From 3308b5439cb1d046398744e4d913ece518de9532 Mon Sep 17 00:00:00 2001 From: ac2550 Date: Thu, 22 Mar 2018 16:50:16 +0100 Subject: [PATCH] Bcrypt as password hashing method in the backend Change-Id: I5ed802c35ade8ba5da4d21f2a8c22d0198490885 Signed-off-by: ac2550 Issue-ID: CLAMP-143 --- README.md | 17 +++++++++++++++- .../config/spring/CldsSecurityConfigUsers.java | 23 +++++++++++++++++++++- src/main/resources/clds/clds-users.json | 6 +++--- 3 files changed, 41 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index ea061ce3..f9a3414a 100644 --- a/README.md +++ b/README.md @@ -91,4 +91,19 @@ With the default log settings, all logs will be generated into console and into ### Api -You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json` \ No newline at end of file +You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json` + + +## Clamp Credentials + +Credentials should be specified in `src/main/resources/clds/clds-users.json`. You might specify you own credential file by redefining the `clamp.config.files.cldsUsers` in `application.properties`. + +Passwords should be hashed using md5, then using Bcrypt : +``` +# pip3 install bcrypt # if you don't have the bcrypt python lib installed, should be done once. +# python3 -c 'import bcrypt; import hashlib; m = hashlib.md5(); m.update("password".encode()); m.hexdigest(); print(bcrypt.hashpw(m.hexdigest().encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))' +``` + +Default credentials are admin/password and cs0008/password. + + diff --git a/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java b/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java index d9e5ef29..4dff9ce1 100644 --- a/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java +++ b/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java 
@@ -30,6 +30,7 @@ import java.io.IOException; import org.onap.clamp.clds.config.ClampProperties; import org.onap.clamp.clds.config.CldsUserJsonDecoder; +import org.onap.clamp.clds.exception.CldsConfigException; import org.onap.clamp.clds.exception.CldsUsersException; import org.onap.clamp.clds.service.CldsUser; import org.springframework.beans.factory.annotation.Autowired; @@ -40,6 +41,8 @@ import org.springframework.security.config.annotation.authentication.builders.Au import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; +import org.springframework.security.crypto.password.PasswordEncoder; /** * This class is used to enable the HTTP authentication to login. It requires a @@ -59,6 +62,10 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter { private String cldsPersmissionTypeCl; @Value("${CLDS_PERMISSION_INSTANCE:dev}") private String cldsPermissionInstance; + @Value("${clamp.config.security.encoder:bcrypt}") + private String cldsEncoderMethod; + @Value("${clamp.config.security.encoder.bcrypt.strength:10}") + private Integer cldsBcryptEncoderStrength; /** * This method configures on which URL the authorization will be enabled. @@ -83,6 +90,9 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter { */ @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) { + // configure algorithm used for password hashing + final PasswordEncoder passwordEncoder = getPasswordEncoder(); + try { CldsUser[] usersList = loadUsers(); // no users defined 
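Review bot: The two @Value fields added in the @@ -59 hunk carry no comment saying what values they accept, so a reader has to find getPasswordEncoder() to learn that `clamp.config.security.encoder` only ever resolves to bcrypt and that `cldsBcryptEncoderStrength` is the bcrypt cost factor handed to BCryptPasswordEncoder. A comment above `cldsEncoderMethod` such as `// password hashing scheme for the clds-users.json entries; only "bcrypt" is supported` and one above `cldsBcryptEncoderStrength` such as `// bcrypt cost factor (log2 rounds) passed to BCryptPasswordEncoder` would make that contract visible where the properties are declared. The strength field could also be a primitive `int` rather than `Integer`, since it is unboxed unconditionally when passed to the encoder constructor and its default of 10 guarantees it is never null. The enclosing class continues outside the hunk.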
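Review bot: `final PasswordEncoder passwordEncoder = getPasswordEncoder();` in the @@ -83 hunk sits before the `try` in configureGlobal, so the CldsConfigException thrown for a bad encoder setting (unchecked, since getPasswordEncoder declares no `throws`) propagates out of the configuration method instead of reaching the `catch (Exception e)` further down, but nothing in the hunk says this is intentional. A reader who sees the existing catch-and-log pattern could move the call inside the try and, depending on what that catch block does beyond logging, turn a misconfiguration into a startup with no usable users. I would replace the added comment with `// resolved outside the try on purpose: an invalid encoder setting must abort startup rather than be handled by the catch below`. The method body continues past the end of the hunk.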
@@ -92,7 +102,7 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter { } for (CldsUser user : usersList) { auth.inMemoryAuthentication().withUser(user.getUser()).password(user.getPassword()) - .roles(user.getPermissionsString()); + .roles(user.getPermissionsString()).and().passwordEncoder(passwordEncoder); } } catch (Exception e) { logger.error("Exception occurred during the setup of the Web users in memory", e); @@ -112,4 +122,15 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter { logger.info("Load from clds-users.properties"); return CldsUserJsonDecoder.decodeJson(refProp.getFileContent("files.cldsUsers")); } + + /** + * This methods returns the chosen encoder for password hashing. + */ + private PasswordEncoder getPasswordEncoder() { + if ("bcrypt".equals(cldsEncoderMethod)) { + return new BCryptPasswordEncoder(cldsBcryptEncoderStrength); + } else { + throw new CldsConfigException("Invalid clamp.config.security.encoder value. Must be one of [bcrypt, none]"); + } + } } diff --git a/src/main/resources/clds/clds-users.json b/src/main/resources/clds/clds-users.json index d2c06c80..3fa32e81 100644 --- a/src/main/resources/clds/clds-users.json +++ b/src/main/resources/clds/clds-users.json @@ -1,6 +1,6 @@ [{ "user":"admin", - "password":"5f4dcc3b5aa765d61d8327deb882cf99", + "password":"$2a$10$j7wM0G1gcpJTJygRY2ZG8O2HafSwlvM.tIb18/eusVPKBhrpwB6xC", "permissions": [ "permission-type-cl|dev|read", @@ -12,7 +12,7 @@ }, { "user":"cs0008", - "password":"5f4dcc3b5aa765d61d8327deb882cf99", + "password":"$2a$10$j7wM0G1gcpJTJygRY2ZG8O2HafSwlvM.tIb18/eusVPKBhrpwB6xC", "permissions": [ "permission-type-cl|dev|read", @@ -23,4 +23,4 @@ "permission-type-template|dev|update" ] } -] \ No newline at end of file +] -- 2.16.6
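Review bot: In the @@ -92 hunk `.and().passwordEncoder(passwordEncoder)` runs inside the per-user loop, so the encoder is re-attached on every iteration, and because each iteration also starts from a fresh `auth.inMemoryAuthentication()` call each user appears to land in its own configurer; whether that yields one provider per user depends on the Spring Security version in use, but the encoder at least belongs outside the loop. Obtaining the configurer once, `InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> inMemory = auth.inMemoryAuthentication().passwordEncoder(passwordEncoder);`, and calling `inMemory.withUser(user.getUser()).password(user.getPassword()).roles(user.getPermissionsString());` in the loop states the intent directly and drops the `.and()` chaining; it needs an import of that configurer class from `org.springframework.security.config.annotation.authentication.configurers.provisioning`. The try block enclosing the loop starts in the previous hunk.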
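Review bot: The error message in getPasswordEncoder (@@ -112 hunk) promises `Must be one of [bcrypt, none]`, but the method accepts only `"bcrypt"`, so an operator who sets `none` after reading it gets the same exception, and a plaintext encoder is not something this class should advertise in any case. I would make the message match the code: `throw new CldsConfigException("Invalid clamp.config.security.encoder value '" + cldsEncoderMethod + "'. Supported values: [bcrypt]");`. The Javadoc should also state the contract with `@return the encoder selected by clamp.config.security.encoder` and `@throws CldsConfigException if the configured value is not supported`. It is worth mentioning there as well that, in the Spring Security versions I am aware of, BCryptPasswordEncoder rejects a strength outside 4..31 with an IllegalArgumentException, so an out-of-range `clamp.config.security.encoder.bcrypt.strength` also aborts configuration rather than falling back to the default.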
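Review bot: Both `admin` and `cs0008` now store the byte-identical bcrypt string starting `$2a$10$j7wM0G1gcpJTJygRY2ZG8O`, in this hunk and again in the one at @@ -12. Bcrypt embeds a randomly generated salt in every hash, so an identical value across two accounts means one hash was generated and pasted twice; that does not weaken the hash itself, but it makes it obvious from the file alone that the two accounts share a password and sets a precedent for operators to copy hashes between users instead of hashing each one. Each entry should be hashed independently even when the default password is the same, and since the README describes these as default credentials, both entries should be replaced before deployment.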