-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Implement an upgrade plugin to update passwords hashing algorithm - EXO-65151 - Meeds-io/MIPs#69 #161
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
139 changes: 139 additions & 0 deletions
139
data-upgrade-users/src/main/java/org/exoplatform/migration/UserPasswordHashMigration.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,139 @@ | ||
/* | ||
* This file is part of the Meeds project (https://meeds.io/). | ||
* Copyright (C) 2023 Meeds Association | ||
* [email protected] | ||
* This program is free software; you can redistribute it and/or | ||
* modify it under the terms of the GNU Lesser General Public | ||
* License as published by the Free Software Foundation; either | ||
* version 3 of the License, or (at your option) any later version. | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
* Lesser General Public License for more details. | ||
* You should have received a copy of the GNU Lesser General Public License | ||
* along with this program; if not, write to the Free Software Foundation, | ||
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | ||
*/ | ||
package org.exoplatform.migration; | ||
|
||
import org.apache.commons.codec.binary.Hex; | ||
import org.exoplatform.commons.persistence.impl.EntityManagerService; | ||
import org.exoplatform.commons.upgrade.UpgradePluginExecutionContext; | ||
import org.exoplatform.commons.upgrade.UpgradeProductPlugin; | ||
import org.exoplatform.container.PortalContainer; | ||
import org.exoplatform.container.component.RequestLifeCycle; | ||
import org.exoplatform.container.xml.InitParams; | ||
import org.exoplatform.services.log.ExoLogger; | ||
import org.exoplatform.services.log.Log; | ||
import org.exoplatform.services.organization.idm.PicketLinkIDMService; | ||
import org.exoplatform.web.security.security.SecureRandomService; | ||
import org.picketlink.idm.api.User; | ||
|
||
import javax.persistence.EntityManager; | ||
import javax.persistence.Query; | ||
import java.security.SecureRandom; | ||
import java.util.HashMap; | ||
import java.util.List; | ||
import java.util.Map; | ||
import java.util.concurrent.atomic.AtomicInteger; | ||
|
||
public class UserPasswordHashMigration extends UpgradeProductPlugin { | ||
|
||
private static final Log LOG = ExoLogger.getExoLogger(UserPasswordHashMigration.class); | ||
|
||
private final EntityManagerService entityManagerService; | ||
|
||
private final PicketLinkIDMService picketLinkIDMService; | ||
|
||
private final SecureRandomService secureRandomService; | ||
|
||
private static final String PASSWORD_SALT_USER_ATTRIBUTE = "passwordSalt128"; | ||
|
||
private static final String DEFAULT_ENCODER = "org.exoplatform.web.security.hash.Argon2IdPasswordEncoder"; | ||
|
||
private boolean hasErrors = false; | ||
|
||
public UserPasswordHashMigration(EntityManagerService entityManagerService, | ||
PicketLinkIDMService picketLinkIDMService, | ||
SecureRandomService secureRandomService, | ||
InitParams initParams) { | ||
super(initParams); | ||
this.entityManagerService = entityManagerService; | ||
this.picketLinkIDMService = picketLinkIDMService; | ||
this.secureRandomService = secureRandomService; | ||
} | ||
|
||
@Override | ||
public void processUpgrade(String s, String s1) { | ||
LOG.info("Start upgrade of users passwords hashing algorithm"); | ||
long startupTime = System.currentTimeMillis(); | ||
|
||
PortalContainer container = PortalContainer.getInstance(); | ||
RequestLifeCycle.begin(container); | ||
AtomicInteger updatedPasswords = new AtomicInteger(); | ||
EntityManager entityManager = this.entityManagerService.getEntityManager(); | ||
try { | ||
String sqlString = "SELECT jbid_io.NAME, jbid_io_creden.TEXT FROM" + | ||
" (jbid_io_creden INNER JOIN jbid_io ON jbid_io_creden.IDENTITY_OBJECT_ID = jbid_io.ID)" + | ||
" INNER JOIN( SELECT jbid_io_attr.IDENTITY_OBJECT_ID," + | ||
" min(CASE WHEN jbid_io_attr.NAME = 'passwordSalt128' THEN jbid_io_attr.NAME ELSE NULL END) AS salt128" + | ||
" FROM jbid_io_attr GROUP BY jbid_io_attr.IDENTITY_OBJECT_ID" + | ||
" HAVING salt128 IS NOT NULL) jia ON jbid_io_creden.IDENTITY_OBJECT_ID = jia.IDENTITY_OBJECT_ID;"; | ||
|
||
Query nativeQuery = entityManager.createNativeQuery(sqlString); | ||
List<Object[]> result = nativeQuery.getResultList(); | ||
result.forEach(item -> { | ||
String userName = (String) item[0]; | ||
String passwordHash = (String) item[1]; | ||
try { | ||
String saltString = Hex.encodeHexString(generateRandomSalt()); | ||
User user = picketLinkIDMService.getIdentitySession().getPersistenceManager().findUser(userName); | ||
