Class: Authlogic::CryptoProviders::Guidance

Inherits: Object

Defined in: lib/authlogic/crypto_providers.rb

Overview

Guide users to choose a better crypto provider.

Constant Summary

AES256_DEPRECATED =
<<~EOS.freeze
  You have selected AES256 as your authlogic crypto provider. This
  choice is not suitable for password storage.

  Authlogic will drop its AES256 crypto provider in the next major
  version. If you're unable to transition away from AES256 please let us
  know immediately.

  We recommend using a one-way algorithm instead. There are many choices;
  we recommend scrypt. Use the transition_from_crypto_providers option
  to make this painless for your users.
EOS
BUILTIN_PROVIDER_PREFIX =
"Authlogic::CryptoProviders::".freeze
NONADAPTIVE_ALGORITHM =
<<~EOS.freeze
  You have selected %s as your authlogic crypto provider. This algorithm
  does not have any practical known attacks against it. However, there are
  better choices.

  Authlogic has no plans yet to deprecate this crypto provider. However,
  we recommend transitioning to a more secure, adaptive hashing algorithm,
  like scrypt. Adaptive algorithms are designed to slow down brute force
  attacks, and over time the iteration count can be increased to make it
  slower, so it remains resistant to brute-force search attacks even in
  the face of increasing computation power.

  Use the transition_from_crypto_providers option to make the transition
  painless for your users.
EOS
VULNERABLE_ALGORITHM =
<<~EOS.freeze
  You have selected %s as your authlogic crypto provider. It is a poor
  choice because there are known attacks against this algorithm.

  Authlogic has no plans yet to deprecate this crypto provider. However,
  we recommend transitioning to a secure hashing algorithm. We recommend
  an adaptive algorithm, like scrypt.

  Use the transition_from_crypto_providers option to make the transition
  painless for your users.
EOS

Instance Method Summary

Constructor Details

#initialize(provider) ⇒ Guidance

Returns a new instance of Guidance.

# File 'lib/authlogic/crypto_providers.rb', line 76

def initialize(provider)
  @provider = provider
end

Instance Method Details

#impart_wisdom ⇒ Object

# File 'lib/authlogic/crypto_providers.rb', line 80

def impart_wisdom
  return unless @provider.is_a?(Class)

  # We can only impart wisdom about our own built-in providers.
  absolute_name = @provider.name
  return unless absolute_name.start_with?(BUILTIN_PROVIDER_PREFIX)

  # Inspect the string name of the provider, rather than using the
  # constants in our `when` clauses. If we used the constants, we'd
  # negate the benefits of the `autoload` above.
  name = absolute_name.demodulize
  case name
  when "AES256"
    ::ActiveSupport::Deprecation.warn(AES256_DEPRECATED)
  when "MD5", "Sha1"
    warn(format(VULNERABLE_ALGORITHM, name))
  when "Sha256", "Sha512"
    warn(format(NONADAPTIVE_ALGORITHM, name))
  end
end
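The NONADAPTIVE_ALGORITHM text above explains why a fixed-cost hash such as SHA-512 is a weaker choice than an adaptive one, and all three messages point at the transition_from_crypto_providers option. The following added example (not Authlogic's own code, and not its implementation of that option) shows both ideas in plain Ruby: a legacy salted-SHA-512 provider, an adaptive provider whose cost is stored alongside the hash, and a verifier that accepts a legacy hash once, then re-stores the password under the adaptive provider and raises the cost when the configured iteration count has grown. PBKDF2-HMAC-SHA256 from Ruby's OpenSSL binding stands in for the scrypt the page recommends, purely so the example runs everywhere; the module and method names (ConstantTime, LegacySha512, AdaptivePbkdf2, PasswordStore) are assumptions of this example.

```ruby
require "openssl"
require "securerandom"

# Constant-time byte comparison so a mismatch does not leak, via timing,
# how many leading bytes of the stored digest were correct.
module ConstantTime
  def self.equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Legacy, non-adaptive provider: one salted SHA-512. Its cost is fixed by
# the algorithm, so it cannot be made slower as hardware gets faster.
module LegacySha512
  def self.encrypt(password, salt)
    OpenSSL::Digest::SHA512.hexdigest(salt + password)
  end

  def self.matches?(stored, password, salt)
    ConstantTime.equal?(stored, encrypt(password, salt))
  end
end

# Adaptive provider stand-in: PBKDF2-HMAC-SHA256 with the iteration count
# and salt embedded in the stored value as "pbkdf2$<iters>$<salt hex>$<dk hex>",
# so the cost can be read back and raised later.
module AdaptivePbkdf2
  def self.encrypt(password, salt, iterations)
    dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                  length: 32, hash: "sha256")
    format("pbkdf2$%d$%s$%s", iterations, salt.unpack1("H*"), dk.unpack1("H*"))
  end

  # Returns [iterations, salt] or nil when the value is not in our format.
  def self.parse(stored)
    scheme, iters, salt_hex, _digest = stored.split("$", 4)
    return nil unless scheme == "pbkdf2" && iters && salt_hex
    [iters.to_i, [salt_hex].pack("H*")]
  end

  def self.matches?(stored, password)
    iters, salt = parse(stored)
    return false unless iters
    ConstantTime.equal?(stored, encrypt(password, salt, iters))
  end
end

# Verifier modelled on the idea behind transition_from_crypto_providers:
# try the current provider first, then the legacy one; on any successful
# login whose stored value is legacy or below the configured cost, hand
# back a fresh adaptive hash for the caller to persist.
class PasswordStore
  def initialize(iterations: 20_000)
    @iterations = iterations
  end

  def create(password)
    AdaptivePbkdf2.encrypt(password, SecureRandom.random_bytes(16), @iterations)
  end

  # Returns [authenticated, replacement_hash_or_nil].
  def authenticate(stored, legacy_salt, password)
    if AdaptivePbkdf2.matches?(stored, password)
      iters, _salt = AdaptivePbkdf2.parse(stored)
      return [true, iters < @iterations ? create(password) : nil]
    end
    return [true, create(password)] if LegacySha512.matches?(stored, password, legacy_salt)
    [false, nil]
  end
end

if __FILE__ == $PROGRAM_NAME
  store = PasswordStore.new(iterations: 1_000)
  legacy = LegacySha512.encrypt("correct horse", "constructed-salt") # constructed sample
  ok, upgraded = store.authenticate(legacy, "constructed-salt", "correct horse")
  puts "legacy login ok=#{ok}, upgraded to: #{upgraded[0, 20]}..."
end
```

The transition is invisible to the user: the legacy hash is accepted exactly once, and the persisted value that replaces it is already in the adaptive format, so the next login verifies under the new provider and the old one is never consulted again. Raising the configured iteration count later triggers the same rehash path, which is the "over time the iteration count can be increased" property the page describes.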