diff options
| author | Florian Zschocke <f.zschocke+git@gmail.com> | 2020-04-04 19:25:27 +0200 |
|---|---|---|
| committer | Florian Zschocke <f.zschocke+git@gmail.com> | 2020-04-05 12:34:34 +0200 |
| commit | e47647b00d566d64d311042981e6b1798f683e4a (patch) | |
| tree | 1a3c74a343cbed999a37d8d9161e0f9943d97272 /src/test | |
| parent | 8b18ac309bc36c8a16a3d26f088cb168635930d3 (diff) | |
| download | gitblit-e47647b00d566d64d311042981e6b1798f683e4a.tar.gz gitblit-e47647b00d566d64d311042981e6b1798f683e4a.zip | |
🦟 fix: Password hash upgrade kills existing passwords
The upgrade of a MD5 stored password hash to a PBKDF password hash
destroys the stored password. The has check zeroes out the password that
is tested, so that the new hash is built over the zeroed out value.
This fix prevents that an also adds a check to the test.
Fixes #1335
Diffstat (limited to 'src/test')
| -rw-r--r-- | src/test/java/com/gitblit/tests/AuthenticationManagerTest.java | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java b/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java index 45009856..1c6de3b2 100644 --- a/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java +++ b/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java @@ -671,14 +671,18 @@ public class AuthenticationManagerTest extends GitblitUnitTest { public void testAuthenticateUpgradePlaintext() throws Exception { IAuthenticationManager auth = newAuthenticationManager(); + String password = "topsecret"; UserModel user = new UserModel("sunnyjim"); - user.password = "password"; + user.password = password; users.updateUserModel(user); - assertNotNull(auth.authenticate(user.username, user.password.toCharArray(), null)); + assertNotNull(auth.authenticate(user.username, password.toCharArray(), null)); // validate that plaintext password was automatically updated to hashed one assertTrue(user.password.startsWith(PasswordHash.getDefaultType().name() + ":")); + + // validate that the password is still valid and the user can log in + assertNotNull(auth.authenticate(user.username, password.toCharArray(), null)); } @@ -686,14 +690,18 @@ public class AuthenticationManagerTest extends GitblitUnitTest { public void testAuthenticateUpgradeMD5() throws Exception { IAuthenticationManager auth = newAuthenticationManager(); + String password = "secretAndHashed"; UserModel user = new UserModel("sunnyjim"); - user.password = "MD5:5F4DCC3B5AA765D61D8327DEB882CF99"; + user.password = "MD5:BD95A1CFD00868B59B3564112D1E5847"; users.updateUserModel(user); - assertNotNull(auth.authenticate(user.username, "password".toCharArray(), null)); + assertNotNull(auth.authenticate(user.username, password.toCharArray(), null)); // validate that MD5 password was automatically updated to hashed one assertTrue(user.password.startsWith(PasswordHash.getDefaultType().name() + ":")); + + // validate that the password is still valid and the user can log in + assertNotNull(auth.authenticate(user.username, password.toCharArray(), null)); } |