inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

ACS-4759 Replace default password hashing algorithm. (#1789)

Browse Source 
ACS-4759 Replace default password hashing algorithm with bcrypt10.

Update tests to use sha256 hashing and fix tests that relied on md4 being the default hashing algorithm.

Remove test for default password hashing algorithm since this is being overridden for the tests anyway.
This commit is contained in:
Tom Page
2023-03-15 14:11:25 +00:00
committed by GitHub
parent a96e805d52
commit acc5425d68
3 changed files with 163 additions and 156 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
repository/src/main/resources/alfresco/repository.properties
View File

@@ -1149,7 +1149,7 @@ smart.folders.config.type.templates.path=${spaces.dictionary.childname}/${spaces
smart.folders.config.type.templates.qname.filter=none smart.folders.config.type.templates.qname.filter=none
# Preferred password encoding, md4, sha256, bcrypt10 # Preferred password encoding, md4, sha256, bcrypt10
system.preferred.password.encoding=md4 system.preferred.password.encoding=bcrypt10
# Upgrade Password Hash Job # Upgrade Password Hash Job
system.upgradePasswordHash.jobBatchSize=100 system.upgradePasswordHash.jobBatchSize=100

315
repository/src/test/java/org/alfresco/repo/security/authentication/AuthenticationTest.java
View File

