From d5623a235d54b308280d90920238bf75a2880b84 Mon Sep 17 00:00:00 2001 From: James Moger Date: Mon, 24 Oct 2011 16:32:57 -0400 Subject: [PATCH] Combined-md5 password storage option --- distrib/gitblit.properties | 4 +- docs/00_index.mkd | 7 +-- docs/04_releases.mkd | 7 +-- src/com/gitblit/FileUserService.java | 9 ++++ src/com/gitblit/client/EditUserDialog.java | 53 +++++++++++++------ src/com/gitblit/utils/StringUtils.java | 2 + .../wicket/pages/ChangePasswordPage.java | 7 ++- .../gitblit/wicket/pages/EditUserPage.java | 14 ++++- 8 files changed, 76 insertions(+), 27 deletions(-) diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties index 28a6db83..2d48da6e 100644 --- a/distrib/gitblit.properties +++ b/distrib/gitblit.properties @@ -59,7 +59,9 @@ web.allowCookieAuthentication = true realm.userService = users.properties # How to store passwords. -# Valid values are plain or md5. Default is md5. +# Valid values are plain, md5, or combined-md5. md5 is the hash of password. +# combined-md5 is the hash of username.toLowerCase()+password. +# Default is md5. # # SINCE 0.5.0 realm.passwordStorage = md5 diff --git a/docs/00_index.mkd b/docs/00_index.mkd index 12edae5d..4aea0d73 100644 --- a/docs/00_index.mkd +++ b/docs/00_index.mkd @@ -41,6 +41,10 @@ Gitblit requires a Java 6 Runtime Environment (JRE) or a Java 6 Development Kit - added: Gitblit Manager (Java/Swing Application) for remote administration of a Gitblit server. - added: per-repository setting to skip size calculation (faster repositories page loading) - added: per-repository setting to skip summary metrics calculation (faster summary page loading) +- added: IUserService.setup(IStoredSettings) for custom user service implementations +- added: setting to control Gitblit GO context path for proxy setups + **New:** *server.contextPath = /* +- added: *combined-md5* password storage option which stores the hash of username+password as the password - fixed: federation protocol timestamps. dates are now serialized to the [iso8601](http://en.wikipedia.org/wiki/ISO_8601) standard. **This breaks 0.6.0 federation clients/servers.** - fixed: collision on rename for repositories and users @@ -49,9 +53,6 @@ Gitblit requires a Java 6 Runtime Environment (JRE) or a Java 6 Development Kit - fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22) - fixed: Null pointer exception if did not set federation strategy (issue 20) - fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later -- added: IUserService.setup(IStoredSettings) for custom user service implementations -- added: setting to control Gitblit GO context path for proxy setups - **New:** *server.contextPath = /* - updated: MarkdownPapers 1.2.4 issues, binaries, and sources @ [Google Code][googlecode]
diff --git a/docs/04_releases.mkd b/docs/04_releases.mkd index 68e09084..ac097781 100644 --- a/docs/04_releases.mkd +++ b/docs/04_releases.mkd @@ -15,6 +15,10 @@ - added: Gitblit Manager (Java/Swing Application) for remote administration of a Gitblit server. - added: per-repository setting to skip size calculation (faster repositories page loading) - added: per-repository setting to skip summary metrics calculation (faster summary page loading) +- added: IUserService.setup(IStoredSettings) for custom user service implementations +- added: setting to control Gitblit GO context path for proxy setups + **New:** *server.contextPath = /* +- added: *combined-md5* password storage option which stores the hash of username+password as the password - fixed: federation protocol timestamps. dates are now serialized to the [iso8601](http://en.wikipedia.org/wiki/ISO_8601) standard. **This breaks 0.6.0 federation clients/servers.