Fixes #8593: UserManagement need to have hashed password for both Linux and AIX #84
Conversation
fanf
force-pushed
the
bug_8593/usermanagement_need_to_have_hashed_password_for_both_linux_and_aix
branch
from
a4e2484
to
af4d6ac
Compare
|
PR rebased |
| val rounds = 2 << (cost-1) | ||
| val s = salt.getOrElse(getRandomSalt(16)).getBytes("UTF-8") | ||
| val spec: PBEKeySpec = new PBEKeySpec(pwd.toCharArray, s, rounds, 8*sha.byteNumber) | ||
| val skf: SecretKeyFactory = SecretKeyFactory.getInstance(s"PBKDF2WithHmac${sha.name}") |
There was a problem hiding this comment.
ha, this is in a global try/catch
|
Looks great. I'd really appreciate more comments on it though |
| @@ -118,5 +118,6 @@ object CfclerkXmlConstants { | |||
| val CONSTRAINT_DEFAULT = "DEFAULT" | |||
| val CONSTRAINT_REGEX = "REGEX" | |||
| val CONSTRAINT_PASSWORD_HASH = "PASSWORDHASH" | |||
| val CONSTRAINT_USED_FIELDS = "USES" | |||
There was a problem hiding this comment.
CONSTRAINT_USED_FIELDS -> CONSTRAINT_USES_FIELDS ?
There was a problem hiding this comment.
I believe it should be USED here.
In fact, USES is a terrible keywork, but I didn't find a good one for "one-side bound meaning that the field will be made available in the bounder"
|
shouldn't there be a test for the parsing of a metadata.xml that describes uses of new password type ? |
|
PR rebased |
fanf
force-pushed
the
bug_8593/usermanagement_need_to_have_hashed_password_for_both_linux_and_aix
branch
from
af4d6ac
to
be683ac
Compare
| v.spec.constraint.typeName.name == "masterPassword" | ||
| } | ||
|
|
||
| s"Have hash algorithme of type ${algos.map( _.prefix).mkString(",")}" in { |
|
PR rebased |
fanf
force-pushed
the
bug_8593/usermanagement_need_to_have_hashed_password_for_both_linux_and_aix
branch
from
be683ac
to
bedb90d
Compare
|
I propose to NOT merge it until we find a better word than "USES" |
|
PR rebased |
1 similar comment
|
PR rebased |
fanf
force-pushed
the
bug_8593/usermanagement_need_to_have_hashed_password_for_both_linux_and_aix
branch
from
bedb90d
to
a62d958
Compare
| * Appart for md5, which is the standard unix implementation and differs only for the | ||
| * prefix ({smd5} in place of "$1", the other implementations differ SIGNIFICANTLY from | ||
| * standard Unix crypt described at https://www.akkadia.org/drepper/SHA-crypt.txt. In fact, | ||
| * they only kepted: |
fanf
force-pushed
the
bug_8593/usermanagement_need_to_have_hashed_password_for_both_linux_and_aix
branch
from
a62d958
to
a70706a
Compare
|
PR rebased |
1 similar comment
|
PR rebased |
fanf
force-pushed
the
bug_8593/usermanagement_need_to_have_hashed_password_for_both_linux_and_aix
branch
2 times, most recently
from
97ae51a
to
16fab0a
Compare
|
PR rebased |
| private[this] final lazy val ssha256impl = getSecretKeFactory(ShaSpec.SHA256) match { | ||
| case Full(skf) => doSsha(ShaSpec.SHA256, skf) _ | ||
| case e:Failure => | ||
| // this may happen on Java and older version, because PBKDF2WithHmacSHA256 |
There was a problem hiding this comment.
I guess you meant java 7 and earlier ?
There was a problem hiding this comment.
No, PBKDF2WithHmacSHA256 was introduced in Java 8. And PBKDF2WithHmacSHA1 in Java 6
There was a problem hiding this comment.
this comment makes no sense "this may happen on Java and older version"
There was a problem hiding this comment.
ok, my brain was kindly dismissing the "and" part. Corrected
|
PR rebased |
fanf
force-pushed
the
bug_8593/usermanagement_need_to_have_hashed_password_for_both_linux_and_aix
branch
2 times, most recently
from
5b17a6c
to
f02c431
Compare
|
PR rebased |
1 similar comment
|
PR rebased |
fanf
force-pushed
the
bug_8593/usermanagement_need_to_have_hashed_password_for_both_linux_and_aix
branch
from
f02c431
to
5b023fa
Compare
|
PR rebased |
fanf
force-pushed
the
bug_8593/usermanagement_need_to_have_hashed_password_for_both_linux_and_aix
branch
from
5b023fa
to
75b39ab
Compare
|
OK, merging this PR |
https://www.rudder-project.org/redmine/issues/8593
The diff is better viewed with ?w=1, because big parts of the code were reindented.
The three main parts are:
PBKDF2WithHmacSHA256/PBKDF2WithHmacSHA512, and so Java 8.<CONSTRAINT>elements,<USES>, that instructs the input to do things with the other inputs in<USES>