From 3308b5439cb1d046398744e4d913ece518de9532 Mon Sep 17 00:00:00 2001 From: ac2550 Date: Thu, 22 Mar 2018 16:50:16 +0100 Subject: Bcrypt as password hashing method in the backend Change-Id: I5ed802c35ade8ba5da4d21f2a8c22d0198490885 Signed-off-by: ac2550 Issue-ID: CLAMP-143 --- README.md | 17 +++++++++++++++- .../config/spring/CldsSecurityConfigUsers.java | 23 +++++++++++++++++++++- src/main/resources/clds/clds-users.json | 6 +++--- 3 files changed, 41 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index ea061ce3..f9a3414a 100644 --- a/README.md +++ b/README.md @@ -91,4 +91,19 @@ With the default log settings, all logs will be generated into console and into ### Api -You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json` \ No newline at end of file +You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json` + + +## Clamp Credentials + +Credentials should be specified in `src/main/resources/clds/clds-users.json`. You might specify you own credential file by redefining the `clamp.config.files.cldsUsers` in `application.properties`. + +Passwords should be hashed using md5, then using Bcrypt : +``` +# pip3 install bcrypt # if you don't have the bcrypt python lib installed, should be done once. +# python3 -c 'import bcrypt; import hashlib; m = hashlib.md5(); m.update("password".encode()); m.hexdigest(); print(bcrypt.hashpw(m.hexdigest().encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))' +``` + +Default credentials are admin/password and cs0008/password. + + diff --git a/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java b/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java index d9e5ef29..4dff9ce1 100644 --- a/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java +++ b/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java @@ -30,6 +30,7 @@ import java.io.IOException; import org.onap.clamp.clds.config.ClampProperties; import org.onap.clamp.clds.config.CldsUserJsonDecoder; +import org.onap.clamp.clds.exception.CldsConfigException; import org.onap.clamp.clds.exception.CldsUsersException; import org.onap.clamp.clds.service.CldsUser; import org.springframework.beans.factory.annotation.Autowired; @@ -40,6 +41,8 @@ import org.springframework.security.config.annotation.authentication.builders.Au import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; +import org.springframework.security.crypto.password.PasswordEncoder; /** * This class is used to enable the HTTP authentication to login. It requires a @@ -59,6 +62,10 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter { private String cldsPersmissionTypeCl; @Value("${CLDS_PERMISSION_INSTANCE:dev}") private String cldsPermissionInstance; + @Value("${clamp.config.security.encoder:bcrypt}") + private String cldsEncoderMethod; + @Value("${clamp.config.security.encoder.bcrypt.strength:10}") + private Integer cldsBcryptEncoderStrength; /** * This method configures on which URL the authorization will be enabled. @@ -83,6 +90,9 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter { */ @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) { + // configure algorithm used for password hashing + final PasswordEncoder passwordEncoder = getPasswordEncoder(); + try { CldsUser[] usersList = loadUsers(); // no users defined @@ -92,7 +102,7 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter { } for (CldsUser user : usersList) { auth.inMemoryAuthentication().withUser(user.getUser()).password(user.getPassword()) - .roles(user.getPermissionsString()); + .roles(user.getPermissionsString()).and().passwordEncoder(passwordEncoder); } } catch (Exception e) { logger.error("Exception occurred during the setup of the Web users in memory", e); @@ -112,4 +122,15 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter { logger.info("Load from clds-users.properties"); return CldsUserJsonDecoder.decodeJson(refProp.getFileContent("files.cldsUsers")); } + + /** + * This methods returns the chosen encoder for password hashing. + */ + private PasswordEncoder getPasswordEncoder() { + if ("bcrypt".equals(cldsEncoderMethod)) { + return new BCryptPasswordEncoder(cldsBcryptEncoderStrength); + } else { + throw new CldsConfigException("Invalid clamp.config.security.encoder value. Must be one of [bcrypt, none]"); + } + } } diff --git a/src/main/resources/clds/clds-users.json b/src/main/resources/clds/clds-users.json index d2c06c80..3fa32e81 100644 --- a/src/main/resources/clds/clds-users.json +++ b/src/main/resources/clds/clds-users.json @@ -1,6 +1,6 @@ [{ "user":"admin", - "password":"5f4dcc3b5aa765d61d8327deb882cf99", + "password":"$2a$10$j7wM0G1gcpJTJygRY2ZG8O2HafSwlvM.tIb18/eusVPKBhrpwB6xC", "permissions": [ "permission-type-cl|dev|read", @@ -12,7 +12,7 @@ }, { "user":"cs0008", - "password":"5f4dcc3b5aa765d61d8327deb882cf99", + "password":"$2a$10$j7wM0G1gcpJTJygRY2ZG8O2HafSwlvM.tIb18/eusVPKBhrpwB6xC", "permissions": [ "permission-type-cl|dev|read", @@ -23,4 +23,4 @@ "permission-type-template|dev|update" ] } -] \ No newline at end of file +] -- cgit 1.2.3-korg From 5c4aee562b7fcb42f10aa62011e0ff6297cee867 Mon Sep 17 00:00:00 2001 From: ac2550 Date: Thu, 22 Mar 2018 17:04:06 +0100 Subject: Remove client usage of md5 Md5 usage introduce a security flow by reducing the amount of test needed for a brute force attack. Change-Id: Ifa4e6259d0a3fb06c91c03d1c67470ddd02284fc Issue-ID: CLAMP-143 Signed-off-by: ac2550 --- README.md | 4 +- .../config/spring/CldsSecurityConfigUsers.java | 2 +- .../META-INF/resources/designer/index.html | 1 - .../META-INF/resources/designer/lib/angular-md5.js | 208 --------------------- .../META-INF/resources/designer/scripts/app.js | 3 - .../resources/designer/scripts/authcontroller.js | 5 +- src/main/resources/clds/clds-users.json | 4 +- 7 files changed, 7 insertions(+), 220 deletions(-) delete mode 100644 src/main/resources/META-INF/resources/designer/lib/angular-md5.js diff --git a/README.md b/README.md index f9a3414a..d129e5ba 100644 --- a/README.md +++ b/README.md @@ -98,10 +98,10 @@ You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/ Credentials should be specified in `src/main/resources/clds/clds-users.json`. You might specify you own credential file by redefining the `clamp.config.files.cldsUsers` in `application.properties`. -Passwords should be hashed using md5, then using Bcrypt : +Passwords should be hashed using Bcrypt : ``` # pip3 install bcrypt # if you don't have the bcrypt python lib installed, should be done once. -# python3 -c 'import bcrypt; import hashlib; m = hashlib.md5(); m.update("password".encode()); m.hexdigest(); print(bcrypt.hashpw(m.hexdigest().encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))' +# python3 -c 'import bcrypt; print(bcrypt.hashpw("password".encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))' ``` Default credentials are admin/password and cs0008/password. diff --git a/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java b/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java index 4dff9ce1..0f3d0d59 100644 --- a/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java +++ b/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java @@ -130,7 +130,7 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter { if ("bcrypt".equals(cldsEncoderMethod)) { return new BCryptPasswordEncoder(cldsBcryptEncoderStrength); } else { - throw new CldsConfigException("Invalid clamp.config.security.encoder value. Must be one of [bcrypt, none]"); + throw new CldsConfigException("Invalid clamp.config.security.encoder value. 