passlib 0.1.0

data/lib/passlib/argon2.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Passlib
+  # Handles Argon2 password hashing via the {https://rubygems.org/gems/argon2 argon2} gem.
+  #
+  # Supports all three Argon2 variants: +argon2i+, +argon2id+ (recommended),
+  # and +argon2d+.  Hash format: +$argon2id$v=19$m=65536,t=2,p=1$...$...+
+  #
+  # @example
+  #   hash = Passlib::Argon2.create("hunter2")
+  #   hash.verify("hunter2")  # => true
+  #
+  # @!method self.create(secret, **options)
+  #   Creates a new Argon2 hash.
+  #   @param secret [String] the plaintext password
+  #   @option options [String]  :secret  optional pepper (server-side secret mixed into the hash)
+  #   @option options [String]  :salt    custom salt (normally auto-generated)
+  #   @option options [Symbol]  :profile pre-defined cost profile (see argon2 gem docs)
+  #   @option options [Integer] :t_cost  time cost — number of iterations
+  #   @option options [Integer] :m_cost  memory cost in KiB
+  #   @option options [Integer] :p_cost  parallelism factor
+  #   @return [Argon2]
+  class Argon2 < Password
+    external "argon2", "~> 2.3"
+    register mcf: %w[argon2i argon2id argon2d]
+    options :secret, :salt, :profile, :t_cost, :m_cost, :p_cost
+
+    def verify(secret) = ::Argon2::Engine.argon2_verify(secret, string, config.secret)
+    def create(secret) = ::Argon2::Password.new(**config).create(secret)
+
+    def upgrade?
+      defaults = ::Argon2::Profiles[config.profile] if config.profile
+
+      defaults ||= {
+        t_cost: ::Argon2::Password::DEFAULT_T_COST,
+        m_cost: ::Argon2::Password::DEFAULT_M_COST,
+        p_cost: ::Argon2::Password::DEFAULT_P_COST,
+      }
+
+      params = Internal.mcf_params(string)
+
+      params[:t] != (config.t_cost || defaults[:t_cost]) ||
+        params[:m] != (1 << (config.m_cost || defaults[:m_cost])) ||
+        params[:p] != (config.p_cost || defaults[:p_cost]) ||
+        false
+    end
+  end
+end

data/lib/passlib/balloon.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Passlib
+  # Handles Balloon hashing via the
+  # {https://rubygems.org/gems/balloon_hashing balloon_hashing} gem.
+  #
+  # Hash format: +$balloon$v=1$alg=sha256,s=1024,t=3$<salt>$<checksum>+
+  #
+  # @example
+  #   hash = Passlib::Balloon.create("hunter2")
+  #   hash.verify("hunter2") # => true
+  #
+  # @!method self.create(secret, **options)
+  #   Creates a new Balloon hash.
+  #   @param secret [String] the plaintext password
+  #   @option options [Integer] :s_cost    space cost (memory usage)
+  #   @option options [Integer] :t_cost    time cost (iterations)
+  #   @option options [String]  :algorithm digest algorithm name (e.g. +"sha256"+)
+  #   @return [Balloon]
+  class Balloon < Password
+    register mcf: "balloon"
+    external "balloon_hashing", ">= 0.1.0"
+    options :s_cost, :t_cost, :algorithm
+
+    def verify(secret) = BalloonHashing.verify(secret, string)
+    def create(secret) = BalloonHashing.create(secret, **config)
+
+    def upgrade?
+      params = Internal.mcf_params(string)
+      params[:alg] != (config.algorithm || BalloonHashing::DEFAULT_ALGORITHM) ||
+        params[:s]  != (config.s_cost    || BalloonHashing::DEFAULT_S_COST)    ||
+        params[:t]  != (config.t_cost    || BalloonHashing::DEFAULT_T_COST)    ||
+        false
+    end
+  end
+end

data/lib/passlib/bcrypt.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Passlib
+  # Handles bcrypt password hashing via the {https://rubygems.org/gems/bcrypt bcrypt} gem.
+  #
+  # Recognized hash formats: +$2a$+, +$2b$+, +$2x$+, +$2y$+ (all variants are
+  # accepted on load, new hashes are always produced in +$2a$+ format by the
+  # underlying gem).
