Fixes #8593: UserManagement need to have hashed password for both Linux and AIX #84
a4e2484 to af4d6ac
PR rebased
val rounds = 2 << (cost-1) | ||
val s = salt.getOrElse(getRandomSalt(16)).getBytes("UTF-8") | ||
val spec: PBEKeySpec = new PBEKeySpec(pwd.toCharArray, s, rounds, 8*sha.byteNumber) | ||
val skf: SecretKeyFactory = SecretKeyFactory.getInstance(s"PBKDF2WithHmac${sha.name}") |
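Review bot: `val rounds = 2 << (cost-1)` on the first line only yields a positive iteration count for a limited range of `cost`. If `cost` is an Int, `cost = 0` makes the shift count -1, which the JVM masks to 31, so `rounds` becomes 0, and a large `cost` overflows into a zero or negative value in the same way. `PBEKeySpec` rejects a non-positive iteration count with an IllegalArgumentException. Check `cost` against an explicit range before this line and fail with a clear message, and add a comment stating that the iteration count is 2^cost so readers do not have to decode the shift.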
Can't that fail?
ha, this is in a global try/catch
Looks great. I'd really appreciate more comments on it though
@@ -118,5 +118,6 @@ object CfclerkXmlConstants { | |||
val CONSTRAINT_DEFAULT = "DEFAULT" | |||
val CONSTRAINT_REGEX = "REGEX" | |||
val CONSTRAINT_PASSWORD_HASH = "PASSWORDHASH" | |||
val CONSTRAINT_USED_FIELDS = "USES" |
CONSTRAINT_USED_FIELDS -> CONSTRAINT_USES_FIELDS ?
I believe it should be USED here.
In fact, USES is a terrible keyword, but I didn't find a good one for "one-side bound meaning that the field will be made available in the bounder"
USES is indeed very bad.
Shouldn't there be a test for the parsing of a metadata.xml that describes uses of the new password type?
PR rebased
af4d6ac to be683ac
v.spec.constraint.typeName.name == "masterPassword" | ||
} | ||
|
||
s"Have hash algorithme of type ${algos.map( _.prefix).mkString(",")}" in { |
algorithm
PR rebased
be683ac to bedb90d
I propose to NOT merge it until we find a better word than "USES"
PR rebased
PR rebased
bedb90d to a62d958
* Appart for md5, which is the standard unix implementation and differs only for the | ||
* prefix ({smd5} in place of "$1", the other implementations differ SIGNIFICANTLY from | ||
* standard Unix crypt described at https://www.akkadia.org/drepper/SHA-crypt.txt. In fact, | ||
* they only kepted: |
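Review bot: the parenthesis opened before `{smd5}` on the second line is never closed, so the sentence does not parse where it moves from md5 to "the other implementations". Close it after `"$1"`, and fix "Appart" to "Apart" on the first line while touching this comment.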
kept
a62d958 to a70706a
PR rebased
PR rebased
97ae51a to 16fab0a
PR rebased
private[this] final lazy val ssha256impl = getSecretKeFactory(ShaSpec.SHA256) match { | ||
case Full(skf) => doSsha(ShaSpec.SHA256, skf) _ | ||
case e:Failure => | ||
// this may happen on Java and older version, because PBKDF2WithHmacSHA256 |
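Review bot: `getSecretKeFactory` on the first line is missing the "y" of "Key"; rename it to `getSecretKeyFactory` so it matches the `SecretKeyFactory` type it returns and is findable by search. The visible cases match `Full` and `Failure` only, so if the return type can also be empty, make sure a later case covers it rather than leaving the match to throw when the lazy val is first evaluated.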
I guess you meant Java 7 and earlier?
No, PBKDF2WithHmacSHA256 was introduced in Java 8. And PBKDF2WithHmacSHA1 in Java 6
this comment makes no sense "this may happen on Java and older version"
ok, my brain was kindly dismissing the "and" part. Corrected
PR rebased
5b17a6c to f02c431
PR rebased
PR rebased
f02c431 to 5b023fa
PR rebased
5b023fa to 75b39ab
OK, merging this PR
https://www.rudder-project.org/redmine/issues/8593
The diff is better viewed with ?w=1, because big parts of the code were reindented.
The three main parts are:
PBKDF2WithHmacSHA256
/PBKDF2WithHmacSHA512
, and so Java 8.<CONSTRAINT>
elements,<USES>
, that instructs the input to do things with the other inputs in<USES>