From 7c068621cfe935c68a111983d5989a44bfcf1cc3 Mon Sep 17 00:00:00 2001
From: Andrey Antukh <niwi@niwi.nz>
Date: Tue, 15 Sep 2020 14:48:13 +0200
Subject: [PATCH] :recycle: Replace internal crypto/pbkd with buddy.
---
backend/deps.edn | 7 +-
backend/src/app/cli/fixtures.clj | 4 +-
backend/src/app/services/mutations/demo.clj | 13 +-
.../src/app/services/mutations/profile.clj | 46 +--
backend/src/app/services/mutations/viewer.clj | 24 +-
backend/src/app/services/tokens.clj | 9 +-
backend/src/app/util/storage.clj | 15 +-
backend/vendor/sodi/LICENSE | 373 ------------------
backend/vendor/sodi/deps.edn | 32 --
backend/vendor/sodi/pom.xml | 37 --
backend/vendor/sodi/src/sodi/prng.clj | 42 --
backend/vendor/sodi/src/sodi/pwhash.clj | 101 -----
backend/vendor/sodi/src/sodi/util.clj | 50 ---
backend/vendor/sodi/tests.edn | 5 -
.../sodi/tests/sodi/tests/test_pwhash.clj | 22 --
backend/vendor/sodi/tests/user.clj | 31 --
16 files changed, 54 insertions(+), 757 deletions(-)
delete mode 100644 backend/vendor/sodi/LICENSE
delete mode 100644 backend/vendor/sodi/deps.edn
delete mode 100644 backend/vendor/sodi/pom.xml
delete mode 100644 backend/vendor/sodi/src/sodi/prng.clj
delete mode 100644 backend/vendor/sodi/src/sodi/pwhash.clj
delete mode 100644 backend/vendor/sodi/src/sodi/util.clj
delete mode 100644 backend/vendor/sodi/tests.edn
delete mode 100644 backend/vendor/sodi/tests/sodi/tests/test_pwhash.clj
delete mode 100644 backend/vendor/sodi/tests/user.clj
diff --git a/backend/deps.edn b/backend/deps.edn
index d05c2f335..2abd02f29 100644
--- a/backend/deps.edn
+++ b/backend/deps.edn
@@ -36,9 +36,10 @@
funcool/datoteka {:mvn/version "1.2.0"}
funcool/promesa {:mvn/version "5.1.0"}
funcool/cuerdas {:mvn/version "2020.03.26-3"}
- funcool/sodi
- {:local/root "vendor/sodi"
- :deps/manifest :pom}
+
+
+ buddy/buddy-core {:mvn/version "1.8.0"}
+ buddy/buddy-hashers {:mvn/version "1.5.1"}
lambdaisland/uri {:mvn/version "1.4.54"
:exclusions [org.clojure/data.json]}
diff --git a/backend/src/app/cli/fixtures.clj b/backend/src/app/cli/fixtures.clj
index 1feb94495..ee71ad267 100644
--- a/backend/src/app/cli/fixtures.clj
+++ b/backend/src/app/cli/fixtures.clj
@@ -12,7 +12,7 @@
(:require
[clojure.tools.logging :as log]
[mount.core :as mount]
- [sodi.pwhash :as pwhash]
+ [buddy.hashers :as hashers]
[app.common.data :as d]
[app.common.pages :as cp]
[app.common.uuid :as uuid]
@@ -28,7 +28,7 @@
;; --- Profiles creation
-(def password (pwhash/derive "123123"))
+(def password (hashers/derive "123123"))
(def preset-small
{:num-teams 5
diff --git a/backend/src/app/services/mutations/demo.clj b/backend/src/app/services/mutations/demo.clj
index 910809b2c..a2f03a349 100644
--- a/backend/src/app/services/mutations/demo.clj
+++ b/backend/src/app/services/mutations/demo.clj
@@ -11,8 +11,8 @@
"A demo specific mutations."
