon2id$v=19$m=65536,t=3,p=4$O0zNTVJPCxM7ATKbJ+5caQ$e7wIsl7AY+uIbN+1StYOKkVCJhOrvX7BxAlQ+sPC+Nc"
+    _(agatha.digest).must_equal expected
+  end
+
   it "encrypts with crypt as a default, when parsed from crypt()'d line" do
     bob2 = HTAuth::PasswdEntry.from_line(@bob.to_s)
     _(bob2.algorithm).must_be_instance_of(HTAuth::Crypt)
@@ -97,6 +104,12 @@ describe HTAuth::PasswdEntry do
     _(s2.authenticated?("b secret")).must_equal true
   end
 
+  it "authenticates correctly against argon2" do
+    s = HTAuth::PasswdEntry.new("agatha", "ag secret", "argon2")
+    s2 = HTAuth::PasswdEntry.from_line(s.to_s)
+    _(s2.authenticated?("ag secret")).must_equal true
+  end
+
   it "can update the cost of an entry after initialization before encoding password" do
     s = HTAuth::PasswdEntry.new("brenda", "b secret", "bcrypt")
     _(s.algorithm.cost).must_equal(::HTAuth::Bcrypt::DEFAULT_APACHE_COST)
@@ -108,7 +121,7 @@ describe HTAuth::PasswdEntry do
     _(s2.algorithm.cost).must_equal(12)
   end
 
-  it "raises an error if assinging an invalid algorithm" do
+  it "raises an error if assigning an invalid algorithm" do
     b = HTAuth::PasswdEntry.new("brenda", "b secret", "bcrypt")
     _ { b.algorithm = 42 }.must_raise(HTAuth::InvalidAlgorithmError)
   end

data/spec/sha1_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/sha1'
 
 describe HTAuth::Sha1 do
   it "encrypts the same way that apache does" do

data/spec/spec_helper.rb

@@ -1,10 +1,6 @@
-if RUBY_VERSION >= '1.9.2' then
-  require 'simplecov'
-  puts "Using coverage!"
-  SimpleCov.start if ENV['COVERAGE']
-end
+require 'simplecov'
+SimpleCov.start if ENV['COVERAGE']
 
-gem 'minitest'
 require 'minitest/autorun'
 require 'minitest/pride'
 
@@ -26,3 +22,4 @@ class ConsoleIO < StringIO
     yield self
   end
 end
+require 'htauth'

data/tasks/default.rake

@@ -36,11 +36,13 @@ task :develop => "develop:default"
 # Minitest - standard TestTask
 #------------------------------------------------------------------------------
 begin
-  require 'rake/testtask'
-  Rake::TestTask.new( :test ) do |t|
-    t.ruby_opts    = %w[ -w ]
-    t.libs         = %w[ lib spec test ]
-    t.pattern      = "{test,spec}/**/{test_*,*_spec}.rb"
+  require 'minitest/test_task'
+  Minitest::TestTask.create( :test) do |t|
+    t.libs << "lib"
+    t.libs << "spec"
+    t.libs << "test"
+    t.warning = true
+    t.test_globs = "{test,spec}/**/{test_*,*_spec}.rb"
   end
 
   task :test_requirements
@@ -143,14 +145,20 @@ namespace :fixme do
   end
 
   def local_fixme_files
-    This.manifest.select { |p| p =~ %r|^tasks/| }
+    local_files = This.manifest.select { |p| p =~ %r|^tasks/| }
+    local_files << ".semaphore/semaphore.yml"
   end
 
   def outdated_fixme_files
     local_fixme_files.select do |local|
       upstream     = fixme_project_path( local )
-      upstream.exist? &&
-        ( Digest::SHA256.file( local ) != Digest::SHA256.file( upstream ) )
+      if upstream.exist? then
+        if File.exist?( local ) then
+          ( Digest::SHA256.file( local ) != Digest::SHA256.file( upstream ) )
+        else
+          true
+        end
+      end
     end
   end
 
