shield 2.1.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5e8cddce5d60179e40bb696d3cf99881cef02d32
-  data.tar.gz: de020f37164376682f9f31b48d3e82c4e31acca0
+  metadata.gz: b42c70f64c2292b685387b09ea89df2a0aff18a3
+  data.tar.gz: 0782a246fddf9b63acf1cced5f5fb5748d170aab
 SHA512:
-  metadata.gz: f7299a1a78a171b4e9b382282552ea521861ac0ecc8f96673998bdce98f8a9886b839e05e9dcb0195c57f55d72cc813cea169f6f675e51687dc034d4be6f2564
-  data.tar.gz: f85025b14a92309fc03edc3dc978e23e4f6dffd267fa2fd6ef12a372fe56c14e58797901e94f1a7abb86b60b5fccbb840ef81356ed1d9a73cd0524f0f801d666
+  metadata.gz: 7b2758cc4a231e6efcc138cc24dc360391b500f23f1970e12c1f42b72817dd017de871cafe37961c5fca4d3433abd258f22b4d05797da1094c533638e7e58ffe
+  data.tar.gz: a76c6de3bd2a54f4b29e7974404b8f286d07462948670e2bd986ac913271887f1653ca2a8bdc73ba6806b222d377e89d2ab0b6e4c8362240c0de3bc42f8b1ae7

data/.gems

@@ -0,0 +1,4 @@
+cutest -v 1.2.1
+rack-test -v 0.6.2
+cuba -v 3.1.0
+armor -v 0.0.3

data/.gitignore

@@ -0,0 +1 @@
+/pkg

data/README.md

@@ -1,27 +1,32 @@
-# Shield
+Shield
+======
 
 Shield
 
 _n. A solid piece of metal code used to protect your application._
 
-## Why another authentication library?
+Why another authentication library?
+-----------------------------------
 
 1. Because most of the other libraries are too huge.
 2. Extending other libraries is a pain.
-3. Writing code is fun :-)
+3. Writing code is fun :-).
 
-## What shield is
+What shield is
+--------------
 
-1. Simple (~ 110 lines of Ruby code)
-2. Doesn't get in the way
-3. Treats you like a grown up
+1. Simple (~ 110 lines of Ruby code).
+2. Doesn't get in the way.
+3. Treats you like a grown up.
 
-## What shield is not
+What shield is not
+------------------
 
 - is _not_ a ready-made end-to-end authentication solution.
 - is _not_ biased towards any kind of ORM.
 
-## Understanding Shield in 15 minutes
+Understanding Shield in 15 minutes
+----------------------------------
 
 ### Shield::Model
 
@@ -82,14 +87,8 @@ Shield uses [Armor][armor] for encrypting passwords. Armor is a pure ruby
 implementation of [PBKDF2][pbkdf2], a password-based key derivation function
 recommended for the protection of electronically-stored data.
 
-Shield also includes tests for [ohm][ohm] and [sequel][sequel] and makes sure
-that each release works with the latest respective versions.
-
-Take a look at [test/ohm.rb][ohm-test] and [test/sequel.rb][sequel-test]
-to learn more.
-
-To make Shield work with other ORMs (such as DataMapper), make sure to implement
-an `.[]` method which fetches the user instance by id.
+To make Shield work with any ORM, make sure that an `.[]` method which
+fetches the user instance by id is implemented.
 
 [armor]: https://github.com/cyx/armor
 [pbkdf2]: http://en.wikipedia.org/wiki/PBKDF2
@@ -100,7 +99,7 @@ class User
 