(:require
[clojure.spec.alpha :as s]
- [sodi.prng]
- [sodi.util]
+ [buddy.core.codecs :as bc]
+ [buddy.core.nonce :as bn]
[app.common.exceptions :as ex]
[app.config :as cfg]
[app.db :as db]
@@ -24,12 +24,13 @@
(sm/defmutation ::create-demo-profile
[_]
- (let [id (uuid/next)
- sem (System/currentTimeMillis)
+ (let [id (uuid/next)
+ sem (System/currentTimeMillis)
email (str "demo-" sem ".demo@nodomain.com")
fullname (str "Demo User " sem)
- password (-> (sodi.prng/random-bytes 12)
- (sodi.util/bytes->b64s))
+ password (-> (bn/random-bytes 12)
+ (bc/bytes->b64u)
+ (bc/bytes->str))
params {:id id
:email email
:fullname fullname
diff --git a/backend/src/app/services/mutations/profile.clj b/backend/src/app/services/mutations/profile.clj
index 7ce748dd2..39a00f7fb 100644
--- a/backend/src/app/services/mutations/profile.clj
+++ b/backend/src/app/services/mutations/profile.clj
@@ -9,33 +9,32 @@
(ns app.services.mutations.profile
(:require
- [clojure.spec.alpha :as s]
- [cuerdas.core :as str]
- [datoteka.core :as fs]
- [promesa.core :as p]
- [promesa.exec :as px]
- [sodi.prng]
- [sodi.pwhash]
- [sodi.util]
[app.common.exceptions :as ex]
+ [app.common.media :as cm]
[app.common.spec :as us]
[app.common.uuid :as uuid]
- [app.common.media :as cm]
[app.config :as cfg]
[app.db :as db]
[app.emails :as emails]
[app.media :as media]
[app.media-storage :as mst]
- [app.services.tokens :as tokens]
[app.services.mutations :as sm]
[app.services.mutations.media :as media-mutations]
[app.services.mutations.projects :as projects]
[app.services.mutations.teams :as teams]
[app.services.queries.profile :as profile]
+ [app.services.tokens :as tokens]
[app.tasks :as tasks]
[app.util.blob :as blob]
[app.util.storage :as ust]
- [app.util.time :as dt]))
+ [app.util.time :as dt]
+ [buddy.core.codecs :as bc]
+ [buddy.core.nonce :as bn]
+ [buddy.hashers :as hashers]
+ [clojure.spec.alpha :as s]
+ [cuerdas.core :as str]
+ [datoteka.core :as fs]))
+
;; --- Helpers & Specs
@@ -112,16 +111,16 @@
"Create the profile entry on the database with limited input
filling all the other fields with defaults."
[conn {:keys [id fullname email password demo?] :as params}]
- (let [id (or id (uuid/next))
+ (let [id (or id (uuid/next))
demo? (if (boolean? demo?) demo? false)
- password (sodi.pwhash/derive password)]
+ paswd (hashers/derive password {:alg :bcrypt+sha512})]
(db/insert! conn :profile
{:id id
:fullname fullname
:email (str/lower email)
:pending-email (if demo? nil email)
:photo ""
- :password password
+ :password paswd
:is-demo demo?})))
(defn- create-profile-relations
@@ -159,8 +158,7 @@
(when (= (:password profile) "!")
(ex/raise :type :validation
:code ::account-without-password))
- (let [result (sodi.pwhash/verify password (:password profile))]
- (:valid result)))
+ (hashers/check password (:password profile)))
(validate-profile [profile]
(when-not profile
@@ -242,9 +240,8 @@
(defn- validate-password!
[conn {:keys [profile-id old-password] :as params}]
- (let [profile (profile/retrieve-profile-data conn profile-id)
- result (sodi.pwhash/verify old-password (:password profile))]
- (when-not (:valid result)
+ (let [profile (profile/retrieve-profile-data conn profile-id)]
+ (when-not (hashers/check old-password (:password profile))
(ex/raise :type :validation
:code ::old-password-not-match))))
@@ -256,12 +253,11 @@
(db/with-atomic [conn db/pool]
(validate-password! conn params)
(db/update! conn :profile
- {:password (sodi.pwhash/derive password)}
+ {:password (hashers/derive password {:alg :bcrypt+sha512})}
{:id profile-id})
nil))
-
;; --- Mutation: Update Photo
(declare upload-photo)
@@ -290,8 +286,9 @@
(defn- upload-photo
[conn {:keys [file profile-id]}]
- (let [prefix (-> (sodi.prng/random-bytes 8)
- (sodi.util/bytes->b64s))
+ (let [prefix (-> (bn/random-bytes 8)
+ (bc/bytes->b64u)
+ (bc/bytes->str))
thumb (media/run
{:cmd :profile-thumbnail
:format :jpeg
@@ -455,13 +452,12 @@
(:profile-id tpayload)))
(update-password [conn profile-id]
- (let [pwd (sodi.pwhash/derive password)]
+ (let [pwd (hashers/derive password {:alg :bcrypt+sha512})]
(db/update! conn :profile {:password pwd} {:id profile-id})))
(delete-token [conn token]
(db/delete! conn :generic-token {:token token}))]
-
(db/with-atomic [conn db/pool]
(->> (validate-token conn token)
(update-password conn))
diff --git a/backend/src/app/services/mutations/viewer.clj b/backend/src/app/services/mutations/viewer.clj
index 9b1e53d4c..71d189260 100644
--- a/backend/src/app/services/mutations/viewer.clj
+++ b/backend/src/app/services/mutations/viewer.clj
@@ -5,31 +5,20 @@
;; This Source Code Form is "Incompatible With Secondary Licenses", as
;; defined by the Mozilla Public License, v. 2.0.
