Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: allow importing salted sha hashing algorithms #2741

Merged
merged 37 commits into from
Jan 28, 2023
Merged

feat: allow importing salted sha hashing algorithms #2741

merged 37 commits into from
Jan 28, 2023

Conversation

zambien
Copy link
Contributor

@zambien zambien commented Sep 16, 2022
edited
Loading

Allows importing of salted SHA (SSHA, SSHA256, and SSHA512) passwords into Ory Kratos

Related issue(s)

#2422

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security. vulnerability, I
    confirm that I got green light (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

@CLAassistant
Copy link

CLAassistant commented Sep 16, 2022
edited
Loading

CLA assistant check
All committers have signed the CLA.

@zambien
Copy link
Contributor Author

zambien commented Sep 16, 2022

I'll get started on updating the docs soon!

@codecov
Copy link

codecov bot commented Sep 16, 2022
edited
Loading

Codecov Report

Merging #2741 (d914324) into master (acf9261) will decrease coverage by 0.38%.
The diff coverage is 89.62%.

❗ Current head d914324 differs from pull request most recent head de64823. Consider uploading reports for the commit de64823 to get more accurate results

@@            Coverage Diff             @@
##           master    #2741      +/-   ##
==========================================
- Coverage   77.78%   77.40%   -0.38%     
==========================================
  Files         316      312       -4     
  Lines       19881    19484     -397     
==========================================
- Hits        15464    15082     -382     
+ Misses       3258     3244      -14     
+ Partials     1159     1158       -1
Impacted Files Coverage Δ
identity/handler_import.go 63.04% <0.00%> (ø)
hash/hash_comparator.go 85.61% <90.38%> (+1.40%) ⬆️
identity/credentials_migrate.go 74.19% <100.00%> (ø)
driver/config/config.go 82.77% <0.00%> (-5.24%) ⬇️
courier/courier.go 70.58% <0.00%> (-3.88%) ⬇️
courier/smtp.go 69.56% <0.00%> (-3.82%) ⬇️
identity/handler.go 87.95% <0.00%> (-1.40%) ⬇️
selfservice/strategy/webauthn/nodes.go 100.00% <0.00%> (ø)
identity/credentials_webauthn.go
x/keys.go
... and 4 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@zambien zambien mentioned this pull request Sep 16, 2022
Merged
6 tasks
hperl
hperl requested changes Sep 21, 2022
View reviewed changes
hash/hash_comparator.go Outdated Show resolved Hide resolved
hash/hash_comparator.go Outdated Show resolved Hide resolved
hperl
hperl requested changes Sep 21, 2022
View reviewed changes
Copy link
Contributor

@hperl hperl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you very much for your PR. It looks very good already. I have just left some comments for you.

@zambien zambien marked this pull request as draft September 21, 2022 18:00
@zambien zambien marked this pull request as ready for review September 22, 2022 14:06
hperl
hperl requested changes Sep 23, 2022
View reviewed changes
Copy link
Contributor

@hperl hperl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the update! It looks very good now 🎉, but I think we still need to iterate over the salting. 🧂

hash/hash_comparator.go Outdated Show resolved Hide resolved
@hugotiburtino
Copy link

So in short, I think we should inline the functionality and make the salting more flexible. WDYT?

Definitely having the possibility of prepending the salt would save many lifes (i.e. many password resets)

@zambien
Copy link
Contributor Author

zambien commented Oct 14, 2022
edited
Loading

So in short, I think we should inline the functionality and make the salting more flexible. WDYT?

Definitely having the possibility of prepending the salt would save many lifes (i.e. many password resets)

@hugotiburtino you have a use case where you are using SSHA, SSHA256, or SSHA512 where the salt is prepended instead of being appended? There is another thread where the latest comment @aeneasr thought to use the initial solution for SSHA (not using PHC). I want to be sure to consider everyone's needs. Even though using the {SSHA}... format is easier I agree that isn't really a standard, but is a norm/more. Although every implementation I've seen for SSHA uses the appended implementation.

