strelka 0.0.1.pre.301 → 0.0.1.pre.303

data/ChangeLog

@@ -1,8 +1,46 @@
+2012-09-18  Michael Granger  <ged@FaerieMUD.org>
+
+	* lib/strelka/authprovider/basic.rb,
+	spec/strelka/authprovider/basic_spec.rb:
+	Simplified Strelka::AuthProvider::Basic.
+
+	- removed the pbkdf2_hmac stuff for simplicity
+	- made it easier to use it as a base class for other auth providers.
+	[dbb4523ad258] [tip]
+
+	* Rakefile:
+	Update dependencies
+	[1962465c2c92]
+
+2012-09-05  Michael Granger  <ged@FaerieMUD.org>
+
+	* lib/strelka/cookie.rb:
+	Pull up cookie value method into a protected method for overriding.
+
+	This was done to facilitate the creation of specialized cookie
+	classes.
+	[6f6203c7f0aa]
+
+	* README.rdoc:
+	Small README fixes
+	[0c7cd9948e64]
+
+2012-08-24  Michael Granger  <ged@FaerieMUD.org>
+
+	* Deploying.rdoc, Manifest.txt, Plugins.rdoc, README.rdoc,
+	Tutorial.rdoc, manual/src/deploying.page, manual/src/plugins.page,
+	manual/src/tutorial.page:
+	Documentation update.
+
+	Got most of the default plugins covered at least minimally. Split
+	out the rest of the manual into RDoc pages.
+	[41ef7a20e7cb]
+
 2012-08-24  Mahlon E. Smith  <mahlon@martini.nu>
 
 	* examples/strelka.conf.example:
 	Add a documented example configuration file.
-	[9d8ce0e99016] [tip]
+	[9d8ce0e99016]
 
 2012-08-23  Mahlon E. Smith  <mahlon@martini.nu>
 
@@ -19,7 +57,7 @@
 	* lib/strelka/app/restresources.rb:
 	Don't try to auto-create restresource routes for no-param datasets,
 	either.
-	[10af8924212c] [github/master]
+	[10af8924212c]
 
 2012-08-13  Michael Granger  <ged@FaerieMUD.org>
 
@@ -1003,7 +1041,7 @@
 
 	* lib/strelka/app/errors.rb, spec/strelka/app/errors_spec.rb:
 	Add documentation for the Errors plugin, improve test coverage.
-	[ff3ef6e5a7a1] [github/master@default]
+	[ff3ef6e5a7a1]
 
 	* Manifest.txt:
 	Add session files to the manifest

data/Rakefile

@@ -30,8 +30,8 @@ hoespec = Hoe.spec 'strelka' do
 	self.dependency 'loggability',     '~> 0.4'
 	self.dependency 'mongrel2',        '~> 0.30'
 	self.dependency 'pluginfactory',   '~> 1.0'
-	self.dependency 'sysexits',        '~> 1.0'
-	self.dependency 'trollop',         '~> 1.16'
+	self.dependency 'sysexits',        '~> 1.1'
+	self.dependency 'trollop',         '~> 2.0'
 	self.dependency 'uuidtools',       '~> 2.1'
 
 	self.dependency 'hoe-deveiate',    '~> 0.1', :developer

data/lib/strelka/authprovider/basic.rb

@@ -14,7 +14,7 @@ require 'strelka/mixins'
 #
 # == Configuration
 #
-# The configuration for this provider is read from the 'auth' section of the config, and
+# The configuration for this provider is read from the 'basicauth' section of the config, and
 # may contain the following keys:
 #
 # [realm]::   the HTTP Basic realm. Defaults to the app's application ID
@@ -33,6 +33,11 @@ require 'strelka/mixins'
 #       jblack: "1pAnQNSVtpL1z88QwXV4sG8NMP8="
 #       kmurgen: "MZj9+VhZ8C9+aJhmwp+kWBL76Vs="
 #
+# == Caveats
+#
+# This auth provider is intended as documentation and demonstration only; you should use a
+# more cryptographically secure strategy for real-world applications.
+#
 class Strelka::AuthProvider::Basic < Strelka::AuthProvider
 	extend Configurability,
 	       Strelka::MethodUtilities
@@ -47,13 +52,6 @@ class Strelka::AuthProvider::Basic < Strelka::AuthProvider
 		users: {},
 	}
 
