improve check for legacy passwords

2025-11-13 17:05:43 +01:00 · 2015-06-20 15:36:17 +02:00
parent a6c8afc3c2
commit d4081e2af5
2 changed files with 61 additions and 5 deletions
--- a/scm-plugins/scm-legacy-plugin/src/main/java/sonia/scm/legacy/LegacyRealm.java
+++ b/scm-plugins/scm-legacy-plugin/src/main/java/sonia/scm/legacy/LegacyRealm.java
@@ -34,6 +34,7 @@ package sonia.scm.legacy;
 //~--- non-JDK imports --------------------------------------------------------

 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.CharMatcher;
 import com.google.common.base.Preconditions;

 import org.apache.shiro.authc.AuthenticationException;
@@ -44,6 +45,9 @@ import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
 import org.apache.shiro.crypto.hash.Sha1Hash;
 import org.apache.shiro.realm.AuthenticatingRealm;

+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import sonia.scm.group.GroupDAO;
 import sonia.scm.plugin.Extension;
 import sonia.scm.security.DAORealmHelper;
@@ -69,6 +73,19 @@ public class LegacyRealm extends AuthenticatingRealm
  @VisibleForTesting
  static final String REALM = "LegacyRealm";

+  /** Field description */
+  //J-
+  private static final CharMatcher HEX_MATCHER = CharMatcher.inRange('0', '9')
+    .or(CharMatcher.inRange('a', 'f'))
+    .or(CharMatcher.inRange('A', 'F'));
+  //J+
+
+  /**
+   *   the logger for LegacyRealm
+   */
+  private static final Logger logger =
+    LoggerFactory.getLogger(LegacyRealm.class);
+
  //~--- constructors ---------------------------------------------------------

  /**
@@ -112,15 +129,37 @@ public class LegacyRealm extends AuthenticatingRealm
    Preconditions.checkArgument(token instanceof UsernamePasswordToken,
      "unsupported token");

-    AuthenticationInfo info = null;
-    char[] password = ((UsernamePasswordToken) token).getPassword();
+    return returnOnHexCredentials(helper.getAuthenticationInfo(token));
+  }

-    if ((password != null) && (password[0] != '$'))
+  private AuthenticationInfo returnOnHexCredentials(AuthenticationInfo info)
+  {
+    AuthenticationInfo result = null;
+
+    if (info != null)
    {
-      info = helper.getAuthenticationInfo(token);
+      Object credentials = info.getCredentials();
+
+      if (credentials instanceof String)
+      {
+        String password = (String) credentials;
+
+        if (HEX_MATCHER.matchesAllOf(password))
+        {
+          result = info;
+        }
+        else
+        {
+          logger.debug("hash contains non hex chars");
+        }
+      }
+      else
+      {
+        logger.debug("non string crendentials found");
+      }
    }

-    return info;
+    return result;
  }

  //~--- fields ---------------------------------------------------------------
--- a/scm-plugins/scm-legacy-plugin/src/test/java/sonia/scm/legacy/LegacyRealmTest.java
+++ b/scm-plugins/scm-legacy-plugin/src/test/java/sonia/scm/legacy/LegacyRealmTest.java
@@ -100,11 +100,28 @@ public class LegacyRealmTest
  @Test
  public void testDoGetAuthenticationInfoWithNewPasswords()
  {
+    User user = UserTestData.createTrillian();
+    user.setPassword(NEW_PASSWORD);
+    when(userDAO.get("tricia")).thenReturn(user);
+    
    AuthenticationToken token = new UsernamePasswordToken("tricia",
                                  NEW_PASSWORD);

    assertNull(realm.doGetAuthenticationInfo(token));
  }
+  
+/**
+   * Method description
+   *
+   */
+  @Test
+  public void testDoGetAuthenticationInfoWithNullPassword()
+  {
+    when(userDAO.get("tricia")).thenReturn(UserTestData.createTrillian());
+    AuthenticationToken token = new UsernamePasswordToken("tricia", "secret");
+
+    assertNull(realm.doGetAuthenticationInfo(token));
+  }

  /**
   * Method description