Add support for SHA526, SHA512 Crypt as well as PBKDF2 algorithms for…

… openshift submodule (#1020) (#1024) * Add SHA256 to password storage types for htpasswd file. * Add PBKDF2 Algorithms for Passwords.
hawkular · Aug 7, 2019 · 59782d4 · 59782d4
1 parent e9ceaf1
commit 59782d4
Show file tree

Hide file tree

Showing 5 changed files with 347 additions and 30 deletions.
diff --git a/containers/hawkular-htpasswd/pom.xml b/containers/hawkular-htpasswd/pom.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright 2014-2019 Red Hat, Inc. and/or its affiliates
+    and other contributors as indicated by the @author tags.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.hawkular.metrics</groupId>
+    <artifactId>hawkular-metrics-containers</artifactId>
+    <version>0.32.0-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>hawkular-htpasswd</artifactId>
+
+  <name>Hawkular Password Creator</name>
+
+  <dependencies>
+    <dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>hawkular-openshift-security-filter</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+  </dependencies>
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-shade-plugin</artifactId>
+        <version>3.1.0</version>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>shade</goal>
+            </goals>
+            <configuration>
+              <createDependencyReducedPom>false</createDependencyReducedPom>
+              <transformers>
+                <transformer
+                        implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                  <mainClass>org.hawkular.openshift.htpasswd.CreatePassword</mainClass>
+                </transformer>
+              </transformers>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+</project>
diff --git a/...iners/hawkular-htpasswd/src/main/java/org/hawkular/openshift/htpasswd/CreatePassword.java b/...iners/hawkular-htpasswd/src/main/java/org/hawkular/openshift/htpasswd/CreatePassword.java
@@ -0,0 +1,106 @@
+/*
+ * Copyright 2014-2019 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.hawkular.openshift.htpasswd;
+
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+
+import org.hawkular.openshift.auth.PasswordManager;
+
+public class CreatePassword {
+
+    private static final String SHA256_ALGORITHM = "pbkdf2-sha256";
+    private static final String SHA512_ALGORITHM = "pbkdf2-sha512";
+
+    private String algorithm;
+    private String fileName;
+    private String password;
+    private String username;
+    private boolean overwrite;
+
+    private PasswordManager passwordManager = new PasswordManager();
+
+    public CreatePassword() {
+        password = System.getProperty("htpasswd.password", "");
+        username = System.getProperty("htpasswd.username", "");
+        algorithm = System.getProperty("htpasswd.algorithm", SHA256_ALGORITHM);
+        fileName = System.getProperty("htpasswd.file", "");
+        overwrite = Boolean.getBoolean("htpasswd.overwrite");
+
+    }
+
+    private void validateArguments() {
+        if (password.isEmpty()) {
+            throw new RuntimeException("htpasswd.password cannot be empty");
+        }
+
+        if (username.isEmpty()) {
+            throw new RuntimeException("htpasswd.username cannot be empty");
+        }
+
+        if (!algorithm.equals(SHA256_ALGORITHM) && !algorithm.equals(SHA512_ALGORITHM)) {
+            throw new RuntimeException("Invalid algorithm, permitted values: [" + SHA256_ALGORITHM + "," + SHA512_ALGORITHM + "]");
+        }
+    }
+
+    private void run() throws Exception {
+
+        String output = null;
+        OutputStream outputStream;
+
+        // First validate arguments.
+        this.validateArguments();
+
+        if (algorithm.equals(SHA256_ALGORITHM)) {
+            output = passwordManager.createPBDKF2SHA256Password(password);
+        } else if (algorithm.equals(SHA512_ALGORITHM)) {
+            output = passwordManager.createPBDKF2SHA512Password(password);
+        }
+
+        if (!fileName.isEmpty()) {
+            outputStream = new FileOutputStream(this.fileName, !overwrite);
+        } else {
+            outputStream = System.out;
+        }
+
+        if (output != null) {
+            try {
+                outputStream.write(username.getBytes());
+                outputStream.write(":".getBytes());
+                outputStream.write(output.getBytes());
+                outputStream.write("\n".getBytes());
+            } catch (IOException e) {
+                throw new RuntimeException(e.getMessage());
+            } finally {
+                outputStream.close();
+            }
+        } else {
+            throw new RuntimeException("Invalid output from algorithm, this should not happens, could be a bug");
+        }
+    }
+
+    public static void main(String[] args) {
+        CreatePassword passwordCreator = new CreatePassword();
+        try {
+            passwordCreator.run();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
diff --git a/...enshift-security-filter/src/main/java/org/hawkular/openshift/auth/BasicAuthenticator.java b/...enshift-security-filter/src/main/java/org/hawkular/openshift/auth/BasicAuthenticator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2016 Red Hat, Inc. and/or its affiliates
+ * Copyright 2014-2019 Red Hat, Inc. and/or its affiliates
  * and other contributors as indicated by the @author tags.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -30,8 +30,6 @@
 import java.util.HashMap;
 import java.util.Map;
 
