nacl_password 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: cab426388ecd1f11ff9f5832d6b5fe75a56e8e249eaec25c136c86bba89c6dc5
+  data.tar.gz: 9aa167457870e442f30550f1811979a8a78140979c7a01f1d86c50e3312219da
+SHA512:
+  metadata.gz: 544e6b5af9ca3af49950858ba5844b08ec64784794a8988ddbc5709827a6a54b5b86f67845ff1bf350c10aa41864355f71d59b41bb9b9532ab4146e09dbacb22
+  data.tar.gz: c2080b635da0588db6206fb4f5922c6f2f32ddb9c71d80e202640d0599aa92d4085d4f4a40e652b06e68501291fe9e5acda9cda15a6ca87aff907acece00c604

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2020 Sampson Crowley
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,28 @@
+# NaClPassword
+Short description and motivation.
+
+## Usage
+How to use my plugin.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'nacl_password'
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install nacl_password
+```
+
+## Contributing
+Contribution directions go here.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/lib/nacl_password.rb

@@ -0,0 +1,190 @@
+# encoding: utf-8
+# frozen_string_literal: true
+
+require 'coerce_boolean'
+
+module NaClPassword
+  INVALID_OPTION_MESSAGE = "predefined options are :min, :interactive, :moderate, :sensitive, and :max"
+  UNCOERCEABLE_OPTION_MESSAGE = "value must be coercable to an integer or one of the predefined options (:min | :interactive | :moderate | :sensitive | :max)"
+
+  # Load rbnacl gem only when nacl_password is used. This is to avoid
+  # the entire app using this gem being dependent on a binary library.
+  def self.load_gem
+    require "rbnacl"
+  rescue LoadError, NameError
+    $stderr.puts <<-ERROR
+      You don't have rbnacl installed in your application.
+      Please add it to your Gemfile and run bundle install
+    ERROR
+
+    raise
+  end
+
+  # The Argon2 hash function can handle maximum 2^32 bytes, but system available
+  # memory probably cannot.
+  # A password of length 1024 bytes is way more than any user would ever need.
+  # Put a restriction on password length that keeps memory usage in the available
+  # range, but is more than anyone would ever need.
+  # other defaults are tested ranges of functional values for libsodium that
+  # allow maximum possible security without crashing the system
+  def self.setup
+    load_gem
+    ::NaClPassword::Argon2              ||= RbNaCl::PasswordHash::Argon2
+    ::NaClPassword::MAX_PASSWORD_LENGTH ||= 1024
+    ::NaClPassword::OPS_LIMIT_RANGE     ||= 3..20
+    ::NaClPassword::MEM_LIMIT_RANGE     ||= (2**25)..(2**32) #32 MB - 4 GB
+    ::NaClPassword::DIGEST_SIZE_RANGE   ||= 64..512
+    self
+  end
+
+  def self.const_missing(name)
+    NaClPassword.setup
+    if const_defined?(name)
+      const_get(name)
+    else
+      super
+    end
+  end
+
+  class << self
+    attr_reader :ops_limit # :nodoc:
+    attr_reader :mem_limit # :nodoc:
+    attr_reader :digest_size # :nodoc:
+
+    def ops_limit=(value)
+      @ops_limit = get_ops_limit(value)
+    end
+
+    def mem_limit=(value)
+      @mem_limit = get_mem_limit(value)
+    end
+
+    def digest_size=(value)
+      @digest_size = get_digest_size(value)
+      digest_size
+    end
+
+    def generate(password)
+      salt = RbNaCl::Random.random_bytes(Argon2::SALTBYTES)
+      ops = get_ops_limit
+      mem = get_mem_limit
+      size = get_digest_size
+      "#{
+        Base64.strict_encode64(encrypt(password, salt, ops, mem, size))
+      }.#{
+        Base64.strict_encode64(salt)
+      }.#{
+        ops
+      }.#{
