inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-10-08 14:51:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged 5.1-MC1 (5.1.0) to HEAD (5.1)

Browse Source 
119044 adavis: Merged 5.1.N (5.1.1) to 5.1-MC1 (5.1.0)
      117325 adavis: Merged 5.0.2-CLOUD42 (Cloud ) to 5.1.N (5.1.1)
         117234 adavis: Merged 5.0.2-CLOUD (Cloud ) to 5.0.2-CLOUD42 (Cloud )
            114503 adavis: Merged BCRYPT to 5.0.2-CLOUD
               113532 gjames: Adding a CompositePasswordEncoder for MNT-14892


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@119882 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Jean-Pierre Huynh
2015-12-10 09:57:28 +00:00
parent bc946d06f5
commit 01ffcc2511
2 changed files with 509 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

214
source/java/org/alfresco/repo/security/authentication/CompositePasswordEncoder.java Normal file
View File

@@ -0,0 +1,214 @@
/*
* Copyright (C) 2005-2016 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.security.authentication;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.util.ParameterCheck;
import org.alfresco.util.PropertyCheck;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import java.util.List;
import java.util.Map;
/**
* A configurable password encoding that delegates the encoding to a Map of
* configured encoders.
*
* @Author Gethin James
*/
public class CompositePasswordEncoder
{
private static Log logger = LogFactory.getLog(CompositePasswordEncoder.class);
private Map<String,Object> encoders;
private String preferredEncoding;
private String legacyEncoding;
private String legacyEncodingProperty;
public void setLegacyEncoding(String legacyEncoding)
{
this.legacyEncoding = legacyEncoding;
}
public void setLegacyEncodingProperty(String legacyEncodingProperty)
{
this.legacyEncodingProperty = legacyEncodingProperty;
}
public String getPreferredEncoding()
{
return preferredEncoding;
}
public String getLegacyEncoding()
{
return legacyEncoding;
}
public String getLegacyEncodingProperty()
{
return legacyEncodingProperty;
}
public void setPreferredEncoding(String preferredEncoding)
{
this.preferredEncoding = preferredEncoding;
}
public void setEncoders(Map<String, Object> encoders)
{
this.encoders = encoders;
}
/**
* Is this the preferred encoding ?
* @param encoding a String representing the encoding
* @return true if is correct
*/
public boolean isPreferredEncoding(String encoding)
{
return preferredEncoding.equals(encoding);
}
/**
* Basic init method for checking mandatory properties
*/
public void init()
{
PropertyCheck.mandatory(this, "encoders", encoders);
PropertyCheck.mandatory(this, "preferredEncoding", preferredEncoding);
PropertyCheck.mandatory(this, "legacyEncoding", legacyEncoding);
PropertyCheck.mandatory(this, "legacyEncodingProperty", legacyEncodingProperty);
}
/**
* Encode a password
* @param rawPassword mandatory password
* @param salt optional salt
* @param encodingChain mandatory encoding chain
* @return the encoded password
*/
public String encodePassword(String rawPassword, Object salt, List<String> encodingChain) {
ParameterCheck.mandatoryString("rawPassword", rawPassword);
ParameterCheck.mandatoryCollection("encodingChain", encodingChain);
String encoded = new String(rawPassword);
for (String encoderKey : encodingChain)
{
encoded = encode(encoderKey, encoded, salt);
}
if (encoded == rawPassword) throw new AlfrescoRuntimeException("No password encoding specified. "+encodingChain);
return encoded;
}
/**
* Encode a password using the specified encoderKey
* @param encoderKey the encoder to use
* @param rawPassword mandatory password
* @param salt optional salt
* @return the encoded password
*/
protected String encode(String encoderKey, String rawPassword, Object salt)
{
ParameterCheck.mandatoryString("rawPassword", rawPassword);
ParameterCheck.mandatoryString("encoderKey", encoderKey);
Object encoder = encoders.get(encoderKey);
if (encoder == null) throw new AlfrescoRuntimeException("Invalid encoder specified: "+encoderKey);
if (encoder instanceof net.sf.acegisecurity.providers.encoding.PasswordEncoder)
{
net.sf.acegisecurity.providers.encoding.PasswordEncoder pEncoder = (net.sf.acegisecurity.providers.encoding.PasswordEncoder) encoder;
if (logger.isDebugEnabled()) {
logger.debug("Encoding using acegis PasswordEncoder: "+encoderKey);
}
return pEncoder.encodePassword(rawPassword, salt);
}
if (encoder instanceof org.springframework.security.crypto.password.PasswordEncoder)
{
org.springframework.security.crypto.password.PasswordEncoder passEncoder = (org.springframework.security.crypto.password.PasswordEncoder) encoder;
if (logger.isDebugEnabled()) {
logger.debug("Encoding using spring PasswordEncoder: "+encoderKey);
}
return passEncoder.encode(rawPassword);
}
throw new AlfrescoRuntimeException("Unsupported encoder specified: "+encoderKey);
}
/**
* Does the password match?
