sequel_password 0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c7be80a93422a9c18bd61e2d309b61481fb4c4d1
+  data.tar.gz: b89e1934f8373ba7e341d50312b1620574f93f19
+SHA512:
+  metadata.gz: a15ae5358ab1e5601c50dc6cc4c5b10bd4c223c3f3e5d2726e8a022b8dd28989a24e8b7b0e5321add1835549fcc5bbc1277e8df0ee12866db2748bb090e07863
+  data.tar.gz: 1014dcda3e264885bb94301736b00bfce78f574444919b11d6f0c71c53079192fb81345403385cc838e552ddc79d021d65d2acc7a7ede82d426af3822ef7909a

data/.gitignore

@@ -0,0 +1 @@
+coverage

data/.rubocop.yml

@@ -0,0 +1,44 @@
+Style/AlignHash:
+  Enabled: false
+
+Style/AlignArray:
+  Enabled: false
+
+Style/AlignParameters:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/CaseIndentation:
+  Enabled: false
+
+Style/IndentHash:
+  Enabled: false
+
+Style/NumericLiterals:
+  Enabled: false
+
+Style/SignalException:
+  Enabled: false
+
+Style/StringLiterals:
+  Enabled: false
+
+Style/MultilineOperationIndentation:
+  Enabled: false
+
+Style/StringLiterals:
+  Enabled: false
+
+Metrics/LineLength:
+  Max: 250
+
+Metrics/MethodLength:
+  Max: 250
+
+Metrics/ClassLength:
+  Max: 250
+
+Lint/UselessAssignment:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,8 @@
+language: ruby
+cache: bundler
+rvm:
+  - 2.2.1
+sudo: false
+script: bundle exec rspec
+notifications:
+  email: false

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,45 @@
+PATH
+  remote: .
+  specs:
+    sequel_password (0.1)
+      bcrypt (~> 3.1.10)
+      pbkdf2-ruby (~> 0.2.1)
+      sequel (~> 4.21.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    bcrypt (3.1.10)
+    diff-lcs (1.2.5)
+    docile (1.1.5)
+    multi_json (1.11.0)
+    pbkdf2-ruby (0.2.1)
+    rspec (3.2.0)
+      rspec-core (~> 3.2.0)
+      rspec-expectations (~> 3.2.0)
+      rspec-mocks (~> 3.2.0)
+    rspec-core (3.2.2)
+      rspec-support (~> 3.2.0)
+    rspec-expectations (3.2.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.2.0)
+    rspec-mocks (3.2.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.2.0)
+    rspec-support (3.2.2)
+    sequel (4.21.0)
+    simplecov (0.9.2)
+      docile (~> 1.1.0)
+      multi_json (~> 1.0)
+      simplecov-html (~> 0.9.0)
+    simplecov-html (0.9.0)
+    sqlite3 (1.3.10)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  rspec (~> 3.2.0)
+  sequel_password!
+  simplecov (~> 0.9.2)
+  sqlite3 (~> 1.3.10)

data/README.md

@@ -0,0 +1,4 @@
+# Sequel password
+
+This sequel plugin adds authentication and password hashing to Sequel models.
+It supports pbkdf2 and bcrypt hashers.