+  #
+  # @example
+  #   hash = Passlib::BCrypt.create("hunter2", cost: 12)
+  #   hash.verify("hunter2")  # => true
+  #   hash.to_s               # => "$2a$12$..."
+  #
+  # @!method self.create(secret, **options)
+  #   Creates a new bcrypt hash.
+  #   @param secret [String] the plaintext password
+  #   @option options [String]  :salt custom bcrypt salt string (normally auto-generated,
+  #     must include the cost factor in standard bcrypt format)
+  #   @option options [Integer] :cost bcrypt cost factor, 4–31
+  #     (default: +BCrypt::Engine::DEFAULT_COST+)
+  #   @return [BCrypt]
+  class BCrypt < Password
+    external "bcrypt", "~> 3.0"
+    register mcf: %w[2a 2b 2x 2y]
+    options :salt, :cost
+
+    # @param secret [String] the plaintext password to re-hash
+    # @return [BCrypt] a new instance hashed with the same salt
+    def create_comparable(secret) = self.class.create(secret, salt: @salt)
+
+    def upgrade?
+      cost = @salt.split("$")[2].to_i
+      cost != (config.cost || ::BCrypt::Engine::DEFAULT_COST)
+    end
+
+    def create(secret)
+      @salt = config.salt || ::BCrypt::Engine.generate_salt(config.cost || ::BCrypt::Engine::DEFAULT_COST)
+      ::BCrypt::Engine.hash_secret(secret, @salt)
+    end
+
+    def load(string)
+      bcrypt = ::BCrypt::Password.new(string)
+      @salt = bcrypt.salt
+      bcrypt.to_str
+    end
+  end
+end

data/lib/passlib/bcrypt_sha256.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+module Passlib
+  # Handles bcrypt-sha256 password hashing via the
+  # {https://rubygems.org/gems/bcrypt bcrypt} gem.
+  #
+  # A hybrid scheme that works around bcrypt's 72-byte password truncation
+  # limit: the password is first run through HMAC-SHA256 (keyed with the
+  # bcrypt salt), the resulting 32-byte digest is base64-encoded, and the
+  # base64 string is then hashed with standard bcrypt.  Passwords of any
+  # length are handled correctly, and the output is a self-contained MCF
+  # string that embeds all parameters needed for verification.
+  #
+  # Hash format: +$bcrypt-sha256$v=2,t=2b,r=12$<salt22>$<digest31>+
+  #
+  # This format is compatible with Python's
+  # {https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt_sha256.html
+  # passlib.hash.bcrypt_sha256}.
+  #
+  # @example
+  #   hash = Passlib::BcryptSHA256.create("hunter2")
+  #   hash.verify("hunter2")  # => true
+  #   hash.to_s               # => "$bcrypt-sha256$v=2,t=2b,r=12$..."
+  #
+  # @!method self.create(secret, **options)
+  #   Creates a new bcrypt-sha256 hash.
+  #   @param secret [String] the plaintext password
+  #   @option options [Integer] :cost bcrypt cost factor, 4–31
+  #     (default: +BCrypt::Engine::DEFAULT_COST+)
+  #   @option options [String] :salt custom bcrypt salt string (normally
+  #     auto-generated; must be in standard bcrypt format +$2b$NN$<22chars>+)
+  #   @return [BcryptSHA256]
+  class BcryptSHA256 < Password
+    identifier :bcrypt_sha256
+    external "bcrypt", "~> 3.0"
+    register mcf: "bcrypt-sha256"
+    options :cost, :salt
+
+    FORMAT = /\A\$bcrypt-sha256\$v=2,t=2b,r=(\d+)\$([.\/A-Za-z0-9]{22})\$([.\/A-Za-z0-9]{31})\z/
+    private_constant :FORMAT
+
+    # Re-hashes +secret+ with the same salt and cost.
+    # @param secret [String] the plaintext password
+    # @return [BcryptSHA256]
+    def create_comparable(secret) = self.class.create(secret, salt: @bcrypt_salt)
+
+    # @return [Boolean] +true+ if the stored cost differs from the configured cost
+    def upgrade?
