Remove client usage of md5

Md5 usage introduce a security flow by reducing the amount of test needed
for a brute force attack.

Change-Id: Ifa4e6259d0a3fb06c91c03d1c67470ddd02284fc
Issue-ID: CLAMP-143
Signed-off-by: ac2550 <ac2550@intl.att.com>

diff --git a/README.md b/README.md
index f9a3414..d129e5b 100644 (file)
--- a/README.md
+++ b/README.md
@@ -98,10 +98,10 @@ You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/
 \r
 Credentials should be specified in `src/main/resources/clds/clds-users.json`. You might specify you own credential file by redefining the `clamp.config.files.cldsUsers` in `application.properties`.\r
 \r
-Passwords should be hashed using md5, then using Bcrypt :\r
+Passwords should be hashed using Bcrypt :\r
 ```\r
 # pip3 install bcrypt  # if you don't have the bcrypt python lib installed, should be done once.\r
-# python3 -c 'import bcrypt; import hashlib; m = hashlib.md5(); m.update("password".encode()); m.hexdigest(); print(bcrypt.hashpw(m.hexdigest().encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))'\r
+# python3 -c 'import bcrypt; print(bcrypt.hashpw("password".encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))'\r
 ```\r
 \r
 Default credentials are admin/password and cs0008/password.\r

diff --git a/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java b/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java
index 4dff9ce..0f3d0d5 100644 (file)
--- a/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java
+++ b/src/main/java/org/onap/clamp/clds/config/spring/CldsSecurityConfigUsers.java
@@ -130,7 +130,7 @@ public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter {
         if ("bcrypt".equals(cldsEncoderMethod)) {
             return new BCryptPasswordEncoder(cldsBcryptEncoderStrength);
         } else {
-            throw new CldsConfigException("Invalid clamp.config.security.encoder value. Must be one of [bcrypt, none]");
+            throw new CldsConfigException("Invalid clamp.config.security.encoder value. 'bcrypt' is the only option at this time.");
         }
     }
 }

diff --git a/src/main/resources/META-INF/resources/designer/index.html b/src/main/resources/META-INF/resources/designer/index.html
index 83928a9..45b0c4b 100644 (file)
--- a/src/main/resources/META-INF/resources/designer/index.html
+++ b/src/main/resources/META-INF/resources/designer/index.html
@@ -106,7 +106,6 @@
        <!--  <script src="lib/angular.min.js"></script>-->
        <script src="lib/angular-route.js"></script>
        <script src="lib/angular-resource.min.js"></script>
-       <script src="lib/angular-md5.js"></script>
 
