summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorrinpatch <rinpatch@sdf.org>2021-01-14 18:29:25 +0000
committerrinpatch <rinpatch@sdf.org>2021-01-14 18:29:25 +0000
commit93ce7b0efbe57de3d458d1ad9cd88fcd76d63241 (patch)
treedd4f6af04ada4fc3df7041831cd40c1f771511b7
parentf917285b72dbc770be40478e1a55973f29d5db7d (diff)
parentc4b74c9c3fcf926de374f512e8b218e6785448e5 (diff)
Merge branch 'pleroma-password' into 'develop'
Add password module See merge request pleroma/pleroma!3253
-rw-r--r--benchmarks/load_testing/users.ex2
-rw-r--r--config/test.exs2
-rw-r--r--lib/pleroma/mfa.ex2
-rw-r--r--lib/pleroma/password/pbkdf2.ex55
-rw-r--r--lib/pleroma/user.ex2
-rw-r--r--lib/pleroma/web/plugs/authentication_plug.ex2
-rw-r--r--mix.exs1
-rw-r--r--test/pleroma/mfa_test.exs4
-rw-r--r--test/pleroma/password/pbkdf2_test.exs35
-rw-r--r--test/pleroma/web/auth/basic_auth_test.exs2
-rw-r--r--test/pleroma/web/auth/pleroma_authenticator_test.exs8
-rw-r--r--test/pleroma/web/auth/totp_authenticator_test.exs2
-rw-r--r--test/pleroma/web/mongoose_im_controller_test.exs4
-rw-r--r--test/pleroma/web/o_auth/ldap_authorization_test.exs4
-rw-r--r--test/pleroma/web/o_auth/mfa_controller_test.exs4
-rw-r--r--test/pleroma/web/o_auth/o_auth_controller_test.exs22
-rw-r--r--test/pleroma/web/plugs/authentication_plug_test.exs2
-rw-r--r--test/pleroma/web/twitter_api/password_controller_test.exs2
-rw-r--r--test/pleroma/web/twitter_api/util_controller_test.exs2
-rw-r--r--test/support/builders/user_builder.ex2
-rw-r--r--test/support/factory.ex2
21 files changed, 130 insertions, 31 deletions
diff --git a/benchmarks/load_testing/users.ex b/benchmarks/load_testing/users.ex
index 34a904ac2..0a33cbfdb 100644
--- a/benchmarks/load_testing/users.ex
+++ b/benchmarks/load_testing/users.ex
@@ -55,7 +55,7 @@ defmodule Pleroma.LoadTesting.Users do
name: "Test テスト User #{i}",
email: "user#{i}@example.com",
nickname: "nick#{i}",
- password_hash: Pbkdf2.hash_pwd_salt("test"),
+ password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("test"),
bio: "Tester Number #{i}",
local: !remote
}
diff --git a/config/test.exs b/config/test.exs
index 7fc457463..6f6b18558 100644
--- a/config/test.exs
+++ b/config/test.exs
@@ -53,7 +53,7 @@ config :pleroma, Pleroma.Repo,
config :pleroma, :dangerzone, override_repo_pool_size: true
# Reduce hash rounds for testing
-config :pbkdf2_elixir, rounds: 1
+config :pleroma, :password, iterations: 1
config :tesla, adapter: Tesla.Mock
diff --git a/lib/pleroma/mfa.ex b/lib/pleroma/mfa.ex
index f43e03a54..02dce7d49 100644
--- a/lib/pleroma/mfa.ex
+++ b/lib/pleroma/mfa.ex
@@ -71,7 +71,7 @@ defmodule Pleroma.MFA do
@spec generate_backup_codes(User.t()) :: {:ok, list(binary)} | {:error, String.t()}
def generate_backup_codes(%User{} = user) do
with codes <- BackupCodes.generate(),
- hashed_codes <- Enum.map(codes, &Pbkdf2.hash_pwd_salt/1),
+ hashed_codes <- Enum.map(codes, &Pleroma.Password.Pbkdf2.hash_pwd_salt/1),
changeset <- Changeset.cast_backup_codes(user, hashed_codes),
{:ok, _} <- User.update_and_set_cache(changeset) do
{:ok, codes}
diff --git a/lib/pleroma/password/pbkdf2.ex b/lib/pleroma/password/pbkdf2.ex
new file mode 100644
index 000000000..2fd5f4491
--- /dev/null
+++ b/lib/pleroma/password/pbkdf2.ex
@@ -0,0 +1,55 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Password.Pbkdf2 do
+ @moduledoc """
+ This module implements Pbkdf2 passwords in terms of Plug.Crypto.