* @param rawPassword mandatory password
* @param encodedPassword mandatory hashed version
* @param salt optional salt
* @param encodingChain mandatory encoding chain
* @return true if they match
*/
public boolean matchesPassword(String rawPassword, String encodedPassword, Object salt, List<String> encodingChain)
{
ParameterCheck.mandatoryString("rawPassword", rawPassword);
ParameterCheck.mandatoryString("encodedPassword", encodedPassword);
ParameterCheck.mandatoryCollection("encodingChain", encodingChain);
if (encodingChain.size() > 1)
{
String lastEncoder = encodingChain.get(encodingChain.size() - 1);
String encoded = encodePassword(rawPassword,salt, encodingChain.subList(0,encodingChain.size()-1));
return matches(lastEncoder,encoded,encodedPassword,salt);
}
if (encodingChain.size() == 1)
{
return matches(encodingChain.get(0), rawPassword, encodedPassword, salt);
}
return false;
}
/**
* Does the password match?
* @param encoderKey the encoder to use
* @param rawPassword mandatory password
* @param encodedPassword mandatory hashed version
* @param salt optional salt
* @return true if they match
*/
protected boolean matches(String encoderKey, String rawPassword, String encodedPassword, Object salt)
{
ParameterCheck.mandatoryString("rawPassword", rawPassword);
ParameterCheck.mandatoryString("encodedPassword", encodedPassword);
ParameterCheck.mandatoryString("encoderKey", encoderKey);
Object encoder = encoders.get(encoderKey);
if (encoder == null) throw new AlfrescoRuntimeException("Invalid matches encoder specified: "+encoderKey);
if (encoder instanceof net.sf.acegisecurity.providers.encoding.PasswordEncoder)
{
net.sf.acegisecurity.providers.encoding.PasswordEncoder pEncoder = (net.sf.acegisecurity.providers.encoding.PasswordEncoder) encoder;
if (logger.isDebugEnabled()) {
logger.debug("Matching using acegis PasswordEncoder: "+encoderKey);
}
return pEncoder.isPasswordValid(encodedPassword, rawPassword, salt);
}
if (encoder instanceof org.springframework.security.crypto.password.PasswordEncoder)
{
org.springframework.security.crypto.password.PasswordEncoder passEncoder = (org.springframework.security.crypto.password.PasswordEncoder) encoder;
if (logger.isDebugEnabled()) {
logger.debug("Matching using spring PasswordEncoder: "+encoderKey);
}
return passEncoder.matches(rawPassword, encodedPassword);
}
throw new AlfrescoRuntimeException("Unsupported encoder for matching: "+encoderKey);
}
}

295
source/test-java/org/alfresco/repo/security/authentication/CompositePasswordEncoderTest.java Normal file
View File

@@ -0,0 +1,295 @@
/*
* Copyright (C) 2005-2016 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.security.authentication;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotEquals;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.util.GUID;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* Tests CompositePasswordEncoder
* @author Gethin James
*/
public class CompositePasswordEncoderTest
{
CompositePasswordEncoder encoder;
static Map<String,Object> encodersConfig;
private static final String SOURCE_PASSWORD = "SOURCE PASS Word $%%^ #';/,_+{+} like €this"+"\u4eca\u65e5\u306f\u4e16\u754c";
@BeforeClass
public static void setUpClass() throws Exception
{
encodersConfig = new HashMap<>();
encodersConfig.put("md4", new MD4PasswordEncoderImpl());
encodersConfig.put("sha256", new ShaPasswordEncoderImpl(256));
encodersConfig.put("bcrypt10",new BCryptPasswordEncoder(10));
encodersConfig.put("bcrypt20",new BCryptPasswordEncoder(20));
encodersConfig.put("bcrypt30",new BCryptPasswordEncoder(30));
encodersConfig.put("badencoder",new Object());
}
@Before
public void setUp() throws Exception
{
encoder = new CompositePasswordEncoder();
