htauth 1.2.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 68e39a2811eb3436eb1de8ceac4bf0fd4ad458b9
-  data.tar.gz: 3c432666f3fabec0d5b0ef6e3fc4720bfcf2dcb8
+  metadata.gz: 64406e1178b07885f40df5db23c5962c040dff9a
+  data.tar.gz: a4d90738e83e05cfc38e857426be2e95ed4e8700
 SHA512:
-  metadata.gz: 3139d1a21b6e3ccd5a31fc6cb27d1f39ef1d898fc50e078b154f90659fbdc9fb8f119d56fb9c182e1af95422d9e308fb9632a4a9fc8f47781c1837a28d3bb8da
-  data.tar.gz: 8bb24b28ce66741222787a1c965e27e5d6c3f5d43aae96699e6d95f1f671d59876ccb2f3476e5db4154dbb39e4dbe272649f1245432fc38962be0bf98cd5a179
+  metadata.gz: 680bdc7d37adccad0a9358fdf391440abce27e8adc65e50dfeb394d0fbd884f3c3d951c2688590e33ef841a4bfb699035b167c2b57a764d93858b0dce1eb878e
+  data.tar.gz: 5c39dd6133939c4ce2eb3845fcac8135f355fc141930ade586bfeca16cc43d5fe4df556891cdb44be7de26ff862fd2aa8dd4b5ff22adb3bb5d10ba90eb61771b

data/HISTORY.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## Version 2.0.0 - 2015-09-13
+
+* Remove highline dependency - [#9](https://github.com/copiousfreetime/htauth/pull/9)
+* Tomdoc the public interface - [#10](https://github.com/copiousfreetime/htauth/issues/10)
+* Extract the commandline objects to their own module - [#2](https://github.com/copiousfreetime/htauth/issues/2)
+* Use a secure comparison when comparing digests - [#11](https://github.com/copiousfreetime/htauth/issues/11)
+
 ## Version 1.2.0 2015-07-18
 
 * Clarify project license (its MIT) - [#7](https://github.com/copiousfreetime/htauth/issues/7)

data/Manifest.txt

@@ -8,28 +8,30 @@ bin/htdigest-ruby
 bin/htpasswd-ruby
 lib/htauth.rb
 lib/htauth/algorithm.rb
+lib/htauth/cli.rb
+lib/htauth/cli/digest.rb
+lib/htauth/cli/passwd.rb
+lib/htauth/console.rb
 lib/htauth/crypt.rb
-lib/htauth/digest.rb
 lib/htauth/digest_entry.rb
 lib/htauth/digest_file.rb
 lib/htauth/entry.rb
-lib/htauth/errors.rb
+lib/htauth/error.rb
 lib/htauth/file.rb
 lib/htauth/md5.rb
-lib/htauth/passwd.rb
 lib/htauth/passwd_entry.rb
 lib/htauth/passwd_file.rb
 lib/htauth/plaintext.rb
 lib/htauth/sha1.rb
 lib/htauth/version.rb
+spec/cli/digest_spec.rb
+spec/cli/passwd_spec.rb
 spec/crypt_spec.rb
 spec/digest_entry_spec.rb
 spec/digest_file_spec.rb
-spec/digest_spec.rb
 spec/md5_spec.rb
 spec/passwd_entry_spec.rb
 spec/passwd_file_spec.rb
-spec/passwd_spec.rb
 spec/plaintext_spec.rb
 spec/sha1_spec.rb
 spec/spec_helper.rb

data/README.md

@@ -1,6 +1,5 @@
 ## HTAuth
 
-* [Homepage](http://copiousfreetime.rubyforge.org/htauth)
 * [Github](http://github.com/copiousfreetime/htauth/tree/master)
 * email jeremy at copiousfreetime dot org
 

data/Rakefile

@@ -11,8 +11,6 @@ This.ruby_gemspec do |spec|
   spec.add_development_dependency( 'minitest' , '~> 5.0' )
   spec.add_development_dependency( 'rdoc'     , '~> 4.0' )
   spec.add_development_dependency( 'simplecov', '~> 0.9' )
-
-  spec.add_dependency("highline", "~> 1.6")
 end
 
