This adds a typed userpassword class for Bcrypt password hashes that replace the previous default of salted SHA1. It still provides a class for SHA1 passwords, however new passwords of that type may no longer be created directly, and passwords are checked whether to upgrade them on every login.pull/4838/head
parent
f6d20a0a01
commit
fff21a1229
@ -0,0 +1,44 @@ |
||||
#-- encoding: UTF-8 |
||||
#-- copyright |
||||
# OpenProject is a project management system. |
||||
# Copyright (C) 2012-2015 the OpenProject Foundation (OPF) |
||||
# |
||||
# This program is free software; you can redistribute it and/or |
||||
# modify it under the terms of the GNU General Public License version 3. |
||||
# |
||||
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: |
||||
# Copyright (C) 2006-2013 Jean-Philippe Lang |
||||
# Copyright (C) 2010-2013 the ChiliProject Team |
||||
# |
||||
# This program is free software; you can redistribute it and/or |
||||
# modify it under the terms of the GNU General Public License |
||||
# as published by the Free Software Foundation; either version 2 |
||||
# of the License, or (at your option) any later version. |
||||
# |
||||
# This program is distributed in the hope that it will be useful, |
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
# GNU General Public License for more details. |
||||
# |
||||
# You should have received a copy of the GNU General Public License |
||||
# along with this program; if not, write to the Free Software |
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
||||
# |
||||
# See doc/COPYRIGHT.rdoc for more details. |
||||
#++ |
||||
|
||||
## |
||||
# Password hashing method using bcrypt |
||||
class UserPassword::Bcrypt < UserPassword |
||||
protected |
||||
|
||||
## |
||||
# Determines whether the hashed value of +plain+ matches the stored password hash. |
||||
def hash_matches?(plain) |
||||
BCrypt::Password.new(hashed_password) == plain |
||||
end |
||||
|
||||
def derive_password!(input) |
||||
BCrypt::Password.create(input) |
||||
end |
||||
end |
@ -0,0 +1,70 @@ |
||||
#-- encoding: UTF-8 |
||||
#-- copyright |
||||
# OpenProject is a project management system. |
||||
# Copyright (C) 2012-2015 the OpenProject Foundation (OPF) |
||||
# |
||||
# This program is free software; you can redistribute it and/or |
||||
# modify it under the terms of the GNU General Public License version 3. |
||||
# |
||||
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: |
||||
# Copyright (C) 2006-2013 Jean-Philippe Lang |
||||
# Copyright (C) 2010-2013 the ChiliProject Team |
||||
# |
||||
# This program is free software; you can redistribute it and/or |
||||
# modify it under the terms of the GNU General Public License |
||||
# as published by the Free Software Foundation; either version 2 |
||||
# of the License, or (at your option) any later version. |
||||
# |
||||
# This program is distributed in the hope that it will be useful, |
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
# GNU General Public License for more details. |
||||
# |
||||
# You should have received a copy of the GNU General Public License |
||||
# along with this program; if not, write to the Free Software |
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
||||
# |
||||
# See doc/COPYRIGHT.rdoc for more details. |
||||
#++ |
||||
|
||||
## |
||||
# LEGACY password hashing method using salted SHA-1 |
||||
# This is only included for testing hashed passwords and will raise when trying |
||||
# to save new passwords with that strategy. |
||||
class UserPassword::SHA1 < UserPassword |
||||
protected |
||||
|
||||
## |
||||
# Determines whether the hashed value of +plain+ matches the stored password hash. |
||||
def hash_matches?(plain) |
||||
test_hash = derive_password!(plain) |
||||
secure_equals?(test_hash, hashed_password) |
||||
end |
||||
|
||||
# constant-time comparison algorithm to prevent timing attacks |
||||
def secure_equals?(a, b) |
||||
return false if a.blank? || b.blank? || a.bytesize != b.bytesize |
||||
l = a.unpack "C#{a.bytesize}" |
||||
|
||||
res = 0 |
||||
b.each_byte do |byte| res |= byte ^ l.shift end |
||||
res == 0 |
||||
end |
||||
|
||||
## |
||||
# Override the base method to disallow new passwords being generated this way. |
||||
def salt_and_hash_password! |
||||
raise ArgumentError, 'Do not use UserPassword::SHA1 for new passwords!' |
||||
end |
||||
|
||||
## |
||||
# Hash a plaintext password with a given salt |
||||
# The hashed password has following form: SHA1(salt + SHA1(password)) |
||||
def derive_password!(input) |
||||
hashfn("#{salt}#{hashfn(input)}") |
||||
end |
||||
|
||||
def hashfn(input) |
||||
Digest::SHA1.hexdigest(input) |
||||
end |
||||
end |
@ -0,0 +1,41 @@ |
||||
#-- encoding: UTF-8 |
||||
#-- copyright |
||||
# OpenProject is a project management system. |
||||
# Copyright (C) 2012-2015 the OpenProject Foundation (OPF) |
||||
# |
||||
# This program is free software; you can redistribute it and/or |
||||