-	# The amount of work to do while encrypting -- higher number == more work == less suceptable
-	# to brute-force attacks
-	ENCRYPT_ITERATIONS = 20_000
-
-	# The Digest class to use when encrypting passwords
-	DIGEST_CLASS = OpenSSL::Digest::SHA256
-
 
 	##
 	# The Hash of users and their SHA1+Base64'ed passwords
@@ -82,22 +80,6 @@ class Strelka::AuthProvider::Basic < Strelka::AuthProvider
 	###	I N S T A N C E   M E T H O D S
 	#################################################################
 
-	### Create a new Default AuthProvider.
-	def initialize( * )
-		super
-
-		# Default the authentication realm to the application's ID
-		unless self.class.realm
-			self.log.warn "No realm configured -- using the app id"
-			self.class.realm = self.app.conn.app_id
-		end
-
-		unless self.class.users
-			self.log.warn "No users configured -- using an empty user list"
-			self.class.users = {}
-		end
-	end
-
 
 	######
 	public
@@ -120,12 +102,7 @@ class Strelka::AuthProvider::Basic < Strelka::AuthProvider
 
 		# Split the credentials, check for valid user
 		username, password = credentials.split( ':', 2 )
-		digest = self.class.users[ username ] or
-			self.log_failure "No such user %p." % [ username ]
-
-		# Fail if the password's hash doesn't match
-		self.log_failure "Password mismatch." unless
-			digest == Digest::SHA1.base64digest( password )
+		self.check_password( username, password )
 
 		# Success!
 		self.log.info "Authentication for %p succeeded." % [ username ]
@@ -137,26 +114,27 @@ class Strelka::AuthProvider::Basic < Strelka::AuthProvider
 	protected
 	#########
 
+	### Return +true+ if the given +password+ is valid for the specified +username+. Always
+	### returns false for non-existant users.
+	def check_password( username, password )
+		digest = self.class.users[ username ] or
+			self.log_failure "No such user %p." % [ username ]
+
+		# Fail if the password's hash doesn't match
+		self.log_failure "Password mismatch." unless
+			digest == Digest::SHA1.base64digest( password )
+
+		return true
+	end
+
+
 	### Syntax sugar to allow returning 'false' while logging a reason for doing so.
 	### Log a message at 'info' level and return false.
 	def log_failure( reason )
 		self.log.warn "Auth failure: %s" % [ reason ]
-		header = "Basic realm=%s" % [ self.class.realm ]
+		header = "Basic realm=%s" % [ self.class.realm || self.app.conn.app_id ]
 		finish_with( HTTP::AUTH_REQUIRED, "Requires authentication.", www_authenticate: header )
 	end
 
 
-	### (undocumented)
-	def encrypt( pass, salt=nil )
-		salt   ||= OpenSSL::Random.random_bytes( 16 ) #store this with the generated value
-		iter   = ENCRYPT_ITERATIONS
-		digest = DIGEST_CLASS.new
-		len    = digest.digest_length
-
-		value  = OpenSSL::PKCS5.pbkdf2_hmac( pass, salt, iter, len, digest )
-
-		return [ value, salt ].join( ':' )
-	end
-
-
 end # class Strelka::AuthProvider::Basic

data/spec/strelka/authprovider/basic_spec.rb

@@ -64,10 +64,6 @@ describe Strelka::AuthProvider::Basic do
 	# Examples
 	#
 
-	it "uses the app ID as the basic auth realm if none is explicitly configured" do
-		described_class.realm.should == @app.conn.app_id
-	end
-
 	it "can be configured via the Configurability API" do
 		described_class.configure( @config )
 		described_class.realm.should == @config[:realm]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: strelka
 version: !ruby/object:Gem::Version
-  version: 0.0.1.pre.301
+  version: 0.0.1.pre.303
   prerelease: 
 platform: ruby
 authors:
@@ -36,7 +36,7 @@ cert_chain:
   YUhDS0xaZFNLai9SSHVUT3QrZ2JsUmV4OEZBaDhOZUEKY21saFhlNDZwWk5K
   Z1dLYnhaYWg4NWpJang5NWhSOHZPSStOQU01aUg5a09xSzEzRHJ4YWNUS1Bo
   cWo1UGp3RgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-date: 2012-09-05 00:00:00.000000000 Z
+date: 2012-09-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: configurability
@@ -173,7 +173,7 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -181,7 +181,7 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: trollop
   requirement: !ruby/object:Gem::Requirement
@@ -189,7 +189,7 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -197,7 +197,7 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: uuidtools
   requirement: !ruby/object:Gem::Requirement