+      @cost != (config.cost || ::BCrypt::Engine::DEFAULT_COST)
+    end
+
+    private
+
+    def load(string)
+      m = FORMAT.match(string) or raise ArgumentError, "invalid bcrypt-sha256 hash: #{string.inspect}"
+      @cost       = m[1].to_i
+      @bcrypt_salt = "$2b$#{m[1].rjust(2, "0")}$#{m[2]}"
+      string
+    end
+
+    def create(secret)
+      cost         = config.cost || ::BCrypt::Engine::DEFAULT_COST
+      @bcrypt_salt = config.salt || ::BCrypt::Engine.generate_salt(cost).sub(/\A\$2[a-z]\$/, "$2b$")
+      parts        = @bcrypt_salt.split("$")  # ["", "2b", "NN", "22chars"]
+      @cost        = parts[2].to_i
+      salt22       = parts[3]
+      digest31     = bcrypt_digest(secret, @bcrypt_salt)
+      "$bcrypt-sha256$v=2,t=2b,r=#{@cost}$#{salt22}$#{digest31}"
+    end
+
+    # Computes the bcrypt digest of the HMAC-SHA256 pre-hash.
+    #
+    # 1. HMAC-SHA256(key: bcrypt_salt, msg: UTF-8 password) → 32 bytes
+    # 2. Standard base64-encode → 44-char ASCII string (with = padding)
+    # 3. BCrypt-hash that string with the same salt → take the last 31 chars
+    def bcrypt_digest(secret, bcrypt_salt)
+      hmac    = OpenSSL::HMAC.digest("SHA256", bcrypt_salt, secret.encode("UTF-8"))
+      encoded = [hmac].pack("m0")  # standard base64, no newlines, with = padding
+      ::BCrypt::Engine.hash_secret(encoded, bcrypt_salt)[-31..]
+    end
+  end
+end

data/lib/passlib/configuration/context.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+# Mixin that provides configuration, hash-loading, and hash-creation helpers.
+#
+# Extended into the {Passlib} module (so all methods are available as
+# +Passlib.load+, +Passlib.create+, etc.)
+module Passlib::Configuration::Context
+  # Returns the active {Configuration} for this object.
+  #
+  # The first call initializes the configuration, inheriting from
+  # {Passlib.configuration} unless this object *is* the {Passlib} module.
+  #
+  # @return [Configuration]
+  def configuration = @configuration ||= Passlib::Configuration.new(base_config)
+
+  # Replaces the current configuration options.
+  #
+  # @param value [Configuration, Hash] new configuration or option overrides
+  # @return [void]
+  # @see Configuration#set
+  def configuration=(value)
+    configuration.set(value)
+  end
+
+  alias config  configuration
+  alias config= configuration=
+
+  # Yields the current configuration to a block for modification.
+  # @yieldparam config [Configuration] the current configuration
+  # @return [void]
+  def configure = yield(config)
+  alias setup configure
+
+  # Parses a stored hash string and returns a {Password} instance.
+  #
+  # Delegates to {Password.load} with the current configuration applied.
+  #
+  # @param payload [String] the stored password hash string
+  # @return [Password] a {Password} instance for the detected algorithm
+  # @raise [ArgumentError] if the hash format is not recognized
+  # @raise [Passlib::UnknownHashFormat] if the format is recognized but invalid
+  def load(payload, **)  = Passlib::Password.load(payload,  config, **)
+
+  # Creates a new password hash for the given secret using the current configuration.
+  #
+  # Delegates to {Password.create} with the current configuration applied.
+  # A preferred algorithm must be configured or a concrete subclass used.
+  #
+  # @param secret [String] the plaintext password to hash
+  # @return [Password] a new {Password} instance
+  def create(secret, **) = Passlib::Password.create(secret, config, **)
+
+  # Verifies a plaintext secret against a stored password hash.
+  #
+  # The argument order may be swapped: if the first argument is a
+  # {Password} instance and the second is a String, they are treated as
+  # +(hash, secret)+.
+  #
+  # Equivalent to +Passlib.load(hash).verify(secret)+.
+  #
+  # @param secret [String] the plaintext password to verify
+  # @param hash   [String] the stored password hash string
+  # @return [Boolean] +true+ if the secret matches the hash, +false+ otherwise
+  # @raise [ArgumentError] if the hash format is not recognized
+  # @raise [Passlib::UnsupportedAlgorithm] if the algorithm is unavailable
+  # @see Password#verify
+  def verify(secret, hash)
+    secret, hash = hash, secret if secret.is_a? Passlib::Password and not hash.is_a? Passlib::Password
+    hash = load(hash) unless hash.is_a? Passlib::Password
+    hash.verify(secret)
+  end
+
+  alias match? verify
+  alias valid_secret? verify
+  alias valid_password? verify
+
+  # Returns whether a stored hash should be re-hashed.
