Only store a sha1 hash of REST API passwords in the config files and hash the...

Only store a sha1 hash of REST API passwords in the config files and hash the password provided upon request

Only store a sha1 hash of REST API passwords in the config files and hash the...
Only store a sha1 hash of REST API passwords in the config files and hash the password provided upon request
e4383ac8 · Michael Ott · 5720b46a · e4383ac8 · e4383ac8 · e4383ac8
Commit e4383ac8 authored May 04, 2020 by Michael Ott
--- a/collectagent/config/collectagent.conf
+++ b/collectagent/config/collectagent.conf
@@ -19,13 +19,13 @@ restAPI {
    dhFile      /Users/di34bap/Projects/dcdb-devel/deps/openssl-1.1.1c/crypto/dh/dh2048.pem

    user admin {
-        password  admin
+        password  d033e22ae348aeb5660fc214aec3585c4da997
        PUT
        GET
    }

    user asdf {
-        password qwertz
+        password 8c829ee6a1ac6ffdbcf8bc0ad72b73795fff34e8
        GET
    }
 }

--- a/common/src/RESTHttpsServer.cpp
+++ b/common/src/RESTHttpsServer.cpp
@@ -32,6 +32,7 @@
 #include <boost/archive/iterators/binary_from_base64.hpp>
 #include <boost/archive/iterators/remove_whitespace.hpp>
 #include <boost/archive/iterators/transform_width.hpp>
+#include <boost/uuid/detail/sha1.hpp>

 // This is the C++11 equivalent of a generic lambda.
 // The function object is used to send an HTTP message.
@@ -284,8 +285,18 @@ bool RESTHttpsServer::validateUser(const http::request<Body>& req, Send&& send)
        return false;
    }

-    if (pwd != userData.first) {
-        ServerLOG(warning) << "Invalid password provided: " << usr << ":" << pwd;
+	boost::uuids::detail::sha1 sha1;
+	sha1.process_bytes(pwd.data(), pwd.size());
+	unsigned hash[5] = {0};
+	sha1.get_digest(hash);
+	std::stringstream ss;
+	ss << std::hex << std::setw(8) << std::setfill(' ');
+	for (int i = 0; i < 5; i++)	{
+		ss << hash[i];
+	}
+	
+    if (ss.str() != userData.first) {
+        ServerLOG(warning) << "Invalid password provided for user " << usr;
        send(std::move(res));
        return false;
    }

--- a/common/src/globalconfiguration.cpp
+++ b/common/src/globalconfiguration.cpp
@@ -178,7 +178,9 @@ bool GlobalConfiguration::readRestAPIUsers(RESTHttpsServer* server) {
 #endif
                }
            }
-            if (server->addUser(username, attributes)) {
+	    if (attributes.first.size() != 38) {
+		LOG(warning) << "User " << username << "'s password does not appear to be a sha1 hash!";
+	    } else if (server->addUser(username, attributes)) {
                LOG(warning) << "User " << username << " already existed and was overwritten!";
            }
        } else {

--- a/dcdbpusher/config/dcdbpusher.conf
+++ b/dcdbpusher/config/dcdbpusher.conf
@@ -17,13 +17,13 @@ restAPI {
    dhFile      ../../deps/openssl-1.1.1c/crypto/dh/dh2048.pem

    user admin {
-        password  admin
+        password  d033e22ae348aeb5660fc214aec3585c4da997
        PUT
        GET
    }

    user asdf {
-        password qwertz
+        password 8c829ee6a1ac6ffdbcf8bc0ad72b73795fff34e8
        GET
    }
 }

--- a/grafana/config/grafana.conf
+++ b/grafana/config/grafana.conf
@@ -21,19 +21,19 @@ restAPI {


    user user1 {
-        password pass1
+        password f0578f1e7174b1a41c4ea8c6e17f7a8a3b88c92a
        POST
        GET
        PUT
    }

    user user2 {
-        password pass2
+        password 8be52126a6fde450a7162a3651d589bb51e9579d
        POST
    }

    user user3 {
-        password pass3
+        password de2a4d5751ab06dc4f987142db57c26d50925c8a
    }

 }