forgejo/modules/auth/password/hash/setting.go

77 lines
2.7 KiB
Go
Raw Normal View History

// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package hash
// DefaultHashAlgorithmName represents the default value of PASSWORD_HASH_ALGO
// configured in app.ini.
//
// It is NOT the same and does NOT map to the defaultEmptyHashAlgorithmSpecification.
//
// It will be dealiased as per aliasAlgorithmNames whereas
// defaultEmptyHashAlgorithmSpecification does not undergo dealiasing.
[SECURITY] default to pbkdf2 with 320,000 iterations (cherry picked from commit 3ea0b287d74b8fc0dad08b2a539105e1aa1c1e67) (cherry picked from commit db8392a8ac093d4d3760e8bb40c56d8e194d44fb) (cherry picked from commit bd2a5fa2923c320e01faeaa1fdc1ad823c337027) (cherry picked from commit 2436acb3d986bad08aa134e450420fc4a08f5d62) (cherry picked from commit 62f50e1c521c30729781e5cd58882e743bb8b851) (cherry picked from commit dba18925217254d22f76306c0fe1c046c419268e) (cherry picked from commit 4b58e3b6d41f9e42fd34469184a3c7d4c5205c86) (cherry picked from commit 12470568569fec0644319d3d263a82bc7acdc0c3) (cherry picked from commit afbaea700972ddd4cb788d0b6d5e78de5558756a) (cherry picked from commit dcd4813d96f8d4e429914f4c8f951bd25b23afca) (cherry picked from commit b51dc963d1625bd7b9869302ec1ae70bbafb4442) (cherry picked from commit 611e895efd28026fdc4661893172356e76f6c3d0) (cherry picked from commit fd492a03f5335c138e143e784657f7012484bd8c) (cherry picked from commit 2c99991f44a15466339bb82b29d455c66795721b) (cherry picked from commit 7426c1edb4b904424cded473c94c9739fde83ed0) (cherry picked from commit 373244f8b2d449e8811e488e3a3732ba9bc79eaa) (cherry picked from commit 4f6efecdb9d932459dd9f4d7ee393a121a7bbb96) (cherry picked from commit 61d500808e443ce770b06fa1b87728a7785bd387) (cherry picked from commit 65f8384b6361c39d48df95227b047a20977482be) (cherry picked from commit 12ed28e734f79203ad6bf94774008715da6efd21) (cherry picked from commit ec6cdc9e1a9544f4f2b0ad7256ed2a8b15cf5335) (cherry picked from commit 08653ba05119906e066455a3e3913e66c179dbf3) (cherry picked from commit d5847c87cbcf0fd15953fb7aeadd1cece989b6c9) (cherry picked from commit 640a96e19be0c7faedf5aedfd90c15df8dc8f376) (cherry picked from commit 46177814a9ee8596b58055b57bea5441a893de7f) (cherry picked from commit b0098f5a80356757107cc4dd58bf24e2acba6b26) (cherry picked from commit ce5ddeeca9fa39180a2f9630c82007f8e9410867) (cherry picked from commit 5736fa1025681244b8eefef9a14b0715fa37d9a1) (cherry picked from commit c43ca210fcbc2589158df8c2c3036dedb00eaa52) (cherry picked from commit 7f92906bf3c72649dd2668263761ded71cf5ee91) (cherry picked from commit f726525d2dba5e481f758624e62eeaa3d38be564) (cherry picked from commit db86c93b0b7d2c1a7c17fcb6047b3d75873f9bbe) (cherry picked from commit 6751bd93c3faf4be0f29b52b4c41626a244a2a54) (cherry picked from commit 74bb523ac96062f93f20c174dcc9b1dc7ad94b13) (cherry picked from commit 94f9045a81ef58ecb6671d1e8f2ad31a7758ea9a) (cherry picked from commit 5297eac42d905d10060de688963f111cbefe49d4) (cherry picked from commit 57e3c57c519f41a595845be3f2505610ae8ad690) (cherry picked from commit c5cacfee51e2e7846234c9dd9c053b6cdfaf3947) (cherry picked from commit dfa31ee0048dcf5c3b8d6fec6184f665a019f014) (cherry picked from commit d7d10a76b41079cab423f00a96426a8de19fb876) (cherry picked from commit 62bd4edd4622ea778d8994d05c535de677819544) (cherry picked from commit 798c211f86f4ce713ab3fc18411fd72a57a219ef) (cherry picked from commit 1f645aeceafdf6f4f74864b14d939c4bcdf096be) (cherry picked from commit 8a8b62e10e9678fe33e32fa75f4b8c78e6aef68f) (cherry picked from commit d3ff4e1fdfdaa272941d86735c91107f03280294) (cherry picked from commit 81412571f8daeb4797556ba846ef7d7280844ef2) (cherry picked from commit e9faa1f4e02c567721d2c28426580a839b96de5e) (cherry picked from commit bce1ab85f7cef1696a4560f079bc346e813814b2)
2023-02-20 22:25:12 +00:00
const DefaultHashAlgorithmName = "pbkdf2_hi"
var DefaultHashAlgorithm *PasswordHashAlgorithm
// aliasAlgorithNames provides a mapping between the value of PASSWORD_HASH_ALGO
// configured in the app.ini and the parameters used within the hashers internally.
