couchdb-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rnew...@apache.org
Subject [33/50] couchdb commit: updated refs/heads/master to 6526051
Date Thu, 10 Jul 2014 14:51:06 GMT
Upgrade password hashes on authentication

We now upgrade user docs to the new PBKDF2 password scheme on successful
authentication if the password hash is still from the old days where we
only used plain SHA-1 for hashing salted passwords.

Closes COUCHDB-1780.


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/5d194bc9
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/5d194bc9
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/5d194bc9

Branch: refs/heads/master
Commit: 5d194bc9bf18630ef5f0f104f4236f168ae1656c
Parents: 6662772
Author: Klaus Trainer <klaus_trainer@posteo.de>
Authored: Wed Feb 19 23:17:02 2014 +0100
Committer: Robert Newson <rnewson@apache.org>
Committed: Wed May 21 17:03:20 2014 +0100

----------------------------------------------------------------------
 share/www/script/test/users_db_security.js | 61 ++++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/5d194bc9/share/www/script/test/users_db_security.js
----------------------------------------------------------------------
diff --git a/share/www/script/test/users_db_security.js b/share/www/script/test/users_db_security.js
index 1569271..c468821 100644
--- a/share/www/script/test/users_db_security.js
+++ b/share/www/script/test/users_db_security.js
@@ -150,6 +150,63 @@ couchTests.users_db_security = function(debug) {
       TEquals(true, userDoc.derived_key != jchrisDoc.derived_key,
         "should have new derived_key");
 
+      // SHA-1 password hashes are upgraded to PBKDF2 on successful
+      // authentication
+      var rnewsonDoc = {
+        _id: "org.couchdb.user:rnewson",
+        type: "user",
+        name: "rnewson",
+        // password: "plaintext_password",
+        password_sha: "e29dc3aeed5abf43185c33e479f8998558c59474",
+        salt: "24f1e0a87c2e374212bda1073107e8ae",
+        roles: []
+      };
+
+      var password_sha = rnewsonDoc.password_sha,
+        salt = rnewsonDoc.salt,
+        derived_key,
+        iterations;
+
+      usersDb.save(rnewsonDoc);
+      rnewsonDoc = open_as(usersDb, rnewsonDoc._id, "jan");
+      T(!rnewsonDoc.password_scheme);
+      T(!rnewsonDoc.derived_key);
+      T(!rnewsonDoc.iterations);
+
+      // check that we don't upgrade when the password is wrong
+      TEquals("unauthorized", CouchDB.login("rnewson", "wrong_password").error);
+      rnewsonDoc = open_as(usersDb, rnewsonDoc._id, "jan");
+      TEquals(salt, rnewsonDoc.salt);
+      TEquals(password_sha, rnewsonDoc.password_sha);
+      T(!rnewsonDoc.password_scheme);
+      T(!rnewsonDoc.derived_key);
+      T(!rnewsonDoc.iterations);
+
+      TEquals(true, CouchDB.login("rnewson", "plaintext_password").ok);
+      rnewsonDoc = usersDb.open(rnewsonDoc._id);
+      TEquals("pbkdf2", rnewsonDoc.password_scheme);
+      T(rnewsonDoc.salt != salt);
+      T(!rnewsonDoc.password_sha);
+      T(rnewsonDoc.derived_key);
+      T(rnewsonDoc.iterations);
+
+      salt = rnewsonDoc.salt,
+      derived_key = rnewsonDoc.derived_key,
+      iterations = rnewsonDoc.iterations;
+
+      // check that authentication is still working
+      // and everything is staying the same now
+      CouchDB.logout();
+      TEquals(true, CouchDB.login("rnewson", "plaintext_password").ok);
+      rnewsonDoc = usersDb.open(rnewsonDoc._id);
+      TEquals("pbkdf2", rnewsonDoc.password_scheme);
+      TEquals(salt, rnewsonDoc.salt);
+      T(!rnewsonDoc.password_sha);
+      TEquals(derived_key, rnewsonDoc.derived_key);
+      TEquals(iterations, rnewsonDoc.iterations);
+
+      CouchDB.logout();
+
       // user should not be able to read another user's user document
       var fdmananaDoc = {
         _id: "org.couchdb.user:fdmanana",
@@ -208,11 +265,11 @@ couchTests.users_db_security = function(debug) {
 
       // admin should be able to read from any view
       var result = view_as(usersDb, "user_db_auth/test", "jan");
-      TEquals(3, result.total_rows, "should allow access and list two users to admin");
+      TEquals(4, result.total_rows, "should allow access and list four users to admin");
 
       // db admin should be able to read from any view
       var result = view_as(usersDb, "user_db_auth/test", "benoitc");
-      TEquals(3, result.total_rows, "should allow access and list two users to db admin");
+      TEquals(4, result.total_rows, "should allow access and list four users to db admin");
 
 
       // non-admins can't read design docs


Mime
View raw message