@@ -26,15 +26,12 @@
package org.alfresco.repo.security.authentication; package org.alfresco.repo.security.authentication;
import java.io.Serializable; import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays; import java.util.Arrays;
import java.util.Date; import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import javax.transaction.Status; import javax.transaction.Status;
import javax.transaction.UserTransaction; import javax.transaction.UserTransaction;
@@ -48,7 +45,6 @@ import net.sf.acegisecurity.DisabledException;
import net.sf.acegisecurity.LockedException; import net.sf.acegisecurity.LockedException;
import net.sf.acegisecurity.UserDetails; import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken; import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.model.ContentModel; import org.alfresco.model.ContentModel;
import org.alfresco.repo.admin.SysAdminParamsImpl; import org.alfresco.repo.admin.SysAdminParamsImpl;
@@ -519,50 +515,48 @@ public class AuthenticationTest extends TestCase
assertTrue("The user should exist", dao.userExists(userName)); assertTrue("The user should exist", dao.userExists(userName));
} }
public void testCreateAndyUserAndOtherCRUD() throws NoSuchAlgorithmException, UnsupportedEncodingException public void testCreateAndyUserAndUpdatePassword()
{ {
RepositoryAuthenticationDao dao = createRepositoryAuthenticationDao(); RepositoryAuthenticationDao dao = createRepositoryAuthenticationDao();
dao.createUser("Andy", "cabbage".toCharArray()); dao.createUser("Andy", "cabbage".toCharArray());
assertNotNull(dao.getUserOrNull("Andy")); assertNotNull(dao.getUserOrNull("Andy"));
UserDetails AndyDetails = (UserDetails) dao.loadUserByUsername("Andy"); RepositoryAuthenticatedUser andyDetails = (RepositoryAuthenticatedUser) dao.loadUserByUsername("Andy");
assertNotNull(AndyDetails); assertNotNull("User unexpectedly null", andyDetails);
assertEquals("Andy", AndyDetails.getUsername()); assertEquals("Unexpected username", "Andy", andyDetails.getUsername());
// assertNotNull(dao.getSalt(AndyDetails)); Object originalSalt = andyDetails.getSalt();
assertTrue(AndyDetails.isAccountNonExpired()); assertNotNull("Salt was not generated", originalSalt);
assertTrue(AndyDetails.isAccountNonLocked()); assertTrue("Account unexpectedly expired", andyDetails.isAccountNonExpired());
assertTrue(AndyDetails.isCredentialsNonExpired()); assertTrue("Account unexpectedly locked", andyDetails.isAccountNonLocked());
assertTrue(AndyDetails.isEnabled()); assertTrue("Credentials unexpectedly expired", andyDetails.isCredentialsNonExpired());
assertNotSame("cabbage", AndyDetails.getPassword()); assertTrue("User unexpectedly disabled", andyDetails.isEnabled());
assertTrue(compositePasswordEncoder.matches(compositePasswordEncoder.getPreferredEncoding(),"cabbage", AndyDetails.getPassword(), null)); assertNotSame("Password was not hashed", "cabbage", andyDetails.getPassword());
assertEquals(1, AndyDetails.getAuthorities().length); assertTrue("Failed to recalculate same password hash", compositePasswordEncoder.matches(compositePasswordEncoder.getPreferredEncoding(),"cabbage", andyDetails.getPassword(), originalSalt));
assertEquals("User does not have a single authority", 1, andyDetails.getAuthorities().length);
// Object oldSalt = dao.getSalt(AndyDetails);
dao.updateUser("Andy", "carrot".toCharArray()); dao.updateUser("Andy", "carrot".toCharArray());
UserDetails newDetails = (UserDetails) dao.loadUserByUsername("Andy"); RepositoryAuthenticatedUser newDetails = (RepositoryAuthenticatedUser) dao.loadUserByUsername("Andy");
assertNotNull(newDetails); assertNotNull("New details were null", newDetails);
assertEquals("Andy", newDetails.getUsername()); assertEquals("New details contain wrong username", "Andy", newDetails.getUsername());
// assertNotNull(dao.getSalt(newDetails)); Object updatedSalt = newDetails.getSalt();
assertTrue(newDetails.isAccountNonExpired()); assertNotNull("New details contain null salt", updatedSalt);
assertTrue(newDetails.isAccountNonLocked()); assertTrue("Updated account is expired", newDetails.isAccountNonExpired());
assertTrue(newDetails.isCredentialsNonExpired()); assertTrue("Updated account is locked", newDetails.isAccountNonLocked());
assertTrue(newDetails.isEnabled()); assertTrue("Updated account has expired credentials", newDetails.isCredentialsNonExpired());
assertNotSame("carrot", newDetails.getPassword()); assertTrue("Updated account is not enabled", newDetails.isEnabled());
assertEquals(1, newDetails.getAuthorities().length); assertNotSame("Updated account contains unhashed password", "carrot", newDetails.getPassword());
assertEquals("Updated account should have a single authority", 1, newDetails.getAuthorities().length);
assertTrue("Failed to validate updated password hash", compositePasswordEncoder.matches(compositePasswordEncoder.getPreferredEncoding(),"carrot", newDetails.getPassword(), updatedSalt));
