net-sasl 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 808eb424556d20a21234ed67c852cf7f664c3964b98109ff0180ab16aea19da1
+  data.tar.gz: 302b360c9e02f77d72d3f3daf9124444df70ee73c51d489a116b8eb87c1ab720
+SHA512:
+  metadata.gz: c1747077cf7bbd3d16a248491b4143ef6e6e33e347a9c8c35025c803079b42077584ebf46df977103599d1d7d84b5d9c5f3a5bb0f5ab4d4e68278bc9fdc422d2
+  data.tar.gz: 453cc6578665f03b5f4dce9d9fcd039caee5e0f5238ec3fc499c566d5357b0ee8f5c2d5d0074e06597d81705585b5a2a65a7c8356856356f301617e6a601c6b4

data/.github/workflows/main.yml

@@ -0,0 +1,23 @@
+name: Ruby
+
+on: [push,pull_request]
+
+jobs:
+  build:
+    name: build (${{ matrix.ruby }} / ${{ matrix.os }})
+    strategy:
+      matrix:
+        ruby: [ '3.0', 2.7, 2.6, 2.5, head ]
+        os: [ ubuntu-latest, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install
+    - name: Run the default task (tests, rubocop, etc)
+      run: bundle exec rake

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+Gemfile.lock

data/.rubocop.yml

@@ -0,0 +1,198 @@
+inherit_mode:
+  merge:
+    - Exclude
+
+AllCops:
+  TargetRubyVersion: 2.5
+  NewCops: disable
+  Exclude:
+    - bin/rake
+    - bin/rspec
+    - bin/rubocop
+
+###########################################################################
+# rubocop defaults are distractingly WRONG about many rules... Sorry. :(
+
+###########################################################################
+# Layout: Alignment.  I want these to work, I really do...
+
+# I wish this worked with "table". but that goes wrong sometimes.
+Layout/HashAlignment: { Enabled: false }
+
+# This needs to be configurable so parenthesis calls are aligned with first
+# parameter, and non-parenthesis calls are aligned with fixed indentation.
+Layout/ParameterAlignment: { Enabled: false }
+
+###########################################################################
+# Layout: Empty lines
+
+Layout/EmptyLineAfterGuardClause:                 { Enabled: false }
+Layout/EmptyLineAfterMagicComment:                { Enabled: true }
+Layout/EmptyLineAfterMultilineCondition:          { Enabled: false }
+Layout/EmptyLines:                                { Enabled: true }
+Layout/EmptyLinesAroundAccessModifier:            { Enabled: true }
+Layout/EmptyLinesAroundArguments:                 { Enabled: true }
+Layout/EmptyLinesAroundBeginBody:                 { Enabled: true }
+Layout/EmptyLinesAroundBlockBody:                 { Enabled: false }
+Layout/EmptyLinesAroundExceptionHandlingKeywords: { Enabled: true }
+Layout/EmptyLinesAroundMethodBody:                { Enabled: true }
+
+Layout/EmptyLineBetweenDefs:
+  Enabled: true
+  AllowAdjacentOneLineDefs: true
+
+Layout/EmptyLinesAroundAttributeAccessor:
+  inherit_mode:
+    merge:
+      - Exclude
+      - AllowedMethods
+  Enabled: true
+  AllowedMethods:
+    - delegate
+    - def_delegator
+    - def_delegators
+    - def_instance_delegators
+
+# "empty_lines_special" sometimes does the wrong thing and annoys me.
+# I'd almost learned to live with it... almost. 🙁
+
+Layout/EmptyLinesAroundClassBody:
+  Enabled: false
+  EnforcedStyle: empty_lines_special
+
+Layout/EmptyLinesAroundModuleBody:
+  Enabled: false
+  EnforcedStyle: empty_lines_special
+
+###########################################################################
+# Layout: Space around, before, inside, etc
+
+Layout/SpaceAroundEqualsInParameterDefault: { Enabled: false }
+Layout/SpaceBeforeBlockBraces:              { Enabled: false }
+Layout/SpaceBeforeFirstArg:                 { Enabled: false }
+Layout/SpaceInLambdaLiteral:                { Enabled: false }
+Layout/SpaceInsideArrayLiteralBrackets:     { Enabled: false }
+Layout/SpaceInsideHashLiteralBraces:        { Enabled: false }
+
+Layout/SpaceInsideBlockBraces:
+  EnforcedStyle: space
+  EnforcedStyleForEmptyBraces: space
+  SpaceBeforeBlockParameters: false
+
+# I would enable this if it were handled alignment better
+Layout/ExtraSpacing:
+  Enabled: false
+  AllowForAlignment: true
+  AllowBeforeTrailingComments: true