   # ...
 
-  self.[](id)
+  def self.[](id)
     get id
   end
 end
@@ -113,15 +112,19 @@ in using either username or email, then you can simply extend `User.fetch`
 a bit by doing:
 
 ```ruby
-# in Sequel
+# in Sequel (http://sequel.rubyforge.org)
 class User < Sequel::Model
+  include Shield::Model
+
   def self.fetch(identifier)
     filter(email: identifier).first || filter(username: identifier).first
   end
 end
 
-# in Ohm
+# in Ohm (http://ohm.keyvalue.org)
 class User < Ohm::Model
+  include Shield::Model
+
   attribute :email
   attribute :username
 
@@ -137,12 +140,6 @@ end
 If you want to allow case-insensitive logins for some reason, you can
 simply normalize the values to their lowercase form.
 
-[ohm]: http://ohm.keyvalue.org
-[sequel]: http://sequel.rubyforge.org
-
-[ohm-test]: https://github.com/cyx/shield/blob/master/test/ohm.rb
-[sequel-test]: https://github.com/cyx/shield/blob/master/test/sequel.rb
-
 ### Shield::Helpers
 
 As the name suggests, `Shield::Helpers` is out there to aid you a bit,

data/lib/shield.rb

@@ -98,17 +98,33 @@ module Shield
   end
 
   module Password
+    Error = Class.new(StandardError)
+
+    # == DOS attack fix
+    #
+    # Excessively long passwords (e.g. 1MB strings) would hang
+    # a server.
+    #
+    # @see: https://www.djangoproject.com/weblog/2013/sep/15/security/
+    MAX_LEN = 4096
+
     def self.encrypt(password, salt = generate_salt)
-      Armor.digest(password, salt) + salt
+      digest(password, salt) + salt
     end
 
     def self.check(password, encrypted)
       sha512, salt = encrypted.to_s[0...128], encrypted.to_s[128..-1]
 
-      Armor.compare(Armor.digest(password, salt), sha512)
+      Armor.compare(digest(password, salt), sha512)
     end
 
   protected
+    def self.digest(password, salt)
+      raise Error if password.length > MAX_LEN
+
+      Armor.digest(password, salt)
+    end
+
     def self.generate_salt
       Armor.hex(OpenSSL::Random.random_bytes(32))
     end

data/makefile

@@ -0,0 +1,4 @@
+.PHONY: test
+
+test:
+	cutest -r ./test/helper test/*.rb

data/shield.gemspec

@@ -0,0 +1,21 @@
+Gem::Specification.new do |s|
+  s.name = "shield"
+  s.version = "2.1.1"
+  s.summary = %{Generic authentication protocol for rack applications.}
+  s.description = %Q{
+    Provides all the protocol you need in order to do authentication on
+    your rack application. The implementation specifics can be found in
+    http://github.com/cyx/shield-contrib
+  }
+  s.authors = ["Michel Martens", "Damian Janowski", "Cyril David"]
+  s.email = ["michel@soveran.com", "djanowski@dimaion.com", "me@cyrildavid.com"]
+  s.homepage = "http://github.com/cyx/shield"
+  s.license = "MIT"
+
+  s.files = `git ls-files`.split("\n")
+
+  s.add_dependency "armor"
+  s.add_development_dependency "cutest"
+  s.add_development_dependency "rack-test"
+  s.add_development_dependency "cuba"
+end

data/test/cuba.rb

@@ -0,0 +1,91 @@
+require_relative "helper"
+require_relative "user"
+require "cuba"
+
+Cuba.use Rack::Session::Cookie, secret: "foo"
+Cuba.use Shield::Middleware
+Cuba.plugin Shield::Helpers
+
+Cuba.define do
+  on get, "public" do
+    res.write "Public"
+  end
+
+  on get, "private" do
+    if authenticated(User)
+      res.write "Private"
+    else
+      res.status = 401
+    end
+  end
+
+  on get, "login" do
+    res.write "Login"
+  end
+
+  on post, "login", param("login"), param("password") do |u, p|
+    if login(User, u, p)
+      remember if req[:remember_me]
+      res.redirect(req[:return] || "/")
+    else
+      res.redirect "/login"
+    end
+  end
+
+  on "logout" do
+    logout(User)
+    res.redirect "/"
+  end
+end
+
+scope do
+  def app
+    Cuba
+  end
+
+  setup do
+    clear_cookies
+  end
+
+  test "public" do
+    get "/public"
+    assert "Public" == last_response.body
+  end
+
+  test "successful logging in" do
+    get "/private"
+
+    assert_equal "/login?return=%2Fprivate", redirection_url
+
+    post "/login", login: "quentin", password: "password", return: "/private"
+
+    assert_redirected_to "/private"
+
+    assert 1001 == session["User"]
