User password encryption upgraded from MD5 to SHA256. (apache#15680)

* User password encryption upgraded from MD5 to SHA256. Existing users' passwords will be upgraded upon next login.

* fix some issues

* fix login4pipe

Author: hongzhi-gao

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java

@@ -36,6 +36,7 @@
 import org.apache.iotdb.commons.exception.MetadataException;
 import org.apache.iotdb.commons.path.PartialPath;
 import org.apache.iotdb.commons.path.PathPatternTree;
+import org.apache.iotdb.commons.security.encrypt.AsymmetricEncrypt;
 import org.apache.iotdb.commons.utils.AuthUtils;
 import org.apache.iotdb.commons.utils.TestOnly;
 import org.apache.iotdb.confignode.rpc.thrift.TAuthizedPatternTreeResp;
@@ -481,6 +482,10 @@ public TSStatus checkUser(String username, String password) {
         return RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS);
       } else if (password != null && AuthUtils.validatePassword(password, user.getPassword())) {
         return RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS);
+      } else if (password != null
+          && AuthUtils.validatePassword(
+              password, user.getPassword(), AsymmetricEncrypt.DigestAlgorithm.MD5)) {
+        return RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS);
       } else {
         return RpcUtils.getStatus(TSStatusCode.WRONG_LOGIN_PASSWORD, "Authentication failed.");
       }

iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java

@@ -25,6 +25,7 @@
 import org.apache.iotdb.commons.conf.CommonDescriptor;
 import org.apache.iotdb.commons.exception.IllegalPathException;
 import org.apache.iotdb.commons.path.PartialPath;
+import org.apache.iotdb.commons.security.encrypt.AsymmetricEncrypt;
 import org.apache.iotdb.commons.security.encrypt.MessageDigestEncrypt;
 import org.apache.iotdb.db.utils.EnvironmentUtils;
 import org.apache.iotdb.db.utils.constant.TestConstant;
@@ -85,13 +86,20 @@ public void testMessageDigestEncrypt() throws AuthException, IllegalPathExceptio
     for (User user1 : users) {
       user = manager.getEntity(user1.getName());
       assertEquals(user1.getName(), user.getName());
-      assertEquals(messageDigestEncrypt.encrypt(user1.getPassword()), user.getPassword());
+      assertEquals(
+          messageDigestEncrypt.encrypt(
+              user1.getPassword(), AsymmetricEncrypt.DigestAlgorithm.SHA_256),
+          user.getPassword());
     }
   }
 
   @Test
   public void testMessageDigestValidatePassword() {
     String password = "root";
-    assertTrue(messageDigestEncrypt.validate(password, messageDigestEncrypt.encrypt(password)));
+    assertTrue(
+        messageDigestEncrypt.validate(
+            password,
+            messageDigestEncrypt.encrypt(password, AsymmetricEncrypt.DigestAlgorithm.SHA_256),
+            AsymmetricEncrypt.DigestAlgorithm.SHA_256));
   }
 }

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java

@@ -28,6 +28,7 @@
 import org.apache.iotdb.commons.conf.CommonDescriptor;
 import org.apache.iotdb.commons.exception.StartupException;
 import org.apache.iotdb.commons.path.PartialPath;
+import org.apache.iotdb.commons.security.encrypt.AsymmetricEncrypt;
 import org.apache.iotdb.commons.service.IService;
 import org.apache.iotdb.commons.service.ServiceType;
 import org.apache.iotdb.commons.utils.AuthUtils;
@@ -109,20 +110,43 @@ private void checkAdmin(String username, String errmsg) throws AuthException {
   @Override
   public boolean login(String username, String password) throws AuthException {
     User user = userManager.getEntity(username);
-    return user != null
-        && password != null
-        && AuthUtils.validatePassword(password, user.getPassword());
+    if (user == null || password == null) {
+      return false;
+    }
+    if (AuthUtils.validatePassword(
+        password, user.getPassword(), AsymmetricEncrypt.DigestAlgorithm.SHA_256)) {
+      return true;
+    }
+    if (AuthUtils.validatePassword(
+        password, user.getPassword(), AsymmetricEncrypt.DigestAlgorithm.MD5)) {
+      userManager.updateUserPassword(username, password);
+      return true;
+    }
+    return false;
   }
 
   @Override
   public String login4Pipe(final String username, final String password) {
     final User user = userManager.getEntity(username);
-    return (user != null
-                && password != null
-                && AuthUtils.validatePassword(password, user.getPassword())
-            || Objects.isNull(password))
-        ? user.getPassword()
-        : null;
+    if (Objects.isNull(password)) {
+      return user.getPassword();
+    }
+    if (user == null) {
+      return null;
+    }
+    if (AuthUtils.validatePassword(
+        password, user.getPassword(), AsymmetricEncrypt.DigestAlgorithm.SHA_256)) {
+      return user.getPassword();
+    }
+    if (AuthUtils.validatePassword(
+        password, user.getPassword(), AsymmetricEncrypt.DigestAlgorithm.MD5)) {
+      try {
+        userManager.updateUserPassword(username, password);
+      } catch (AuthException ignore) {
+      }
+      return userManager.getEntity(username).getPassword();
+    }
+    return null;
   }
 
   @Override

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/security/encrypt/AsymmetricEncrypt.java