;;
-;; Copyright (c) 2019-2020 Andrey Antukh <niwi@niwi.nz>
+;; Copyright (c) 2020 UXBOX Labs SL
(ns app.services.mutations.viewer
(:require
[app.common.exceptions :as ex]
[app.common.pages :as cp]
- [app.common.pages-migrations :as pmg]
[app.common.spec :as us]
- [app.common.uuid :as uuid]
[app.config :as cfg]
[app.db :as db]
- [app.redis :as redis]
[app.services.mutations :as sm]
- [app.services.mutations.projects :as proj]
[app.services.queries.files :as files]
- [app.tasks :as tasks]
- [app.util.blob :as blob]
- [app.util.storage :as ust]
- [app.util.time :as dt]
- [app.util.transit :as t]
- [clojure.spec.alpha :as s]
- [datoteka.core :as fs]
- [promesa.core :as p]
- [sodi.prng]
- [sodi.util]))
+ [buddy.core.codecs :as bc]
+ [buddy.core.nonce :as bn]
+ [clojure.spec.alpha :as s]))
(s/def ::profile-id ::us/uuid)
(s/def ::file-id ::us/uuid)
@@ -42,8 +31,9 @@
[{:keys [profile-id file-id page-id] :as params}]
(db/with-atomic [conn db/pool]
(files/check-edition-permissions! conn profile-id file-id)
- (let [token (-> (sodi.prng/random-bytes 16)
- (sodi.util/bytes->b64s))]
+ (let [token (-> (bn/random-bytes 16)
+ (bc/bytes->b64u)
+ (bc/bytes->str))]
(db/insert! conn :file-share-token
{:file-id file-id
:page-id page-id
diff --git a/backend/src/app/services/tokens.clj b/backend/src/app/services/tokens.clj
index e9c8da048..aa5a2189f 100644
--- a/backend/src/app/services/tokens.clj
+++ b/backend/src/app/services/tokens.clj
@@ -11,8 +11,8 @@
(:require
[clojure.spec.alpha :as s]
[cuerdas.core :as str]
- [sodi.prng]
- [sodi.util]
+ [buddy.core.codecs :as bc]
+ [buddy.core.nonce :as bn]
[app.common.exceptions :as ex]
[app.common.spec :as us]
[app.util.time :as dt]
@@ -21,8 +21,9 @@
(defn next-token
([] (next-token 96))
([n]
- (-> (sodi.prng/random-nonce n)
- (sodi.util/bytes->b64s))))
+ (-> (bn/random-bytes n)
+ (bc/bytes->b64u)
+ (bc/bytes->str))))
(def default-duration
(dt/duration {:hours 48}))
diff --git a/backend/src/app/util/storage.clj b/backend/src/app/util/storage.clj
index 74f19b206..b4329df3c 100644
--- a/backend/src/app/util/storage.clj
+++ b/backend/src/app/util/storage.clj
@@ -10,14 +10,14 @@
(ns app.util.storage
"A local filesystem storage implementation."
(:require
+ [app.common.exceptions :as ex]
+ [buddy.core.codecs :as bc]
+ [buddy.core.nonce :as bn]
[clojure.java.io :as io]
[clojure.spec.alpha :as s]
[cuerdas.core :as str]
[datoteka.core :as fs]
- [datoteka.proto :as fp]
- [sodi.prng :as sodi.prng]
- [sodi.util :as sodi.util]
- [app.common.exceptions :as ex])
+ [datoteka.proto :as fp])
(:import
java.io.ByteArrayInputStream
java.io.InputStream
@@ -162,7 +162,7 @@
(def ^:private prng
(delay
(doto (java.security.SecureRandom/getInstance "SHA1PRNG")
- (.setSeed ^bytes (sodi.prng/random-bytes 64)))))
+ (.setSeed ^bytes (bn/random-bytes 64)))))
(defn with-xf
[storage xfm]
@@ -174,8 +174,9 @@
(def random-path
(map (fn [^Path path]
(let [name (str (.getFileName path))
- hash (-> (sodi.prng/random-bytes @prng 10)
- (sodi.util/bytes->b64s))
+ hash (-> (bn/random-bytes 10 @prng)
+ (bc/bytes->b64u)
+ (bc/bytes->str))
tokens (re-seq #"[\w\d\-\_]{2}" hash)
path-tokens (take 3 tokens)
rest-tokens (drop 3 tokens)
diff --git a/backend/vendor/sodi/LICENSE b/backend/vendor/sodi/LICENSE
deleted file mode 100644
index 14e2f777f..000000000
--- a/backend/vendor/sodi/LICENSE
+++ /dev/null
@@ -1,373 +0,0 @@
-Mozilla Public License Version 2.0
-==================================
-
-1. Definitions
---------------
-
-1.1. "Contributor"
- means each individual or legal entity that creates, contributes to
- the creation of, or owns Covered Software.
-
-1.2. "Contributor Version"
- means the combination of the Contributions of others (if any) used
- by a Contributor and that particular Contributor's Contribution.
-
-1.3. "Contribution"
- means Covered Software of a particular Contributor.
-
-1.4. "Covered Software"
- means Source Code Form to which the initial Contributor has attached
- the notice in Exhibit A, the Executable Form of such Source Code
- Form, and Modifications of such Source Code Form, in each case
- including portions thereof.