** - fixed: collision on rename for repositories and users @@ -23,9 +27,6 @@ - fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22) - fixed: Null pointer exception if did not set federation strategy (issue 20) - fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later -- added: IUserService.setup(IStoredSettings) for custom user service implementations -- added: setting to control Gitblit GO context path for proxy setups - **New:** *server.contextPath = /* - updated: MarkdownPapers 1.2.4 ### Older Releases diff --git a/src/com/gitblit/FileUserService.java b/src/com/gitblit/FileUserService.java index cae0d791..3c8914dd 100644 --- a/src/com/gitblit/FileUserService.java +++ b/src/com/gitblit/FileUserService.java @@ -126,11 +126,20 @@ public class FileUserService extends FileSettings implements IUserService { UserModel returnedUser = null; UserModel user = getUserModel(username); if (user.password.startsWith(StringUtils.MD5_TYPE)) { + // password digest String md5 = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(password)); if (user.password.equalsIgnoreCase(md5)) { returnedUser = user; } + } else if (user.password.startsWith(StringUtils.COMBINED_MD5_TYPE)) { + // username+password digest + String md5 = StringUtils.COMBINED_MD5_TYPE + + StringUtils.getMD5(username.toLowerCase() + new String(password)); + if (user.password.equalsIgnoreCase(md5)) { + returnedUser = user; + } } else if (user.password.equals(new String(password))) { + // plain-text password returnedUser = user; } return returnedUser; diff --git a/src/com/gitblit/client/EditUserDialog.java b/src/com/gitblit/client/EditUserDialog.java index c77713a8..0f666bde 100644 --- a/src/com/gitblit/client/EditUserDialog.java +++ b/src/com/gitblit/client/EditUserDialog.java @@ -191,6 +191,7 @@ public class EditUserDialog extends JDialog { return false; } + boolean rename = false; // verify username uniqueness on create if (isCreate) { if (usernames.contains(uname.toLowerCase())) { @@ -199,7 +200,8 @@ public class EditUserDialog extends JDialog { } } else { // check rename collision - if (!username.equalsIgnoreCase(uname)) { + rename = !StringUtils.isEmpty(username) && !username.equalsIgnoreCase(uname); + if (rename) { if (usernames.contains(uname.toLowerCase())) { error(MessageFormat.format( "Failed to rename ''{0}'' because ''{1}'' already exists.", username, @@ -208,34 +210,51 @@ public class EditUserDialog extends JDialog { } } } + user.username = uname; int minLength = settings.get(Keys.realm.minPasswordLength).getInteger(5); if (minLength < 4) { minLength = 4; } - char[] pw = passwordField.getPassword(); - if (pw == null || pw.length < minLength) { + + String password = new String(passwordField.getPassword()); + if (StringUtils.isEmpty(password) || password.length() < minLength) { error(MessageFormat.format("Password is too short. Minimum length is {0} characters.", minLength)); return false; } - char[] cpw = confirmPasswordField.getPassword(); - if (cpw == null || cpw.length != pw.length) { - error("Please confirm the password!"); - return false; - } - if (!Arrays.equals(pw, cpw)) { - error("Passwords do not match!"); + if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE) + && !password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { + String cpw = new String(confirmPasswordField.getPassword()); + if (cpw == null || cpw.length() != password.length()) { + error("Please confirm the password!"); + return false; + } + if (!password.equals(cpw)) { + error("Passwords do not match!"); + return false; + } + + String type = settings.get(Keys.realm.passwordStorage).getString("md5"); + if (type.equalsIgnoreCase("md5")) { + // store MD5 digest of password + user.password = StringUtils.MD5_TYPE + StringUtils.getMD5(password); + } else if (type.equalsIgnoreCase("combined-md5")) { + // store MD5 digest of username+password + user.password = StringUtils.COMBINED_MD5_TYPE + + StringUtils.getMD5(username.toLowerCase() + password); + } else { + // plain-text password + user.password = password; + } + } else if (rename && password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { + error("Gitblit is configured for