htauth 2.2.0 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a392e544654ec732a878871166ba48129a72dc8e7d2b3b9e1ed37d99117546b9
-  data.tar.gz: fb244f0b94603e5829d36d10e1309d98608a584c1bc8ea3a3d95f60f9950b7fb
+  metadata.gz: ad5523ccfeacb957acb9cf2fae40e19e51bc92e10d093a950949fbe00bb50b1a
+  data.tar.gz: 280ed439110fd03ca5510ae81d8b17a4f0db21f4f0aed7360238bbcef83fe6c1
 SHA512:
-  metadata.gz: 3350108830c0ce7bb7e406ec2d449c89eaf3ce1047f095cab78cffe8c197fb03eb9a5ffe7ad1b782e6d15c1ed88017ef96cb48e87cd8e91993454e00bc1fffda
-  data.tar.gz: 3b4183cd67ab796c5de2c2fcee847a94ab7d83e925b5283640bd7718274667e141d1618a10f927cf5c6e70cc5a667c284577d83d449a7566770ea60e5a2bc20e
+  metadata.gz: cc5ddd224ce189eeb5d16a60059a9fcab868ff65de9aad4efac3177425004d98b22d9af29f556d001ae0c083b31cdaef4cf723c7d1342739fc01c7be12841f42
+  data.tar.gz: 28a12fef7f3c7a96c9bdb186a71b06b8263da2c1f6b77dfcba45239129a17311d9fbcfa799aaf004efbf09876cc380de99bb91cab6be23ffefc23ce70286618b

data/HISTORY.md

@@ -1,5 +1,11 @@
 # Changelog
-## Version 2.2.0 - 2023-02-XX
+## Version 2.3.0 - 2024-02-03
+
+* Add support for argon2 encryption [#18](https://github.com/copiousfreetime/htauth/pull/18)
+* Update supported ruby version, now supporting ruby 3.x only
+* Semaphore updates
+
+## Version 2.2.0 - 2023-02-06
 
 * Update ruby versions
 * Add to sempahore for CI

data/Manifest.txt

@@ -8,6 +8,7 @@ bin/htdigest-ruby
 bin/htpasswd-ruby
 lib/htauth.rb
 lib/htauth/algorithm.rb
+lib/htauth/argon2.rb
 lib/htauth/bcrypt.rb
 lib/htauth/cli.rb
 lib/htauth/cli/digest.rb
@@ -27,6 +28,7 @@ lib/htauth/plaintext.rb
 lib/htauth/sha1.rb
 lib/htauth/version.rb
 spec/algorithm_spec.rb
+spec/argon2_spec.rb
 spec/bcrypt_spec.rb
 spec/cli/digest_spec.rb
 spec/cli/passwd_spec.rb

data/README.md

@@ -7,25 +7,45 @@
 
 ## DESCRIPTION
 
-HTAuth is a pure ruby replacement for the Apache support programs htdigest and
-htpasswd.  Command line and API access are provided for access to htdigest and
-htpasswd files.
+HTAuth provides an API and commandline tools for managing Apache/httpd style
+htpasswd and htdigest files.
 
 ## FEATURES
 
-HTAuth provides to drop in commands *htdigest-ruby* and *htpasswd-ruby* that
-can manipulate the digest and passwd files in the same manner as Apache's
-original commands.
+HTAuth provides an API allowing direct manipulation of Apache/httpd style
+`htdigest` and `htpasswd` files. Supporting full programmatic manipulation and
+authentication of user credentials.
 
-*htdigest-ruby* and *htpasswd-ruby* are command line compatible with *htdigest*
-and *htpasswd*.  They support the same exact same command line options as the
-originals, and have some extras.
+HTAuth also includes drop-in, commandline compatible replacements for the Apache
+utilities `htpasswd` and `htdigest` with the respective `htpasswd-ruby` and
+`htdigest-ruby` commands.
 