data/lib/sequel_password.rb

@@ -0,0 +1,186 @@
+require "base64"
+require "bcrypt"
+require "openssl"
+require "pbkdf2"
+require "securerandom"
+
+module Sequel
+  module Plugins
+    module Password
+      class InvalidHasherException < Exception; end
+
+      def self.configure(model, options = {})
+        model.instance_eval do
+          @column = options.fetch(:column, :digest)
+          @hashers = options.fetch(:hashers,
+            pbkdf2_sha256: PBKDF2Hasher.new,
+            bcrypt_sha256: BCryptSHA256Hasher.new,
+            bcrypt: BCryptHasher.new,
+            sha1: SHA1Hasher.new)
+        end
+      end
+
+      module ClassMethods
+        attr_reader :column, :hashers
+
+        Plugins.inherited_instance_variables(self,
+          "@column": :digest, "@hashers": {})
+
+        def make_password(password, salt: nil, algorithm: :default)
+          return "!#{SecureRandom.hex(20)}" if password.nil?
+
+          salt = hasher(algorithm).salt if salt.nil?
+          hasher(algorithm).encode(password, salt)
+        end
+
+        def hasher(algorithm = :default)
+          @hashers.fetch(algorithm.to_sym, @hashers.values.first)
+        end
+
+        def usable_password?(encoded)
+          return false if encoded.nil? || encoded.start_with?("!")
+
+          algorithm = encoded.split('$').first
+          !hasher(algorithm).nil?
+        end
+
+        def check_password(password, encoded, setter: nil, algorithm: :default)
+          return false if password.nil? || !usable_password?(encoded)
+
+          preferred = hasher(algorithm)
+          hasher = hasher(encoded.split('$').first)
+
+          must_update = hasher.algorithm != preferred.algorithm
+          must_update = preferred.must_update(encoded) unless must_update
+
+          correct = hasher.verify(password, encoded)
+          setter.call(password) if !setter.nil? && correct && must_update
+
+          correct
+        end
+      end
+
+      module InstanceMethods
+        def authenticate(password)
+          encoded = send(model.column)
+          model.check_password(password, encoded, setter: method(:"password="))
+        end
+
+        def password=(password)
+          send("#{model.column}=", model.make_password(password))
+        end
+
+        def set_unusable_password
+          send("#{model.column}=", model.make_password(nil))
+        end
+      end
+
+      class Hasher
+        attr_reader :algorithm
+
+        def salt
+          # 72 bits
+          SecureRandom.hex(9)
+        end
+
+        def verify(password, encoded)
+          raise NotImplementedError
+        end
+
+        def encode(password, salt)
+          raise NotImplementedError
+        end
+
+        def must_update(encoded)
+          false
+        end
+
+        private
+
+        def constant_time_compare(a, b)
+          check = a.bytesize ^ b.bytesize
+          a.bytes.zip(b.bytes) { |x, y| check |= x ^ y }
+          check == 0
+        end
+      end
+
+      class PBKDF2Hasher < Hasher
+        def initialize
+          @algorithm = :pbkdf2_sha256
+          @iterations = 24000
+          @digest = OpenSSL::Digest::SHA256.new
+        end
+
+        def encode(password, salt, iterations = nil)
+          iterations = @iterations if iterations.nil?
+          hash = PBKDF2.new(password: password, salt: salt,
+            iterations: iterations, hash_function: @digest)
+          hash = Base64.strict_encode64(hash.value)
+          "#{@algorithm}$#{iterations}$#{salt}$#{hash}"
+        end
+
+        def verify(password, encoded)
+          algorithm, iterations, salt, hash = encoded.split('$', 4)
+          hash = encode(password, salt, iterations.to_i)
+          constant_time_compare(encoded, hash)
+        end
+
+        def must_update(encoded)
+          algorithm, iterations, salt, hash = encoded.split('$', 4)
+          iterations.to_i != @iterations
+        end
+      end
+
+      class BCryptSHA256Hasher < Hasher
+        def initialize
+          @algorithm = :bcrypt_sha256
+          @cost = 12
+          @digest = OpenSSL::Digest::SHA256.new
+        end
+
+        def salt
+          BCrypt::Engine.generate_salt(@cost)
+        end
+
+        def encode(password, salt)
+          password = @digest.digest(password) unless @digest.nil?
+          hash = BCrypt::Engine.hash_secret(password, salt)
+          "#{@algorithm}$#{hash}"
+        end
+
+        def verify(password, encoded)
+          algorithm, data = encoded.split('$', 2)
+          password = @digest.digest(password) unless @digest.nil?
+          hash = BCrypt::Engine.hash_secret(password, data)
+          constant_time_compare(data, hash)
+        end
+      end
+
+      class BCryptHasher < BCryptSHA256Hasher
+        def initialize
+          @algorithm = :bcrypt
+          @cost = 12
+          @digest = nil
+        end
+      end
+
+      class SHA1Hasher < Hasher
+        def initialize
+          @algorithm = :sha1
+          @digest = OpenSSL::Digest::SHA1.new
+        end
+
+        def encode(password, salt)
+          hash = @digest.digest(salt + password).unpack('H*').first
+          "#{@algorithm}$#{salt}$#{hash}"
+        end
+
+        def verify(password, encoded)
+          algorithm, salt, hash = encoded.split('$', 3)
+          hash = encode(password, salt)
+          constant_time_compare(encoded, hash)
+        end
+      end
+    end
+  end
+end

