Class: Authlogic::CryptoProviders::Guidance
- Inherits: Object
  - Object
  - Authlogic::CryptoProviders::Guidance
- Defined in: lib/authlogic/crypto_providers.rb
Overview
Guide users to choose a better crypto provider.
Constant Summary
- BUILTIN_PROVIDER_PREFIX =
    "Authlogic::CryptoProviders::"
- NONADAPTIVE_ALGORITHM =
    <<~EOS
      You have selected %s as your authlogic crypto provider. This algorithm
      does not have any practical known attacks against it. However, there are
      better choices.

      Authlogic has no plans yet to deprecate this crypto provider. However,
      we recommend transitioning to a more secure, adaptive hashing algorithm,
      like scrypt. Adaptive algorithms are designed to slow down brute force
      attacks, and over time the iteration count can be increased to make it
      slower, so it remains resistant to brute-force search attacks even in
      the face of increasing computation power.

      Use the transition_from_crypto_providers option to make the transition
      painless for your users.
    EOS
- VULNERABLE_ALGORITHM =
    <<~EOS
      You have selected %s as your authlogic crypto provider. It is a poor
      choice because there are known attacks against this algorithm.

      Authlogic has no plans yet to deprecate this crypto provider. However,
      we recommend transitioning to a secure hashing algorithm. We recommend
      an adaptive algorithm, like scrypt.

      Use the transition_from_crypto_providers option to make the transition
      painless for your users.
    EOS
Instance Method Summary
- #impart_wisdom ⇒ Object
- #initialize(provider) ⇒ Guidance (constructor)
  A new instance of Guidance.
Constructor Details
#initialize(provider) ⇒ Guidance
Returns a new instance of Guidance.
    # File 'lib/authlogic/crypto_providers.rb', line 63
    def initialize(provider)
      @provider = provider
    end
Instance Method Details
#impart_wisdom ⇒ Object
    # File 'lib/authlogic/crypto_providers.rb', line 67
    def impart_wisdom
      return unless @provider.is_a?(Class)

      # We can only impart wisdom about our own built-in providers.
      absolute_name = @provider.name
      return unless absolute_name.start_with?(BUILTIN_PROVIDER_PREFIX)

      # Inspect the string name of the provider, rather than using the
      # constants in our `when` clauses. If we used the constants, we'd
      # negate the benefits of the `autoload` above.
      name = absolute_name.demodulize
      case name
      when "MD5", "Sha1"
        warn(format(VULNERABLE_ALGORITHM, name))
      when "Sha256", "Sha512"
        warn(format(NONADAPTIVE_ALGORITHM, name))
      end
    end
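Both warning messages point to moving from a fast hash to an adaptive one such as scrypt without forcing password resets. The following is an added example, not Authlogic's code, of the verify-then-rehash pattern such a transition relies on. `LegacySha512`, `AdaptiveScrypt`, `verify_and_upgrade`, the record field names and the stored-hash layout are all assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Constant-time string comparison.
def secure_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed stand-in for a fast, non-adaptive scheme (one salted SHA-512
# pass). This is NOT Authlogic's Sha512 provider.
module LegacySha512
  def self.encrypt(password, salt)
    OpenSSL::Digest.new("SHA512").hexdigest(password + salt)
  end

  def self.matches?(stored, password, salt)
    secure_eq?(stored, encrypt(password, salt))
  end
end

# Adaptive scheme: scrypt, with cost parameters stored beside the hash as
# "N$r$p$salt$hex" so N can be raised later without breaking old records.
module AdaptiveScrypt
  def self.derive(password, salt, n, r, p)
    OpenSSL::KDF.scrypt(password, salt: salt, N: n, r: r, p: p, length: 32).unpack1("H*")
  end

  def self.encrypt(password, n: 2**14, r: 8, p: 1)
    salt = SecureRandom.hex(16)
    [n, r, p, salt, derive(password, salt, n, r, p)].join("$")
  end

  def self.matches?(stored, password)
    n, r, p, salt, hex = stored.split("$")
    return false unless hex # not scrypt format, e.g. a legacy hash
    secure_eq?(hex, derive(password, salt, n.to_i, r.to_i, p.to_i))
  end
end

# Try the preferred scheme first; on a legacy match, re-hash while the
# plaintext is in hand. `record` is a Hash standing in for a user row.
def verify_and_upgrade(record, password)
  stored = record[:crypted_password]
  return :ok if AdaptiveScrypt.matches?(stored, password)
  return :rejected unless LegacySha512.matches?(stored, password, record[:password_salt])
  record[:crypted_password] = AdaptiveScrypt.encrypt(password)
  :upgraded
end
```

Records are upgraded only when their owner next logs in, so legacy hashes for dormant accounts remain in the table until those accounts are handled separately.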