combined-md5 password hashing. You must enter a new password on account rename."); return false; - } - user.username = uname; - String type = settings.get(Keys.realm.passwordStorage).getString("md5"); - if (type.equalsIgnoreCase("md5")) { - // store MD5 digest of password - user.password = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(pw)); } else { - user.password = new String(pw); + // no change in password + user.password = password; } + user.canAdmin = canAdminCheckbox.isSelected(); user.excludeFromFederation = notFederatedCheckbox.isSelected(); diff --git a/src/com/gitblit/utils/StringUtils.java b/src/com/gitblit/utils/StringUtils.java index 8adf1e42..746fbe2e 100644 --- a/src/com/gitblit/utils/StringUtils.java +++ b/src/com/gitblit/utils/StringUtils.java @@ -33,6 +33,8 @@ import java.util.regex.PatternSyntaxException; public class StringUtils { public static final String MD5_TYPE = "MD5:"; + + public static final String COMBINED_MD5_TYPE = "CMD5:"; /** * Returns true if the string is null or empty. diff --git a/src/com/gitblit/wicket/pages/ChangePasswordPage.java b/src/com/gitblit/wicket/pages/ChangePasswordPage.java index fec24144..2738a5fc 100644 --- a/src/com/gitblit/wicket/pages/ChangePasswordPage.java +++ b/src/com/gitblit/wicket/pages/ChangePasswordPage.java @@ -77,14 +77,19 @@ public class ChangePasswordPage extends RootSubPage { return; } + UserModel user = GitBlitWebSession.get().getUser(); + // convert to MD5 digest, if appropriate String type = GitBlit.getString(Keys.realm.passwordStorage, "md5"); if (type.equalsIgnoreCase("md5")) { // store MD5 digest of password password = StringUtils.MD5_TYPE + StringUtils.getMD5(password); + } else if (type.equalsIgnoreCase("combined-md5")) { + // store MD5 digest of username+password + password = StringUtils.COMBINED_MD5_TYPE + + StringUtils.getMD5(user.username.toLowerCase() + password); } - UserModel user = GitBlitWebSession.get().getUser(); user.password = password; try { GitBlit.self().updateUserModel(user.username, user, false); diff --git a/src/com/gitblit/wicket/pages/EditUserPage.java b/src/com/gitblit/wicket/pages/EditUserPage.java index 78e94614..8955e222 100644 --- a/src/com/gitblit/wicket/pages/EditUserPage.java +++ b/src/com/gitblit/wicket/pages/EditUserPage.java @@ -70,7 +70,7 @@ public class EditUserPage extends RootSubPage { } else { super.setupPage(getString("gb.edit"), userModel.username); } - + final Model confirmPassword = new Model( StringUtils.isEmpty(userModel.password) ? "" : userModel.password); CompoundPropertyModel model = new CompoundPropertyModel(userModel); @@ -109,12 +109,14 @@ public class EditUserPage extends RootSubPage { return; } } + boolean rename = !StringUtils.isEmpty(oldName) && !oldName.equalsIgnoreCase(username); if (!userModel.password.equals(confirmPassword.getObject())) { error("Passwords do not match!"); return; } String password = userModel.password; - if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE)) { + if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE) + && !password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { // This is a plain text password. // Check length. int minLength = GitBlit.getInteger(Keys.realm.minPasswordLength, 5); @@ -134,7 +136,15 @@ public class EditUserPage extends RootSubPage { // store MD5 digest of password userModel.password = StringUtils.MD5_TYPE + StringUtils.getMD5(userModel.password); + } else if (type.equalsIgnoreCase("combined-md5")) { + // store MD5 digest of username+password + userModel.password = StringUtils.COMBINED_MD5_TYPE + + StringUtils.getMD5(username.toLowerCase() + userModel.password); } + } else if (rename + && password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { + error("Gitblit is configured for combined-md5 password hashing. You must enter a new password on account rename."); + return; } Iterator selectedRepositories = repositories.getSelectedChoices(); -- 2.39.5