[management-api] encoding/hashing algorithm for passwords for InMemory IDP should be customizable #804

Closed
blackfich opened this Issue Sep 20, 2017 · 3 comments

blackfich commented Sep 20, 2017

The algorithm for hashing/encoding passwords should be customizable from the config file

Expected Behavior

The algorithm for hashing/encoding passwords should be customizable from the config file. It should support at least bcrypt (for backward compatibility) and none (for no encoding/hashing).

Current Behavior

Currently only bcrypt hashing is supported.

Possible Solution

Add a password-encoding-algo entry to the settings of the memory security provider:

security:
  providers:  # authentication providers
    - type: memory
      password-encoding-algo: none
      users:
        - user:
          username: admin
          password: admin
          roles: ADMIN
        - user:
          username: user
          password: password
          roles: MANAGEMENT:USER, PORTAL:USER

In the InMemoryAuthenticationProviderConfiguration class the passwordEncoder method should return an instance of PasswordEncoder based on the config. If the property is not defined, it should default to bcrypt to maintain backward compatibility. Also, specifying an unsupported algorithm should throw an exception.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.core.env.Environment;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

  @Autowired
  private Environment environment;

  @Bean
  public PasswordEncoder passwordEncoder() {
    // Property key as resolved through this provider's Environment; must map to the
    // password-encoding-algo setting above. Unset -> bcrypt, the previous behaviour.
    String encodingAlgo = environment.getProperty("encoding-algo", "bcrypt");
    switch (encodingAlgo.toLowerCase()) {
    case "bcrypt":
      return new BCryptPasswordEncoder();
    case "":
    case "none":
      // No hashing: the password is compared exactly as stored in the config file
      return NoOpPasswordEncoder.getInstance();
    default:
      throw new IllegalArgumentException("Unsupported password encoding algorithm : " + encodingAlgo);
    }
  }

Context

Basically we cannot create bcrypt passwords from our ansible scripts, and we don't want our Ops to have to manually bcrypt it. Also since our config files are readable only by root and the gravitee user, we can have it non encoded.

Your Environment

  • Version used: 1.9.0
  • Browser Name and version: N/A
  • Operating System and version: CentOS/7
blackfich commented Sep 20, 2017

If this is ok for you, I will do a PR (already implemented/tested locally)

@blackfich blackfich changed the title from [management] encoding/hashing algorithm for password for InMemory IDP should be customizable to [management] encoding/hashing algorithm for passwords for InMemory IDP should be customizable Sep 20, 2017

brasseld (Member) commented Sep 20, 2017

Sounds good to me. Just one thing: please use String constant for "bcrypt", "none", ...
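The encoder selection proposed in the issue, written with the string constants the maintainer asks for, as an added example that is not the project's own code. The class name InMemoryPasswordEncoderFactory, the constant names and the main() demonstration are assumptions; it relies on the same Spring Security PasswordEncoder classes the issue already uses, and main() also shows that the bcrypt hash an operator would put in the config file can be produced with the same encoder.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Resolves the in-memory provider's PasswordEncoder from the configured algorithm name. */
public final class InMemoryPasswordEncoderFactory {

    // Supported values of password-encoding-algo, kept as constants rather than inline literals.
    public static final String ALGO_BCRYPT = "bcrypt";
    public static final String ALGO_NONE = "none";
    public static final String DEFAULT_ALGO = ALGO_BCRYPT;

    private InMemoryPasswordEncoderFactory() {}

    public static PasswordEncoder forAlgorithm(String configured) {
        // Missing or blank setting keeps the existing behaviour (bcrypt) for backward compatibility.
        String algo = (configured == null || configured.trim().isEmpty())
                ? DEFAULT_ALGO : configured.trim().toLowerCase();
        switch (algo) {
            case ALGO_BCRYPT:
                return new BCryptPasswordEncoder();
            case ALGO_NONE:
                // Plaintext comparison: passwords are stored as-is, so the config file's
                // permissions are the only thing protecting them.
                return NoOpPasswordEncoder.getInstance();
            default:
                throw new IllegalArgumentException(
                        "Unsupported password encoding algorithm: " + configured);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: produce the hash an operator would place in the config file,
        // then check it the way the provider does at login time.
        PasswordEncoder bcrypt = forAlgorithm("BCrypt");
        String stored = bcrypt.encode("password");
        System.out.println("stored hash: " + stored);
        System.out.println("correct password accepted: " + bcrypt.matches("password", stored)); // true
        System.out.println("wrong password rejected: " + !bcrypt.matches("wrong", stored));     // true

        PasswordEncoder unset = forAlgorithm(null);
        System.out.println("unset falls back to bcrypt: " + (unset instanceof BCryptPasswordEncoder)); // true

        try {
            forAlgorithm("md5");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```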

blackfich commented Sep 20, 2017

ok

@brasseld brasseld changed the title from [management] encoding/hashing algorithm for passwords for InMemory IDP should be customizable to [management-api] encoding/hashing algorithm for passwords for InMemory IDP should be customizable Sep 20, 2017

brasseld added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Oct 17, 2017

@brasseld brasseld added this to the 1.10.0 milestone Oct 17, 2017
