implement password encoder from spring security

Author: andponlin

haikudepotserver-core-test/src/main/java/org/haiku/haikudepotserver/IntegrationTestSupportService.java

@@ -333,7 +333,7 @@ private void ensureUserRatingAggregate(ObjectContext context, Pkg pkg, Repositor
         Optional<PkgUserRatingAggregate> aggregateOptional = pkg.getPkgUserRatingAggregate(repository);
         PkgUserRatingAggregate aggregate;
 
-        if(!aggregateOptional.isPresent()) {
+        if(aggregateOptional.isEmpty()) {
             aggregate = context.newObject(PkgUserRatingAggregate.class);
             pkg.addToManyTarget(Pkg.PKG_USER_RATING_AGGREGATES.getName(), aggregate, true);
             aggregate.setRepository(repository);
@@ -346,11 +346,10 @@ private void ensureUserRatingAggregate(ObjectContext context, Pkg pkg, Repositor
         aggregate.setDerivedRatingSampleSize(sampleSize);
     }
 
-    public User createBasicUser(ObjectContext context, String nickname, String password) {
+    public User createBasicUser(ObjectContext context, String nickname, String passwordClear) {
         User user = context.newObject(User.class);
         user.setNickname(nickname);
-        user.setPasswordSalt(); // random
-        user.setPasswordHash(userAuthenticationService.hashPassword(user, password));
+        userAuthenticationService.setPassword(user, passwordClear);
         user.setNaturalLanguage(NaturalLanguage.getByCode(context, NaturalLanguage.CODE_ENGLISH));
         context.commitChanges();
         return user;

haikudepotserver-core-test/src/test/java/org/haiku/haikudepotserver/security/UserAuthenticationServiceIT.java

@@ -55,17 +55,36 @@ public void testAuthenticateByNicknameAndPassword() {
     @Test
     public void testHashPassword() {
         User user = new User();
-        user.setPasswordSalt("cad3422ea02761f8");
-        String passwordHash = userAuthenticationService.hashPassword(user,"p4mphl3t");
-        Assertions.assertThat(passwordHash).isEqualTo("b9c4717bc5c6d16f2be9e967ab0c752f8ac2084f95781989f39cf8736e2edeef");
+
+        // -----------------
+        userAuthenticationService.setPassword(user, "p4mphl3t");
+        // -----------------
+
+        Assertions.assertThat(userAuthenticationService.matchPassword(user, "p4mphl3t")).isTrue();
+        Assertions.assertThat(userAuthenticationService.matchPassword(user, "Other")).isFalse();
     }
 
     @Test
     public void testHashPassword_2() {
         User user = new User();
-        user.setPasswordSalt("66a9b264bf730ac2");
-        String passwordHash = userAuthenticationService.hashPassword(user,"Pa55word0");
-        Assertions.assertThat(passwordHash).isEqualTo("d439da8f2ec8c7aa3d0c9c2a1dd7cd6dcbf8b4435f9e288cc1a6f7b77d47361e");
+
+        // -----------------
+        userAuthenticationService.setPassword(user, "Pa55word0");
+        // -----------------
+
+        Assertions.assertThat(userAuthenticationService.matchPassword(user, "Pa55word0")).isTrue();
+        Assertions.assertThat(userAuthenticationService.matchPassword(user, "Other")).isFalse();
+    }
+
+    @Test(expected = Exception.class)
+    public void testClearPassword() {
+        User user = new User();
+
+        // -----------------
+        userAuthenticationService.setPassword(user, null);
+        // -----------------
+
+        // expecting an exception.
     }
 
 }

haikudepotserver-core/src/main/java/org/haiku/haikudepotserver/api1/RepositoryApiImpl.java

