htauth 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 64406e1178b07885f40df5db23c5962c040dff9a
-  data.tar.gz: a4d90738e83e05cfc38e857426be2e95ed4e8700
+SHA256:
+  metadata.gz: 1a0330f64106269682197c83a695b2efbb98b05e367ba56a90aef1794cdc27dd
+  data.tar.gz: 4fd5c4452211b4747543941477c65eb83a33ed075d4dd352b1763f00daaabcb5
 SHA512:
-  metadata.gz: 680bdc7d37adccad0a9358fdf391440abce27e8adc65e50dfeb394d0fbd884f3c3d951c2688590e33ef841a4bfb699035b167c2b57a764d93858b0dce1eb878e
-  data.tar.gz: 5c39dd6133939c4ce2eb3845fcac8135f355fc141930ade586bfeca16cc43d5fe4df556891cdb44be7de26ff862fd2aa8dd4b5ff22adb3bb5d10ba90eb61771b
+  metadata.gz: 0f5cee2bcf691c57abf009a02a5d383839c1b5ae9f38345785398a258f72936b593e1672f74e62bc10f87124f12b2783b0587c4dfc5d73b413391d996824d0b1
+  data.tar.gz: c583805c7ee4a2f33d7297df69dc118d8abc60b91ece304c04b84c2e873bed1c8abd8dff31624a8fffd32fe008e22dcc38aa47677dd7bae143f32eba73a02287

data/HISTORY.md

@@ -1,4 +1,11 @@
 # Changelog
+## Version 2.1.0 - 2020-04-02
+
+* Update minimum ruby versions to modern versions
+* Support bcrypt password entries [#12](https://github.com/copiousfreetime/htauth/issues/12)
+* Support authentication at the password file level
+* implement --verify commandline option (-v in apache htpasswd)
+* implement --stdin commandline option (-i in apache htpasswd)
 
 ## Version 2.0.0 - 2015-09-13
 

data/Manifest.txt

@@ -8,11 +8,13 @@ bin/htdigest-ruby
 bin/htpasswd-ruby
 lib/htauth.rb
 lib/htauth/algorithm.rb
+lib/htauth/bcrypt.rb
 lib/htauth/cli.rb
 lib/htauth/cli/digest.rb
 lib/htauth/cli/passwd.rb
 lib/htauth/console.rb
 lib/htauth/crypt.rb
+lib/htauth/descendant_tracker.rb
 lib/htauth/digest_entry.rb
 lib/htauth/digest_file.rb
 lib/htauth/entry.rb
@@ -24,6 +26,8 @@ lib/htauth/passwd_file.rb
 lib/htauth/plaintext.rb
 lib/htauth/sha1.rb
 lib/htauth/version.rb
+spec/algorithm_spec.rb
+spec/bcrypt_spec.rb
 spec/cli/digest_spec.rb
 spec/cli/passwd_spec.rb
 spec/crypt_spec.rb

data/README.md

@@ -1,7 +1,7 @@
 ## HTAuth
 
 * [Github](http://github.com/copiousfreetime/htauth/tree/master)
-* email jeremy at copiousfreetime dot org
+* [![Build Status](https://travis-ci.org/copiousfreetime/htauth.svg?branch=master)](https://travis-ci.org/copiousfreetime/htauth)
 
 ## DESCRIPTION
 
@@ -26,32 +26,38 @@ Additionally, you can access all the functionality of *htdigest-ruby* and
 