-
-1.5. "Incompatible With Secondary Licenses"
- means
-
- (a) that the initial Contributor has attached the notice described
- in Exhibit B to the Covered Software; or
-
- (b) that the Covered Software was made available under the terms of
- version 1.1 or earlier of the License, but not also under the
- terms of a Secondary License.
-
-1.6. "Executable Form"
- means any form of the work other than Source Code Form.
-
-1.7. "Larger Work"
- means a work that combines Covered Software with other material, in
- a separate file or files, that is not Covered Software.
-
-1.8. "License"
- means this document.
-
-1.9. "Licensable"
- means having the right to grant, to the maximum extent possible,
- whether at the time of the initial grant or subsequently, any and
- all of the rights conveyed by this License.
-
-1.10. "Modifications"
- means any of the following:
-
- (a) any file in Source Code Form that results from an addition to,
- deletion from, or modification of the contents of Covered
- Software; or
-
- (b) any new file in Source Code Form that contains any Covered
- Software.
-
-1.11. "Patent Claims" of a Contributor
- means any patent claim(s), including without limitation, method,
- process, and apparatus claims, in any patent Licensable by such
- Contributor that would be infringed, but for the grant of the
- License, by the making, using, selling, offering for sale, having
- made, import, or transfer of either its Contributions or its
- Contributor Version.
-
-1.12. "Secondary License"
- means either the GNU General Public License, Version 2.0, the GNU
- Lesser General Public License, Version 2.1, the GNU Affero General
- Public License, Version 3.0, or any later versions of those
- licenses.
-
-1.13. "Source Code Form"
- means the form of the work preferred for making modifications.
-
-1.14. "You" (or "Your")
- means an individual or a legal entity exercising rights under this
- License. For legal entities, "You" includes any entity that
- controls, is controlled by, or is under common control with You. For
- purposes of this definition, "control" means (a) the power, direct
- or indirect, to cause the direction or management of such entity,
- whether by contract or otherwise, or (b) ownership of more than
- fifty percent (50%) of the outstanding shares or beneficial
- ownership of such entity.
-
-2. License Grants and Conditions
---------------------------------
-
-2.1. Grants
-
-Each Contributor hereby grants You a world-wide, royalty-free,
-non-exclusive license:
-
-(a) under intellectual property rights (other than patent or trademark)
- Licensable by such Contributor to use, reproduce, make available,
- modify, display, perform, distribute, and otherwise exploit its
- Contributions, either on an unmodified basis, with Modifications, or
- as part of a Larger Work; and
-
-(b) under Patent Claims of such Contributor to make, use, sell, offer
- for sale, have made, import, and otherwise transfer either its
- Contributions or its Contributor Version.
-
-2.2. Effective Date
-
-The licenses granted in Section 2.1 with respect to any Contribution
-become effective for each Contribution on the date the Contributor first
-distributes such Contribution.
-
-2.3. Limitations on Grant Scope
-
-The licenses granted in this Section 2 are the only rights granted under
-this License. No additional rights or licenses will be implied from the
-distribution or licensing of Covered Software under this License.
-Notwithstanding Section 2.1(b) above, no patent license is granted by a
-Contributor:
-
-(a) for any code that a Contributor has removed from Covered Software;
- or
-
-(b) for infringements caused by: (i) Your and any other third party's
- modifications of Covered Software, or (ii) the combination of its
- Contributions with other software (except as part of its Contributor
- Version); or
-
-(c) under Patent Claims infringed by Covered Software in the absence of
- its Contributions.
-
-This License does not grant any rights in the trademarks, service marks,
-or logos of any Contributor (except as may be necessary to comply with
-the notice requirements in Section 3.4).
-
-2.4. Subsequent Licenses
-
-No Contributor makes additional grants as a result of Your choice to
-distribute the Covered Software under a subsequent version of this
-License (see Section 10.2) or under the terms of a Secondary License (if
-permitted under the terms of Section 3.3).
-
-2.5. Representation
-
-Each Contributor represents that the Contributor believes its
-Contributions are its original creation(s) or it has sufficient rights
-to grant the rights to its Contributions conveyed by this License.
-
-2.6. Fair Use
-
-This License is not intended to limit any rights You have under
-applicable copyright doctrines of fair use, fair dealing, or other
-equivalents.
-
-2.7. Conditions
-
-Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
-in Section 2.1.
-
-3. Responsibilities
--------------------
-
-3.1. Distribution of Source Form
-
-All distribution of Covered Software in Source Code Form, including any
-Modifications that You create or to which You contribute, must be under
-the terms of this License. You must inform recipients that the Source
-Code Form of the Covered Software is governed by the terms of this
-License, and how they can obtain a copy of this License. You may not
-attempt to alter or restrict the recipients' rights in the Source Code
-Form.