@@ -21,6 +21,25 @@
 
 public interface AsymmetricEncrypt {
 
+  /**
+   * Defines cryptographic hash algorithms supported by the system. Each enum constant represents a
+   * specific message digest algorithm compatible with {@link java.security.MessageDigest}.
+   */
+  enum DigestAlgorithm {
+    MD5("MD5"),
+    SHA_256("SHA-256");
+
+    private final String algorithmName;
+
+    DigestAlgorithm(String algorithmName) {
+      this.algorithmName = algorithmName;
+    }
+
+    public String getAlgorithmName() {
+      return this.algorithmName;
+    }
+  }
+
   /**
    * init some providerParameter
    *
@@ -34,7 +53,7 @@ public interface AsymmetricEncrypt {
    * @param originPassword password to be crypt
    * @return encrypt password
    */
-  String encrypt(String originPassword);
+  String encrypt(String originPassword, DigestAlgorithm digestAlgorithm);
 
   /**
    * validate originPassword and encryptPassword
@@ -43,5 +62,5 @@ public interface AsymmetricEncrypt {
    * @param encryptPassword encrypt password
    * @return true if validate success
    */
-  boolean validate(String originPassword, String encryptPassword);
+  boolean validate(String originPassword, String encryptPassword, DigestAlgorithm digestAlgorithm);
 }

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/security/encrypt/MessageDigestEncrypt.java

@@ -29,16 +29,15 @@
 public class MessageDigestEncrypt implements AsymmetricEncrypt {
   private static final Logger logger = LoggerFactory.getLogger(MessageDigestEncrypt.class);
 
-  private static final String ENCRYPT_ALGORITHM = "MD5";
   private static final String STRING_ENCODING = "utf-8";
 
   @Override
   public void init(String providerParameters) {}
 
   @Override
-  public String encrypt(String originPassword) {
+  public String encrypt(String originPassword, DigestAlgorithm digestAlgorithm) {
     try {
-      MessageDigest messageDigest = MessageDigest.getInstance(ENCRYPT_ALGORITHM);
+      MessageDigest messageDigest = MessageDigest.getInstance(digestAlgorithm.getAlgorithmName());
       messageDigest.update(originPassword.getBytes(STRING_ENCODING));
       return new String(messageDigest.digest(), STRING_ENCODING);
     } catch (NoSuchAlgorithmException | UnsupportedEncodingException e) {
@@ -48,10 +47,11 @@ public String encrypt(String originPassword) {
   }
 
   @Override
-  public boolean validate(String originPassword, String encryptPassword) {
+  public boolean validate(
+      String originPassword, String encryptPassword, DigestAlgorithm digestAlgorithm) {
     if (originPassword == null) {
       return false;
     }
-    return encrypt(originPassword).equals(encryptPassword);
+    return encrypt(originPassword, digestAlgorithm).equals(encryptPassword);
   }
 }

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java

@@ -26,6 +26,7 @@
 import org.apache.iotdb.commons.path.PartialPath;
 import org.apache.iotdb.commons.path.PathDeserializeUtil;
 import org.apache.iotdb.commons.path.PathPatternUtil;
+import org.apache.iotdb.commons.security.encrypt.AsymmetricEncrypt;
 import org.apache.iotdb.commons.security.encrypt.AsymmetricEncryptFactory;
 import org.apache.iotdb.confignode.rpc.thrift.TPermissionInfoResp;
 import org.apache.iotdb.confignode.rpc.thrift.TRoleResp;
@@ -81,7 +82,24 @@ public static boolean validatePassword(String originPassword, String encryptPass
     return AsymmetricEncryptFactory.getEncryptProvider(
             CommonDescriptor.getInstance().getConfig().getEncryptDecryptProvider(),
             CommonDescriptor.getInstance().getConfig().getEncryptDecryptProviderParameter())
-        .validate(originPassword, encryptPassword);
+        .validate(originPassword, encryptPassword, AsymmetricEncrypt.DigestAlgorithm.SHA_256);
+  }
+
+  /**
+   * Checking whether origin password is mapping to encrypt password by encryption
+   *
+   * @param originPassword the password before encryption
+   * @param encryptPassword the password after encryption
+   * @param digestAlgorithm the algorithm for encryption
+   */
+  public static boolean validatePassword(
+      String originPassword,
+      String encryptPassword,
+      AsymmetricEncrypt.DigestAlgorithm digestAlgorithm) {
+    return AsymmetricEncryptFactory.getEncryptProvider(
+            CommonDescriptor.getInstance().getConfig().getEncryptDecryptProvider(),
+            CommonDescriptor.getInstance().getConfig().getEncryptDecryptProviderParameter())
+        .validate(originPassword, encryptPassword, digestAlgorithm);
   }
 
   /**
@@ -171,7 +189,7 @@ public static String encryptPassword(String password) {
     return AsymmetricEncryptFactory.getEncryptProvider(
             CommonDescriptor.getInstance().getConfig().getEncryptDecryptProvider(),
             CommonDescriptor.getInstance().getConfig().getEncryptDecryptProviderParameter())
-        .encrypt(password);
+        .encrypt(password, AsymmetricEncrypt.DigestAlgorithm.SHA_256);
   }
 
   /**