        <!-- jQuery Include and Bootstrap -->
 

diff --git a/src/main/resources/META-INF/resources/designer/lib/angular-md5.js b/src/main/resources/META-INF/resources/designer/lib/angular-md5.js
deleted file mode 100644 (file)
index 7896bb4..0000000
--- a/src/main/resources/META-INF/resources/designer/lib/angular-md5.js
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
-  angular-md5 - v0.1.8 
-  2015-11-17
-*/
-
-/* commonjs package manager support (eg componentjs) */
-if (typeof module !== "undefined" && typeof exports !== "undefined" && module.exports === exports) {
-  module.exports = "angular-md5";
-}
-(function(angular) {
-  angular.module("angular-md5", [ "gdi2290.md5" ]);
-  angular.module("ngMd5", [ "gdi2290.md5" ]);
-  angular.module("gdi2290.md5", [ "gdi2290.gravatar-filter", "gdi2290.md5-service", "gdi2290.md5-filter" ]);
-  "use strict";
-  angular.module("gdi2290.gravatar-filter", []).filter("gravatar", [ "md5", function(md5) {
-    var cache = {};
-    return function(text, defaultText) {
-      if (!cache[text]) {
-        defaultText = defaultText ? md5.createHash(defaultText.toString().toLowerCase()) : "";
-        cache[text] = text ? md5.createHash(text.toString().toLowerCase()) : defaultText;
-      }
-      return cache[text];
-    };
-  } ]);
-  "use strict";
-  angular.module("gdi2290.md5-filter", []).filter("md5", [ "md5", function(md5) {
-    return function(text) {
-      return text ? md5.createHash(text.toString().toLowerCase()) : text;
-    };
-  } ]);
-  "use strict";
-  angular.module("gdi2290.md5-service", []).factory("md5", [ function() {
-    var md5 = {
-      createHash: function(str) {
-        if (null === str) {
-          return null;
-        }
-        var xl;
-        var rotateLeft = function(lValue, iShiftBits) {
-          return lValue << iShiftBits | lValue >>> 32 - iShiftBits;
-        };
-        var addUnsigned = function(lX, lY) {
-          var lX4, lY4, lX8, lY8, lResult;
-          lX8 = lX & 2147483648;
-          lY8 = lY & 2147483648;
-          lX4 = lX & 1073741824;
-          lY4 = lY & 1073741824;
-          lResult = (lX & 1073741823) + (lY & 1073741823);
-          if (lX4 & lY4) {
-            return lResult ^ 2147483648 ^ lX8 ^ lY8;
-          }
-          if (lX4 | lY4) {
-            if (lResult & 1073741824) {
-              return lResult ^ 3221225472 ^ lX8 ^ lY8;
-            } else {
-              return lResult ^ 1073741824 ^ lX8 ^ lY8;
-            }
-          } else {
-            return lResult ^ lX8 ^ lY8;
-          }
-        };
-        var _F = function(x, y, z) {
-          return x & y | ~x & z;
-        };
-        var _G = function(x, y, z) {
-          return x & z | y & ~z;
-        };
-        var _H = function(x, y, z) {
-          return x ^ y ^ z;
-        };
-        var _I = function(x, y, z) {
-          return y ^ (x | ~z);
-        };
-        var _FF = function(a, b, c, d, x, s, ac) {
-          a = addUnsigned(a, addUnsigned(addUnsigned(_F(b, c, d), x), ac));
-          return addUnsigned(rotateLeft(a, s), b);
-        };
-        var _GG = function(a, b, c, d, x, s, ac) {
-          a = addUnsigned(a, addUnsigned(addUnsigned(_G(b, c, d), x), ac));
-          return addUnsigned(rotateLeft(a, s), b);
-        };
-        var _HH = function(a, b, c, d, x, s, ac) {
-          a = addUnsigned(a, addUnsigned(addUnsigned(_H(b, c, d), x), ac));
-          return addUnsigned(rotateLeft(a, s), b);
-        };
-        var _II = function(a, b, c, d, x, s, ac) {
-          a = addUnsigned(a, addUnsigned(addUnsigned(_I(b, c, d), x), ac));
-          return addUnsigned(rotateLeft(a, s), b);
-        };
-        var convertToWordArray = function(str) {
-          var lWordCount;
-          var lMessageLength = str.length;
-          var lNumberOfWords_temp1 = lMessageLength + 8;
-          var lNumberOfWords_temp2 = (lNumberOfWords_temp1 - lNumberOfWords_temp1 % 64) / 64;
-          var lNumberOfWords = (lNumberOfWords_temp2 + 1) * 16;
-          var lWordArray = new Array(lNumberOfWords - 1);
-          var lBytePosition = 0;
-          var lByteCount = 0;
-          while (lByteCount < lMessageLength) {
-            lWordCount = (lByteCount - lByteCount % 4) / 4;
-            lBytePosition = lByteCount % 4 * 8;
-            lWordArray[lWordCount] = lWordArray[lWordCount] | str.charCodeAt(lByteCount) << lBytePosition;
-            lByteCount++;
-          }
-          lWordCount = (lByteCount - lByteCount % 4) / 4;
-          lBytePosition = lByteCount % 4 * 8;
-          lWordArray[lWordCount] = lWordArray[lWordCount] | 128 << lBytePosition;
-          lWordArray[lNumberOfWords - 2] = lMessageLength << 3;
-          lWordArray[lNumberOfWords - 1] = lMessageLength >>> 29;
-          return lWordArray;
-        };
-        var wordToHex = function(lValue) {
-          var wordToHexValue = "", wordToHexValue_temp = "", lByte, lCount;
