From d5623a235d54b308280d90920238bf75a2880b84 Mon Sep 17 00:00:00 2001 From: James Moger Date: Mon, 24 Oct 2011 16:32:57 -0400 Subject: Combined-md5 password storage option --- src/com/gitblit/FileUserService.java | 9 ++++ src/com/gitblit/client/EditUserDialog.java | 53 +++++++++++++++------- src/com/gitblit/utils/StringUtils.java | 2 + .../gitblit/wicket/pages/ChangePasswordPage.java | 7 ++- src/com/gitblit/wicket/pages/EditUserPage.java | 14 +++++- 5 files changed, 65 insertions(+), 20 deletions(-) (limited to 'src') diff --git a/src/com/gitblit/FileUserService.java b/src/com/gitblit/FileUserService.java index cae0d791..3c8914dd 100644 --- a/src/com/gitblit/FileUserService.java +++ b/src/com/gitblit/FileUserService.java @@ -126,11 +126,20 @@ public class FileUserService extends FileSettings implements IUserService { UserModel returnedUser = null; UserModel user = getUserModel(username); if (user.password.startsWith(StringUtils.MD5_TYPE)) { + // password digest String md5 = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(password)); if (user.password.equalsIgnoreCase(md5)) { returnedUser = user; } + } else if (user.password.startsWith(StringUtils.COMBINED_MD5_TYPE)) { + // username+password digest + String md5 = StringUtils.COMBINED_MD5_TYPE + + StringUtils.getMD5(username.toLowerCase() + new String(password)); + if (user.password.equalsIgnoreCase(md5)) { + returnedUser = user; + } } else if (user.password.equals(new String(password))) { + // plain-text password returnedUser = user; } return returnedUser; diff --git a/src/com/gitblit/client/EditUserDialog.java b/src/com/gitblit/client/EditUserDialog.java index c77713a8..0f666bde 100644 --- a/src/com/gitblit/client/EditUserDialog.java +++ b/src/com/gitblit/client/EditUserDialog.java @@ -191,6 +191,7 @@ public class EditUserDialog extends JDialog { return false; } + boolean rename = false; // verify username uniqueness on create if (isCreate) { if (usernames.contains(uname.toLowerCase())) { @@ -199,7 +200,8 @@ public class EditUserDialog extends JDialog { } } else { // check rename collision - if (!username.equalsIgnoreCase(uname)) { + rename = !StringUtils.isEmpty(username) && !username.equalsIgnoreCase(uname); + if (rename) { if (usernames.contains(uname.toLowerCase())) { error(MessageFormat.format( "Failed to rename ''{0}'' because ''{1}'' already exists.", username, @@ -208,34 +210,51 @@ public class EditUserDialog extends JDialog { } } } + user.username = uname; int minLength = settings.get(Keys.realm.minPasswordLength).getInteger(5); if (minLength < 4) { minLength = 4; } - char[] pw = passwordField.getPassword(); - if (pw == null || pw.length < minLength) { + + String password = new String(passwordField.getPassword()); + if (StringUtils.isEmpty(password) || password.length() < minLength) { error(MessageFormat.format("Password is too short. Minimum length is {0} characters.", minLength)); return false; } - char[] cpw = confirmPasswordField.getPassword(); - if (cpw == null || cpw.length != pw.length) { - error("Please confirm the password!"); - return false; - } - if (!Arrays.equals(pw, cpw)) { - error("Passwords do not match!"); + if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE) + && !password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { + String cpw = new String(confirmPasswordField.getPassword()); + if (cpw == null || cpw.length() != password.length()) { + error("Please confirm the password!"); + return false; + } + if (!password.equals(cpw)) { + error("Passwords do not match!"); + return false; + } + + String type = settings.get(Keys.realm.passwordStorage).getString("md5"); + if (type.equalsIgnoreCase("md5")) { + // store MD5 digest of password + user.password = StringUtils.MD5_TYPE + StringUtils.getMD5(password); + } else if (type.equalsIgnoreCase("combined-md5")) { + // store MD5 digest of username+password + user.password = StringUtils.COMBINED_MD5_TYPE + + StringUtils.getMD5(username.toLowerCase() + password); + } else { + // plain-text password + user.password = password; + } + } else