+ """
+
+ alias Plug.Crypto.KeyGenerator
+
+ def decode64(str) do
+ str
+ |> String.replace(".", "+")
+ |> Base.decode64!(padding: false)
+ end
+
+ def encode64(bin) do
+ bin
+ |> Base.encode64(padding: false)
+ |> String.replace("+", ".")
+ end
+
+ def verify_pass(password, hash) do
+ ["pbkdf2-" <> digest, iterations, salt, hash] = String.split(hash, "$", trim: true)
+
+ salt = decode64(salt)
+
+ iterations = String.to_integer(iterations)
+
+ digest = String.to_atom(digest)
+
+ binary_hash =
+ KeyGenerator.generate(password, salt, digest: digest, iterations: iterations, length: 64)
+
+ encode64(binary_hash) == hash
+ end
+
+ def hash_pwd_salt(password, opts \\ []) do
+ salt =
+ Keyword.get_lazy(opts, :salt, fn ->
+ :crypto.strong_rand_bytes(16)
+ end)
+
+ digest = Keyword.get(opts, :digest, :sha512)
+
+ iterations =
+ Keyword.get(opts, :iterations, Pleroma.Config.get([:password, :iterations], 160_000))
+
+ binary_hash =
+ KeyGenerator.generate(password, salt, digest: digest, iterations: iterations, length: 64)
+
+ "$pbkdf2-#{digest}$#{iterations}$#{encode64(salt)}$#{encode64(binary_hash)}"
+ end
+end
diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index cd0c64acc..6a81adfd6 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -2187,7 +2187,7 @@ defmodule Pleroma.User do
defp put_password_hash(
%Ecto.Changeset{valid?: true, changes: %{password: password}} = changeset
) do
- change(changeset, password_hash: Pbkdf2.hash_pwd_salt(password))
+ change(changeset, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
end
defp put_password_hash(changeset), do: changeset
diff --git a/lib/pleroma/web/plugs/authentication_plug.ex b/lib/pleroma/web/plugs/authentication_plug.ex
index c3e13858a..8d58169cf 100644
--- a/lib/pleroma/web/plugs/authentication_plug.ex
+++ b/lib/pleroma/web/plugs/authentication_plug.ex
@@ -48,7 +48,7 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlug do
end
def checkpw(password, "$pbkdf2" <> _ = password_hash) do
- Pbkdf2.verify_pass(password, password_hash)
+ Pleroma.Password.Pbkdf2.verify_pass(password, password_hash)
end
def checkpw(_password, _password_hash) do
diff --git a/mix.exs b/mix.exs
index f26a5391a..14448f12f 100644
--- a/mix.exs
+++ b/mix.exs
@@ -125,7 +125,6 @@ defmodule Pleroma.Mixfile do
{:postgrex, ">= 0.15.5"},
{:oban, "~> 2.1.0"},
{:gettext, "~> 0.18"},
- {:pbkdf2_elixir, "~> 1.2"},
{:bcrypt_elixir, "~> 2.2"},
{:trailing_format_plug, "~> 0.0.7"},
{:fast_sanitize, "~> 0.2.0"},
diff --git a/test/pleroma/mfa_test.exs b/test/pleroma/mfa_test.exs
index 29e478892..76ba1a99d 100644
--- a/test/pleroma/mfa_test.exs
+++ b/test/pleroma/mfa_test.exs
@@ -30,8 +30,8 @@ defmodule Pleroma.MFATest do
{:ok, [code1, code2]} = MFA.generate_backup_codes(user)
updated_user = refresh_record(user)
[hash1, hash2] = updated_user.multi_factor_authentication_settings.backup_codes
- assert Pbkdf2.verify_pass(code1, hash1)
- assert Pbkdf2.verify_pass(code2, hash2)
+ assert Pleroma.Password.Pbkdf2.verify_pass(code1, hash1)
+ assert Pleroma.Password.Pbkdf2.verify_pass(code2, hash2)
end
end
diff --git a/test/pleroma/password/pbkdf2_test.exs b/test/pleroma/password/pbkdf2_test.exs
new file mode 100644
index 000000000..e55348f9a
--- /dev/null
+++ b/test/pleroma/password/pbkdf2_test.exs
@@ -0,0 +1,35 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Password.Pbkdf2Test do
+ use Pleroma.DataCase, async: true
+
+ alias Pleroma.Password.Pbkdf2, as: Password
+
+ test "it generates the same hash as pbkd2_elixir" do
+ # hash = Pbkdf2.hash_pwd_salt("password")
+ hash =
+ "$pbkdf2-sha512$1$QJpEYw8iBKcnY.4Rm0eCVw$UBPeWQ91RxSv3snxsb/ZzMeG/2aa03c541bbo8vQudREGNta5t8jBQrd00fyJp8RjaqfvgdZxy2rhSwljyu21g"
