Example 1 with PasswordHash
use of com.gitblit.utils.PasswordHash in project gitblit by gitblit.
the class AuthenticationManager method authenticateLocal.
/**
* Returns a UserModel if local authentication succeeds.
*
* @param user
* @param password
* @return a UserModel if local authentication succeeds, null otherwise
*/
protected UserModel authenticateLocal(UserModel user, char[] password) {
UserModel returnedUser = null;
// Create a copy of the password that we can use to rehash to upgrade to a more secure hashing method.
// This is done to be independent from the implementation of the PasswordHash, which might already clear out
// the password it gets passed in. This looks a bit stupid, as we could simply clean up the mess, but this
// falls under "better safe than sorry".
char[] pwdToUpgrade = Arrays.copyOf(password, password.length);
try {
PasswordHash pwdHash = PasswordHash.instanceFor(user.password);
if (pwdHash != null) {
if (pwdHash.matches(user.password, password, user.username)) {
returnedUser = user;
}
} else if (user.password.equals(new String(password))) {
// plain-text password
returnedUser = user;
}
// validate user
returnedUser = validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS);
// try to upgrade the stored password hash to a stronger hash, if necessary
upgradeStoredPassword(returnedUser, pwdToUpgrade, pwdHash);
} finally {
// Now we make sure that the password is zeroed out in any case.
Arrays.fill(password, Character.MIN_VALUE);
Arrays.fill(pwdToUpgrade, Character.MIN_VALUE);
}
return returnedUser;
}
Also used :
UserModel(com.gitblit.models.UserModel)
PasswordHash(com.gitblit.utils.PasswordHash)
Example 2 with PasswordHash
use of com.gitblit.utils.PasswordHash in project gitblit by gitblit.
the class EditUserPage method setupPage.
protected void setupPage(final UserModel userModel) {
if (isCreate) {
super.setupPage(getString("gb.newUser"), "");
} else {
super.setupPage(getString("gb.edit"), userModel.username);
}
final Model<String> confirmPassword = new Model<String>(StringUtils.isEmpty(userModel.password) ? "" : userModel.password);
CompoundPropertyModel<UserModel> model = new CompoundPropertyModel<UserModel>(userModel);
// build list of projects including all repositories wildcards
List<String> repos = getAccessRestrictedRepositoryList(true, userModel);
List<String> userTeams = new ArrayList<String>();
for (TeamModel team : userModel.teams) {
userTeams.add(team.name);
}
Collections.sort(userTeams);
final String oldName = userModel.username;
final List<RegistrantAccessPermission> permissions = app().repositories().getUserAccessPermissions(userModel);
final Palette<String> teams = new Palette<String>("teams", new ListModel<String>(new ArrayList<String>(userTeams)), new CollectionModel<String>(app().users().getAllTeamNames()), new StringChoiceRenderer(), 10, false);
Locale locale = userModel.getPreferences().getLocale();
List<Language> languages = UserPage.getLanguages();
Language preferredLanguage = UserPage.getPreferredLanguage(locale, languages);
final IModel<Language> language = Model.of(preferredLanguage);
Form<UserModel> form = new Form<UserModel>("editForm", model) {
private static final long serialVersionUID = 1L;
/*
* (non-Javadoc)
*
* @see org.apache.wicket.markup.html.form.Form#onSubmit()
*/
@Override
protected void onSubmit() {
if (StringUtils.isEmpty(userModel.username)) {
error(getString("gb.pleaseSetUsername"));
return;
}
Language lang = language.getObject();
if (lang != null) {
userModel.getPreferences().setLocale(lang.code);
}
// force username to lower-case
userModel.username = userModel.username.toLowerCase();
String username = userModel.username;
if (isCreate) {
UserModel model = app().users().getUserModel(username);
if (model != null) {
error(MessageFormat.format(getString("gb.usernameUnavailable"), username));
return;
}
}
boolean rename = !StringUtils.isEmpty(oldName) && !oldName.equalsIgnoreCase(username);
if (app().authentication().supportsCredentialChanges(userModel)) {
if (!userModel.password.equals(confirmPassword.getObject())) {
error(getString("gb.passwordsDoNotMatch"));
return;
}
String password = userModel.password;
if (!PasswordHash.isHashedEntry(password)) {
// This is a plain text password.
