RubyGems - shield - Versions diffs - 2.1.0 → 2.1.1 - Mend

shield 2.1.0 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5e8cddce5d60179e40bb696d3cf99881cef02d32
-  data.tar.gz: de020f37164376682f9f31b48d3e82c4e31acca0
+  metadata.gz: b42c70f64c2292b685387b09ea89df2a0aff18a3
+  data.tar.gz: 0782a246fddf9b63acf1cced5f5fb5748d170aab
 SHA512:
-  metadata.gz: f7299a1a78a171b4e9b382282552ea521861ac0ecc8f96673998bdce98f8a9886b839e05e9dcb0195c57f55d72cc813cea169f6f675e51687dc034d4be6f2564
-  data.tar.gz: f85025b14a92309fc03edc3dc978e23e4f6dffd267fa2fd6ef12a372fe56c14e58797901e94f1a7abb86b60b5fccbb840ef81356ed1d9a73cd0524f0f801d666
+  metadata.gz: 7b2758cc4a231e6efcc138cc24dc360391b500f23f1970e12c1f42b72817dd017de871cafe37961c5fca4d3433abd258f22b4d05797da1094c533638e7e58ffe
+  data.tar.gz: a76c6de3bd2a54f4b29e7974404b8f286d07462948670e2bd986ac913271887f1653ca2a8bdc73ba6806b222d377e89d2ab0b6e4c8362240c0de3bc42f8b1ae7

data/.gems ADDED

@@ -0,0 +1,4 @@
+cutest -v 1.2.1
+rack-test -v 0.6.2
+cuba -v 3.1.0
+armor -v 0.0.3

