rom-auth 0.0.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0ce8711f63f7f47e34d33f9eb7d06cf50c786dec
+  data.tar.gz: f348776bc063992f9e86e8205c61a244d07b8ed8
+SHA512:
+  metadata.gz: f26618867fd3c1580bd258a7c1c5c14ec62bd9a357ad93fa4222f827191965a7fc03c22031aadd9d419da9e2487b82adc2846cd08a044555080bebc785525842
+  data.tar.gz: dfc67314e9c244cf45e09480985bce757f46bf29f17ee0458b763419a10de6ecb8078ecec5d7ffa3fd82467fd27a546a0e0c61dbaf6fbe2d77221fef14f9617f

data/README.md

@@ -0,0 +1,63 @@
+# rom-auth
+
+* https://github.com/Ragmaanir/rom-auth
+
+## DESCRIPTION:
+
+Low level Authentication solution based on [ROM](http://rom-rb.org). It is based on plugins and only supposed to do database-oriented authentication of users. It is completely independent of HTTP/Rails.
+
+## FEATURES/PROBLEMS:
+
+* authentication of users via passwords
+* Plugins
+* A plugin for storing authentication attempts and their success/failure
+* A lockdown plugin for locking down user accounts on authentication failure
+
+## SYNOPSIS:
+
+  * TODO
+
+## REQUIREMENTS:
+
+* activesupport
+* rom
+* pbkdf2
+* virtus
+
+## INSTALL:
+
+* gem install rom-auth
+
+## DEVELOPERS:
+
+After checking out the source, run:
+
+  $ rake newb
+
+This task will install any missing dependencies, run the tests/specs,
+and generate the RDoc.
+
+## LICENSE:
+
+(The MIT License)
+
+Copyright (c) 2015 Ragmaanir
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/lib/rom-auth.rb

@@ -0,0 +1,6 @@
+require 'rom/auth'
+
+module ROM
+  module Auth
+  end
+end

data/lib/rom/auth.rb

@@ -0,0 +1,34 @@
+require 'bundler'
+Bundler.setup
+
+require 'rom'
+require 'rom-sql'
+require 'virtus'
+require 'active_support'
+require 'active_support/core_ext'
+
+# require 'rom/auth/support/shorthand_symbol'
+
+require 'rom/auth/version'
+require 'rom/auth/configuration'
+require 'rom/auth/system'
+
+# require 'rom/auth/authenticators/authenticator'
+# require 'rom/auth/authenticators/password_authenticator'
+
+require 'rom/auth/migration'
+
+require 'rom/auth/plugins/plugin'
+require 'rom/auth/plugins/authentication_events_plugin'
+require 'rom/auth/plugins/authentication_credentials_plugin'
+require 'rom/auth/plugins/lockdown_plugin'
+
+require 'rom/auth/digest'
+require 'rom/auth/password_verifiers/password_verifier'
+require 'rom/auth/password_verifiers/pbkdf2_verifier'
+
+module ROM
+  module Auth
+
+  end
+end

data/lib/rom/auth/authenticators/authenticator.rb

@@ -0,0 +1,11 @@
+module ROM::Auth
+  module Authenticators
+    class Authenticator
+      include Support::ShorthandSymbol.strip(/Authenticator/)
+
+      def authenticate(*args)
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/rom/auth/authenticators/password_authenticator.rb

@@ -0,0 +1,14 @@
+module ROM::Auth
+  module Authenticators
+    class PasswordAuthenticator < Authenticator
+
+      def authenticate(user, identifier, password)
+        raise ArgumentError unless password.is_a?(String)
+
+        #user.password_verifier.verifies?(password)
+
+      end
+
+    end
+  end
+end

data/lib/rom/auth/configuration.rb

@@ -0,0 +1,45 @@
+module ROM
+  module Auth
+    class Configuration
+      include Virtus.model
+
+      attribute :users_table_name, Symbol, default: :users
+      attribute :email_confirmation_token_length, Range
+      attribute :cookie_authentication_token_length, Range
+      attribute :instrumentation, Object, default: ->(c,_){ c.find_default_instrumentation }
+      attribute :plugins, Hash, default: {}
+      attribute :logger, Object, default: ->(_,_){
+        Logger.new(STDOUT).tap do |l|
+          l.level = Logger::WARN
+          l.progname = 'ROM::Auth'
+        end
+      }
+
+      def initialize(*args, &block)
+        super(*args)
+        block.call(self) if block
+        self
+      end
+
+      def plugin(cls, options={}, &block)
+        raise(ArgumentError, "Expected a class but was #{cls.inspect}") unless cls.is_a?(Class)
+        config = cls.const_get(:Configuration).new(options)
+        block.call(config) if block
+        self.plugins = plugins.merge(cls => config)
+      end
+
+      def find_default_instrumentation
+        ActiveSupport::Notifications
+      end
+
+      def singular_users_table_name
+        users_table_name.to_s.singularize
+      end
+
+      def user_fk_name
+        [singular_users_table_name, :id].join('_').to_sym
+      end
+
+    end
+  end
+end