assertNotSame("Expected salt to be replaced when password was updated", originalSalt, updatedSalt);
assertNotSame(AndyDetails.getPassword(), newDetails.getPassword()); // Update back to first password again.
RepositoryAuthenticatedUser rau = (RepositoryAuthenticatedUser) newDetails; dao.updateUser("Andy", "cabbage".toCharArray());
assertTrue(compositePasswordEncoder.matchesPassword("carrot", newDetails.getPassword(), null, rau.getHashIndicator())); RepositoryAuthenticatedUser thirdDetails = (RepositoryAuthenticatedUser) dao.loadUserByUsername("Andy");
// assertNotSame(oldSalt, dao.getSalt(newDetails)); Object thirdSalt = thirdDetails.getSalt();
assertNotSame("New salt should not match original salt", thirdSalt, originalSalt);
//Update again assertNotSame("New salt should not match previous salt", thirdSalt, updatedSalt);
dao.updateUser("Andy", "potato".toCharArray()); assertTrue("New password hash was not reproducible", compositePasswordEncoder.matches(compositePasswordEncoder.getPreferredEncoding(), "cabbage", thirdDetails.getPassword(), thirdSalt));
newDetails = (UserDetails) dao.loadUserByUsername("Andy");
assertNotNull(newDetails);
assertEquals("Andy", newDetails.getUsername());
rau = (RepositoryAuthenticatedUser) newDetails;
assertTrue(compositePasswordEncoder.matchesPassword("potato", newDetails.getPassword(), null, rau.getHashIndicator()));
dao.deleteUser("Andy"); dao.deleteUser("Andy");
assertFalse("Should not be a cache entry for 'Andy'.", authenticationCache.contains("Andy")); assertFalse("Should not be a cache entry for 'Andy'.", authenticationCache.contains("Andy"));
@@ -1989,131 +1983,142 @@ public class AuthenticationTest extends TestCase
* Tests the scenario where a user logs in after the system has been upgraded. * Tests the scenario where a user logs in after the system has been upgraded.
* Their password should get re-hashed using the preferred encoding. * Their password should get re-hashed using the preferred encoding.
*/ */
public void testRehashedPasswordOnAuthentication() throws Exception public void testRehashedPasswordOnAuthentication()
{ {
// create the Andy authentication // This test requires upgrading from md4 to sha256 hashing.
assertNull(authenticationComponent.getCurrentAuthentication()); String defaultPreferredEncoding = compositePasswordEncoder.getPreferredEncoding();
authenticationComponent.setSystemUserAsCurrentUser(); compositePasswordEncoder.setPreferredEncoding("md4");
pubAuthenticationService.createAuthentication("Andy", "auth1".toCharArray());
try
// find the node representing the Andy user and it's properties {
NodeRef andyUserNodeRef = getRepositoryAuthenticationDao(). getUserOrNull("Andy"); // create the Andy authentication
assertNotNull(andyUserNodeRef); assertNull(authenticationComponent.getCurrentAuthentication());
authenticationComponent.setSystemUserAsCurrentUser();
// ensure the properties are in the state we're expecting pubAuthenticationService.createAuthentication("Andy", "auth1".toCharArray());
Map<QName, Serializable> userProps = nodeService.getProperties(andyUserNodeRef);
String passwordProp = (String)userProps.get(ContentModel.PROP_PASSWORD); // find the node representing the Andy user and its properties
assertNull("Expected the password property to be null", passwordProp); NodeRef andyUserNodeRef = getRepositoryAuthenticationDao().getUserOrNull("Andy");
String password2Prop = (String)userProps.get(ContentModel.PROP_PASSWORD_SHA256); assertNotNull(andyUserNodeRef);
assertNull("Expected the password2 property to be null", password2Prop);
String passwordHashProp = (String)userProps.get(ContentModel.PROP_PASSWORD_HASH); // ensure the properties are in the state we're expecting
assertNotNull("Expected the passwordHash property to be populated", passwordHashProp); Map<QName, Serializable> userProps = nodeService.getProperties(andyUserNodeRef);
List<String> hashIndicatorProp = (List<String>)userProps.get(ContentModel.PROP_HASH_INDICATOR); String passwordProp = (String) userProps.get(ContentModel.PROP_PASSWORD);
assertNotNull("Expected the hashIndicator property to be populated", hashIndicatorProp); assertNull("Expected the password property to be null", passwordProp);
String password2Prop = (String) userProps.get(ContentModel.PROP_PASSWORD_SHA256);
// re-generate an md4 hashed password assertNull("Expected the password2 property to be null", password2Prop);
MD4PasswordEncoderImpl md4PasswordEncoder = new MD4PasswordEncoderImpl(); String passwordHashProp = (String) userProps.get(ContentModel.PROP_PASSWORD_HASH);
String md4Password = md4PasswordEncoder.encodePassword("auth1", null); assertNotNull("Expected the passwordHash property to be populated", passwordHashProp);
List<String> hashIndicatorProp = (List<String>) userProps.get(ContentModel.PROP_HASH_INDICATOR);
// re-generate a sha256 hashed password assertNotNull("Expected the hashIndicator property to be populated", hashIndicatorProp);
String salt = (String)userProps.get(ContentModel.PROP_SALT);