encoder.setEncoders(encodersConfig);
}
@Test
public void testInvalidParamsEncode() throws Exception
{
String encoded = null;
try
{
encoded = encoder.encode(null, null, null);
fail("Should throw exception");
} catch (IllegalArgumentException are)
{
assertTrue(are.getMessage().contains("rawPassword is a mandatory"));
}
try
{
encoded = encoder.encode(null, "fred", null);
fail("Should throw exception");
} catch (IllegalArgumentException are)
{
assertTrue(are.getMessage().contains("encoderKey is a mandatory parameter"));
}
try
{
encoded = encoder.encode("nonsense", "fred", null);
fail("Should throw exception");
} catch (AlfrescoRuntimeException are)
{
assertTrue(are.getMessage().contains("Invalid encoder specified"));
assertTrue(are.getMessage().endsWith("nonsense"));
}
try
{
encoded = encoder.encode("badencoder", "fred", null);
fail("Should throw exception");
} catch (AlfrescoRuntimeException are)
{
assertTrue(are.getMessage().contains("Unsupported encoder specified"));
assertTrue(are.getMessage().endsWith("badencoder"));
}
}
@Test
public void testInvalidParamsMatches() throws Exception
{
boolean match = false;
try
{
match = encoder.matches(null, null, null,null);
fail("Should throw exception");
} catch (IllegalArgumentException are)
{
assertTrue(are.getMessage().contains("rawPassword is a mandatory"));
}
try
{
match = encoder.matches(null, "fred", null,null);
fail("Should throw exception");
} catch (IllegalArgumentException are)
{
assertTrue(are.getMessage().contains("encodedPassword is a mandatory parameter"));
}
try
{
match = encoder.matches(null, "fred", "xyz",null);
fail("Should throw exception");
} catch (IllegalArgumentException are)
{
assertTrue(are.getMessage().contains("encoderKey is a mandatory parameter"));
}
try
{
match = encoder.matches("nonsense", "fred", "xyz",null);
fail("Should throw exception");
} catch (AlfrescoRuntimeException are)
{
assertTrue(are.getMessage().contains("Invalid matches encoder specified"));
assertTrue(are.getMessage().endsWith("nonsense"));
}
try
{
match = encoder.matches("badencoder", "fred", "xyz", null);
fail("Should throw exception");
} catch (AlfrescoRuntimeException are)
{
assertTrue(are.getMessage().contains("Unsupported encoder for matching"));
assertTrue(are.getMessage().endsWith("badencoder"));
}
}
@Test
public void testEncodeMD4() throws Exception
{
String salt = GUID.generate();
MD4PasswordEncoderImpl md4 = new MD4PasswordEncoderImpl();
String sourceEncoded = md4.encodePassword(SOURCE_PASSWORD, salt);
String sourceEncodedSaltFree = md4.encodePassword(SOURCE_PASSWORD, null);
String encoded = encoder.encode("md4", SOURCE_PASSWORD, salt);
assertEquals(sourceEncoded, encoded);
assertTrue(encoder.matches("md4", SOURCE_PASSWORD, encoded, salt));
assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, encoded, salt, Arrays.asList("md4")));
assertEquals(sourceEncoded, encoder.encodePassword(SOURCE_PASSWORD, salt, Arrays.asList("md4")));
encoded = encoder.encode("md4", SOURCE_PASSWORD, null);
assertEquals(sourceEncodedSaltFree, encoded);
assertTrue(encoder.matches("md4", SOURCE_PASSWORD, sourceEncodedSaltFree, null));
assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, sourceEncodedSaltFree, null, Arrays.asList("md4")));
assertEquals(sourceEncodedSaltFree, encoder.encodePassword(SOURCE_PASSWORD, null, Arrays.asList("md4")));
encoded = encoder.encode("sha256", SOURCE_PASSWORD, null);
assertNotEquals(sourceEncodedSaltFree, encoded);
}
@Test
public void testEncodeSha256() throws Exception
{
String salt = GUID.generate();
ShaPasswordEncoderImpl sha = new ShaPasswordEncoderImpl(256);
String sourceEncoded = sha.encodePassword(SOURCE_PASSWORD, salt);