 load 'tasks/default.rake'

data/bin/htdigest-ruby

@@ -1,14 +1,7 @@
 #!/usr/bin/env ruby
 
-begin 
-  require 'highline'
-rescue LoadError
-  require 'rubygems'
-  require 'highline'
-end
-
 begin
-  require 'htauth'
+  require 'htauth/cli'
 rescue LoadError 
   path = File.expand_path(File.join(File.dirname(__FILE__),"..","lib"))
   raise if $:.include?(path)
@@ -16,4 +9,4 @@ rescue LoadError
   retry
 end
 
-HTAuth::Digest.new.run(ARGV, ENV)
+HTAuth::CLI::Digest.new.run(ARGV, ENV)

data/bin/htpasswd-ruby

@@ -1,14 +1,7 @@
 #!/usr/bin/env ruby
 
 begin
-  require 'highline'
-rescue LoadError
-  require 'rubygems'
-  require 'highline'
-end
-
-begin
-  require 'htauth'
+  require 'htauth/cli'
 rescue LoadError 
   path = File.expand_path(File.join(File.dirname(__FILE__),"..","lib"))
   raise if $:.include?(path)
@@ -16,4 +9,4 @@ rescue LoadError
   retry
 end
 
-HTAuth::Passwd.new.run(ARGV, ENV)
+HTAuth::CLI::Passwd.new.run(ARGV, ENV)

data/lib/htauth.rb

@@ -30,15 +30,14 @@ end
 
 require 'htauth/version'
 require 'htauth/algorithm'
+require 'htauth/console'
 require 'htauth/crypt'
-require 'htauth/digest'
 require 'htauth/digest_entry'
 require 'htauth/digest_file'
 require 'htauth/entry'
-require 'htauth/errors'
+require 'htauth/error'
 require 'htauth/file'
 require 'htauth/md5'
-require 'htauth/passwd'
 require 'htauth/passwd_entry'
 require 'htauth/passwd_file'
 require 'htauth/plaintext'

data/lib/htauth/algorithm.rb

@@ -1,11 +1,29 @@
+require 'htauth/error'
+require 'securerandom'
 module HTAuth
-  class InvalidAlgorithmError < StandardError ; end
-  # base class all the Passwd algorithms derive from
+  class InvalidAlgorithmError < Error; end
+
+  # Internal: Base class all the password algorithms derive from
+  #
   class Algorithm
 
     SALT_CHARS    = (%w[ . / ] + ("0".."9").to_a + ('A'..'Z').to_a + ('a'..'z').to_a).freeze
-    DEFAULT       = "md5"
-    EXISTING      = "existing"
+
+    # Public: flag for the md5 algorithm
+    MD5           = "md5".freeze
+    # Public: flag for the sha1 algorithm
+    SHA1          = "sha1".freeze
+    # Public: flag for the plaintext algorithm
+    PLAINTEXT     = "plaintext".freeze
+    # Public: flag for the crypt algorithm
+    CRYPT         = "crypt".freeze
+
+    # Public: flag for the default algorithm
+    DEFAULT       = MD5
+
+    # Public: flag to indicate using the existing algorithm of the entry
+    EXISTING      = "existing".freeze
+
 
     class << self
       def algorithm_from_name(a_name, params = {})
@@ -16,14 +34,14 @@ module HTAuth
       def algorithms_from_field(password_field)
         matches = []
 