+  #
+  # Returns +false+ immediately when no preferred scheme is configured.
+  # Returns +true+ when the hash uses a different algorithm than the
+  # preferred scheme.  When the algorithm already matches, delegates to
+  # {Password#upgrade?} to check whether the cost parameters are weaker
+  # than those in the current configuration.
+  #
+  # @param hash [String, Password] the stored password hash to evaluate
+  # @return [Boolean] +true+ if the hash should be upgraded, +false+ otherwise
+  def upgrade?(hash)
+    return false unless target = config.preferred_scheme
+    hash = load(hash) unless hash.is_a? Passlib::Password
+    return true unless hash.is_a? Passlib[target]
+    hash.upgrade?
+  end
+
+  # Re-hashes a password if the stored hash is outdated.
+  #
+  # First verifies +secret+ against +hash+ (unless +verify: false+).
+  # Returns +nil+ if verification fails or no upgrade is needed.
+  # Otherwise creates and returns a new hash using the current
+  # configuration (algorithm and cost parameters).
+  #
+  # The argument order may be swapped: if the first argument is a
+  # {Password} instance and the second is a String, they are treated as
+  # +(hash, secret)+.
+  #
+  # @param secret [String, Password] the plaintext password (or hash if swapped)
+  # @param hash   [String, Password] the stored password hash (or secret if swapped)
+  # @param verify [Boolean] when +false+, skip password verification before upgrading
+  #   (default: +true+)
+  # @return [Password, nil] a new {Password} if an upgrade was performed, +nil+ otherwise
+  def upgrade(secret, hash, verify: true)
+    secret, hash = hash, secret if secret.is_a? Passlib::Password and not hash.is_a? Passlib::Password
+    hash = load(hash) unless hash.is_a? Passlib::Password
+    return if verify and not verify(secret, hash)
+    return unless upgrade?(hash)
+    create(secret)
+  end
+
+  private
+
+  def base_config = Passlib.configuration
+end

data/lib/passlib/configuration/passlib.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class Passlib::Configuration::Passlib < Passlib::Configuration
+  option :preferred_schemes, %i[ yescrypt argon2 balloon scrypt bcrypt pbkdf2 ].freeze
+
+  def preferred_scheme=(scheme)
+    self.preferred_schemes = Array(scheme)
+  end
+
+  def preferred_scheme
+    return preferred_schemes.first if preferred_schemes.size == 1
+    preferred_schemes.detect { ::Passlib.available? it }
+  end
+
+  alias default_scheme preferred_scheme
+  alias default_scheme= preferred_scheme=
+end

data/lib/passlib/configuration.rb

@@ -0,0 +1,187 @@
+# frozen_string_literal: true
+
+module Passlib
+  # Thread-safe, chainable configuration object.
+  #
+  # Each algorithm class has its own configuration subclass (e.g.
+  # +Configuration::BCrypt+) whose options are auto-registered via the +options+
+  # DSL macro in the algorithm class body.  A child configuration inherits
+  # defaults from a parent and can override individual options without mutating
+  # the parent.
+  #
+  # The global Passlib configuration is accessible via {Passlib.configuration}
+  # (aliased as {Passlib.config}).
+  #
+  # @example Reading a configuration value
+  #   Passlib.configuration.bcrypt.cost  # => nil (use algorithm default)
+  #
+  # @example Setting a global default
+  #   Passlib.config.bcrypt.cost = 12
+  class Configuration
+    autoload :Context, "passlib/configuration/context"
+    autoload :Passlib, "passlib/configuration/passlib"
+
+    # @api private
+    def self.new(...) = self == Configuration ? Passlib.new(...) : super(...)
