Skip to content

Commit

Permalink
Noobaa Account: Replace bcrypt password hashing by argon2
Browse files Browse the repository at this point in the history
As bcrypt is not under active maintenance, we need to
replace it with argon2 hashing module.

Signed-off-by: Ashish Pandey <[email protected]>
  • Loading branch information
aspandey committed Jul 30, 2024
1 parent 147bc7e commit 5a86b22
Show file tree
Hide file tree
Showing 5 changed files with 37 additions and 23 deletions.
1 change: 1 addition & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@
"ajv": "8.17.1",
"aws-sdk": "2.1659.0",
"bcrypt": "5.1.1",
"argon2": "0.40.3",
"big-integer": "1.6.52",
"bindings": "1.5.0",
"bufferutil": "4.0.8",
Expand Down
20 changes: 19 additions & 1 deletion src/server/common_services/auth_server.js
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@

const _ = require('lodash');
const bcrypt = require('bcrypt');
const argon2 = require('argon2');
const ip_module = require('ip');

const P = require('../../util/promise');
Expand Down Expand Up @@ -66,7 +67,7 @@ function create_auth(req) {
if (!password) return;

return P.resolve()
.then(() => bcrypt.compare(password.unwrap(), target_account.password.unwrap()))
.then(() => compare_password_hash(password, target_account))
.then(match => {
if (!match) {
dbg.log0('password mismatch', email, system_name);
Expand Down Expand Up @@ -157,6 +158,23 @@ function create_auth(req) {
});
}

/**
* This function is verifying the password given by user
* with saved hash, either bcrypt or argon2
*/
async function compare_password_hash(password, target_account) {
const isBcrypt = await bcrypt.compare(password.unwrap(), target_account.password.unwrap());
if (isBcrypt) {
return true;
}

const isArgon = await argon2.verify(target_account.password.unwrap(), password.unwrap());
if (isArgon) {
return true;
}
return false;
}

/**
*
* CREATE_K8S_AUTH
Expand Down
22 changes: 16 additions & 6 deletions src/server/system_services/account_server.js
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ const net = require('net');
const chance = require('chance')();
const GoogleStorage = require('../../util/google_storage_wrap');
const bcrypt = require('bcrypt');
const argon2 = require('argon2');
const server_rpc = require('../server_rpc');

const config = require('../../../config');
Expand Down Expand Up @@ -79,7 +80,7 @@ async function create_account(req) {

if (req.rpc_params.has_login) {
account.password = req.rpc_params.password;
const password_hash = await bcrypt_password(account.password.unwrap());
const password_hash = await argon2_password(account.password.unwrap());
account.password = password_hash;
}

Expand Down Expand Up @@ -574,7 +575,7 @@ async function reset_password(req) {

const params = req.rpc_params;

const password = await bcrypt_password(params.password.unwrap());
const password = await argon2_password(params.password.unwrap());

const changes = {
password: new SensitiveString(password),
Expand Down Expand Up @@ -1334,7 +1335,7 @@ function ensure_support_account() {
}

console.log('CREATING SUPPORT ACCOUNT...');
return bcrypt_password(system_store.get_server_secret())
return argon2_password(system_store.get_server_secret())
.then(password => {
const support_account = {
_id: system_store.new_system_store_id(),
Expand All @@ -1358,9 +1359,9 @@ function ensure_support_account() {
});
}

function bcrypt_password(password) {
function argon2_password(password) {
return P.resolve()
.then(() => password && bcrypt.hash(password, 10));
.then(() => password && argon2.hash(password));
}

function is_support_or_admin_or_me(system, account, target_account) {
Expand Down Expand Up @@ -1454,7 +1455,16 @@ async function verify_authorized_account(req) {
if (req.role === 'operator') {
return true;
}
return bcrypt.compare(req.rpc_params.verification_password.unwrap(), req.account.password.unwrap());
// We are moving to argon2. However, if some users still have password in bcrypt hash they should be
// verified.
if (bcrypt.compare(req.rpc_params.verification_password.unwrap(), req.account.password.unwrap())) {
return true;
}
if (argon2.verify(req.account.password.unwrap(), req.rpc_params.verification_password.unwrap())) {
return true;
}

return false;
}

function _list_connection_usage(account, credentials) {
Expand Down
2 changes: 1 addition & 1 deletion src/server/system_services/schemas/account_schema.js
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ module.exports = {

// password login
has_login: { type: 'boolean' },
password: { wrapper: SensitiveString }, // bcrypted password
password: { wrapper: SensitiveString }, // bcrypted or argon2 password
next_password_change: { date: true },

// default policy for new buckets
Expand Down
15 changes: 0 additions & 15 deletions src/tools/bcrypt_cli.js

This file was deleted.

0 comments on commit 5a86b22

Please sign in to comment.