encrypt hash in db

choosen encryption algorithm forbid comparaison of same hash encrypted twice, have to first fecth stored crypted hash corresponding to uuid, then to check for match.

Author: cmangeat

core/src/main/java/org/fao/geonet/security/GrantViewMdAuthorityFilter.java

@@ -26,13 +26,16 @@
 import org.fao.geonet.domain.AnonymousAccessLink;
 import org.fao.geonet.kernel.security.ViewMdGrantedAuthority;
 import org.fao.geonet.repository.AnonymousAccessLinkRepository;
+import org.fao.geonet.util.PasswordUtil;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.web.filter.GenericFilterBean;
 
@@ -49,6 +52,10 @@ public class GrantViewMdAuthorityFilter extends GenericFilterBean {
     @Autowired
     AnonymousAccessLinkRepository anonymousAccessLinkRepository;
 
+    @Autowired
+    @Qualifier(PasswordUtil.ENCODER_ID)
+    PasswordEncoder encoder;
+
     private HttpSessionSecurityContextRepository repo;
 
     public GrantViewMdAuthorityFilter(HttpSessionSecurityContextRepository httpSessionSecurityContextRepository) {
@@ -78,9 +85,15 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
             filterChain.doFilter(servletRequest, servletResponse);
             return;
         }
-        String hash = servletRequest.getParameter("hash");
-        AnonymousAccessLink authority = anonymousAccessLinkRepository.findOneByHash(hash);
-        if (authority == null) {
+        String hashParam = servletRequest.getParameter("hash");
+        if (hashParam == null || hashParam.length() < AnonymousAccessLink.getRandomHashLength() + 1) {
+            filterChain.doFilter(servletRequest, servletResponse);
+            return;
+        }
+        String hash = hashParam.substring(0, AnonymousAccessLink.getRandomHashLength());
+        String uuid = hashParam.substring(AnonymousAccessLink.getRandomHashLength());
+        AnonymousAccessLink authority = anonymousAccessLinkRepository.findOneByMetadataUuid(uuid);
+        if (authority == null || !encoder.matches(hash, authority.getHash())) {
             filterChain.doFilter(servletRequest, servletResponse);
             return;
         }

core/src/test/java/org/fao/geonet/security/GrantViewAuthorityFilterTest.java

@@ -33,6 +33,7 @@
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 
 import javax.servlet.ServletException;
@@ -45,10 +46,12 @@
 import static org.junit.Assert.assertTrue;
 import static org.mockito.ArgumentMatchers.argThat;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
 
 public class GrantViewAuthorityFilterTest extends AbstractCoreIntegrationTest {
 
 	private int mdId;
+	private String uuid;
 	private String hash;
 	private MockHttpServletRequest requestMock;
 	private MockFilterChain filterChainMock;
@@ -105,9 +108,9 @@ public void canViewManyDifferentMds() throws ServletException, IOException {
 
 		toTest.doFilter(requestMock, responseMock, filterChainMock);
 		filterChainMock.reset();
-		Mockito.when(repositoryMock.findOneByHash(argThat("hush-hush"::equals))).thenReturn(
-				new AnonymousAccessLink().setMetadataId(123));
-		requestMock.setParameter("hash", "hush-hush");
+		Mockito.when(repositoryMock.findOneByMetadataUuid(argThat("uuid2"::equals))).thenReturn(
+				new AnonymousAccessLink().setMetadataId(123).setMetadataUuid("uuid2").setHash("Y".repeat(AnonymousAccessLink.getRandomHashLength())));
+		requestMock.setParameter("hash", "Y".repeat(AnonymousAccessLink.getRandomHashLength()) + "uuid2");
 		toTest.doFilter(requestMock, responseMock, filterChainMock);
 
 		assertEquals(requestMock, filterChainMock.getRequest());
@@ -127,7 +130,7 @@ public void canViewManyDifferentMds() throws ServletException, IOException {
 	public void unknownHashIgnored() throws ServletException, IOException {
 		GrantViewMdAuthorityFilter toTest = prepareToTest();
 