 ### htpasswd-ruby command line application
 
-
     Usage:
-    htpasswd-ruby [-cmdpsD] passwordfile username
-    htpasswd-ruby -b[cmdpsD] passwordfile username password
-
-    htpasswd-ruby -n[mdps] username
-    htpasswd-ruby -nb[mdps] username password
-
-    -b, --batch                      Batch mode, get the password from the command line, rather than prompt
-    -c, --create                     Create a new file; this overwrites an existing file.
-    -d, --crypt                      Force CRYPT encryption of the password (default).
-    -D, --delete                     Delete the specified user.
-    -h, --help                       Display this help.
-    -m, --md5                        Force MD5 encryption of the password (default on Windows).
-    -n, --stdout                     Do not update the file; Display the results on stdout instead.
-    -p, --plaintext                  Do not encrypt the password (plaintext).
-    -s, --sha1                       Force SHA encryption of the password.
-    -v, --version                    Show version info.
+            htpasswd-ruby [-cimBdpsD] [-C cost] passwordfile username
+            htpasswd-ruby -b[cmBdpsD] [-C cost] passwordfile username password
+
+            htpasswd-ruby -n[imBdps] [-C cost] username
+            htpasswd-ruby -nb[mBdps] [-C cost] username password
+
+        -b, --batch      Batch mode, get the password from the command line, rather than prompt
+        -B, --bcrypt     Force bcrypt encryption of the password.
+        -C, --cost COST  Set the computing time used for the bcrypt algorithm
+                         (higher is more secure but slower, default: 5, valid: 4 to 31).
+        -c, --create     Create a new file; this overwrites an existing file.
+        -d, --crypt      Force CRYPT encryption of the password.
+        -D, --delete     Delete the specified user.
+        -h, --help       Display this help.
+        -i, --stdin      Read the passwod from stdin without verivication (for script usage).
+        -m, --md5        Force MD5 encryption of the password (default).
+        -n, --stdout     Do not update the file; Display the results on stdout instead.
+        -p, --plaintext  Do not encrypt the password (plaintext).
+        -s, --sha1       Force SHA encryption of the password.
+        -v, --version    Show version info.
+            --verify     Verify password for the specified user
+
+    The SHA algorihtm does not use a salt and is less secure than the MD5 algorithm.
 
 ### htdigest-ruby command line application
 
     Usage: htdigest-ruby [options] passwordfile realm username
-    -c, --create                     Create a new digest password file; this overwrites an existing file.
-    -D, --delete                     Delete the specified user.
-    -h, --help                       Display this help.
-    -v, --version                    Show version info.
+        -c, --create   Create a new digest password file; this overwrites an existing file.
+        -D, --delete   Delete the specified user.
+        -h, --help     Display this help.
+        -v, --version  Show version info.
 
 ### API Usage
 
@@ -65,6 +71,14 @@ Additionally, you can access all the functionality of *htdigest-ruby* and
       pf.add('someotheruser', 'a different password', 'sha1')
     end
 
+    HTAuth::PasswdFile.open("some.htpasswd", HTAuth::File::ALTER) do |pf|
+      pf.update('someuser', 'a password', 'bcrypt')
+    end
+
+    HTAuth::PasswdFile.open("some.htpasswd") do |pf|
+      pf.authenticated?('someuser', 'a password')
+    end
+
 ## CREDITS
 
 * [The Apache Software Foundation](http://www.apache.org/)

data/Rakefile

@@ -7,10 +7,14 @@ This.email    = "jeremy@copiousfreetime.org"
 This.homepage = "http://github.com/copiousfreetime/#{ This.name }"
 
 This.ruby_gemspec do |spec|
-  spec.add_development_dependency( 'rake'     , '~> 10.1')
-  spec.add_development_dependency( 'minitest' , '~> 5.0' )
-  spec.add_development_dependency( 'rdoc'     , '~> 4.0' )
-  spec.add_development_dependency( 'simplecov', '~> 0.9' )
+  spec.add_dependency( 'bcrypt', '~> 3.1' )
+
+  spec.add_development_dependency( 'rake'     , '~> 13.0')
+  spec.add_development_dependency( 'minitest' , '~> 5.5' )
+  spec.add_development_dependency( 'rdoc'     , '~> 6.2' )
+  spec.add_development_dependency( 'simplecov', '~> 0.17' )
+
+  spec.license = "MIT"
 end
 
 load 'tasks/default.rake'

data/lib/htauth.rb

@@ -31,6 +31,7 @@ end
 require 'htauth/version'
 require 'htauth/algorithm'
 require 'htauth/console'
+require 'htauth/bcrypt'
 require 'htauth/crypt'
 require 'htauth/digest_entry'
 require 'htauth/digest_file'

data/lib/htauth/algorithm.rb

@@ -1,4 +1,5 @@
 require 'htauth/error'
+require 'htauth/descendant_tracker'
 require 'securerandom'
 module HTAuth
   class InvalidAlgorithmError < Error; end
@@ -7,8 +8,13 @@ module HTAuth
   #
   class Algorithm
 
+    extend DescendantTracker
+
     SALT_CHARS    = (%w[ . / ] + ("0".."9").to_a + ('A'..'Z').to_a + ('a'..'z').to_a).freeze
+    SALT_LENGTH   = 8
 
