Remove LdapShaPasswordEncoder from core

Issue: gh-4674

ldap/src/integration-test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorTests.java

@@ -19,11 +19,12 @@ package org.springframework.security.ldap.authentication;
 import org.junit.*;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
-import org.springframework.security.authentication.encoding.PasswordEncoder;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.crypto.keygen.KeyGenerators;
+import org.springframework.security.crypto.password.LdapShaPasswordEncoder;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.ldap.AbstractLdapIntegrationTests;
 
 import org.springframework.ldap.core.DirContextAdapter;
@@ -114,7 +115,8 @@ public class PasswordComparisonAuthenticatorTests extends AbstractLdapIntegratio
 	public void testLdapCompareSucceedsWithShaEncodedPassword() {
 		// Don't retrieve the password
 		authenticator.setUserAttributes(new String[] { "uid" });
-		authenticator.setPasswordEncoder(new LdapShaPasswordEncoder());
+		authenticator.setPasswordEncoder(new LdapShaPasswordEncoder(KeyGenerators.shared(0)));
+		authenticator.setUsePasswordAttrCompare(false);
 		authenticator.authenticate(ben);
 	}
 

ldap/src/main/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticator.java

@@ -23,11 +23,12 @@ import org.springframework.ldap.core.DirContextOperations;
 import org.springframework.ldap.core.support.BaseLdapPathContextSource;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
-import org.springframework.security.authentication.encoding.PasswordEncoder;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.crypto.codec.Utf8;
+import org.springframework.security.crypto.keygen.KeyGenerators;
+import org.springframework.security.crypto.password.LdapShaPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.ldap.SpringSecurityLdapTemplate;
 import org.springframework.util.Assert;
 
@@ -55,7 +56,7 @@ public final class PasswordComparisonAuthenticator extends AbstractLdapAuthentic
 	// ~ Instance fields
 	// ================================================================================================
 
-	private PasswordEncoder passwordEncoder = new LdapShaPasswordEncoder();
+	private PasswordEncoder passwordEncoder = new LdapShaPasswordEncoder(KeyGenerators.shared(0));
 	private String passwordAttributeName = "userPassword";
 	private boolean usePasswordAttrCompare = false;
 
@@ -116,14 +117,24 @@ public final class PasswordComparisonAuthenticator extends AbstractLdapAuthentic
 	}
 
 	private boolean isPasswordAttrCompare(DirContextOperations user, String password) {
-		Object passwordAttrValue = user.getObjectAttribute(passwordAttributeName);
-		return passwordEncoder.isPasswordValid(new String((byte[]) passwordAttrValue),
-				password, null);
+		String passwordAttrValue = getPassword(user);
+		return passwordEncoder.matches(password, passwordAttrValue);
+	}
+
+	private String getPassword(DirContextOperations user) {
+		Object passwordAttrValue = user.getObjectAttribute(this.passwordAttributeName);
+		if(passwordAttrValue == null) {
+			return null;
+		}
+		if(passwordAttrValue instanceof byte[]) {
+			return new String((byte[])passwordAttrValue);
+		}
+		return String.valueOf(passwordAttrValue);
 	}
 
 	private boolean isLdapPasswordCompare(DirContextOperations user,
 			SpringSecurityLdapTemplate ldapTemplate, String password) {
-		String encodedPassword = passwordEncoder.encodePassword(password, null);
+		String encodedPassword = passwordEncoder.encode(password);
 		byte[] passwordBytes = Utf8.encode(encodedPassword);
 		return ldapTemplate.compare(user.getDn().toString(), passwordAttributeName,
 				passwordBytes);
@@ -135,41 +146,13 @@ public final class PasswordComparisonAuthenticator extends AbstractLdapAuthentic
 		this.passwordAttributeName = passwordAttribute;
 	}
 
-	private void setPasswordEncoder(PasswordEncoder passwordEncoder) {
+	public void setUsePasswordAttrCompare(boolean usePasswordAttrCompare) {
+		this.usePasswordAttrCompare = usePasswordAttrCompare;
+	}
+
+	public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
 		Assert.notNull(passwordEncoder, "passwordEncoder must not be null.");
 		this.passwordEncoder = passwordEncoder;
-	}
-
-	public void setPasswordEncoder(Object passwordEncoder) {
-		if (passwordEncoder instanceof PasswordEncoder) {
-			this.usePasswordAttrCompare = false;
-			setPasswordEncoder((PasswordEncoder) passwordEncoder);
-			return;
-		}
-
-		if (passwordEncoder instanceof org.springframework.security.crypto.password.PasswordEncoder) {
-			final org.springframework.security.crypto.password.PasswordEncoder delegate = (org.springframework.security.crypto.password.PasswordEncoder) passwordEncoder;
-			setPasswordEncoder(new PasswordEncoder() {
-				public String encodePassword(String rawPass, Object salt) {
-					checkSalt(salt);
-					return delegate.encode(rawPass);
-				}
-
-				public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
-					checkSalt(salt);
-					return delegate.matches(rawPass, encPass);
-				}
-
-				private void checkSalt(Object salt) {
-					Assert.isNull(salt,
-							"Salt value must be null when used with crypto module PasswordEncoder");
-				}
-			});
-			this.usePasswordAttrCompare = true;
-			return;
-		}
-
-		throw new IllegalArgumentException(
-				"passwordEncoder must be a PasswordEncoder instance");
+		setUsePasswordAttrCompare(true);
 	}
 }

ldap/src/test/java/org/springframework/security/ldap/authentication/LdapShaPasswordEncoderTests.java