'bcrypt' is the only option at this time."); } } } diff --git a/src/main/resources/META-INF/resources/designer/index.html b/src/main/resources/META-INF/resources/designer/index.html index 83928a9d..45b0c4b6 100644 --- a/src/main/resources/META-INF/resources/designer/index.html +++ b/src/main/resources/META-INF/resources/designer/index.html @@ -106,7 +106,6 @@ - diff --git a/src/main/resources/META-INF/resources/designer/lib/angular-md5.js b/src/main/resources/META-INF/resources/designer/lib/angular-md5.js deleted file mode 100644 index 7896bb42..00000000 --- a/src/main/resources/META-INF/resources/designer/lib/angular-md5.js +++ /dev/null @@ -1,208 +0,0 @@ -/* - angular-md5 - v0.1.8 - 2015-11-17 -*/ - -/* commonjs package manager support (eg componentjs) */ -if (typeof module !== "undefined" && typeof exports !== "undefined" && module.exports === exports) { - module.exports = "angular-md5"; -} -(function(angular) { - angular.module("angular-md5", [ "gdi2290.md5" ]); - angular.module("ngMd5", [ "gdi2290.md5" ]); - angular.module("gdi2290.md5", [ "gdi2290.gravatar-filter", "gdi2290.md5-service", "gdi2290.md5-filter" ]); - "use strict"; - angular.module("gdi2290.gravatar-filter", []).filter("gravatar", [ "md5", function(md5) { - var cache = {}; - return function(text, defaultText) { - if (!cache[text]) { - defaultText = defaultText ? md5.createHash(defaultText.toString().toLowerCase()) : ""; - cache[text] = text ? md5.createHash(text.toString().toLowerCase()) : defaultText; - } - return cache[text]; - }; - } ]); - "use strict"; - angular.module("gdi2290.md5-filter", []).filter("md5", [ "md5", function(md5) { - return function(text) { - return text ? md5.createHash(text.toString().toLowerCase()) : text; - }; - } ]); - "use strict"; - angular.module("gdi2290.md5-service", []).factory("md5", [ function() { - var md5 = { - createHash: function(str) { - if (null === str) { - return null; - } - var xl; - var rotateLeft = function(lValue, iShiftBits) { - return lValue << iShiftBits | lValue >>> 32 - iShiftBits; - }; - var addUnsigned = function(lX, lY) { - var lX4, lY4, lX8, lY8, lResult; - lX8 = lX & 2147483648; - lY8 = lY & 2147483648; - lX4 = lX & 1073741824; - lY4 = lY & 1073741824; - lResult = (lX & 1073741823) + (lY & 1073741823); - if (lX4 & lY4) { - return lResult ^ 2147483648 ^ lX8 ^ lY8; - } - if (lX4 | lY4) { - if (lResult & 1073741824) { - return lResult ^ 3221225472 ^ lX8 ^ lY8; - } else { - return lResult ^ 1073741824 ^ lX8 ^ lY8; - } - } else { - return lResult ^ lX8 ^ lY8; - } - }; - var _F = function(x, y, z) { - return x & y | ~x & z; - }; - var _G = function(x, y, z) { - return x & z | y & ~z; - }; - var _H = function(x, y, z) { - return x ^ y ^ z; - }; - var _I = function(x, y, z) { - return y ^ (x | ~z); - }; - var _FF = function(a, b, c, d, x, s, ac) { - a = addUnsigned(a, addUnsigned(addUnsigned(_F(b, c, d), x), ac)); - return addUnsigned(rotateLeft(a, s), b); - }; - var _GG = function(a, b, c, d, x, s, ac) { - a = addUnsigned(a, addUnsigned(addUnsigned(_G(b, c, d), x), ac)); - return addUnsigned(rotateLeft(a, s), b); - }; - var _HH = function(a, b, c, d, x, s, ac) { - a = addUnsigned(a, addUnsigned(addUnsigned(_H(b, c, d), x), ac)); - return addUnsigned(rotateLeft(a, s), b); - }; - var _II = function(a, b, c, d, x, s, ac) { - a = addUnsigned(a, addUnsigned(addUnsigned(_I(b, c, d), x), ac)); - return addUnsigned(rotateLeft(a, s), b); - }; - var convertToWordArray = function(str) { - var lWordCount; - var lMessageLength = str.length; - var lNumberOfWords_temp1 = lMessageLength + 8; - var lNumberOfWords_temp2 = (lNumberOfWords_temp1 - lNumberOfWords_temp1 % 64) / 64; - var lNumberOfWords = (lNumberOfWords_temp2 + 1) * 16; - var lWordArray = new Array(lNumberOfWords - 1); - var lBytePosition = 0; - var lByteCount = 0; - while (lByteCount < lMessageLength) { - lWordCount = (lByteCount - lByteCount % 4) / 4; - lBytePosition = lByteCount % 4 * 8; - lWordArray[lWordCount] = lWordArray[lWordCount] | str.charCodeAt(lByteCount) << lBytePosition; - lByteCount++; - } - lWordCount = (lByteCount - lByteCount % 4) / 4; - lBytePosition = lByteCount % 4 * 8; - lWordArray[lWordCount] = lWordArray[lWordCount] | 128 << lBytePosition; - lWordArray[lNumberOfWords - 2] = lMessageLength << 3; - lWordArray[lNumberOfWords - 1] = lMessageLength >>> 29; - return lWordArray; - }; - var wordToHex = function(lValue) { - var wordToHexValue = "", wordToHexValue_temp = "", lByte, lCount; - for (lCount = 0; lCount <= 3; lCount++) { - lByte = lValue >>> lCount * 8 & 255; - wordToHexValue_temp = "0" + lByte.toString(16); - wordToHexValue = wordToHexValue + wordToHexValue_temp.substr(wordToHexValue_temp.length - 2, 2); - } - return wordToHexValue; - }; - var x = [], k, AA, BB, CC, DD, a, b, c, d, S11 = 7, S12 = 12, S13 = 17, S14 = 22, S21 = 5, S22 = 9, S23 = 14, S24 = 20, S31 = 4, S32 = 11, S33 = 16, S34 = 23, S41 = 6, S42 = 10, S43 = 15, S44 = 21; - x = convertToWordArray(str); - a = 1732584193; - b = 4023233417; - c = 2562383102; - d = 271733878; - xl = x.length; - for (k = 0; k < xl; k += 16) { - AA = a; - BB = b; - CC = c; - DD = d; - a = _FF(a, b, c, d, x[k + 0], S11, 3614090360); - d = _FF(d, a, b, c, x[k + 1], S12, 3905402710); - c = _FF(c, d, a, b, x[k + 2], S13, 606105819); - b = _FF(b, c, d, a, x[k + 3], S14, 3250441966); - a = _FF(a, b, c, d, x[k + 4], S11, 4118548399); - d = _FF(d, a, b, c, x[k + 5], S12, 1200080426); - c = _FF(c, d, a, b, x[k + 6], S13, 2821735955); - b = _FF(b, c, d, a, x[k + 7], S14, 4249261313); - a = _FF(a, b, c, d, x[k + 8], S11, 1770035416); - d = _FF(d, a, b, c, x[k + 9], S12, 2336552879); - c = _FF(c, d, a, b, x[k + 10], S13, 4294925233); - b = _FF(b, c, d, a, x[k + 11], S14, 2304563134); - a = _FF(a, b, c, d, x[k + 12], S11, 1804603682); - d = _FF(d, a, b, c, x[k + 13], S12, 4254626195); - c = _FF(c, d, a, b, x[k + 14], S13, 2792965006); - b = _FF(b, c, d, a, x[k + 15], S14, 1236535329); - a = _GG(a, b, c, d, x[k + 1], S21, 4129170786); - d = _GG(d, a, b, c, x[k + 6], S22, 3225465664); - c = _GG(c, d, a, b, x[k + 11], S23, 643717713); - b = _GG(b, c, d, a, x[k + 0], S24, 3921069994); - a = _GG(a, b, c, d, x[k + 5], S21, 3593408605); - d = _GG(d, a, b, c, x[k + 10], S22, 38016083); - c = _GG(c, d, a, b, x[k + 15], S23, 3634488961); - b = _GG(b, c, d, a, x[k + 4], S24, 3889429448); - a = _GG(a, b, c, d, x[k + 9], S21, 568446438); - d = _GG(d, a, b, c, x[k + 14], S22, 3275163606); - c = _GG(c, d, a, b, x[k + 3], S23, 4107603335); - b = _GG(b, c, d, a, x[k + 8], S24, 1163531501); - a = _GG(a, b, c, d, x[k + 13], S21, 2850285829); - d = _GG(d, a, b, c, x[k + 2], S22, 4243563512); - c = _GG(c, d, a, b, x[k + 7], S23, 1735328473); - b = _GG(b, c, d, a, x[k + 12], S24, 2368359562); - a = _HH(a, b, c, d, x[k + 5], S31, 4294588738); - d = _HH(d, a, b, c, x[k + 8], S32, 2272392833); - c = _HH(c, d, a, b, x[k + 11], S33, 1839030562); - b = _HH(b, c, d, a, x[k + 14], S34, 4259657740); - a = _HH(a, b, c, d, x[k + 1], S31, 2763975236); - d = _HH(d, a, b, c, x[k + 4], S32, 1272893353); - c = _HH(c, d, a, b, x[k + 7], S33, 4139469664); - b = _HH(b, c, d, a, x[k + 10], S34, 3200236656); - a = _HH(a, b, c, d, x[k + 13], S31, 681279174); - d = _HH(d, a, b, c, x[k + 0], S32, 3936430074); - c = _HH(c, d, a, b, x[k + 3], S33, 3572445317); - b = _HH(b, c, d, a, x[k + 6], S34, 76029189); - a = _HH(a, b, c, d, x[k + 9], S31, 3654602809); - d = _HH(d, a, b, c, x[k + 12], S32, 3873151461); - c = _HH(c, d, a, b, x[k + 15], S33, 530742520); - b = _HH(b, c, d, a, x[k + 2], S34, 3299628645); - a = _II(a, b, c, d, x[k + 0], S41, 