+    # Public: flag for the bcrypt algorithm
+    BCRYPT        = "bcrypt".freeze
     # Public: flag for the md5 algorithm
     MD5           = "md5".freeze
     # Public: flag for the sha1 algorithm
@@ -26,34 +32,36 @@ module HTAuth
 
 
     class << self
-      def algorithm_from_name(a_name, params = {})
-        raise InvalidAlgorithmError, "`#{a_name}' is an invalid encryption algorithm, use one of #{sub_klasses.keys.join(', ')}" unless sub_klasses[a_name.downcase]
-        sub_klasses[a_name.downcase].new(params)
+      def algorithm_name
+        self.name.split("::").last.downcase
       end
 
-      def algorithms_from_field(password_field)
-        matches = []
-
-        if password_field.index(sub_klasses[SHA1].new.prefix) then
-          matches << sub_klasses[SHA1].new
-        elsif password_field.index(sub_klasses[MD5].new.prefix) then
-          p = password_field.split("$")
-          matches << sub_klasses[MD5].new( :salt => p[2] )
-        else
-          matches << sub_klasses[PLAINTEXT].new
-          matches << sub_klasses[CRYPT].new( :salt => password_field[0,2] )
+      def algorithm_from_name(a_name, params = {})
+        found = children.find { |c| c.algorithm_name == a_name }
+        if !found then
+          names = children.map { |c| c.algorithm_name }
+          raise InvalidAlgorithmError, "`#{a_name}' is an unknown encryption algorithm, use one of #{names.join(', ')}"
         end
-
-        return matches
+        return found.new(params)
       end
 
-      def inherited(sub_klass)
-        k = sub_klass.name.split("::").last.downcase
-        sub_klasses[k] = sub_klass
+      # NOTE: if it is plaintext, and the length is 13 - it may matched crypt
+      #       and be tested that way. If that is the case - this is explicitly
+      #       siding with crypt() as you shouldn't be using plaintext. Or
+      #       crypt for that matter.
+      def algorithm_from_field(password_field)
+        match = find_child(:handles?, password_field)
+        match = ::HTAuth::Plaintext if match.nil? && ::HTAuth::Plaintext.entry_matches?(password_field)
+
+        raise InvalidAlgorithmError, "unknown encryption algorithm used for `#{password_field}`" if match.nil?
+
+        return match.new(:existing => password_field)
       end
 
-      def sub_klasses
-        @sub_klasses ||= {}
+      # Internal: Does this class handle this type of password entry
+      #
+      def handles?(password_entry)
+        raise NotImplementedError, "#{self.name} must implement #{self.name}.handles?(password_entry)"
       end
 
       # Internal: Constant time string comparison.
@@ -75,20 +83,15 @@ module HTAuth
       end
     end
 
-    # Internal
-    def prefix ; end
-
     # Internal
     def encode(password) ; end
 
     # Internal: 8 bytes of random items from SALT_CHARS
-    def gen_salt
-      chars = []
-      8.times { chars << SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }
-      chars.join('')
+    def gen_salt(length = SALT_LENGTH)
+      Array.new(length) { SALT_CHARS.sample }.join('')
     end
 
-    # Internal: this is not the Base64 encoding, this is the to64() 
+    # Internal: this is not the Base64 encoding, this is the to64()
     # method from the apache protable runtime library
     def to_64(number, rounds)
       r = StringIO.new

data/lib/htauth/bcrypt.rb

@@ -0,0 +1,35 @@
+require 'htauth/algorithm'
+require 'bcrypt'
+
+module HTAuth
+  # Internal: an implementation of the Bcrypt based encoding algorithm
+  # as used in the apache htpasswd -B option
+
+  class Bcrypt < Algorithm
+
+    attr_accessor :cost
+
+    DEFAULT_APACHE_COST = 5 # this is the default cost from htpasswd
+
+    def self.handles?(password_entry)
+      return ::BCrypt::Password.valid_hash?(password_entry)
+    end
+
+    def self.extract_cost_from_existing_password_field(existing)
+      password = ::BCrypt::Password.new(existing)
+      password.cost
+    end
+
+    def initialize(params = {})
+      if existing = (params['existing'] || params[:existing]) then
+        @cost = self.class.extract_cost_from_existing_password_field(existing)
+      else
+        @cost = params['cost'] || params[:cost] || DEFAULT_APACHE_COST
+      end
+    end
+
+    def encode(password)
+      ::BCrypt::Password.create(password, :cost => cost)
+    end
+  end
+end