-Additionally, you can access all the functionality of *htdigest-ruby* and
-*htpasswd-ruby* through an API.
+Additionally, support for the [argon2](https://github.com/technion/ruby-argon2)
+password hashing algorithm is provided for most platforms.
 
 ## SYNOPSIS
 
+### API Usage
+
+    HTAuth::DigestFile.open("some.htdigest") do |df|
+      df.add_or_update('someuser', 'myrealm', 'a password')
+      df.delete('someolduser', 'myotherrealm')
+    end
+
+    HTAuth::PasswdFile.open("some.htpasswd", HTAuth::File::CREATE) do |pf|
+      pf.add('someuser', 'a password', 'md5')
+      pf.add('someotheruser', 'a different password', 'sha1')
+    end
+
+    HTAuth::PasswdFile.open("some.htpasswd", HTAuth::File::ALTER) do |pf|
+      pf.update('someuser', 'a password', 'bcrypt')
+    end
+
+    HTAuth::PasswdFile.open("some.htpasswd") do |pf|
+      pf.authenticated?('someuser', 'a password')
+    end
+
+
 ### htpasswd-ruby command line application
 
     Usage:
@@ -35,7 +55,8 @@ Additionally, you can access all the functionality of *htdigest-ruby* and
             htpasswd-ruby -n[imBdps] [-C cost] username
             htpasswd-ruby -nb[mBdps] [-C cost] username password
 
-        -b, --batch      Batch mode, get the password from the command line, rather than prompt
+            --argon2     Force argon2 encryption of the password.
+        -b, --batch      Batch mode, get the password from the command line, rather than prompt.
         -B, --bcrypt     Force bcrypt encryption of the password.
         -C, --cost COST  Set the computing time used for the bcrypt algorithm
                          (higher is more secure but slower, default: 5, valid: 4 to 31).
@@ -49,9 +70,7 @@ Additionally, you can access all the functionality of *htdigest-ruby* and
         -p, --plaintext  Do not encrypt the password (plaintext).
         -s, --sha1       Force SHA encryption of the password.
         -v, --version    Show version info.
-            --verify     Verify password for the specified user
-
-    The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
+            --verify     Verify password for the specified user.
 
 ### htdigest-ruby command line application
 
@@ -61,30 +80,31 @@ Additionally, you can access all the functionality of *htdigest-ruby* and
         -h, --help     Display this help.
         -v, --version  Show version info.
 
-### API Usage
+## Supported Hash Algorithms
 
-    HTAuth::DigestFile.open("some.htdigest") do |df|
-      df.add_or_update('someuser', 'myrealm', 'a password')
-      df.delete('someolduser', 'myotherrealm')
-    end
+Out of the box, `htauth` supports the classic algorithms that ship with Apache
+`htpasswd`.
 
-    HTAuth::PasswdFile.open("some.htpasswd", HTAuth::File::CREATE) do |pf|
-      pf.add('someuser', 'a password', 'md5')
-      pf.add('someotheruser', 'a different password', 'sha1')
-    end
+- Built in
+    - Generally accepted
+        - MD5 (default for compatibility reasons)
+        - bcrypt (probably the better choice)
 
-    HTAuth::PasswdFile.open("some.htpasswd", HTAuth::File::ALTER) do |pf|
-      pf.update('someuser', 'a password', 'bcrypt')
-    end
+    - **Not Recommended** - available only for backwards compatibility with `htpasswd`
+        - SHA1
+        - crypt
+        - plaintext
 
-    HTAuth::PasswdFile.open("some.htpasswd") do |pf|
-      pf.authenticated?('someuser', 'a password')
-    end
+- Available with the installation of additional libraries:
+    - argon2 - to use, add `gem 'argon2'` to your `Gemfile`. `argon2` will
+      now be a valid algorithm to use in `HTAuth::PasswdFile` API. Currently
+      argon2 is not supported on windows as the upstream `argon2` gem does not
+      support windows.
 