+
+###########################################################################
+# Layout: Misc
+
+Layout/LineLength:
+  Max: 90 # should stay under 80, but we'll allow a little wiggle-room
+
+Layout/MultilineOperationIndentation: { Enabled: false }
+
+Layout/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
+
+###########################################################################
+# Lint and Naming: rubocop defaults are mostly good, but...
+
+Lint/UnusedMethodArgument: { Enabled: false }
+Naming/BinaryOperatorParameterName: { Enabled: false } # def /(denominator)
+Naming/RescuedExceptionsVariableName: { Enabled: false }
+
+###########################################################################
+# Matrics:
+
+Metrics/CyclomaticComplexity:
+  Max: 10
+
+Metrics/BlockLength:
+  CountAsOne:
+    - array
+    - hash
+    - heredoc
+
+Metrics/ClassLength:
+  Max: 200
+  CountAsOne:
+    - array
+    - hash
+    - heredoc
+
+###########################################################################
+# Style...
+
+Style/AccessorGrouping:        { Enabled: false }
+Style/AsciiComments:           { Enabled: false } # 👮 can't stop our 🎉🥳🎊🥳!
+Style/ClassAndModuleChildren:  { Enabled: false }
+Style/EachWithObject:          { Enabled: false }
+Style/FormatStringToken:       { Enabled: false }
+Style/FloatDivision:           { Enabled: false }
+Style/GuardClause:             { Enabled: false } # usually nice to do, but...
+Style/IfUnlessModifier:        { Enabled: false }
+Style/IfWithSemicolon:         { Enabled: false }
+Style/Lambda:                  { Enabled: false }
+Style/LineEndConcatenation:    { Enabled: false }
+Style/MixinGrouping:           { Enabled: false }
+Style/MultilineBlockChain:     { Enabled: false }
+Style/NumericPredicate:        { Enabled: false } # usually nice to do, but...
+Style/ParallelAssignment:      { Enabled: false } # use occasionally/sparingly
+Style/PerlBackrefs:            { Enabled: false } # use occasionally/sparingly
+Style/RescueStandardError:     { Enabled: false }
+Style/Semicolon:               { Enabled: false }
+Style/SingleLineMethods:       { Enabled: false }
+Style/StabbyLambdaParentheses: { Enabled: false }
+Style/WhenThen               : { Enabled: false }
+
+# I require trailing commas elsewhere, but these are optional
+Style/TrailingCommaInArguments: { Enabled: false }
+
+# If rubocop had an option to only enforce this on constants and literals (e.g.
+# strings, regexp, range), I'd agree.
+#
+# But if you are using it e.g. on method arguments of unknown type, in the same
+# style that ruby uses it with grep, then you are doing exactly the right thing.
+Style/CaseEquality: { Enabled: false }
+
+# I'd enable if "require_parentheses_when_complex" considered unary '!' simple.
+Style/TernaryParentheses:
+  EnforcedStyle: require_parentheses_when_complex
+  Enabled: false
+
+Style/BlockDelimiters:
+  inherit_mode:
+    merge:
+      - Exclude
+      - ProceduralMethods
+      - IgnoredMethods
+      - FunctionalMethods
+  EnforcedStyle: semantic
+  AllowBracesOnProceduralOneLiners: true
+  IgnoredMethods:
+    - expect  # rspec
+    - profile # ruby-prof
+    - ips     # benchmark-ips
+
+
+Style/FormatString:
+  EnforcedStyle: percent
+
+Style/StringLiterals:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+Style/StringLiteralsInInterpolation:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: consistent_comma
+
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: consistent_comma
+
+Style/YodaCondition:
+  EnforcedStyle: forbid_for_equality_operators_only

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2021-04-30
+
+- Initial release

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,84 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at nicholas.evans@gmail.com. All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior,  harassment of an individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0,
+available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.

