Removed the overloaded Argon2Encoding methods in Authenticator and moved the Argon2StubEncoding method to AuthenticatorStub

AsimA 2018-05-22 13:41:26 +02:00
parent aeb9754500
commit 96388c0951
5 changed files with 43 additions and 70 deletions


@ -150,7 +150,7 @@ public class RootUserPolicy implements PolicyIface {
ua.setEmailAddress(configuredRootUser); ua.setEmailAddress(configuredRootUser);
ua.setFirstName("root"); ua.setFirstName("root");
ua.setLastName("user"); ua.setLastName("user");
ua.setArgon2Password(Authenticator.applyArgon2iEncoding(cp, ua.setArgon2Password(Authenticator.applyArgon2iEncoding(
ROOT_USER_INITIAL_PASSWORD)); ROOT_USER_INITIAL_PASSWORD));
ua.setMd5Password(""); ua.setMd5Password("");
ua.setPasswordChangeRequired(true); ua.setPasswordChangeRequired(true);
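Review bot: The rewritten call `Authenticator.applyArgon2iEncoding(ROOT_USER_INITIAL_PASSWORD)` now depends on `ApplicationUtils.instance().getServletContext()` being usable while the root account is created, and nothing at this call site says so. The Javadoc of the overload this commit removes stated that on first run the root account is set up before Authenticator is reached, which is why the properties were passed in. Whether the application object is already initialised at this point cannot be seen from the hunk. If that ordering is guaranteed, record it with a comment such as `// ApplicationUtils must be initialised before the root account is created; the Argon2 settings are read through it`; otherwise a failure here would leave the installation without a root account. The enclosing method starts and ends outside the hunk.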


@ -10,7 +10,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.beans.UserAccount; import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties; import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
import org.apache.commons.codec.binary.Hex; import org.apache.commons.codec.binary.Hex;
import edu.cornell.mannlib.vitro.webapp.application.ApplicationUtils;
import javax.mail.internet.AddressException; import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress; import javax.mail.internet.InternetAddress;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
@ -57,7 +57,7 @@ public abstract class Authenticator {
* *
* If there is no factory, configure a Basic one. * If there is no factory, configure a Basic one.
*/ */
private static ConfigurationProperties cp;
public static Authenticator getInstance(HttpServletRequest request) { public static Authenticator getInstance(HttpServletRequest request) {
ServletContext ctx = request.getSession().getServletContext(); ServletContext ctx = request.getSession().getServletContext();
Object attribute = ctx.getAttribute(FACTORY_ATTRIBUTE_NAME); Object attribute = ctx.getAttribute(FACTORY_ATTRIBUTE_NAME);
@ -66,7 +66,6 @@ public abstract class Authenticator {
attribute = ctx.getAttribute(FACTORY_ATTRIBUTE_NAME); attribute = ctx.getAttribute(FACTORY_ATTRIBUTE_NAME);
} }
AuthenticatorFactory factory = (AuthenticatorFactory) attribute; AuthenticatorFactory factory = (AuthenticatorFactory) attribute;
cp = ConfigurationProperties.getBean(ctx);
return factory.getInstance(request); return factory.getInstance(request);
} }
@ -200,80 +199,36 @@ public abstract class Authenticator {
} }
} }
/**
* Applies Argon2i hashing on a string.
* Used by tests only with pre-specified values because the configuration
* properties (runtime.properties) is not set at compile time.
**/
public static String applyArgon2iEncodingStub(String raw) { /**
Argon2 argon2 = Argon2Factory.create(); * Applies Argon2i hashing on a string. Obtains the argon2i parameters
try { * from the configuration properties specified in the runtime.properties
return argon2.hash(200, 500, 1, raw); * through this class "Authenticator".
} catch (Exception e) { **/
// This can't happen with a normal Java runtime.
throw new RuntimeException(e);
}
}
/**
* Applies Argon2i hashing on a string. Obtains the argon2i parameters
* from the configuration properties specified in the runtime.properties
* through this class "Authenticator".
**/
public static String applyArgon2iEncoding(String raw) { public static String applyArgon2iEncoding(String raw) {
ServletContext ctx = ApplicationUtils.instance().getServletContext();
ConfigurationProperties configProp = ConfigurationProperties.getBean(ctx);
Argon2 argon2 = Argon2Factory.create(); Argon2 argon2 = Argon2Factory.create();
try { if (configProp.getProperty("argon2.time") != null
if(cp.getProperty("argon2.time") != null && cp.getProperty("argon2.memory") !=null && configProp.getProperty("argon2.memory") != null
&& cp.getProperty("argon2.parallelism")!=null) { && configProp.getProperty("argon2.parallelism") != null) {
return argon2.hash(Integer.parseInt(cp.getProperty("argon2.time")), return argon2.hash(
Integer.parseInt(cp.getProperty("argon2.memory")), Integer.parseInt(configProp.getProperty("argon2.time")),
Integer.parseInt(cp.getProperty("argon2.parallelism")), raw); Integer.parseInt(configProp.getProperty("argon2.memory")),
} Integer.parseInt(configProp.getProperty("argon2.parallelism")), raw);
else { } else {
throw new RuntimeException("Parameters \"argon2.time\", \"argon2.memory\" " + throw new RuntimeException(
"and \"argon2.parallelism\" are either missing in the \"runtime.properties\"" + "Parameters \"argon2.time\", \"argon2.memory\" and "
" file or are not defined correctly"); + "\"argon2.parallelism\" are either missing in the "
} + "\"runtime.properties\" file or are not defined correctly");
}
catch (Exception e) {
// This can't happen with a normal Java runtime.
throw new RuntimeException(e);
} }
} }
/**
* Applies Argon2i hashing on a string.
* When Vivo/Vitro is run for the first time the application needs to set
* the "root" account before a call is made to this class (Authenticator).
* In that case the configuration properties are passed along with the
* password string to this method.
**/
public static String applyArgon2iEncoding(ConfigurationProperties configProp, String raw) {
Argon2 argon2 = Argon2Factory.create();
try {
if(configProp.getProperty("argon2.time") != null && configProp.getProperty("argon2.memory") !=null
&& configProp.getProperty("argon2.parallelism")!=null) {
return argon2.hash(Integer.parseInt(configProp.getProperty("argon2.time")),
Integer.parseInt(configProp.getProperty("argon2.memory")),
Integer.parseInt(configProp.getProperty("argon2.parallelism")), raw);
}
else {
throw new RuntimeException("Parameters \"argon2.time\", \"argon2.memory\" " +
"and \"argon2.parallelism\" are either missing in the \"runtime.properties\"" +
" file or are not defined correctly");
}
}
catch (Exception e) {
// This can't happen with a normal Java runtime.
throw new RuntimeException(e);
}
}
/** /**
Verifies the string against the Argon2i hash stored for a user account Verifies the string against the Argon2i hash stored for a user account
*/ */


@ -9,6 +9,8 @@ import java.util.Map;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import de.mkammerer.argon2.Argon2;
import de.mkammerer.argon2.Argon2Factory;
import edu.cornell.mannlib.vedit.beans.LoginStatusBean; import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource; import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
import edu.cornell.mannlib.vitro.webapp.beans.UserAccount; import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
@ -114,6 +116,22 @@ public class AuthenticatorStub extends Authenticator {
return false; return false;
} }
/**
* Applies Argon2i hashing on a string.
* Used by tests only with pre-specified values because the configuration
* properties (runtime.properties) is not set at compile time.
**/
public static String applyArgon2iEncodingStub(String raw) {
Argon2 argon2 = Argon2Factory.create();
try {
return argon2.hash(200, 500, 1, raw);
} catch (Exception e) {
// This can't happen with a normal Java runtime.
throw new RuntimeException(e);
}
}
@Override @Override
public boolean isCurrentPasswordArgon2(UserAccount userAccount, public boolean isCurrentPasswordArgon2(UserAccount userAccount,
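Review bot: The literals in `argon2.hash(200, 500, 1, raw)` inside the moved `applyArgon2iEncodingStub` are unexplained. Going by the production method, they are the time, memory and parallelism costs in that order. A comment such as `// fixed time/memory/parallelism costs for tests only; production values come from runtime.properties` would stop them being copied as a recommended setting. The `catch (Exception e)` with its "can't happen" comment also looks unnecessary, since the reworked `Authenticator.applyArgon2iEncoding` in this commit calls `argon2.hash` with no try/catch. Dropping it would keep the two methods consistent.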


@ -98,7 +98,7 @@ public class ProgramLoginTest extends AbstractTestClass {
user.setUri(uri); user.setUri(uri);
user.setPermissionSetUris(Collections user.setPermissionSetUris(Collections
.singleton(PermissionSets.URI_DBA)); .singleton(PermissionSets.URI_DBA));
user.setArgon2Password(Authenticator.applyArgon2iEncodingStub(password)); user.setArgon2Password(AuthenticatorStub.applyArgon2iEncodingStub(password));
user.setMd5Password(""); user.setMd5Password("");
user.setLoginCount(loginCount); user.setLoginCount(loginCount);
user.setPasswordChangeRequired(loginCount == 0); user.setPasswordChangeRequired(loginCount == 0);


@ -191,7 +191,7 @@ public class AuthenticateTest extends AbstractTestClass {
user.setEmailAddress(userInfo.username); user.setEmailAddress(userInfo.username);
user.setUri(userInfo.uri); user.setUri(userInfo.uri);
user.setPermissionSetUris(userInfo.permissionSetUris); user.setPermissionSetUris(userInfo.permissionSetUris);
user.setArgon2Password(Authenticator.applyArgon2iEncodingStub(userInfo.password)); user.setArgon2Password(AuthenticatorStub.applyArgon2iEncodingStub(userInfo.password));
user.setMd5Password(""); user.setMd5Password("");
user.setLoginCount(userInfo.loginCount); user.setLoginCount(userInfo.loginCount);
user.setPasswordChangeRequired(userInfo.loginCount == 0); user.setPasswordChangeRequired(userInfo.loginCount == 0);