+
+    # @api private
+    def self.option(key, default = nil)
+      @available_options << key unless available_options.include? key
+
+      if const_defined?(:Generated, false)
+        mixin = const_get(:Generated, false)
+      else
+        mixin = Module.new
+        const_set(:Generated, mixin)
+        include mixin
+      end
+
+      mixin.module_eval do
+        if default.is_a? Configuration
+          define_method("#{key}=") { public_send(key).set(it) }
+          define_method(key) do
+            @options.compute_if_absent(key) do
+              result = default.class.new(parent ? parent.public_send(key) : default)
+              frozen? ? result.freeze : result
+            end
+          end
+        else
+          define_method("#{key}=") do |value|
+            raise FrozenError, "can't modify frozen configuration" if frozen?
+            @options[key] = value
+          end
+          define_method(key) do
+            @options.fetch(key) do
+              value = parent ? parent.public_send(key) : default
+              value = value.dup.freeze unless value.frozen?
+              value
+            end
+          end
+        end
+      end
+    end
+
+    # @api private
+    def self.options(*list)
+      list.each do |entry|
+        case entry
+        when Symbol then option(entry)
+        when Hash   then entry.each { option(_1, _2) }
+        else raise ArgumentError, "invalid option: #{entry.inspect}"
+        end
+      end
+    end
+
+    # @api private
+    def self.available_options
+      inherited = superclass.respond_to?(:available_options) ? superclass.available_options : []
+      @available_options ||= []
+      inherited + @available_options
+    end
+
+    # Creates a new configuration instance.
+    #
+    # @param arguments [Array<Configuration, Hash, Proc, nil>] zero or more
+    #   parent configurations (at most one) and/or option hashes to apply
+    #   immediately, +nil+ entries are silently ignored
+    # @param block [Proc] if given, used as a lazy parent configuration
+    def initialize(*arguments, &block)
+      super()
+      arguments << block if block
+
+      @parent  = nil
+      @options = Concurrent::Map.new
+
+      arguments.flatten.each do |argument|
+        case argument
+        when nil
+          # ignore
+        when Configuration, Proc
+          raise ArgumentError, "cannot set multiple parent configurations" if @parent
+          @parent = argument
+        else
+          apply(argument.to_hash)
+        end
+      end
+    end
+
+    # The parent configuration from which defaults are inherited, or +nil+.
+    # @return [Configuration, nil]
+    def parent = @parent&.call
+
+    # Replaces all current options.
+    #
+    # If +options+ is a {Configuration} it becomes the new parent, otherwise
+    # the options map is cleared and the hash is applied via {#apply}.
+    #
+    # @param options [Configuration, #to_hash] replacement options or new parent
+    # @return [void]
+    def set(options)
+      @options.clear
+      options.is_a?(Configuration) ? @parent = options : apply(options)
+    end
+
+    # Applies a hash of option values by calling the corresponding setters.
+    #
+    # @param options [#each] key/value pairs to apply
+    # @return [void]
+    def apply(options) = options.each { public_send(:"#{_1}=", _2) }
+
+    # Returns all explicitly-set options (and nested configurations) as a Hash.
+    #
+    # Nested {Configuration} values are converted recursively, empty nested
+    # hashes are omitted.
+    #
+    # @return [Hash{Symbol => Object}]
+    def to_h
+      return @to_h if instance_variable_defined?(:@to_h)
+      self.class.available_options.to_h do |key|
+        value = public_send(key)
+        if value.is_a? Configuration
+          value = value.to_h
+          value = nil if value.empty?
+        end
+        [key, value]
+      end.compact
+    end
+
+    alias to_hash to_h
+
+    # Returns a hash value for this configuration, based on the hash of the
+    # options hash returned by {#to_h}.
+    # @return [Integer]
+    def hash = to_h.hash
+
+    # Freezes this configuration and all nested option values in place.
+    # Changes to a parent configuration will no longer have any effect.
+    #
+    # @return [self]
+    def freeze
+      return self if frozen?
+      @parent = @parent&.call
+      self.class.available_options.each { @options[it] = public_send(it).freeze }
+      @to_h ||= to_h.freeze
+      super
+    rescue FrozenError
+      self
+    end
+
+    # Returns a human-readable representation of this configuration.
+    # @return [String]
+    def inspect = "#<Passlib::Configuration #{to_h.inspect}>"
+
+    # Pretty-print support for +pp+.