data/Gemfile

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in net-sasl.gemspec
+gemspec
+
+gem "rake", "~> 13.0"
+
+gem "test-unit", "~> 3.0"
+
+gem "rubocop", "~> 1.7"
+gem "rubocop-rake"

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 nicholas a. evans
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,58 @@
+# Net::SASL
+
+Pluggable mechanisms to support protocols which use SASL.
+
+Originally written for Net::IMAP by Shugo Maeda, and extracted to this library
+by Nicholas Evans.
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'net-sasl'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install net-sasl
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run
+`rake test-unit` to run the tests. You can also run `bin/console` for an
+interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To
+release a new version, update the version number in `version.rb`, and then run
+`bundle exec rake release`, which will create a git tag for the version, push
+git commits and the created tag, and push the `.gem` file to
+[rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at
+https://github.com/nevans/net-sasl. This project is intended to be a safe,
+welcoming space for collaboration, and contributors are expected to adhere to
+the [code of
+conduct](https://github.com/nevans/net-sasl/blob/master/CODE_OF_CONDUCT.md).
+
+## License
+
+The gem is available as open source under the terms of the [MIT
+License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the Net::SASL project's codebases, issue trackers, chat
+rooms and mailing lists is expected to follow the [code of
+conduct](https://github.com/nevans/net-sasl/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
+
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
+
+task default: %i[test rubocop]

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "net/sasl"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/net/sasl.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require_relative "sasl/version"
+require_relative "sasl/registry"
+require_relative "sasl/authenticator"
+require_relative "sasl/cram_md5_authenticator"
+require_relative "sasl/digest_md5_authenticator"
+require_relative "sasl/login_authenticator"
+require_relative "sasl/plain_authenticator"
+
+module Net
+
+  # Pluggable authentication mechanisms for protocols which support SASL (Simple
+  # Authentication and Security Layer), such as IMAP4, SMTP, LDAP, and XMPP.
+  # SASL is described by RFC4422[https://tools.ietf.org/html/rfc4422]: "SASL is
+  # conceptually a framework that provides an abstraction layer between
+  # protocols and mechanisms as illustrated in the following diagram."
+  #
+  #               SMTP    LDAP    XMPP   Other protocols ...
+  #                  \       |    |      /
+  #                   \      |    |     /
+  #                  SASL abstraction layer
+  #                   /      |    |     \
+  #                  /       |    |      \
+  #           EXTERNAL   GSSAPI  PLAIN   Other mechanisms ...
+  #
+  # This library was originally implemented for Net::IMAP, and has been
+  # extracted from there.
+  module SASL
+
+    # Superclass of SASL errors.
+    class Error < StandardError
+    end
+
+    # Error raised when data is in the incorrect format.
+    class DataFormatError < Error
+    end
+
+    # Error raised when a challnge from the server is non-parseable or the
+    # mechanism implementation is unable to respond
+    class ChallengeParseError < Error
+    end
+
+    # Adds an authenticator to the global registry, for use with
+    # Net::SASL.authenticator.  See Net::SASL::Registry#add_authenticator.
+    def self.add_authenticator(mechanism, authenticator)
+      DEFAULT_REGISTRY.add_authenticator(mechanism, authenticator)
+    end
+
+    # Builds an authenticator in its initial state, based on +mechanism+ name.
+    # Any additional arguments will be passed directly to the chosen
+    # authenticator's +#new+ method.  See Net::SASL::Registry#authenticator.
+    def self.authenticator(mechanism, *args, **kwargs)
+      DEFAULT_REGISTRY.authenticator(mechanism, *args, **kwargs)
+    end
+
+    # The default global registry used by Net::SASL.authenticator
+    DEFAULT_REGISTRY = Registry.new
+
+    add_authenticator "PLAIN",      PlainAuthenticator
+    add_authenticator "LOGIN",      LoginAuthenticator
+    add_authenticator "DIGEST-MD5", DigestMD5Authenticator
+    add_authenticator "CRAM-MD5",   CramMD5Authenticator
+
+  end
+
+end