# modify it under the terms of the GNU General Public License version 3. |
||||
# |
||||
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: |
||||
# Copyright (C) 2006-2013 Jean-Philippe Lang |
||||
# Copyright (C) 2010-2013 the ChiliProject Team |
||||
# |
||||
# This program is free software; you can redistribute it and/or |
||||
# modify it under the terms of the GNU General Public License |
||||
# as published by the Free Software Foundation; either version 2 |
||||
# of the License, or (at your option) any later version. |
||||
# |
||||
# This program is distributed in the hope that it will be useful, |
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
# GNU General Public License for more details. |
||||
# |
||||
# You should have received a copy of the GNU General Public License |
||||
# along with this program; if not, write to the Free Software |
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
||||
# |
||||
# See doc/COPYRIGHT.rdoc for more details. |
||||
#++ |
||||
|
||||
if OpenProject::Configuration.override_bcrypt_cost_factor? |
||||
cost_factor = OpenProject::Configuration.override_bcrypt_cost_factor.to_i |
||||
current = BCrypt::Engine.cost |
||||
|
||||
if cost_factor < 8 |
||||
Rails.logger.warn { |
||||
"Ignoring BCrypt cost factor #{cost_factor}. Using default (#{current})." |
||||
} |
||||
else |
||||
BCrypt::Engine.cost = cost_factor |
||||
end |
||||
end |
@ -0,0 +1,36 @@ |
||||
class IntroduceBcryptPasswords < ActiveRecord::Migration |
||||
def up |
||||
# Introduce type to UserPassword |
||||
add_column :user_passwords, :type, :string, null: true |
||||
|
||||
# Increase hash limit due to bcrypt embedded salt |
||||
change_column :user_passwords, :hashed_password, :string, limit: 128, null: false |
||||
|
||||
# All current passwords are assumed to be SHA-1 salted. |
||||
UserPassword.update_all(type: 'UserPassword::SHA1') |
||||
|
||||
# Make type non-optional |
||||
change_column :user_passwords, :type, :string, null: false |
||||
|
||||
# Make salt explicitly optional |
||||
change_column_null :user_passwords, :salt, true |
||||
end |
||||
|
||||
def down |
||||
unless ENV['OPENPROJECT_CONFIRM_ROLLBACK'] == '20160829225633' |
||||
raise ActiveRecord::IrreversibleMigration, <<-EXC.strip_heredoc |
||||
WARNING |
||||
|
||||
You cannot roll back this migration without losing passwords. |
||||
If you really want to do undo BCrypt passwords, set the following ENV variable: |
||||
|
||||
export OPENPROJECT_CONFIRM_ROLLBACK="20160829225633" |
||||
EXC |
||||
end |
||||
|
||||
UserPassword.where(type: 'UserPassword::Bcrypt').delete_all |
||||
remove_column :user_passwords, :type |
||||
change_column :user_passwords, :hashed_password, :string, limit: 40 |
||||
# Salt was (implictly) optional |
||||
end |
||||
end |
@ -0,0 +1,54 @@ |
||||
#-- copyright |
||||
# OpenProject is a project management system. |
||||
# Copyright (C) 2012-2015 the OpenProject Foundation (OPF) |
||||
# |
||||
# This program is free software; you can redistribute it and/or |
||||
# modify it under the terms of the GNU General Public License version 3. |
||||
# |
||||
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: |
||||
# Copyright (C) 2006-2013 Jean-Philippe Lang |
||||
# Copyright (C) 2010-2013 the ChiliProject Team |
||||
# |
||||
# This program is free software; you can redistribute it and/or |
||||
# modify it under the terms of the GNU General Public License |
||||
# as published by the Free Software Foundation; either version 2 |
||||
# of the License, or (at your option) any later version. |
||||
# |
||||
# This program is distributed in the hope that it will be useful, |
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
# GNU General Public License for more details. |
||||
# |
||||
# You should have received a copy of the GNU General Public License |
||||
# along with this program; if not, write to the Free Software |
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
||||
# |
||||
# See doc/COPYRIGHT.rdoc for more details. |
||||
#++ |
||||
|
||||
require 'spec_helper' |
||||
|
||||
describe UserPassword::SHA1, type: :model do |
||||
let(:legacy_password) { |
||||
pass = FactoryGirl.build(:legacy_sha1_password, plain_password: 'adminAdmin!') |
||||
expect(pass).to receive(:salt_and_hash_password!).and_return nil |
||||
|
||||
pass.save! |
||||
pass |
||||
} |
||||
|
||||
describe '#matches_plaintext?' do |
||||
it 'still matches for existing passwords' do |
||||
expect(legacy_password).to be_a(UserPassword::SHA1) |
||||
expect(legacy_password.matches_plaintext?('adminAdmin!')).to be_truthy |
||||
end |
||||
end |
||||
|
||||
describe '#create' do |
||||
let(:legacy_password) { FactoryGirl.build(:legacy_sha1_password) } |
||||
|
||||
it 'raises an exception trying to save it' do |
||||
expect { legacy_password.save! }.to raise_error(ArgumentError) |
||||
end |
||||
end |
||||
end |
Loading…
Reference in new issue