-import org.apache.commons.codec.digest.DigestUtils;
-import org.apache.commons.codec.digest.Md5Crypt;
 import org.jboss.logging.Logger;
 
 import io.undertow.server.HttpHandler;
@@ -49,13 +47,15 @@ class BasicAuthenticator implements Authenticator {
     private static final String HTPASSWD_FILE_SYSPROP_SUFFIX = ".openshift.htpasswd-file";
     private final File htpasswdFile;
 
-    private static final String MD5_PREFIX = "$apr1$";
-    private static final String SHA_PREFIX = "{SHA}";
 
     private final HttpHandler containerHandler;
     private final Map<String, String> users;
 
+    private PasswordManager passwordManager;
+
     BasicAuthenticator(HttpHandler containerHandler, String componentName) {
+        passwordManager = new PasswordManager();
+
         String htpasswdPath = System.getProperty(componentName + HTPASSWD_FILE_SYSPROP_SUFFIX);
         if (htpasswdPath == null) {
             htpasswdFile = new File(System.getProperty("user.home"), ".htpasswd");
@@ -102,37 +102,13 @@ public void handleRequest(HttpServerExchange serverExchange) throws Exception {
         String username = entries[0];
         String password = entries[1];
 
-        if (users.containsKey(username) && isAuthorized(username, password)) {
+        if (users.containsKey(username) && passwordManager.isAuthorized(users.get(username), password)) {
             containerHandler.handleRequest(serverExchange);
         } else {
             endExchange(serverExchange, FORBIDDEN);
         }
     }
 
-    private boolean isAuthorized(String username, String password) {
-        String storedPassword = users.get(username);
-        return (storedPassword.startsWith(MD5_PREFIX) && verifyMD5Password(storedPassword, password))
-                || (storedPassword.startsWith(SHA_PREFIX) && verifySHA1Password(storedPassword, password));
-    }
-
-
-    private boolean verifyMD5Password(String storedPassword, String passedPassword) {
-        // We send in the password presented by the user and use the stored password as the salt
-        // If they match, then the password matches the original non-encrypted stored password
-        return Md5Crypt.apr1Crypt(passedPassword, storedPassword).equals(storedPassword);
-    }
-
-    private boolean verifySHA1Password(String storedPassword, String passedPassword) {
-        //Remove the SHA_PREFIX from the password string
-        storedPassword = storedPassword.substring(SHA_PREFIX.length());
-
-        //Get the SHA digest and encode it in Base64
-        byte[] digestedPasswordBytes = DigestUtils.sha1(passedPassword);
-        String digestedPassword = Base64.getEncoder().encodeToString(digestedPasswordBytes);
-
-        //Check if the stored password matches the passed one
-        return digestedPassword.equals(storedPassword);
-    }
 
     @Override
     public void stop() {