 ## CREDITS
 
 * [The Apache Software Foundation](http://www.apache.org/)
-* all the folks who contributed to htdigest and htpassword
+* all the folks who contributed to htdigest and htpasswd
 
 ## MIT LICENSE
 

data/Rakefile

@@ -8,12 +8,14 @@ This.homepage = "http://github.com/copiousfreetime/#{ This.name }"
 
 This.ruby_gemspec do |spec|
   spec.add_dependency( 'bcrypt', '~> 3.1' )
+  spec.add_dependency( 'base64', '~> 0.2' )
 
-  spec.add_development_dependency( 'rake'     , '~> 13.0')
-  spec.add_development_dependency( 'minitest' , '~> 5.11' )
-  spec.add_development_dependency( 'minitest-junit' , '~> 1.0' )
-  spec.add_development_dependency( 'rdoc'     , '~> 6.4' )
-  spec.add_development_dependency( 'simplecov', '~> 0.17' )
+  spec.add_development_dependency( 'argon2'   , '~> 2.3')
+  spec.add_development_dependency( 'rake'     , '~> 13.1')
+  spec.add_development_dependency( 'minitest' , '~> 5.21' )
+  spec.add_development_dependency( 'minitest-junit' , '~> 1.1' )
+  spec.add_development_dependency( 'rdoc'     , '~> 6.6' )
+  spec.add_development_dependency( 'simplecov', '~> 0.21' )
 
   spec.metadata = {
     "bug_tracker_uri" => "https://github.com/copiousfreetime/htauth/issues",

data/bin/htdigest-ruby

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
 begin
-  require 'htauth/cli'
+  require 'htauth/cli/digest'
 rescue LoadError 
   path = File.expand_path(File.join(File.dirname(__FILE__),"..","lib"))
   raise if $:.include?(path)

data/bin/htpasswd-ruby

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
 begin
-  require 'htauth/cli'
+  require 'htauth/cli/passwd'
 rescue LoadError 
   path = File.expand_path(File.join(File.dirname(__FILE__),"..","lib"))
   raise if $:.include?(path)

data/lib/htauth/algorithm.rb

@@ -13,6 +13,8 @@ module HTAuth
     SALT_CHARS    = (%w[ . / ] + ("0".."9").to_a + ('A'..'Z').to_a + ('a'..'z').to_a).freeze
     SALT_LENGTH   = 8
 
+    # Public: flag for the argon2 algorithm
+    ARGON2        = "argon2".freeze
     # Public: flag for the bcrypt algorithm
     BCRYPT        = "bcrypt".freeze
     # Public: flag for the md5 algorithm
@@ -84,7 +86,17 @@ module HTAuth
     end
 
     # Internal
-    def encode(password) ; end
+    def encode(password)
+      raise NotImplementedError, "#{self.class.name} must implement #{self.class.name}.encode(password)"
+    end
+
+    # Internal: Does the given password match the digest, the default just
+    # encodes and secure compares the result, different algorithms may overide
+    # this method
+    def verify_password?(password, digest)
+      encoded = encode(password)
+      self.class.secure_compare(encoded, digest)
+    end
 