-        if password_field.index(sub_klasses['sha1'].new.prefix) then
-          matches << sub_klasses['sha1'].new
-        elsif password_field.index(sub_klasses['md5'].new.prefix) then
+        if password_field.index(sub_klasses[SHA1].new.prefix) then
+          matches << sub_klasses[SHA1].new
+        elsif password_field.index(sub_klasses[MD5].new.prefix) then
           p = password_field.split("$")
-          matches << sub_klasses['md5'].new( :salt => p[2] )
+          matches << sub_klasses[MD5].new( :salt => p[2] )
         else
-          matches << sub_klasses['plaintext'].new
-          matches << sub_klasses['crypt'].new( :salt => password_field[0,2] )
+          matches << sub_klasses[PLAINTEXT].new
+          matches << sub_klasses[CRYPT].new( :salt => password_field[0,2] )
         end
 
         return matches
@@ -37,19 +55,41 @@ module HTAuth
       def sub_klasses
         @sub_klasses ||= {}
       end
+
+      # Internal: Constant time string comparison.
+      #
+      # From https://github.com/rack/rack/blob/master/lib/rack/utils.rb
+      #
+      # NOTE: the values compared should be of fixed length, such as strings
+      # that have already been processed by HMAC. This should not be used
+      # on variable length plaintext strings because it could leak length info
+      # via timing attacks.
+      def secure_compare(a, b)
+        return false unless a.bytesize == b.bytesize
+
+        l = a.unpack("C*")
+
+        r, i = 0, -1
+        b.each_byte { |v| r |= v ^ l[i+=1] }
+        r == 0
+      end
     end
 
+    # Internal
     def prefix ; end
+
+    # Internal
     def encode(password) ; end
 
-    # 8 bytes of random items from SALT_CHARS
+    # Internal: 8 bytes of random items from SALT_CHARS
     def gen_salt
       chars = []
-      8.times { chars << SALT_CHARS[rand(SALT_CHARS.size)] }
-      chars.join('')     
+      8.times { chars << SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }
+      chars.join('')
     end
 
-    # this is not the Base64 encoding, this is the to64() method from apr
+    # Internal: this is not the Base64 encoding, this is the to64() 
+    # method from the apache protable runtime library
     def to_64(number, rounds)
       r = StringIO.new
       rounds.times do |x|

data/lib/htauth/cli.rb

@@ -0,0 +1,8 @@
+require 'htauth'
+module HTAuth
+  module CLI
+
+  end
+end
+require 'htauth/cli/digest'
+require 'htauth/cli/passwd'

