Skip to content

Bug 1874322: add bcrypt as a supported hashing method for htpasswd passwords #186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 3, 2021
Merged

Bug 1874322: add bcrypt as a supported hashing method for htpasswd passwords #186

merged 2 commits into from
Jun 3, 2021

Conversation

stlaz
Copy link

@stlaz stlaz commented Sep 14, 2020

The PR is based on bitly@008ffae with the expection of not including the $2b$ prefix based on https://svn.apache.org/viewvc/apr/apr/trunk/crypto/crypt_blowfish.c?view=markup#l580

@openshift-ci-robot openshift-ci-robot added bugzilla/severity-low Referenced Bugzilla bug's severity is low for the branch this PR is targeting. bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Sep 14, 2020
@openshift-ci-robot
Copy link

@stlaz: This pull request references Bugzilla bug 1874322, which is invalid:

  • expected the bug to target the "4.6.0" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1874322: add bcrypt as a supported hashing method for htpasswd passwords

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 14, 2020
@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 23, 2020
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 30, 2020
@stlaz
Copy link
Author

stlaz commented Oct 1, 2020

/refresh

@stlaz
Copy link
Author

stlaz commented Oct 1, 2020

/retest
impossibru, the unit test shouldn't fail

@stlaz
Copy link
Author

stlaz commented Oct 14, 2020

/bugzilla refresh

@openshift-ci-robot
Copy link

@stlaz: This pull request references Bugzilla bug 1874322, which is invalid:

  • expected the bug to target the "4.7.0" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@stlaz
Copy link
Author

stlaz commented Oct 14, 2020

/bugzilla refresh

@openshift-ci-robot
Copy link

@stlaz: This pull request references Bugzilla bug 1874322, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. and removed bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Oct 14, 2020
@stlaz
Copy link
Author

stlaz commented Nov 3, 2020

/retest

deads2k
deads2k reviewed Dec 9, 2020
View reviewed changes
htpasswd.go

bcryptPrefix := realPassword[:4]
if bcryptPrefix == "$2a$" || bcryptPrefix == "$2x$" || bcryptPrefix == "$2y$" {
return bcrypt.CompareHashAndPassword([]byte(realPassword), []byte(password)) == nil
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you intentionally pass along the $2whatever? Also, where did that format come from?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is what upstream of this project did before it went archived, the format comes from https://svn.apache.org/viewvc/apr/apr/trunk/crypto/crypt_blowfish.c?view=markup#l580

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: maybe let's add a comment to this external reference

@deads2k
Copy link

deads2k commented Dec 9, 2020

I don't think this will actually resolve the bug since the bug is about the possibility to store passwords in sha1, not the requirement to do so.

Also, why do we attempt to verify passwords in this proxy at all? That doesn't make much sense to me.

@stlaz
Copy link
Author

stlaz commented Dec 10, 2020
edited
Loading

@deads2k we can't remove the sha1-logins as that would break everyone who is using those, unfortunately.

This is not exactly password verification for the oauth-users, it is a htpasswd config that allows to bypass the oauth-login. I think it might be thought about as kind of a service-account idp for the proxy.

@openshift-bot
Copy link

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci-robot openshift-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 10, 2021
@stlaz
Copy link
Author

stlaz commented Mar 19, 2021

/remove-lifecycle stale
for now

@openshift-ci-robot openshift-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 19, 2021
@s-urbaniak
Copy link

agreed with @stlaz, this just adds the bcrypt capability, while not removing sha1

@s-urbaniak
Copy link

/lgtm

@s-urbaniak
Copy link

/retest

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 3, 2021
@openshift-ci
Copy link

openshift-ci bot commented Jun 3, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: s-urbaniak, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@s-urbaniak
Copy link

/retest

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@stlaz
Copy link
Author

stlaz commented Jun 3, 2021

/test e2e-component

@openshift-merge-robot openshift-merge-robot merged commit 3fc0d89 into openshift:master Jun 3, 2021
@openshift-ci
Copy link

openshift-ci bot commented Jun 3, 2021

@stlaz: All pull requests linked via external trackers have merged:

Bugzilla bug 1874322 has been moved to the MODIFIED state.

In response to this:

Bug 1874322: add bcrypt as a supported hashing method for htpasswd passwords

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-bot
Copy link

[ART PR BUILD NOTIFIER]

This PR has been included in build golang-github-openshift-oauth-proxy-container-v4.8.0-202311261141.p0.g3fc0d89.assembly.stream for distgit golang-github-openshift-oauth-proxy.
All builds following this will include this PR.

@andrewazores andrewazores mentioned this pull request May 7, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@s-urbaniak s-urbaniak s-urbaniak left review comments

@deads2k deads2k deads2k left review comments

@sttts sttts Awaiting requested review from sttts

Assignees

@s-urbaniak s-urbaniak

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-low Referenced Bugzilla bug's severity is low for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@stlaz @openshift-ci-robot @deads2k @openshift-bot @s-urbaniak @openshift-merge-robot