FF-173 - Password Hashing (#108)

* added password hashing and updated unit tests.

* Fixed Integrationtests

* changed plain text passwords to hashed versions

* added salt to pws in PrepareDataBase

* updated date of last change and url to blog

Author: open-schnick

pom.xml

@@ -39,6 +39,18 @@
             <optional>true</optional>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot</artifactId>
+            <version>2.4.4</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-crypto</artifactId>
+            <version>5.3.4.RELEASE</version>
+        </dependency>
+
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
@@ -122,11 +134,6 @@
                 </exclusion>
             </exclusions>
         </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot</artifactId>
-            <version>2.4.4</version>
-        </dependency>
         <!-- TESTING -->
 
     </dependencies>

src/main/java/de/filefighter/rest/configuration/PrepareDataBase.java

@@ -17,6 +17,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.core.env.Environment;
+import org.springframework.security.crypto.password.PasswordEncoder;
 
 import java.time.Instant;
 import java.util.ArrayList;
@@ -66,7 +67,7 @@ CommandLineRunner veryImportantFileFighterStartScript(Environment environment) {
             System.out.println("Running on http://localhost:" + serverPort);
             System.out.println();
             System.out.println("Developed by Gimleux, Valentin, Open-Schnick.");
-            System.out.println("Development Blog: https://blog.filefighter.de");
+            System.out.println("Development Blog: https://filefighter.de");
             System.out.println("The code can be found at: https://www.github.com/filefighter");
             System.out.println();
             System.out.println("-------------------------------< REST API >-------------------------------");
@@ -76,14 +77,14 @@ CommandLineRunner veryImportantFileFighterStartScript(Environment environment) {
 
     @Bean
     @Profile({"prod", "stage"})
-    CommandLineRunner initDataBaseProd(UserRepository userRepository, FileSystemRepository fileSystemRepository, AccessTokenRepository accessTokenRepository) {
+    CommandLineRunner initDataBaseProd(UserRepository userRepository, FileSystemRepository fileSystemRepository, AccessTokenRepository accessTokenRepository, PasswordEncoder passwordEncoder) {
         return args -> {
             ArrayList<UserEntity> foundUsers = (ArrayList<UserEntity>) userRepository.findAll();
             ArrayList<UserEntity> foundFileSystemEntities = (ArrayList<UserEntity>) userRepository.findAll();
             accessTokenRepository.deleteAll(); // Cleanup purposes.
 
             if (foundUsers.isEmpty() && foundFileSystemEntities.isEmpty()) {
-                addDefaultAdminAndRuntimeUser(userRepository);
+                addDefaultAdminAndRuntimeUser(userRepository, passwordEncoder);
                 log.info("Inserting Home directories and default structure: {} {}.", fileSystemRepository.save(FileSystemEntity
                                 .builder()
                                 .lastUpdatedBy(RUNTIME_USER_ID)
@@ -132,7 +133,7 @@ CommandLineRunner initDataBaseProd(UserRepository userRepository, FileSystemRepo
 
     @Bean
     @Profile({"dev", "debug"})
-    CommandLineRunner initDataBaseDev(UserRepository userRepository, AccessTokenRepository accessTokenRepository, FileSystemRepository fileSystemRepository) {
+    CommandLineRunner initDataBaseDev(UserRepository userRepository, AccessTokenRepository accessTokenRepository, FileSystemRepository fileSystemRepository, PasswordEncoder passwordEncoder) {
         return args -> {
             log.info("Starting with clean user collection.");
             userRepository.deleteAll();
@@ -141,7 +142,7 @@ CommandLineRunner initDataBaseDev(UserRepository userRepository, AccessTokenRepo
             log.info("Starting with clean accessToken collection.");
             accessTokenRepository.deleteAll();
 
-            addDevUsers(userRepository);
+            addDevUsers(userRepository, passwordEncoder);
             addTestingFileSystemItems(fileSystemRepository);
 
             log.info("Inserting default tokens: {} {}",
@@ -183,7 +184,7 @@ CommandLineRunner finishDatabaseWork(IdGenerationService idGenerationService) {
         return args -> idGenerationService.initializeService();
     }
 