-
-3.2. Distribution of Executable Form
-
-If You distribute Covered Software in Executable Form then:
-
-(a) such Covered Software must also be made available in Source Code
- Form, as described in Section 3.1, and You must inform recipients of
- the Executable Form how they can obtain a copy of such Source Code
- Form by reasonable means in a timely manner, at a charge no more
- than the cost of distribution to the recipient; and
-
-(b) You may distribute such Executable Form under the terms of this
- License, or sublicense it under different terms, provided that the
- license for the Executable Form does not attempt to limit or alter
- the recipients' rights in the Source Code Form under this License.
-
-3.3. Distribution of a Larger Work
-
-You may create and distribute a Larger Work under terms of Your choice,
-provided that You also comply with the requirements of this License for
-the Covered Software. If the Larger Work is a combination of Covered
-Software with a work governed by one or more Secondary Licenses, and the
-Covered Software is not Incompatible With Secondary Licenses, this
-License permits You to additionally distribute such Covered Software
-under the terms of such Secondary License(s), so that the recipient of
-the Larger Work may, at their option, further distribute the Covered
-Software under the terms of either this License or such Secondary
-License(s).
-
-3.4. Notices
-
-You may not remove or alter the substance of any license notices
-(including copyright notices, patent notices, disclaimers of warranty,
-or limitations of liability) contained within the Source Code Form of
-the Covered Software, except that You may alter any license notices to
-the extent required to remedy known factual inaccuracies.
-
-3.5. Application of Additional Terms
-
-You may choose to offer, and to charge a fee for, warranty, support,
-indemnity or liability obligations to one or more recipients of Covered
-Software. However, You may do so only on Your own behalf, and not on
-behalf of any Contributor. You must make it absolutely clear that any
-such warranty, support, indemnity, or liability obligation is offered by
-You alone, and You hereby agree to indemnify every Contributor for any
-liability incurred by such Contributor as a result of warranty, support,
-indemnity or liability terms You offer. You may include additional
-disclaimers of warranty and limitations of liability specific to any
-jurisdiction.
-
-4. Inability to Comply Due to Statute or Regulation
----------------------------------------------------
-
-If it is impossible for You to comply with any of the terms of this
-License with respect to some or all of the Covered Software due to
-statute, judicial order, or regulation then You must: (a) comply with
-the terms of this License to the maximum extent possible; and (b)
-describe the limitations and the code they affect. Such description must
-be placed in a text file included with all distributions of the Covered
-Software under this License. Except to the extent prohibited by statute
-or regulation, such description must be sufficiently detailed for a
-recipient of ordinary skill to be able to understand it.
-
-5. Termination
---------------
-
-5.1. The rights granted under this License will terminate automatically
-if You fail to comply with any of its terms. However, if You become
-compliant, then the rights granted under this License from a particular
-Contributor are reinstated (a) provisionally, unless and until such
-Contributor explicitly and finally terminates Your grants, and (b) on an
-ongoing basis, if such Contributor fails to notify You of the
-non-compliance by some reasonable means prior to 60 days after You have
-come back into compliance. Moreover, Your grants from a particular
-Contributor are reinstated on an ongoing basis if such Contributor
-notifies You of the non-compliance by some reasonable means, this is the
-first time You have received notice of non-compliance with this License
-from such Contributor, and You become compliant prior to 30 days after
-Your receipt of the notice.
-
-5.2. If You initiate litigation against any entity by asserting a patent
-infringement claim (excluding declaratory judgment actions,
-counter-claims, and cross-claims) alleging that a Contributor Version
-directly or indirectly infringes any patent, then the rights granted to
-You by any and all Contributors for the Covered Software under Section
-2.1 of this License shall terminate.
-
-5.3. In the event of termination under Sections 5.1 or 5.2 above, all
-end user license agreements (excluding distributors and resellers) which
-have been validly granted by You or Your distributors under this License
-prior to termination shall survive termination.
-
-************************************************************************
-* *
-* 6. Disclaimer of Warranty *
-* ------------------------- *
-* *
-* Covered Software is provided under this License on an "as is" *
-* basis, without warranty of any kind, either expressed, implied, or *
-* statutory, including, without limitation, warranties that the *
-* Covered Software is free of defects, merchantable, fit for a *
-* particular purpose or non-infringing. The entire risk as to the *
-* quality and performance of the Covered Software is with You. *
-* Should any Covered Software prove defective in any respect, You *
-* (not any Contributor) assume the cost of any necessary servicing, *
-* repair, or correction. This disclaimer of warranty constitutes an *
-* essential part of this License. No use of any Covered Software is *
-* authorized under this License except under this disclaimer. *
-* *
-************************************************************************
-
-************************************************************************
-* *
-* 7. Limitation of Liability *
-* -------------------------- *
-* *
-* Under no circumstances and under no legal theory, whether tort *
-* (including negligence), contract, or otherwise, shall any *
-* Contributor, or anyone who distributes Covered Software as *
-* permitted above, be liable to You for any direct, indirect, *
-* special, incidental, or consequential damages of any character *
-* including, without limitation, damages for lost profits, loss of *
-* goodwill, work stoppage, computer failure or malfunction, or any *
-* and all other commercial damages or losses, even if such party *
-* shall have been informed of the possibility of such damages. This *
-* limitation of liability shall not apply to liability for death or *
-* personal injury resulting from such party's negligence to the *
-* extent applicable law prohibits such limitation. Some *
-* jurisdictions do not allow the exclusion or limitation of *
-* incidental or consequential damages, so this exclusion and *
-* limitation may not apply to You. *
-* *
-************************************************************************
-
-8. Litigation
--------------
-
-Any litigation relating to this License may be brought only in the
-courts of a jurisdiction where the defendant maintains its principal
-place of business and such litigation shall be governed by laws of that
-jurisdiction, without reference to its conflict-of-law provisions.
