
Commit 0000ff6

use scrypt (#902)
1 parent f0f0016 commit 0000ff6


9 files changed

+207
-31
lines changed


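--- a/go.mod
+++ b/go.mod
@@ -9,11 +9,12 @@ require (
 github.com/coreos/etcd v3.3.22+incompatible
 github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea // v4
 github.com/dgrijalva/jwt-go v3.2.0+incompatible
-github.com/go-chassis/foundation v0.1.1-0.20200825060850-b16bf420f7b3
+github.com/elithrar/simple-scrypt v1.3.0 // indirect
+github.com/go-chassis/foundation v0.3.0
 github.com/go-chassis/go-archaius v1.3.2
 github.com/go-chassis/go-chassis v0.0.0-20200826064053-d90be848aa10
 github.com/go-chassis/paas-lager v1.1.1
-github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d
+github.com/gogo/protobuf v1.3.1
 github.com/golang/protobuf v1.3.2
 github.com/gorilla/websocket v1.4.2
 github.com/hashicorp/serf v0.8.3
@@ -34,7 +35,7 @@ require (
 github.com/satori/go.uuid v1.1.0
 github.com/spf13/cobra v0.0.0-20170624150100-4d647c8944eb
 github.com/spf13/pflag v1.0.5
-github.com/stretchr/testify v1.4.0
+github.com/stretchr/testify v1.6.1
 github.com/widuu/gojson v0.0.0-20170212122013-7da9d2cd949b
 go.uber.org/zap v1.10.0
 golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a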
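Review bot: `github.com/elithrar/simple-scrypt v1.3.0` is marked `// indirect` in the first hunk although pkg/privacy/password.go added by this same commit imports it directly; `go mod tidy` would drop the marker, and the line should read `github.com/elithrar/simple-scrypt v1.3.0`. Since this module now decides how every stored password is hashed, it belongs in go.mod as a direct, explicitly versioned requirement so that future bumps are reviewed rather than pulled in transitively.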

go.sum

Lines changed: 86 additions & 4 deletions
Large diffs are not rendered by default.

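--- a/pkg/privacy/password.go
+++ b/pkg/privacy/password.go
@@ -0,0 +1,62 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements. See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package privacy
+
+import (
+"github.com/apache/servicecomb-service-center/pkg/log"
+"github.com/elithrar/simple-scrypt"
+"github.com/go-chassis/foundation/stringutil"
+"golang.org/x/crypto/bcrypt"
+"strings"
+)
+
+const (
+algBcrypt = "$2a$"
+)
+
+//HashPassword
+//Deprecated: use ScryptPassword, this is only for unit test to test compatible with old version
+func HashPassword(pwd string) (string, error) {
+hash, err := bcrypt.GenerateFromPassword([]byte(pwd), 14)
+if err != nil {
+return "", err
+}
+return stringutil.Bytes2str(hash), nil
+}
+func ScryptPassword(pwd string) (string, error) {
+hash, err := scrypt.GenerateFromPassword([]byte(pwd), scrypt.DefaultParams)
+if err != nil {
+return "", err
+}
+return string(hash), nil
+}
+func SamePassword(hashedPwd, pwd string) bool {
+if strings.HasPrefix(hashedPwd, algBcrypt) {
+err := bcrypt.CompareHashAndPassword([]byte(hashedPwd), []byte(pwd))
+if err == bcrypt.ErrMismatchedHashAndPassword {
+log.Warn("incorrect password attempts")
+}
+return err == nil
+}
+err := scrypt.CompareHashAndPassword([]byte(hashedPwd), []byte(pwd))
+if err == scrypt.ErrMismatchedHashAndPassword {
+log.Warn("incorrect password attempts")
+}
+return err == nil
+
+}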
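Review bot: SamePassword (new lines 48-60) turns every non-nil error into "wrong password" but logs only ErrMismatchedHashAndPassword, so a truncated, malformed or otherwise unparseable stored hash is indistinguishable in the logs from a bad login attempt; the other error values returned by the two CompareHashAndPassword calls should be reported with log.Error, as in the rewrite below. ScryptPassword and SamePassword are exported without doc comments, and the HashPassword comment should be gofmt-style `// HashPassword hashes pwd with bcrypt at cost 14.` with a blank `//` line before the `Deprecated:` paragraph so tooling recognises the deprecation; SamePassword wants a comment stating its dispatch contract, e.g. `// SamePassword reports whether pwd matches hashedPwd; hashes starting with "$2a$" are verified with bcrypt, anything else with scrypt.` Nothing in this commit re-hashes a legacy bcrypt hash after it verifies, so accounts created before this change stay on bcrypt until their password is changed; callers that get a successful match on a bcrypt hash may want to upgrade the stored value with ScryptPassword. The scrypt work factor is whatever scrypt.DefaultParams is in simple-scrypt v1.3.0, which is not visible here, so it is worth pinning an explicit scrypt.Params in this file so a library upgrade cannot silently change the cost.
```go
func SamePassword(hashedPwd, pwd string) bool {
	var err error
	if strings.HasPrefix(hashedPwd, algBcrypt) {
		err = bcrypt.CompareHashAndPassword([]byte(hashedPwd), []byte(pwd))
	} else {
		err = scrypt.CompareHashAndPassword([]byte(hashedPwd), []byte(pwd))
	}
	switch err {
	case nil:
		return true
	case bcrypt.ErrMismatchedHashAndPassword, scrypt.ErrMismatchedHashAndPassword:
		log.Warn("incorrect password attempts")
	default:
		// a hash that cannot be parsed is a data problem, not a bad login
		log.Error("can not verify password hash", err)
	}
	return false
}
```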

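--- a/pkg/privacy/password_test.go
+++ b/pkg/privacy/password_test.go
@@ -0,0 +1,39 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements. See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package privacy_test
+
+import (
+"github.com/apache/servicecomb-service-center/pkg/privacy"
+"github.com/stretchr/testify/assert"
+"testing"
+)
+
+func TestHashPassword(t *testing.T) {
+h, _ := privacy.HashPassword("test")
+t.Log(h)
+mac, _ := privacy.ScryptPassword("test")
+t.Log(mac)
+
+t.Run("given old hash result, should be compatible", func(t *testing.T) {
+same := privacy.SamePassword(h, "test")
+assert.True(t, same)
+})
+
+sameMac := privacy.SamePassword(mac, "test")
+assert.True(t, sameMac)
+}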
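Review bot: The test never asserts the negative case, so a SamePassword that always returned true would pass; add `assert.False(t, privacy.SamePassword(mac, "wrong"))` and the same check against `h`, plus a case with an unparseable stored hash such as `privacy.SamePassword("garbage", "test")`. The errors from HashPassword and ScryptPassword on lines 27 and 29 are discarded with `_`; use `h, err := privacy.HashPassword("test")` followed by `assert.NoError(t, err)` so a hashing failure is reported as such instead of as a confusing comparison failure on an empty hash. HashPassword runs bcrypt at cost 14, which presumably makes this test take on the order of a second per call; that is acceptable for a compatibility check but worth a comment so nobody "fixes" it by lowering the cost.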

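--- a/server/service/rbac/authr_plugin.go
+++ b/server/service/rbac/authr_plugin.go
@@ -21,6 +21,7 @@ import (
 "context"
 "errors"
 "github.com/apache/servicecomb-service-center/pkg/log"
+"github.com/apache/servicecomb-service-center/pkg/privacy"
 "github.com/apache/servicecomb-service-center/pkg/rbacframe"
 "github.com/apache/servicecomb-service-center/server/service/rbac/dao"
 "github.com/dgrijalva/jwt-go"
@@ -57,7 +58,7 @@ func (a *EmbeddedAuthenticator) Login(ctx context.Context, user string, password
 log.Error("get account err", err)
 return "", err
 }
-same := SamePassword(account.Password, password)
+same := privacy.SamePassword(account.Password, password)
 if user == account.Name && same {
 secret, err := GetPrivateKey()
 if err != nil {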

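--- a/server/service/rbac/dao/account_dao.go
+++ b/server/service/rbac/dao/account_dao.go
@@ -25,12 +25,11 @@ import (
 "fmt"
 "github.com/apache/servicecomb-service-center/pkg/etcdsync"
 "github.com/apache/servicecomb-service-center/pkg/log"
+"github.com/apache/servicecomb-service-center/pkg/privacy"
 "github.com/apache/servicecomb-service-center/pkg/rbacframe"
 "github.com/apache/servicecomb-service-center/pkg/util"
 "github.com/apache/servicecomb-service-center/server/core"
 "github.com/apache/servicecomb-service-center/server/service/kv"
-stringutil "github.com/go-chassis/foundation/string"
-"golang.org/x/crypto/bcrypt"
 )
 
 var ErrDuplicated = errors.New("account is duplicated")
@@ -58,12 +57,12 @@ func CreateAccount(ctx context.Context, a *rbacframe.Account) error {
 if exist {
 return ErrDuplicated
 }
-hash, err := bcrypt.GenerateFromPassword([]byte(a.Password), 14)
+hash, err := privacy.ScryptPassword(a.Password)
 if err != nil {
 log.Errorf(err, "pwd hash failed")
 return err
 }
-a.Password = stringutil.Bytes2str(hash)
+a.Password = hash
 a.ID = util.GenerateUUID()
 value, err := json.Marshal(a)
 if err != nil {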

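--- a/server/service/rbac/dao/account_dao_test.go
+++ b/server/service/rbac/dao/account_dao_test.go
@@ -19,6 +19,7 @@ package dao_test
 
 import (
 "context"
+"github.com/apache/servicecomb-service-center/pkg/privacy"
 "github.com/apache/servicecomb-service-center/pkg/rbacframe"
 mgr "github.com/apache/servicecomb-service-center/server/plugin"
 "github.com/apache/servicecomb-service-center/server/plugin/discovery/etcd"
@@ -27,7 +28,6 @@ import (
 "github.com/apache/servicecomb-service-center/server/service/rbac/dao"
 "github.com/astaxie/beego"
 "github.com/stretchr/testify/assert"
-"golang.org/x/crypto/bcrypt"
 "testing"
 )
 
@@ -46,8 +46,8 @@ func TestAccountDao_CreateAccount(t *testing.T) {
 r, err := dao.GetAccount(context.Background(), "admin")
 assert.NoError(t, err)
 assert.Equal(t, "admin", r.Name)
-hash, err := bcrypt.GenerateFromPassword([]byte("pwd"), 14)
-err = bcrypt.CompareHashAndPassword(hash, []byte("pwd"))
-assert.NoError(t, err)
+hash, err := privacy.ScryptPassword("pwd")
+b := privacy.SamePassword(hash, "pwd")
+assert.True(t, b)
 })
 }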
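Review bot: After `hash, err := privacy.ScryptPassword("pwd")` on new line 49 the error is never checked (the old version at least asserted the compare error), so a hashing failure would surface only as SamePassword failing on an empty string; add `assert.NoError(t, err)` before the comparison. The replaced lines also only round-trip a freshly computed hash and never look at `r.Password` returned by GetAccount, so they do not verify that CreateAccount actually stored an scrypt hash; if the account in this test is created with a known password, `assert.True(t, privacy.SamePassword(r.Password, <that password>))` would exercise the DAO instead of the privacy package. The enclosing test function starts outside the hunk.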

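--- a/server/service/rbac/password.go
+++ b/server/service/rbac/password.go
@@ -19,9 +19,8 @@ package rbac
 
 import (
 "context"
+"github.com/apache/servicecomb-service-center/pkg/privacy"
 "github.com/apache/servicecomb-service-center/pkg/rbacframe"
-stringutil "github.com/go-chassis/foundation/string"
-"golang.org/x/crypto/bcrypt"
 
 "github.com/apache/servicecomb-service-center/pkg/log"
 "github.com/apache/servicecomb-service-center/server/service/rbac/dao"
@@ -63,7 +62,7 @@ func changePassword(ctx context.Context, name, currentPassword, pwd string) erro
 log.Error("can not change pwd", err)
 return err
 }
-same := SamePassword(old.Password, currentPassword)
+same := privacy.SamePassword(old.Password, currentPassword)
 if !same {
 log.Error("current password is wrong", nil)
 return ErrWrongPassword
@@ -76,24 +75,16 @@ func changePassword(ctx context.Context, name, currentPassword, pwd string) erro
 }
 
 func doChangePassword(ctx context.Context, old *rbacframe.Account, pwd string) error {
-hash, err := bcrypt.GenerateFromPassword([]byte(pwd), 14)
+hash, err := privacy.ScryptPassword(pwd)
 if err != nil {
 log.Error("pwd hash failed", err)
 return err
 }
-old.Password = stringutil.Bytes2str(hash)
+old.Password = hash
 err = dao.EditAccount(ctx, old)
 if err != nil {
 log.Error("can not change pwd", err)
 return err
 }
 return nil
 }
-
-func SamePassword(hashedPwd, pwd string) bool {
-err := bcrypt.CompareHashAndPassword([]byte(hashedPwd), []byte(pwd))
-if err == bcrypt.ErrMismatchedHashAndPassword {
-log.Warn("incorrect password attempts")
-}
-return err == nil
-}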

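--- a/server/service/rbac/rbca_test.go
+++ b/server/service/rbac/rbca_test.go
@@ -20,6 +20,7 @@ package rbac_test
 import (
 "context"
 "fmt"
+"github.com/apache/servicecomb-service-center/pkg/privacy"
 "github.com/apache/servicecomb-service-center/pkg/rbacframe"
 "github.com/apache/servicecomb-service-center/server/service/rbac"
 "github.com/apache/servicecomb-service-center/server/service/rbac/dao"
@@ -86,7 +87,7 @@ func TestInitRBAC(t *testing.T) {
 assert.NoError(t, err)
 a, err := dao.GetAccount(context.Background(), "a")
 assert.NoError(t, err)
-assert.True(t, rbac.SamePassword(a.Password, "Complicated_password2"))
+assert.True(t, privacy.SamePassword(a.Password, "Complicated_password2"))
 })
 t.Run("change self password", func(t *testing.T) {
 err := dao.CreateAccount(context.Background(), &rbacframe.Account{Name: "b", Password: "Complicated_password1"})
@@ -95,7 +96,7 @@ func TestInitRBAC(t *testing.T) {
 assert.NoError(t, err)
 a, err := dao.GetAccount(context.Background(), "b")
 assert.NoError(t, err)
-assert.True(t, rbac.SamePassword(a.Password, "Complicated_password2"))
+assert.True(t, privacy.SamePassword(a.Password, "Complicated_password2"))
 
 })
 t.Run("list kv", func(t *testing.T) {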