data/lib/net/sasl/authenticator.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+module Net
+
+  module SASL
+
+    # A base class to use for SASL authenticators.
+    class Authenticator
+
+      # Creates a new authenticator.
+      #
+      # Each specific mechanism determines how the arguments are interpreted—see
+      # each mechanisms' documentation for details.  Whenever it's reasonable,
+      # mechanisms should support the standard positional and keyword arguments
+      # and ignore any irrelevant or unknown arguments.
+      #
+      # === Standard arguments
+      #
+      # * +authcid+: the authentication identity, the identity associated with
+      #   the authentication credentials. This is usually a +username+.
+      # * +credentials+: the authentication credentials, e.g. a +password+ or a
+      #   secret bearer token.  Some mechanisms may not require an explicit
+      #   +authcid+ if it is encoded inside the authentication credentials.
+      # * +authzid+: the authorization identity, an identity to act as or on
+      #   behalf of.  If this is is not given (or is left blank), the server
+      #   will derive an authorization identity from the authentication
+      #   credentials, usually the same as the authentication identity.
+      #
+      # The server is responsible for verifying the client's credentials and
+      # verifying that the identity it associates with the client's credentials
+      # (e.g., the authentication identity) is allowed to act as the
+      # authorization identity.  The precise form(s) of identities and
+      # credentials may be dictated by the mechanism and by the server.
+      #
+      # === Standard options
+      #
+      # * +host+: the server hostname which is being connected to
+      # * +port+: the server port being connected to
+      # * +realm+: some mechanisms use "realms" or "domains" to segment
+      #   authentication identities. This is protocol dependant and it might be
+      #   the same as +host+.
+      #
+      def initialize(authcid = nil, credentials = nil, authzid = nil, **_options)
+        @username = authcid
+        @password = credentials
+        @authzid  = authzid
+      end
+
+      # Does this mechanism support sending an initial response via SASL-IR?
+      def supports_initial_response?
+        false
+      end
+
+      # Process a +challenge+ string from the server and return the response.
+      # This method should be sent an unencoded challenge and return an
+      # unencoded response. The client is responsible for receiving and decoding
+      # the challenge, according the the specification of the specific protocol,
+      # e.g. IMAP4 base64 encodes challenges and responses.
+      #
+      # A nil +challenge+ will be sent to get the initial responses, when
+      # that is supported by the mechanism (#supports_initial_response? returns
+      # true) and by the protocol.
+      #
+      # Calling #process when #done? returns true has undefined behavior: it may
+      # raise an excepion, return the previous response again, or raise an
+      # exception.
+      def process(challenge)
+        raise NotImplementedError, "implemented by SASL mechanism subclasses"
+      end
+
+      # Has the authenticator finished?  If so, then clients must not call
+      # #process again.  This is so clients can know authentication is supposed
+      # to have been completed, without needing to call #process and handle an
+      # exception there.
+      def done?
+        false
+      end
+
+    end
+
+  end
+end

data/lib/net/sasl/cram_md5_authenticator.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require "digest/md5"
+
+module Net
+
+  module SASL
+
+    # Authenticator for the "+CRAM-MD5+" SASL mechanism, specified in
+    # RFC2195[https://tools.ietf.org/html/rfc2195].
+    #
+    # == Deprecated
+    #
+    # +CRAM-MD5+ is obsolete. It is included for compatibility with existing
+    # servers.
+    # {draft-ietf-sasl-crammd5-to-historic}[https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00.html]
+    # recommends using +SCRAM-*+ or +PLAIN+ protected by TLS instead.
+    class CramMD5Authenticator < Authenticator
+
+      attr_reader :username, :password, :done
+
+      alias done? done
+      private :done
+
+      # Provide the +username+ and +password+ credentials for authentication.
+      #
+      # CRAM-MD5 doesn't support +authzid+, and an ArgumentError will be raised
+      # if a third positional parameter is passed.
+      #
+      # This should generally be instantiated via Net::SASL.authenticator.
+      def initialize(username, password, **_options)
+        super
+        @username = username
+        @password = password
+        @done = false
+      end
+
+      # responds to the server's challenge using the HMAC-MD5 algorithm.
+      def process(challenge)
+        digest = hmac_md5(challenge, password)
+        "#{username} #{digest}"
+      end
+
+      private
+
+      # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+
+      def hmac_md5(text, key)
+        if key.length > 64
+          key = Digest::MD5.digest(key)
+        end
+
+        k_ipad = key + "\0" * (64 - key.length)
+        k_opad = key + "\0" * (64 - key.length)
+        (0..63).each do |i|
+          k_ipad[i] = (k_ipad[i].ord ^ 0x36).chr
+          k_opad[i] = (k_opad[i].ord ^ 0x5c).chr
+        end
+
+        digest = Digest::MD5.digest(k_ipad + text)
+
+        Digest::MD5.hexdigest(k_opad + digest)
+      end
+
+      # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
+
+    end
+  end
+end