-    private void addDevUsers(UserRepository userRepository) {
+    private void addDevUsers(UserRepository userRepository, PasswordEncoder passwordEncoder) {
         log.info("Inserting system runtime user. {}", userRepository.save(UserEntity
                 .builder()
                 .userId(RUNTIME_USER_ID)
@@ -200,7 +201,7 @@ private void addDevUsers(UserRepository userRepository) {
                         .userId(1)
                         .username("user")
                         .lowercaseUsername("user")
-                        .password("1234")
+                        .password(passwordEncoder.encode("D3500EF92337ED226F500EE57084D8FEEE559D0E411A635BC861DFD8159C0FBC")) // 1234 with salt
                         .refreshToken("rft1234")
                         .groupIds(new long[]{ADMIN.getGroupId()})
                         .build()),
@@ -209,13 +210,13 @@ private void addDevUsers(UserRepository userRepository) {
                         .userId(2)
                         .username("user1")
                         .lowercaseUsername("user1")
-                        .password("12345")
+                        .password(passwordEncoder.encode("6216104FA48274A78E291166EA2083E2EAAA5F4F200B2A8E83EE5B30D18019F0")) // 12345
                         .refreshToken("rft")
                         .groupIds(new long[]{FAMILY.getGroupId()})
                         .build()));
     }
 
-    private void addDefaultAdminAndRuntimeUser(UserRepository userRepository) {
+    private void addDefaultAdminAndRuntimeUser(UserRepository userRepository, PasswordEncoder passwordEncoder) {
         log.info("Database seems to be empty. Creating new default entities...");
         log.info("Inserting system runtime user: {}", userRepository.save(UserEntity
                 .builder()
@@ -231,7 +232,7 @@ private void addDefaultAdminAndRuntimeUser(UserRepository userRepository) {
                 .userId(1)
                 .username("Admin")
                 .lowercaseUsername("admin")
-                .password("admin")
+                .password(passwordEncoder.encode("B6381E537A537181763A1A0E4CB00F6E70B57E01F18A2BF9AB602783BF8C22B3")) // admin
                 .refreshToken("rft1234")
                 .groupIds(new long[]{ADMIN.getGroupId()})
                 .build()));

src/main/java/de/filefighter/rest/configuration/Security.java

@@ -0,0 +1,15 @@
+package de.filefighter.rest.configuration;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+public class Security {
+
+    @Bean
+    public PasswordEncoder encoder() {
+        return new BCryptPasswordEncoder();
+    }
+}

src/main/java/de/filefighter/rest/domain/authentication/AuthenticationBusinessService.java

@@ -10,6 +10,7 @@
 import de.filefighter.rest.domain.user.exceptions.UserNotAuthenticatedException;
 import de.filefighter.rest.domain.user.group.Group;
 import lombok.extern.log4j.Log4j2;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 
 import java.nio.charset.StandardCharsets;
@@ -22,11 +23,13 @@ public class AuthenticationBusinessService {
     private final UserRepository userRepository;
     private final UserDTOService userDtoService;
     private final InputSanitizerService inputSanitizerService;
+    private final PasswordEncoder passwordEncoder;
 
-    public AuthenticationBusinessService(UserRepository userRepository, UserDTOService userDtoService, InputSanitizerService inputSanitizerService) {
+    public AuthenticationBusinessService(UserRepository userRepository, UserDTOService userDtoService, InputSanitizerService inputSanitizerService, PasswordEncoder passwordEncoder) {
         this.userRepository = userRepository;
         this.userDtoService = userDtoService;
         this.inputSanitizerService = inputSanitizerService;
+        this.passwordEncoder = passwordEncoder;
     }
 
     public User authenticateUserWithUsernameAndPassword(String base64encodedUserAndPassword) {
@@ -47,10 +50,16 @@ public User authenticateUserWithUsernameAndPassword(String base64encodedUserAndP
         String lowerCaseUsername = inputSanitizerService.sanitizeString(split[0].toLowerCase());
         String password = inputSanitizerService.sanitizeString(split[1]);
 
-        UserEntity userEntity = userRepository.findByLowercaseUsernameAndPassword(lowerCaseUsername, password);
+        if (!inputSanitizerService.passwordIsValid(password))
+            throw new UserNotAuthenticatedException("The password didnt match requirenments, please hash the password with SHA-256.");
+
+        UserEntity userEntity = userRepository.findByLowercaseUsername(lowerCaseUsername);
         if (null == userEntity)
             throw new UserNotAuthenticatedException("No User found with this username and password.");
 
+        if (!passwordEncoder.matches(password, userEntity.getPassword()))
+            throw new UserNotAuthenticatedException("No User found with this username and password.");
+
         return userDtoService.createDto(userEntity);
     }
 

src/main/java/de/filefighter/rest/domain/common/InputSanitizerService.java

@@ -2,6 +2,7 @@
 
 import de.filefighter.rest.domain.common.exceptions.RequestDidntMeetFormalRequirementsException;
 import de.filefighter.rest.domain.filesystem.data.dto.upload.FileSystemUpload;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
 import java.util.regex.Matcher;
@@ -10,6 +11,9 @@
 @Service
 public class InputSanitizerService {
 