@@ -1,134 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.ldap.authentication;
-
-import static org.assertj.core.api.Assertions.*;
-
-import org.junit.Before;
-import org.junit.Test;
-import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
-
-/**
- * Tests {@link LdapShaPasswordEncoder}.
- *
- * @author Luke Taylor
- */
-public class LdapShaPasswordEncoderTests {
-	// ~ Instance fields
-	// ================================================================================================
-
-	LdapShaPasswordEncoder sha;
-
-	// ~ Methods
-	// ========================================================================================================
-
-	@Before
-	public void setUp() throws Exception {
-		sha = new LdapShaPasswordEncoder();
-	}
-
-	@Test
-	public void invalidPasswordFails() {
-		assertThat(sha.isPasswordValid("{SHA}ddSFGmjXYPbZC+NXR2kCzBRjqiE=",
-				"wrongpassword", null)).isFalse();
-	}
-
-	@Test
-	public void invalidSaltedPasswordFails() {
-		assertThat(sha.isPasswordValid("{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgX",
-				"wrongpassword", null)).isFalse();
-		assertThat(sha.isPasswordValid("{SSHA}PQy2j+6n5ytA+YlAKkM8Fh4p6u2JxfVd",
-				"wrongpassword", null)).isFalse();
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void nonByteArraySaltThrowsException() {
-		sha.encodePassword("password", "AStringNotAByteArray");
-	}
-
-	/**
-	 * Test values generated by 'slappasswd -h {SHA} -s boabspasswurd'
-	 */
-	@Test
-	public void validPasswordSucceeds() {
-		sha.setForceLowerCasePrefix(false);
-		assertThat(sha.isPasswordValid("{SHA}ddSFGmjXYPbZC+NXR2kCzBRjqiE=",
-				"boabspasswurd", null)).isTrue();
-		assertThat(sha.isPasswordValid("{sha}ddSFGmjXYPbZC+NXR2kCzBRjqiE=",
-				"boabspasswurd", null)).isTrue();
-		sha.setForceLowerCasePrefix(true);
-		assertThat(sha.isPasswordValid("{SHA}ddSFGmjXYPbZC+NXR2kCzBRjqiE=",
-				"boabspasswurd", null)).isTrue();
-		assertThat(sha.isPasswordValid("{sha}ddSFGmjXYPbZC+NXR2kCzBRjqiE=",
-				"boabspasswurd", null)).isTrue();
-	}
-
-	/**
-	 * Test values generated by 'slappasswd -s boabspasswurd'
-	 */
-	@Test
-	public void validSaltedPasswordSucceeds() {
-		sha.setForceLowerCasePrefix(false);
-		assertThat(sha.isPasswordValid("{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgX",
-				"boabspasswurd", null)).isTrue();
-		assertThat(sha.isPasswordValid("{ssha}PQy2j+6n5ytA+YlAKkM8Fh4p6u2JxfVd",
-				"boabspasswurd", null)).isTrue();
-		sha.setForceLowerCasePrefix(true);
-		assertThat(sha.isPasswordValid("{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgX",
-				"boabspasswurd", null)).isTrue();
-		assertThat(sha.isPasswordValid("{ssha}PQy2j+6n5ytA+YlAKkM8Fh4p6u2JxfVd",
-				"boabspasswurd", null)).isTrue();
-	}
-
-	@Test
-	// SEC-1031
-	public void fullLengthOfHashIsUsedInComparison() throws Exception {
-		// Change the first hash character from '2' to '3'
-		assertThat(sha.isPasswordValid("{SSHA}35ro4PKC8jhQZ26jVsozhX/xaP0suHgX",
-				"boabspasswurd", null)).isFalse();
-		// Change the last hash character from 'X' to 'Y'
-		assertThat(sha.isPasswordValid("{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgY",
-				"boabspasswurd", null)).isFalse();
-	}
-
-	@Test
-	public void correctPrefixCaseIsUsed() {
-		sha.setForceLowerCasePrefix(false);
-		assertThat("{SHA}ddSFGmjXYPbZC+NXR2kCzBRjqiE=").isEqualTo(
-				sha.encodePassword("boabspasswurd", null));
-		assertThat(sha.encodePassword("somepassword", "salt".getBytes()).startsWith(
-				"{SSHA}"));
-
-		sha.setForceLowerCasePrefix(true);
-		assertThat("{sha}ddSFGmjXYPbZC+NXR2kCzBRjqiE=").isEqualTo(
-				sha.encodePassword("boabspasswurd", null));
-		assertThat(sha.encodePassword("somepassword", "salt".getBytes()).startsWith(
-				"{ssha}"));
-
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void invalidPrefixIsRejected() {
-		sha.isPasswordValid("{MD9}xxxxxxxxxx", "somepassword", null);
-	}
-
-	@Test(expected = IllegalArgumentException.class)
-	public void malformedPrefixIsRejected() {
-		// No right brace
-		sha.isPasswordValid("{SSHA25ro4PKC8jhQZ26jVsozhX/xaP0suHgX", "somepassword", null);
-	}
-}