From 27b6e6483e73e37a235b8160ad9a1c9f3f68d5ea Mon Sep 17 00:00:00 2001 From: Zlatko Murgoski Date: Mon, 3 Dec 2018 12:28:41 +0100 Subject: Remove clear text password Change to SHA256 Change-Id: I1c41247cf4094523b61487cbce0030d585982b06 Issue-ID: DCAEGEN2-978 Signed-off-by: Zlatko Murgoski --- README.md | 8 ++++++++ etc/collector.properties | 4 ++-- src/main/java/org/onap/dcae/ApplicationSettings.java | 6 ++++-- .../java/org/onap/dcae/restapi/ApiAuthInterceptor.java | 15 ++++++++------- src/main/java/org/onap/dcae/restapi/ApiConfiguration.java | 1 + src/test/java/org/onap/dcae/ApplicationSettingsTest.java | 4 ++-- src/test/java/org/onap/dcae/TLSTest.java | 2 +- .../org/onap/dcae/restapi/ApiAuthInterceptionTest.java | 4 ++-- 8 files changed, 28 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 09037680..f77ca227 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,14 @@ Run the image using docker-compose.yml docker-compose up ``` +### Generate auth credential + +Util "crypt_password.py" to generate new cryptographic password is stored in dcaegen2/sdk + +``` +python crypt_password.py -p TestPassword +``` + ### Environment variables in Docker Container Most of the configuration of how VESCollector should be started and managed is done through environment variables. Some of them are set during the image build process and some of them are defined manually or by diff --git a/etc/collector.properties b/etc/collector.properties index 475c49b0..d0c90695 100755 --- a/etc/collector.properties +++ b/etc/collector.properties 
@@ -60,9 +60,9 @@ collector.dmaapfile=./etc/DmaapConfig.json ## To disable enter 0 header.authflag=0 -## Combination of userid,base64 encoded pwd list to be supported +## Combination of userid,hashPassword encoded pwd list to be supported ## userid and pwd comma separated; pipe delimitation between each pair -header.authlist=sample1,c2FtcGxlMQ== +header.authlist=sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6 ## Event transformation Flag - when set expects configurable transformation ## defined under ./etc/eventTransform.json diff --git a/src/main/java/org/onap/dcae/ApplicationSettings.java b/src/main/java/org/onap/dcae/ApplicationSettings.java index ead148c4..f140def2 100644 --- a/src/main/java/org/onap/dcae/ApplicationSettings.java +++ b/src/main/java/org/onap/dcae/ApplicationSettings.java @@ -90,8 +90,10 @@ public class ApplicationSettings { } private Map prepareUsersMap(@Nullable String allowedUsers) { - return allowedUsers == null ? HashMap.empty() : List.ofAll(stream(allowedUsers.split("\\|"))) - .toMap(t -> t.split(",")[0].trim(), t -> new String(Base64.getDecoder().decode(t.split(",")[1])).trim()); + return allowedUsers == null ? HashMap.empty() + : List.of(allowedUsers.split("\\|")) + .map(t->t.split(",")) + .toMap(t-> t[0].trim(), t -> t[1].trim()); } private String findOutConfigurationFileLocation(Map parsedArgs) { diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java index 8061ec5a..6b5a64aa 100644 --- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java +++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java 
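Review bot: The rewritten comment above header.authlist says "hashPassword encoded", which tells an operator neither the algorithm nor the format the value must have, while the new sample value is a bcrypt hash (`$2a$10$…`) and the interceptor in this commit verifies it with BCryptPasswordEncoder. I would replace the two comment lines with `## Combination of userid,bcrypt-hashed pwd ($2a$... — presumably what crypt_password.py from dcaegen2/sdk emits); userid and hash comma separated; pipe delimitation between each pair`. The default file also ships a `sample1` credential; that is harmless while header.authflag=0, but the comment should state it is a placeholder to be replaced before authentication is turned on.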
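Review bot: prepareUsersMap now stores whatever follows the comma verbatim, so an entry left in the old base64 form, or one without a comma at all, is accepted at startup: the former only fails later at login time (BCryptPasswordEncoder.matches, in the Spring versions I know, logs a warning and returns false, so it fails closed but gives no configuration error), and the latter throws an ArrayIndexOutOfBoundsException from `t[1]` that names no entry. I would validate each pair while building the map, e.g. in the `.map` stage `if (t.length != 2 || !t[1].trim().startsWith("$2")) throw new IllegalArgumentException("header.authlist entry '" + t[0].trim() + "' is not 'user,bcrypt-hash'");`, so a misconfigured credential is reported at load time rather than as a silent authentication failure. Duplicate user ids are also collapsed silently by toMap; whether the first or last pair wins is not visible here.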
@@ -20,19 +20,20 @@ package org.onap.dcae.restapi; import io.vavr.control.Option; +import java.io.IOException; +import java.util.Base64; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import org.onap.dcae.ApplicationSettings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; -import java.util.Base64; - final class ApiAuthInterceptor extends HandlerInterceptorAdapter { private static final Logger LOG = LoggerFactory.getLogger(ApiAuthInterceptor.class); + private final BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(); private final ApplicationSettings applicationSettings; private Logger errorLog; @@ -65,11 +66,11 @@ final class ApiAuthInterceptor extends HandlerInterceptorAdapter { String providedPassword = decodedData.split(":")[1].trim(); Option maybeSavedPassword = applicationSettings.validAuthorizationCredentials().get(providedUser); boolean userRegistered = maybeSavedPassword.isDefined(); - return userRegistered && maybeSavedPassword.get().equals(providedPassword); + return userRegistered && passwordEncoder.matches(providedPassword,maybeSavedPassword.get()); } catch (Exception e) { LOG.warn(String.format("Could not check if user is authorized (header: '%s')), probably malformed header.", authorizationHeader), e); return false; } } -} +} \ No newline at end of file diff --git a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java b/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java index 9ebb5394..c44e0d45 100644 --- a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java +++ b/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java 
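Review bot: The new passwordEncoder field carries no comment about the credential format, while the commit subject says "Change to SHA256" and the README hunk calls the output a "cryptographic password"; the code actually does bcrypt verification (BCryptPasswordEncoder, and every sample hash in this commit starts with `$2a$10$`), which is the right choice but should be stated consistently. I would add above the field `// header.authlist holds bcrypt hashes ($2a$...), not SHA-256 digests; compare only through passwordEncoder.matches()` and correct the commit subject and README wording to bcrypt. As far as I recall, verification uses the cost factor embedded in each stored hash, so operators can raise the cost when generating credentials without a code change — worth one sentence in the README.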
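Review bot: The new comparison only runs bcrypt when the user exists — `userRegistered && passwordEncoder.matches(...)` short-circuits — so an unknown user id is rejected in microseconds while a known user with a wrong password costs a full bcrypt round (tens of milliseconds at cost 10), letting a remote client enumerate valid user ids by timing. I would keep a dummy hash computed once next to the encoder field, `private final String dummyHash = passwordEncoder.encode("unused");`, and always compare: `String stored = maybeSavedPassword.getOrElse(dummyHash);` then `return passwordEncoder.matches(providedPassword, stored) && userRegistered;`. Two pre-existing context lines feed this check and deserve attention in a "remove clear text password" change: `decodedData.split(":")[1].trim()` truncates any password containing a colon and strips surrounding whitespace (`split(":", 2)[1]` without trim would verify what the operator actually hashed), and the `LOG.warn` in the catch prints the raw Authorization header, i.e. base64 of user:password, into the log whenever the header is malformed. The enclosing method begins above this hunk.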
@@ -32,6 +32,7 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; @EnableWebMvc @Configuration public class ApiConfiguration implements WebMvcConfigurer { + private final ApplicationSettings applicationSettings; private Logger errorLogger; diff --git a/src/test/java/org/onap/dcae/ApplicationSettingsTest.java b/src/test/java/org/onap/dcae/ApplicationSettingsTest.java index 55160ff5..0e91bc70 100644 --- a/src/test/java/org/onap/dcae/ApplicationSettingsTest.java +++ b/src/test/java/org/onap/dcae/ApplicationSettingsTest.java @@ -389,8 +389,8 @@ public class ApplicationSettingsTest { ).validAuthorizationCredentials(); // then - assertEquals(allowedUsers.get("pasza").get(), "simplepassword"); - assertEquals(allowedUsers.get("someoneelse").get(), "simplepassword"); + assertEquals(allowedUsers.get("pasza").get(), "c2ltcGxlcGFzc3dvcmQNCg=="); + assertEquals(allowedUsers.get("someoneelse").get(), "c2ltcGxlcGFzc3dvcmQNCg=="); } @Test diff --git a/src/test/java/org/onap/dcae/TLSTest.java b/src/test/java/org/onap/dcae/TLSTest.java index 63099b7d..c73bb53b 100644 --- a/src/test/java/org/onap/dcae/TLSTest.java +++ b/src/test/java/org/onap/dcae/TLSTest.java @@ -113,7 +113,7 @@ public class TLSTest extends TLSTestBase { when(settings.keystoreFileLocation()).thenReturn(KEYSTORE.toString()); when(settings.keystorePasswordFileLocation()).thenReturn(KEYSTORE_PASSWORD_FILE.toString()); when(settings.authorizationEnabled()).thenReturn(true); - when(settings.validAuthorizationCredentials()).thenReturn(HashMap.of(USERNAME, PASSWORD)); + when(settings.validAuthorizationCredentials()).thenReturn(HashMap.of(USERNAME, "$2a$10$51tDgG2VNLde5E173Ay/YO.Fq.aD.LR2Rp8pY3QAKriOSPswvGviy")); } } diff --git a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java index cb4d334c..569fd969 100644 --- a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java 
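Review bot: The new expected values `c2ltcGxlcGFzc3dvcmQNCg==` are base64 strings (they still carry the `==` padding the removed decoder consumed), not bcrypt hashes, so this test now pins only that prepareUsersMap passes the second field through untouched and no longer resembles the production format the interceptor expects. I would change the fixture handed to ApplicationSettings (it starts above this hunk) to `pasza,$2a$10$...|someoneelse,$2a$10$...` and assert those hashes, or at least add `// second field is stored verbatim; in production it is a bcrypt hash, not base64` so a reader does not assume base64 is still the format. The test method's setup lies outside the hunk.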
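Review bot: The literal `$2a$10$51tDgG2V...` replaces PASSWORD with a hash whose plaintext is recorded nowhere in the test, so a reader cannot tell which password the TLS client is expected to send, and if the hash and PASSWORD ever drift the failure will look like a TLS problem rather than a credential mismatch. I would derive it in the test: `when(settings.validAuthorizationCredentials()).thenReturn(HashMap.of(USERNAME, new BCryptPasswordEncoder().encode(PASSWORD)));`, or, if a literal is wanted for speed, name it `PASSWORD_BCRYPT_HASH` with a comment stating it is the bcrypt of PASSWORD. The enclosing setup method starts above the hunk.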
+++ b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java @@ -139,9 +139,9 @@ public class ApiAuthInterceptionTest { public void shouldSucceed() throws IOException { // given final HttpServletRequest request = createRequestWithAuthorizationHeader(); - when(settings.authorizationEnabled()).thenReturn(true); - when(settings.validAuthorizationCredentials()).thenReturn(CREDENTIALS); + when(settings.validAuthorizationCredentials()).thenReturn( + HashMap.of(USERNAME, "$2a$10$BsZkEynNm/93wbAeeZuxJeu6IHRyQl4XReqDg2BtYOFDhUsz20.3G")); when(response.getWriter()).thenReturn(writer); // when -- cgit 1.2.3-korg
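Review bot: shouldSucceed drops the `when(settings.authorizationEnabled()).thenReturn(true)` stub while adding the bcrypt credential; unless authorizationEnabled() is stubbed in a setup method not visible here, the Mockito default of false may keep the interceptor from ever reaching the password check, so the test could pass without exercising the new matches() path. I would keep the stub, `when(settings.authorizationEnabled()).thenReturn(true);`, and derive the stored value from the plaintext that createRequestWithAuthorizationHeader() puts in the header, e.g. `new BCryptPasswordEncoder().encode(thatPassword)`, rather than a literal whose origin is undocumented. The test method continues past the end of the hunk.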