// Check length.
int minLength = app().settings().getInteger(Keys.realm.minPasswordLength, 5);
if (minLength < 4) {
minLength = 4;
}
if (password.trim().length() < minLength) {
// TODO: Why do we trim here, but not in EditUserDialog and ChangePasswordPage?
error(MessageFormat.format(getString("gb.passwordTooShort"), minLength));
return;
}
// change the cookie
userModel.cookie = userModel.createCookie();
// Optionally store the password MD5 digest.
String type = app().settings().getString(Keys.realm.passwordStorage, PasswordHash.getDefaultType().name());
PasswordHash pwdh = PasswordHash.instanceOf(type);
if (pwdh != null) {
// Hash the password
userModel.password = pwdh.toHashedEntry(password, username);
}
} else if (rename && password.toUpperCase().startsWith(PasswordHash.Type.CMD5.name())) {
error(getString("gb.combinedMd5Rename"));
return;
}
}
// update user permissions
for (RegistrantAccessPermission repositoryPermission : permissions) {
if (repositoryPermission.mutable) {
userModel.setRepositoryPermission(repositoryPermission.registrant, repositoryPermission.permission);
}
}
Iterator<String> selectedTeams = teams.getSelectedChoices();
userModel.teams.clear();
while (selectedTeams.hasNext()) {
TeamModel team = app().users().getTeamModel(selectedTeams.next());
if (team == null) {
continue;
}
userModel.teams.add(team);
}
try {
if (isCreate) {
app().gitblit().addUser(userModel);
} else {
app().gitblit().reviseUser(oldName, userModel);
}
} catch (GitBlitException e) {
error(e.getMessage());
return;
}
setRedirect(false);
if (isCreate) {
// create another user
info(MessageFormat.format(getString("gb.userCreated"), userModel.username));
setResponsePage(EditUserPage.class);
} else {
// back to users page
setResponsePage(UsersPage.class);
}
}
};
// do not let the browser pre-populate these fields
form.add(new SimpleAttributeModifier("autocomplete", "off"));
// not all user providers support manipulating username and password
boolean editCredentials = app().authentication().supportsCredentialChanges(userModel);
// not all user providers support manipulating display name
boolean editDisplayName = app().authentication().supportsDisplayNameChanges(userModel);
// not all user providers support manipulating email address
boolean editEmailAddress = app().authentication().supportsEmailAddressChanges(userModel);
// not all user providers support manipulating team memberships
boolean editTeams = app().authentication().supportsTeamMembershipChanges(userModel);
// not all user providers support manipulating the admin role
boolean changeAdminRole = app().authentication().supportsRoleChanges(userModel, Role.ADMIN);
// not all user providers support manipulating the create role
boolean changeCreateRole = app().authentication().supportsRoleChanges(userModel, Role.CREATE);
// not all user providers support manipulating the fork role
boolean changeForkRole = app().authentication().supportsRoleChanges(userModel, Role.FORK);
// field names reflective match UserModel fields
form.add(new TextField<String>("username").setEnabled(editCredentials));
NonTrimmedPasswordTextField passwordField = new NonTrimmedPasswordTextField("password");
passwordField.setResetPassword(false);
form.add(passwordField.setEnabled(editCredentials));
NonTrimmedPasswordTextField confirmPasswordField = new NonTrimmedPasswordTextField("confirmPassword", confirmPassword);
confirmPasswordField.setResetPassword(false);
form.add(confirmPasswordField.setEnabled(editCredentials));
form.add(new TextField<String>("displayName").setEnabled(editDisplayName));