+  end
+
+  test "failed login" do
+    post "/login", :login => "q", :password => "p"
+    assert_redirected_to "/login"
+
+    assert nil == session["User"]
+  end
+
+  test "logging out" do
+    post "/login", :login => "quentin", :password => "password"
+
+    get "/logout"
+
+    assert nil == session["User"]
+  end
+
+  test "remember functionality" do
+    post "/login", :login => "quentin", :password => "password", :remember_me => "1"
+
+    assert_equal session[:remember_for], 86400 * 14
+
+    get "/logout"
+
+    assert_equal nil, session[:remember_for]
+  end
+end

data/test/helper.rb

@@ -0,0 +1,23 @@
+require "cutest"
+require "rack/test"
+
+require_relative "../lib/shield"
+
+class Cutest::Scope
+  include Rack::Test::Methods
+
+  def assert_redirected_to(path)
+    unless last_response.status == 302
+      flunk
+    end
+    assert_equal path, URI(redirection_url).path
+  end
+
+  def redirection_url
+    last_response.headers["Location"]
+  end
+
+  def session
+    last_request.env["rack.session"]
+  end
+end

data/test/middleware.rb

@@ -0,0 +1,30 @@
+require_relative "helper"
+require_relative "user"
+require "cuba"
+
+Cuba.use Rack::Session::Cookie, secret: "foo"
+Cuba.use Shield::Middleware
+
+Cuba.plugin Shield::Helpers
+
+Cuba.define do
+  on "secured" do
+    if not authenticated(User)
+      halt [401, { "Content-Type" => "text/html" }, []]
+    end
+
+    res.write "You're in"
+  end
+
+  on "foo" do
+    puts env.inspect
+  end
+end
+
+test do
+  env = { "PATH_INFO" => "/secured", "SCRIPT_NAME" => "" }
+  status, headers, body = Cuba.call(env)
+
+  assert_equal 302, status
+  assert_equal "/login?return=%2Fsecured", headers["Location"]
+end

data/test/model.rb

@@ -0,0 +1,51 @@
+require_relative "helper"
+
+class User < Struct.new(:crypted_password)
+  include Shield::Model
+end
+
+test "fetch" do
+  ex = nil
+
+  begin
+    User.fetch("quentin")
+  rescue Exception => ex
+  end
+
+  assert ex.kind_of?(Shield::Model::FetchMissing)
+  assert "User.fetch not implemented" == ex.message
+end
+
+test "is_valid_password?" do
+  user = User.new(Shield::Password.encrypt("password"))
+
+  assert User.is_valid_password?(user, "password")
+  assert ! User.is_valid_password?(user, "password1")
+end
+
+class User
+  class << self
+    attr_accessor :fetched
+  end
+
+  def self.fetch(username)
+    return fetched if username == "quentin"
+  end
+end
+
+test "authenticate" do
+  user = User.new(Shield::Password.encrypt("pass"))
+
+  User.fetched = user
+
+  assert user == User.authenticate("quentin", "pass")
+  assert nil == User.authenticate("unknown", "pass")
+  assert nil == User.authenticate("quentin", "wrongpass")
+end
+
+test "#password=" do
+  u = User.new
+  u.password = "pass1234"
+
+  assert Shield::Password.check("pass1234", u.crypted_password)
+end

data/test/model_integration.rb

@@ -0,0 +1,29 @@
+require_relative "helper"
+
+class User
+  include Shield::Model
+
+  attr_accessor :email, :crypted_password
+
+  def self.fetch(email)
+    $users[email]
+  end
+
+  def initialize(email, password)
+    @email = email
+    self.password = password
+  end
+end
+
+setup do
+  $users = {}
+  $users["foo@bar.com"] = User.new("foo@bar.com", "pass1234")
+end
+
+test "fetch" do |user|
+  assert_equal user, User.fetch("foo@bar.com")
+end
+
+test "authenticate" do |user|
+  assert_equal user, User.authenticate("foo@bar.com", "pass1234")
+end

data/test/nested.rb

@@ -0,0 +1,41 @@
+require_relative "helper"
+require_relative "user"
+require "cuba"
+
+Cuba.use Rack::Session::Cookie, secret: "foo"
+Cuba.plugin Shield::Helpers
+
+class Admin < Cuba
+  use Shield::Middleware, "/admin/login"
+
+  define do
+    on "login" do
+      res.write "Login"
+    end
+
+    on default do
+      res.status = 401
+    end
+  end
+end
+
+Cuba.define do
+  on "admin" do
+    run Admin
+  end
+end
+
+scope do
+  def app
+    Cuba
+  end
+
+  setup do
+    clear_cookies
+  end
+
+  test "return + return flow" do
+    get "/admin"
+    assert_equal "/admin/login?return=%2Fadmin", redirection_url
+  end
+end

data/test/password.rb