     # Internal: 8 bytes of random items from SALT_CHARS
     def gen_salt(length = SALT_LENGTH)

data/lib/htauth/argon2.rb

@@ -0,0 +1,77 @@
+require 'htauth/algorithm'
+begin
+  require 'argon2'
+rescue LoadError
+end
+
+module HTAuth
+  # Internal:  Support of the argon2id algorithm and password format.
+
+  class Argon2 < Algorithm
+    class NotSupportedError < ::HTAuth::InvalidAlgorithmError
+      def message
+        "Unfortunately Argon2 passwords are not supported on `#{RUBY_PLATFORM} at this time. This because the upstream argon2 gem does not support windows."
+      end
+    end
+    class NotInstalledError < ::HTAuth::InvalidAlgorithmError
+      def message
+        "Argon2 passwords are supported if the `argon2' gem is installed. Add `gem 'argon2', '~> 2.3'` to your Gemfile"
+      end
+    end
+
+    # from upstream, used to help make a nice error message if its not installed
+    # https://github.com/technion/ruby-argon2/blob/3388d7e05e8b486ea4ba8bd2aeb1e9988f025f13/lib/argon2/hash_format.rb#L45
+    PREFIX = /^\$argon2(id?|d).{,113}/.freeze
+    ARGON2_GEM_INSTALLED = defined?(::Argon2)
+
+    def self.supported?
+      !::Gem.win_platform?
+    end
+
+    def self.ensure_available!
+      raise NotSupportedError unless supported?
+      raise NotInstalledError unless ARGON2_GEM_INSTALLED
+    end
+
+    attr_accessor :options
+
+     def self.handles?(password_entry)
+      return false unless PREFIX.match?(password_entry)
+      ensure_available!
+
+      return ::Argon2::Password.valid_hash?(password_entry)
+     end
+
+     def self.extract_options_from_existing_password_field(existing)
+       hash_format = ::Argon2::HashFormat.new(existing)
+
+       # m_cost on the input is the 2**m_cost, but in the hash its the number of
+       # bytes, so need to convert it back to a power of 2, which is the
+       # log2(m_cost)
+
+       {
+         t_cost: hash_format.t_cost,
+         m_cost: ::Math.log2(hash_format.m_cost).floor,
+         p_cost: hash_format.p_cost,
+       }
+     end
+
+     def initialize(params = { profile: :rfc_9106_low_memory })
+       self.class.ensure_available!
+       if existing = (params['existing'] || params[:existing]) then
+         @options = self.class.extract_options_from_existing_password_field(existing)
+       else
+         @options = params
+       end
+     end
+
+     def encode(password)
+       argon2 = ::Argon2::Password.new(options)
+       argon2.create(password)
+     end
+
+    def verify_password?(password, digest)
+      ::Argon2::Password.verify_password(password, digest)
+    end
+  end
+end

data/lib/htauth/bcrypt.rb

@@ -31,5 +31,10 @@ module HTAuth
     def encode(password)
       ::BCrypt::Password.create(password, :cost => cost)
     end
+
+    def verify_password?(password, digest)
+      bc = ::BCrypt::Password.new(digest)
+      bc.is_password?(password)
+    end
   end
 end

data/lib/htauth/cli/digest.rb

@@ -1,7 +1,4 @@
-require 'htauth/version'
-require 'htauth/error'
-require 'htauth/digest_file'
-require 'htauth/console'
+require 'htauth/cli'
 
 require 'ostruct'
 require 'optparse'

data/lib/htauth/cli/passwd.rb

@@ -1,6 +1,4 @@
-require 'htauth/error'
-require 'htauth/passwd_file'
-require 'htauth/console'
+require 'htauth/cli'
 
 require 'ostruct'
 require 'optparse'
@@ -44,8 +42,8 @@ module HTAuth
           @option_parser = OptionParser.new(nil, 16) do |op|
             op.banner = <<-EOB
 Usage:
-        #{op.program_name} [-cimBdpsD] [-C cost] passwordfile username
-        #{op.program_name} -b[cmBdpsD] [-C cost] passwordfile username password
+        #{op.program_name} [-acimBdpsD] [--verify] [-C cost] passwordfile username
+        #{op.program_name} -b[acmBdpsD] [--verify] [-C cost] passwordfile username password
 
         #{op.program_name} -n[imBdps] [-C cost] username
         #{op.program_name} -nb[mBdps] [-C cost] username password
@@ -53,7 +51,11 @@ Usage:
 
             op.separator ""
 
-            op.on("-b", "--batch", "Batch mode, get the password from the command line, rather than prompt") do |b|
+            op.on("--argon2", "Force argon2 encryption of the password.") do |a|
+              options.algorithm = Algorithm::ARGON2
+            end
+
+            op.on("-b", "--batch", "Batch mode, get the password from the command line, rather than prompt.") do |b|
               options.batch_mode = b
             end
 