String sourceEncodedSaltFree = sha.encodePassword(SOURCE_PASSWORD, null);
String encoded = encoder.encode("sha256", SOURCE_PASSWORD, salt);
assertEquals(sourceEncoded, encoded);
assertTrue(encoder.matches("sha256", SOURCE_PASSWORD, encoded, salt));
assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, encoded, salt, Arrays.asList("sha256")));
assertEquals(sourceEncoded, encoder.encodePassword(SOURCE_PASSWORD, salt, Arrays.asList("sha256")));
encoded = encoder.encode("sha256", SOURCE_PASSWORD, null);
assertEquals(sourceEncodedSaltFree, encoded);
assertTrue(encoder.matches("sha256", SOURCE_PASSWORD, sourceEncodedSaltFree, null));
assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, sourceEncodedSaltFree, null, Arrays.asList("sha256")));
assertEquals(sourceEncodedSaltFree, encoder.encodePassword(SOURCE_PASSWORD, null, Arrays.asList("sha256")));
encoded = encoder.encode("md4", SOURCE_PASSWORD, null);
assertNotEquals(sourceEncodedSaltFree, encoded);
}
@Test
public void testEncodeBcrypt() throws Exception
{
String encoded = encoder.encode("bcrypt10", SOURCE_PASSWORD, null);
assertTrue(encoder.matches("bcrypt10", SOURCE_PASSWORD, encoded, null));
assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, encoded, null, Arrays.asList("bcrypt10")));
assertFalse(encoder.matches("sha256", SOURCE_PASSWORD, encoded, null));
}
@Test
public void testEncodeChain() throws Exception
{
String salt = GUID.generate();
List<String> mdbChain = Arrays.asList("bcrypt10");
String encoded = encoder.encodePassword(SOURCE_PASSWORD, null, mdbChain);
assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, encoded, null, mdbChain));
mdbChain = Arrays.asList("md4","bcrypt10");
encoded = encoder.encodePassword(SOURCE_PASSWORD, salt, mdbChain);
assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, encoded, salt, mdbChain));
mdbChain = Arrays.asList("sha256","bcrypt10");
encoded = encoder.encodePassword(SOURCE_PASSWORD, salt, mdbChain);
assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, encoded, salt, mdbChain));
mdbChain = Arrays.asList("md4","sha256","bcrypt10");
encoded = encoder.encodePassword(SOURCE_PASSWORD, salt, mdbChain);
assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, encoded, salt, mdbChain));
mdbChain = Arrays.asList("md4","sha256");
encoded = encoder.encodePassword(SOURCE_PASSWORD, salt, mdbChain);
assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, encoded, salt, mdbChain));
mdbChain = Arrays.asList("md4","sha256","md4","sha256","bcrypt10");
encoded = encoder.encodePassword(SOURCE_PASSWORD, salt, mdbChain);
assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, encoded, salt, mdbChain));
}
@Test
public void testMandatoryProperties() throws Exception
{
CompositePasswordEncoder subject = new CompositePasswordEncoder();
try
{
subject.init();
} catch (AlfrescoRuntimeException expected)
{
expected.getMessage().contains("property_not_set");
}
subject.setEncoders(encodersConfig);
subject.setLegacyEncoding("md345");
subject.setLegacyEncodingProperty("password");
try
{
subject.init();
} catch (AlfrescoRuntimeException expected)
{
expected.getMessage().contains("property_not_set");
}
//No default preferred encoding
subject.setPreferredEncoding("nice_encoding");
subject.init();
assertEquals("nice_encoding", subject.getPreferredEncoding());
assertEquals("md345", subject.getLegacyEncoding());
assertEquals("password", subject.getLegacyEncodingProperty());
}
@Test
public void testIsPreferredEncoding() throws Exception
{
CompositePasswordEncoder subject = new CompositePasswordEncoder();
subject.setPreferredEncoding("fish");
assertTrue(subject.isPreferredEncoding("fish"));
assertEquals("fish", subject.getPreferredEncoding());
}
}