//
// If it is necessary to change the default parameters for any hasher in future you
// should change these values and not those in argon2.go etc.
var aliasAlgorithmNames = map[string]string{
"argon2": "argon2$2$65536$8$50",
"bcrypt": "bcrypt$10",
"scrypt": "scrypt$65536$16$2$50",
"pbkdf2": "pbkdf2_v2", // pbkdf2 should default to pbkdf2_v2
"pbkdf2_v1": "pbkdf2$10000$50",
// The latest PBKDF2 password algorithm is used as the default since it doesn't
// use a lot of memory and is safer to use on less powerful devices.
"pbkdf2_v2": "pbkdf2$50000$50",
// The pbkdf2_hi password algorithm is offered as a stronger alternative to the
// slightly improved pbkdf2_v2 algorithm
"pbkdf2_hi": "pbkdf2$320000$50",
}
var RecommendedHashAlgorithms = []string{
"pbkdf2",
"argon2",
"bcrypt",
"scrypt",
"pbkdf2_hi",
}
Fix various bugs for "install" page (#23194) ## TLDR * Fix the broken page / broken image problem when click "Install" * Close #20089 * Fix the Password Hash Algorithm display problem for #22942 * Close #23183 * Close #23184 ## Details ### The broken page / broken image problem when click "Install" (Redirect failed after install gitea #23184) Before: when click "install", all new requests will fail, because the server has been restarted. Users just see a broken page with broken images, sometimes the server is not ready but the user would have been redirect to "/user/login" page, then the users see a new broken page (connection refused or something wrong ...) After: only check InstallLock=true for necessary handlers, and sleep for a while before restarting the server, then the browser has enough time to load the "post-install" page. And there is a script to check whether "/user/login" is ready, the user will only be redirected to the login page when the server is ready. ### During new instance setup make 'Gitea Base URL' filled from window.location.origin #20089 If the "app_url" input contains `localhost` (the default value from config), use current window's location href as the `app_url` (aka ROOT_URL) ### Fix the Password Hash Algorithm display problem for "Provide the ability to set password hash algorithm parameters #22942" Before: the UI shows `pbkdf2$50000$50` <details> ![image](https://user-images.githubusercontent.com/2114189/221917143-e1e54798-1698-4fee-a18d-00c48081fc39.png) </details> After: the UI shows `pbkdf2` <details> ![image](https://user-images.githubusercontent.com/2114189/221916999-97a15be8-2ebb-4a01-bf93-dac18e354fcc.png) </details> ### GET data: net::ERR_INVALID_URL #23183 Cause by empty `data:` in `<link rel="manifest" href="data:{{.ManifestData}}">` --------- Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2023-03-04 02:12:02 +00:00
// hashAlgorithmToSpec converts an algorithm name or a specification to a full algorithm specification
func hashAlgorithmToSpec(algorithmName string) string {
if algorithmName == "" {
algorithmName = DefaultHashAlgorithmName
}
alias, has := aliasAlgorithmNames[algorithmName]
for has {
algorithmName = alias
alias, has = aliasAlgorithmNames[algorithmName]
}
Fix various bugs for "install" page (#23194) ## TLDR * Fix the broken page / broken image problem when click "Install" * Close #20089 * Fix the Password Hash Algorithm display problem for #22942 * Close #23183 * Close #23184 ## Details ### The broken page / broken image problem when click "Install" (Redirect failed after install gitea #23184) Before: when click "install", all new requests will fail, because the server has been restarted. Users just see a broken page with broken images, sometimes the server is not ready but the user would have been redirect to "/user/login" page, then the users see a new broken page (connection refused or something wrong ...) After: only check InstallLock=true for necessary handlers, and sleep for a while before restarting the server, then the browser has enough time to load the "post-install" page. And there is a script to check whether "/user/login" is ready, the user will only be redirected to the login page when the server is ready. ### During new instance setup make 'Gitea Base URL' filled from window.location.origin #20089 If the "app_url" input contains `localhost` (the default value from config), use current window's location href as the `app_url` (aka ROOT_URL) ### Fix the Password Hash Algorithm display problem for "Provide the ability to set password hash algorithm parameters #22942" Before: the UI shows `pbkdf2$50000$50` <details> ![image](https://user-images.githubusercontent.com/2114189/221917143-e1e54798-1698-4fee-a18d-00c48081fc39.png) </details> After: the UI shows `pbkdf2` <details> ![image](https://user-images.githubusercontent.com/2114189/221916999-97a15be8-2ebb-4a01-bf93-dac18e354fcc.png) </details> ### GET data: net::ERR_INVALID_URL #23183 Cause by empty `data:` in `<link rel="manifest" href="data:{{.ManifestData}}">` --------- Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2023-03-04 02:12:02 +00:00
