simon/smeagol
1
0
Fork 0
mirror of https://github.com/journeyman-cc/smeagol.git synced 2026-04-12 18:05:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Now with strongly encrypted passwords! With the security issue solved, I've

Browse source 
upversioned to 0.5.0.
This commit is contained in:
simon 2015-01-16 22:41:48 +00:00
parent 1d87595a64
commit 37a61da33a
5 changed files with 66 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

14
README.md
View file

@ -15,28 +15,28 @@ Smeagol uses the Markdown format as provided by [markdown-clj](https://github.co
## Security and authentication
Currently security is very weak. There is currently a file called *passwd* in the *resources* directory, which contains a clojure map which maps usernames to maps with plain-text passwords and emails thus:
Currently security is now greatly improved. There is currently a file called *passwd* in the *resources* directory, which contains a clojure map which maps usernames to maps with plain-text passwords and emails thus:
{:admin {:password "admin" :email "admin@localhost"}
:adam {:password "secret" :email "adam@localhost"}}
that is to say, the username is a keyword and the corresponding password is a string. Obviously, this is a temporary solution while in development which I will fix later.
that is to say, the username is a keyword and the corresponding password is a string. However, since version 0.5.0, users can now change their own passwords, and when the user changes their password their new password is encrypted using the [scrypt](http://www.tarsnap.com/scrypt.html) one-way encryption scheme. The password file is now no longer either in the *resources/public* directory so cannot be downloaded through the browser, and is no longer in the git archive to which the Wiki content is stored, so that even if that git archive is remotely clonable an attacker cannot get the password file that way.
There's still no mechanism to add a new user to the system through the user interface; you do sill have to do that by editing the password file in an editor.
## Todo
* Image (and other media) upload;
* Improved editor. The editor is at present very primitive - right back from the beginnings of the Web. It would be nice to have a rich embedded editor like [Hallo](https://github.com/bergie/hallo) or [Aloha](http://aloha-editor.org/Content.Node/index.html) but I haven't (yet) had time to integrate them!
* Improved security. Having the passwords in plain text rather than encrypted is just basically poor. Essentially, authentication mechanisms should be pluggable, and at present they aren't;
* Transform diff output to HTML to show changes in a more user friendly format;
* Mechanism to add users through the user interface;
* Mechanism to change passwords through the user interface;
## License
Copyright © 2014 Simon Brooke. Licensed under the GNU General Public License,
Copyright © 2014-2015 Simon Brooke. Licensed under the GNU General Public License,
version 2.0 or (at your option) any later version. If you wish to incorporate
parts of Smeagol into another open source project which uses a less restrictive
license, please contact me.
license, please contact me; I'm open to dual licensing it.
## Prerequisites
@ -52,7 +52,7 @@ To start a web server for the application, run:
or more probably
nohup lein ring server > smeagol.log &
nohup lein ring server > smeagol.log &
Alternatively, if you want to deploy to a servlet container (which I would strongly recommend), the simplest thing is to run:

3
project.clj
View file

@ -1,4 +1,4 @@
(defproject smeagol "0.4.0-SNAPSHOT"
(defproject smeagol "0.5.0-SNAPSHOT"
:description "A simple Git-backed Wiki inspired by Gollum"
:url "https://github.com/simon-brooke/smeagol"
:dependencies [[org.clojure/clojure "1.6.0"]
@ -9,6 +9,7 @@
[com.taoensso/timbre "3.3.1" :exclusions [org.clojure/tools.reader]]
[com.taoensso/tower "3.0.2" :exclusions [com.taoensso/encore]]
[markdown-clj "0.9.55" :exclusions [com.keminglabs/cljx]]
[crypto-password "0.1.3"]
[clj-jgit "0.8.2"]
[environ "1.0.0"]
[im.chit/cronj "1.4.2"]