@@ -309,11 +309,11 @@ public UpdateRepositoryResult updateRepository(UpdateRepositoryRequest updateRep
 
                 case PASSWORD:
                     if (StringUtils.isBlank(updateRepositoryRequest.passwordClear)) {
+                        repository.setPasswordSalt(null);
                         repository.setPasswordHash(null);
                         LOGGER.info("cleared the password for repository [{}]", repository);
                     } else {
-                        repository.setPasswordHash(userAuthenticationService.hashPassword(
-                                repository.getPasswordSalt(), updateRepositoryRequest.passwordClear));
+                        repositoryService.setPassword(repository, updateRepositoryRequest.passwordClear);
                         LOGGER.info("did update the repository [{}] password", repository);
                     }
                     break;

haikudepotserver-core/src/main/java/org/haiku/haikudepotserver/api1/UserApiImpl.java

@@ -219,7 +219,8 @@ public CreateUserResult createUser(CreateUserRequest createUserRequest) throws O
         user.setNaturalLanguage(getNaturalLanguage(context, createUserRequest.naturalLanguageCode));
         user.setNickname(createUserRequest.nickname);
         user.setEmail(createUserRequest.email);
-        user.setPasswordHash(userAuthenticationService.hashPassword(user, createUserRequest.passwordClear));
+
+        userAuthenticationService.setPassword(user, createUserRequest.passwordClear);
 
         UserUsageConditionsAgreement agreement = context.newObject(UserUsageConditionsAgreement.class);
         agreement.setUser(user);
@@ -400,7 +401,8 @@ public ChangePasswordResult changePassword(
             }
         }
 
-        targetUser.setPasswordHash(userAuthenticationService.hashPassword(targetUser, changePasswordRequest.newPasswordClear));
+        userAuthenticationService.setPassword(targetUser, changePasswordRequest.newPasswordClear);
+
         context.commitChanges();
         LOGGER.info("did change password for user {}", changePasswordRequest.nickname);
 

haikudepotserver-core/src/main/java/org/haiku/haikudepotserver/config/BasicConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2018, Andrew Lindesay
+ * Copyright 2018-2020, Andrew Lindesay
  * Distributed under the terms of the MIT License.
  */
 
@@ -18,6 +18,7 @@
 import org.haiku.haikudepotserver.graphics.bitmap.PngOptimizationServiceFactory;
 import org.haiku.haikudepotserver.graphics.hvif.HvifRenderingService;
 import org.haiku.haikudepotserver.graphics.hvif.HvifRenderingServiceFactory;
+import org.haiku.haikudepotserver.security.PasswordEncoder;
 import org.haiku.haikudepotserver.support.RuntimeInformationService;
 import org.haiku.haikudepotserver.support.freemarker.LocalizedTemplateLoader;
 import org.haiku.haikudepotserver.support.logging.LoggingSetupOrchestration;
@@ -30,6 +31,7 @@
 import org.springframework.context.annotation.Import;
 import org.springframework.context.support.ReloadableResourceBundleMessageSource;
 import org.springframework.core.io.ResourceLoader;
+import org.springframework.security.crypto.keygen.KeyGenerators;
 import org.springframework.stereotype.Controller;
 
 import java.util.List;
@@ -129,4 +131,9 @@ public MessageSource messageSource(
         return messageSource;
     }
 
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new PasswordEncoder(KeyGenerators.secureRandom(8));
+    }
+
 }

haikudepotserver-core/src/main/java/org/haiku/haikudepotserver/dataobjects/Repository.java

@@ -1,15 +1,15 @@
 /*
- * Copyright 2018, Andrew Lindesay
+ * Copyright 2018-2020, Andrew Lindesay
  * Distributed under the terms of the MIT License.
  */
 
 package org.haiku.haikudepotserver.dataobjects;
 
 import com.google.common.base.Preconditions;
-import com.google.common.hash.Hashing;
 import org.apache.cayenne.ObjectContext;
 import org.apache.cayenne.ObjectId;
-import org.apache.cayenne.query.*;
+import org.apache.cayenne.query.ObjectSelect;
+import org.apache.cayenne.query.SelectById;
 import org.apache.cayenne.validation.BeanValidationFailure;
 import org.apache.cayenne.validation.ValidationResult;
 import org.apache.commons.lang3.builder.ToStringBuilder;
@@ -25,7 +25,6 @@
 import java.net.URL;
 import java.util.List;
 import java.util.Optional;
-import java.util.UUID;
 import java.util.stream.Collectors;
 
 public class Repository extends _Repository implements MutableCreateAndModifyTimestamped, Coded, Comparable<Repository> {
@@ -88,14 +87,6 @@ public void validateForInsert(ValidationResult validationResult) {
         super.validateForInsert(validationResult);
     }
 