Edit: punctuation

@elbotho
Copy link

elbotho commented Oct 14, 2022

@hugotiburtino you have a use case where you are using SSHA, SSHA256, or SSHA512 where the salt is prepended instead of being appended? There is another thread where the latest comment @aeneasr thought to use the initial solution for SSHA (not using PHC). I want to be sure to consider everyone's needs. Even though using the {SSHA}... format is easier I agree that isn't really a standard, but is a norm/more. Although every implementation I've seen for SSHA uses the appended implementation.

Edit: punctuation

Our use case (same org. as @hugotiburtino) is actually not SSHA but a custom flavour of SHA so we would be well served with the PHC syntax. Thanks for your consideration.

If we can help you with this PR in any way, just get in touch.

hugotiburtino and others added 10 commits October 30, 2022 22:03
@hugotiburtino
style(hash): put decodeFirebaseScryptHash before sha since it was
f1103d3 
merge first into ory/kratos's master.
@hugotiburtino
refactor(hash): abstract SSHA comparators
4e86499
@hugotiburtino
refactor(hash): reduce SSHA regex and handling to just one
4b0db1e
@hugotiburtino
refactor(hash): avoid unecessary double converting and minor renaming
71b4d60 
to maintain the convention.
@hugotiburtino
style(hasher): put tests for firescrypt after the ones for scrypt
787fbbe 
since the former's hash comparator was added after the latter's one.
@zambien
Merge pull request #3 from serlo/ssha_algs
07dce17 
Refactor SSHA and SHA comparators
@zambien
Revert "Refactor SSHA and SHA comparators"
f0ef517
@zambien
Merge pull request #4 from zambien/revert-3-ssha_algs
33332d8 
Revert "Refactor SSHA and SHA comparators"
@hugotiburtino
refactor(hash): abstract SSHA comparator and minor improvements
7f0e826 
It is like #3 but without
trying to solve the conflicts of current ory/kratos master branch
(head at f5c4cca), which caused many unwanted changes.
@zambien
Merge pull request #5 from serlo/ssha_algs
c6b3a6e 
Abstract SSHA comparator and minor changes without merging from ory/kratos master
@aeneasr aeneasr requested a review from hperl November 21, 2022 15:10
hperl
hperl previously approved these changes Nov 21, 2022
View reviewed changes
Copy link
Contributor

@hperl hperl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the changes, LGTM!

There was a bug in the error handling for short SSHA passwords that I fixed in fea0bbd. PTAL.

@aeneasr
Copy link
Member

aeneasr commented Nov 21, 2022

We probably also need to update the documentation to now include regular SHA?

@elbotho
Copy link

elbotho commented Nov 23, 2022

We probably also need to update the documentation to now include regular SHA?

@aeneasr that's right. I'm awaiting the review of ory/docs#1090 so we can explain the formatting in the same way and can add the changes then.

@aeneasr
Copy link
Member

aeneasr commented Dec 6, 2022

That's merged now! There's a few conflicts left that need resolving.

@hperl are the changes good to go now?

@elbotho elbotho mentioned this pull request Dec 6, 2022
Closed
@ci42 ci42 mentioned this pull request Dec 12, 2022
Closed
6 tasks
@hperl hperl self-requested a review January 27, 2023 08:56
hperl
hperl previously approved these changes Jan 27, 2023
View reviewed changes
Copy link
Contributor

@hperl hperl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks very good now 🎉!

I just merged master, if CI passes we should be ready to merge 💪

@hperl hperl self-requested a review January 27, 2023 12:17
@aeneasr aeneasr merged commit 132255e into ory:master Jan 28, 2023
@aeneasr
Copy link
Member

aeneasr commented Jan 28, 2023

epic!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@elbotho elbotho elbotho left review comments

@jsimonetti jsimonetti jsimonetti left review comments

@hperl hperl hperl approved these changes

@aeneasr aeneasr Awaiting requested review from aeneasr aeneasr is a code owner

@zepatrik zepatrik Awaiting requested review from zepatrik zepatrik is a code owner

Assignees

@hperl hperl

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@zambien @CLAassistant @hugotiburtino @elbotho @aeneasr @hperl @jsimonetti