@@ -118,7 +120,7 @@ Usage:
               options.show_version = v
             end
 
-            op.on("--verify", "Verify password for the specified user") do |v|
+            op.on("--verify", "Verify password for the specified user.") do |v|
               options.operation << :verify
             end
 

data/lib/htauth/cli.rb

@@ -1,8 +1,7 @@
 require 'htauth'
+require 'htauth/console'
 module HTAuth
   module CLI
 
   end
 end
-require 'htauth/cli/digest'
-require 'htauth/cli/passwd'

data/lib/htauth/digest_entry.rb

@@ -1,5 +1,6 @@
 require 'htauth/error'
 require 'htauth/entry'
+require 'htauth/algorithm'
 require 'digest/md5'
 
 module HTAuth

data/lib/htauth/passwd_entry.rb

@@ -62,7 +62,7 @@ module HTAuth
     # Internal: Create a new Entry with the given user, password, and algorithm
     def initialize(user, password = nil, alg = Algorithm::DEFAULT, alg_params = {} )
       @user      = user
-      alg = Algorithm::DEFAULT if alg == Algorithm::EXISTING 
+      alg = Algorithm::DEFAULT if alg == Algorithm::EXISTING
       @algorithm = Algorithm.algorithm_from_name(alg, alg_params)
       @digest    = calc_digest(password)
     end
@@ -106,25 +106,14 @@ module HTAuth
     end
 
     # Public: Check if the given password is the password of this entry
-    # check the password and make sure it works, in the case that the algorithm is unknown it
-    # tries all of the ones that it thinks it could be, and marks the algorithm if it matches
-    # when looking for a matche, we always compare all of them, no short
-    # circuiting
+    #
     def authenticated?(check_password)
-      authed = false
-      if algorithm.kind_of?(Bcrypt) then
-        bc = ::BCrypt::Password.new(digest)
-        authed = bc.is_password?(check_password)
-      else
-        encoded = algorithm.encode(check_password)
-        authed  = Algorithm.secure_compare(encoded, digest)
-      end
-      return authed
+      algorithm.verify_password?(check_password, @digest)
     end
 
     # Internal: Returns the key of this entry
     def key
-      return "#{user}"
+      "#{user}"
     end
 
     # Internal: Returns the file line for this entry

data/lib/htauth/passwd_file.rb

@@ -11,9 +11,9 @@ module HTAuth
   # Examples
   #
   #   ::HTAuth::PasswdFile.open("my.passwd") do |pf|
-  #     pf.has_entry?('myuser', 'myrealm')
-  #     pf.add_or_update('someuser', 'myrealm', 'a password')
-  #     pf.delete('someolduser', 'myotherrealm')
+  #     pf.has_entry?('myuser')
+  #     pf.add_or_update('someuser', 'a password')
+  #     pf.delete('someolduser')
   #   end
   #
   class PasswdFile < HTAuth::File
@@ -68,7 +68,7 @@ module HTAuth
     # username  - the username of the entry
     # password  - the password of the entry
     # algorithm - the algorithm to use (default: "md5"). Valid options are:
-    #             "md5", "bcrypt", "sha1", "plaintext", or "crypt"
+    #             "md5", "bcrypt", "argon2", "sha1", "plaintext", or "crypt"
     # algorithm_args - key-value pairs of arguments that are passed to the
     #                  algorithm, currently this is only used to pass the cost
     #                  to the bcrypt algorithm
@@ -96,7 +96,7 @@ module HTAuth
     # username  - the username of the entry
     # password  - the password of the entry
     # algorithm - the algorithm to use (default: "md5"). Valid options are:
-    #             "md5", "bcrypt", "sha1", "plaintext", or "crypt"
+    #             "md5", "bcrypt", "argon2", "sha1", "plaintext", or "crypt"
     # algorithm_args - key-value pairs of arguments that are passed to the
     #                  algorithm, currently this is only used to pass the cost
     #                  to the bcrypt algorithm
@@ -133,7 +133,7 @@ module HTAuth
     # username  - the username of the entry
     # password  - the password of the entry
     # algorithm - the algorithm to use (default: "existing"). Valid options are:
-    #             "existing", "md5", "bcrypt", "sha1", "plaintext", or "crypt"
+    #             "existing", "md5", "bcrypt", "argon2", "sha1", "plaintext", or "crypt"
     # algorithm_args - key-value pairs of arguments that are passed to the
     #                  algorithm, currently this is only used to pass the cost
     #                  to the bcrypt algorithm

