Cleanup models.User.HashPassword (#3334)

This commit is contained in:
Kim "BKC" Carlbäcker 2018-01-11 23:19:38 +01:00 committed by Lauris BH
parent 9aed18073d
commit e5b8b4b5ec
7 changed files with 18 additions and 23 deletions

View File

@ -107,11 +107,10 @@ func runChangePassword(c *cli.Context) error {
if err != nil { if err != nil {
return fmt.Errorf("%v", err) return fmt.Errorf("%v", err)
} }
user.Passwd = c.String("password")
if user.Salt, err = models.GetUserSalt(); err != nil { if user.Salt, err = models.GetUserSalt(); err != nil {
return fmt.Errorf("%v", err) return fmt.Errorf("%v", err)
} }
user.HashPassword() user.HashPassword(c.String("password"))
if err := models.UpdateUserCols(user, "passwd", "salt"); err != nil { if err := models.UpdateUserCols(user, "passwd", "salt"); err != nil {
return fmt.Errorf("%v", err) return fmt.Errorf("%v", err)
} }

View File

@ -388,17 +388,20 @@ func (u *User) NewGitSig() *git.Signature {
} }
} }
func hashPassword(passwd, salt string) string {
tempPasswd := pbkdf2.Key([]byte(passwd), []byte(salt), 10000, 50, sha256.New)
return fmt.Sprintf("%x", tempPasswd)
}
// HashPassword hashes a password using PBKDF. // HashPassword hashes a password using PBKDF.
func (u *User) HashPassword() { func (u *User) HashPassword(passwd string) {
newPasswd := pbkdf2.Key([]byte(u.Passwd), []byte(u.Salt), 10000, 50, sha256.New) u.Passwd = hashPassword(passwd, u.Salt)
u.Passwd = fmt.Sprintf("%x", newPasswd)
} }
// ValidatePassword checks if given password matches the one belongs to the user. // ValidatePassword checks if given password matches the one belongs to the user.
func (u *User) ValidatePassword(passwd string) bool { func (u *User) ValidatePassword(passwd string) bool {
newUser := &User{Passwd: passwd, Salt: u.Salt} tempHash := hashPassword(passwd, u.Salt)
newUser.HashPassword() return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(tempHash)) == 1
return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1
} }
// IsPasswordSet checks if the password is set or left empty // IsPasswordSet checks if the password is set or left empty
@ -711,7 +714,7 @@ func CreateUser(u *User) (err error) {
if u.Salt, err = GetUserSalt(); err != nil { if u.Salt, err = GetUserSalt(); err != nil {
return err return err
} }
u.HashPassword() u.HashPassword(u.Passwd)
u.AllowCreateOrganization = setting.Service.DefaultAllowCreateOrganization u.AllowCreateOrganization = setting.Service.DefaultAllowCreateOrganization
u.MaxRepoCreation = -1 u.MaxRepoCreation = -1

View File

@ -135,13 +135,11 @@ func TestHashPasswordDeterministic(t *testing.T) {
pass := string(b) pass := string(b)
// save the current password in the user - hash it and store the result // save the current password in the user - hash it and store the result
u.Passwd = pass u.HashPassword(pass)
u.HashPassword()
r1 := u.Passwd r1 := u.Passwd
// run again // run again
u.Passwd = pass u.HashPassword(pass)
u.HashPassword()
r2 := u.Passwd r2 := u.Passwd
// assert equal (given the same salt+pass, the same result is produced) // assert equal (given the same salt+pass, the same result is produced)
@ -158,7 +156,6 @@ func BenchmarkHashPassword(b *testing.B) {
u := &User{Salt: string(bs), Passwd: pass} u := &User{Salt: string(bs), Passwd: pass}
b.ResetTimer() b.ResetTimer()
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
u.HashPassword() u.HashPassword(pass)
u.Passwd = pass
} }
} }

View File

@ -194,13 +194,12 @@ func EditUserPost(ctx *context.Context, form auth.AdminEditUserForm) {
} }
if len(form.Password) > 0 { if len(form.Password) > 0 {
u.Passwd = form.Password
var err error var err error
if u.Salt, err = models.GetUserSalt(); err != nil { if u.Salt, err = models.GetUserSalt(); err != nil {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return
} }
u.HashPassword() u.HashPassword(form.Password)
} }
u.LoginName = form.LoginName u.LoginName = form.LoginName

View File

@ -126,13 +126,12 @@ func EditUser(ctx *context.APIContext, form api.EditUserOption) {
} }
if len(form.Password) > 0 { if len(form.Password) > 0 {
u.Passwd = form.Password
var err error var err error
if u.Salt, err = models.GetUserSalt(); err != nil { if u.Salt, err = models.GetUserSalt(); err != nil {
ctx.Error(500, "UpdateUser", err) ctx.Error(500, "UpdateUser", err)
return return
} }
u.HashPassword() u.HashPassword(form.Password)
} }
u.LoginName = form.LoginName u.LoginName = form.LoginName

View File

@ -984,7 +984,6 @@ func ResetPasswdPost(ctx *context.Context) {
return return
} }
u.Passwd = passwd
var err error var err error
if u.Rands, err = models.GetUserSalt(); err != nil { if u.Rands, err = models.GetUserSalt(); err != nil {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
@ -994,7 +993,7 @@ func ResetPasswdPost(ctx *context.Context) {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return
} }
u.HashPassword() u.HashPassword(passwd)
if err := models.UpdateUserCols(u, "passwd", "rands", "salt"); err != nil { if err := models.UpdateUserCols(u, "passwd", "rands", "salt"); err != nil {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return

View File

@ -229,13 +229,12 @@ func SettingsSecurityPost(ctx *context.Context, form auth.ChangePasswordForm) {
} else if form.Password != form.Retype { } else if form.Password != form.Retype {
ctx.Flash.Error(ctx.Tr("form.password_not_match")) ctx.Flash.Error(ctx.Tr("form.password_not_match"))
} else { } else {
ctx.User.Passwd = form.Password
var err error var err error
if ctx.User.Salt, err = models.GetUserSalt(); err != nil { if ctx.User.Salt, err = models.GetUserSalt(); err != nil {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return
} }
ctx.User.HashPassword() ctx.User.HashPassword(form.Password)
if err := models.UpdateUserCols(ctx.User, "salt", "passwd"); err != nil { if err := models.UpdateUserCols(ctx.User, "salt", "passwd"); err != nil {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return