Class: Fortifier::Secret

Inherits:

ActiveRecord::Base

• Object
• ActiveRecord::Base
• Fortifier::Secret

Defined in:

app/models/fortifier/secret.rb

Constant Summary

EXPIRATION_PERIOD =

days

90

RESTRICTION_PERIOD =

year

1

GRACE_PERIOD =

days

EXPIRATION_PERIOD - 8

SHA =

"SHA"

BCRYPT =

"BCRYPT"

SSO_TOKEN =

i.e. no encryption

"SSO_TOKEN"

RESET_TOKEN =

'RESET_TOKEN'

Instance Attribute Summary

• #reset_token ⇒ Object

  Returns the value of attribute reset_token.

• #secret ⇒ Object

  Returns the value of attribute secret.

• #secret_confirmation ⇒ Object

  Returns the value of attribute secret_confirmation.

• #skip_validation ⇒ Object

  Returns the value of attribute skip_validation.

Class Method Summary

• .evaluate_for_expiration ⇒ Object

  This is called by the rufus job to determine whether users should be locked for not changing secrets.

• .make_sso_token ⇒ Object
• .make_token ⇒ Object
• .reset_token_unique?(token) ⇒ Boolean

Instance Method Summary

• #enable! ⇒ Object
• #expiration_date ⇒ Object
• #expire! ⇒ Object
• #expire_previous_secret ⇒ Object
• #expired? ⇒ Boolean
• #matches?(secret_string) ⇒ Boolean
• #password_reset? ⇒ Boolean
• #secret_confirmation_is_present ⇒ Object
• #secret_is_present ⇒ Object
• #secret_matches_confirmation ⇒ Object
• #secret_matches_regex ⇒ Object
• #skip_validation? ⇒ Boolean
• #sso_auth_user? ⇒ Boolean

  TODO: (DK) def secret_not_used_recently # enhanced secret validation errors << :password_previously_used if matches_previous_secret?(secret) end.

• #update_encryption_method(secret_string) ⇒ Object
• #within_a_week_of_expiration? ⇒ Boolean

Instance Attribute Details

#reset_token ⇒ Object

Returns the value of attribute reset_token.

# File 'app/models/fortifier/secret.rb', line 14

def reset_token
  @reset_token
end

#secret ⇒ Object

Returns the value of attribute secret.

# File 'app/models/fortifier/secret.rb', line 12

def secret
  @secret
end

#secret_confirmation ⇒ Object

Returns the value of attribute secret_confirmation.

# File 'app/models/fortifier/secret.rb', line 12

def secret_confirmation
  @secret_confirmation
end

#skip_validation ⇒ Object

Returns the value of attribute skip_validation.

# File 'app/models/fortifier/secret.rb', line 13

def skip_validation
  @skip_validation
end

Class Method Details

.evaluate_for_expiration ⇒ Object

This is called by the rufus job to determine whether users should be locked for not changing secrets

# File 'app/models/fortifier/secret.rb', line 115

def self.evaluate_for_expiration
  Secret.past_expiration.each do |secret|
    secret.user.disable!
    secret.expire!
  end
  Secret.week_to_expiration.each do |secret|
    NotifierMailer.secret_expiration(secret, secret.user.email).deliver
  end
end

.make_sso_token ⇒ Object

# File 'app/models/fortifier/secret.rb', line 152

def self.make_sso_token
  token=rand(36**30).to_s(36) while Secret.reset_token_unique?(token)==false
  token
end

.make_token ⇒ Object

# File 'app/models/fortifier/secret.rb', line 147

def self.make_token
  token=rand(36**30).to_s(36) while Secret.reset_token_unique?(token)==false
  token
end

.reset_token_unique?(token) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/fortifier/secret.rb', line 101

def self.reset_token_unique?(token)
  return false if token.blank?
  Fortifier::Secret.where("enc_type='#{RESET_TOKEN}' 
                            AND secret_value='#{token}' 
                            AND (expired IS NULL OR expired=false)").blank?
end

Instance Method Details

#enable! ⇒ Object

# File 'app/models/fortifier/secret.rb', line 92

def enable!; expired == 0; end

#expiration_date ⇒ Object

# File 'app/models/fortifier/secret.rb', line 94

def expiration_date; (created_at.to_time + EXPIRATION_PERIOD.days); end

#expire! ⇒ Object

# File 'app/models/fortifier/secret.rb', line 88

def expire!; update_column(:expired, 1); end

#expire_previous_secret ⇒ Object

# File 'app/models/fortifier/secret.rb', line 108

def expire_previous_secret
  return if (self.reset_token || auth_user.current_secret.blank?)
  old_secrets = Secret.where("auth_user_id='#{auth_user.id}' AND (expired IS NULL OR expired=false)")
  old_secrets.each{|s| s.expire!}
end

#expired? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/fortifier/secret.rb', line 90

def expired?; expired == 1; end

#matches?(secret_string) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/fortifier/secret.rb', line 125

def matches?(secret_string)
  if enc_type == SHA
     # deprecated pw hashing
    secret_value == Digest::SHA1.hexdigest("--#{salt}--#{secret_string}--")
   elsif enc_type == Secret::SSO_TOKEN
         secret_value == secret_string
  else
    BCrypt::Password.new(secret_value) == secret_string
  end
end

#password_reset? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/fortifier/secret.rb', line 82

def password_reset?; self.enc_type==RESET_TOKEN || self.reset_token; end

#secret_confirmation_is_present ⇒ Object

# File 'app/models/fortifier/secret.rb', line 59

def secret_confirmation_is_present
  return if secret_confirmation.present?
  errors[:base] << :blank_password_confirmation
end

#secret_is_present ⇒ Object

# File 'app/models/fortifier/secret.rb', line 54

def secret_is_present
  return if secret.present?
  errors[:base] << :blank_password
end

#secret_matches_confirmation ⇒ Object

# File 'app/models/fortifier/secret.rb', line 64

def secret_matches_confirmation
  return if secret == secret_confirmation
  errors[:base] << :passwords_do_not_match
end

#secret_matches_regex ⇒ Object

# File 'app/models/fortifier/secret.rb', line 69

def secret_matches_regex
  # 10 to 40 characters, one letter, one number
  errors[:base] << :bad_password if secret and secret.match(Fortifier::Authentication::SECRET_REGEX).nil?
end

#skip_validation? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/fortifier/secret.rb', line 84

def skip_validation?
  self.skip_validation || self.sso_auth_user? || self.password_reset?
end

#sso_auth_user? ⇒ Boolean

TODO: (DK) def secret_not_used_recently

# enhanced secret validation
errors[:base] << :password_previously_used if matches_previous_secret?(secret)

end

Returns:

• (Boolean)

# File 'app/models/fortifier/secret.rb', line 80

def sso_auth_user?; self.enc_type==SSO_TOKEN; end

#update_encryption_method(secret_string) ⇒ Object

# File 'app/models/fortifier/secret.rb', line 136

def update_encryption_method(secret_string)
  # TODO: dave, test if this works: return if enc_type == (BCRYPT || SSO_TOKEN)
  return if self.enc_type == Secret::BCRYPT || self.enc_type == Secret::SSO_TOKEN or secret_string.blank?
   new_secret = Secret.new
   new_secret.auth_user = self.auth_user
  new_secret.secret_value = secret_string
  new_secret.salt = nil
  new_secret.enc_type = BCRYPT
  new_secret.save!(validate: false)
end

#within_a_week_of_expiration? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/fortifier/secret.rb', line 96

def within_a_week_of_expiration?
 t = (expiration_date.to_date - Date.today).to_i
 t <= 7 && t > 0
end