From fb035a5353499eaf9e1ebd7eda090fca212a970f Mon Sep 17 00:00:00 2001
From: Raiki
Date: Sat, 5 Jul 2025 18:41:37 +0800
Subject: [PATCH] feat: CredManager.GetHashedPassword() only contains one salt arg now (#3928)
---
 controllers/user.go | 2 +-
 cred/argon2id.go | 2 +-
 cred/bcrypt.go | 2 +-
 cred/manager.go | 2 +-
 cred/md5-user-salt.go | 13 ++++++-------
 cred/pbkdf2-salt.go | 9 ++++++---
 cred/pbkdf2_django.go | 6 +-----
 cred/plain.go | 2 +-
 cred/sha256-salt.go | 13 ++++++-------
 cred/sha256-salt_test.go | 4 ++--
 cred/sha512-salt.go | 13 ++++++-------
 object/organization.go | 2 +-
 object/user_cred.go | 3 ++-
 13 files changed, 35 insertions(+), 38 deletions(-)
diff --git a/controllers/user.go b/controllers/user.go
index 17581b88..70f57859 100644
--- a/controllers/user.go
+++ b/controllers/user.go
@@ -574,7 +574,7 @@ func (c *ApiController) SetPassword() {
 targetUser.LastChangePasswordTime = util.GetCurrentTime()
 if user.Ldap == "" {
- _, err = object.UpdateUser(userId, targetUser, []string{"password", "need_update_password", "password_type", "last_change_password_time"}, false)
+ _, err = object.UpdateUser(userId, targetUser, []string{"password", "password_salt", "need_update_password", "password_type", "last_change_password_time"}, false)
 } else {
 if isAdmin {
 err = object.ResetLdapPassword(targetUser, "", newPassword, c.GetAcceptLanguage())
diff --git a/cred/argon2id.go b/cred/argon2id.go
index 089153c1..ed0a9b29 100644
--- a/cred/argon2id.go
+++ b/cred/argon2id.go
@@ -23,7 +23,7 @@ func NewArgon2idCredManager() *Argon2idCredManager {
 return cm
 }
-func (cm *Argon2idCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (cm *Argon2idCredManager) GetHashedPassword(password string, salt string) string {
 hash, err := argon2id.CreateHash(password, argon2id.DefaultParams)
 if err != nil {
 return ""
diff --git a/cred/bcrypt.go b/cred/bcrypt.go
index 2c9eb77c..964d1a44 100644
--- a/cred/bcrypt.go
+++ b/cred/bcrypt.go
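Review bot: Adding `password_salt` to the column allow-list in the non-LDAP branch of `SetPassword` keeps the stored salt in step with the hash that `UpdateUserPassword` now produces, but only for this one call site; any other path that calls `UpdateUserPassword` and then persists through an explicit column list would need the same column, otherwise the stored hash and the stored salt disagree and verification depends on the fallback salt. That cannot be confirmed from this diff, so other `object.UpdateUser(` callers with column lists are worth a check. A comment on the new line would help the next maintainer, e.g. `// password_salt must be written together with password: UpdateUserPassword overwrites both`. SetPassword's body starts and ends outside the hunk.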
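Review bot: The new `salt` parameter is never read in this `GetHashedPassword` — the body only calls `argon2id.CreateHash(password, argon2id.DefaultParams)` — and the bcrypt and plain hunks that follow ignore it the same way, so a caller passing `organization.PasswordSalt` gets no salting effect from it for these password types. A one-line doc comment makes that explicit: `// GetHashedPassword ignores salt: argon2id generates and embeds its own random salt in the returned hash.` (and for bcrypt, `// salt is ignored: bcrypt embeds its own salt in the returned hash`). Naming the parameter `_` would let the compiler state the same thing.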
@@ -9,7 +9,7 @@ func NewBcryptCredManager() *BcryptCredManager {
 return cm
 }
-func (cm *BcryptCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (cm *BcryptCredManager) GetHashedPassword(password string, salt string) string {
 bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
 if err != nil {
 return ""
diff --git a/cred/manager.go b/cred/manager.go
index 780def13..ecc3df00 100644
--- a/cred/manager.go
+++ b/cred/manager.go
@@ -15,7 +15,7 @@ package cred
 type CredManager interface {
- GetHashedPassword(password string, userSalt string, organizationSalt string) string
+ GetHashedPassword(password string, salt string) string
 IsPasswordCorrect(password string, passwordHash string, userSalt string, organizationSalt string) bool
 }
diff --git a/cred/md5-user-salt.go b/cred/md5-user-salt.go
index b26fb145..830bc0e0 100644
--- a/cred/md5-user-salt.go
+++ b/cred/md5-user-salt.go
@@ -37,14 +37,13 @@ func NewMd5UserSaltCredManager() *Md5UserSaltCredManager {
 return cm
 }
-func (cm *Md5UserSaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
- res := getMd5HexDigest(password)
- if userSalt != "" {
- res = getMd5HexDigest(res + userSalt)
- }
- return res
+func (cm *Md5UserSaltCredManager) GetHashedPassword(password string, salt string) string {
+ return getMd5HexDigest(getMd5HexDigest(password) + salt)
 }
 func (cm *Md5UserSaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
- return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt)
+ if hashedPwd == cm.GetHashedPassword(plainPwd, organizationSalt) {
+ return true
+ }
+ return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt)
 }
diff --git a/cred/pbkdf2-salt.go b/cred/pbkdf2-salt.go
index 3b8df52d..7de0fd89 100644
--- a/cred/pbkdf2-salt.go
+++ b/cred/pbkdf2-salt.go
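Review bot: The interface now has an asymmetric contract — `GetHashedPassword` takes one `salt` while `IsPasswordCorrect` still takes both `userSalt` and `organizationSalt` — and nothing says which salt callers must pass to the former, which matters because a hash produced with one salt only verifies if `IsPasswordCorrect` tries that salt. Doc comments on both methods would pin it down, e.g. `// GetHashedPassword derives the stored form of password from password and salt; callers in this patch pass the organization salt (see object.UpdateUserPassword).` and `// IsPasswordCorrect reports whether passwordHash matches password; the md5, sha256, sha512 and pbkdf2-salt managers accept a hash made with either organizationSalt or userSalt.` The interface body is fully within the hunk.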
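Review bot: The rewritten `GetHashedPassword` double-hashes unconditionally, so with an empty salt it now returns `md5(md5(password))` where the old code returned `md5(password)`; any existing user record hashed with an empty salt stops verifying, because both candidates `IsPasswordCorrect` now tries (organizationSalt, then userSalt) go through the same new function. The sha256 and sha512 hunks make the identical change (the `if organizationSalt != ""` guard is dropped) and break the same way. Restoring the guard keeps old hashes valid: `if salt == "" { return getMd5HexDigest(password) }` ahead of the return, and the corresponding line in the sha256 and sha512 managers. Only `salt == ""` needs the guard, since a non-empty salt produced the double hash before as well.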
@@ -28,13 +28,16 @@ func NewPbkdf2SaltCredManager() *Pbkdf2SaltCredManager {
 return cm
 }
-func (cm *Pbkdf2SaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (cm *Pbkdf2SaltCredManager) GetHashedPassword(password string, salt string) string {
 // https://www.keycloak.org/docs/latest/server_admin/index.html#password-database-compromised
- decodedSalt, _ := base64.StdEncoding.DecodeString(userSalt)
+ decodedSalt, _ := base64.StdEncoding.DecodeString(salt)
 res := pbkdf2.Key([]byte(password), decodedSalt, 27500, 64, sha256.New)
 return base64.StdEncoding.EncodeToString(res)
 }
 func (cm *Pbkdf2SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
- return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt)
+ if hashedPwd == cm.GetHashedPassword(plainPwd, organizationSalt) {
+ return true
+ }
+ return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt)
 }
diff --git a/cred/pbkdf2_django.go b/cred/pbkdf2_django.go
index 54e1769a..c5bd45aa 100644
--- a/cred/pbkdf2_django.go
+++ b/cred/pbkdf2_django.go
@@ -32,12 +32,8 @@ func NewPbkdf2DjangoCredManager() *Pbkdf2DjangoCredManager {
 return cm
 }
-func (m *Pbkdf2DjangoCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (m *Pbkdf2DjangoCredManager) GetHashedPassword(password string, salt string) string {
 iterations := 260000
- salt := userSalt
- if salt == "" {
- salt = organizationSalt
- }
 saltBytes := []byte(salt)
 passwordBytes := []byte(password)
diff --git a/cred/plain.go b/cred/plain.go
index ebd47488..76e59e4b 100644
--- a/cred/plain.go
+++ b/cred/plain.go
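Review bot: `decodedSalt, _ := base64.StdEncoding.DecodeString(salt)` still discards the decode error, and the value fed in has changed: callers in this patch pass `organization.PasswordSalt` instead of the per-user, base64-encoded Keycloak salt the comment above refers to, so an organization salt that is not valid base64 silently becomes a truncated or empty salt and the password is stored with weaker salting than intended. Surfacing the error the way the argon2id and bcrypt managers do is a two-line change: `decodedSalt, err := base64.StdEncoding.DecodeString(salt)` followed by `if err != nil { return "" }`. The fallback in `IsPasswordCorrect` still tries `userSalt`, so previously imported Keycloak hashes keep verifying.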
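Review bot: With the `userSalt`-then-`organizationSalt` fallback removed, an empty `salt` now reaches `saltBytes := []byte(salt)` unchanged, and the rest of the function (outside the hunk) presumably derives and encodes the key with that empty salt, so an organization with no `PasswordSalt` would store unsalted PBKDF2 for every user where the user salt used to cover that case. Either validate that the organization salt is non-empty where the organization is saved, or document on the method that `organization.PasswordSalt` must be set for this password type, e.g. `// GetHashedPassword requires a non-empty salt; an empty salt yields an unsalted derivation.` GetHashedPassword's body continues past the hunk.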
@@ -21,7 +21,7 @@ func NewPlainCredManager() *PlainCredManager {
 return cm
 }
-func (cm *PlainCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+func (cm *PlainCredManager) GetHashedPassword(password string, salt string) string {
 return password
 }
diff --git a/cred/sha256-salt.go b/cred/sha256-salt.go
index 006e35b7..5253b61d 100644
--- a/cred/sha256-salt.go
+++ b/cred/sha256-salt.go
@@ -37,14 +37,13 @@ func NewSha256SaltCredManager() *Sha256SaltCredManager {
 return cm
 }
-func (cm *Sha256SaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
- res := getSha256HexDigest(password)
- if organizationSalt != "" {
- res = getSha256HexDigest(res + organizationSalt)
- }
- return res
+func (cm *Sha256SaltCredManager) GetHashedPassword(password string, salt string) string {
+ return getSha256HexDigest(getSha256HexDigest(password) + salt)
 }
 func (cm *Sha256SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
- return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt)
+ if hashedPwd == cm.GetHashedPassword(plainPwd, organizationSalt) {
+ return true
+ }
+ return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt)
 }
diff --git a/cred/sha256-salt_test.go b/cred/sha256-salt_test.go
index 87901e6b..aa3eda97 100644
--- a/cred/sha256-salt_test.go
+++ b/cred/sha256-salt_test.go
@@ -23,12 +23,12 @@ func TestGetSaltedPassword(t *testing.T) {
 password := "123456"
 salt := "123"
 cm := NewSha256SaltCredManager()
- fmt.Printf("%s -> %s\n", password, cm.GetHashedPassword(password, "", salt))
+ fmt.Printf("%s -> %s\n", password, cm.GetHashedPassword(password, salt))
 }
 func TestGetPassword(t *testing.T) {
 password := "123456"
 cm := NewSha256SaltCredManager()
 // https://passwordsgenerator.net/sha256-hash-generator/
- fmt.Printf("%s -> %s\n", "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92", cm.GetHashedPassword(password, "", ""))
+ fmt.Printf("%s -> %s\n", "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92", cm.GetHashedPassword(password, ""))
 }
diff --git a/cred/sha512-salt.go b/cred/sha512-salt.go
index ed8043b8..3689203f 100644
--- a/cred/sha512-salt.go
+++ b/cred/sha512-salt.go
@@ -37,14 +37,13 @@ func NewSha512SaltCredManager() *Sha512SaltCredManager {
 return cm
 }
-func (cm *Sha512SaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
- res := getSha512HexDigest(password)
- if organizationSalt != "" {
- res = getSha512HexDigest(res + organizationSalt)
- }
- return res
+func (cm *Sha512SaltCredManager) GetHashedPassword(password string, salt string) string {
+ return getSha512HexDigest(getSha512HexDigest(password) + salt)
 }
 func (cm *Sha512SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
- return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt)
+ if hashedPwd == cm.GetHashedPassword(plainPwd, organizationSalt) {
+ return true
+ }
+ return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt)
 }
diff --git a/object/organization.go b/object/organization.go
index eff0c89f..81c768f7 100644
--- a/object/organization.go
+++ b/object/organization.go
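Review bot: Both tests only `fmt.Printf` and assert nothing, so the change this patch makes in `sha256-salt.go` goes unnoticed: `TestGetPassword` prints the single-digest value `8d969eef…` next to `cm.GetHashedPassword(password, "")`, which now returns `sha256(sha256("123456") + "")` instead, and the test still passes. Turning the print into a check makes the test do its job: `if got := cm.GetHashedPassword(password, ""); got != "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92" { t.Fatalf("got %s", got) }`. `TestGetSaltedPassword` would similarly benefit from a pinned expected value for salt `"123"`.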
@@ -222,7 +222,7 @@ func UpdateOrganization(id string, organization *Organization, isGlobalAdmin boo
 if organization.MasterPassword != "" && organization.MasterPassword != "***" {
 credManager := cred.GetCredManager(organization.PasswordType)
 if credManager != nil {
- hashedPassword := credManager.GetHashedPassword(organization.MasterPassword, "", organization.PasswordSalt)
+ hashedPassword := credManager.GetHashedPassword(organization.MasterPassword, organization.PasswordSalt)
 organization.MasterPassword = hashedPassword
 }
 }
diff --git a/object/user_cred.go b/object/user_cred.go
index 240c4144..0172a428 100644
--- a/object/user_cred.go
+++ b/object/user_cred.go
@@ -42,8 +42,9 @@ func (user *User) UpdateUserHash() error {
 func (user *User) UpdateUserPassword(organization *Organization) {
 credManager := cred.GetCredManager(organization.PasswordType)
 if credManager != nil {
- hashedPassword := credManager.GetHashedPassword(user.Password, user.PasswordSalt, organization.PasswordSalt)
+ hashedPassword := credManager.GetHashedPassword(user.Password, organization.PasswordSalt)
 user.Password = hashedPassword
 user.PasswordType = organization.PasswordType
+ user.PasswordSalt = organization.PasswordSalt
 }
 }
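Review bot: `user.PasswordSalt = organization.PasswordSalt` overwrites whatever per-user salt the record had, and the hash on the line above is now computed from the organization salt rather than `user.PasswordSalt`, so every user in an organization ends up sharing one salt: identical passwords produce identical stored hashes, and a single precomputed table covers the whole organization, which is exactly what a per-user salt prevents. Per-user salts that were imported (the md5-user-salt and Keycloak pbkdf2 cases) are also discarded on the first password change. Keeping an existing user salt and using the organization salt only as the default preserves the stronger property: `if user.PasswordSalt == "" { user.PasswordSalt = organization.PasswordSalt }` before the call, then `hashedPassword := credManager.GetHashedPassword(user.Password, user.PasswordSalt)`. `IsPasswordCorrect` already tries both salts, so verification is unaffected.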