+    @Value("${filefighter.disable-password-check}")
+    private boolean passwordCheckDisabled;
+
     public static boolean stringIsValid(String s) {
         return !(null == s || s.isEmpty() || s.isBlank());
     }
@@ -51,6 +55,14 @@ public String sanitizeRequestHeader(String header, String testString) {
         return split[1];
     }
 
+    public boolean passwordIsValid(String password) {
+        if (this.passwordCheckDisabled)
+            return true;
+
+        Pattern pattern = Pattern.compile("\\b[A-Fa-f0-9]{64}\\b");
+        return pattern.matcher(password).matches();
+    }
+
     public boolean pathIsValid(String path) {
         String validString = sanitizeString(path);
 

src/main/java/de/filefighter/rest/domain/user/business/UserBusinessService.java

@@ -1,5 +1,6 @@
 package de.filefighter.rest.domain.user.business;
 
+import de.filefighter.rest.domain.common.InputSanitizerService;
 import de.filefighter.rest.domain.token.business.AccessTokenBusinessService;
 import de.filefighter.rest.domain.token.data.dto.RefreshToken;
 import de.filefighter.rest.domain.user.data.dto.User;
@@ -11,16 +12,15 @@
 import de.filefighter.rest.domain.user.exceptions.UserNotUpdatedException;
 import de.filefighter.rest.domain.user.group.Group;
 import de.filefighter.rest.domain.user.group.GroupRepository;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.data.mongodb.core.MongoTemplate;
 import org.springframework.data.mongodb.core.query.Criteria;
 import org.springframework.data.mongodb.core.query.Query;
 import org.springframework.data.mongodb.core.query.Update;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 
 import java.security.SecureRandom;
 import java.util.Arrays;
-import java.util.regex.Pattern;
 
 import static de.filefighter.rest.domain.common.InputSanitizerService.stringIsValid;
 
@@ -32,14 +32,16 @@ public class UserBusinessService {
     private final UserDTOService userDtoService;
     private final GroupRepository groupRepository;
     private final MongoTemplate mongoTemplate;
-    @Value("${filefighter.disable-password-check}")
-    public boolean passwordCheckDisabled;
+    private final InputSanitizerService inputSanitizerService;
+    private final PasswordEncoder passwordEncoder;
 
-    public UserBusinessService(UserRepository userRepository, UserDTOService userDtoService, GroupRepository groupRepository, MongoTemplate mongoTemplate) {
+    public UserBusinessService(UserRepository userRepository, UserDTOService userDtoService, GroupRepository groupRepository, MongoTemplate mongoTemplate, InputSanitizerService inputSanitizerService, PasswordEncoder passwordEncoder) {
         this.userRepository = userRepository;
         this.userDtoService = userDtoService;
         this.groupRepository = groupRepository;
         this.mongoTemplate = mongoTemplate;
+        this.inputSanitizerService = inputSanitizerService;
+        this.passwordEncoder = passwordEncoder;
     }
 
     public long getUserCount() {
@@ -96,15 +98,12 @@ public UserEntity registerNewUser(UserRegisterForm newUser) {
         if (!stringIsValid(password) || !stringIsValid(confirmationPassword))
             throw new UserNotRegisteredException("Wanted to change password, but password was not valid.");
 
-        if (!passwordIsValid(password))
-            throw new UserNotRegisteredException("Password needs to be at least 8 characters long and, contains at least one uppercase and lowercase letter and a number.");
+        if (!inputSanitizerService.passwordIsValid(password))
+            throw new UserNotRegisteredException("Password needs to be a valid SHA-265 hash.");
 
         if (!password.contentEquals(confirmationPassword))
             throw new UserNotRegisteredException("Passwords do not match.");
 
-        if (password.toLowerCase().contains(username.toLowerCase()))
-            throw new UserNotRegisteredException("Username must not appear in password.");
-
         //check groups
         long[] userGroups = newUser.getGroupIds();
         if (null == userGroups)
@@ -121,25 +120,20 @@ public UserEntity registerNewUser(UserRegisterForm newUser) {
             }
         }
 