+        mem
+      }.#{
+        size
+      }"
+    end
+
+    def authenticate(encoded, password)
+      digest, *metadata = decode(encoded)
+      RbNaCl::PasswordHash.argon2id(password, *metadata) == digest
+    end
+
+    def self.const_missing(name)
+      NaClPassword.const_missing(name)
+    end
+
+    private
+      def encrypt(...)
+        RbNaCl::PasswordHash.argon2id(...)
+      end
+
+      def decode(encoded)
+        digest_64, salt_64, ops, mem, size = encoded.split(".")
+        digest = Base64.strict_decode64(digest_64)
+        salt = Base64.strict_decode64(salt_64)
+        ops  = get_ops_limit(ops)
+        mem  = get_mem_limit(mem)
+        size = get_digest_size(size)
+        [ digest, salt, ops, mem, size ]
+      end
+
+      def get_ops_limit(ops = NaClPassword.ops_limit)
+        ops = :moderate unless CoerceBoolean.from(ops)
+
+        case ops
+        when :min         then OPS_LIMIT_RANGE.min
+        when :interactive then 5
+        when :moderate    then 10
+        when :sensitive   then 15
+        when :max         then OPS_LIMIT_RANGE.max
+        when Symbol
+          raise ArgumentError, INVALID_OPTION_MESSAGE
+        else
+          case ops = ops.to_i
+          when OPS_LIMIT_RANGE then ops
+          else
+            raise \
+              ArgumentError,
+              "ops_limit must be within the range #{OPS_LIMIT_RANGE}"
+          end
+        end
+      rescue NoMethodError
+        raise ArgumentError, UNCOERCEABLE_OPTION_MESSAGE
+      end
+
+      def get_mem_limit(mem = NaClPassword.mem_limit)
+        mem = :moderate unless CoerceBoolean.from(mem)
+
+        case mem
+        when :min         then MEM_LIMIT_RANGE.min # 32mb
+        when :interactive then (2**26)             # 64mb
+        when :moderate    then (2**28)             # 256mb
+        when :sensitive   then (2**30)             # 1024mb
+        when :max         then MEM_LIMIT_RANGE.max # 4096mb
+        when Symbol
+          raise ArgumentError, INVALID_OPTION_MESSAGE
+        else
+          case mem = mem.to_i
+          when MEM_LIMIT_RANGE then mem
+          else
+            raise \
+              ArgumentError,
+              "mem_limit must be within the range #{MEM_LIMIT_RANGE}"
+          end
+        end
+      rescue NoMethodError
+        raise ArgumentError, UNCOERCEABLE_OPTION_MESSAGE
+      end
+
+      def get_digest_size(size = NaClPassword.digest_size)
+        size = :moderate unless CoerceBoolean.from(size)
+
+        case size
+        when :min         then DIGEST_SIZE_RANGE.min
+        when :interactive then DIGEST_SIZE_RANGE.min * 2
+        when :moderate    then DIGEST_SIZE_RANGE.min * 4
+        when :sensitive   then DIGEST_SIZE_RANGE.min * 8
+        when :max         then DIGEST_SIZE_RANGE.max
+        when Symbol
+          raise ArgumentError, INVALID_OPTION_MESSAGE
+        else
+          case size = size.to_i
+          when DIGEST_SIZE_RANGE
+            unless size % 64 == 0
+              raise ArgumentError, "digest_size must be a multiple of 64"
+            end
+
+            size
+          else
+            raise ArgumentError, "digest_size must be within the range #{DIGEST_SIZE_RANGE}"
+          end
+        end
+      rescue NoMethodError
+        raise ArgumentError, UNCOERCEABLE_OPTION_MESSAGE
+      end
+  end
+
+  self.ops_limit   = :moderate
+  self.mem_limit   = :moderate
+  self.digest_size = :moderate
+end
+
+require "nacl_password/railtie" if defined? Rails