data/lib/rom/auth/digest.rb

@@ -0,0 +1,34 @@
+module ROM
+  module Auth
+
+    class Digest
+      def initialize(data)
+        raise(ArgumentError, "String required got #{data.class}") if !data.is_a?(String)
+        @data = data
+      end
+
+      def length
+        @data.length
+      end
+
+      def ==(other)
+        raise ArgumentError if !other.is_a?(Digest)
+        raise ArgumentError if length != other.length
+
+        # SECURITY timing attack
+        # TODO because of short-circuiting this is actually not 100% constant time. fix this.
+        result = @data.chars.zip(other.to_s.chars).inject(true) do |res, (char, other_char)|
+          eq = (char == other_char)
+          res && eq
+        end
+
+        result
+      end
+
+      def to_s
+        @data
+      end
+    end
+
+  end
+end

data/lib/rom/auth/migration.rb

@@ -0,0 +1,25 @@
+module ROM::Auth
+  class Migration
+    attr_reader :system, :setup, :config
+
+    def initialize(system, setup, config)
+      @system = system
+      @setup = setup
+      @config = config
+    end
+
+    def column_exists?(table, column)
+      database.schema(table).find{ |col| col.first == column }
+    end
+
+    def run
+      raise NotImplementedError
+    end
+
+  private
+
+    def database
+      @setup.default.connection
+    end
+  end
+end

data/lib/rom/auth/password_verifiers/password_verifier.rb

@@ -0,0 +1,69 @@
+module ROM
+  module Auth
+    module PasswordVerifiers
+      class PasswordVerifier
+
+        DEFAULT_OPTIONS       = { :iterations => 15000, :hash_function => :sha256 }.freeze
+        DEFAULT_SALT_LENGTH   = 16
+        SEPARATOR             = ","
+        VERIFIERS             = {}
+
+        attr_reader :salt, :digest, :options
+
+        def verifies?(plaintext_password)
+          tested_digest = compute_digest(plaintext_password, salt, options)
+
+          digest == tested_digest
+        end
+
+        def to_s
+          [type, salt, digest.to_s, options[:iterations]].join(SEPARATOR)
+        end
+
+        def ==(other)
+          case other
+            when PasswordVerifier then to_s == other.to_s
+            when String then to_s == other
+            else false
+          end
+        end
+
+        def self.for_password(plaintext_password, options={})
+          raise ArgumentError unless plaintext_password.is_a?(String)
+          new(options.merge(:password => plaintext_password))
+        end
+
+        def self.from_s(string)
+          kind, salt, digest, iterations = string.split(SEPARATOR)
+
+          raise(ArgumentError, "Invalid password verifier kind: #{kind.inspect}") unless VERIFIERS.keys.map(&:to_s).include?(kind)
+
+          VERIFIERS[kind.to_sym].new(DEFAULT_OPTIONS.merge(:digest => digest, :salt => salt, :iterations => iterations.to_i))
+        end
+
+      protected
+
+        def initialize(options={})
+          raise(ArgumentError, ":password or :digest required but got #{options.inspect}") unless options.values_at(:password, :digest).compact.one?
+
+          @options  = DEFAULT_OPTIONS.merge(options)
+          @salt     = @options.delete(:salt) || generate_random_salt(@options.delete(:salt_length))
+          @digest   = if digest_str = @options.delete(:digest)
+            Digest.new(digest_str)
+          else
+            compute_digest(@options[:password], @salt, @options)
+          end
+        end
+
+        def compute_digest(plaintext_password, salt, options={})
+          raise NotImplementedError
+        end
+
+        def generate_random_salt(length=nil)
+          SecureRandom.hex(length || DEFAULT_SALT_LENGTH)
+        end
+
+      end
+    end
+  end
+end