form.add(new TextField<String>("emailAddress").setEnabled(editEmailAddress));
DropDownChoice<Language> choice = new DropDownChoice<Language>("language", language, languages);
form.add(choice.setEnabled(languages.size() > 0));
if (userModel.canAdmin() && !userModel.canAdmin) {
// user inherits Admin permission
// display a disabled-yet-checked checkbox
form.add(new CheckBox("canAdmin", Model.of(true)).setEnabled(false));
} else {
form.add(new CheckBox("canAdmin").setEnabled(changeAdminRole));
}
if (userModel.canFork() && !userModel.canFork) {
// user inherits Fork permission
// display a disabled-yet-checked checkbox
form.add(new CheckBox("canFork", Model.of(true)).setEnabled(false));
} else {
final boolean forkingAllowed = app().settings().getBoolean(Keys.web.allowForking, true);
form.add(new CheckBox("canFork").setEnabled(forkingAllowed && changeForkRole));
}
if (userModel.canCreate() && !userModel.canCreate) {
// user inherits Create permission
// display a disabled-yet-checked checkbox
form.add(new CheckBox("canCreate", Model.of(true)).setEnabled(false));
} else {
form.add(new CheckBox("canCreate").setEnabled(changeCreateRole));
}
form.add(new CheckBox("excludeFromFederation"));
form.add(new CheckBox("disabled"));
form.add(new RegistrantPermissionsPanel("repositories", RegistrantType.REPOSITORY, repos, permissions, getAccessPermissions()));
form.add(teams.setEnabled(editTeams));
form.add(new TextField<String>("organizationalUnit").setEnabled(editDisplayName));
form.add(new TextField<String>("organization").setEnabled(editDisplayName));
form.add(new TextField<String>("locality").setEnabled(editDisplayName));
form.add(new TextField<String>("stateProvince").setEnabled(editDisplayName));
form.add(new TextField<String>("countryCode").setEnabled(editDisplayName));
form.add(new Button("save"));
Button cancel = new Button("cancel") {
private static final long serialVersionUID = 1L;
@Override
public void onSubmit() {
setResponsePage(UsersPage.class);
}
};
cancel.setDefaultFormProcessing(false);
form.add(cancel);
add(form);
}
Also used :
Locale(java.util.Locale)
Palette(org.apache.wicket.extensions.markup.html.form.palette.Palette)
Form(org.apache.wicket.markup.html.form.Form)
RegistrantPermissionsPanel(com.gitblit.wicket.panels.RegistrantPermissionsPanel)
ArrayList(java.util.ArrayList)
GitBlitException(com.gitblit.GitBlitException)
SimpleAttributeModifier(org.apache.wicket.behavior.SimpleAttributeModifier)
UserModel(com.gitblit.models.UserModel)
TeamModel(com.gitblit.models.TeamModel)
Button(org.apache.wicket.markup.html.form.Button)
RegistrantAccessPermission(com.gitblit.models.RegistrantAccessPermission)
TextField(org.apache.wicket.markup.html.form.TextField)
NonTrimmedPasswordTextField(com.gitblit.wicket.NonTrimmedPasswordTextField)
CompoundPropertyModel(org.apache.wicket.model.CompoundPropertyModel)
NonTrimmedPasswordTextField(com.gitblit.wicket.NonTrimmedPasswordTextField)
DropDownChoice(org.apache.wicket.markup.html.form.DropDownChoice)
StringChoiceRenderer(com.gitblit.wicket.StringChoiceRenderer)
CheckBox(org.apache.wicket.markup.html.form.CheckBox)
CompoundPropertyModel(org.apache.wicket.model.CompoundPropertyModel)
IModel(org.apache.wicket.model.IModel)
CollectionModel(org.apache.wicket.model.util.CollectionModel)
ListModel(org.apache.wicket.model.util.ListModel)
Model(org.apache.wicket.model.Model)
UserModel(com.gitblit.models.UserModel)
TeamModel(com.gitblit.models.TeamModel)
PasswordHash(com.gitblit.utils.PasswordHash)
Example 3 with PasswordHash
use of com.gitblit.utils.PasswordHash in project gitblit by gitblit.
the class EditUserDialog method validateFields.