data/.gitignore ADDED

	@@ -0,0 +1 @@
1	+ /pkg

data/README.md CHANGED

@@ -1,27 +1,32 @@
-# Shield
+Shield
+======
 Shield
 _n. A solid piece of metal code used to protect your application._
-## Why another authentication library?
+Why another authentication library?
+-----------------------------------
 1. Because most of the other libraries are too huge.
 2. Extending other libraries is a pain.
-3. Writing code is fun :-)
+3. Writing code is fun :-).
-## What shield is
+What shield is
+--------------
-1. Simple (~ 110 lines of Ruby code)
-2. Doesn't get in the way
-3. Treats you like a grown up
+1. Simple (~ 110 lines of Ruby code).
+2. Doesn't get in the way.
+3. Treats you like a grown up.
-## What shield is not
+What shield is not
+------------------
 - is _not_ a ready-made end-to-end authentication solution.
 - is _not_ biased towards any kind of ORM.
-## Understanding Shield in 15 minutes
+Understanding Shield in 15 minutes
+----------------------------------
 ### Shield::Model
@@ -82,14 +87,8 @@ Shield uses [Armor][armor] for encrypting passwords. Armor is a pure ruby
 implementation of [PBKDF2][pbkdf2], a password-based key derivation function
 recommended for the protection of electronically-stored data.
-Shield also includes tests for [ohm][ohm] and [sequel][sequel] and makes sure
-that each release works with the latest respective versions.
-Take a look at [test/ohm.rb][ohm-test] and [test/sequel.rb][sequel-test]
-to learn more.
-To make Shield work with other ORMs (such as DataMapper), make sure to implement
-an `.[]` method which fetches the user instance by id.
+To make Shield work with any ORM, make sure that an `.[]` method which
+fetches the user instance by id is implemented.
 [armor]: https://github.com/cyx/armor
 [pbkdf2]: http://en.wikipedia.org/wiki/PBKDF2
@@ -100,7 +99,7 @@ class User
   # ...
-  self.[](id)
+  def self.[](id)
     get id
   end
 end
@@ -113,15 +112,19 @@ in using either username or email, then you can simply extend `User.fetch`
 a bit by doing:
 ```ruby
-# in Sequel
+# in Sequel (http://sequel.rubyforge.org)
 class User < Sequel::Model
+  include Shield::Model
   def self.fetch(identifier)
     filter(email: identifier).first || filter(username: identifier).first
   end
 end
-# in Ohm
+# in Ohm (http://ohm.keyvalue.org)
 class User < Ohm::Model
+  include Shield::Model
   attribute :email
   attribute :username
@@ -137,12 +140,6 @@ end
 If you want to allow case-insensitive logins for some reason, you can
 simply normalize the values to their lowercase form.
-[ohm]: http://ohm.keyvalue.org
-[sequel]: http://sequel.rubyforge.org
-[ohm-test]: https://github.com/cyx/shield/blob/master/test/ohm.rb
-[sequel-test]: https://github.com/cyx/shield/blob/master/test/sequel.rb
 ### Shield::Helpers
 As the name suggests, `Shield::Helpers` is out there to aid you a bit,

data/lib/shield.rb CHANGED

@@ -98,17 +98,33 @@ module Shield
   end
   module Password
+    Error = Class.new(StandardError)
+    # == DOS attack fix
+    #
+    # Excessively long passwords (e.g. 1MB strings) would hang
+    # a server.
+    #
+    # @see: https://www.djangoproject.com/weblog/2013/sep/15/security/
+    MAX_LEN = 4096
     def self.encrypt(password, salt = generate_salt)
-      Armor.digest(password, salt) + salt
+      digest(password, salt) + salt
     end
     def self.check(password, encrypted)
       sha512, salt = encrypted.to_s[0...128], encrypted.to_s[128..-1]
-      Armor.compare(Armor.digest(password, salt), sha512)
+      Armor.compare(digest(password, salt), sha512)
     end
   protected
+    def self.digest(password, salt)
+      raise Error if password.length > MAX_LEN
+      Armor.digest(password, salt)
+    end
     def self.generate_salt
       Armor.hex(OpenSSL::Random.random_bytes(32))
     end

data/makefile ADDED

@@ -0,0 +1,4 @@
+.PHONY: test
+test:
+	cutest -r ./test/helper test/*.rb

data/shield.gemspec ADDED

@@ -0,0 +1,21 @@
+Gem::Specification.new do |s|
+  s.name = "shield"
+  s.version = "2.1.1"
+  s.summary = %{Generic authentication protocol for rack applications.}
+  s.description = %Q{
+    Provides all the protocol you need in order to do authentication on
+    your rack application. The implementation specifics can be found in
+    http://github.com/cyx/shield-contrib
+  }
+  s.authors = ["Michel Martens", "Damian Janowski", "Cyril David"]
+  s.email = ["michel@soveran.com", "djanowski@dimaion.com", "me@cyrildavid.com"]
+  s.homepage = "http://github.com/cyx/shield"
+  s.license = "MIT"
+  s.files = `git ls-files`.split("\n")
+  s.add_dependency "armor"
+  s.add_development_dependency "cutest"
+  s.add_development_dependency "rack-test"
