class ROM::LDAP::Directory::Password

@abstract

Encode and validate passwords using md5, sha or ssha.

@api public

Public Class Methods

check_ssha(password, encrypted)

Validate plain password against encrypted SSHA password.

@return [Boolean]

@api public

# File lib/rom/ldap/directory/password.rb, line 60
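# Validate a plain password against a stored {SSHA} value.
#
# The stored value is "{SSHA}" followed by Base64(SHA1(password + salt) + salt):
# the first 20 decoded bytes are the digest and the remainder is the salt.
#
# @param password [String] Plain text candidate password.
# @param encrypted [String] Stored value, including the "{SSHA}" prefix.
#
# @return [Boolean] false when the stored value is malformed or does not match.
def self.check_ssha(password, encrypted)
  # \A anchors at the start of the string; ^ would also match after a newline.
  decoded = Base64.decode64(encrypted.sub(/\A\{SSHA\}/, EMPTY_STRING))
  # digest = decoded[0...20]
  salt = decoded[20..-1]
  # Fewer than 20 decoded bytes: there is no digest/salt split to verify.
  return false if salt.nil?

  expected = _encode(:ssha, ssha(password, salt))
  return false unless expected.bytesize == encrypted.bytesize

  # Visit every byte so the time taken does not depend on the position of
  # the first mismatch.
  diff = 0
  expected.each_byte.with_index { |byte, i| diff |= byte ^ encrypted.getbyte(i) }
  diff.zero?
end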
check_ssha512(password, encrypted)
# File lib/rom/ldap/directory/password.rb, line 48
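# Validate a plain password against a stored {SSHA512} value.
#
# The stored value is "{SSHA512}" followed by
# Base64(SHA512(password + salt) + salt): the first 64 decoded bytes are the
# digest and the remainder is the salt.
#
# @param password [String] Plain text candidate password.
# @param encrypted [String] Stored value, including the "{SSHA512}" prefix.
#
# @return [Boolean] false when the stored value is malformed or does not match.
def self.check_ssha512(password, encrypted)
  # \A anchors at the start of the string; ^ would also match after a newline.
  decoded = Base64.decode64(encrypted.sub(/\A\{SSHA512\}/, EMPTY_STRING))
  # digest = decoded[0...64]
  salt = decoded[64..-1]
  # Fewer than 64 decoded bytes: there is no digest/salt split to verify.
  return false if salt.nil?

  expected = _encode(:ssha512, ssha512(password, salt))
  return false unless expected.bytesize == encrypted.bytesize

  # Visit every byte so the time taken does not depend on the position of
  # the first mismatch.
  diff = 0
  expected.each_byte.with_index { |byte, i| diff |= byte ^ encrypted.getbyte(i) }
  diff.zero?
end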
generate(type, password, salt = secure_salt)

Generate an encrypted password.

@example

Password.generate(:ssha, 'secret magic word')

@param type [Symbol] Encryption type. [:md5, :sha, :ssha]. @param password [String] Plain text password to be encrypted.

@return [String]

@raise [PasswordError]

@api public

# File lib/rom/ldap/directory/password.rb, line 35
# Build a prefixed, Base64-encoded password value for the given scheme.
#
# @param type [Symbol] One of :md5, :sha, :ssha, :ssha512.
# @param password [String] Plain text password.
# @param salt [String] Salt for :ssha / :ssha512; defaults to secure_salt
#   and is not used by :md5 or :sha.
#
# @return [String] "{TYPE}" followed by the Base64 of the digest.
#
# @raise [PasswordError] when password is nil or type is not supported.
def self.generate(type, password, salt = secure_salt)
  raise PasswordError, 'No password supplied' if password.nil?

  digest =
    case type
    when :md5     then md5(password)
    when :sha     then sha(password)
    when :ssha    then ssha(password, salt)
    when :ssha512 then ssha512(password, salt)
    else raise PasswordError, "Unsupported encryption type (#{type})"
    end

  _encode(type, digest)
end

Private Class Methods

_encode(type, encrypted)

@return [String] Prepend type to encrypted string.

@api private

# File lib/rom/ldap/directory/password.rb, line 72
# Prefix a raw digest with its upper-cased scheme name in braces and
# Base64-encode the digest bytes.
#
# @param type [Symbol] Scheme name, e.g. :ssha.
# @param encrypted [String] Raw digest bytes (with any salt appended).
#
# @return [String] e.g. "{SSHA}..." with the Base64 payload on one line.
def self._encode(type, encrypted)
  scheme = "{#{type.upcase}}"
  payload = Base64.strict_encode64(encrypted).chomp
  scheme + payload
end
md5(str)

@param str [String]

@return [String] MD5 digest.

@api private

# File lib/rom/ldap/directory/password.rb, line 88
# Raw (binary) MD5 digest of the given string.
#
# Unsalted and fast: identical passwords produce identical values and
# offline guessing is cheap. Prefer a salted scheme for new entries.
#
# @param str [String]
#
# @return [String] 16-byte MD5 digest.
def self.md5(str)
  hasher = Digest::MD5.new
  hasher.update(str)
  hasher.digest
end
secure_salt()

Generate salt.

@api private

# File lib/rom/ldap/directory/password.rb, line 79
# Fresh random salt drawn from SecureRandom.
#
# @return [String] 16 random bytes.
def self.secure_salt
  salt_bytes = 16
  SecureRandom.random_bytes(salt_bytes)
end
sha(str)

@param str [String]

@return [String] SHA1 digest without salt.

@api private

# File lib/rom/ldap/directory/password.rb, line 107
# Raw (binary) SHA1 digest of the given string, without salt.
#
# Unsalted and fast: identical passwords produce identical values and
# offline guessing is cheap. Prefer a salted scheme for new entries.
#
# @param str [String]
#
# @return [String] 20-byte SHA1 digest.
def self.sha(str)
  hasher = Digest::SHA1.new
  hasher << str
  hasher.digest
end
ssha(str, salt)

@param str [String] @param salt [String]

@return [String] SHA1 digest with salt.

@api private

# File lib/rom/ldap/directory/password.rb, line 98
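# Salted SHA1 digest with the salt appended.
#
# @param str [String] Plain text password.
# @param salt [String] Salt bytes.
#
# @return [String] Binary string: 20-byte SHA1(str + salt) followed by salt.
def self.ssha(str, salt)
  # Work on binary copies: concatenating a UTF-8 password that contains
  # non-ASCII characters with random salt bytes raises
  # Encoding::CompatibilityError.
  raw_salt = salt.b
  Digest::SHA1.digest(str.b + raw_salt) + raw_salt
end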
ssha512(str, salt)

“{SSHA512}A1lCCGYzUEJ5/qQCrFUAztLVaTaWv959RnpzaOsWB9Ij4CBCeNh6i4XrZzrvwUMM/AWbEb8Gjc7FWOBSPnkRuHsexjzeQImm” initial

# File lib/rom/ldap/directory/password.rb, line 114
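# Salted SHA512 digest with the salt appended.
#
# @param str [String] Plain text password.
# @param salt [String] Salt bytes.
#
# @return [String] Binary string: 64-byte SHA512(str + salt) followed by salt.
def self.ssha512(str, salt)
  # Work on binary copies: concatenating a UTF-8 password that contains
  # non-ASCII characters with random salt bytes raises
  # Encoding::CompatibilityError.
  raw_salt = salt.b
  Digest::SHA512.digest(str.b + raw_salt) + raw_salt
end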