Fix hash-related method signatures to prevent hash functions that do …

…not produce unique values (globocom#530)
rogeriobastos · Jul 6, 2021 · 4000c5b · 4000c5b
1 parent 94d81e6
commit 4000c5b
Show file tree

Hide file tree

Showing 9 changed files with 19 additions and 29 deletions.
diff --git a/api/auth/authmongo.go b/api/auth/authmongo.go
@@ -32,34 +32,34 @@ func (cM *ClientPbkdf2) GetPassFromDB(username string) (string, error) {
 // GetValidHashFunction is an auxiliary function called by GetHashedPass.
 // It will return a valid hash function and a boolean if the hash was returned
 // with success.
-func GetValidHashFunction(hashStr string) (hash.Hash, bool) {
+func GetValidHashFunction(hashStr string) (func() hash.Hash, bool) {
 	hashLower := strings.ToLower(hashStr)
-	var hashFunction hash.Hash
+	var hashFunction func() hash.Hash
 	var isValid bool
 	switch hashLower {
 	case "sha256":
-		hashFunction = sha256.New()
+		hashFunction = sha256.New
 		isValid = true
 	case "sha224":
-		hashFunction = sha256.New224()
+		hashFunction = sha256.New224
 		isValid = true
 	case "sha384":
-		hashFunction = sha512.New384()
+		hashFunction = sha512.New384
 		isValid = true
 	case "sha512":
-		hashFunction = sha512.New()
+		hashFunction = sha512.New
 		isValid = true
 	case "sha3_224":
-		hashFunction = sha3.New224()
+		hashFunction = sha3.New224
 		isValid = true
 	case "sha3_256":
-		hashFunction = sha3.New256()
+		hashFunction = sha3.New256
 		isValid = true
 	case "sha3_384":
-		hashFunction = sha3.New384()
+		hashFunction = sha3.New384
 		isValid = true
 	case "sha3_512":
-		hashFunction = sha3.New512()
+		hashFunction = sha3.New512
 		isValid = true
 	default:
 		isValid = false

diff --git a/api/auth/authmongo_test.go b/api/auth/authmongo_test.go
@@ -23,7 +23,7 @@ type FakeGen struct {
 	expectedDecodeSaltError error
 }
 
-func (fG *FakeGen) GenHashValue(value, salt []byte, iter, keyLen int, h hash.Hash) string {
+func (fG *FakeGen) GenHashValue(value, salt []byte, iter, keyLen int, hashFunc func() hash.Hash) string {
 	return fG.expectedHash
 }
 

diff --git a/api/auth/pbkdf2caller.go b/api/auth/pbkdf2caller.go
@@ -29,10 +29,8 @@ func (pC *Pbkdf2Caller) DecodeSaltValue(salt string) ([]byte, error) {
 }
 
 // GenHashValue returns the hash value given all pbkdf2 parameters.
-func (pC *Pbkdf2Caller) GenHashValue(value, salt []byte, iter, keyLen int, h hash.Hash) string {
-	return base64.StdEncoding.EncodeToString(pbkdf2.Key(value, salt, iter, keyLen, func() hash.Hash {
-		return h
-	}))
+func (pC *Pbkdf2Caller) GenHashValue(value, salt []byte, iter, keyLen int, hashFunc func() hash.Hash) string {
+	return base64.StdEncoding.EncodeToString(pbkdf2.Key(value, salt, iter, keyLen, hashFunc))
 }
 
 // GenerateSalt returns a random salt and en error.

diff --git a/api/auth/types.go b/api/auth/types.go
@@ -20,7 +20,7 @@ type UserCredsHandler interface {
 type Pbkdf2Generator interface {
 	GetCredsFromDB(username string) (types.User, error)
 	DecodeSaltValue(salt string) ([]byte, error)
-	GenHashValue(value, salt []byte, iter, keyLen int, h hash.Hash) string
+	GenHashValue(value, salt []byte, iter, keyLen int, hashFund func() hash.Hash) string
 	GenerateSalt() (string, error)
 	GetHashName() string
 	GetIterations() int

diff --git a/api/routes/user.go b/api/routes/user.go
@@ -8,7 +8,6 @@ import (
 	"net/http"
 
 	"encoding/base64"
-	"hash"
 
 	"github.com/globocom/huskyCI/api/auth"
 	apiContext "github.com/globocom/huskyCI/api/context"
@@ -68,18 +67,14 @@ func UpdateUser(c echo.Context) error {
 		reply := map[string]interface{}{"success": false, "error": "failed to update user data"}
 		return c.JSON(http.StatusInternalServerError, reply)
 	}
-	hashedPass := pbkdf2.Key([]byte(attemptUser.Password), salt, user.Iterations, user.KeyLen, func() hash.Hash {
-		return hashFunction
-	})
+	hashedPass := pbkdf2.Key([]byte(attemptUser.Password), salt, user.Iterations, user.KeyLen, hashFunction)
 	if base64.StdEncoding.EncodeToString(hashedPass) != user.Password {
 		reply := map[string]interface{}{"success": false, "error": "unauthorized"}
 		return c.JSON(http.StatusUnauthorized, reply)
 	}
 
 	// step 5.1: prepare new user struct to be updated
-	newHashedPass := pbkdf2.Key([]byte(attemptUser.NewPassword), salt, user.Iterations, user.KeyLen, func() hash.Hash {
-		return hashFunction
-	})
+	newHashedPass := pbkdf2.Key([]byte(attemptUser.NewPassword), salt, user.Iterations, user.KeyLen, hashFunction)
 
 	updatedUser := types.User{
 		Username:     attemptUser.Username,

diff --git a/api/token/token_test.go b/api/token/token_test.go
@@ -106,7 +106,7 @@ func (fH *FakeHashGen) GetIterations() int {
 	return fH.expectedIterations
 }
 
-func (fH *FakeHashGen) GenHashValue(value, salt []byte, iter, keyLen int, h hash.Hash) string {
+func (fH *FakeHashGen) GenHashValue(value, salt []byte, iter, keyLen int, hashFunc func() hash.Hash) string {
 	return fH.expectedHashValue
 }
 

diff --git a/api/user/user.go b/api/user/user.go
@@ -10,7 +10,6 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"errors"
-	"hash"
 	"io"
 
 	"github.com/globocom/huskyCI/api/auth"
@@ -55,9 +54,7 @@ func InsertDefaultUser() error {
 	newUser.Iterations = iterations
 	newUser.KeyLen = keyLength
 	newUser.Salt = base64.StdEncoding.EncodeToString(salt)
-	hashedPass := pbkdf2.Key([]byte(DefaultAPIPassword), salt, iterations, keyLength, func() hash.Hash {
-		return hashFunction
-	})
+	hashedPass := pbkdf2.Key([]byte(DefaultAPIPassword), salt, iterations, keyLength, hashFunction)
 	newUser.Password = base64.StdEncoding.EncodeToString(hashedPass)
 	return apiContext.APIConfiguration.DBInstance.InsertDBUser(newUser)
 }
diff --git a/deployments/dockerfiles/api.Dockerfile b/deployments/dockerfiles/api.Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.15
+FROM golang:1.16
 WORKDIR /go/src/app
 COPY api/ .
 RUN go build -o huskyci-api server.go

diff --git a/deployments/scripts/generate-local-token.sh b/deployments/scripts/generate-local-token.sh