+
+ # Use the same randomly generated salt
+ salt = Password.decode64("QJpEYw8iBKcnY.4Rm0eCVw")
+
+ assert hash == Password.hash_pwd_salt("password", salt: salt)
+ end
+
+ @tag skip: "Works when Pbkd2 is present. Source: trust me bro"
+ test "Pbkdf2 can verify passwords generated with it" do
+ # Commented to prevent warnings.
+ # hash = Password.hash_pwd_salt("password")
+ # assert Pbkdf2.verify_pass("password", hash)
+ end
+
+ test "it verifies pbkdf2_elixir hashes" do
+ # hash = Pbkdf2.hash_pwd_salt("password")
+ hash =
+ "$pbkdf2-sha512$1$QJpEYw8iBKcnY.4Rm0eCVw$UBPeWQ91RxSv3snxsb/ZzMeG/2aa03c541bbo8vQudREGNta5t8jBQrd00fyJp8RjaqfvgdZxy2rhSwljyu21g"
+
+ assert Password.verify_pass("password", hash)
+ end
+end
diff --git a/test/pleroma/web/auth/basic_auth_test.exs b/test/pleroma/web/auth/basic_auth_test.exs
index f732c7e27..2816aae4c 100644
--- a/test/pleroma/web/auth/basic_auth_test.exs
+++ b/test/pleroma/web/auth/basic_auth_test.exs
@@ -11,7 +11,7 @@ defmodule Pleroma.Web.Auth.BasicAuthTest do
conn: conn
} do
user = insert(:user)
- assert Pbkdf2.verify_pass("test", user.password_hash)
+ assert Pleroma.Password.Pbkdf2.verify_pass("test", user.password_hash)
basic_auth_contents =
(URI.encode_www_form(user.nickname) <> ":" <> URI.encode_www_form("test"))
diff --git a/test/pleroma/web/auth/pleroma_authenticator_test.exs b/test/pleroma/web/auth/pleroma_authenticator_test.exs
index 477cf26ed..b1397c523 100644
--- a/test/pleroma/web/auth/pleroma_authenticator_test.exs
+++ b/test/pleroma/web/auth/pleroma_authenticator_test.exs
@@ -11,7 +11,13 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticatorTest do
setup do
password = "testpassword"
name = "AgentSmith"
- user = insert(:user, nickname: name, password_hash: Pbkdf2.hash_pwd_salt(password))
+
+ user =
+ insert(:user,
+ nickname: name,
+ password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password)
+ )
+
{:ok, [user: user, name: name, password: password]}
end
diff --git a/test/pleroma/web/auth/totp_authenticator_test.exs b/test/pleroma/web/auth/totp_authenticator_test.exs
index 583612454..ac4209f2d 100644
--- a/test/pleroma/web/auth/totp_authenticator_test.exs
+++ b/test/pleroma/web/auth/totp_authenticator_test.exs
@@ -34,7 +34,7 @@ defmodule Pleroma.Web.Auth.TOTPAuthenticatorTest do
hashed_codes =
backup_codes
- |> Enum.map(&Pbkdf2.hash_pwd_salt(&1))
+ |> Enum.map(&Pleroma.Password.Pbkdf2.hash_pwd_salt(&1))
user =
insert(:user,
diff --git a/test/pleroma/web/mongoose_im_controller_test.exs b/test/pleroma/web/mongoose_im_controller_test.exs
index 031db53c8..a7225d45c 100644
--- a/test/pleroma/web/mongoose_im_controller_test.exs
+++ b/test/pleroma/web/mongoose_im_controller_test.exs
@@ -41,13 +41,13 @@ defmodule Pleroma.Web.MongooseIMControllerTest do
end
test "/check_password", %{conn: conn} do
- user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt("cool"))
+ user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("cool"))
_deactivated_user =
insert(:user,
nickname: "konata",
deactivated: true,
- password_hash: Pbkdf2.hash_pwd_salt("cool")
+ password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("cool")
)
res =
diff --git a/test/pleroma/web/o_auth/ldap_authorization_test.exs b/test/pleroma/web/o_auth/ldap_authorization_test.exs
index 4a2e940fd..61b9ce6b7 100644
--- a/test/pleroma/web/o_auth/ldap_authorization_test.exs
+++ b/test/pleroma/web/o_auth/ldap_authorization_test.exs
@@ -18,7 +18,7 @@ defmodule Pleroma.Web.OAuth.LDAPAuthorizationTest do
@tag @skip
test "authorizes the existing user using LDAP credentials" do
password = "testpassword"
- user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
