File: //usr/lib/ruby/2.7.0/webrick/httpauth/htpasswd.rb
# frozen_string_literal: false
#
# httpauth/htpasswd -- Apache compatible htpasswd file
#
# Author: IPR -- Internet Programming with Ruby -- writers
# Copyright (c) 2003 Internet Programming with Ruby writers. All rights
# reserved.
#
# $IPR: htpasswd.rb,v 1.4 2003/07/22 19:20:45 gotoyuzo Exp $
require_relative 'userdb'
require_relative 'basicauth'
require 'tempfile'
module WEBrick
  module HTTPAuth
    ##
    # Htpasswd accesses apache-compatible password files.  Passwords are
    # matched to a realm where they are valid.  For security, the path for a
    # password database should be stored outside of the paths available to the
    # HTTP server.
    #
    # Htpasswd is intended for use with WEBrick::HTTPAuth::BasicAuth.
    #
    # To create an Htpasswd database with a single user:
    #
    #   htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file'
    #   htpasswd.set_passwd 'my realm', 'username', 'password'
    #   htpasswd.flush
    class Htpasswd
      include UserDB
      ##
      # Open a password database at +path+
      def initialize(path, password_hash: nil)
        @path = path
        @mtime = Time.at(0)
        @passwd = Hash.new
        @auth_type = BasicAuth
        @password_hash = password_hash
        case @password_hash
        when nil
          # begin
          #   require "string/crypt"
          # rescue LoadError
          #   warn("Unable to load string/crypt, proceeding with deprecated use of String#crypt, consider using password_hash: :bcrypt")
          # end
          @password_hash = :crypt
        when :crypt
          # require "string/crypt"
        when :bcrypt
          require "bcrypt"
        else
          raise ArgumentError, "only :crypt and :bcrypt are supported for password_hash keyword argument"
        end
        File.open(@path,"a").close unless File.exist?(@path)
        reload
      end
      ##
      # Reload passwords from the database
      def reload
        mtime = File::mtime(@path)
        if mtime > @mtime
          @passwd.clear
          File.open(@path){|io|
            while line = io.gets
              line.chomp!
              case line
              when %r!\A[^:]+:[a-zA-Z0-9./]{13}\z!
                if @password_hash == :bcrypt
                  raise StandardError, ".htpasswd file contains crypt password, only bcrypt passwords supported"
                end
                user, pass = line.split(":")
              when %r!\A[^:]+:\$2[aby]\$\d{2}\$.{53}\z!
                if @password_hash == :crypt
                  raise StandardError, ".htpasswd file contains bcrypt password, only crypt passwords supported"
                end
                user, pass = line.split(":")
              when /:\$/, /:{SHA}/
                raise NotImplementedError,
                      'MD5, SHA1 .htpasswd file not supported'
              else
                raise StandardError, 'bad .htpasswd file'
              end
              @passwd[user] = pass
            end
          }
          @mtime = mtime
        end
      end
      ##
      # Flush the password database.  If +output+ is given the database will
      # be written there instead of to the original path.
      def flush(output=nil)
        output ||= @path
        tmp = Tempfile.create("htpasswd", File::dirname(output))
        renamed = false
        begin
          each{|item| tmp.puts(item.join(":")) }
          tmp.close
          File::rename(tmp.path, output)
          renamed = true
        ensure
          tmp.close
          File.unlink(tmp.path) if !renamed
        end
      end
      ##
      # Retrieves a password from the database for +user+ in +realm+.  If
      # +reload_db+ is true the database will be reloaded first.
      def get_passwd(realm, user, reload_db)
        reload() if reload_db
        @passwd[user]
      end
      ##
      # Sets a password in the database for +user+ in +realm+ to +pass+.
      def set_passwd(realm, user, pass)
        if @password_hash == :bcrypt
          # Cost of 5 to match Apache default, and because the
          # bcrypt default of 10 will introduce significant delays
          # for every request.
          @passwd[user] = BCrypt::Password.create(pass, :cost=>5)
        else
          @passwd[user] = make_passwd(realm, user, pass)
        end
      end
      ##
      # Removes a password from the database for +user+ in +realm+.
      def delete_passwd(realm, user)
        @passwd.delete(user)
      end
      ##
      # Iterate passwords in the database.
      def each # :yields: [user, password]
        @passwd.keys.sort.each{|user|
          yield([user, @passwd[user]])
        }
      end
    end
  end
end