picketLinkIDMService.getExtendedAttributeManager().addAttribute(userName, PASSWORD_SALT_USER_ATTRIBUTE, saltString); | ||
picketLinkIDMService.getExtendedAttributeManager().updatePassword(user, passwordHash); | ||
int count = updatedPasswords.getAndIncrement(); | ||
if (count % 50 == 0 || count == result.size()) { | ||
LOG.info("{}/{} passwords have been updated", count, result.size()); | ||
} | ||
} catch (Exception e) { | ||
hasErrors = true; | ||
LOG.error("Error while creating attribute salt and updating password hash for user : {}", userName, e); | ||
} | ||
}); | ||
if (hasErrors) { | ||
throw new IllegalStateException("UserPasswordHashMigration upgrade failed due to previous errors"); | ||
} | ||
} catch (Exception e) { | ||
LOG.error("Error while getting old users passwords hash", e); | ||
throw new IllegalStateException("UserPasswordHashMigration upgrade failed due to previous errors"); | ||
} finally { | ||
RequestLifeCycle.end(); | ||
} | ||
LOG.info("End upgrade of users passwords hashing algorithm. {} passwords has been updated. It took {} ms", | ||
updatedPasswords.get(), | ||
(System.currentTimeMillis() - startupTime)); | ||
} | ||
|
||
@Override | ||
public boolean shouldProceedToUpgrade(String newVersion, | ||
String previousGroupVersion, | ||
UpgradePluginExecutionContext previousUpgradePluginExecution) { | ||
try { | ||
return picketLinkIDMService.getExtendedAttributeManager() | ||
.getDefaultCredentialEncoder() | ||
.getClass() | ||
.getName() | ||
.equals(DEFAULT_ENCODER) | ||
&& super.shouldProceedToUpgrade(newVersion, previousGroupVersion, previousUpgradePluginExecution); | ||
} catch (Exception e) { | ||
LOG.error("Error while checking current default credential encoder", e); | ||
return false; | ||
} | ||
} | ||
|
||
private byte[] generateRandomSalt() { | ||
SecureRandom secureRandom = secureRandomService.getSecureRandom(); | ||
byte[] salt = new byte[16]; | ||
secureRandom.nextBytes(salt); | ||
return salt; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
130 changes: 130 additions & 0 deletions
130
...-upgrade-users/src/test/java/org/exoplatform/migration/UserPasswordHashMigrationTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,130 @@ | ||
/* | ||
* This file is part of the Meeds project (https://meeds.io/). | ||
* Copyright (C) 2023 Meeds Association | ||
* [email protected] | ||
* This program is free software; you can redistribute it and/or | ||
* modify it under the terms of the GNU Lesser General Public | ||
* License as published by the Free Software Foundation; either | ||
* version 3 of the License, or (at your option) any later version. | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
* Lesser General Public License for more details. | ||
* You should have received a copy of the GNU Lesser General Public License | ||
* along with this program; if not, write to the Free Software Foundation, | ||
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | ||
*/ | ||
package org.exoplatform.migration; | ||
|
||
import org.exoplatform.commons.persistence.impl.EntityManagerService; | ||
import org.exoplatform.commons.upgrade.UpgradePluginExecutionContext; | ||
import org.exoplatform.container.PortalContainer; | ||
import org.exoplatform.container.xml.InitParams; | ||
import org.exoplatform.container.xml.ValueParam; | ||
import org.exoplatform.services.organization.idm.PicketLinkIDMService; | ||
import org.exoplatform.web.security.hash.Argon2IdPasswordEncoder; | ||
import org.exoplatform.web.security.security.SecureRandomService; | ||
import org.gatein.portal.idm.impl.store.attribute.ExtendedAttributeManager; | ||
import org.junit.Before; | ||
import org.junit.Test; | ||
import org.junit.runner.RunWith; | ||
import org.mockito.Mock; | ||
import org.mockito.junit.MockitoJUnitRunner; | ||
import org.picketlink.idm.api.IdentitySession; | ||
import org.picketlink.idm.api.PersistenceManager; | ||
import org.picketlink.idm.spi.configuration.metadata.IdentityConfigurationMetaData; | ||
import org.picketlink.idm.spi.configuration.metadata.RealmConfigurationMetaData; | ||
|
||
import javax.persistence.EntityManager; | ||
import javax.persistence.Query; | ||
|
||
import java.util.ArrayList; | ||
import java.util.HashMap; | ||
import java.util.List; | ||
import java.util.Map; | ||
|
||
import static org.junit.Assert.*; | ||
import static org.mockito.ArgumentMatchers.anyString; | ||
import static org.mockito.Mockito.*; | ||
|
||
@RunWith(MockitoJUnitRunner.class) | ||
public class UserPasswordHashMigrationTest { | ||
|
||
@Mock | ||
private EntityManagerService entityManagerService; | ||
|
||
@Mock | ||
private PicketLinkIDMService picketLinkIDMService; | ||
|
||
private SecureRandomService secureRandomService; | ||