-		requestMock.setParameter("hash", "hush-hush");
+		requestMock.setParameter("hash", "Y".repeat(AnonymousAccessLink.getRandomHashLength()) + uuid);
 		toTest.doFilter(requestMock, responseMock, filterChainMock);
 
 		assertEquals(requestMock, filterChainMock.getRequest());
@@ -138,17 +141,26 @@ public void unknownHashIgnored() throws ServletException, IOException {
 	}
 
 	private GrantViewMdAuthorityFilter prepareToTest() {
-		hash = "hash-hash";
+		uuid = "uuid";
+		hash = "X".repeat(AnonymousAccessLink.getRandomHashLength()) + uuid;
 		mdId = 666;
 		repositoryMock = mock(AnonymousAccessLinkRepository.class);
-		Mockito.when(repositoryMock.findOneByHash(argThat(hash::equals))).thenReturn(new AnonymousAccessLink().setMetadataId(mdId));
+		Mockito.when(repositoryMock.findOneByMetadataUuid(argThat(uuid::equals))).thenReturn(
+				new AnonymousAccessLink().setMetadataId(mdId).setMetadataUuid(uuid).setHash("X".repeat(AnonymousAccessLink.getRandomHashLength())));
+		PasswordEncoder encodeMock = Mockito.mock(PasswordEncoder.class);
+		when(encodeMock.matches("X".repeat(AnonymousAccessLink.getRandomHashLength()), "X".repeat(AnonymousAccessLink.getRandomHashLength()))).thenReturn(true);
+		when(encodeMock.encode("X".repeat(AnonymousAccessLink.getRandomHashLength()))).thenReturn("X".repeat(AnonymousAccessLink.getRandomHashLength()));
+		when(encodeMock.matches("Y".repeat(AnonymousAccessLink.getRandomHashLength()), "Y".repeat(AnonymousAccessLink.getRandomHashLength()))).thenReturn(true);
+		when(encodeMock.encode("Y".repeat(AnonymousAccessLink.getRandomHashLength()))).thenReturn("Y".repeat(AnonymousAccessLink.getRandomHashLength()));
 		GrantViewMdAuthorityFilter toTest = new GrantViewMdAuthorityFilter(mock(HttpSessionSecurityContextRepository.class));
 		toTest.anonymousAccessLinkRepository = repositoryMock;
+		toTest.encoder = encodeMock;
 		requestMock = new MockHttpServletRequest();
 		requestMock.setParameter("hash", hash);
 		responseMock = new MockHttpServletResponse();
 		filterChainMock = new MockFilterChain();
 		requestMock.setSession(loginAsAnonymous());
+
 		return toTest;
 	}
 }

domain/src/main/java/org/fao/geonet/domain/AnonymousAccessLink.java

@@ -102,8 +102,11 @@ public int hashCode() {
 		return Objects.hash(id, metadataId, metadataUuid, hash);
 	}
 
+	public static int getRandomHashLength() {
+		return 43;
+	}
 	public static String getRandomHash() {
-		BytesKeyGenerator generator = KeyGenerators.secureRandom(64);
-		return Base64.getUrlEncoder().encodeToString(generator.generateKey());
+		BytesKeyGenerator generator = KeyGenerators.secureRandom(32);
+		return Base64.getUrlEncoder().withoutPadding().encodeToString(generator.generateKey());
 	}
 }

domain/src/main/java/org/fao/geonet/repository/AnonymousAccessLinkRepository.java

@@ -27,8 +27,6 @@
 
 public interface AnonymousAccessLinkRepository extends GeonetRepository<AnonymousAccessLink, Integer> {
 
-	AnonymousAccessLink findOneByHash(String hash);
-
 	AnonymousAccessLink findOneByMetadataUuid(String uuid);
 
 }

domain/src/test/java/org/fao/geonet/repository/AnonymousAccessLinkRepositoryTest.java