-          for (lCount = 0; lCount <= 3; lCount++) {
-            lByte = lValue >>> lCount * 8 & 255;
-            wordToHexValue_temp = "0" + lByte.toString(16);
-            wordToHexValue = wordToHexValue + wordToHexValue_temp.substr(wordToHexValue_temp.length - 2, 2);
-          }
-          return wordToHexValue;
-        };
-        var x = [], k, AA, BB, CC, DD, a, b, c, d, S11 = 7, S12 = 12, S13 = 17, S14 = 22, S21 = 5, S22 = 9, S23 = 14, S24 = 20, S31 = 4, S32 = 11, S33 = 16, S34 = 23, S41 = 6, S42 = 10, S43 = 15, S44 = 21;
-        x = convertToWordArray(str);
-        a = 1732584193;
-        b = 4023233417;
-        c = 2562383102;
-        d = 271733878;
-        xl = x.length;
-        for (k = 0; k < xl; k += 16) {
-          AA = a;
-          BB = b;
-          CC = c;
-          DD = d;
-          a = _FF(a, b, c, d, x[k + 0], S11, 3614090360);
-          d = _FF(d, a, b, c, x[k + 1], S12, 3905402710);
-          c = _FF(c, d, a, b, x[k + 2], S13, 606105819);
-          b = _FF(b, c, d, a, x[k + 3], S14, 3250441966);
-          a = _FF(a, b, c, d, x[k + 4], S11, 4118548399);
-          d = _FF(d, a, b, c, x[k + 5], S12, 1200080426);
-          c = _FF(c, d, a, b, x[k + 6], S13, 2821735955);
-          b = _FF(b, c, d, a, x[k + 7], S14, 4249261313);
-          a = _FF(a, b, c, d, x[k + 8], S11, 1770035416);
-          d = _FF(d, a, b, c, x[k + 9], S12, 2336552879);
-          c = _FF(c, d, a, b, x[k + 10], S13, 4294925233);
-          b = _FF(b, c, d, a, x[k + 11], S14, 2304563134);
-          a = _FF(a, b, c, d, x[k + 12], S11, 1804603682);
-          d = _FF(d, a, b, c, x[k + 13], S12, 4254626195);
-          c = _FF(c, d, a, b, x[k + 14], S13, 2792965006);
-          b = _FF(b, c, d, a, x[k + 15], S14, 1236535329);
-          a = _GG(a, b, c, d, x[k + 1], S21, 4129170786);
-          d = _GG(d, a, b, c, x[k + 6], S22, 3225465664);
-          c = _GG(c, d, a, b, x[k + 11], S23, 643717713);
-          b = _GG(b, c, d, a, x[k + 0], S24, 3921069994);
-          a = _GG(a, b, c, d, x[k + 5], S21, 3593408605);
-          d = _GG(d, a, b, c, x[k + 10], S22, 38016083);
-          c = _GG(c, d, a, b, x[k + 15], S23, 3634488961);
-          b = _GG(b, c, d, a, x[k + 4], S24, 3889429448);
-          a = _GG(a, b, c, d, x[k + 9], S21, 568446438);
-          d = _GG(d, a, b, c, x[k + 14], S22, 3275163606);
-          c = _GG(c, d, a, b, x[k + 3], S23, 4107603335);
-          b = _GG(b, c, d, a, x[k + 8], S24, 1163531501);
-          a = _GG(a, b, c, d, x[k + 13], S21, 2850285829);
-          d = _GG(d, a, b, c, x[k + 2], S22, 4243563512);
-          c = _GG(c, d, a, b, x[k + 7], S23, 1735328473);
-          b = _GG(b, c, d, a, x[k + 12], S24, 2368359562);
-          a = _HH(a, b, c, d, x[k + 5], S31, 4294588738);
-          d = _HH(d, a, b, c, x[k + 8], S32, 2272392833);
-          c = _HH(c, d, a, b, x[k + 11], S33, 1839030562);
-          b = _HH(b, c, d, a, x[k + 14], S34, 4259657740);
-          a = _HH(a, b, c, d, x[k + 1], S31, 2763975236);
-          d = _HH(d, a, b, c, x[k + 4], S32, 1272893353);
-          c = _HH(c, d, a, b, x[k + 7], S33, 4139469664);
-          b = _HH(b, c, d, a, x[k + 10], S34, 3200236656);
-          a = _HH(a, b, c, d, x[k + 13], S31, 681279174);
-          d = _HH(d, a, b, c, x[k + 0], S32, 3936430074);
-          c = _HH(c, d, a, b, x[k + 3], S33, 3572445317);
-          b = _HH(b, c, d, a, x[k + 6], S34, 76029189);
-          a = _HH(a, b, c, d, x[k + 9], S31, 3654602809);
-          d = _HH(d, a, b, c, x[k + 12], S32, 3873151461);
-          c = _HH(c, d, a, b, x[k + 15], S33, 530742520);
-          b = _HH(b, c, d, a, x[k + 2], S34, 3299628645);
-          a = _II(a, b, c, d, x[k + 0], S41, 4096336452);
-          d = _II(d, a, b, c, x[k + 7], S42, 1126891415);
-          c = _II(c, d, a, b, x[k + 14], S43, 2878612391);
-          b = _II(b, c, d, a, x[k + 5], S44, 4237533241);
-          a = _II(a, b, c, d, x[k + 12], S41, 1700485571);
-          d = _II(d, a, b, c, x[k + 3], S42, 2399980690);
-          c = _II(c, d, a, b, x[k + 10], S43, 4293915773);
-          b = _II(b, c, d, a, x[k + 1], S44, 2240044497);
-          a = _II(a, b, c, d, x[k + 8], S41, 1873313359);
-          d = _II(d, a, b, c, x[k + 15], S42, 4264355552);
-          c = _II(c, d, a, b, x[k + 6], S43, 2734768916);
-          b = _II(b, c, d, a, x[k + 13], S44, 1309151649);
-          a = _II(a, b, c, d, x[k + 4], S41, 4149444226);
-          d = _II(d, a, b, c, x[k + 11], S42, 3174756917);
-          c = _II(c, d, a, b, x[k + 2], S43, 718787259);
-          b = _II(b, c, d, a, x[k + 9], S44, 3951481745);
-          a = addUnsigned(a, AA);
-          b = addUnsigned(b, BB);
-          c = addUnsigned(c, CC);
-          d = addUnsigned(d, DD);
-        }
-        var temp = wordToHex(a) + wordToHex(b) + wordToHex(c) + wordToHex(d);
-        return temp.toLowerCase();
-      }
-    };
-    return md5;
-  } ]);
-})(angular);
\ No newline at end of file