+        // hash password.
+        String hashedPassword = passwordEncoder.encode(password);
+
         //create new user.
         return userRepository.save(UserEntity.builder()
                 .lowercaseUsername(username.toLowerCase())
                 .username(username)
                 .groupIds(userGroups)
-                .password(password)
+                .password(hashedPassword)
                 .refreshToken(AccessTokenBusinessService.generateRandomTokenValue())
                 .userId(generateRandomUserId())
                 .build());
     }
 
-    public boolean passwordIsValid(String password) {
-        if (this.passwordCheckDisabled)
-            return true;
-
-        Pattern pattern = Pattern.compile("^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=\\S+).{8,20}$");
-        return pattern.matcher(password).matches();
-    }
-
     /**
      * @param username username to find.
      * @return null or the found user.
@@ -164,17 +158,14 @@ public void updateUser(long userId, UserRegisterForm userToUpdate, User authenti
         if (null == userEntityToUpdate)
             throw new UserNotUpdatedException("User does not exist, use register endpoint.");
 
-        if (Arrays.stream(userEntityToUpdate.getGroupIds()).asDoubleStream().anyMatch(id -> id == Group.SYSTEM.getGroupId()))
+        if (Arrays.stream(userEntityToUpdate.getGroupIds()).anyMatch(id -> id == Group.SYSTEM.getGroupId()))
             throw new UserNotUpdatedException("Runtime users cannot be modified.");
 
         Update newUpdate = new Update();
 
         boolean changesWereMade = updateUserName(newUpdate, userToUpdate.getUsername());
-        boolean usernameIsValid = stringIsValid(userToUpdate.getUsername());
-        String lowerCaseUsername = usernameIsValid ? userToUpdate.getUsername().toLowerCase() : userEntityToUpdate.getLowercaseUsername();
-        boolean passwordWasUpdated = updatePassword(newUpdate, userToUpdate.getPassword(), userToUpdate.getConfirmationPassword(), lowerCaseUsername);
+        boolean passwordWasUpdated = updatePassword(newUpdate, userToUpdate.getPassword(), userToUpdate.getConfirmationPassword());
         changesWereMade = passwordWasUpdated || changesWereMade;
-
         boolean userGroupsWereUpdated = updateGroups(newUpdate, userToUpdate.getGroupIds(), authenticatedUserIsAdmin);
         changesWereMade = userGroupsWereUpdated || changesWereMade;
 
@@ -205,22 +196,22 @@ private boolean updateGroups(Update newUpdate, long[] groupIds, boolean authenti
         return false;
     }
 
-    private boolean updatePassword(Update newUpdate, String password, String confirmationPassword, String lowercaseUserName) {
+    private boolean updatePassword(Update newUpdate, String password, String confirmationPassword) {
         if (null != password) {
 
             if (!stringIsValid(password) || !stringIsValid(confirmationPassword))
                 throw new UserNotUpdatedException("Wanted to change password, but password was not valid.");
 
-            if (!passwordIsValid(password))
-                throw new UserNotUpdatedException("Password needs to be at least 8 characters long and, contains at least one uppercase and lowercase letter and a number.");
+            if (!inputSanitizerService.passwordIsValid(password))
+                throw new UserNotUpdatedException("Password needs to be a valid SHA-256 hash.");
 
             if (!password.contentEquals(confirmationPassword))
                 throw new UserNotUpdatedException("Passwords do not match.");
 
-            if (password.toLowerCase().contains(lowercaseUserName))
-                throw new UserNotUpdatedException("Username must not appear in password.");
+            // hash password.
+            String hashedPassword = passwordEncoder.encode(password);
 
-            newUpdate.set("password", password);
+            newUpdate.set("password", hashedPassword);
             //update refreshToken
             String newRefreshToken = AccessTokenBusinessService.generateRandomTokenValue();
             newUpdate.set("refreshToken", newRefreshToken);

src/main/java/de/filefighter/rest/domain/user/data/persistence/UserRepository.java

@@ -6,7 +6,6 @@
 @Service
 public interface UserRepository extends MongoRepository<UserEntity, String> {
     UserEntity findByUserIdAndUsername(long userId, String username);
-    UserEntity findByLowercaseUsernameAndPassword(String username, String password);
     UserEntity findByRefreshToken(String refreshToken);
     UserEntity findByUserId(long userId);
     UserEntity findByLowercaseUsername(String lowercaseUsername);

src/main/resources/application.properties

@@ -17,5 +17,5 @@ spring.data.mongodb.port=20000
 spring.data.mongodb.auto-index-creation=true
 #------------------- Custom -----------------------
 filefighter.version=0.0.8
-filefighter.date=11.05.2021
+filefighter.date=16.05.2021
 filefighter.disable-password-check=false