data/lib/htauth/sha1.rb

@@ -16,7 +16,7 @@ module HTAuth
     end
 
     # ignore the params
-    def initialize(params = {}) 
+    def initialize(params = {})
     end
 
     def encode(password)

data/lib/htauth/version.rb

@@ -1,4 +1,4 @@
 module HTAuth
   # Public: The version of the htauth library
-  VERSION = "2.2.0"
+  VERSION = "2.3.0"
 end

data/lib/htauth.rb

@@ -30,7 +30,7 @@ end
 
 require 'htauth/version'
 require 'htauth/algorithm'
-require 'htauth/console'
+require 'htauth/argon2'
 require 'htauth/bcrypt'
 require 'htauth/crypt'
 require 'htauth/digest_entry'

data/spec/algorithm_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/algorithm'
 
 describe HTAuth::Algorithm do
   it "raises an error if it encouners an unknown algorithm" do

data/spec/argon2_spec.rb

@@ -0,0 +1,28 @@
+require 'spec_helper'
+require 'argon2'
+
+describe HTAuth::Argon2 do
+
+  it "decodes the hash back to the original options" do
+    hash    = '$argon2id$v=19$m=65536,t=3,p=4$V1ln1M4o1RS7SzWHAtqyWQ$jEHi1Qo2FSBgLAPpOa1mPx6OD/twtjj8M1AlVZwamPg'
+    options = HTAuth::Argon2.extract_options_from_existing_password_field(hash)
+    _(options).must_equal ::Argon2::Profiles[:rfc_9106_low_memory]
+  end
+
+  it "encrypts the same way that argon2 does by default" do
+    argon2 = HTAuth::Argon2.new
+    hash   = argon2.encode("a secret")
+    _(::Argon2::Password.verify_password('a secret', hash)).must_equal true
+  end
+
+  it "allow changing the parameters directly" do
+    hash    = '$argon2id$v=19$m=262144,t=3,p=4$7DRAuE1yIHPHqISmcyaJTg$M0EErpbxqv8dvrMrQMoGDEA7KQCw67jGdXwtCbRINFs'
+    options = HTAuth::Argon2.extract_options_from_existing_password_field(hash)
+
+    options[:m_cost] = 11
+
+    argon2     = HTAuth::Argon2.new(options)
+    local_hash = argon2.encode("a secret")
+    _(::Argon2::Password.verify_password('a secret', local_hash)).must_equal true
+  end
+end

data/spec/bcrypt_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/bcrypt'
 
 describe HTAuth::Bcrypt do
   it "encrypts the same way that apache does by default" do

data/spec/cli/passwd_spec.rb

@@ -129,7 +129,23 @@ describe HTAuth::CLI::Passwd do
       _(@stderr.string).must_match( /ERROR:/m )
       _(se.status).must_equal 1
     end
- 
+  end
+
+  it "creates a new file with one argon2 entry" do
+    begin
+      @stdin.puts "a secret"
+      @stdin.puts "a secret"
+      @stdin.rewind
+      @htauth.run([ "--argon", "-c", @new_file, "agatha" ])
+    rescue SystemExit => se
+      _(se.status).must_equal 0
+      l = IO.readlines(@new_file)
+      fields = l.first.split(':')
+      _(fields.first).must_equal "agatha"
+      argon2_hash = fields.last
+
+      _(::Argon2::Password.valid_hash?(argon2_hash)).wont_be_nil
+    end
   end
 