ShaPasswordEncoderImpl sha256PasswordEncoder = new ShaPasswordEncoderImpl(256); // re-generate an md4 hashed password
String sha256Password = sha256PasswordEncoder.encodePassword("auth1", salt); MD4PasswordEncoderImpl md4PasswordEncoder = new MD4PasswordEncoderImpl();
String md4Password = md4PasswordEncoder.encodePassword("auth1", null);
// change the underlying user object to represent state in previous release
userProps.put(ContentModel.PROP_PASSWORD, md4Password); // re-generate a sha256 hashed password
userProps.put(ContentModel.PROP_PASSWORD_SHA256, sha256Password); String salt = (String) userProps.get(ContentModel.PROP_SALT);
userProps.remove(ContentModel.PROP_PASSWORD_HASH); ShaPasswordEncoderImpl sha256PasswordEncoder = new ShaPasswordEncoderImpl(256);
userProps.remove(ContentModel.PROP_HASH_INDICATOR); String sha256Password = sha256PasswordEncoder.encodePassword("auth1", salt);
nodeService.setProperties(andyUserNodeRef, userProps);
// change the underlying user object to represent state in previous release
// make sure the changes took effect userProps.put(ContentModel.PROP_PASSWORD, md4Password);
Map<QName, Serializable> updatedProps = nodeService.getProperties(andyUserNodeRef); userProps.put(ContentModel.PROP_PASSWORD_SHA256, sha256Password);
String usernameProp = (String)updatedProps.get(ContentModel.PROP_USER_USERNAME); userProps.remove(ContentModel.PROP_PASSWORD_HASH);
assertEquals("Expected the username property to be 'Andy'", "Andy", usernameProp); userProps.remove(ContentModel.PROP_HASH_INDICATOR);
passwordProp = (String)updatedProps.get(ContentModel.PROP_PASSWORD); nodeService.setProperties(andyUserNodeRef, userProps);
assertNotNull("Expected the password property to be populated", passwordProp);
password2Prop = (String)updatedProps.get(ContentModel.PROP_PASSWORD_SHA256); // make sure the changes took effect
assertNotNull("Expected the password2 property to be populated", password2Prop); Map<QName, Serializable> updatedProps = nodeService.getProperties(andyUserNodeRef);
passwordHashProp = (String)updatedProps.get(ContentModel.PROP_PASSWORD_HASH); String usernameProp = (String) updatedProps.get(ContentModel.PROP_USER_USERNAME);
assertNull("Expected the passwordHash property to be null", passwordHashProp); assertEquals("Expected the username property to be 'Andy'", "Andy", usernameProp);
hashIndicatorProp = (List<String>)updatedProps.get(ContentModel.PROP_HASH_INDICATOR); passwordProp = (String) updatedProps.get(ContentModel.PROP_PASSWORD);
assertNull("Expected the hashIndicator property to be null", hashIndicatorProp); assertNotNull("Expected the password property to be populated", passwordProp);
password2Prop = (String) updatedProps.get(ContentModel.PROP_PASSWORD_SHA256);
// authenticate the user assertNotNull("Expected the password2 property to be populated", password2Prop);
authenticationComponent.clearCurrentSecurityContext(); passwordHashProp = (String) updatedProps.get(ContentModel.PROP_PASSWORD_HASH);
pubAuthenticationService.authenticate("Andy", "auth1".toCharArray()); assertNull("Expected the passwordHash property to be null", passwordHashProp);
assertEquals("Andy", authenticationService.getCurrentUserName()); hashIndicatorProp = (List<String>) updatedProps.get(ContentModel.PROP_HASH_INDICATOR);
assertNull("Expected the hashIndicator property to be null", hashIndicatorProp);
// commit the transaction to invoke the password hashing of the user
userTransaction.commit(); // authenticate the user
authenticationComponent.clearCurrentSecurityContext();
// start another transaction and change to system user pubAuthenticationService.authenticate("Andy", "auth1".toCharArray());
userTransaction = transactionService.getUserTransaction(); assertEquals("Andy", authenticationService.getCurrentUserName());
userTransaction.begin();
authenticationComponent.setSystemUserAsCurrentUser(); // commit the transaction to invoke the password hashing of the user
userTransaction.commit();
// verify that the new properties are populated and the old ones are cleaned up
Map<QName, Serializable> upgradedProps = nodeService.getProperties(andyUserNodeRef); // start another transaction and change to system user
passwordProp = (String)upgradedProps.get(ContentModel.PROP_PASSWORD); userTransaction = transactionService.getUserTransaction();
assertNull("Expected the password property to be null", passwordProp); userTransaction.begin();
password2Prop = (String)upgradedProps.get(ContentModel.PROP_PASSWORD_SHA256); authenticationComponent.setSystemUserAsCurrentUser();
assertNull("Expected the password2 property to be null", password2Prop);
passwordHashProp = (String)upgradedProps.get(ContentModel.PROP_PASSWORD_HASH); // verify that the new properties are populated and the old ones are cleaned up
assertNotNull("Expected the passwordHash property to be populated", passwordHashProp); Map<QName, Serializable> upgradedProps = nodeService.getProperties(andyUserNodeRef);