@@ -0,0 +1,21 @@
+require_relative "helper"
+
+scope do
+  test "encrypt" do
+    encrypted = Shield::Password.encrypt("password")
+    assert Shield::Password.check("password", encrypted)
+  end
+
+  test "with custom 64 character salt" do
+    encrypted = Shield::Password.encrypt("password", "A" * 64)
+    assert Shield::Password.check("password", encrypted)
+  end
+
+  test "DOS fix" do
+    too_long = '*' * (Shield::Password::MAX_LEN + 1)
+
+    assert_raise Shield::Password::Error do
+      Shield::Password.encrypt(too_long)
+    end
+  end
+end

data/test/shield.rb

@@ -0,0 +1,95 @@
+require_relative "helper"
+
+class User < Struct.new(:id)
+  extend Shield::Model
+
+  def self.[](id)
+    User.new(1) unless id.to_s.empty?
+  end
+
+  def self.authenticate(username, password)
+    User.new(1001) if username == "quentin" && password == "password"
+  end
+end
+
+class Context
+  def initialize(path)
+    @path = path
+  end
+
+  def env
+    { "SCRIPT_NAME" => "", "PATH_INFO" => @path }
+  end
+
+  def session
+    @session ||= {}
+  end
+
+  class Request < Struct.new(:fullpath)
+  end
+
+  def req
+    Request.new(@path)
+  end
+
+  def redirect(redirect = nil)
+    @redirect = redirect if redirect
+    @redirect
+  end
+
+  include Shield::Helpers
+end
+
+setup do
+  Context.new("/events/1")
+end
+
+class Admin < Struct.new(:id)
+  def self.[](id)
+    new(id) unless id.to_s.empty?
+  end
+end
+
+test "authenticated" do |context|
+  context.session["User"] = 1
+
+  assert User.new(1) == context.authenticated(User)
+  assert nil == context.authenticated(Admin)
+end
+
+test "caches authenticated in @_shield" do |context|
+  context.session["User"] = 1
+  context.authenticated(User)
+
+  assert User.new(1) == context.instance_variable_get(:@_shield)[User]
+end
+
+test "login success" do |context|
+  assert context.login(User, "quentin", "password")
+  assert 1001 == context.session["User"]
+end
+
+test "login failure" do |context|
+  assert ! context.login(User, "wrong", "creds")
+  assert nil == context.session["User"]
+end
+
+test "logout" do |context|
+  context.session["User"] = 1001
+
+  # Now let's make it memoize the User
+  context.authenticated(User)
+
+  context.logout(User)
+
+  assert nil == context.session["User"]
+  assert nil == context.authenticated(User)
+end
+
+test "authenticate" do |context|
+  context.session["no_fixation"] = 1
+  context.authenticate(User[1001])
+
+  assert User[1] == context.authenticated(User)
+  assert nil == context.session["no_fixation"]
+end

data/test/user.rb

@@ -0,0 +1,21 @@
+class User
+  include Shield::Model
+
+  def self.[](id)
+    User.new(1001) unless id.to_s.empty?
+  end
+
+  def self.fetch(username)
+    User.new(1001) if username == "quentin"
+  end
+
+  attr :id
+
+  def initialize(id)
+    @id = id
+  end
+
+  def crypted_password
+    @crypted_password ||= Shield::Password.encrypt("password")
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: shield
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Michel Martens
@@ -10,48 +10,62 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-10-10 00:00:00.000000000 Z
+date: 2014-10-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: armor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: cutest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cuba
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: "\n    Provides all the protocol you need in order to do authentication
@@ -65,11 +79,25 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- README.md
+- ".gems"
+- ".gitignore"
 - LICENSE
+- README.md
 - lib/shield.rb
+- makefile
+- shield.gemspec
+- test/cuba.rb
+- test/helper.rb
+- test/middleware.rb
+- test/model.rb
+- test/model_integration.rb
+- test/nested.rb
+- test/password.rb
+- test/shield.rb
+- test/user.rb
 homepage: http://github.com/cyx/shield
-licenses: []
+licenses:
+- MIT
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -77,17 +105,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.3
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Generic authentication protocol for rack applications.