This adds a typed UserPassword class for bcrypt password hashes, replacing the previous default of salted SHA1. It still provides a class for SHA1 passwords, but new passwords of that type can no longer be created directly, and on every login existing passwords are checked to see whether they should be upgraded. pull/4838/head
parent
f6d20a0a01
commit
fff21a1229
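--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,44 @@
+#-- encoding: UTF-8
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2015 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+##
+# Password hashing method using bcrypt
+class UserPassword::Bcrypt < UserPassword
+  protected
+
+  ##
+  # Determines whether the hashed value of +plain+ matches the stored password hash.
+  def hash_matches?(plain)
+    BCrypt::Password.new(hashed_password) == plain
+  end
+
+  def derive_password!(input)
+    BCrypt::Password.create(input)
+  end
+end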
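Review bot: `hash_matches?` raises instead of returning false when the stored value is not a well-formed bcrypt string, because `BCrypt::Password.new(hashed_password)` throws `BCrypt::Errors::InvalidHash` on blank or malformed input, so a corrupted or empty row turns a login attempt into an exception rather than a failed match. Guard it first with `return false unless BCrypt::Password.valid_hash?(hashed_password.to_s)` and keep the comparison as the last expression. `derive_password!` also deserves a short comment that bcrypt only considers the first 72 bytes of the input and that the work factor is taken from the process-wide `BCrypt::Engine.cost`, since neither is visible at this call site; `hashed_password` is presumably an attribute of the UserPassword base class, which is not part of this commit.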
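--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,70 @@
+#-- encoding: UTF-8
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2015 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+##
+# LEGACY password hashing method using salted SHA-1
+# This is only included for testing hashed passwords and will raise when trying
+# to save new passwords with that strategy.
+class UserPassword::SHA1 < UserPassword
+  protected
+
+  ##
+  # Determines whether the hashed value of +plain+ matches the stored password hash.
+  def hash_matches?(plain)
+    test_hash = derive_password!(plain)
+    secure_equals?(test_hash, hashed_password)
+  end
+
+  # constant-time comparison algorithm to prevent timing attacks
+  def secure_equals?(a, b)
+    return false if a.blank? || b.blank? || a.bytesize != b.bytesize
+    l = a.unpack "C#{a.bytesize}"
+
+    res = 0
+    b.each_byte do |byte| res |= byte ^ l.shift end
+    res == 0
+  end
+
+  ##
+  # Override the base method to disallow new passwords being generated this way.
+  def salt_and_hash_password!
+    raise ArgumentError, 'Do not use UserPassword::SHA1 for new passwords!'
+  end
+
+  ##
+  # Hash a plaintext password with a given salt
+  # The hashed password has following form: SHA1(salt + SHA1(password))
+  def derive_password!(input)
+    hashfn("#{salt}#{hashfn(input)}")
+  end
+
+  def hashfn(input)
+    Digest::SHA1.hexdigest(input)
+  end
+end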
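Review bot: `derive_password!` interpolates `salt` into the string unconditionally, so a row whose salt is NULL (the migration in this commit makes the column nullable) is silently checked as unsalted SHA1(SHA1(password)) rather than being treated as an error; if NULL salts are meant to identify an even older unsalted format, say so in the comment above the method, otherwise make `hash_matches?` return false when `salt.blank?`. The hand-rolled `secure_equals?` duplicates what the framework already ships as `ActiveSupport::SecurityUtils.secure_compare` (Rails 4.2 and later; `Rack::Utils.secure_compare` on older stacks), so `hash_matches?` could end with `ActiveSupport::SecurityUtils.secure_compare(test_hash, hashed_password)` and the private helper can go, assuming the app's Rails version provides it. Note also that the length check returns early, which leaks only the hash length, not its content; a one-line comment saying that would save the next reader the same analysis.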
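--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,41 @@
+#-- encoding: UTF-8
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2015 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+if OpenProject::Configuration.override_bcrypt_cost_factor?
+  cost_factor = OpenProject::Configuration.override_bcrypt_cost_factor.to_i
+  current = BCrypt::Engine.cost
+
+  if cost_factor < 8
+    Rails.logger.warn {
+      "Ignoring BCrypt cost factor #{cost_factor}. Using default (#{current})."
+    }
+  else
+    BCrypt::Engine.cost = cost_factor
+  end
+end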
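Review bot: The override only has a lower bound, so a typo such as a cost of 20 or 31 is accepted by `BCrypt::Engine.cost = cost_factor` and every password hash and login check then takes seconds to minutes, which is a self-inflicted denial of service on the login path; reject values above a sane ceiling the same way values below 8 are rejected, e.g. `if cost_factor < 8 || cost_factor > 16` with the upper limit chosen to match the hardware the project expects (bcrypt's own maximum is 31). Because `.to_i` turns a non-numeric setting into 0, the warning prints "cost factor 0" rather than the value the operator actually wrote; logging `OpenProject::Configuration.override_bcrypt_cost_factor.inspect` alongside would make the misconfiguration obvious. A comment above the `if` explaining that the value is process-wide and affects both new hashes and the verification cost of bcrypt passwords would also help.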
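--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,36 @@
+class IntroduceBcryptPasswords < ActiveRecord::Migration
+  def up
+    # Introduce type to UserPassword
+    add_column :user_passwords, :type, :string, null: true
+
+    # Increase hash limit due to bcrypt embedded salt
+    change_column :user_passwords, :hashed_password, :string, limit: 128, null: false
+
+    # All current passwords are assumed to be SHA-1 salted.
+    UserPassword.update_all(type: 'UserPassword::SHA1')
+
+    # Make type non-optional
+    change_column :user_passwords, :type, :string, null: false
+
+    # Make salt explicitly optional
+    change_column_null :user_passwords, :salt, true
+  end
+
+  def down
+    unless ENV['OPENPROJECT_CONFIRM_ROLLBACK'] == '20160829225633'
+      raise ActiveRecord::IrreversibleMigration, <<-EXC.strip_heredoc
+        WARNING
+
+        You cannot roll back this migration without losing passwords.
+        If you really want to do undo BCrypt passwords, set the following ENV variable:
+
+        export OPENPROJECT_CONFIRM_ROLLBACK="20160829225633"
+      EXC
+    end
+
+    UserPassword.where(type: 'UserPassword::Bcrypt').delete_all
+    remove_column :user_passwords, :type
+    change_column :user_passwords, :hashed_password, :string, limit: 40
+    # Salt was (implictly) optional
+  end
+end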
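Review bot: `UserPassword.update_all(type: 'UserPassword::SHA1')` in `up` runs against a model whose column cache may have been loaded before `add_column` ran, so call `UserPassword.reset_column_information` on the line before it; `update_all` builds raw SQL and will usually work anyway, but this is the conventional guard when a migration touches a column it just added. In `down`, `change_column :user_passwords, :hashed_password, :string, limit: 40` omits the `null:` option, and on adapters that re-emit the full column definition (MySQL, as far as I recall) that drops the NOT NULL constraint `up` established, so pass `null: false` explicitly to be adapter-independent. The rollback also deletes every bcrypt row, which the heredoc says, but a comment above `delete_all` stating that those users must reset their password afterwards would make the consequence visible in the code as well as the error text.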
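--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,54 @@
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2015 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+require 'spec_helper'
+
+describe UserPassword::SHA1, type: :model do
+  let(:legacy_password) {
+    pass = FactoryGirl.build(:legacy_sha1_password, plain_password: 'adminAdmin!')
+    expect(pass).to receive(:salt_and_hash_password!).and_return nil
+
+    pass.save!
+    pass
+  }
+
+  describe '#matches_plaintext?' do
+    it 'still matches for existing passwords' do
+      expect(legacy_password).to be_a(UserPassword::SHA1)
+      expect(legacy_password.matches_plaintext?('adminAdmin!')).to be_truthy
+    end
+  end
+
+  describe '#create' do
+    let(:legacy_password) { FactoryGirl.build(:legacy_sha1_password) }
+
+    it 'raises an exception trying to save it' do
+      expect { legacy_password.save! }.to raise_error(ArgumentError)
+    end
+  end
+end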
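Review bot: The `#matches_plaintext?` example only asserts the positive case, so a comparison that always returned true (for instance `secure_equals?` degrading to a length check) would still pass; add a negative example in the same `describe`, `expect(legacy_password.matches_plaintext?('adminAdmin')).to be_falsey`, ideally with one wrong password of the same length as the correct one so the early `bytesize` return in `secure_equals?` is not what makes it pass. Placing `expect(pass).to receive(:salt_and_hash_password!)` inside the `let` mixes stubbing with fixture setup and the expectation is verified at the end of whichever example happens to trigger the `let`; `allow(pass).to receive(:salt_and_hash_password!).and_return nil` expresses the intent (skip hashing on save) without the hidden assertion. The correct `hashed_password` and `salt` for 'adminAdmin!' presumably come from the `:legacy_sha1_password` factory, which is not part of this commit.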