Combined-md5 password storage option

distrib/gitblit.properties

@@ -59,7 +59,9 @@ web.allowCookieAuthentication = true
 realm.userService = users.properties
 
 # How to store passwords.
-# Valid values are plain or md5.  Default is md5.
+# Valid values are plain, md5, or combined-md5.  md5 is the hash of password.
+# combined-md5 is the hash of username.toLowerCase()+password.
+# Default is md5.
 #
 # SINCE 0.5.0 
 realm.passwordStorage = md5

docs/00_index.mkd

@@ -41,6 +41,10 @@ Gitblit requires a Java 6 Runtime Environment (JRE) or a Java 6 Development Kit
 - added: Gitblit Manager (Java/Swing Application) for remote administration of a Gitblit server.
 - added: per-repository setting to skip size calculation (faster repositories page loading)
 - added: per-repository setting to skip summary metrics calculation (faster summary page loading)
+- added: IUserService.setup(IStoredSettings) for custom user service implementations
+- added: setting to control Gitblit GO context path for proxy setups  
+    **New:** *server.contextPath = /*
+- added: *combined-md5* password storage option which stores the hash of username+password as the password
 - fixed: federation protocol timestamps.  dates are now serialized to the [iso8601](http://en.wikipedia.org/wiki/ISO_8601) standard.  
     **This breaks 0.6.0 federation clients/servers.**
 - fixed: collision on rename for repositories and users
@@ -49,9 +53,6 @@ Gitblit requires a Java 6 Runtime Environment (JRE) or a Java 6 Development Kit
 - fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22)
 - fixed: Null pointer exception if did not set federation strategy (issue 20)
 - fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later
-- added: IUserService.setup(IStoredSettings) for custom user service implementations
-- added: setting to control Gitblit GO context path for proxy setups  
-    **New:** *server.contextPath = /*
 - updated: MarkdownPapers 1.2.4
 
 issues, binaries, and sources @ [Google Code][googlecode]<br/>

docs/04_releases.mkd

@@ -15,6 +15,10 @@
 - added: Gitblit Manager (Java/Swing Application) for remote administration of a Gitblit server.
 - added: per-repository setting to skip size calculation (faster repositories page loading)
 - added: per-repository setting to skip summary metrics calculation (faster summary page loading)
+- added: IUserService.setup(IStoredSettings) for custom user service implementations
+- added: setting to control Gitblit GO context path for proxy setups  
+    **New:** *server.contextPath = /*
+- added: *combined-md5* password storage option which stores the hash of username+password as the password
 - fixed: federation protocol timestamps.  dates are now serialized to the [iso8601](http://en.wikipedia.org/wiki/ISO_8601) standard.  
     **This breaks 0.6.0 federation clients/servers.**
 - fixed: collision on rename for repositories and users
@@ -23,9 +27,6 @@
 - fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22)
 - fixed: Null pointer exception if did not set federation strategy (issue 20)
 - fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later
-- added: IUserService.setup(IStoredSettings) for custom user service implementations
-- added: setting to control Gitblit GO context path for proxy setups  
-    **New:** *server.contextPath = /*
 - updated: MarkdownPapers 1.2.4
 
 ### Older Releases

src/com/gitblit/FileUserService.java

@@ -126,11 +126,20 @@ public class FileUserService extends FileSettings implements IUserService {
 		UserModel returnedUser = null;
 		UserModel user = getUserModel(username);
 		if (user.password.startsWith(StringUtils.MD5_TYPE)) {
+			// password digest
 			String md5 = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(password));
 			if (user.password.equalsIgnoreCase(md5)) {
 				returnedUser = user;
 			}
+		} else if (user.password.startsWith(StringUtils.COMBINED_MD5_TYPE)) {
+			// username+password digest
+			String md5 = StringUtils.COMBINED_MD5_TYPE
+					+ StringUtils.getMD5(username.toLowerCase() + new String(password));
+			if (user.password.equalsIgnoreCase(md5)) {
+				returnedUser = user;
+			}
 		} else if (user.password.equals(new String(password))) {
+			// plain-text password
 			returnedUser = user;
 		}
 		return returnedUser;

src/com/gitblit/client/EditUserDialog.java

@@ -191,6 +191,7 @@ public class EditUserDialog extends JDialog {
 			return false;
 		}
 
+		boolean rename = false;
 		// verify username uniqueness on create
 		if (isCreate) {
 			if (usernames.contains(uname.toLowerCase())) {
@@ -199,7 +200,8 @@ public class EditUserDialog extends JDialog {
 			}
 		} else {
 			// check rename collision
-			if (!username.equalsIgnoreCase(uname)) {
+			rename = !StringUtils.isEmpty(username) && !username.equalsIgnoreCase(uname);
+			if (rename) {
 				if (usernames.contains(uname.toLowerCase())) {
 					error(MessageFormat.format(
 							"Failed to rename ''{0}'' because ''{1}'' already exists.", username,
@@ -208,34 +210,51 @@ public class EditUserDialog extends JDialog {
 				}
 			}
 		}
+		user.username = uname;
 
