summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSébastien Determe <sd378r@intl.att.com>2018-03-23 09:02:43 +0000
committerGerrit Code Review <gerrit@onap.org>2018-03-23 09:02:43 +0000
commitd9b46ded4ec845cd34d2ff628c9a24d5917ccf64 (patch)
tree94bed709b51b328b9fbb9600d58657337d10cbaf
parent4b3477b503f4effed467765e41026f247c565cbd (diff)
parent5c4aee562b7fcb42f10aa62011e0ff6297cee867 (diff)
Merge changes from topic 'security'
* changes: Remove client usage of md5 Bcrypt as password hashing method in the backend
-rw-r--r--README.md17
-rw-r--r--src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java23
-rw-r--r--src/main/resources/META-INF/resources/designer/index.html1
-rw-r--r--src/main/resources/META-INF/resources/designer/lib/angular-md5.js208
-rw-r--r--src/main/resources/META-INF/resources/designer/scripts/app.js3
-rw-r--r--src/main/resources/META-INF/resources/designer/scripts/authcontroller.js5
-rw-r--r--src/main/resources/clds/clds-users.json6
7 files changed, 43 insertions, 220 deletions
diff --git a/README.md b/README.md
index ea061ce3c..d129e5ba9 100644
--- a/README.md
+++ b/README.md
@@ -91,4 +91,19 @@ With the default log settings, all logs will be generated into console and into
### Api
-You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json` \ No newline at end of file
+You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json`
+
+
+## Clamp Credentials
+
+Credentials should be specified in `src/main/resources/clds/clds-users.json`. You might specify you own credential file by redefining the `clamp.config.files.cldsUsers` in `application.properties`.
+
+Passwords should be hashed using Bcrypt :
+```
+# pip3 install bcrypt # if you don't have the bcrypt python lib installed, should be done once.
+# python3 -c 'import bcrypt; print(bcrypt.hashpw("password".encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))'
+```
+
+Default credentials are admin/password and cs0008/password.
+
+
diff --git a/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java b/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java
index d9e5ef298..0f3d0d59e 100644
--- a/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java
+++ b/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java
@@ -30,6 +30,7 @@ import java.io.IOException;
import org.onap.clamp.clds.config.ClampProperties;
import org.onap.clamp.clds.config.CldsUserJsonDecoder;
+import org.onap.clamp.clds.exception.CldsConfigException;
import org.onap.clamp.clds.exception.CldsUsersException;
import org.onap.clamp.clds.service.CldsUser;
import org.springframework.beans.factory.annotation.Autowired;
@@ -40,6 +41,8 @@ import org.springframework.security.config.annotation.authentication.builders.Au
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
/**
* This class is used to enable the HTTP authentication to login. It requires a
@@ -59,6 +62,10 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter {
private String cldsPersmissionTypeCl;
@Value("${CLDS_PERMISSION_INSTANCE:dev}")
private String cldsPermissionInstance;
+ @Value("${clamp.config.security.encoder:bcrypt}")
+ private String cldsEncoderMethod;
+ @Value("${clamp.config.security.encoder.bcrypt.strength:10}")
+ private Integer cldsBcryptEncoderStrength;
/**
* This method configures on which URL the authorization will be enabled.
@@ -83,6 +90,9 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter {
*/
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
+ // configure algorithm used for password hashing
+ final PasswordEncoder passwordEncoder = getPasswordEncoder();
+
try {
CldsUser[] usersList = loadUsers();
// no users defined
@@ -92,7 +102,7 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter {
}
for (CldsUser user : usersList) {
auth.inMemoryAuthentication().withUser(user.getUser()).password(user.getPassword())
- .roles(user.getPermissionsString());
+ .roles(user.getPermissionsString()).and().passwordEncoder(passwordEncoder);
}
} catch (Exception e) {
logger.error("Exception occurred during the setup of the Web users in memory", e);
@@ -112,4 +122,15 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter {
logger.info("Load from clds-users.properties");
return CldsUserJsonDecoder.decodeJson(refProp.getFileContent("files.cldsUsers"));
}
+
+ /**
+ * This methods returns the chosen encoder for password hashing.