return algorithmName
}
Fix various bugs for "install" page (#23194) ## TLDR * Fix the broken page / broken image problem when click "Install" * Close #20089 * Fix the Password Hash Algorithm display problem for #22942 * Close #23183 * Close #23184 ## Details ### The broken page / broken image problem when click "Install" (Redirect failed after install gitea #23184) Before: when click "install", all new requests will fail, because the server has been restarted. Users just see a broken page with broken images, sometimes the server is not ready but the user would have been redirect to "/user/login" page, then the users see a new broken page (connection refused or something wrong ...) After: only check InstallLock=true for necessary handlers, and sleep for a while before restarting the server, then the browser has enough time to load the "post-install" page. And there is a script to check whether "/user/login" is ready, the user will only be redirected to the login page when the server is ready. ### During new instance setup make 'Gitea Base URL' filled from window.location.origin #20089 If the "app_url" input contains `localhost` (the default value from config), use current window's location href as the `app_url` (aka ROOT_URL) ### Fix the Password Hash Algorithm display problem for "Provide the ability to set password hash algorithm parameters #22942" Before: the UI shows `pbkdf2$50000$50` <details> ![image](https://user-images.githubusercontent.com/2114189/221917143-e1e54798-1698-4fee-a18d-00c48081fc39.png) </details> After: the UI shows `pbkdf2` <details> ![image](https://user-images.githubusercontent.com/2114189/221916999-97a15be8-2ebb-4a01-bf93-dac18e354fcc.png) </details> ### GET data: net::ERR_INVALID_URL #23183 Cause by empty `data:` in `<link rel="manifest" href="data:{{.ManifestData}}">` --------- Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2023-03-04 02:12:02 +00:00
// SetDefaultPasswordHashAlgorithm will take a provided algorithmName and de-alias it to
// a complete algorithm specification.
func SetDefaultPasswordHashAlgorithm(algorithmName string) (string, *PasswordHashAlgorithm) {
algoSpec := hashAlgorithmToSpec(algorithmName)
// now we get a full specification, e.g. pbkdf2$50000$50 rather than pbdkf2
DefaultHashAlgorithm = Parse(algoSpec)
return algoSpec, DefaultHashAlgorithm
}
Fix various bugs for "install" page (#23194) ## TLDR * Fix the broken page / broken image problem when click "Install" * Close #20089 * Fix the Password Hash Algorithm display problem for #22942 * Close #23183 * Close #23184 ## Details ### The broken page / broken image problem when click "Install" (Redirect failed after install gitea #23184) Before: when click "install", all new requests will fail, because the server has been restarted. Users just see a broken page with broken images, sometimes the server is not ready but the user would have been redirect to "/user/login" page, then the users see a new broken page (connection refused or something wrong ...) After: only check InstallLock=true for necessary handlers, and sleep for a while before restarting the server, then the browser has enough time to load the "post-install" page. And there is a script to check whether "/user/login" is ready, the user will only be redirected to the login page when the server is ready. ### During new instance setup make 'Gitea Base URL' filled from window.location.origin #20089 If the "app_url" input contains `localhost` (the default value from config), use current window's location href as the `app_url` (aka ROOT_URL) ### Fix the Password Hash Algorithm display problem for "Provide the ability to set password hash algorithm parameters #22942" Before: the UI shows `pbkdf2$50000$50` <details> ![image](https://user-images.githubusercontent.com/2114189/221917143-e1e54798-1698-4fee-a18d-00c48081fc39.png) </details> After: the UI shows `pbkdf2` <details> ![image](https://user-images.githubusercontent.com/2114189/221916999-97a15be8-2ebb-4a01-bf93-dac18e354fcc.png) </details> ### GET data: net::ERR_INVALID_URL #23183 Cause by empty `data:` in `<link rel="manifest" href="data:{{.ManifestData}}">` --------- Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2023-03-04 02:12:02 +00:00
// ConfigHashAlgorithm will try to find a "recommended algorithm name" defined by RecommendedHashAlgorithms for config
// This function is not fast and is only used for the installation page
func ConfigHashAlgorithm(algorithm string) string {
algorithm = hashAlgorithmToSpec(algorithm)
for _, recommAlgo := range RecommendedHashAlgorithms {
if algorithm == hashAlgorithmToSpec(recommAlgo) {
return recommAlgo
}
}
return algorithm
}