data/lib/net/sasl/digest_md5_authenticator.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require "digest/md5"
+require "strscan"
+
+module Net
+
+  module SASL
+
+    # Authenticator for the "`DIGEST-MD5`" SASL mechanism type, specified
+    # in RFC2831(https://tools.ietf.org/html/rfc2831).
+    #
+    # == Deprecated
+    #
+    # "+DIGEST-MD5+" has been deprecated by
+    # {RFC6331}[https://tools.ietf.org/html/rfc6331] and should not be relied on
+    # for security.  It is included for compatibility with existing servers.
+    class DigestMD5Authenticator < Authenticator
+
+      STAGE_ONE = :stage_one
+      STAGE_TWO = :stage_two
+      private_constant :STAGE_ONE, :STAGE_TWO
+
+      attr_reader :username, :password, :authzid
+
+      # Provide the +username+ and +password+ credentials.  An optional
+      # +authzid+ is defined as: "The "authorization ID" as per
+      # RFC2222[https://tools.ietf.org/html/rfc2222],
+      # encoded in UTF-8. optional. If present, and the
+      # authenticating user has sufficient privilege, and the server supports
+      # it, then after authentication the server will use this identity for
+      # making all accesses and access checks.  If the client specifies it, and
+      # the server does not support it, then the response-value will be
+      # incorrect, and authentication will fail."
+      #
+      # This should generally be instantiated via Net::SASL.authenticator.
+      def initialize(username, password, authzid = nil, **_options)
+        super
+        @username, @password, @authzid = username, password, authzid
+        @nc, @stage = {}, STAGE_ONE
+      end
+
+      # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength, Metrics/BlockNesting
+
+      # responds to the server's DIGEST-MD5 challenges
+      def process(challenge)
+        case @stage
+        when STAGE_ONE
+          @stage = STAGE_TWO
+          sparams = {}
+          c = StringScanner.new(challenge)
+          while c.scan(/(?:\s*,)?\s*(\w+)=("(?:[^\\"]+|\\.)*"|[^,]+)\s*/)
+            k, v = c[1], c[2]
+            if v =~ /^"(.*)"$/
+              v = $1
+              if v =~ /,/
+                v = v.split(",")
+              end
+            end
+            sparams[k] = v
+          end
+
+          raise DataFormatError, "Bad Challenge: '#{challenge}'" unless c.rest.empty?
+          unless sparams["qop"].include?("auth")
+            raise Error,
+                  "Server does not support auth (qop = #{sparams["qop"].join(",")})"
+          end
+
+          response = {
+            nonce: sparams["nonce"],
+            username: @username,
+            realm: sparams["realm"],
+            cnonce: Digest::MD5.hexdigest("%.15f:%.15f:%d" % [Time.now.to_f, rand,
+                                                              Process.pid.to_s,]),
+            'digest-uri': "imap/#{sparams["realm"]}",
+            qop: "auth",
+            maxbuf: 65_535,
+            nc: "%08d" % nc(sparams["nonce"]),
+            charset: sparams["charset"],
+          }
+
+          response[:authzid] = @authzid unless @authzid.nil?
+
+          # now, the real thing
+          a0 = Digest::MD5.digest([ response.values_at(:username, :realm),
+                                    @password, ].join(":"))
+
+          a1 = [ a0, response.values_at(:nonce, :cnonce) ].join(":")
+          a1 << ":#{response[:authzid]}" unless response[:authzid].nil?
+
+          a2 = "AUTHENTICATE:#{response[:'digest-uri']}"
+          if response[:qop] && response[:qop] =~ (/^auth-(?:conf|int)$/)
+            a2 << ":00000000000000000000000000000000"
+          end
+
+          response[:response] = Digest::MD5.hexdigest(
+            [
+              Digest::MD5.hexdigest(a1),
+              response.values_at(:nonce, :nc, :cnonce, :qop),
+              Digest::MD5.hexdigest(a2),
+            ].join(":")
+          )
+
+          response.keys.map {|key| qdval(key.to_s, response[key]) }.join(",")
+        when STAGE_TWO
+          @stage = nil
+          # if at the second stage, return an empty string
+          if challenge =~ /rspauth=/
+            ""
+          else
+            raise ChallengeParseError, challenge
+          end
+        else
+          raise ChallengeParseError, challenge
+        end
+      end
+
+      # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength, Metrics/BlockNesting
+
+      # returns true after two challenge/response stages
+      def done?
+        @stage.nil?
+      end
+
+      private
+
+      def nc(nonce)
+        @nc[nonce] = if @nc.key? nonce
+                       @nc[nonce] + 1
+                     else
+                       1
+                     end
+        @nc[nonce]
+      end
+
+      # some responses need quoting
+      def qdval(k, v) # rubocop:disable Naming/MethodParameterName
+        return if k.nil? || v.nil?
+        if %w[username authzid realm nonce cnonce digest-uri qop].include? k
+          v.gsub!(/([\\"])/, "\\\1")
+          '%s="%s"' % [k, v]
+        else
+          "%s=%s" % [k, v]
+        end
+      end
+
+    end
+  end
+end