data/lib/rom/auth/password_verifiers/pbkdf2_verifier.rb

@@ -0,0 +1,24 @@
+require 'pbkdf2'
+
+module ROM
+  module Auth
+    module PasswordVerifiers
+      class PBKDF2Verifier < PasswordVerifier
+
+        PasswordVerifier::VERIFIERS.merge!(:PBKDF2 => PBKDF2Verifier)
+
+        def type
+          :PBKDF2
+        end
+
+      protected
+
+        def compute_digest(plaintext_password, salt, options={})
+          hex = PBKDF2.new(options.merge(:password => plaintext_password, :salt => salt)).hex_string
+          Digest.new(hex)
+        end
+
+      end
+    end
+  end
+end

data/lib/rom/auth/plugins/authentication_credentials_plugin.rb

@@ -0,0 +1,115 @@
+module ROM::Auth
+  module Plugins
+    class AuthenticationCredentialsPlugin < Plugin
+
+      class Configuration
+        include Virtus.model
+
+        attribute :table_name, Symbol, default: :authentication_credentials
+      end
+
+      def install
+        system.extend(CallbackOverrides)
+
+        config = configuration
+
+        @mapper_cls = Class.new(ROM::Mapper) do
+          relation(config.table_name)
+          model(AuthenticationCredential)
+          register_as :rom_auth_credential
+        end
+
+        @relation_cls = Class.new(ROM::Relation[:sql]) do
+          dataset(config.table_name)
+
+          def find_record(credentials)
+            raise if !credentials.respond_to?(:type) || !credentials.respond_to?(:identifier)
+            where(
+              type: credentials.type,
+              identifier: credentials.identifier
+            )
+          end
+        end
+      end
+
+      def migrate(setup)
+        AuthenticationCredentialsMigration.new(system, setup, configuration).run
+      end
+
+      def find_credential_entry(credentials)
+        ROM.env.relation(configuration.table_name).find_record(credentials).as(:rom_auth_credential).first
+      end
+
+      def identify_user(credentials)
+        cred = find_credential_entry(credentials)
+        ROM.env.relation(system.configuration.users_table_name).by_id(cred.user_id).first if cred
+      end
+
+      def authenticate(credentials)
+        cred = find_credential_entry(credentials)
+
+        cred.verifier.verifies?(credentials.password)
+      end
+
+      class AuthenticationCredential
+        include Virtus.value_object(coerce: false)
+
+        values do
+          attribute :user_id, Integer # FIXME this could be dynamic and could be account_id
+          attribute :created_at, DateTime
+          attribute :updated_at, DateTime
+          attribute :identifier, String
+          attribute :type, String
+          attribute :verifier_data, String
+          #attribute :verifier_type, String
+          attribute :active, Boolean
+        end
+
+        def verifier
+          PasswordVerifiers::PasswordVerifier.from_s(verifier_data)
+        end
+      end
+
+      class AuthenticationCredentialsMigration < Migration
+        def run
+          config = self.config
+          auth_config = system.configuration
+
+          user_fk_name = auth_config.user_fk_name
+
+          database.create_table(config.table_name) do
+            foreign_key(user_fk_name, auth_config.users_table_name.to_sym)
+
+            String :identifier
+            String :type
+            Boolean :active
+            #add_constraint(:password_verifier_length, Sequel.function(:char_length, :password_verifier)=>64..255)
+
+            String :verifier_data
+
+            DateTime :confirmed_at, null: true
+            String :confirmation_token, null: true
+            #add_constraint(:email_confirmation_token_length) { char_length(email_confirmation_token) == config.email_confirmation_token_length }
+            #add_constraint(:email_confirmation_token_length, Sequel.function(:char_length, :email_confirmation_token) => config.email_confirmation_token_length)
+
+            #String :cookie_authentication_token, null: true
+            #add_constraint(:cookie_authentication_token_length) { char_length(:cookie_authentication_token) == config.cookie_authentication_token_length }
+            #add_constraint(:cookie_authentication_token_length, Sequel.function(:char_length, :cookie_authentication_token) => config.cookie_authentication_token_length)
+            index [:identifier, :type], unique: true
+          end
+        end
+      end
+
+      module CallbackOverrides
+        def identify_user(credentials)
+          plugins[ROM::Auth::Plugins::AuthenticationCredentialsPlugin].identify_user(credentials)
+        end
+
+        def run_authentication_check(credentials)
+          plugins[ROM::Auth::Plugins::AuthenticationCredentialsPlugin].authenticate(credentials)
+        end
+      end
+
+    end
+  end
+end