data/lib/htauth/cli/digest.rb

@@ -37,7 +37,7 @@ module HTAuth
 
       def option_parser
         if not @option_parser then
-          @option_parser = OptionParser.new do |op|
+          @option_parser = OptionParser.new(nil, 14) do |op|
             op.banner = "Usage: #{op.program_name} [options] passwordfile realm username"
             op.on("-c", "--create", "Create a new digest password file; this overwrites an existing file.") do |c|
               options.file_mode = DigestFile::CREATE

data/lib/htauth/cli/passwd.rb

@@ -27,26 +27,28 @@ module HTAuth
           @options.file_mode      = File::ALTER
           @options.passwdfile     = nil
           @options.algorithm      = Algorithm::EXISTING
+          @options.algorithm_args = {}
+          @options.read_stdin_once= false
           @options.send_to_stdout = false
           @options.show_version   = false
           @options.show_help      = false
           @options.username       = nil
-          @options.delete_entry   = false
           @options.password       = ""
+          @options.operation      = []
         end
         @options
       end
 
       def option_parser
         if not @option_parser then
-          @option_parser = OptionParser.new do |op|
+          @option_parser = OptionParser.new(nil, 16) do |op|
             op.banner = <<-EOB
-Usage: 
-            #{op.program_name} [-cmdpsD] passwordfile username
-            #{op.program_name} -b[cmdpsD] passwordfile username password
+Usage:
+        #{op.program_name} [-cimBdpsD] [-C cost] passwordfile username
+        #{op.program_name} -b[cmBdpsD] [-C cost] passwordfile username password
 
-            #{op.program_name} -n[mdps] username
-            #{op.program_name} -nb[mdps] username password
+        #{op.program_name} -n[imBdps] [-C cost] username
+        #{op.program_name} -nb[mBdps] [-C cost] username password
             EOB
 
             op.separator ""
@@ -55,8 +57,27 @@ Usage:
               options.batch_mode = b
             end
 
+            op.on("-B", "--bcrypt", "Force bcrypt encryption of the password.") do |b|
+              options.algorithm = Algorithm::BCRYPT
+            end
+
+            op.on("-CCOST", "--cost COST", "Set the computing time used for the bcrypt algorithm",
+                                           "(higher is more secure but slower, default: 5, valid: 4 to 31).") do |c|
+              if c !~ /\A\d+\z/ then
+                  raise ::OptionParser::ParseError, "the bcrypt cost must be an integer from 4 to 31, `#{c}` is invalid"
+              end
+
+              cost = c.to_i
+              if (4..31).include?(cost)
+                options.algorithm_args = { :cost => cost }
+              else
+                raise ::OptionParser::ParseError, "the bcrypt cost must be an integer from 4 to 31, `#{c}` is invalid"
+              end
+            end
+
             op.on("-c", "--create", "Create a new file; this overwrites an existing file.") do |c|
               options.file_mode = HTAuth::File::CREATE
+              options.operation << :add_or_update
             end
 
             op.on("-d", "--crypt", "Force CRYPT encryption of the password.") do |c|
@@ -64,13 +85,17 @@ Usage:
             end
 
             op.on("-D", "--delete", "Delete the specified user.") do |d|
-              options.delete_entry = d
+              options.operation << :delete
             end
 
             op.on("-h", "--help", "Display this help.") do |h|
               options.show_help = h
             end
 
+            op.on("-i", "--stdin", "Read the passwod from stdin without verivication (for script usage).") do |i|
+              options.read_stdin_once = true
+            end
+
             op.on("-m", "--md5", "Force MD5 encryption of the password (default).") do |m|
               options.algorithm = Algorithm::MD5
             end
@@ -78,6 +103,7 @@ Usage:
             op.on("-n", "--stdout", "Do not update the file; Display the results on stdout instead.") do |n|
               options.send_to_stdout = true
               options.passwdfile     = HTAuth::File::STDOUT_FLAG
+              options.operation     << :stdout
             end
 
             op.on("-p", "--plaintext", "Do not encrypt the password (plaintext).") do |p|
@@ -92,9 +118,13 @@ Usage:
               options.show_version = v
             end
 
+            op.on("--verify", "Verify password for the specified user") do |v|
+              options.operation << :verify
+            end
+
             op.separator ""
 
