From 75f6484032e2afeef1985b7ca0c3cea488a3066b Mon Sep 17 00:00:00 2001
From: JianBo He
Date: Mon, 18 Apr 2022 20:40:28 +0800
Subject: [PATCH] feat(authn): support disable salt
---
apps/emqx/src/emqx_passwd.erl | 4 +++-
apps/emqx/test/emqx_passwd_SUITE.erl | 16 ++++++++++++++
.../src/emqx_authn_password_hashing.erl | 10 ++++++---
.../emqx_authn_password_hashing_SUITE.erl | 4 ++--
.../test/emqx_authn_redis_SUITE.erl | 21 +++++++++++++++++++
5 files changed, 49 insertions(+), 6 deletions(-)
diff --git a/apps/emqx/src/emqx_passwd.erl b/apps/emqx/src/emqx_passwd.erl
index c737e949e..756bcc7b8 100644
--- a/apps/emqx/src/emqx_passwd.erl
+++ b/apps/emqx/src/emqx_passwd.erl
@@ -39,7 +39,7 @@
-type hash_type_simple() :: plain | md5 | sha | sha256 | sha512.
-type hash_type() :: hash_type_simple() | bcrypt | pbkdf2.
--type salt_position() :: prefix | suffix.
+-type salt_position() :: disable | prefix | suffix.
-type salt() :: binary().
-type pbkdf2_mac_fun() :: md4 | md5 | ripemd160 | sha | sha224 | sha256 | sha384 | sha512.
@@ -91,6 +91,8 @@ hash({bcrypt, Salt}, Password) ->
{error, Reason} ->
error(Reason)
end;
+hash({SimpleHash, _Salt, disable}, Password) when is_binary(Password) ->
+ hash_data(SimpleHash, Password);
hash({SimpleHash, Salt, prefix}, Password) when is_binary(Password), is_binary(Salt) ->
hash_data(SimpleHash, <>);
hash({SimpleHash, Salt, suffix}, Password) when is_binary(Password), is_binary(Salt) ->
diff --git a/apps/emqx/test/emqx_passwd_SUITE.erl b/apps/emqx/test/emqx_passwd_SUITE.erl
index a647fad26..7558e2b8f 100644
--- a/apps/emqx/test/emqx_passwd_SUITE.erl
+++ b/apps/emqx/test/emqx_passwd_SUITE.erl
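Review bot: The new `disable` clause in `hash/2` digests the bare password, so MD5/SHA* values produced with it are unsalted and equal passwords map to equal digests, yet the hunk carries no comment explaining why such a mode exists or when it is acceptable. I would put the intent above the clause, e.g. `%% 'disable' skips salting entirely (presumably for stores that already hold plain digests); prefer prefix/suffix for newly created credentials.` The clause also binds `_Salt` without the `is_binary(Salt)` guard its two sibling clauses use, which is harmless because the value is ignored, but worth saying in that comment so the asymmetry is not read as an oversight. The same widening of `salt_position()` appears in the preceding hunk of this file and again in `emqx_authn_password_hashing.erl`.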
@@ -65,16 +65,28 @@ t_hash(_) ->
Md5 = emqx_passwd:hash({md5, Salt, prefix}, Password),
true = emqx_passwd:check_pass({md5, Salt, prefix}, Md5, Password),
false = emqx_passwd:check_pass({md5, Salt, prefix}, Md5, WrongPassword),
+ ?assertEqual(
+ emqx_passwd:hash_data(md5, Password),
+ emqx_passwd:hash({md5, Salt, disable}, Password)
+ ),
Sha = <<"59b3e8d637cf97edbe2384cf59cb7453dfe30789">>,
Sha = emqx_passwd:hash({sha, Salt, prefix}, Password),
true = emqx_passwd:check_pass({sha, Salt, prefix}, Sha, Password),
false = emqx_passwd:check_pass({sha, Salt, prefix}, Sha, WrongPassword),
+ ?assertEqual(
+ emqx_passwd:hash_data(sha, Password),
+ emqx_passwd:hash({sha, Salt, disable}, Password)
+ ),
Sha256 = <<"7a37b85c8918eac19a9089c0fa5a2ab4dce3f90528dcdeec108b23ddf3607b99">>,
Sha256 = emqx_passwd:hash({sha256, Salt, suffix}, Password),
true = emqx_passwd:check_pass({sha256, Salt, suffix}, Sha256, Password),
false = emqx_passwd:check_pass({sha256, Salt, suffix}, Sha256, WrongPassword),
+ ?assertEqual(
+ emqx_passwd:hash_data(sha256, Password),
+ emqx_passwd:hash({sha256, Salt, disable}, Password)
+ ),
Sha512 = iolist_to_binary(
[
@@ -85,6 +97,10 @@ t_hash(_) ->
Sha512 = emqx_passwd:hash({sha512, Salt, suffix}, Password),
true = emqx_passwd:check_pass({sha512, Salt, suffix}, Sha512, Password),
false = emqx_passwd:check_pass({sha512, Salt, suffix}, Sha512, WrongPassword),
+ ?assertEqual(
+ emqx_passwd:hash_data(sha512, Password),
+ emqx_passwd:hash({sha512, Salt, disable}, Password)
+ ),
BcryptSalt = <<"$2b$12$wtY3h20mUjjmeaClpqZVve">>,
Bcrypt = <<"$2b$12$wtY3h20mUjjmeaClpqZVvehyw7F.V78F3rbK2xDkCzRTMi6pmfUB6">>,
diff --git a/apps/emqx_authn/src/emqx_authn_password_hashing.erl b/apps/emqx_authn/src/emqx_authn_password_hashing.erl
index 959d9030a..7867963cd 100644
--- a/apps/emqx_authn/src/emqx_authn_password_hashing.erl
+++ b/apps/emqx_authn/src/emqx_authn_password_hashing.erl
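Review bot: The four new `?assertEqual` blocks (three here and one in the `@@ -85` hunk) only restate the implementation — `hash/2` with `disable` delegating to `hash_data/2` — and never call `check_pass/3` with the new position, so a regression in verifying unsalted digests would pass this suite unnoticed. Every neighbouring case pins a literal digest and checks both the correct and the wrong password; I would do the same for `disable`, e.g. `true = emqx_passwd:check_pass({md5, Salt, disable}, emqx_passwd:hash_data(md5, Password), Password),` followed by `false = emqx_passwd:check_pass({md5, Salt, disable}, emqx_passwd:hash_data(md5, Password), WrongPassword),`, assuming `check_pass/3` routes through `hash/2` as the other positions suggest. `t_hash/1` starts before the first hunk and continues past the end of the second.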
@@ -19,7 +19,7 @@
-include_lib("typerefl/include/types.hrl").
-type simple_algorithm_name() :: plain | md5 | sha | sha256 | sha512.
--type salt_position() :: prefix | suffix.
+-type salt_position() :: disable | prefix | suffix.
-type simple_algorithm() :: #{
name := simple_algorithm_name(),
@@ -110,7 +110,7 @@ desc(other_algorithms) ->
desc(_) ->
undefined.
-salt_position(type) -> {enum, [prefix, suffix]};
+salt_position(type) -> {enum, [disable, prefix, suffix]};
salt_position(default) -> prefix;
salt_position(desc) -> "Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms.";
salt_position(_) -> undefined.
@@ -191,7 +191,11 @@ hash(
Hash = emqx_passwd:hash({pbkdf2, MacFun, Salt, Iterations, DKLength}, Password),
{Hash, Salt};
hash(#{name := Other, salt_position := SaltPosition} = Algorithm, Password) ->
- Salt = gen_salt(Algorithm),
+ Salt =
+ case SaltPosition of
+ disable -> <<>>;
+ _ -> gen_salt(Algorithm)
+ end,
Hash = emqx_passwd:hash({Other, Salt, SaltPosition}, Password),
{Hash, Salt}.
diff --git a/apps/emqx_authn/test/emqx_authn_password_hashing_SUITE.erl b/apps/emqx_authn/test/emqx_authn_password_hashing_SUITE.erl
index 0052fcfe1..57b99b508 100644
--- a/apps/emqx_authn/test/emqx_authn_password_hashing_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_password_hashing_SUITE.erl
@@ -109,12 +109,12 @@ hash_examples() ->
}
},
#{
- password_hash => <<"9b4d0c43d206d48279e69b9ad7132e22">>,
+ password_hash => <<"1bc29b36f623ba82aaf6724fd3b16718">>,
salt => <<"salt">>,
password => <<"md5">>,
password_hash_algorithm => #{
name => md5,
- salt_position => suffix
+ salt_position => disable
}
},
#{
diff --git a/apps/emqx_authn/test/emqx_authn_redis_SUITE.erl b/apps/emqx_authn/test/emqx_authn_redis_SUITE.erl
index ade356a3c..6d5b89f10 100644
--- a/apps/emqx_authn/test/emqx_authn_redis_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_redis_SUITE.erl
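Review bot: In the `@@ -110` hunk the enum gains `disable` but `salt_position(desc)` still reads "Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms.", so the generated configuration documentation tells an operator nothing about what the new value does or that it yields unsalted digests. I would extend the string on that line, e.g. `salt_position(desc) -> "Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms. 'disable' means no salt is used at all, which only makes sense for credential stores that already hold unsalted digests.";`. The default remaining `prefix` is right, so the safer behaviour stays opt-out.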
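Review bot: The added `case SaltPosition of disable -> <<>>; _ -> gen_salt(Algorithm) end` in the `@@ -191` hunk branches on a map field the clause head already matched; the idiomatic shape is to move that decision into clause heads, e.g. a first clause `gen_salt(#{salt_position := disable}) -> <<>>;` on `gen_salt/1` (defined outside this hunk, so whether it already dispatches on the map is an assumption), leaving the original `Salt = gen_salt(Algorithm),` untouched. Either way the empty salt is still returned as the second element of `{Hash, Salt}`, so whatever the caller persists will hold `<<>>` for these entries; a one-line comment such as `%% no salt is generated for 'disable'; an empty binary is returned so the {Hash, Salt} shape is unchanged` would make that deliberate.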
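Review bot: In the `@@ -109` hunk of `emqx_authn_password_hashing_SUITE.erl` the existing md5 + `suffix` example is converted to `disable` rather than a new example being added, so that combination loses its fixture here unless another entry in `hash_examples/0` (outside the hunk) still covers it. I would keep the original map with its `suffix` digest and append a second map carrying `salt_position => disable` and the new digest, so both positions stay pinned. The retained `salt => <<"salt">>` field in the converted example is actually a useful check that a stored salt is ignored under `disable`; a short comment on that line saying so would make the intent explicit rather than looking like a leftover.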
@@ -325,6 +325,27 @@ user_seeds() ->
result => {ok, #{is_superuser => true}}
},
+ #{
+ data => #{
+ password_hash =>
+ <<"a3c7f6b085c3e5897ffb9b86f18a9d905063f8550a74444b5892e193c1b50428">>,
+ is_superuser => <<"1">>
+ },
+ credentials => #{
+ clientid => <<"sha256_no_salt">>,
+ password => <<"sha256_no_salt">>
+ },
+ key => <<"mqtt_user:sha256_no_salt">>,
+ config_params => #{
+ cmd => <<"HMGET mqtt_user:${clientid} password_hash is_superuser">>,
+ password_hash_algorithm => #{
+ name => <<"sha256">>,
+ salt_position => <<"disable">>
+ }
+ },
+ result => {ok, #{is_superuser => true}}
+ },
+
#{
data => #{
password_hash =>