-Nothing in this Section shall prevent a party's ability to bring
-cross-claims or counter-claims.
-
-9. Miscellaneous
-----------------
-
-This License represents the complete agreement concerning the subject
-matter hereof. If any provision of this License is held to be
-unenforceable, such provision shall be reformed only to the extent
-necessary to make it enforceable. Any law or regulation which provides
-that the language of a contract shall be construed against the drafter
-shall not be used to construe this License against a Contributor.
-
-10. Versions of the License
----------------------------
-
-10.1. New Versions
-
-Mozilla Foundation is the license steward. Except as provided in Section
-10.3, no one other than the license steward has the right to modify or
-publish new versions of this License. Each version will be given a
-distinguishing version number.
-
-10.2. Effect of New Versions
-
-You may distribute the Covered Software under the terms of the version
-of the License under which You originally received the Covered Software,
-or under the terms of any subsequent version published by the license
-steward.
-
-10.3. Modified Versions
-
-If you create software not governed by this License, and you want to
-create a new license for such software, you may create and use a
-modified version of this License if you rename the license and remove
-any references to the name of the license steward (except to note that
-such modified license differs from this License).
-
-10.4. Distributing Source Code Form that is Incompatible With Secondary
-Licenses
-
-If You choose to distribute Source Code Form that is Incompatible With
-Secondary Licenses under the terms of this version of the License, the
-notice described in Exhibit B of this License must be attached.
-
-Exhibit A - Source Code Form License Notice
--------------------------------------------
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-If it is not possible or desirable to put the notice in a particular
-file, then You may include the notice in a location (such as a LICENSE
-file in a relevant directory) where a recipient would be likely to look
-for such a notice.
-
-You may add additional accurate notices of copyright ownership.
-
-Exhibit B - "Incompatible With Secondary Licenses" Notice
----------------------------------------------------------
-
- This Source Code Form is "Incompatible With Secondary Licenses", as
- defined by the Mozilla Public License, v. 2.0.
diff --git a/backend/vendor/sodi/deps.edn b/backend/vendor/sodi/deps.edn
deleted file mode 100644
index c60fe7f6b..000000000
--- a/backend/vendor/sodi/deps.edn
+++ /dev/null
@@ -1,32 +0,0 @@
-;; [org.clojure/test.check "0.9.0" :scope "test"]
-
-{:mvn/repos
- {"central" {:url "https://repo1.maven.org/maven2/"}
- "clojars" {:url "https://clojars.org/repo"}
- "jcenter" {:url "https://jcenter.bintray.com/"}}
-
- :deps
- {com.goterl.lazycode/lazysodium-java {:mvn/version "4.2.4"}}
-
- :paths ["src"]
-
- :aliases
- {:dev
- {:extra-deps
- {com.bhauman/rebel-readline {:mvn/version "0.1.4"}
- org.clojure/tools.namespace {:mvn/version "0.3.1"}
- org.clojure/test.check {:mvn/version "0.10.0"}}
- :extra-paths ["tests"]}
-
- :repl
- {:main-opts ["-m" "rebel-readline.main"]}
-
- :tests
- {:extra-deps {lambdaisland/kaocha {:mvn/version "0.0-565"}}
- :main-opts ["-m" "kaocha.runner"]}}}
-
-
-
-
-
-
diff --git a/backend/vendor/sodi/pom.xml b/backend/vendor/sodi/pom.xml
deleted file mode 100644
index e1f7f5748..000000000
--- a/backend/vendor/sodi/pom.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <groupId>funcool</groupId>
- <artifactId>sodi</artifactId>
- <version>0.0.0-alpha.1</version>
- <name>sodi</name>
- <description>Cryptographic Utilities for Clojure</description>
- <url>https://github.com/funcool/sodi</url>
- <scm>
- <connection>scm:git:git://github.com/funcool/sodi.git</connection>
- <developerConnection>scm:git:ssh://git@github.com/funcool/sodi.git</developerConnection>
- <tag>master</tag>
- <url>https://github.com/funcool/sodi</url>
- </scm>
- <build>
- <sourceDirectory>src</sourceDirectory>
- </build>
- <dependencies>
- <dependency>
- <groupId>org.clojure</groupId>
- <artifactId>clojure</artifactId>
- <version>1.10.1</version>
- </dependency>
- <dependency>
- <groupId>com.goterl.lazycode</groupId>
- <artifactId>lazysodium-java</artifactId>
- <version>4.2.4</version>
- </dependency>
- </dependencies>
- <repositories>
- <repository>
- <id>clojars</id>
- <url>https://repo.clojars.org/</url>
- </repository>
- </repositories>
-</project>
diff --git a/backend/vendor/sodi/src/sodi/prng.clj b/backend/vendor/sodi/src/sodi/prng.clj
deleted file mode 100644
index 039e02c60..000000000
--- a/backend/vendor/sodi/src/sodi/prng.clj
+++ /dev/null
@@ -1,42 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 Andrey Antukh <niwi@niwi.nz>
-
-(ns sodi.prng
- "Random data generation helpers."
