Class: Authlogic::CryptoProviders::Guidance

Inherits: Object
Defined in: lib/authlogic/crypto_providers.rb

Overview

Guide users to choose a better crypto provider.

Constant Summary

BUILTIN_PROVIDER_PREFIX =
"Authlogic::CryptoProviders::"
NONADAPTIVE_ALGORITHM =
"You have selected %s as your authlogic crypto provider. This algorithm
does not have any practical known attacks against it. However, there are
better choices.

Authlogic has no plans yet to deprecate this crypto provider. However,
we recommend transitioning to a more secure, adaptive hashing algorithm,
like scrypt. Adaptive algorithms are designed to slow down brute force
attacks, and over time the iteration count can be increased to make it
slower, so it remains resistant to brute-force search attacks even in
the face of increasing computation power.

Use the transition_from_crypto_providers option to make the transition
painless for your users.
"
VULNERABLE_ALGORITHM =
"You have selected %s as your authlogic crypto provider. It is a poor
choice because there are known attacks against this algorithm.

Authlogic has no plans yet to deprecate this crypto provider. However,
we recommend transitioning to a secure hashing algorithm. We recommend
an adaptive algorithm, like scrypt.

Use the transition_from_crypto_providers option to make the transition
painless for your users.
"

Instance Method Summary

Constructor Details

#initialize(provider) ⇒ Guidance

Returns a new instance of Guidance.

# File 'lib/authlogic/crypto_providers.rb', line 63

def initialize(provider)
  @provider = provider
end

Instance Method Details

#impart_wisdom ⇒ Object

# File 'lib/authlogic/crypto_providers.rb', line 67

def impart_wisdom
  return unless @provider.is_a?(Class)

  # We can only impart wisdom about our own built-in providers.
  absolute_name = @provider.name
  return unless absolute_name.start_with?(BUILTIN_PROVIDER_PREFIX)

  # Inspect the string name of the provider, rather than using the
  # constants in our `when` clauses. If we used the constants, we'd
  # negate the benefits of the `autoload` above.
  name = absolute_name.demodulize
  case name
  when "MD5", "Sha1"
    warn(format(VULNERABLE_ALGORITHM, name))
  when "Sha256", "Sha512"
    warn(format(NONADAPTIVE_ALGORITHM, name))
  end
end
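As an added, self-contained example (not Authlogic's code): the same classification impart_wisdom performs, returning a verdict instead of calling warn so each exit path can be checked without the gem, plus a constructed audit helper that runs the check over an active provider and a transition_from_crypto_providers list. The provider classes below are empty stand-ins declared only for their names; MyApp::LegacyMD5 is a constructed third-party provider.

```ruby
# Added example, not Authlogic's code: a self-contained re-implementation of the
# Guidance check so each branch of impart_wisdom can be exercised without the gem.
module Authlogic
  module CryptoProviders
    # Empty stand-ins declared only for their names; the real gem's providers
    # implement the hashing themselves.
    class MD5; end
    class Sha512; end
    class SCrypt; end
  end
end

# A constructed third-party provider living outside the built-in namespace.
module MyApp
  class LegacyMD5; end
end

BUILTIN_PROVIDER_PREFIX = "Authlogic::CryptoProviders::"

# Returns :vulnerable, :nonadaptive or nil, mirroring impart_wisdom's exits:
# non-Class values and providers outside the built-in namespace get no verdict.
def guidance_for(provider)
  return nil unless provider.is_a?(Class)

  absolute_name = provider.name.to_s # anonymous classes have a nil name
  return nil unless absolute_name.start_with?(BUILTIN_PROVIDER_PREFIX)

  name = absolute_name.split("::").last # demodulize without ActiveSupport
  case name
  when "MD5", "Sha1" then :vulnerable
  when "Sha256", "Sha512" then :nonadaptive
  end
end

# Constructed audit helper (not part of the gem): checks the active provider
# together with the transition_from_crypto_providers list and reports every
# built-in provider that still triggers guidance, keyed by class name.
def audit(crypto_provider:, transition_from: [])
  ([crypto_provider] + transition_from).each_with_object({}) do |provider, report|
    verdict = guidance_for(provider)
    report[provider.name] = verdict if verdict
  end
end

if __FILE__ == $PROGRAM_NAME
  p audit(crypto_provider: Authlogic::CryptoProviders::SCrypt,
          transition_from: [Authlogic::CryptoProviders::Sha512,
                            Authlogic::CryptoProviders::MD5])
end
```

Note that a provider defined outside the Authlogic::CryptoProviders namespace receives no guidance even if it wraps a weak digest, because the prefix check exits before the algorithm name is inspected.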