Bcrypt as password hashing method in the backend

Change-Id: I5ed802c35ade8ba5da4d21f2a8c22d0198490885 Signed-off-by: ac2550 <ac2550@intl.att.com> Issue-ID: CLAMP-143
author: ac2550 <ac2550@intl.att.com> 2018-03-22 16:50:16 +0100
committer: Sébastien Determe <sd378r@intl.att.com> 2018-03-22 16:23:34 +0000
commit: 3308b5439cb1d046398744e4d913ece518de9532 (patch)
tree: 91ae5845341f724fa3b294d5c3a96b0db441b855 /src
parent: 36647a6e6dedf4d4fb82da40ab8bc99cd137ad1d (diff)
2 files changed, 25 insertions, 4 deletions
diff --git a/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java b/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java
index d9e5ef29..4dff9ce1 100644
--- a/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java
+++ b/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java
@@ -30,6 +30,7 @@ import java.io.IOException;
 
 import org.onap.clamp.clds.config.ClampProperties;
 import org.onap.clamp.clds.config.CldsUserJsonDecoder;
+import org.onap.clamp.clds.exception.CldsConfigException;
 import org.onap.clamp.clds.exception.CldsUsersException;
 import org.onap.clamp.clds.service.CldsUser;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -40,6 +41,8 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 
 /**
  * This class is used to enable the HTTP authentication to login. It requires a
@@ -59,6 +62,10 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter {
     private String cldsPersmissionTypeCl;
     @Value("${CLDS_PERMISSION_INSTANCE:dev}")
     private String cldsPermissionInstance;
+    @Value("${clamp.config.security.encoder:bcrypt}")
+    private String cldsEncoderMethod;
+    @Value("${clamp.config.security.encoder.bcrypt.strength:10}")
+    private Integer cldsBcryptEncoderStrength;
 
     /**
      * This method configures on which URL the authorization will be enabled.
@@ -83,6 +90,9 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter {
      */
     @Autowired
     public void configureGlobal(AuthenticationManagerBuilder auth) {
+        // configure algorithm used for password hashing
+        final PasswordEncoder passwordEncoder = getPasswordEncoder();
+
         try {
             CldsUser[] usersList = loadUsers();
             // no users defined
@@ -92,7 +102,7 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter {
             }
             for (CldsUser user : usersList) {
                 auth.inMemoryAuthentication().withUser(user.getUser()).password(user.getPassword())
-                        .roles(user.getPermissionsString());
+                    .roles(user.getPermissionsString()).and().passwordEncoder(passwordEncoder);
             }
         } catch (Exception e) {
             logger.error("Exception occurred during the setup of the Web users in memory", e);
@@ -112,4 +122,15 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter {
         logger.info("Load from clds-users.properties");
         return CldsUserJsonDecoder.decodeJson(refProp.getFileContent("files.cldsUsers"));
     }
+
+    /**
+     * This methods returns the chosen encoder for password hashing.
+     */
+    private PasswordEncoder getPasswordEncoder() {
+        if ("bcrypt".equals(cldsEncoderMethod)) {
+            return new BCryptPasswordEncoder(cldsBcryptEncoderStrength);
+        } else {
+            throw new CldsConfigException("Invalid clamp.config.security.encoder value. Must be one of [bcrypt, none]");
+        }
+    }
 }
diff --git a/src/main/resources/clds/clds-users.json b/src/main/resources/clds/clds-users.json
index d2c06c80..3fa32e81 100644
--- a/src/main/resources/clds/clds-users.json
+++ b/src/main/resources/clds/clds-users.json
@@ -1,6 +1,6 @@
  [{
 	"user":"admin",
-	"password":"5f4dcc3b5aa765d61d8327deb882cf99",
+	"password":"$2a$10$j7wM0G1gcpJTJygRY2ZG8O2HafSwlvM.tIb18/eusVPKBhrpwB6xC",
 	"permissions":
 	            [
 	               "permission-type-cl|dev|read",
@@ -12,7 +12,7 @@
 	},
 	{
 	"user":"cs0008",
-	"password":"5f4dcc3b5aa765d61d8327deb882cf99",
+	"password":"$2a$10$j7wM0G1gcpJTJygRY2ZG8O2HafSwlvM.tIb18/eusVPKBhrpwB6xC",
 	"permissions":
 	            [
 	               "permission-type-cl|dev|read",
@@ -23,4 +23,4 @@
 	               "permission-type-template|dev|update"
 	            ]
 	}
-]
-\ No newline at end of file
+]
author	ac2550 <ac2550@intl.att.com>	2018-03-22 16:50:16 +0100
committer	Sébastien Determe <sd378r@intl.att.com>	2018-03-22 16:23:34 +0000
commit	3308b5439cb1d046398744e4d913ece518de9532 (patch)
tree	91ae5845341f724fa3b294d5c3a96b0db441b855 /src
parent	36647a6e6dedf4d4fb82da40ab8bc99cd137ad1d (diff)