- (:require [clojure.string :as str]
- [sodi.util :as util])
- (:import java.security.SecureRandom
- java.nio.ByteBuffer))
-
-(defonce ^:no-doc rng (SecureRandom.))
-
-(defn random-bytes
- "Generate a byte array of scpecified length with random
- bytes taken from secure random number generator.
- This method should be used to generate a random
- iv/salt or arbitrary length."
- ([^long numbytes]
- (let [buffer (byte-array numbytes)]
- (.nextBytes ^SecureRandom rng buffer)
- buffer))
- ([^SecureRandom rng ^long numbytes]
- (let [buffer (byte-array numbytes)]
- (.nextBytes rng buffer)
- buffer)))
-
-(defn random-nonce
- "Generate a secure nonce based on current time
- and additional random data obtained from secure random
- generator. The minimum value is 8 bytes, and recommended
- minimum value is 32."
- [^long numbytes]
- (let [^ByteBuffer buffer (ByteBuffer/allocate numbytes)]
- (.putLong buffer (System/currentTimeMillis))
- (.put buffer ^bytes (random-bytes (.remaining buffer)))
- (.array buffer)))
diff --git a/backend/vendor/sodi/src/sodi/pwhash.clj b/backend/vendor/sodi/src/sodi/pwhash.clj
deleted file mode 100644
index 6bebfd539..000000000
--- a/backend/vendor/sodi/src/sodi/pwhash.clj
+++ /dev/null
@@ -1,101 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 Andrey Antukh <niwi@niwi.nz>
-
-(ns sodi.pwhash
- "Password Hashing"
- (:refer-clojure :exclude [derive])
- (:require [clojure.string :as str]
- [sodi.prng :as rng]
- [sodi.util :as util])
- (:import javax.crypto.spec.PBEKeySpec
- javax.crypto.SecretKeyFactory))
-
-;; NOTE: at this moment only pbkdf2+sha512 algorithm is implement is
-;; good enough for start but we need seriosly consider add argon2
-;; algorithm and set it as default (and probably force rehash all
-;; passwords on login to start use new algorithm for existing users).
-;;
-;; Any help is welcome, lazysodium-java is already included in the
-;; dependencies so this should be pretty straight forward implement
-;; it.
-
-(defmulti ^:no-doc derive-password :alg)
-(defmulti ^:no-doc verify-password :alg)
-(defmulti ^:no-doc format-password :alg)
-(defmulti ^:no-doc parse-password
- (fn [password]
- (-> password
- (str/split #"\$" 2)
- (first))))
-
-;; --- Impl
-
-(defmethod parse-password :default
- [password]
- (let [[alg salt cc mc hash] (str/split password #"\$")]
- (when (some nil? [salt cc mc password])
- (throw (ex-info "Malformed hash" {:password password})))
- {:alg alg
- :salt (util/b64s->bytes salt)
- :hash (util/b64s->bytes hash)
- :cpucost (Integer/parseInt cc)
- :memcost (Integer/parseInt mc)}))
-
-(defmethod derive-password "pbkdf2+sha512"
- [{:keys [alg password salt cpucost] :as options}]
- (let [salt (or salt (rng/random-bytes 16))
- cpucost (or cpucost 50000)
- pwd (.toCharArray ^String password)
- spec (PBEKeySpec. pwd salt cpucost 512)
- skf (SecretKeyFactory/getInstance "PBKDF2WithHmacSHA256")
- hash (.getEncoded (.generateSecret skf spec))]
- {:alg alg
- :hash hash
- :salt salt
- :cpucost cpucost
- :memcost 0}))
-
-(defmethod derive-password :default
- [options]
- (derive-password (assoc options :alg "pbkdf2+sha512")))
-
-(defmethod format-password :default
- [{:keys [alg hash salt cpucost memcost]}]
- (let [salt (util/bytes->b64s salt)
- hash (util/bytes->b64s hash)]
- (format "%s$%s$%s$%s$%s" alg salt cpucost memcost hash)))
-
-(defmethod verify-password :default
- [pw-params]
- (let [candidate (-> (assoc pw-params :password (:candidate pw-params))
- (derive-password))]
- (util/equals? (:hash pw-params)
- (:hash candidate))))
-
-;; --- Public API
-
-(defn derive
- ([password] (derive password {}))
- ([password options]
- (-> (assoc options :password password)
- (derive-password)
- (format-password))))
-
-(defn verify
- ([candidate password] (verify candidate password {}))
- ([candidate password {:keys [alg setter-fn] :as options}]
- (when-not (and candidate password)
- (throw (ex-info "Invalid arguments." {})))
- (let [pw-params (-> (parse-password password)
- (assoc :candidate candidate))
- pw-params (if alg
- (assoc pw-params :alg alg)
- pw-params)]
- {:valid (verify-password pw-params)
- :need-rehash false})))
diff --git a/backend/vendor/sodi/src/sodi/util.clj b/backend/vendor/sodi/src/sodi/util.clj
deleted file mode 100644
index 6c020c406..000000000
--- a/backend/vendor/sodi/src/sodi/util.clj
+++ /dev/null
@@ -1,50 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 Andrey Antukh <niwi@niwi.nz>
-
-(ns sodi.util
- "Password Hashing"
- (:require [clojure.string :as str])
- (:import java.util.Base64
- java.util.Base64$Encoder
- java.util.Base64$Decoder))
-
-(defn str->bytes
- "Convert string to byte array."
