Avoid exception if PBKDF2WithHmacSHA256 is not available

marcusdacoregio · marcusdacoregio · commit d5603a944d0d · 2023-04-04T09:33:12.000-03:00
Issue gh-12873
diff --git a/crypto/spring-security-crypto.gradle b/crypto/spring-security-crypto.gradle
@@ -11,5 +11,6 @@ dependencies {
 	testImplementation "org.junit.jupiter:junit-jupiter-engine"
 	testImplementation "org.mockito:mockito-core"
 	testImplementation "org.mockito:mockito-junit-jupiter"
+	testImplementation "org.mockito:mockito-inline"
 	testImplementation "org.springframework:spring-test"
 }
diff --git a/crypto/src/main/java/org/springframework/security/crypto/factory/PasswordEncoderFactories.java b/crypto/src/main/java/org/springframework/security/crypto/factory/PasswordEncoderFactories.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,8 +16,13 @@
 
 package org.springframework.security.crypto.factory;
 
+import java.security.NoSuchAlgorithmException;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.function.Supplier;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 
 import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@@ -34,6 +39,8 @@
  */
 public final class PasswordEncoderFactories {
 
+	private static final Log logger = LogFactory.getLog(PasswordEncoderFactories.class);
+
 	private PasswordEncoderFactories() {
 	}
 
@@ -78,7 +85,8 @@ public static PasswordEncoder createDelegatingPasswordEncoder() {
 		encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
 		encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
 		encoders.put("pbkdf2", Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_5());
-		encoders.put("pbkdf2@SpringSecurity_v5_8", Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8());
+		putIfAlgorithmSupported("pbkdf2@SpringSecurity_v5_8", Pbkdf2PasswordEncoder::defaultsForSpringSecurity_v5_8,
+				encoders);
 		encoders.put("scrypt", SCryptPasswordEncoder.defaultsForSpringSecurity_v4_1());
 		encoders.put("scrypt@SpringSecurity_v5_8", SCryptPasswordEncoder.defaultsForSpringSecurity_v5_8());
 		encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
@@ -90,4 +98,22 @@ public static PasswordEncoder createDelegatingPasswordEncoder() {
 		return new DelegatingPasswordEncoder(encodingId, encoders);
 	}
 
+	private static void putIfAlgorithmSupported(String encodingId, Supplier<PasswordEncoder> encoderSupplier,
+			Map<String, PasswordEncoder> encoders) {
+		try {
+			PasswordEncoder passwordEncoder = encoderSupplier.get();
+			encoders.put(encodingId, passwordEncoder);
+		}
+		catch (Exception ex) {
+			if (ex.getCause() instanceof NoSuchAlgorithmException) {
+				logger.warn(String.format(
+						"Cannot create PasswordEncoder with encodingId [%s] because the algorithm is not available",
+						encodingId), ex);
+			}
+			else {
+				throw ex;
+			}
+		}
+	}
+
 }
diff --git a/crypto/src/test/java/org/springframework/security/crypto/factory/PasswordEncoderFactoriesTests.java b/crypto/src/test/java/org/springframework/security/crypto/factory/PasswordEncoderFactoriesTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,11 +16,17 @@
 
 package org.springframework.security.crypto.factory;
 
+import java.security.NoSuchAlgorithmException;
+
 import org.junit.jupiter.api.Test;
+import org.mockito.MockedStatic;
 
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatNoException;
+import static org.mockito.Mockito.mockStatic;
 
 /**
  * @author Rob Winch
@@ -123,4 +129,14 @@ public void matchesWhenArgon2SpringSecurity_v5_8ThenWorks() {
 		assertThat(this.encoder.matches(this.rawPassword, encodedPassword)).isTrue();
 	}
 
+	@Test
+	void constructWhenAlgorithmNotAvailableThenSkip() {
+		try (MockedStatic<Pbkdf2PasswordEncoder> pbkdf2PasswordEncoderMock = mockStatic(Pbkdf2PasswordEncoder.class)) {
+			pbkdf2PasswordEncoderMock.when(Pbkdf2PasswordEncoder::defaultsForSpringSecurity_v5_8)
+					.thenThrow(new IllegalArgumentException(new NoSuchAlgorithmException()));
+
+			assertThatNoException().isThrownBy(PasswordEncoderFactories::createDelegatingPasswordEncoder);
+		}
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -11,5 +11,6 @@ dependencies {`
`11`	`11`	`testImplementation "org.junit.jupiter:junit-jupiter-engine"`
`12`	`12`	`testImplementation "org.mockito:mockito-core"`
`13`	`13`	`testImplementation "org.mockito:mockito-junit-jupiter"`
	`14`	`+ testImplementation "org.mockito:mockito-inline"`
`14`	`15`	`testImplementation "org.springframework:spring-test"`
`15`	`16`	`}`