+ user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
app = insert(:oauth_app, scopes: ["read", "write"])
host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
@@ -101,7 +101,7 @@ defmodule Pleroma.Web.OAuth.LDAPAuthorizationTest do
@tag @skip
test "disallow authorization for wrong LDAP credentials" do
password = "testpassword"
- user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
+ user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
app = insert(:oauth_app, scopes: ["read", "write"])
host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
diff --git a/test/pleroma/web/o_auth/mfa_controller_test.exs b/test/pleroma/web/o_auth/mfa_controller_test.exs
index 9fc1e0ec2..17bbde85b 100644
--- a/test/pleroma/web/o_auth/mfa_controller_test.exs
+++ b/test/pleroma/web/o_auth/mfa_controller_test.exs
@@ -20,7 +20,7 @@ defmodule Pleroma.Web.OAuth.MFAControllerTest do
insert(:user,
multi_factor_authentication_settings: %MFA.Settings{
enabled: true,
- backup_codes: [Pbkdf2.hash_pwd_salt("test-code")],
+ backup_codes: [Pleroma.Password.Pbkdf2.hash_pwd_salt("test-code")],
totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
}
)
@@ -246,7 +246,7 @@ defmodule Pleroma.Web.OAuth.MFAControllerTest do
hashed_codes =
backup_codes
- |> Enum.map(&Pbkdf2.hash_pwd_salt(&1))
+ |> Enum.map(&Pleroma.Password.Pbkdf2.hash_pwd_salt(&1))
user =
insert(:user,
diff --git a/test/pleroma/web/o_auth/o_auth_controller_test.exs b/test/pleroma/web/o_auth/o_auth_controller_test.exs
index f01fdf660..bf47afed8 100644
--- a/test/pleroma/web/o_auth/o_auth_controller_test.exs
+++ b/test/pleroma/web/o_auth/o_auth_controller_test.exs
@@ -316,7 +316,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
app: app,
conn: conn
} do
- user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt("testpassword"))
+ user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("testpassword"))
registration = insert(:registration, user: nil)
redirect_uri = OAuthController.default_redirect_uri(app)
@@ -347,7 +347,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
app: app,
conn: conn
} do
- user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt("testpassword"))
+ user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("testpassword"))
registration = insert(:registration, user: nil)
unlisted_redirect_uri = "http://cross-site-request.com"
@@ -790,7 +790,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
password = "testpassword"
- user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
+ user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
app = insert(:oauth_app, scopes: ["read", "write"])
@@ -818,7 +818,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
user =
insert(:user,
- password_hash: Pbkdf2.hash_pwd_salt(password),
+ password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
multi_factor_authentication_settings: %MFA.Settings{
enabled: true,
totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
@@ -927,7 +927,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
password = "testpassword"
{:ok, user} =
- insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
+ insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
|> User.confirmation_changeset(need_confirmation: true)
|> User.update_and_set_cache()
@@ -955,7 +955,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
user =
insert(:user,
- password_hash: Pbkdf2.hash_pwd_salt(password),
+ password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
deactivated: true
)
@@ -983,7 +983,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
user =
insert(:user,
- password_hash: Pbkdf2.hash_pwd_salt(password),
+ password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
