Class: Authlogic::CryptoProviders::Guidance

Inherits:
Object
  • Object
show all
Defined in:
lib/authlogic/crypto_providers.rb

Overview

Guide users to choose a better crypto provider.

Constant Summary collapse

BUILTIN_PROVIDER_PREFIX =
"Authlogic::CryptoProviders::"
NONADAPTIVE_ALGORITHM =
<<~EOS
  You have selected %s as your authlogic crypto provider. This algorithm
  does not have any practical known attacks against it. However, there are
  better choices.

  Authlogic has no plans yet to deprecate this crypto provider. However,
  we recommend transitioning to a more secure, adaptive hashing algorithm,
  like scrypt. Adaptive algorithms are designed to slow down brute force
  attacks, and over time the iteration count can be increased to make it
  slower, so it remains resistant to brute-force search attacks even in
  the face of increasing computation power.

  Use the transition_from_crypto_providers option to make the transition
  painless for your users.
EOS
VULNERABLE_ALGORITHM =
<<~EOS
  You have selected %s as your authlogic crypto provider. It is a poor
  choice because there are known attacks against this algorithm.

  Authlogic has no plans yet to deprecate this crypto provider. However,
  we recommend transitioning to a secure hashing algorithm. We recommend
  an adaptive algorithm, like scrypt.

  Use the transition_from_crypto_providers option to make the transition
  painless for your users.
EOS

Instance Method Summary collapse

Constructor Details

#initialize(provider) ⇒ Guidance

Returns a new instance of Guidance.


63
64
65
# File 'lib/authlogic/crypto_providers.rb', line 63

def initialize(provider)
  @provider = provider
end

Instance Method Details

#impart_wisdomObject


67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# File 'lib/authlogic/crypto_providers.rb', line 67

def impart_wisdom
  return unless @provider.is_a?(Class)

  # We can only impart wisdom about our own built-in providers.
  absolute_name = @provider.name
  return unless absolute_name.start_with?(BUILTIN_PROVIDER_PREFIX)

  # Inspect the string name of the provider, rather than using the
  # constants in our `when` clauses. If we used the constants, we'd
  # negate the benefits of the `autoload` above.
  name = absolute_name.demodulize
  case name
  when "MD5", "Sha1"
    warn(format(VULNERABLE_ALGORITHM, name))
  when "Sha256", "Sha512"
    warn(format(NONADAPTIVE_ALGORITHM, name))
  end
end