data/lib/htauth/cli/digest.rb

@@ -0,0 +1,130 @@
+require 'htauth/version'
+require 'htauth/error'
+require 'htauth/digest_file'
+require 'htauth/console'
+
+require 'ostruct'
+require 'optparse'
+
+module HTAuth
+  module CLI
+    # Internal: Implemenation of the commandline htdigest-ruby
+    class Digest
+
+      MAX_PASSWD_LENGTH = 255
+
+      attr_accessor :digest_file
+
+      def initialize
+        @digest_file = nil
+        @option_parser = nil
+        @options = nil
+      end
+
+      def options
+        if @options.nil? then
+          @options                = ::OpenStruct.new
+          @options.show_version   = false
+          @options.show_help      = false
+          @options.file_mode      = DigestFile::ALTER
+          @options.passwdfile     = nil
+          @options.realm          = nil
+          @options.username       = nil
+          @options.delete_entry   = false
+        end
+        @options
+      end
+
+      def option_parser
+        if not @option_parser then
+          @option_parser = OptionParser.new do |op|
+            op.banner = "Usage: #{op.program_name} [options] passwordfile realm username"
+            op.on("-c", "--create", "Create a new digest password file; this overwrites an existing file.") do |c|
+              options.file_mode = DigestFile::CREATE
+            end
+
+            op.on("-D", "--delete", "Delete the specified user.") do |d|
+              options.delete_entry = d
+            end
+
+            op.on("-h", "--help", "Display this help.") do |h|
+              options.show_help = h
+            end
+
+            op.on("-v", "--version", "Show version info.") do |v|
+              options.show_version = v
+            end
+          end
+        end
+        @option_parser
+      end
+
+      def show_help
+        $stdout.puts option_parser
+        exit 1
+      end
+
+      def show_version
+        $stdout.puts "#{option_parser.program_name}: version #{HTAuth::VERSION}"
+        exit 1
+      end
+
+      def parse_options(argv)
+        begin
+          option_parser.parse!(argv)
+          show_version if options.show_version
+          show_help if options.show_help or argv.size < 3
+
+          options.passwdfile = argv.shift
+          options.realm      = argv.shift
+          options.username   = argv.shift
+        rescue ::OptionParser::ParseError => pe
+          $stderr.puts "ERROR: #{option_parser.program_name} - #{pe}"
+          $stderr.puts "Try `#{option_parser.program_name} --help` for more information"
+          exit 1
+        end
+      end
+
+      def run(argv, env = ENV)
+        begin
+          parse_options(argv)
+          digest_file = DigestFile.new(options.passwdfile, options.file_mode)
+
+          if options.delete_entry then
+            digest_file.delete(options.username, options.realm)
+          else
+            console = Console.new
+
+            action = digest_file.has_entry?(options.username, options.realm) ? "Changing" : "Adding"
+
+            console.say "#{action} password for #{options.username} in realm #{options.realm}."
+
+            pw_in       = console.ask("        New password: ")
+            raise PasswordError, "password '#{pw_in}' too long" if pw_in.length >= MAX_PASSWD_LENGTH
+
+            pw_validate = console.ask("Re-type new password: ")
+            raise PasswordError, "They don't match, sorry." unless pw_in == pw_validate
+
+            digest_file.add_or_update(options.username, options.realm, pw_in)
+          end
+
+          digest_file.save!
+
+        rescue HTAuth::FileAccessError => fae
+          msg = "Could not open password file #{options.passwdfile} "
+          $stderr.puts "#{msg}: #{fae.message}"
+          $stderr.puts fae.backtrace.join("\n")
+          exit 1
+        rescue HTAuth::Error => pe
+          $stderr.puts "#{pe.message}"
+          exit 1
+        rescue SignalException => se
+          $stderr.puts
+          $stderr.puts "Interrupted #{se}"
+          exit 1
+        end
+        exit 0
+      end
+    end
+  end
+end