+    # @param pp [PP] the pretty-printer instance
+    # @return [void]
+    def pretty_print(pp)
+      pp.group(1, "#<Passlib::Configuration", ">") do
+        pp.breakable
+        pp.pp to_h
+      end
+    end
+
+    protected
+
+    def call = self
+  end
+end

data/lib/passlib/context.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module Passlib
+  # An isolated configuration context for creating and verifying password hashes.
+  #
+  # A {Context} bundles a {Configuration} with the full {Configuration::Context}
+  # interface (+load+, +create+, +verify+, etc.), letting different parts of an
+  # application use different algorithms or settings independently without
+  # touching the global {Passlib} configuration.
+  #
+  # By default a new context inherits the global {Passlib} configuration as its
+  # parent, so any option not explicitly overridden falls back to the global
+  # setting. Pass another context or configuration as the first argument to
+  # inherit from that instead.
+  #
+  # @example Creating a context with a fixed algorithm
+  #   context = Passlib::Context.new(preferred_scheme: :bcrypt)
+  #   hash = context.create("hunter2")
+  #   hash.class # => Passlib::BCrypt
+  #   context.verify("hunter2", hash) # => true
+  #
+  # @example Inheriting from a parent context
+  #   parent  = Passlib::Context.new(preferred_scheme: :bcrypt)
+  #   context = Passlib::Context.new(parent)
+  #   context.create("hunter2").class  # => Passlib::BCrypt
+  #
+  # @example Reconfiguring after creation
+  #   context = Passlib::Context.new
+  #   context.configure { |c| c.preferred_scheme = :bcrypt }
+  #   context.create("hunter2").class  # => Passlib::BCrypt
+  #
+  # @example Using as a drop-in for a subset of Passlib's interface
+  #   context = Passlib::Context.new(preferred_scheme: :bcrypt)
+  #   context.load("$2a$12$...").verify("hunter2")  # => true
+  #
+  # @see Configuration::Context
+  class Context
+    include Passlib::Configuration::Context
+
+    # Creates a new context.
+    #
+    # @overload initialize()
+    #   Creates a context inheriting defaults from {Passlib.configuration}.
+    #
+    # @overload initialize(parent)
+    #   Creates a context inheriting defaults from another context or configuration.
+    #   @param parent [Context, Configuration] parent to inherit defaults from
+    #
+    # @overload initialize(**options)
+    #   Creates a context with the given options applied on top of the global defaults.
+    #   @param options [Hash] option key/value pairs (e.g. +preferred_scheme: :bcrypt+)
+    #
+    # @overload initialize(parent, **options)
+    #   Creates a context inheriting from a parent with additional option overrides.
+    #   @param parent [Context, Configuration] parent to inherit defaults from
+    #   @param options [Hash] option overrides applied on top of the parent
+    def initialize(input = nil, **options)
+      @base_config = nil
+
+      case input
+      when Passlib::Configuration::Context then @base_config   = input.config
+      when Passlib::Configuration          then @base_config   = input
+      when Hash                            then @configuration = Passlib::Configuration.new(base_config, input)
+      when nil
+      else raise ArgumentError, "invalid context input: #{input.inspect}"
+      end
+
+      config.apply(options)
+    end
+
+    private
+
+    def instance_variables_to_inspect = [:@configuration]
+    def base_config = @base_config || super
+  end
+end

data/lib/passlib/internal/dependency.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Passlib::Internal
+  class Dependency < Module
+    KNOWN ||= {}
+
+    def self.[](...) = new(...)
+    
+    def self.new(dependency, *requirements, &)
+      KNOWN[dependency] ||= []
+      KNOWN[dependency].concat(requirements)
+      super(dependency, &)
+    end
+
+    def initialize(dependency, &)
+      super()
+      @dependency = dependency.to_s
+      require @dependency
+      define_method("#{dependency}_available?") { true }
+    rescue LoadError
+      begin
+        # Reraise so Exception#cause is set
+        raise Passlib::MissingDependency, "missing dependency: #{dependency}"
+      rescue Passlib::MissingDependency => exception
+        define_method("#{dependency}_available?") { false }
+        define_method("available?") { false }
+        define_method(:create) { |*| raise exception }
+        define_method(:load) { |*| raise exception }
+      end
+    ensure
+      private "#{dependency}_available?"
+      super(&) if block_given?
+    end
+
+    def inspect
+      "#{self.class.inspect}[#{@dependency.inspect}]"
+    end
+  end
+end