hashIndicatorProp = (List<String>)upgradedProps.get(ContentModel.PROP_HASH_INDICATOR); passwordProp = (String) upgradedProps.get(ContentModel.PROP_PASSWORD);
assertNotNull("Expected the hashIndicator property to be populated", hashIndicatorProp); assertNull("Expected the password property to be null", passwordProp);
assertTrue("Expected there to be a single hash indicator entry", (hashIndicatorProp.size() == 1)); password2Prop = (String) upgradedProps.get(ContentModel.PROP_PASSWORD_SHA256);
String preferredEncoding = compositePasswordEncoder.getPreferredEncoding(); assertNull("Expected the password2 property to be null", password2Prop);
String hashEncoding = (String)hashIndicatorProp.get(0); passwordHashProp = (String) upgradedProps.get(ContentModel.PROP_PASSWORD_HASH);
assertEquals("Expected hash indicator to be '" + preferredEncoding + "' but it was: " + hashEncoding, assertNotNull("Expected the passwordHash property to be populated", passwordHashProp);
hashIndicatorProp = (List<String>) upgradedProps.get(ContentModel.PROP_HASH_INDICATOR);
assertNotNull("Expected the hashIndicator property to be populated", hashIndicatorProp);
assertTrue("Expected there to be a single hash indicator entry", (hashIndicatorProp.size() == 1));
String preferredEncoding = compositePasswordEncoder.getPreferredEncoding();
String hashEncoding = hashIndicatorProp.get(0);
assertEquals("Expected hash indicator to be '" + preferredEncoding + "' but it was: " + hashEncoding,
preferredEncoding, hashEncoding); preferredEncoding, hashEncoding);
// delete the user and clear the security context // delete the user and clear the security context
this.deleteAndy(); this.deleteAndy();
authenticationComponent.clearCurrentSecurityContext(); authenticationComponent.clearCurrentSecurityContext();
}
catch (Exception e)
{
throw new RuntimeException(e);
}
finally
{
compositePasswordEncoder.setPreferredEncoding(defaultPreferredEncoding);
}
} }
/** /**
* For on premise the default is MD4, for cloud BCRYPT10 * Test password encoding with MD4 without a salt.
*
* @throws Exception
*/ */
public void testDefaultEncodingIsMD4() throws Exception public void testGetsMD4Password()
{ {
assertNotNull(compositePasswordEncoder); String defaultPreferredEncoding = compositePasswordEncoder.getPreferredEncoding();
assertEquals("md4", compositePasswordEncoder.getPreferredEncoding()); compositePasswordEncoder.setPreferredEncoding("md4");
}
/** try
* For on premise the default is MD4, get it {
* String user = "mduzer";
* @throws Exception String rawPass = "roarPazzw0rd";
*/ dao.createUser(user, null, rawPass.toCharArray());
public void testGetsMD4Password() throws Exception NodeRef userNodeRef = getRepositoryAuthenticationDao().getUserOrNull(user);
{ assertNotNull(userNodeRef);
String user = "mduzer"; String pass = dao.getMD4HashedPassword(user);
String rawPass = "roarPazzw0rd"; assertNotNull(pass);
assertEquals("md4", compositePasswordEncoder.getPreferredEncoding()); assertTrue(compositePasswordEncoder.matches("md4", rawPass, pass, null));
dao.createUser(user, null, rawPass.toCharArray());
NodeRef userNodeRef = getRepositoryAuthenticationDao().getUserOrNull(user);
assertNotNull(userNodeRef);
String pass = dao.getMD4HashedPassword(user);
assertNotNull(pass);
assertTrue(compositePasswordEncoder.matches("md4", rawPass, pass, null));
Map<QName, Serializable> properties = nodeService.getProperties(userNodeRef); Map<QName, Serializable> properties = nodeService.getProperties(userNodeRef);
properties.remove(ContentModel.PROP_PASSWORD_HASH); properties.remove(ContentModel.PROP_PASSWORD_HASH);
properties.remove(ContentModel.PROP_HASH_INDICATOR); properties.remove(ContentModel.PROP_HASH_INDICATOR);
properties.remove(ContentModel.PROP_PASSWORD); properties.remove(ContentModel.PROP_PASSWORD);
properties.remove(ContentModel.PROP_PASSWORD_SHA256); properties.remove(ContentModel.PROP_PASSWORD_SHA256);
String encoded = compositePasswordEncoder.encode("md4",new String(rawPass), null); String encoded = compositePasswordEncoder.encodePassword("md4", rawPass, List.of("md4"));
properties.put(ContentModel.PROP_PASSWORD, encoded); properties.put(ContentModel.PROP_PASSWORD, encoded);
nodeService.setProperties(userNodeRef, properties); nodeService.setProperties(userNodeRef, properties);
pass = dao.getMD4HashedPassword(user); pass = dao.getMD4HashedPassword(user);
assertNotNull(pass); assertNotNull(pass);
assertEquals(encoded, pass); assertEquals(encoded, pass);
dao.deleteUser(user); dao.deleteUser(user);
}
finally
{
compositePasswordEncoder.setPreferredEncoding(defaultPreferredEncoding);
}
} }
/** /**

2
repository/src/test/resources/alfresco-global.properties
View File

@@ -66,3 +66,5 @@ encryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
encryption.keystore.type=JCEKS encryption.keystore.type=JCEKS
encryption.keystore.backup.type=JCEKS encryption.keystore.backup.type=JCEKS
# For CI override the default hashing algorithm for password storage to save build time.
system.preferred.password.encoding=sha256