data/lib/htauth/cli/passwd.rb

@@ -0,0 +1,179 @@
+require 'htauth/error'
+require 'htauth/passwd_file'
+require 'htauth/console'
+
+require 'ostruct'
+require 'optparse'
+
+module HTAuth
+  module CLI
+    # Internal: Implemenation of the commandline htpasswd-ruby
+    class Passwd
+
+      MAX_PASSWD_LENGTH = 255
+
+      attr_accessor :passwd_file
+
+      def initialize
+        @passwd_file = nil
+        @option_parser = nil
+        @options = nil
+      end
+
+      def options
+        if @options.nil? then
+          @options                = ::OpenStruct.new
+          @options.batch_mode     = false
+          @options.file_mode      = File::ALTER
+          @options.passwdfile     = nil
+          @options.algorithm      = Algorithm::EXISTING
+          @options.send_to_stdout = false
+          @options.show_version   = false
+          @options.show_help      = false
+          @options.username       = nil
+          @options.delete_entry   = false
+          @options.password       = ""
+        end
+        @options
+      end
+
+      def option_parser
+        if not @option_parser then
+          @option_parser = OptionParser.new do |op|
+            op.banner = <<-EOB
+Usage: 
+            #{op.program_name} [-cmdpsD] passwordfile username
+            #{op.program_name} -b[cmdpsD] passwordfile username password
+
+            #{op.program_name} -n[mdps] username
+            #{op.program_name} -nb[mdps] username password
+            EOB
+
+            op.separator ""
+
+            op.on("-b", "--batch", "Batch mode, get the password from the command line, rather than prompt") do |b|
+              options.batch_mode = b
+            end
+
+            op.on("-c", "--create", "Create a new file; this overwrites an existing file.") do |c|
+              options.file_mode = HTAuth::File::CREATE
+            end
+
+            op.on("-d", "--crypt", "Force CRYPT encryption of the password.") do |c|
+              options.algorithm = Algorithm::CRYPT
+            end
+
+            op.on("-D", "--delete", "Delete the specified user.") do |d|
+              options.delete_entry = d
+            end
+
+            op.on("-h", "--help", "Display this help.") do |h|
+              options.show_help = h
+            end
+
+            op.on("-m", "--md5", "Force MD5 encryption of the password (default).") do |m|
+              options.algorithm = Algorithm::MD5
+            end
+
+            op.on("-n", "--stdout", "Do not update the file; Display the results on stdout instead.") do |n|
+              options.send_to_stdout = true
+              options.passwdfile     = HTAuth::File::STDOUT_FLAG
+            end
+
+            op.on("-p", "--plaintext", "Do not encrypt the password (plaintext).") do |p|
+              options.algorithm = Algorithm::PLAINTEXT
+            end
+
+            op.on("-s", "--sha1", "Force SHA encryption of the password.") do |s|
+              options.algorithm = Algorithm::SHA1
+            end
+
+            op.on("-v", "--version", "Show version info.") do |v|
+              options.show_version = v
+            end
+
+            op.separator ""
+
+            op.separator "The SHA algorihtm does not use a salt and is less secure than the MD5 algorithm"
+          end
+        end
+        @option_parser
+      end
+
+      def show_help
+        $stdout.puts option_parser
+        exit 1
+      end
+
+      def show_version
+        $stdout.puts "#{option_parser.program_name}: version #{HTAuth::VERSION}"
+        exit 1
+      end
+
+      def parse_options(argv)
+        begin
+          option_parser.parse!(argv)
+          show_version if options.show_version
+          show_help if options.show_help 
+
+          raise ::OptionParser::ParseError, "Unable to send to stdout AND create a new file" if options.send_to_stdout and (options.file_mode == File::CREATE)
+          raise ::OptionParser::ParseError, "a username is needed" if options.send_to_stdout and argv.size < 1
+          raise ::OptionParser::ParseError, "a username and password are needed" if options.send_to_stdout and options.batch_mode  and ( argv.size < 2 ) 
+          raise ::OptionParser::ParseError, "a passwordfile, username and password are needed " if not options.send_to_stdout and options.batch_mode and ( argv.size < 3 )
+          raise ::OptionParser::ParseError, "a passwordfile and username are needed" if argv.size < 2
+
+          options.passwdfile = argv.shift unless options.send_to_stdout
+          options.username   = argv.shift
+          options.password   = argv.shift if options.batch_mode
+
+        rescue ::OptionParser::ParseError => pe
+          $stderr.puts "ERROR: #{option_parser.program_name} - #{pe}"
+          show_help
+          exit 1
+        end
+      end
+
+      def run(argv, env = ENV)
+        begin
+          parse_options(argv)
+          passwd_file = PasswdFile.new(options.passwdfile, options.file_mode)
+
+          if options.delete_entry then
+            passwd_file.delete(options.username)
+          else
+            unless options.batch_mode 
+              console = Console.new
+
+              action = passwd_file.has_entry?(options.username) ? "Changing" : "Adding"
+
+              console.say "#{action} password for #{options.username}."
+
+              pw_in       = console.ask("        New password: ")
+              raise PasswordError, "password '#{pw_in}' too long" if pw_in.length >= MAX_PASSWD_LENGTH
+
+              pw_validate = console.ask("Re-type new password: ")
+              raise PasswordError, "They don't match, sorry." unless pw_in == pw_validate
+              options.password = pw_in
+            end
+            passwd_file.add_or_update(options.username, options.password, options.algorithm)
+          end
+
+          passwd_file.save! 
+
+        rescue HTAuth::FileAccessError => fae
+          msg = "Password file failure (#{options.passwdfile}) "
+          $stderr.puts "#{msg}: #{fae.message}"
+          exit 1
+        rescue HTAuth::Error => pe
+          $stderr.puts "#{pe.message}"
+          exit 1
+        rescue SignalException => se
+          $stderr.puts
+          $stderr.puts "Interrupted #{se}"
+          exit 1
+        end
+        exit 0
+      end
+    end
+  end
+end