47
resources/public/content/Introduction.md
View file

@ -1,35 +1,64 @@
# Welcome to Smeagol!
Smeagol is a simple Wiki engine inspired by [Gollum](https://github.com/gollum/gollum/wiki). Gollum is a Wiki engine written in Ruby, which uses a number of simple text formats including [Markdown](http://daringfireball.net/projects/markdown/), which uses [Git](http://git-scm.com/) to provide versioning and backup. I needed a new Wiki for a project and thought Gollum would be ideal - but unfortunately it doesn't provide user authentication, which I needed, and it was simpler for me to reimplement the bits I did need in Clojure than to modify Gollum.
Smeagol is a simple Wiki engine inspired by [Gollum](https://github.com/gollum/gollum/wiki). Gollum is a Wiki engine written in Ruby, which uses a number of simple text formats including [Markdown](http://daringfireball.net/projects/markdown/), and which uses [Git](http://git-scm.com/) to provide versioning and backup. I needed a new Wiki for a project and thought Gollum would be ideal - but unfortunately it doesn't provide user authentication, which I needed, and it was simpler for me to reimplement the bits I did need in Clojure than to modify Gollum.
So at this stage Smeagol is a Wiki engine written in Clojure which uses Markdown as its text format, which does have user authentication, and which uses Git as its versioning and backup system.
## Status
Smeagol is now a fully working small Wiki engine, and meets my own immediate needs. There are some obvious
things which could be improved - see **TODO** list below - but it works now and doesn't seem to have any major problems.
## Markup syntax
Smeagol uses the Markdown format as provided by [markdown-clj](https://github.com/yogthos/markdown-clj), with the addition that anything enclosed in double square brackets, \[\[like this\]\], will be treated as a link into the wiki.
Smeagol uses the Markdown format as provided by [markdown-clj](https://github.com/yogthos/markdown-clj), with the addition that anything enclosed in double square brackets, \[\[like this\]\], will be treated as a link into the wiki itself.
## Security and authentication
Currently security is very weak. There is currently a file called *passwd* in the *resources/public* directory, which contains a clojure map of which maps username to maps with plain-text passwords and emails thus:
Currently security is now greatly improved. There is currently a file called *passwd* in the *resources* directory, which contains a clojure map which maps usernames to maps with plain-text passwords and emails thus:
{:admin {:password "admin" :email "admin@localhost"}
:adam {:password "secret" :email "adam@localhost"}}
that is to say, the username is a keyword and the corresponding password is a string. Obviously, this is a temporary solution while in development which I will fix later.
that is to say, the username is a keyword and the corresponding password is a string. However, since version 0.5.0, users can now change their own passwords, and when the user changes their password their new password is encrypted using the [scrypt](http://www.tarsnap.com/scrypt.html) one-way encryption scheme. The password file is now no longer either in the *resources/public* directory so cannot be downloaded through the browser, and is no longer in the git archive to which the Wiki content is stored, so that even if that git archive is remotely clonable an attacker cannot get the password file that way.
There's still no mechanism to add a new user to the system through the user interface; you do sill have to do that by editing the password file in an editor.
## Todo
* Currently, you need to do a 'git init' in the *resources/public/content* directory to initialise a git repository there - it should automatically create one if none exists, but does not currently do this;
* Image (and other media) upload;
* Improved editor. The editor is at present very primitive - right back from the beginnings of the Web. It would be nice to have a rich embedded editor like [Hallo](https://github.com/bergie/hallo) or [Aloha](http://aloha-editor.org/Content.Node/index.html) but I haven't (yet) had time to integrate them!
* Improved security. Having the passwords in plain text rather than encrypted is just basically poor; having the passwd file in *public* space is also poor (although I believe it cannot be accessed via HTTP). Essentially, authentication mechanisms should be pluggable, and at present they aren't;
* Transform diff output to HTML to show changes in a more user friendly format;
* Mechanism to add users through the user interface;
* Mechanism to change passwords through the user interface;
## License
Copyright © 2014 Simon Brooke. Licensed under the GNU General Public License,
version 2.0 or (at your option) any later version.
Copyright © 2014-2015 Simon Brooke. Licensed under the GNU General Public License,
version 2.0 or (at your option) any later version. If you wish to incorporate
parts of Smeagol into another open source project which uses a less restrictive
license, please contact me; I'm open to dual licensing it.
## Prerequisites
You will need [Leiningen][1] 2.0 or above installed.
[1]: https://github.com/technomancy/leiningen
## Running
To start a web server for the application, run:
lein ring server
or more probably
nohup lein ring server > smeagol.log &
Alternatively, if you want to deploy to a servlet container (which I would strongly recommend), the simplest thing is to run:
lein ring uberwar
(a command which I'm sure Smeagol would entirely appreciate) and deploy the resulting war file.
## Editing the framing content

24
src/smeagol/authenticate.clj
View file

@ -1,7 +1,8 @@
(ns smeagol.authenticate
(:use clojure.walk)
(:require [taoensso.timbre :as timbre]
[noir.io :as io]))
[noir.io :as io]
[crypto.password.scrypt :as password]))
;; Smeagol: a very simple Wiki engine
;; Copyright (C) 2014 Simon Brooke
@ -22,8 +23,8 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; All functions which relate to the passwd file are in this namespace, in order
;; that it can reasonably simply swapped out for a more secure replacement
;; All functions which relate to the passwd file are in this namespace, in order
;; that it can reasonably simply swapped out for a more secure replacement.
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -34,7 +35,10 @@
users (read-string (slurp path))
user ((keyword username) users)]
(timbre/info (str "Authenticating " username " against " path))
(and user (.equals (:password user) password))))
(and user
(or
(.equals (:password user) password)
(password/check password (:password user))))))
(defn get-email
"Return the email address associated with this `username`."
@ -46,7 +50,8 @@
(defn change-pass
"Change the password for the user with this `username` and `oldpass` to this `newpass`.
Return `true` if password was successfully changed."
Return `true` if password was successfully changed. Subsequent to user change, their
password will be encrypted."
[username oldpass newpass]
(timbre/info (format "Changing password for user %s" username))
(let [path (str (io/resource-path) "../passwd")
@ -56,9 +61,14 @@
email (:email user)]
(try
(cond
(and user (.equals (:password user) oldpass))
(and user
(or
(.equals (:password user) oldpass)
(password/check oldpass (:password user))))
(do
(spit path (assoc (dissoc users keywd) keywd {:password newpass :email email}))
(spit path
(assoc (dissoc users keywd) keywd
{:password (password/encrypt newpass) :email email}))
true))
(catch Exception any
(timbre/error

4
src/smeagol/routes/wiki.clj
View file

@ -16,8 +16,7 @@
;; Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
(ns smeagol.routes.wiki
(:use clojure.walk
clojure.pprint)
(:use clojure.walk)
(:require [compojure.core :refer :all]
[clj-jgit.porcelain :as git]
[markdown.core :as md]
@ -154,7 +153,6 @@
(defn auth-page
"Render the auth page"
[request]
(pprint request)
(let [params (keywordize-keys (:form-params request))
username (:username params)
password (:password params)