data/lib/nacl_password/concern.rb

@@ -0,0 +1,190 @@
+# encoding: utf-8
+# frozen_string_literal: true
+
+require 'nacl_password'
+
+module NaClPassword
+  module Concern
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      # Adds methods to set and authenticate against a Argon2 password.
+      # This mechanism requires you to have a +XXX_digest+ attribute.
+      # Where +XXX+ is the attribute name of your desired password.
+      # the +digest+ attribute to use can be set by passing
+      # `digest_attribute: non_standard_attribute` to `nacl_password`
+      #
+      # The following validations are added automatically:
+      # * Password must be present on creation
+      # * Password length should be less than or equal to 1024 bytes
+      # * Confirmation of password (using a +XXX_confirmation+ attribute)
+      #
+      # If confirmation validation is not needed, simply leave out the
+      # value for +XXX_confirmation+ (i.e. don't provide a form field for
+      # it). When this attribute has a +nil+ value, the validation will not be
+      # triggered.
+      #
+      # It is also possible to suppress the default validations completely by
+      # passing skip_validations: true as an argument.
+      #
+      # Add rbnacl (~> 7.1) to Gemfile to use #nacl_password:
+      #
+      #   gem "rbnacl", "~> 7.1"
+      #
+      # Example:
+      #
+      #   # Schema: User(name:string, password_digest:string, recovery_password_digest:string)
+      #   class User < ActiveRecord::Base
+      #     include NaClPassword::Concern
+      #     nacl_password
+      #     nacl_password :recovery_password, validations: false
+      #   end
+      #
+      #   user = User.new(name: 'david', password: '', password_confirmation: 'nomatch')
+      #   user.save                                                  # => false, password required
+      #   user.password = 'mUc3m00RsqyRe'
+      #   user.save                                                  # => false, confirmation doesn't match
+      #   user.password_confirmation = 'mUc3m00RsqyRe'
+      #   user.save                                                  # => true
+      #   user.recovery_password = "42password"
+      #   user.recovery_password_digest                              # => "$2a$04$iOfhwahFymCs5weB3BNH/uXkTG65HR.qpW.bNhEjFP3ftli3o5DQC"
+      #   user.save                                                  # => true
+      #   user.authenticate('notright')                              # => false
+      #   user.authenticate('mUc3m00RsqyRe')                         # => user
+      #   user.authenticate_recovery_password('42password')          # => user
+      #   User.find_by(name: 'david')&.authenticate('notright')      # => false
+      #   User.find_by(name: 'david')&.authenticate('mUc3m00RsqyRe') # => user
+      def nacl_password(attribute = :password, digest_attribute: nil, **opts)
+        NaClPassword.setup
+
+        digest_attribute ||= "#{attribute}_digest"
+
+        attribute = attribute.to_sym
+        digest_attribute = digest_attribute.to_sym
+
+        if digest_attribute.to_s == attribute.to_s
+          raise ArgumentError, "Digest Attribute Name can't be the same as Password Attribute Name"
+        end
+
+        skip_validations =
+          CoerceBoolean.from(opts[:skip_validations]) &&
+          (opts[:skip_validations] != :blank)
+
+        length_options =
+          skip_validations ? {} :
+            { maximum: NaClPassword::MAX_PASSWORD_LENGTH }.
+            merge(
+              opts[:min_length] == :none \
+                ? {} \
+                : { minimum: opts[:min_length].presence&.to_i || 8 }
+            )
+
+
+        include InstanceMethodsOnActivation.new(attribute.to_sym, digest_attribute, **length_options)
+
+        unless skip_validations
+          include ActiveModel::Validations
+
+          # This ensures the model has a password by checking whether the password_digest
+          # is present, so that this works with both new and existing records. However,
+          # when there is an error, the message is added to the password attribute instead
+          # so that the error message will make sense to the end-user.
+          unless opts[:skip_validations] == :blank
+            validate do |record|
+              unless record.__send__(digest_attribute).present?
+                record.errors.add(attribute, :blank)
+              end
+            end
+          end
+
+          validates_length_of attribute, **length_options, allow_blank: true
+
+          validates_confirmation_of attribute, allow_blank: true
+        end
+      end
+    end
+
+    class InstanceMethodsOnActivation < Module
+      def initialize(attribute, digest_attribute, **attribute_opts)
+        # == Constants ============================================================
+        confirmation_var = "@#{attribute}_confirmation"
+
+        # == Attributes ===========================================================
+        attr_reader attribute
+
+        define_method("#{attribute}=") do |given_password|
+          instance_variable_set("@#{attribute}", given_password.presence)
+
+          if given_password.nil? || given_password.empty?
+            self.__send__("#{digest_attribute}=", nil)
+          else
+            self.__send__(
+              "#{digest_attribute}=",
+              NaClPassword.generate(given_password)
+            )
+          end
+        end
+
+        define_method("#{attribute}_confirmation=") do |given_password|
+          instance_variable_set(confirmation_var, given_password)
+        end
+
+        # == Boolean Methods ======================================================
+        define_method("#{attribute}_length_valid?") do
+          value = self.__send__(attribute)
+          invalid = false
+
+          if attribute_opts[:maximum].present?
+            invalid ||= (value.length > attribute_opts[:maximum])
+          end
+
+          if attribute_opts[:minimum].present?
+            invalid ||= (value.length < attribute_opts[:minimum])
+          end
+
+          !invalid
+        end
+
+        define_method("#{attribute}_confirmed?") do
+          self.__send__(attribute) == self.instance_variable_get(confirmation_var)
+        end
+
+        define_method("#{attribute}_ready?") do |require_confirmation = false|
+          value = self.__send__(attribute)
+          if value.nil? || value.empty?
+            self.__send__("#{digest_attribute}").present?
+          else
+            confirmation = self.instance_variable_get(confirmation_var)
+            if !require_confirmation && (confirmation.nil? || confirmation.empty?)
+              self.__send__("#{attribute}_length_valid?")
+            else
+              self.__send__("#{attribute}_confirmed?") \
+              && self.__send__("#{attribute}_length_valid?")
+            end
+          end
+        end
+
+        # == Instance Methods =====================================================
+
+        # Returns +self+ if the password is correct, otherwise +nil+.
+        #
+        #   class User < ActiveRecord::Base
+        #     nacl_password validations: false
+        #   end
+        #
+        #   user = User.new(name: 'david', password: 'mUc3m00RsqyRe')
+        #   user.save
+        #   user.authenticate_password('mUc3m00RsqyRe') # => user
+        #   user.authenticate_password('notright')      # => nil
+        define_method("authenticate_#{attribute}") do |given_password|
+          return nil unless attribute_digest = __send__(digest_attribute)
+          if NaClPassword.authenticate(attribute_digest, given_password)
+            self
+          end
+        end
+
+        alias_method :authenticate, :authenticate_password if attribute == :password
+      end
+    end
+  end
+end