   it "does not verify the password from stdin on -i option" do

data/spec/crypt_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/crypt'
 
 describe HTAuth::Crypt do
   it "encrypts the same way that apache does" do

data/spec/digest_entry_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/digest_entry'
 
 describe HTAuth::DigestEntry do
   before(:each) do

data/spec/digest_file_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/digest_file'
 require 'tempfile'
 
 describe HTAuth::DigestFile do

data/spec/md5_spec.rb

@@ -1,6 +1,4 @@
-require File.join(File.dirname(__FILE__),"spec_helper.rb")
-
-require 'htauth/md5'
+require 'spec_helper'
 
 describe HTAuth::Md5 do
   it "encrypts the same way that apache does" do

data/spec/passwd_entry_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/passwd_entry'
 
 describe HTAuth::PasswdEntry do
   before(:each) do
@@ -32,6 +31,14 @@ describe HTAuth::PasswdEntry do
     _(bob.digest).must_equal "b secret"
   end
 
+  it "encypts correctly for argon2" do
+    # Don't do this in real life, do not pass in a salt, let the algorithm generate it internally
+    salt = ";L\xCDMRO\v\x13;\x012\x9B'\xEE\\i"
+    agatha = HTAuth::PasswdEntry.new("agatha","ag secret", "argon2", {salt_do_not_supply: salt} )
+    expected = "$argon2id$v=19$m=65536,t=3,p=4$O0zNTVJPCxM7ATKbJ+5caQ$e7wIsl7AY+uIbN+1StYOKkVCJhOrvX7BxAlQ+sPC+Nc"
+    _(agatha.digest).must_equal expected
+  end
+
   it "encrypts with crypt as a default, when parsed from crypt()'d line" do
     bob2 = HTAuth::PasswdEntry.from_line(@bob.to_s)
     _(bob2.algorithm).must_be_instance_of(HTAuth::Crypt)
@@ -97,6 +104,12 @@ describe HTAuth::PasswdEntry do
     _(s2.authenticated?("b secret")).must_equal true
   end
 
+  it "authenticates correctly against argon2" do
+    s = HTAuth::PasswdEntry.new("agatha", "ag secret", "argon2")
+    s2 = HTAuth::PasswdEntry.from_line(s.to_s)
+    _(s2.authenticated?("ag secret")).must_equal true
+  end
+
   it "can update the cost of an entry after initialization before encoding password" do
     s = HTAuth::PasswdEntry.new("brenda", "b secret", "bcrypt")
     _(s.algorithm.cost).must_equal(::HTAuth::Bcrypt::DEFAULT_APACHE_COST)
@@ -108,7 +121,7 @@ describe HTAuth::PasswdEntry do
     _(s2.algorithm.cost).must_equal(12)
   end
 
-  it "raises an error if assinging an invalid algorithm" do
+  it "raises an error if assigning an invalid algorithm" do
     b = HTAuth::PasswdEntry.new("brenda", "b secret", "bcrypt")
     _ { b.algorithm = 42 }.must_raise(HTAuth::InvalidAlgorithmError)
   end

data/spec/sha1_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'htauth/sha1'
 
 describe HTAuth::Sha1 do
   it "encrypts the same way that apache does" do

data/spec/spec_helper.rb

@@ -1,10 +1,6 @@
-if RUBY_VERSION >= '1.9.2' then
-  require 'simplecov'
-  puts "Using coverage!"
-  SimpleCov.start if ENV['COVERAGE']
-end
+require 'simplecov'
+SimpleCov.start if ENV['COVERAGE']
 
-gem 'minitest'
 require 'minitest/autorun'
 require 'minitest/pride'
 