data/lib/net/sasl/login_authenticator.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Net
+
+  module SASL
+
+    # Authenticator for the "+LOGIN+" SASL mechanism.  The authentication
+    # credentials are transmitted in cleartext so this mechanism should only be
+    # used over an encrypted link.
+    #
+    # === Deprecated
+    #
+    # The {SASL mechanisms registry}[https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml]
+    # marks "LOGIN" as obsoleted by "PLAIN".  It is included here for
+    # compatibility with existing servers.  See
+    # draft-murchison-sasl-login[https://www.iana.org/go/draft-murchison-sasl-login]
+    # for both specification and deprecation.
+    class LoginAuthenticator < Authenticator
+
+      attr_reader :username, :password
+
+      # Provide the +username+ and +password+ credentials for authentication.
+      #
+      # LOGIN doesn't support +authzid+, and an ArgumentError will be raised if
+      # a third positional parameter is passed.
+      #
+      # This should generally be instantiated via Net::SASL.authenticator.
+      def initialize(username, password, **_options)
+        super
+        @state = STATE_USER
+      end
+
+      # returns the SASL response for +LOGIN+
+      def process(data)
+        case @state
+        when STATE_USER
+          @state = STATE_PASSWORD
+          @username
+        when STATE_PASSWORD
+          @state = STATE_DONE
+          @password
+        end
+      end
+
+      # Returns true after sending the username and password.
+      def done?
+        @state == STATE_DONE
+      end
+
+      STATE_USER = :USER
+      STATE_PASSWORD = :PASSWORD
+      STATE_DONE = :DONE
+
+      private_constant :STATE_USER, :STATE_PASSWORD
+
+    end
+  end
+end

data/lib/net/sasl/plain_authenticator.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Net
+
+  module SASL
+
+    # Authenticator for the "+PLAIN+" SASL mechanism, specified in
+    # RFC4616[https://tools.ietf.org/html/rfc4616].  The authentication
+    # credentials are transmitted in cleartext, so this mechanism should only be
+    # used over an encrypted link.
+    class PlainAuthenticator < Authenticator
+
+      NULL = -"\0".b
+      private_constant :NULL
+
+      attr_reader :username, :password, :authzid, :done
+
+      alias done? done
+      private :done
+
+      # +username+ is the authentication identity, the identity whose +password+ is
+      # used.  +username+ is referred to as +authcid+ by
+      # RFC4616[https://tools.ietf.org/html/rfc4616].
+      #
+      # +authzid+ is the authorization identity (identity to act as).  It can
+      # usually be left blank. When +authzid+ is left blank (nil or empty string)
+      # the server will derive an identity from the credentials and use that as the
+      # authorization identity.
+      #
+      # This should generally be instantiated via Net::SASL.authenticator.
+      def initialize(username, password, authzid = nil, **_options)
+        raise ArgumentError, "username contains NULL" if username&.include?(NULL)
+        raise ArgumentError, "password contains NULL" if password&.include?(NULL)
+        raise ArgumentError, "authzid  contains NULL" if authzid&.include?(NULL)
+        super
+        @done = false
+      end
+
+      # +PLAIN+ does support SASL-IR
+      def supports_initial_response?
+        true
+      end
+
+      # returns the SASL response for +PLAIN+
+      def process(data)
+        @done = true
+        "#{@authzid}\0#{@username}\0#{@password}"
+      end
+
+    end
+
+  end
+
+end