+  s.add_development_dependency "cuba"
+end

data/test/cuba.rb ADDED

@@ -0,0 +1,91 @@
+require_relative "helper"
+require_relative "user"
+require "cuba"
+Cuba.use Rack::Session::Cookie, secret: "foo"
+Cuba.use Shield::Middleware
+Cuba.plugin Shield::Helpers
+Cuba.define do
+  on get, "public" do
+    res.write "Public"
+  end
+  on get, "private" do
+    if authenticated(User)
+      res.write "Private"
+    else
+      res.status = 401
+    end
+  end
+  on get, "login" do
+    res.write "Login"
+  end
+  on post, "login", param("login"), param("password") do |u, p|
+    if login(User, u, p)
+      remember if req[:remember_me]
+      res.redirect(req[:return] || "/")
+    else
+      res.redirect "/login"
+    end
+  end
+  on "logout" do
+    logout(User)
+    res.redirect "/"
+  end
+end
+scope do
+  def app
+    Cuba
+  end
+  setup do
+    clear_cookies
+  end
+  test "public" do
+    get "/public"
+    assert "Public" == last_response.body
+  end
+  test "successful logging in" do
+    get "/private"
+    assert_equal "/login?return=%2Fprivate", redirection_url
+    post "/login", login: "quentin", password: "password", return: "/private"
+    assert_redirected_to "/private"
+    assert 1001 == session["User"]
+  end
+  test "failed login" do
+    post "/login", :login => "q", :password => "p"
+    assert_redirected_to "/login"
+    assert nil == session["User"]
+  end
+  test "logging out" do
+    post "/login", :login => "quentin", :password => "password"
+    get "/logout"
+    assert nil == session["User"]
+  end
+  test "remember functionality" do
+    post "/login", :login => "quentin", :password => "password", :remember_me => "1"
+    assert_equal session[:remember_for], 86400 * 14
+    get "/logout"
+    assert_equal nil, session[:remember_for]
+  end
+end

data/test/helper.rb ADDED

@@ -0,0 +1,23 @@
+require "cutest"
+require "rack/test"
+require_relative "../lib/shield"
+class Cutest::Scope
+  include Rack::Test::Methods
+  def assert_redirected_to(path)
+    unless last_response.status == 302
+      flunk
+    end
+    assert_equal path, URI(redirection_url).path
+  end
+  def redirection_url
+    last_response.headers["Location"]
+  end
+  def session
+    last_request.env["rack.session"]
+  end
+end

data/test/middleware.rb ADDED

@@ -0,0 +1,30 @@
+require_relative "helper"
+require_relative "user"
+require "cuba"
+Cuba.use Rack::Session::Cookie, secret: "foo"
+Cuba.use Shield::Middleware
+Cuba.plugin Shield::Helpers
+Cuba.define do
+  on "secured" do
+    if not authenticated(User)
+      halt [401, { "Content-Type" => "text/html" }, []]
+    end
+    res.write "You're in"
+  end
+  on "foo" do
+    puts env.inspect
+  end
+end
+test do
+  env = { "PATH_INFO" => "/secured", "SCRIPT_NAME" => "" }
+  status, headers, body = Cuba.call(env)
+  assert_equal 302, status
+  assert_equal "/login?return=%2Fsecured", headers["Location"]
+end

data/test/model.rb ADDED

@@ -0,0 +1,51 @@
+require_relative "helper"
+class User < Struct.new(:crypted_password)
+  include Shield::Model
+end
+test "fetch" do
+  ex = nil
+  begin
+    User.fetch("quentin")
+  rescue Exception => ex
+  end
+  assert ex.kind_of?(Shield::Model::FetchMissing)
+  assert "User.fetch not implemented" == ex.message
+end
+test "is_valid_password?" do
+  user = User.new(Shield::Password.encrypt("password"))
+  assert User.is_valid_password?(user, "password")
+  assert ! User.is_valid_password?(user, "password1")
+end
+class User
+  class << self
+    attr_accessor :fetched
+  end
+  def self.fetch(username)
+    return fetched if username == "quentin"
+  end
+end
+test "authenticate" do
+  user = User.new(Shield::Password.encrypt("pass"))
+  User.fetched = user
+  assert user == User.authenticate("quentin", "pass")
+  assert nil == User.authenticate("unknown", "pass")
+  assert nil == User.authenticate("quentin", "wrongpass")
+end
+test "#password=" do
+  u = User.new
+  u.password = "pass1234"
+  assert Shield::Password.check("pass1234", u.crypted_password)
+end

data/test/model_integration.rb ADDED

@@ -0,0 +1,29 @@
+require_relative "helper"
+class User
+  include Shield::Model
+  attr_accessor :email, :crypted_password
+  def self.fetch(email)
+    $users[email]
+  end
+  def initialize(email, password)
+    @email = email
+    self.password = password
+  end
+end
+setup do
+  $users = {}
+  $users["foo@bar.com"] = User.new("foo@bar.com", "pass1234")
+end
+test "fetch" do |user|
+  assert_equal user, User.fetch("foo@bar.com")
+end
+test "authenticate" do |user|
+  assert_equal user, User.authenticate("foo@bar.com", "pass1234")
+end

data/test/nested.rb ADDED

@@ -0,0 +1,41 @@
+require_relative "helper"
+require_relative "user"