+ */
+ private PasswordEncoder getPasswordEncoder() {
+ if ("bcrypt".equals(cldsEncoderMethod)) {
+ return new BCryptPasswordEncoder(cldsBcryptEncoderStrength);
+ } else {
+ throw new CldsConfigException("Invalid clamp.config.security.encoder value. 'bcrypt' is the only option at this time.");
+ }
+ }
}
diff --git a/src/main/resources/META-INF/resources/designer/index.html b/src/main/resources/META-INF/resources/designer/index.html
index 8e2300f6a..adcdf5373 100644
--- a/src/main/resources/META-INF/resources/designer/index.html
+++ b/src/main/resources/META-INF/resources/designer/index.html
@@ -106,7 +106,6 @@
<!-- <script src="lib/angular.min.js"></script>-->
<script src="lib/angular-route.js"></script>
<script src="lib/angular-resource.min.js"></script>
- <script src="lib/angular-md5.js"></script>
<!-- jQuery Include and Bootstrap -->
diff --git a/src/main/resources/META-INF/resources/designer/lib/angular-md5.js b/src/main/resources/META-INF/resources/designer/lib/angular-md5.js
deleted file mode 100644
index 7896bb429..000000000
--- a/src/main/resources/META-INF/resources/designer/lib/angular-md5.js
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- angular-md5 - v0.1.8
- 2015-11-17
-*/
-
-/* commonjs package manager support (eg componentjs) */
-if (typeof module !== "undefined" && typeof exports !== "undefined" && module.exports === exports) {
- module.exports = "angular-md5";
-}
-(function(angular) {
- angular.module("angular-md5", [ "gdi2290.md5" ]);
- angular.module("ngMd5", [ "gdi2290.md5" ]);
- angular.module("gdi2290.md5", [ "gdi2290.gravatar-filter", "gdi2290.md5-service", "gdi2290.md5-filter" ]);
- "use strict";
- angular.module("gdi2290.gravatar-filter", []).filter("gravatar", [ "md5", function(md5) {
- var cache = {};
- return function(text, defaultText) {
- if (!cache[text]) {
- defaultText = defaultText ? md5.createHash(defaultText.toString().toLowerCase()) : "";
- cache[text] = text ? md5.createHash(text.toString().toLowerCase()) : defaultText;
- }
- return cache[text];
- };
- } ]);
- "use strict";
- angular.module("gdi2290.md5-filter", []).filter("md5", [ "md5", function(md5) {
- return function(text) {
- return text ? md5.createHash(text.toString().toLowerCase()) : text;
- };
- } ]);
- "use strict";
- angular.module("gdi2290.md5-service", []).factory("md5", [ function() {
- var md5 = {
- createHash: function(str) {
- if (null === str) {
- return null;
- }
- var xl;
- var rotateLeft = function(lValue, iShiftBits) {
- return lValue << iShiftBits | lValue >>> 32 - iShiftBits;
- };
- var addUnsigned = function(lX, lY) {
- var lX4, lY4, lX8, lY8, lResult;
- lX8 = lX & 2147483648;
- lY8 = lY & 2147483648;
- lX4 = lX & 1073741824;
- lY4 = lY & 1073741824;
- lResult = (lX & 1073741823) + (lY & 1073741823);
- if (lX4 & lY4) {
- return lResult ^ 2147483648 ^ lX8 ^ lY8;
- }
- if (lX4 | lY4) {
- if (lResult & 1073741824) {
- return lResult ^ 3221225472 ^ lX8 ^ lY8;
- } else {
- return lResult ^ 1073741824 ^ lX8 ^ lY8;