data/sequel_password.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Timothée Peignier"]
+  gem.email         = ["timothee.peignier@tryphon.org"]
+  gem.description   = %q{Sequel plugins to handle password hashing}
+  gem.summary       = %q{Add passwords hashing to sequel models.}
+  gem.homepage      = "http://rubygems.org/gems/sequel_password"
+  gem.license       = 'MIT'
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "sequel_password"
+  gem.require_paths = ["lib"]
+  gem.version       = '0.1'
+
+  gem.add_runtime_dependency 'sequel', '~> 4.21', '>= 4.21.0'
+  gem.add_runtime_dependency 'bcrypt', '~> 3.1', '>= 3.1.10'
+  gem.add_runtime_dependency 'pbkf2-ruby', '~> 0.2.1'
+
+  gem.add_development_dependency 'rspec', '~> 3.2', '>= 3.2.0'
+  gem.add_development_dependency 'simplecov', '~> 0.9.2'
+  gem.add_development_dependency 'sqlite3', '~> 1.3', '>= 1.3.10'
+end

data/spec/sequel_password_spec.rb

@@ -0,0 +1,115 @@
+require "spec_helper"
+
+describe Sequel::Plugins::Password do
+  subject(:user) { DefaultUser.new }
+
+  it "has an inherited instance variable @column" do
+    expect(DefaultUser.inherited_instance_variables).to include(:@column)
+  end
+
+  it "has an inherited instance variable @hashers" do
+    expect(DefaultUser.inherited_instance_variables).to include(:@hashers)
+  end
+
+  describe "set_unusable_password" do
+    let(:secret) { "lètmein" }
+
+    before { user.password = secret }
+
+    it "sets an unusable password" do
+      expect { user.set_unusable_password }.to change(user, :digest)
+      expect(user.digest).to match(/^!/)
+      expect(user.digest.length).to eq(41)
+    end
+  end
+
+  describe "#authenticate" do
+    let(:secret) { "lètmein" }
+
+    before { user.password = secret }
+
+    it "returns true if authentication is successful" do
+      expect(user.authenticate(secret)).to be_truthy
+    end
+
+    it "returns false when authentication fails" do
+      expect(user.authenticate("")).to be_falsey
+    end
+
+    it "upgrade to newest hasher" do
+      user.digest = "sha1$seasalt$cff36ea83f5706ce9aa7454e63e431fc726b2dc8"
+      expect { user.authenticate(secret) }.to change(user, :digest)
+      expect(user.digest).to match(/^pbkdf2_sha256\$/)
+    end
+
+    it "upgrade to new iterations values" do
+      user.digest = "pbkdf2_sha256$20000$seasalt$oBSd886ysm3AqYun62DOdin8YcfbU1z9cksZSuLP9r0="
+      expect { user.authenticate(secret) }.to change(user, :digest)
+      expect(user.digest).to match(/^pbkdf2_sha256\$24000\$/)
+    end
+  end
+
+  describe Sequel::Plugins::Password::PBKDF2Hasher do
+    let(:hasher) { described_class.new }
+    let(:password) { 'lètmein' }
+    let(:salt) { 'seasalt' }
+
+    it "encodes the password properly" do
+      encoded = hasher.encode(password, salt)
+      expect(encoded).to eq("pbkdf2_sha256$24000$#{salt}$V9DfCAVoweeLwxC/L2mb+7swhzF0XYdyQMqmusZqiTc=")
+      expect(hasher.verify(password, encoded)).to be_truthy
+      expect(hasher.verify(password.reverse, encoded)).to be_falsey
+    end
+
+    it "allows blank password" do
+      blank_encoded = hasher.encode('', salt)
+      expect(blank_encoded).to match(/^pbkdf2_sha256\$/)
+      expect(hasher.verify('', blank_encoded)).to be_truthy
+      expect(hasher.verify(' ', blank_encoded)).to be_falsey
+    end
+  end
+
+  describe Sequel::Plugins::Password::BCryptSHA256Hasher do
+    let(:hasher) { described_class.new }
+    let(:password) { 'lètmein' }
+
+    it "encodes the password properly" do
+      encoded = hasher.encode(password, hasher.salt)
+      expect(encoded).to match(/^bcrypt_sha256\$/)
+      expect(hasher.verify(password, encoded)).to be_truthy
+      expect(hasher.verify(password.reverse, encoded)).to be_falsey
+    end
+  end
+
+  describe Sequel::Plugins::Password::BCryptHasher do
+    let(:hasher) { described_class.new }
+    let(:password) { 'lètmein' }
+
+    it "encodes the password properly" do