password_reset_pending: true
)
@@ -1012,7 +1012,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
user =
insert(:user,
- password_hash: Pbkdf2.hash_pwd_salt(password),
+ password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
confirmation_pending: true
)
@@ -1038,7 +1038,11 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
test "rejects token exchange for valid credentials belonging to an unapproved user" do
password = "testpassword"
- user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password), approval_pending: true)
+ user =
+ insert(:user,
+ password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+ approval_pending: true
+ )
refute Pleroma.User.account_status(user) == :active
diff --git a/test/pleroma/web/plugs/authentication_plug_test.exs b/test/pleroma/web/plugs/authentication_plug_test.exs
index 9d66681ce..118ab302a 100644
--- a/test/pleroma/web/plugs/authentication_plug_test.exs
+++ b/test/pleroma/web/plugs/authentication_plug_test.exs
@@ -17,7 +17,7 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
user = %User{
id: 1,
name: "dude",
- password_hash: Pbkdf2.hash_pwd_salt("guy")
+ password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("guy")
}
conn =
diff --git a/test/pleroma/web/twitter_api/password_controller_test.exs b/test/pleroma/web/twitter_api/password_controller_test.exs
index a552af4c3..cf99e2434 100644
--- a/test/pleroma/web/twitter_api/password_controller_test.exs
+++ b/test/pleroma/web/twitter_api/password_controller_test.exs
@@ -92,7 +92,7 @@ defmodule Pleroma.Web.TwitterAPI.PasswordControllerTest do
assert response =~ "<h2>Password changed!</h2>"
user = refresh_record(user)
- assert Pbkdf2.verify_pass("test", user.password_hash)
+ assert Pleroma.Password.Pbkdf2.verify_pass("test", user.password_hash)
assert Enum.empty?(Token.get_user_tokens(user))
end
diff --git a/test/pleroma/web/twitter_api/util_controller_test.exs b/test/pleroma/web/twitter_api/util_controller_test.exs
index 882122848..6d007ab66 100644
--- a/test/pleroma/web/twitter_api/util_controller_test.exs
+++ b/test/pleroma/web/twitter_api/util_controller_test.exs
@@ -397,7 +397,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
assert json_response(conn, 200) == %{"status" => "success"}
fetched_user = User.get_cached_by_id(user.id)
- assert Pbkdf2.verify_pass("newpass", fetched_user.password_hash) == true
+ assert Pleroma.Password.Pbkdf2.verify_pass("newpass", fetched_user.password_hash) == true
end
end
diff --git a/test/support/builders/user_builder.ex b/test/support/builders/user_builder.ex
index 0c687c029..6bccbb35a 100644
--- a/test/support/builders/user_builder.ex
+++ b/test/support/builders/user_builder.ex
@@ -7,7 +7,7 @@ defmodule Pleroma.Builders.UserBuilder do
email: "test@example.org",
name: "Test Name",
nickname: "testname",
- password_hash: Pbkdf2.hash_pwd_salt("test"),
+ password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("test"),
bio: "A tester.",
ap_id: "some id",
last_digest_emailed_at: NaiveDateTime.truncate(NaiveDateTime.utc_now(), :second),
diff --git a/test/support/factory.ex b/test/support/factory.ex
index bf7121901..bf9592064 100644
--- a/test/support/factory.ex
+++ b/test/support/factory.ex
@@ -29,7 +29,7 @@ defmodule Pleroma.Factory do
name: sequence(:name, &"Test テスト User #{&1}"),
email: sequence(:email, &"user#{&1}@example.com"),
nickname: sequence(:nickname, &"nick#{&1}"),
- password_hash: Pbkdf2.hash_pwd_salt("test"),
+ password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("test"),
bio: sequence(:bio, &"Tester Number #{&1}"),
is_discoverable: true,
last_digest_emailed_at: NaiveDateTime.utc_now(),