|
||
private PortalContainer container; | ||
|
||
private UserPasswordHashMigration userPasswordHashMigration; | ||
|
||
private static final String DEFAULT_ENCODER = "org.exoplatform.web.security.hash.Argon2IdPasswordEncoder"; | ||
|
||
@Before | ||
public void setUp() { | ||
container = PortalContainer.getInstance(); | ||
secureRandomService = container.getComponentInstanceOfType(SecureRandomService.class); | ||
InitParams initParams = new InitParams(); | ||
ValueParam valueParam = new ValueParam(); | ||
valueParam.setName("product.group.id"); | ||
valueParam.setValue("org.exoplatform.platform"); | ||
ValueParam valueParamVersion = new ValueParam(); | ||
valueParamVersion.setName("plugin.upgrade.target.version"); | ||
valueParamVersion.setValue("6.5.0"); | ||
ValueParam oldAppNamevalueParam = new ValueParam(); | ||
oldAppNamevalueParam.setName("plugin.execution.order"); | ||
oldAppNamevalueParam.setValue("100"); | ||
ValueParam oldAppIdvalueParam = new ValueParam(); | ||
oldAppIdvalueParam.setName("plugin.upgrade.execute.once"); | ||
oldAppIdvalueParam.setValue("true"); | ||
ValueParam newAppIdvalueParam = new ValueParam(); | ||
newAppIdvalueParam.setName("plugin.upgrade.async.execution"); | ||
newAppIdvalueParam.setValue("true"); | ||
initParams.addParameter(valueParam); | ||
initParams.addParameter(valueParamVersion); | ||
initParams.addParameter(oldAppNamevalueParam); | ||
initParams.addParameter(oldAppIdvalueParam); | ||
initParams.addParameter(newAppIdvalueParam); | ||
userPasswordHashMigration = new UserPasswordHashMigration(entityManagerService, | ||
picketLinkIDMService, | ||
secureRandomService, | ||
initParams); | ||
} | ||
|
||
@Test | ||
public void tesProcessUpgrade() throws Exception { | ||
List<Object[]> result = new ArrayList<>(); | ||
result.add(new String[] { "user", "passwordHash" }); | ||
EntityManager entityManager = mock(EntityManager.class); | ||
Query query = mock(Query.class); | ||
when(entityManager.createNativeQuery(anyString())).thenReturn(query); | ||
when(query.getResultList()).thenReturn(result); | ||
when(entityManagerService.getEntityManager()).thenReturn(entityManager); | ||
|
||
IdentitySession identitySession = mock(IdentitySession.class); | ||
PersistenceManager persistenceManager = mock(PersistenceManager.class); | ||
ExtendedAttributeManager extendedAttributeManager = mock(ExtendedAttributeManager.class); | ||
when(identitySession.getPersistenceManager()).thenReturn(persistenceManager); | ||
when(picketLinkIDMService.getIdentitySession()).thenReturn(identitySession); | ||
when(picketLinkIDMService.getExtendedAttributeManager()).thenReturn(extendedAttributeManager); | ||
userPasswordHashMigration.processUpgrade(null, null); | ||
verify(extendedAttributeManager, times(1)).updatePassword(any(), anyString()); | ||
verify(extendedAttributeManager, times(1)).addAttribute(anyString(), anyString(), anyString()); | ||
|
||
when(extendedAttributeManager.getDefaultCredentialEncoder()).thenReturn(new Argon2IdPasswordEncoder()); | ||
boolean proceedToUpgrade = userPasswordHashMigration.shouldProceedToUpgrade(null, null, null); | ||
assertFalse(proceedToUpgrade); | ||
|
||
UpgradePluginExecutionContext upgradePluginExecutionContext = new UpgradePluginExecutionContext("6.4.0", 0); | ||
proceedToUpgrade = userPasswordHashMigration.shouldProceedToUpgrade("6.5.0", "6.4.0", upgradePluginExecutionContext); | ||
assertTrue(proceedToUpgrade); | ||
// Case of exceptions existing during upgrade | ||
doThrow(new RuntimeException()).when(picketLinkIDMService).getIdentitySession(); | ||
Throwable exception = assertThrows(IllegalStateException.class, () -> userPasswordHashMigration.processUpgrade(null, null)); | ||
assertEquals("UserPasswordHashMigration upgrade failed due to previous errors", exception.getMessage()); | ||
} | ||
} | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you add a test with an error during process upgrade, to check that the upgrade correctly restart ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
already exists by not calling the afterUpgrade, the shouldProceedToUpgrade is true, so when inttrepring server start or stop the server during the UP execution , the afterUpgrade will not be called, so the next restart the UP will be launched again .
https://github.com/exoplatform/data-upgrade/pull/161/files#diff-1a9349cb98114358fe6ed02277b76ad326d706337cec3efe4e732b4f6ed39b41R100
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In fact, my test would be
boolean upgrade = processUpgrade
//with mock find a way to fail it
assertFalse(upgrade)
//restart processUpgrade
assert(process upgrade correctly restart and finish)