4096336452); - d = _II(d, a, b, c, x[k + 7], S42, 1126891415); - c = _II(c, d, a, b, x[k + 14], S43, 2878612391); - b = _II(b, c, d, a, x[k + 5], S44, 4237533241); - a = _II(a, b, c, d, x[k + 12], S41, 1700485571); - d = _II(d, a, b, c, x[k + 3], S42, 2399980690); - c = _II(c, d, a, b, x[k + 10], S43, 4293915773); - b = _II(b, c, d, a, x[k + 1], S44, 2240044497); - a = _II(a, b, c, d, x[k + 8], S41, 1873313359); - d = _II(d, a, b, c, x[k + 15], S42, 4264355552); - c = _II(c, d, a, b, x[k + 6], S43, 2734768916); - b = _II(b, c, d, a, x[k + 13], S44, 1309151649); - a = _II(a, b, c, d, x[k + 4], S41, 4149444226); - d = _II(d, a, b, c, x[k + 11], S42, 3174756917); - c = _II(c, d, a, b, x[k + 2], S43, 718787259); - b = _II(b, c, d, a, x[k + 9], S44, 3951481745); - a = addUnsigned(a, AA); - b = addUnsigned(b, BB); - c = addUnsigned(c, CC); - d = addUnsigned(d, DD); - } - var temp = wordToHex(a) + wordToHex(b) + wordToHex(c) + wordToHex(d); - return temp.toLowerCase(); - } - }; - return md5; - } ]); -})(angular); \ No newline at end of file diff --git a/src/main/resources/META-INF/resources/designer/scripts/app.js b/src/main/resources/META-INF/resources/designer/scripts/app.js index 19906d96..a1e48a62 100644 --- a/src/main/resources/META-INF/resources/designer/scripts/app.js +++ b/src/main/resources/META-INF/resources/designer/scripts/app.js @@ -46,7 +46,6 @@ var app = angular.module('clds-app', ['ngRoute', 'ui.grid.exporter', 'angucomplete', 'kendo.directives', - 'angular-md5' ]) .config(['cfpLoadingBarProvider', function(cfpLoadingBarProvider) { @@ -77,8 +76,6 @@ var app = angular.module('clds-app', ['ngRoute', function($routeProvider, $locationProvider, cfpLoadingBarProvider, $timeout, dialogs, $cookies) { - console - .log("$routeProvider','$locationProvider', '$compileProvider','cfpLoadingBarProvider','md5'") $locationProvider.html5Mode(false); // alert("App.js"); diff --git a/src/main/resources/META-INF/resources/designer/scripts/authcontroller.js b/src/main/resources/META-INF/resources/designer/scripts/authcontroller.js index b138c96a..0072a24d 100644 --- a/src/main/resources/META-INF/resources/designer/scripts/authcontroller.js +++ b/src/main/resources/META-INF/resources/designer/scripts/authcontroller.js @@ -23,7 +23,7 @@ 'use strict'; -function AuthenticateCtrl($scope, $rootScope, $window, $resource, $http, $location, $cookies, md5) { +function AuthenticateCtrl($scope, $rootScope, $window, $resource, $http, $location, $cookies) { console.log("//////////AuthenticateCtrl"); $scope.getInclude = function() { console.log("getInclude011111111"); @@ -50,10 +50,9 @@ function AuthenticateCtrl($scope, $rootScope, $window, $resource, $http, $locati $window.localStorage.setItem("isInvalidUser", true); return; } - var hashpass = md5.createHash(pass); var headers = username ? { authorization: "Basic " + - btoa(username + ":" + hashpass) + btoa(username + ":" + pass) } : {}; // send request to a test API with the username/password to verify the authorization $http.get('/restservices/clds/v1/user/testUser', { diff --git a/src/main/resources/clds/clds-users.json b/src/main/resources/clds/clds-users.json index 3fa32e81..8be08e1d 100644 --- a/src/main/resources/clds/clds-users.json +++ b/src/main/resources/clds/clds-users.json @@ -1,6 +1,6 @@ [{ "user":"admin", - "password":"$2a$10$j7wM0G1gcpJTJygRY2ZG8O2HafSwlvM.tIb18/eusVPKBhrpwB6xC", + "password":"$2a$10$H/e21kl04Dw9C978CHuM7OewyMGUN5WGzAAx7SgIaR4ix8.wTcssi", "permissions": [ "permission-type-cl|dev|read", @@ -12,7 +12,7 @@ }, { "user":"cs0008", - "password":"$2a$10$j7wM0G1gcpJTJygRY2ZG8O2HafSwlvM.tIb18/eusVPKBhrpwB6xC", + "password":"$2a$10$H/e21kl04Dw9C978CHuM7OewyMGUN5WGzAAx7SgIaR4ix8.wTcssi", "permissions": [ "permission-type-cl|dev|read", -- cgit 1.2.3-korg