@@ -26,3 +22,4 @@ class ConsoleIO < StringIO
     yield self
   end
 end
+require 'htauth'

data/tasks/default.rake

@@ -36,11 +36,13 @@ task :develop => "develop:default"
 # Minitest - standard TestTask
 #------------------------------------------------------------------------------
 begin
-  require 'rake/testtask'
-  Rake::TestTask.new( :test ) do |t|
-    t.ruby_opts    = %w[ -w ]
-    t.libs         = %w[ lib spec test ]
-    t.pattern      = "{test,spec}/**/{test_*,*_spec}.rb"
+  require 'minitest/test_task'
+  Minitest::TestTask.create( :test) do |t|
+    t.libs << "lib"
+    t.libs << "spec"
+    t.libs << "test"
+    t.warning = true
+    t.test_globs = "{test,spec}/**/{test_*,*_spec}.rb"
   end
 
   task :test_requirements
@@ -143,14 +145,20 @@ namespace :fixme do
   end
 
   def local_fixme_files
-    This.manifest.select { |p| p =~ %r|^tasks/| }
+    local_files = This.manifest.select { |p| p =~ %r|^tasks/| }
+    local_files << ".semaphore/semaphore.yml"
   end
 
   def outdated_fixme_files
     local_fixme_files.select do |local|
       upstream     = fixme_project_path( local )
-      upstream.exist? &&
-        ( Digest::SHA256.file( local ) != Digest::SHA256.file( upstream ) )
+      if upstream.exist? then
+        if File.exist?( local ) then
+          ( Digest::SHA256.file( local ) != Digest::SHA256.file( upstream ) )
+        else
+          true
+        end
+      end
     end
   end
 
@@ -201,7 +209,7 @@ task :gemspec do
 end
 
 # .rbc files from ruby 2.0
-CLOBBER << FileList["**/*.rbc"]
+CLOBBER << "**/*.rbc"
 
 # The standard gem packaging task, everyone has it.
 require 'rubygems/package_task'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: htauth
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.3.0
 platform: ruby
 authors:
 - Jeremy Hinegardner
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-06 00:00:00.000000000 Z
+date: 2024-02-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -24,79 +24,106 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: argon2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13.0'
+        version: '13.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13.0'
+        version: '13.1'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.11'
+        version: '5.21'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.11'
+        version: '5.21'
 - !ruby/object:Gem::Dependency
   name: minitest-junit
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.4'
+        version: '6.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.4'
+        version: '6.6'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.17'
+        version: '0.21'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.17'
-description: HTAuth is a pure ruby replacement for the Apache support programs htdigest
-  and htpasswd.  Command line and API access are provided for access to htdigest and
-  htpasswd files.
+        version: '0.21'
+description: HTAuth provides an API and commandline tools for managing Apache/httpd
+  style htpasswd and htdigest files.
 email: jeremy@copiousfreetime.org
 executables:
 - htdigest-ruby
@@ -118,6 +145,7 @@ files:
 - bin/htpasswd-ruby
 - lib/htauth.rb
 - lib/htauth/algorithm.rb
+- lib/htauth/argon2.rb
 - lib/htauth/bcrypt.rb
 - lib/htauth/cli.rb
 - lib/htauth/cli/digest.rb
@@ -137,6 +165,7 @@ files:
 - lib/htauth/sha1.rb
 - lib/htauth/version.rb
 - spec/algorithm_spec.rb
+- spec/argon2_spec.rb
 - spec/bcrypt_spec.rb
 - spec/cli/digest_spec.rb
 - spec/cli/passwd_spec.rb
@@ -186,14 +215,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.6
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
-summary: HTAuth is a pure ruby replacement for the Apache support programs htdigest
-  and htpasswd.  Command line and API access are provided for access to htdigest and
-  htpasswd files.
+summary: HTAuth provides an API and commandline tools for managing Apache/httpd style
+  htpasswd and htdigest files.
 test_files:
 - spec/algorithm_spec.rb
+- spec/argon2_spec.rb
 - spec/bcrypt_spec.rb
 - spec/cli/digest_spec.rb
 - spec/cli/passwd_spec.rb