@@ -29,11 +29,8 @@
 import org.springframework.beans.factory.annotation.Autowired;
 
 import java.util.List;
-import java.util.Optional;
 
 import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
 public class AnonymousAccessLinkRepositoryTest extends AbstractSpringDataTest {
@@ -66,22 +63,4 @@ public void nominal() {
 		assertEquals(0, accesses.size());
 	}
 
-	@Test
-	public void findByHash() {
-		AnonymousAccessLink anonymousAccessLink = new AnonymousAccessLink() //
-				.setMetadataId(666) //
-				.setMetadataUuid("uuid") //
-				.setHash("hash");
-		anonymousAccessLinkRepository.save(anonymousAccessLink);
-
-		AnonymousAccessLink auth = anonymousAccessLinkRepository.findOneByHash("hash");
-
-		assertNotNull(auth);
-		assertEquals(666, auth.getMetadataId());
-
-		auth = anonymousAccessLinkRepository.findOneByHash("hush");
-
-		assertNull(auth);
-	}
-
 }

services/src/main/java/org/fao/geonet/api/anonymousAccessLink/AnonymousAccessLinkService.java

@@ -33,8 +33,11 @@
 import org.fao.geonet.kernel.datamanager.IMetadataUtils;
 import org.fao.geonet.repository.AnonymousAccessLinkRepository;
 import org.fao.geonet.repository.OperationAllowedRepository;
+import org.fao.geonet.util.PasswordUtil;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 
 import java.io.IOException;
@@ -63,6 +66,10 @@ public class AnonymousAccessLinkService {
     @Autowired
     private OperationAllowedRepository opAllowedRepo;
 
+    @Autowired
+    @Qualifier(PasswordUtil.ENCODER_ID)
+    private PasswordEncoder encoder;
+
     public AnonymousAccessLinkDto createAnonymousAccessLink(String uuid) throws ResourceAlreadyExistException {
         if (anonymousAccessLinkRepository.findOneByMetadataUuid(uuid) != null) {
             throw new ResourceAlreadyExistException();
@@ -75,15 +82,19 @@ public AnonymousAccessLinkDto createAnonymousAccessLink(String uuid) throws Reso
         AnonymousAccessLink anonymousAccessLinkToCreate = new AnonymousAccessLink()
                 .setMetadataId(mdId)
                 .setMetadataUuid(uuid)
-                .setHash(randomHash);
+                .setHash(encoder.encode(randomHash));
         anonymousAccessLinkRepository.save(anonymousAccessLinkToCreate);
-        return mapper.toDto(anonymousAccessLinkToCreate).setHash(randomHash);
+        return mapper.toDto(anonymousAccessLinkToCreate).setHash(String.format("%s%s", randomHash, uuid));
     }
 
     public List<AnonymousAccessLinkDto> getAllAnonymousAccessLinksWithMdInfos() throws IOException {
         List<AnonymousAccessLink> anonymousAccessLinks = anonymousAccessLinkRepository.findAll();
 
         List<String> uuids = anonymousAccessLinks.stream().map(AnonymousAccessLink::getMetadataUuid).collect(Collectors.toList());
+        if (uuids.isEmpty()) {
+            return List.of();
+        }
+
         MgetRequest request = new MgetRequest.Builder()
                 .ids(uuids)
                 .index(defaultIndex)

services/src/test/java/org/fao/geonet/api/anonymousAccessLink/AnonymousAccessLinkServiceTest.java

@@ -69,7 +69,7 @@ public void createAnonymousAccessLink() throws Exception {
 		AnonymousAccessLink stored = anonymousAccessLinkRepository.findOneByMetadataUuid(md.getUuid());
 		assertEquals(stored.getMetadataUuid(), created.getMetadataUuid());
 		assertEquals(stored.getMetadataId(), created.getMetadataId());
-		assertEquals(stored.getHash(), created.getHash());
+		assertEquals(stored.getHash() + stored.getMetadataUuid(), created.getHash());
 	}
 
 	@Test