- }
- } else {
- return lResult ^ lX8 ^ lY8;
- }
- };
- var _F = function(x, y, z) {
- return x & y | ~x & z;
- };
- var _G = function(x, y, z) {
- return x & z | y & ~z;
- };
- var _H = function(x, y, z) {
- return x ^ y ^ z;
- };
- var _I = function(x, y, z) {
- return y ^ (x | ~z);
- };
- var _FF = function(a, b, c, d, x, s, ac) {
- a = addUnsigned(a, addUnsigned(addUnsigned(_F(b, c, d), x), ac));
- return addUnsigned(rotateLeft(a, s), b);
- };
- var _GG = function(a, b, c, d, x, s, ac) {
- a = addUnsigned(a, addUnsigned(addUnsigned(_G(b, c, d), x), ac));
- return addUnsigned(rotateLeft(a, s), b);
- };
- var _HH = function(a, b, c, d, x, s, ac) {
- a = addUnsigned(a, addUnsigned(addUnsigned(_H(b, c, d), x), ac));
- return addUnsigned(rotateLeft(a, s), b);
- };
- var _II = function(a, b, c, d, x, s, ac) {
- a = addUnsigned(a, addUnsigned(addUnsigned(_I(b, c, d), x), ac));
- return addUnsigned(rotateLeft(a, s), b);
- };
- var convertToWordArray = function(str) {
- var lWordCount;
- var lMessageLength = str.length;
- var lNumberOfWords_temp1 = lMessageLength + 8;
- var lNumberOfWords_temp2 = (lNumberOfWords_temp1 - lNumberOfWords_temp1 % 64) / 64;
- var lNumberOfWords = (lNumberOfWords_temp2 + 1) * 16;
- var lWordArray = new Array(lNumberOfWords - 1);
- var lBytePosition = 0;
- var lByteCount = 0;
- while (lByteCount < lMessageLength) {
- lWordCount = (lByteCount - lByteCount % 4) / 4;
- lBytePosition = lByteCount % 4 * 8;
- lWordArray[lWordCount] = lWordArray[lWordCount] | str.charCodeAt(lByteCount) << lBytePosition;
- lByteCount++;
- }
- lWordCount = (lByteCount - lByteCount % 4) / 4;
- lBytePosition = lByteCount % 4 * 8;
- lWordArray[lWordCount] = lWordArray[lWordCount] | 128 << lBytePosition;
- lWordArray[lNumberOfWords - 2] = lMessageLength << 3;
- lWordArray[lNumberOfWords - 1] = lMessageLength >>> 29;
- return lWordArray;
- };
- var wordToHex = function(lValue) {
- var wordToHexValue = "", wordToHexValue_temp = "", lByte, lCount;
- for (lCount = 0; lCount <= 3; lCount++) {
- lByte = lValue >>> lCount * 8 & 255;
- wordToHexValue_temp = "0" + lByte.toString(16);
- wordToHexValue = wordToHexValue + wordToHexValue_temp.substr(wordToHexValue_temp.length - 2, 2);
- }
- return wordToHexValue;
- };
- var x = [], k, AA, BB, CC, DD, a, b, c, d, S11 = 7, S12 = 12, S13 = 17, S14 = 22, S21 = 5, S22 = 9, S23 = 14, S24 = 20, S31 = 4, S32 = 11, S33 = 16, S34 = 23, S41 = 6, S42 = 10, S43 = 15, S44 = 21;
- x = convertToWordArray(str);
- a = 1732584193;
- b = 4023233417;
- c = 2562383102;
- d = 271733878;
- xl = x.length;
- for (k = 0; k < xl; k += 16) {
- AA = a;
- BB = b;
- CC = c;
- DD = d;
- a = _FF(a, b, c, d, x[k + 0], S11, 3614090360);
- d = _FF(d, a, b, c, x[k + 1], S12, 3905402710);
- c = _FF(c, d, a, b, x[k + 2], S13, 606105819);
- b = _FF(b, c, d, a, x[k + 3], S14, 3250441966);
- a = _FF(a, b, c, d, x[k + 4], S11, 4118548399);
- d = _FF(d, a, b, c, x[k + 5], S12, 1200080426);