@@ -201,7 +209,7 @@ task :gemspec do
 end
 
 # .rbc files from ruby 2.0
-CLOBBER << FileList["**/*.rbc"]
+CLOBBER << "**/*.rbc"
 
 # The standard gem packaging task, everyone has it.
 require 'rubygems/package_task'
@@ -213,19 +221,19 @@ end
 # Release - the steps we go through to do a final release, this is pulled from
 #           a compbination of mojombo's rakegem, hoe and hoe-git
 #
-# 1) make sure we are on the master branch
+# 1) make sure we are on the main branch
 # 2) make sure there are no uncommitted items
 # 3) check the manifest and make sure all looks good
 # 4) build the gem
 # 5) do an empty commit to have the commit message of the version
 # 6) tag that commit as the version
-# 7) push master
+# 7) push main
 # 8) push the tag
 # 7) pus the gem
 #------------------------------------------------------------------------------
 task :release_check do
-  unless `git branch` =~ /^\* master$/
-    abort "You must be on the master branch to release!"
+  unless `git branch` =~ /^\* main/
+    abort "You must be on the main branch to release!"
   end
   unless `git status` =~ /^nothing to commit/m
     abort "Nope, sorry, you have unfinished business"
@@ -236,7 +244,7 @@ desc "Create tag v#{This.version}, build and push #{This.platform_gemspec.full_n
 task :release => [ :release_check, 'manifest:check', :gem ] do
   sh "git commit --allow-empty -a -m 'Release #{This.version}'"
   sh "git tag -a -m 'v#{This.version}' v#{This.version}"
-  sh "git push origin master"
+  sh "git push origin main"
   sh "git push origin v#{This.version}"
   sh "gem push pkg/#{This.platform_gemspec.full_name}.gem"
 end

data/tasks/this.rb

@@ -25,7 +25,7 @@ class ThisProject
   #
   # Yields self
   def initialize(&block)
-    @exclude_from_manifest = Regexp.union(/\.(git|DS_Store)/,
+    @exclude_from_manifest = Regexp.union(/\.(git|DS_Store|semaphore)/,
                                           /^(doc|coverage|pkg|tmp|Gemfile(\.lock)?)/,
                                           /^[^\/]+\.gemspec/,
                                           /\.(swp|jar|bundle|so|rvmrc|travis.yml|byebug_history|fossa.yml|ruby-version)$/,
@@ -146,7 +146,7 @@ class ThisProject
       spec.rdoc_options = [ "--main"  , 'README.md',
                             "--markup", "tomdoc" ]
 
-      spec.required_ruby_version = '>= 2.2.2'
+      spec.required_ruby_version = '>= 2.3.0'
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: htauth
 version: !ruby/object:Gem::Version
-  version: 2.1.1
+  version: 2.3.0
 platform: ruby
 authors:
 - Jeremy Hinegardner
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-04-02 00:00:00.000000000 Z
+date: 2024-02-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -24,65 +24,106 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: argon2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13.0'
+        version: '13.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13.0'
+        version: '13.1'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.5'
+        version: '5.21'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.21'
+- !ruby/object:Gem::Dependency
+  name: minitest-junit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.5'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.2'
+        version: '6.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.2'
+        version: '6.6'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.17'
+        version: '0.21'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.17'
-description: HTAuth is a pure ruby replacement for the Apache support programs htdigest
-  and htpasswd.  Command line and API access are provided for access to htdigest and
-  htpasswd files.
+        version: '0.21'
+description: HTAuth provides an API and commandline tools for managing Apache/httpd
+  style htpasswd and htdigest files.
 email: jeremy@copiousfreetime.org
 executables:
 - htdigest-ruby
@@ -104,6 +145,7 @@ files:
 - bin/htpasswd-ruby
 - lib/htauth.rb
 - lib/htauth/algorithm.rb
+- lib/htauth/argon2.rb
 - lib/htauth/bcrypt.rb
 - lib/htauth/cli.rb
 - lib/htauth/cli/digest.rb
@@ -123,6 +165,7 @@ files:
 - lib/htauth/sha1.rb
 - lib/htauth/version.rb
 - spec/algorithm_spec.rb
+- spec/argon2_spec.rb
 - spec/bcrypt_spec.rb
 - spec/cli/digest_spec.rb
 - spec/cli/passwd_spec.rb
@@ -153,7 +196,7 @@ metadata:
   changelog_uri: https://github.com/copiousfreetime/htauth/blob/master/HISTORY.md
   homepage_uri: https://github.com/copiousfreetime/htauth
   source_code_uri: https://github.com/copiousfreetime/htauth
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--main"
 - README.md
@@ -165,21 +208,21 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.2.2
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.5.3
+signing_key:
 specification_version: 4
-summary: HTAuth is a pure ruby replacement for the Apache support programs htdigest
-  and htpasswd.  Command line and API access are provided for access to htdigest and
-  htpasswd files.
+summary: HTAuth provides an API and commandline tools for managing Apache/httpd style
+  htpasswd and htdigest files.
 test_files:
 - spec/algorithm_spec.rb
+- spec/argon2_spec.rb
 - spec/bcrypt_spec.rb
 - spec/cli/digest_spec.rb
 - spec/cli/passwd_spec.rb