private boolean validateFields() {
if (StringUtils.isEmpty(usernameField.getText())) {
error("Please enter a username!");
return false;
}
String uname = usernameField.getText().toLowerCase();
boolean rename = false;
// verify username uniqueness on create
if (isCreate) {
if (usernames.contains(uname)) {
error(MessageFormat.format("Username ''{0}'' is unavailable.", uname));
return false;
}
} else {
// check rename collision
rename = !StringUtils.isEmpty(username) && !username.equalsIgnoreCase(uname);
if (rename) {
if (usernames.contains(uname)) {
error(MessageFormat.format("Failed to rename ''{0}'' because ''{1}'' already exists.", username, uname));
return false;
}
}
}
user.username = uname;
int minLength = settings.get(Keys.realm.minPasswordLength).getInteger(5);
if (minLength < 4) {
minLength = 4;
}
String password = new String(passwordField.getPassword());
if (StringUtils.isEmpty(password) || password.length() < minLength) {
error(MessageFormat.format("Password is too short. Minimum length is {0} characters.", minLength));
return false;
}
// password if by now the storage has been changed to a hashed variant.
if (!PasswordHash.isHashedEntry(password)) {
String cpw = new String(confirmPasswordField.getPassword());
if (cpw == null || cpw.length() != password.length()) {
error("Please confirm the password!");
return false;
}
if (!password.equals(cpw)) {
error("Passwords do not match!");
return false;
}
// change the cookie
user.cookie = user.createCookie();
String type = settings.get(Keys.realm.passwordStorage).getString(PasswordHash.getDefaultType().name());
PasswordHash pwdHash = PasswordHash.instanceOf(type);
if (pwdHash != null) {
user.password = pwdHash.toHashedEntry(password, user.username);
} else {
// plain-text password.
// TODO: This is also used when the "realm.passwordStorage" configuration is not a valid type.
// This is a rather bad default, and should probably caught and changed to a secure default.
user.password = password;
}
} else if (rename && password.toUpperCase().startsWith(PasswordHash.Type.CMD5.name())) {
error("Gitblit is configured for combined-md5 password hashing. You must enter a new password on account rename.");
return false;
} else {
// no change in password
user.password = password;
}
user.displayName = displayNameField.getText().trim();
user.emailAddress = emailAddressField.getText().trim();
user.canAdmin = canAdminCheckbox.isSelected();
user.canFork = canForkCheckbox.isSelected();
user.canCreate = canCreateCheckbox.isSelected();
user.excludeFromFederation = notFederatedCheckbox.isSelected();
user.disabled = disabledCheckbox.isSelected();
user.organizationalUnit = organizationalUnitField.getText().trim();
user.organization = organizationField.getText().trim();
user.locality = localityField.getText().trim();
user.stateProvince = stateProvinceField.getText().trim();
user.countryCode = countryCodeField.getText().trim();
for (RegistrantAccessPermission rp : repositoryPalette.getPermissions()) {
user.setRepositoryPermission(rp.registrant, rp.permission);
}
user.teams.clear();
user.teams.addAll(teamsPalette.getSelections());
return true;
}
Also used :
RegistrantAccessPermission(com.gitblit.models.RegistrantAccessPermission)
PasswordHash(com.gitblit.utils.PasswordHash)
Aggregations
PasswordHash (com.gitblit.utils.PasswordHash)3
RegistrantAccessPermission (com.gitblit.models.RegistrantAccessPermission)2
UserModel (com.gitblit.models.UserModel)2
GitBlitException (com.gitblit.GitBlitException)1
TeamModel (com.gitblit.models.TeamModel)1
NonTrimmedPasswordTextField (com.gitblit.wicket.NonTrimmedPasswordTextField)1
StringChoiceRenderer (com.gitblit.wicket.StringChoiceRenderer)1
RegistrantPermissionsPanel (com.gitblit.wicket.panels.RegistrantPermissionsPanel)1
ArrayList (java.util.ArrayList)1
Locale (java.util.Locale)1
SimpleAttributeModifier (org.apache.wicket.behavior.SimpleAttributeModifier)1
Palette (org.apache.wicket.extensions.markup.html.form.palette.Palette)1
Button (org.apache.wicket.markup.html.form.Button)1
CheckBox (org.apache.wicket.markup.html.form.CheckBox)1
DropDownChoice (org.apache.wicket.markup.html.form.DropDownChoice)1
Form (org.apache.wicket.markup.html.form.Form)1
TextField (org.apache.wicket.markup.html.form.TextField)1
CompoundPropertyModel (org.apache.wicket.model.CompoundPropertyModel)1
IModel (org.apache.wicket.model.IModel)1
Model (org.apache.wicket.model.Model)1