- ([^String s]
- (str->bytes s "UTF-8"))
- ([^String s, ^String encoding]
- (.getBytes s encoding)))
-
-(defn bytes->str
- "Convert byte array to String."
- ([^bytes data]
- (bytes->str data "UTF-8"))
- ([^bytes data, ^String encoding]
- (String. data encoding)))
-
-(defn bytes->b64s
- [^bytes data]
- (let [^Base64$Encoder encoder (-> (Base64/getUrlEncoder)
- (.withoutPadding))]
- (.encodeToString encoder data)))
-
-(defn b64s->bytes
- [^String data]
- (let [^Base64$Decoder decoder (Base64/getUrlDecoder)]
- (.decode decoder data)))
-
-(defn equals?
- "Test whether two sequences of characters or bytes are equal in a way that
- protects against timing attacks. Note that this does not prevent an attacker
- from discovering the *length* of the data being compared."
- [a b]
- (let [a (map int a), b (map int b)]
- (if (and a b (= (count a) (count b)))
- (zero? (reduce bit-or 0 (map bit-xor a b)))
- false)))
diff --git a/backend/vendor/sodi/tests.edn b/backend/vendor/sodi/tests.edn
deleted file mode 100644
index 9885e11ff..000000000
--- a/backend/vendor/sodi/tests.edn
+++ /dev/null
@@ -1,5 +0,0 @@
-#kaocha/v1
-{:tests
- [{:id :unit
- :test-paths ["tests"]
- :ns-patterns ["test-.*"]}]}
diff --git a/backend/vendor/sodi/tests/sodi/tests/test_pwhash.clj b/backend/vendor/sodi/tests/sodi/tests/test_pwhash.clj
deleted file mode 100644
index 3e71e4fec..000000000
--- a/backend/vendor/sodi/tests/sodi/tests/test_pwhash.clj
+++ /dev/null
@@ -1,22 +0,0 @@
-(ns sodi.tests.test-pwhash
- (:require
- [clojure.test :as t]
- [clojure.test.check.clojure-test :refer [defspec]]
- [clojure.test.check.generators :as gen]
- [clojure.test.check.properties :as props]
- [sodi.pwhash :as pwh]))
-
-(defspec derive-verify-roundtrip 1000
- (props/for-all
- [password gen/string]
- (let [pwhash (pwh/derive password {:cpucost 10})
- result (pwh/verify password pwhash)]
- (t/is (true? (:valid result))))))
-
-(defspec derive-verify-roundtrip-invalid 1000
- (props/for-all
- [pw1 gen/string
- pw2 (gen/such-that #(not= % pw1) gen/string)]
- (let [pwhash (pwh/derive pw1 {:cpucost 10})
- result (pwh/verify pw2 pwhash)]
- (t/is (false? (:valid result))))))
diff --git a/backend/vendor/sodi/tests/user.clj b/backend/vendor/sodi/tests/user.clj
deleted file mode 100644
index bcd280b3f..000000000
--- a/backend/vendor/sodi/tests/user.clj
+++ /dev/null
@@ -1,31 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 Andrey Antukh <niwi@niwi.nz>
-
-(ns user
- (:require
- [clojure.tools.namespace.repl :as repl]
- [clojure.walk :refer [macroexpand-all]]
- [clojure.pprint :refer [pprint]]
- [clojure.test :as test]
- [clojure.java.io :as io]
- [clojure.repl :refer :all]))
-
-(defn run-tests
- ([] (run-tests #"^sodi.tests.*"))
- ([o]
- ;; (repl/refresh)
- (cond
- (instance? java.util.regex.Pattern o)
- (test/run-all-tests o)
-
- (symbol? o)
- (if-let [sns (namespace o)]
- (do (require (symbol sns))
- (test/test-vars [(resolve o)]))
- (test/test-ns o)))))