 		int minLength = settings.get(Keys.realm.minPasswordLength).getInteger(5);
 		if (minLength < 4) {
 			minLength = 4;
 		}
-		char[] pw = passwordField.getPassword();
-		if (pw == null || pw.length < minLength) {
+
+		String password = new String(passwordField.getPassword());
+		if (StringUtils.isEmpty(password) || password.length() < minLength) {
 			error(MessageFormat.format("Password is too short. Minimum length is {0} characters.",
 					minLength));
 			return false;
 		}
-		char[] cpw = confirmPasswordField.getPassword();
-		if (cpw == null || cpw.length != pw.length) {
-			error("Please confirm the password!");
-			return false;
-		}
-		if (!Arrays.equals(pw, cpw)) {
-			error("Passwords do not match!");
+		if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE)
+				&& !password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) {
+			String cpw = new String(confirmPasswordField.getPassword());
+			if (cpw == null || cpw.length() != password.length()) {
+				error("Please confirm the password!");
+				return false;
+			}
+			if (!password.equals(cpw)) {
+				error("Passwords do not match!");
+				return false;
+			}
+
+			String type = settings.get(Keys.realm.passwordStorage).getString("md5");
+			if (type.equalsIgnoreCase("md5")) {
+				// store MD5 digest of password
+				user.password = StringUtils.MD5_TYPE + StringUtils.getMD5(password);
+			} else if (type.equalsIgnoreCase("combined-md5")) {
+				// store MD5 digest of username+password
+				user.password = StringUtils.COMBINED_MD5_TYPE
+						+ StringUtils.getMD5(username.toLowerCase() + password);
+			} else {
+				// plain-text password
+				user.password = password;
+			}
+		} else if (rename && password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) {
+			error("Gitblit is configured for combined-md5 password hashing. You must enter a new password on account rename.");
 			return false;
-		}
-		user.username = uname;
-		String type = settings.get(Keys.realm.passwordStorage).getString("md5");
-		if (type.equalsIgnoreCase("md5")) {
-			// store MD5 digest of password
-			user.password = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(pw));
 		} else {
-			user.password = new String(pw);
+			// no change in password
+			user.password = password;
 		}
+
 		user.canAdmin = canAdminCheckbox.isSelected();
 		user.excludeFromFederation = notFederatedCheckbox.isSelected();
 

src/com/gitblit/utils/StringUtils.java

@@ -33,6 +33,8 @@ import java.util.regex.PatternSyntaxException;
 public class StringUtils {
 
 	public static final String MD5_TYPE = "MD5:";
+	
+	public static final String COMBINED_MD5_TYPE = "CMD5:";
 
 	/**
 	 * Returns true if the string is null or empty.

src/com/gitblit/wicket/pages/ChangePasswordPage.java

@@ -77,14 +77,19 @@ public class ChangePasswordPage extends RootSubPage {
 					return;
 				}
 
+				UserModel user = GitBlitWebSession.get().getUser();
+
 				// convert to MD5 digest, if appropriate
 				String type = GitBlit.getString(Keys.realm.passwordStorage, "md5");
 				if (type.equalsIgnoreCase("md5")) {
 					// store MD5 digest of password
 					password = StringUtils.MD5_TYPE + StringUtils.getMD5(password);
+				} else if (type.equalsIgnoreCase("combined-md5")) {
+					// store MD5 digest of username+password
+					password = StringUtils.COMBINED_MD5_TYPE
+							+ StringUtils.getMD5(user.username.toLowerCase() + password);
 				}
 
-				UserModel user = GitBlitWebSession.get().getUser();
 				user.password = password;
 				try {
 					GitBlit.self().updateUserModel(user.username, user, false);

src/com/gitblit/wicket/pages/EditUserPage.java

@@ -70,7 +70,7 @@ public class EditUserPage extends RootSubPage {
 		} else {
 			super.setupPage(getString("gb.edit"), userModel.username);
 		}
-		
+
 		final Model<String> confirmPassword = new Model<String>(
 				StringUtils.isEmpty(userModel.password) ? "" : userModel.password);
 		CompoundPropertyModel<UserModel> model = new CompoundPropertyModel<UserModel>(userModel);
@@ -109,12 +109,14 @@ public class EditUserPage extends RootSubPage {
 						return;
 					}
 				}
+				boolean rename = !StringUtils.isEmpty(oldName) && !oldName.equalsIgnoreCase(username);
 				if (!userModel.password.equals(confirmPassword.getObject())) {
 					error("Passwords do not match!");
 					return;
 				}
 				String password = userModel.password;
-				if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE)) {
+				if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE)
+						&& !password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) {
 					// This is a plain text password.
 					// Check length.
 					int minLength = GitBlit.getInteger(Keys.realm.minPasswordLength, 5);
@@ -134,7 +136,15 @@ public class EditUserPage extends RootSubPage {
 						// store MD5 digest of password
 						userModel.password = StringUtils.MD5_TYPE
 								+ StringUtils.getMD5(userModel.password);
+					} else if (type.equalsIgnoreCase("combined-md5")) {
+						// store MD5 digest of username+password
+						userModel.password = StringUtils.COMBINED_MD5_TYPE
+								+ StringUtils.getMD5(username.toLowerCase() + userModel.password);
 					}
+				} else if (rename
+						&& password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) {
+					error("Gitblit is configured for combined-md5 password hashing. You must enter a new password on account rename.");
+					return;
 				}
 
 				Iterator<String> selectedRepositories = repositories.getSelectedChoices();