+      encoded = hasher.encode(password, hasher.salt)
+      expect(encoded).to match(/^bcrypt\$/)
+      expect(hasher.verify(password, encoded)).to be_truthy
+      expect(hasher.verify(password.reverse, encoded)).to be_falsey
+    end
+  end
+
+  describe Sequel::Plugins::Password::SHA1Hasher do
+    let(:hasher) { described_class.new }
+    let(:password) { 'lètmein' }
+    let(:salt) { 'seasalt' }
+
+    it "encodes the password properly" do
+      encoded = hasher.encode(password, salt)
+      expect(encoded).to eq("sha1$#{salt}$cff36ea83f5706ce9aa7454e63e431fc726b2dc8")
+      expect(hasher.verify(password, encoded)).to be_truthy
+      expect(hasher.verify(password.reverse, encoded)).to be_falsey
+    end
+
+    it "allows blank password" do
+      blank_encoded = hasher.encode('', salt)
+      expect(blank_encoded).to match(/^sha1\$/)
+      expect(hasher.verify('', blank_encoded)).to be_truthy
+      expect(hasher.verify(' ', blank_encoded)).to be_falsey
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,64 @@
+require "bundler"
+Bundler.require
+
+require "simplecov"
+SimpleCov.start do
+  add_filter('spec/')
+end
+
+require "sequel"
+require "sequel_password"
+
+RSpec.configure do |config|
+  config.order = 'random'
+
+  config.before(:suite) do
+    Sequel::Model.plugin(:schema)
+    Sequel.connect('sqlite:/')
+
+    class DefaultUser < Sequel::Model
+      set_schema do
+        primary_key :id
+        varchar     :digest
+      end
+
+      plugin :password
+    end
+
+    class BCryptUser < Sequel::Model
+      set_schema do
+        primary_key :id
+        varchar     :digest
+      end
+
+      plugin :password, hashers: { bcrypt: Sequel::Plugins::Password::BCryptHasher.new }
+    end
+
+    class BCryptSHA256User < Sequel::Model
+      set_schema do
+        primary_key :id
+        varchar     :digest
+      end
+
+      plugin :password, hashers: { bcrypt: Sequel::Plugins::Password::BCryptSHA256Hasher.new }
+    end
+
+    class AlternateColumnUser < Sequel::Model
+      set_schema do
+        primary_key :id
+        varchar     :password_digest
+      end
+
+      plugin :password, column: :digest
+    end
+
+    DefaultUser.create_table!
+    BCryptUser.create_table!
+    BCryptSHA256User.create_table!
+    AlternateColumnUser.create_table!
+  end
+
+  config.around(:each) do |example|
+    Sequel::Model.db.transaction(rollback: :always) { example.run }
+  end
+end

metadata

@@ -0,0 +1,164 @@
+--- !ruby/object:Gem::Specification
+name: sequel_password
+version: !ruby/object:Gem::Version
+  version: '0.1'
+platform: ruby
+authors:
+- Timothée Peignier
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-04-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: sequel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.21'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.21.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.21'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.21.0
+- !ruby/object:Gem::Dependency
+  name: bcrypt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.1.10
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.1.10
+- !ruby/object:Gem::Dependency
+  name: pbkf2-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.1
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.2
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.10
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.10
+description: Sequel plugins to handle password hashing
+email:
+- timothee.peignier@tryphon.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- README.md
+- lib/sequel_password.rb
+- sequel_password.gemspec
+- spec/sequel_password_spec.rb
+- spec/spec_helper.rb
+homepage: http://rubygems.org/gems/sequel_password
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: Add passwords hashing to sequel models.
+test_files:
+- spec/sequel_password_spec.rb
+- spec/spec_helper.rb