

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 17113: Implemented support for authenticating legacy restore and invite tokens alongside bcrypt. Should ...

 

Merge authors:
  Halvdan Hoem Grelland (halvdanhg)
------------------------------------------------------------
revno: 17113 [merge]
committer: Halvdan Hoem Grelland <halvdanhg@xxxxxxxxx>
branch nick: dhis2
timestamp: Tue 2014-10-14 16:38:16 +0200
message:
  Implemented support for authenticating legacy restore and invite tokens alongside bcrypt. Should be reverted for some release in the future (2.18).
modified:
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationPasswordManager.java
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationSpringSecurityPasswordManager.java


=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java	2014-10-14 06:46:36 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java	2014-10-14 13:58:05 +0000
@@ -38,6 +38,7 @@
 import org.hisp.dhis.i18n.locale.LocaleManager;
 import org.hisp.dhis.message.MessageSender;
 import org.hisp.dhis.period.Cal;
+import org.hisp.dhis.security.migration.MigrationPasswordManager;
 import org.hisp.dhis.setting.SystemSettingManager;
 import org.hisp.dhis.system.util.ValidationUtils;
 import org.hisp.dhis.system.velocity.VelocityManager;
@@ -78,9 +79,9 @@
     // Dependencies
     // -------------------------------------------------------------------------
 
-    private PasswordManager passwordManager;
+    private MigrationPasswordManager passwordManager;
 
-    public void setPasswordManager( PasswordManager passwordManager )
+    public void setPasswordManager( MigrationPasswordManager passwordManager )
     {
         this.passwordManager = passwordManager;
     }
@@ -347,7 +348,7 @@
             return "account_restoreCode_is_null";
         }
 
-        boolean validCode = passwordManager.matches( code, restoreCode );
+        boolean validCode = passwordManager.tokenMatches( code, restoreCode, credentials.getUsername() );
 
         return validCode ? null : "code_does_not_match_restoreCode - code: '"+ code + "' restoreCode: '" + restoreCode + "'" ;
     }
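Review bot: The failure string on the last line of this hunk embeds both the user-supplied `code` and the stored `restoreCode` hash in the value returned to the caller; if that string reaches a log line or an HTTP response it discloses the stored hash, which is a poor trade for a debugging aid, and nothing in the hunk shows where the caller sends it. The sibling verification method further down returns a bare key (`restore_token_does_not_match_supplied_token`), so make this one consistent: `return validCode ? null : "code_does_not_match_restoreCode";`. The enclosing method starts before this hunk.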
@@ -408,7 +409,7 @@
             return "could_not_verify_token";
         }
 
-        boolean validToken = passwordManager.matches( token, restoreToken );
+        boolean validToken = passwordManager.tokenMatches( token, restoreToken, credentials.getUsername() );
 
         return validToken ? null : "restore_token_does_not_match_supplied_token";
     }

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationPasswordManager.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationPasswordManager.java	2014-08-26 12:00:27 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationPasswordManager.java	2014-10-14 13:58:05 +0000
@@ -33,6 +33,20 @@
      */
     public boolean legacyMatches( String encodedPassword, String password, String username );
 
+
+    /**
+     * Determines whether encodedToken is a valid hash of token.
+     * This method is a wrapper for passwordManager.matches() in order to support
+     * authenticating tokens which were generated using the legacy hash implementation in addition
+     * to the current hashing scheme.
+     *
+     * @param token the unencoded token as supplied from the user.
+     * @param encodedToken the encoded token to match against.
+     * @param username the username associated with the token (used for salting by the legacy password encoder).
+     * @return true if the token matches for either the legacy or current hashing scheme, false otherwise.
+     */
+    public boolean tokenMatches( String token, String encodedToken, String username );
+
     /**
      * Return the class name of the legacy password encoder.
      * @return the name of the legacy password encoder class.
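Review bot: The new `tokenMatches( token, encodedToken, username )` takes the raw value first while `legacyMatches( encodedPassword, password, username )` just above it takes the encoded value first; two String parameters in opposite orders is an easy swap to make and the compiler cannot catch it. The Javadoc should say which convention it follows so implementers and callers do not have to guess, e.g. `Argument order follows {@code matches(rawToken, encodedToken)}, not {@code legacyMatches(encoded, raw, username)}.` It should also record that the method exists only for the migration window, since the commit message says the fallback is to be reverted in 2.18; a `@deprecated` tag naming that release would make the intent visible to anyone implementing the interface.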

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationSpringSecurityPasswordManager.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationSpringSecurityPasswordManager.java	2014-08-27 13:26:08 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationSpringSecurityPasswordManager.java	2014-10-14 14:38:16 +0000
@@ -49,6 +49,12 @@
     }
 
     @Override
+    public boolean tokenMatches( String token, String encodedToken, String username )
+    {
+        return legacyMatches( encodedToken, token, username ) || super.matches( token, encodedToken );
+    }
+
+    @Override
     public String getLegacyPasswordEncoderClassName()
     {
         return legacyPasswordEncoder.getClass().getName();
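Review bot: `tokenMatches` accepts a restore or invite token whenever the legacy encoder matches, so every token hashed under the old scheme stays valid for as long as this code ships, even though the commit message says the fallback is meant to be reverted in 2.18; nothing in the method marks it as temporary or bounds it. Add a comment on the method so the intent survives the commit log, e.g. `// TODO(2.18): drop the legacyMatches() fallback once pre-bcrypt restore/invite tokens have expired.` If the tokens carry an expiry elsewhere in DefaultSecurityService (not visible here), it would be worth confirming that the legacy window is effectively bounded by it; if they do not, the old-scheme tokens are accepted without any time limit.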