- c = _FF(c, d, a, b, x[k + 6], S13, 2821735955);
- b = _FF(b, c, d, a, x[k + 7], S14, 4249261313);
- a = _FF(a, b, c, d, x[k + 8], S11, 1770035416);
- d = _FF(d, a, b, c, x[k + 9], S12, 2336552879);
- c = _FF(c, d, a, b, x[k + 10], S13, 4294925233);
- b = _FF(b, c, d, a, x[k + 11], S14, 2304563134);
- a = _FF(a, b, c, d, x[k + 12], S11, 1804603682);
- d = _FF(d, a, b, c, x[k + 13], S12, 4254626195);
- c = _FF(c, d, a, b, x[k + 14], S13, 2792965006);
- b = _FF(b, c, d, a, x[k + 15], S14, 1236535329);
- a = _GG(a, b, c, d, x[k + 1], S21, 4129170786);
- d = _GG(d, a, b, c, x[k + 6], S22, 3225465664);
- c = _GG(c, d, a, b, x[k + 11], S23, 643717713);
- b = _GG(b, c, d, a, x[k + 0], S24, 3921069994);
- a = _GG(a, b, c, d, x[k + 5], S21, 3593408605);
- d = _GG(d, a, b, c, x[k + 10], S22, 38016083);
- c = _GG(c, d, a, b, x[k + 15], S23, 3634488961);
- b = _GG(b, c, d, a, x[k + 4], S24, 3889429448);
- a = _GG(a, b, c, d, x[k + 9], S21, 568446438);
- d = _GG(d, a, b, c, x[k + 14], S22, 3275163606);
- c = _GG(c, d, a, b, x[k + 3], S23, 4107603335);
- b = _GG(b, c, d, a, x[k + 8], S24, 1163531501);
- a = _GG(a, b, c, d, x[k + 13], S21, 2850285829);
- d = _GG(d, a, b, c, x[k + 2], S22, 4243563512);
- c = _GG(c, d, a, b, x[k + 7], S23, 1735328473);
- b = _GG(b, c, d, a, x[k + 12], S24, 2368359562);
- a = _HH(a, b, c, d, x[k + 5], S31, 4294588738);
- d = _HH(d, a, b, c, x[k + 8], S32, 2272392833);
- c = _HH(c, d, a, b, x[k + 11], S33, 1839030562);
- b = _HH(b, c, d, a, x[k + 14], S34, 4259657740);
- a = _HH(a, b, c, d, x[k + 1], S31, 2763975236);
- d = _HH(d, a, b, c, x[k + 4], S32, 1272893353);
- c = _HH(c, d, a, b, x[k + 7], S33, 4139469664);
- b = _HH(b, c, d, a, x[k + 10], S34, 3200236656);
- a = _HH(a, b, c, d, x[k + 13], S31, 681279174);
- d = _HH(d, a, b, c, x[k + 0], S32, 3936430074);
- c = _HH(c, d, a, b, x[k + 3], S33, 3572445317);
- b = _HH(b, c, d, a, x[k + 6], S34, 76029189);
- a = _HH(a, b, c, d, x[k + 9], S31, 3654602809);
- d = _HH(d, a, b, c, x[k + 12], S32, 3873151461);
- c = _HH(c, d, a, b, x[k + 15], S33, 530742520);
- b = _HH(b, c, d, a, x[k + 2], S34, 3299628645);
- a = _II(a, b, c, d, x[k + 0], S41, 4096336452);
- d = _II(d, a, b, c, x[k + 7], S42, 1126891415);
- c = _II(c, d, a, b, x[k + 14], S43, 2878612391);
- b = _II(b, c, d, a, x[k + 5], S44, 4237533241);
- a = _II(a, b, c, d, x[k + 12], S41, 1700485571);
- d = _II(d, a, b, c, x[k + 3], S42, 2399980690);
- c = _II(c, d, a, b, x[k + 10], S43, 4293915773);
- b = _II(b, c, d, a, x[k + 1], S44, 2240044497);
- a = _II(a, b, c, d, x[k + 8], S41, 1873313359);
- d = _II(d, a, b, c, x[k + 15], S42, 4264355552);
- c = _II(c, d, a, b, x[k + 6], S43, 2734768916);
- b = _II(b, c, d, a, x[k + 13], S44, 1309151649);
- a = _II(a, b, c, d, x[k + 4], S41, 4149444226);
- d = _II(d, a, b, c, x[k + 11], S42, 3174756917);
- c = _II(c, d, a, b, x[k + 2], S43, 718787259);
- b = _II(b, c, d, a, x[k + 9], S44, 3951481745);
- a = addUnsigned(a, AA);
- b = addUnsigned(b, BB);