-            op.separator "The SHA algorihtm does not use a salt and is less secure than the MD5 algorithm"
+            op.separator "The SHA algorihtm does not use a salt and is less secure than the MD5 algorithm."
           end
         end
         @option_parser
@@ -114,14 +144,17 @@ Usage:
         begin
           option_parser.parse!(argv)
           show_version if options.show_version
-          show_help if options.show_help 
+          show_help if options.show_help
 
+          raise ::OptionParser::ParseError, "only one of --create, --stdout, --verify, --delete may be specified" if options.operation.size > 1
           raise ::OptionParser::ParseError, "Unable to send to stdout AND create a new file" if options.send_to_stdout and (options.file_mode == File::CREATE)
           raise ::OptionParser::ParseError, "a username is needed" if options.send_to_stdout and argv.size < 1
           raise ::OptionParser::ParseError, "a username and password are needed" if options.send_to_stdout and options.batch_mode  and ( argv.size < 2 ) 
           raise ::OptionParser::ParseError, "a passwordfile, username and password are needed " if not options.send_to_stdout and options.batch_mode and ( argv.size < 3 )
           raise ::OptionParser::ParseError, "a passwordfile and username are needed" if argv.size < 2
+          raise ::OptionParser::ParseError, "options -i and -b are mutually exclusive" if options.batch_mode && options.read_stdin_once
 
+          options.operation  = options.operation.shift || :add_or_update
           options.passwdfile = argv.shift unless options.send_to_stdout
           options.username   = argv.shift
           options.password   = argv.shift if options.batch_mode
@@ -133,33 +166,60 @@ Usage:
         end
       end
 
+      def fetch_password(width=20)
+        return options.password if options.batch_mode
+        console = Console.new
+        if options.read_stdin_once then
+          pw_in = console.read_answer
+          return pw_in
+        end
+
+        case options.operation
+        when :verify
+          pw_in = console.ask("Enter password: ".rjust(width))
+          raise PasswordError, "password '#{pw_in}' too long" if pw_in.length >= MAX_PASSWD_LENGTH
+        when :add_or_update
+          pw_in = console.ask("New password: ".rjust(width))
+          raise PasswordError, "password '#{pw_in}' too long" if pw_in.length >= MAX_PASSWD_LENGTH
+
+          pw_validate = console.ask("Re-type new password: ".rjust(width))
+          raise PasswordError, "They don't match, sorry." unless pw_in == pw_validate
+        end
+
+        return pw_in
+      end
+
       def run(argv, env = ENV)
         begin
           parse_options(argv)
+          console = Console.new
           passwd_file = PasswdFile.new(options.passwdfile, options.file_mode)
-
-          if options.delete_entry then
+          case options.operation
+          when :delete
             passwd_file.delete(options.username)
-          else
-            unless options.batch_mode 
-              console = Console.new
-
-              action = passwd_file.has_entry?(options.username) ? "Changing" : "Adding"
-
-              console.say "#{action} password for #{options.username}."
-
-              pw_in       = console.ask("        New password: ")
-              raise PasswordError, "password '#{pw_in}' too long" if pw_in.length >= MAX_PASSWD_LENGTH
-
-              pw_validate = console.ask("Re-type new password: ")
-              raise PasswordError, "They don't match, sorry." unless pw_in == pw_validate
-              options.password = pw_in
+            passwd_file.save!
+          when :verify
+            if passwd_file.has_entry?(options.username) then
+              pw_in = fetch_password
+              if passwd_file.authenticated?(options.username, pw_in) then
+                $stderr.puts "Password for user #{options.username} correct."
+              else
+                raise HTAuth::Error, "Password verification for user #{options.username} failed."
+              end
+            else
+              raise HTAuth::Error, "User #{options.username} not found"
             end
-            passwd_file.add_or_update(options.username, options.password, options.algorithm)
+          when :add_or_update
+            options.password = fetch_password
+            action = passwd_file.has_entry?(options.username) ? "Changing" : "Adding"
+            console.say "#{action} password for #{options.username}."
+            passwd_file.add_or_update(options.username, options.password, options.algorithm, options.algorithm_args)
+            passwd_file.save!
+          when :stdout
+            options.password = fetch_password
+            passwd_file.add_or_update(options.username, options.password, options.algorithm, options.algorithm_args)
+            passwd_file.save!
           end
-
-          passwd_file.save! 
-
         rescue HTAuth::FileAccessError => fae
           msg = "Password file failure (#{options.passwdfile}) "
           $stderr.puts "#{msg}: #{fae.message}"