improve check for legacy passwords

scm-plugins/scm-legacy-plugin/src/main/java/sonia/scm/legacy/LegacyRealm.java

@@ -34,6 +34,7 @@ package sonia.scm.legacy;
 //~--- non-JDK imports --------------------------------------------------------
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.CharMatcher;
 import com.google.common.base.Preconditions;
 
 import org.apache.shiro.authc.AuthenticationException;
@@ -44,6 +45,9 @@ import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
 import org.apache.shiro.crypto.hash.Sha1Hash;
 import org.apache.shiro.realm.AuthenticatingRealm;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import sonia.scm.group.GroupDAO;
 import sonia.scm.plugin.Extension;
 import sonia.scm.security.DAORealmHelper;
@@ -69,6 +73,19 @@ public class LegacyRealm extends AuthenticatingRealm
   @VisibleForTesting
   static final String REALM = "LegacyRealm";
 
+  /** Field description */
+  //J-
+  private static final CharMatcher HEX_MATCHER = CharMatcher.inRange('0', '9')
+    .or(CharMatcher.inRange('a', 'f'))
+    .or(CharMatcher.inRange('A', 'F'));
+  //J+
+
+  /**
+   *   the logger for LegacyRealm
+   */
+  private static final Logger logger =
+    LoggerFactory.getLogger(LegacyRealm.class);
+
   //~--- constructors ---------------------------------------------------------
 
   /**
@@ -112,15 +129,37 @@ public class LegacyRealm extends AuthenticatingRealm
     Preconditions.checkArgument(token instanceof UsernamePasswordToken,
       "unsupported token");
 
-    AuthenticationInfo info = null;
+    return returnOnHexCredentials(helper.getAuthenticationInfo(token));
-    char[] password = ((UsernamePasswordToken) token).getPassword();
-
-    if ((password != null) && (password[0] != '$'))
-    {
-      info = helper.getAuthenticationInfo(token);
   }
 
-    return info;
+  private AuthenticationInfo returnOnHexCredentials(AuthenticationInfo info)
+  {
+    AuthenticationInfo result = null;
+
+    if (info != null)
+    {
+      Object credentials = info.getCredentials();
+
+      if (credentials instanceof String)
+      {
+        String password = (String) credentials;
+
+        if (HEX_MATCHER.matchesAllOf(password))
+        {
+          result = info;
+        }
+        else
+        {
+          logger.debug("hash contains non hex chars");
+        }
+      }
+      else
+      {
+        logger.debug("non string crendentials found");
+      }
+    }
+
+    return result;
   }
 
   //~--- fields ---------------------------------------------------------------

scm-plugins/scm-legacy-plugin/src/test/java/sonia/scm/legacy/LegacyRealmTest.java

@@ -100,12 +100,29 @@ public class LegacyRealmTest
   @Test
   public void testDoGetAuthenticationInfoWithNewPasswords()
   {
+    User user = UserTestData.createTrillian();
+    user.setPassword(NEW_PASSWORD);
+    when(userDAO.get("tricia")).thenReturn(user);
+    
     AuthenticationToken token = new UsernamePasswordToken("tricia",
                                   NEW_PASSWORD);
 
     assertNull(realm.doGetAuthenticationInfo(token));
   }
   
+/**
+   * Method description
+   *
+   */
+  @Test
+  public void testDoGetAuthenticationInfoWithNullPassword()
+  {
+    when(userDAO.get("tricia")).thenReturn(UserTestData.createTrillian());
+    AuthenticationToken token = new UsernamePasswordToken("tricia", "secret");
+
+    assertNull(realm.doGetAuthenticationInfo(token));
+  }
+
   /**
    * Method description
    *