- c = addUnsigned(c, CC);
- d = addUnsigned(d, DD);
- }
- var temp = wordToHex(a) + wordToHex(b) + wordToHex(c) + wordToHex(d);
- return temp.toLowerCase();
- }
- };
- return md5;
- } ]);
-})(angular); \ No newline at end of file
diff --git a/src/main/resources/META-INF/resources/designer/scripts/app.js b/src/main/resources/META-INF/resources/designer/scripts/app.js
index 588b61723..1d707c08f 100644
--- a/src/main/resources/META-INF/resources/designer/scripts/app.js
+++ b/src/main/resources/META-INF/resources/designer/scripts/app.js
@@ -46,7 +46,6 @@ var app = angular.module('clds-app', ['ngRoute',
'ui.grid.exporter',
'angucomplete',
'kendo.directives',
- 'angular-md5'
])
.config(['cfpLoadingBarProvider', function(cfpLoadingBarProvider) {
@@ -77,8 +76,6 @@ var app = angular.module('clds-app', ['ngRoute',
function($routeProvider, $locationProvider,
cfpLoadingBarProvider, $timeout, dialogs,
$cookies) {
- console
- .log("$routeProvider','$locationProvider', '$compileProvider','cfpLoadingBarProvider','md5'")
$locationProvider.html5Mode(false);
// alert("App.js");
diff --git a/src/main/resources/META-INF/resources/designer/scripts/authcontroller.js b/src/main/resources/META-INF/resources/designer/scripts/authcontroller.js
index b138c96ad..0072a24d2 100644
--- a/src/main/resources/META-INF/resources/designer/scripts/authcontroller.js
+++ b/src/main/resources/META-INF/resources/designer/scripts/authcontroller.js
@@ -23,7 +23,7 @@
'use strict';
-function AuthenticateCtrl($scope, $rootScope, $window, $resource, $http, $location, $cookies, md5) {
+function AuthenticateCtrl($scope, $rootScope, $window, $resource, $http, $location, $cookies) {
console.log("//////////AuthenticateCtrl");
$scope.getInclude = function() {
console.log("getInclude011111111");
@@ -50,10 +50,9 @@ function AuthenticateCtrl($scope, $rootScope, $window, $resource, $http, $locati
$window.localStorage.setItem("isInvalidUser", true);
return;
}
- var hashpass = md5.createHash(pass);
var headers = username ? {
authorization: "Basic " +
- btoa(username + ":" + hashpass)
+ btoa(username + ":" + pass)
} : {};
// send request to a test API with the username/password to verify the authorization
$http.get('/restservices/clds/v1/user/testUser', {
diff --git a/src/main/resources/clds/clds-users.json b/src/main/resources/clds/clds-users.json
index d2c06c808..8be08e1d4 100644
--- a/src/main/resources/clds/clds-users.json
+++ b/src/main/resources/clds/clds-users.json
@@ -1,6 +1,6 @@
[{
"user":"admin",
- "password":"5f4dcc3b5aa765d61d8327deb882cf99",
+ "password":"$2a$10$H/e21kl04Dw9C978CHuM7OewyMGUN5WGzAAx7SgIaR4ix8.wTcssi",
"permissions":
[
"permission-type-cl|dev|read",
@@ -12,7 +12,7 @@
},
{
"user":"cs0008",
- "password":"5f4dcc3b5aa765d61d8327deb882cf99",
+ "password":"$2a$10$H/e21kl04Dw9C978CHuM7OewyMGUN5WGzAAx7SgIaR4ix8.wTcssi",
"permissions":
[
"permission-type-cl|dev|read",
@@ -23,4 +23,4 @@
"permission-type-template|dev|update"
]
}
-] \ No newline at end of file
+]