-    // called from a listener
-    @SuppressWarnings("unused")
-    public void onPostAdd() {
-        if(null==getPasswordSalt()) {
-            setPasswordSalt();
-        }
-    }
-
     @Override
     protected void validateForSave(ValidationResult validationResult) {
         super.validateForSave(validationResult);
@@ -121,11 +112,6 @@ UriComponentsBuilder appendPathSegments(UriComponentsBuilder builder) {
         return builder.pathSegment(getCode());
     }
 
-    private void setPasswordSalt() {
-        String randomHash = Hashing.sha256().hashUnencodedChars(UUID.randomUUID().toString()).toString();
-        setPasswordSalt(randomHash.substring(0,16));
-    }
-
     @Override
     public int compareTo(Repository o) {
         return getCode().compareTo(o.getCode());

haikudepotserver-core/src/main/java/org/haiku/haikudepotserver/dataobjects/User.java

@@ -1,13 +1,12 @@
 /*
- * Copyright 2018-2019, Andrew Lindesay
+ * Copyright 2018-2020, Andrew Lindesay
  * Distributed under the terms of the MIT License.
  */
 
 package org.haiku.haikudepotserver.dataobjects;
 
 import com.google.common.base.Preconditions;
 import com.google.common.base.Strings;
-import com.google.common.hash.Hashing;
 import org.apache.cayenne.ObjectContext;
 import org.apache.cayenne.ObjectId;
 import org.apache.cayenne.query.ObjectIdQuery;
@@ -25,7 +24,6 @@
 import javax.mail.internet.InternetAddress;
 import java.util.List;
 import java.util.Optional;
-import java.util.UUID;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
@@ -91,10 +89,6 @@ public void onPostAdd() {
             setActive(Boolean.TRUE);
         }
 
-        if(null==getPasswordSalt()) {
-            setPasswordSalt();
-        }
-
         // create and modify timestamp handled by listener.
     }
 
@@ -157,15 +151,6 @@ public List<? extends AuthorizationPkgRule> getAuthorizationPkgRules(final Pkg p
                 .collect(Collectors.toList());
     }
 
-    /**
-     * <p>This method will configure a random salt value.</p>
-     */
-
-    public void setPasswordSalt() {
-        String randomHash = Hashing.sha256().hashUnencodedChars(UUID.randomUUID().toString()).toString();
-        setPasswordSalt(randomHash.substring(0,16)); // LDAP server doesn't seem to like very long salts
-    }
-
     @Override
     public String toString() {
         return new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE)

haikudepotserver-core/src/main/java/org/haiku/haikudepotserver/dataobjects/auto/_Repository.java

@@ -104,7 +104,4 @@ public List<RepositorySource> getRepositorySources() {
         return (List<RepositorySource>)readProperty("repositorySources");
     }
 
-
-    protected abstract void onPostAdd();
-
 }

haikudepotserver-core/src/main/java/org/haiku/haikudepotserver/passwordreset/PasswordResetServiceImpl.java

@@ -189,8 +189,7 @@ public void complete(String tokenCode, String passwordClear) {
                             if (user.getActive()) {
 
                                 if (!Strings.isNullOrEmpty(passwordClear) && userAuthenticationService.validatePassword(passwordClear)) {
-                                    user.setPasswordSalt();
-                                    user.setPasswordHash(userAuthenticationService.hashPassword(user, passwordClear));
+                                    userAuthenticationService.setPassword(user, passwordClear);
                                     context.deleteObjects(token);
                                     context.commitChanges();