Skip to content

Allow upgrading between different BCrypt encodings #7042

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

Allow upgrading between different BCrypt encodings #7042

wants to merge 3 commits into from

Conversation

larsgrefer
Copy link
Contributor

This will allow the upgradeEncoding mechanism to upgrade from a lower-strength bcrypt to a higher-strength bcrypt encoding.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 26, 2019
rwinch
rwinch requested changes Jun 27, 2019
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @larsgrefer! I have provided comments inline

@larsgrefer
Copy link
Contributor Author

I'm not sure what the default behavior for invalid inputs should be.

org.springframework.security.crypto.password.DelegatingPasswordEncoder#upgradeEncoding returns true for all invalid inputs (null, no parseable id, unknown id) while org.springframework.security.crypto.password.PasswordEncoder#upgradeEncoding always returns false.

The default of false makes sense, because it prevents useless re-encodings on every login.

How should org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder#upgradeEncoding behave for invalid inputs (null or non-bcrypt)? true, false or IllegalArgumentException ?

@rwinch
Copy link
Member

rwinch commented Jun 28, 2019

Good question @larsgrefer

DelegatingPasswordEncoder returns true for null, no id, unknown id because we expect its configuration to change over time. All we care about is that the value is encoded with the configured PasswordEncoder. Note that these are actually valid as there is the potential to fallback if there is an unknown id, null id, etc.

BCryptPasswordEncoder should return false for a null input because it will blow up if it is encoded. For non-bcrypt it should fail with an Exception.

@larsgrefer larsgrefer force-pushed the feature/upgradeBcryptEncoding branch from 07130ee to 1e05294 Compare June 28, 2019 16:47
@rwinch rwinch added in: crypto An issue in spring-security-crypto type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 28, 2019
@rwinch
Copy link
Member

rwinch commented Jun 28, 2019

Thanks for the updates @larsgrefer. It appears that the tests fail.

org.springframework.security.crypto.bcrypt.BCryptPasswordEncoderTests > upgradeFromNullOrEmpty FAILED
    org.junit.ComparisonFailure at BCryptPasswordEncoderTests.java:191

@larsgrefer larsgrefer force-pushed the feature/upgradeBcryptEncoding branch from 1e05294 to f96bcd3 Compare June 28, 2019 20:07
@larsgrefer larsgrefer force-pushed the feature/upgradeBcryptEncoding branch from f96bcd3 to a875499 Compare June 28, 2019 20:52
@larsgrefer
Copy link
Contributor Author

@rwinch The tests are fixed now

This was referenced Jun 28, 2019
Closed
Merged
@rwinch rwinch self-assigned this Jul 3, 2019
@rwinch rwinch added this to the 5.2.0.RC1 milestone Jul 3, 2019
@rwinch rwinch closed this in d3d6a87 Jul 3, 2019
rwinch added a commit that referenced this pull request Jul 3, 2019
@rwinch
Polish BCrypt upgrade
742df2c 
Issue gh-7042
@rwinch
Copy link
Member

rwinch commented Jul 3, 2019

Thanks for all your work on this PR @larsgrefer! This is now merged into master via d3d6a87 I added a little polish to the tests via 742df2c

kostya05983 pushed a commit to kostya05983/spring-security that referenced this pull request Aug 26, 2019
@larsgrefer @kostya05983
Allow upgrading between different BCrypt encodings
d16ce17 
Fixes spring-projectsgh-7042
kostya05983 pushed a commit to kostya05983/spring-security that referenced this pull request Aug 26, 2019
@rwinch @kostya05983
Polish BCrypt upgrade
9dfe648 
Issue spring-projectsgh-7042
@larsgrefer larsgrefer mentioned this pull request Sep 9, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rwinch rwinch rwinch approved these changes

Assignees

@rwinch rwinch

Labels
in: crypto An issue in spring-security-crypto type: enhancement A general enhancement
Projects
None yet
Milestone
5.2.0.M4
Development

Successfully merging this pull request may close these issues.
3 participants
@larsgrefer @rwinch @spring-projects-issues