if (rename && password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { + error("Gitblit is configured for combined-md5 password hashing. You must enter a new password on account rename."); return false; - } - user.username = uname; - String type = settings.get(Keys.realm.passwordStorage).getString("md5"); - if (type.equalsIgnoreCase("md5")) { - // store MD5 digest of password - user.password = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(pw)); } else { - user.password = new String(pw); + // no change in password + user.password = password; } + user.canAdmin = canAdminCheckbox.isSelected(); user.excludeFromFederation = notFederatedCheckbox.isSelected(); diff --git a/src/com/gitblit/utils/StringUtils.java b/src/com/gitblit/utils/StringUtils.java index 8adf1e42..746fbe2e 100644 --- a/src/com/gitblit/utils/StringUtils.java +++ b/src/com/gitblit/utils/StringUtils.java @@ -33,6 +33,8 @@ import java.util.regex.PatternSyntaxException; public class StringUtils { public static final String MD5_TYPE = "MD5:"; + + public static final String COMBINED_MD5_TYPE = "CMD5:"; /** * Returns true if the string is null or empty. diff --git a/src/com/gitblit/wicket/pages/ChangePasswordPage.java b/src/com/gitblit/wicket/pages/ChangePasswordPage.java index fec24144..2738a5fc 100644 --- a/src/com/gitblit/wicket/pages/ChangePasswordPage.java +++ b/src/com/gitblit/wicket/pages/ChangePasswordPage.java @@ -77,14 +77,19 @@ public class ChangePasswordPage extends RootSubPage { return; } + UserModel user = GitBlitWebSession.get().getUser(); + // convert to MD5 digest, if appropriate String type = GitBlit.getString(Keys.realm.passwordStorage, "md5"); if (type.equalsIgnoreCase("md5")) { // store MD5 digest of password password = StringUtils.MD5_TYPE + StringUtils.getMD5(password); + } else if (type.equalsIgnoreCase("combined-md5")) { + // store MD5 digest of username+password + password = StringUtils.COMBINED_MD5_TYPE + + StringUtils.getMD5(user.username.toLowerCase() + password); } - UserModel user = GitBlitWebSession.get().getUser(); user.password = password; try { GitBlit.self().updateUserModel(user.username, user, false); diff --git a/src/com/gitblit/wicket/pages/EditUserPage.java b/src/com/gitblit/wicket/pages/EditUserPage.java index 78e94614..8955e222 100644 --- a/src/com/gitblit/wicket/pages/EditUserPage.java +++ b/src/com/gitblit/wicket/pages/EditUserPage.java @@ -70,7 +70,7 @@ public class EditUserPage extends RootSubPage { } else { super.setupPage(getString("gb.edit"), userModel.username); } - + final Model confirmPassword = new Model( StringUtils.isEmpty(userModel.password) ? "" : userModel.password); CompoundPropertyModel model = new CompoundPropertyModel(userModel); @@ -109,12 +109,14 @@ public class EditUserPage extends RootSubPage { return; } } + boolean rename = !StringUtils.isEmpty(oldName) && !oldName.equalsIgnoreCase(username); if (!userModel.password.equals(confirmPassword.getObject())) { error("Passwords do not match!"); return; } String password = userModel.password; - if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE)) { + if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE) + && !password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { // This is a plain text password. // Check length. int minLength = GitBlit.getInteger(Keys.realm.minPasswordLength, 5); @@ -134,7 +136,15 @@ public class EditUserPage extends RootSubPage { // store MD5 digest of password userModel.password = StringUtils.MD5_TYPE + StringUtils.getMD5(userModel.password); + } else if (type.equalsIgnoreCase("combined-md5")) { + // store MD5 digest of username+password + userModel.password = StringUtils.COMBINED_MD5_TYPE + + StringUtils.getMD5(username.toLowerCase() + userModel.password); } + } else if (rename + && password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { + error("Gitblit is configured for combined-md5 password hashing. You must enter a new password on account rename."); + return; } Iterator selectedRepositories = repositories.getSelectedChoices(); -- cgit v1.2.3