remove bcrypt code from code-base (#4844)

[aead]

Bcrypt is not neccessary and not used properly. This change
replace the whole bcrypt hash computation through a constant time
compare and removes bcrypt from the code base.

Fixes #4844

How Has This Been Tested?

Manually

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

[harshavardhana]

hole bcrypt hash computation

what is a hole bcrypt hash ? do you mean whole ?

[codecov-io]

Codecov Report

Merging #4845 into master will decrease coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #4845      +/-   ##
==========================================
- Coverage   63.02%   63.02%   -0.01%     
==========================================
  Files         191      191              
  Lines       27452    27440      -12     
==========================================
- Hits        17302    17294       -8     
+ Misses       8975     8972       -3     
+ Partials     1175     1174       -1

Impacted Files	Coverage Δ
cmd/credential.go	87.5% <100%> (+4.16%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3a73c67...bbc52f2. Read the comment docs.

[aead]

Ahm, yes xD - I fix it!

[balamurugana]

LGTM for removing codes

One question.
Does subtle.ConstantTimeCompare() prevent timing attack?

[aead]

Yes, that's exactly the function used in bcrypt for comparing the computed hash values. It compares two byte slices in constant time. This prevents timing attacks.

[aead]

Closed until we decide what to do...

[aead]

This PR should fulfill the requirements - reopened

[balamurugana]

How about doing below?

return (cred.AccessKey == ccred.AccessKey && subtle.ConstantTimeCompare([]byte(cred.SecretKey), []byte(ccred.SecretKey)) == 1)

[aead]

The access key is public information so this is fine. However for me it looks a lite bit wired when credentials are compared and some parts are constant time and some aren't. It's just easier to miss something in the future - but the decision is up to you...

[balamurugana]

I think you can do the change.

[aead]

done

[balamurugana]

I think you can keep function unchanged to minimize this PR

[aead]

This PR also cleans up the code a bit - like unnecessary if-else. aso.

[balamurugana]

Yep. Its better to send different PR doing cleanup.

[aead]

done

[harshavardhana]

Can you squash your commits? @aead

[aead]

Squashed