+require "cuba"
+Cuba.use Rack::Session::Cookie, secret: "foo"
+Cuba.plugin Shield::Helpers
+class Admin < Cuba
+  use Shield::Middleware, "/admin/login"
+  define do
+    on "login" do
+      res.write "Login"
+    end
+    on default do
+      res.status = 401
+    end
+  end
+end
+Cuba.define do
+  on "admin" do
+    run Admin
+  end
+end
+scope do
+  def app
+    Cuba
+  end
+  setup do
+    clear_cookies
+  end
+  test "return + return flow" do
+    get "/admin"
+    assert_equal "/admin/login?return=%2Fadmin", redirection_url
+  end
+end

data/test/password.rb ADDED

@@ -0,0 +1,21 @@
+require_relative "helper"
+scope do
+  test "encrypt" do
+    encrypted = Shield::Password.encrypt("password")
+    assert Shield::Password.check("password", encrypted)
+  end
+  test "with custom 64 character salt" do
+    encrypted = Shield::Password.encrypt("password", "A" * 64)
+    assert Shield::Password.check("password", encrypted)
+  end
+  test "DOS fix" do
+    too_long = '*' * (Shield::Password::MAX_LEN + 1)
+    assert_raise Shield::Password::Error do
+      Shield::Password.encrypt(too_long)
+    end
+  end
+end

data/test/shield.rb ADDED

@@ -0,0 +1,95 @@
+require_relative "helper"
+class User < Struct.new(:id)
+  extend Shield::Model
+  def self.[](id)
+    User.new(1) unless id.to_s.empty?
+  end
+  def self.authenticate(username, password)
+    User.new(1001) if username == "quentin" && password == "password"
+  end
+end
+class Context
+  def initialize(path)
+    @path = path
+  end
+  def env
+    { "SCRIPT_NAME" => "", "PATH_INFO" => @path }
+  end
+  def session
+    @session ||= {}
+  end
+  class Request < Struct.new(:fullpath)
+  end
+  def req
+    Request.new(@path)
+  end
+  def redirect(redirect = nil)
+    @redirect = redirect if redirect
+    @redirect
+  end
+  include Shield::Helpers
+end
+setup do
+  Context.new("/events/1")
+end
+class Admin < Struct.new(:id)
+  def self.[](id)
+    new(id) unless id.to_s.empty?
+  end
+end
+test "authenticated" do |context|
+  context.session["User"] = 1
+  assert User.new(1) == context.authenticated(User)
+  assert nil == context.authenticated(Admin)
+end
+test "caches authenticated in @_shield" do |context|
+  context.session["User"] = 1
+  context.authenticated(User)
+  assert User.new(1) == context.instance_variable_get(:@_shield)[User]
+end
+test "login success" do |context|
+  assert context.login(User, "quentin", "password")
+  assert 1001 == context.session["User"]
+end
+test "login failure" do |context|
+  assert ! context.login(User, "wrong", "creds")
+  assert nil == context.session["User"]
+end
+test "logout" do |context|
+  context.session["User"] = 1001
+  # Now let's make it memoize the User
+  context.authenticated(User)
+  context.logout(User)
+  assert nil == context.session["User"]
+  assert nil == context.authenticated(User)
+end
+test "authenticate" do |context|
+  context.session["no_fixation"] = 1
+  context.authenticate(User[1001])
+  assert User[1] == context.authenticated(User)
+  assert nil == context.session["no_fixation"]
+end

data/test/user.rb ADDED

@@ -0,0 +1,21 @@
+class User
+  include Shield::Model
+  def self.[](id)
+    User.new(1001) unless id.to_s.empty?
+  end
+  def self.fetch(username)
+    User.new(1001) if username == "quentin"
+  end
+  attr :id
+  def initialize(id)
+    @id = id
+  end
+  def crypted_password
+    @crypted_password ||= Shield::Password.encrypt("password")
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: shield
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Michel Martens
@@ -10,48 +10,62 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-10-10 00:00:00.000000000 Z
+date: 2014-10-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: armor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: cutest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cuba
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: "\n    Provides all the protocol you need in order to do authentication
@@ -65,11 +79,25 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- README.md
+- ".gems"
+- ".gitignore"
 - LICENSE
+- README.md
 - lib/shield.rb
+- makefile
+- shield.gemspec
+- test/cuba.rb
+- test/helper.rb
+- test/middleware.rb
+- test/model.rb
+- test/model_integration.rb
+- test/nested.rb
+- test/password.rb
+- test/shield.rb
+- test/user.rb
 homepage: http://github.com/cyx/shield
-licenses: []
+licenses:
+- MIT
 metadata: {}
 post_install_message:
 rdoc_options: []
@@ -77,17 +105,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.3
+rubygems_version: 2.2.2
 signing_key:
 specification_version: 4
 summary: Generic authentication protocol for rack applications.