data/lib/net/sasl/registry.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Net
+
+  module SASL
+
+    # Registry for SASL mechanisms.  Common usage can use the default global
+    # registry, via Net::SASL#authenticator.
+    class Registry
+
+      # Creates a new registry, which matches enabled SASL mechanisms with their
+      # implementations.
+      def initialize
+        @authenticators = {}
+      end
+
+      # Adds an authenticator class for use with #authenticator.  +mechanism+ is
+      # the {SASL mechanism name}[https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml]
+      # supported by +authenticator+ (for instance, "+PLAIN+").  The
+      # +authenticator+ is an class which defines a +#process+ method to handle
+      # authentication with the server.  See e.g. Net::SASL::PlainAuthenticator.
+      #
+      # If +mechanism+ refers to an existing authenticator, it will be replaced
+      # by the new one.
+      def add_authenticator(mechanism, authenticator)
+        @authenticators[mechanism.upcase] = authenticator
+      end
+
+      # Deletes an authenticator from the registry.  This can be useful to
+      # implement a policy that prohibits the use of default mechanisms.
+      def remove_authenticator(mechanism)
+        @authenticators.delete(mechanism.upcase)
+      end
+
+      # Builds an authenticator in its initial state.  +mechanism+ is the SASL
+      # mechanism name.  All other arguments represent the credentials and other
+      # parameters or configuration, which will be passed directly to the chosen
+      # authenticator's +#new+ method.  See Authenticator.new.
+      def authenticator(mechanism, authcid=nil, credentials=nil, authzid=nil, **kwargs)
+        mechanism = mechanism.upcase
+        unless @authenticators.key?(mechanism)
+          raise ArgumentError, 'unknown SASL mechanism - "%s"' % mechanism
+        end
+        @authenticators.fetch(mechanism)
+          .new(authcid, credentials, authzid, **kwargs)
+      end
+
+    end
+
+  end
+
+end

data/lib/net/sasl/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Net
+  module SASL
+    VERSION = "0.1.0"
+  end
+end

data/net-sasl.gemspec

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require_relative "lib/net/sasl/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "net-sasl"
+  spec.version       = Net::SASL::VERSION
+  spec.authors       = ["nicholas a. evans", "Shugo Maeda"]
+  spec.email         = ["nicholas.evans@gmail.com", "shugo@ruby-lang.org"]
+
+  spec.summary       = "Pluggable SASL mechanisms"
+  spec.description   = "Pluggable mechanisms to support protocols which use SASL"
+  spec.homepage      = "https://github.com/nevans/net-sasl"
+  spec.license       = "MIT"
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.5.0")
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+  spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/main/CHANGELOG.md"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) {
+    `git ls-files -z`.split("\x0").reject {|f| f.match(%r{\A(?:test|spec|features)/}) }
+  }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{\Aexe/}) {|f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "digest"
+  spec.add_dependency "strscan"
+end

metadata

@@ -0,0 +1,96 @@
+--- !ruby/object:Gem::Specification
+name: net-sasl
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- nicholas a. evans
+- Shugo Maeda
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2021-05-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: digest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: strscan
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Pluggable mechanisms to support protocols which use SASL
+email:
+- nicholas.evans@gmail.com
+- shugo@ruby-lang.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/main.yml"
+- ".gitignore"
+- ".rubocop.yml"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/net/sasl.rb
+- lib/net/sasl/authenticator.rb
+- lib/net/sasl/cram_md5_authenticator.rb
+- lib/net/sasl/digest_md5_authenticator.rb
+- lib/net/sasl/login_authenticator.rb
+- lib/net/sasl/plain_authenticator.rb
+- lib/net/sasl/registry.rb
+- lib/net/sasl/version.rb
+- net-sasl.gemspec
+homepage: https://github.com/nevans/net-sasl
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/nevans/net-sasl
+  source_code_uri: https://github.com/nevans/net-sasl
+  changelog_uri: https://github.com/nevans/net-sasl/blob/main/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key: 
+specification_version: 4
+summary: Pluggable SASL mechanisms
+test_files: []