data/lib/nacl_password/railtie.rb

@@ -0,0 +1,10 @@
+module NaClPassword
+  class Railtie < ::Rails::Railtie
+    initializer 'nacl_password.include_concern' do
+      ActiveSupport.on_load(:active_record) do
+        require 'nacl_password/concern'
+        ActiveRecord::Base.send :include, NaClPassword::Concern
+      end
+    end
+  end
+end

data/lib/nacl_password/version.rb

@@ -0,0 +1,3 @@
+module NaClPassword
+  VERSION = '0.1.0'
+end

data/lib/tasks/nacl_password_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :nacl_password do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,115 @@
+--- !ruby/object:Gem::Specification
+name: nacl_password
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Sampson Crowley
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-04-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: coerce_boolean
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.1'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.0.2.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.0.2.2
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |2
+      Easier encryption and decryption with libsodium while remaining configurable
+      with validated options. Also includes a concern for a "has_secure_password"
+      style one-line setup
+email:
+- sampsonsprojects@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- lib/nacl_password.rb
+- lib/nacl_password/concern.rb
+- lib/nacl_password/railtie.rb
+- lib/nacl_password/version.rb
+- lib/tasks/nacl_password_tasks.rake
+homepage: https://github.com/SampsonCrowley/nacl_password
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: RbNaCl on Rails
+test_files: []