diff --git a/src/main/resources/META-INF/resources/designer/scripts/app.js b/src/main/resources/META-INF/resources/designer/scripts/app.js
index 19906d9..a1e48a6 100644 (file)
--- a/src/main/resources/META-INF/resources/designer/scripts/app.js
+++ b/src/main/resources/META-INF/resources/designer/scripts/app.js
@@ -46,7 +46,6 @@ var app = angular.module('clds-app', ['ngRoute',
     'ui.grid.exporter',
     'angucomplete',
     'kendo.directives',
-    'angular-md5'
   ])
   .config(['cfpLoadingBarProvider', function(cfpLoadingBarProvider) {
 
@@ -77,8 +76,6 @@ var app = angular.module('clds-app', ['ngRoute',
       function($routeProvider, $locationProvider,
         cfpLoadingBarProvider, $timeout, dialogs,
         $cookies) {
-        console
-          .log("$routeProvider','$locationProvider', '$compileProvider','cfpLoadingBarProvider','md5'")
         $locationProvider.html5Mode(false);
         // alert("App.js");
 

diff --git a/src/main/resources/META-INF/resources/designer/scripts/authcontroller.js b/src/main/resources/META-INF/resources/designer/scripts/authcontroller.js
index b138c96..0072a24 100644 (file)
--- a/src/main/resources/META-INF/resources/designer/scripts/authcontroller.js
+++ b/src/main/resources/META-INF/resources/designer/scripts/authcontroller.js
@@ -23,7 +23,7 @@
 
 'use strict';
 
-function AuthenticateCtrl($scope, $rootScope, $window, $resource, $http, $location, $cookies, md5) {
+function AuthenticateCtrl($scope, $rootScope, $window, $resource, $http, $location, $cookies) {
   console.log("//////////AuthenticateCtrl");
   $scope.getInclude = function() {
     console.log("getInclude011111111");
@@ -50,10 +50,9 @@ function AuthenticateCtrl($scope, $rootScope, $window, $resource, $http, $locati
       $window.localStorage.setItem("isInvalidUser", true);
       return;
     }
-    var hashpass = md5.createHash(pass);
     var headers = username ? {
       authorization: "Basic " +
-        btoa(username + ":" + hashpass)
+        btoa(username + ":" + pass)
     } : {};
     // send request to a test API with the username/password to verify the authorization
     $http.get('/restservices/clds/v1/user/testUser', {

diff --git a/src/main/resources/clds/clds-users.json b/src/main/resources/clds/clds-users.json
index 3fa32e8..8be08e1 100644 (file)
--- a/src/main/resources/clds/clds-users.json
+++ b/src/main/resources/clds/clds-users.json
@@ -1,6 +1,6 @@
  [{
        "user":"admin",
-       "password":"$2a$10$j7wM0G1gcpJTJygRY2ZG8O2HafSwlvM.tIb18/eusVPKBhrpwB6xC",
+       "password":"$2a$10$H/e21kl04Dw9C978CHuM7OewyMGUN5WGzAAx7SgIaR4ix8.wTcssi",
        "permissions":
                    [
                       "permission-type-cl|dev|read",
@@ -12,7 +12,7 @@
        },
        {
        "user":"cs0008",
-       "password":"$2a$10$j7wM0G1gcpJTJygRY2ZG8O2HafSwlvM.tIb18/eusVPKBhrpwB6xC",
+       "password":"$2a$10$H/e21kl04Dw9C978CHuM7OewyMGUN5WGzAAx7SgIaR4ix8.wTcssi",
        "permissions":
                    [
                       "permission-type-cl|dev|read",