Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Config] Add password algorithm selector #9468

Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

[Config] Add password algorithm selector #9468

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
831d7b8
[Config] Add password algorithm selector
skarya22 Nov 14, 2024
b5f1f45
Add to raisinbread
skarya22 Nov 14, 2024
e23aca4
change select source
skarya22 Nov 14, 2024
e00ed67
Remove 'PASSWORD_DEFAULT' as it is now null after php 7.4
skarya22 Nov 14, 2024
9aa4afb
Fix missing ID from ConfigSettings
skarya22 Nov 14, 2024
870132e
Try to setup config for tests
skarya22 Nov 15, 2024
27883cb
Another attempt for config
skarya22 Nov 15, 2024
87a2fd5
Remove leftover space
skarya22 Nov 18, 2024
11d7c37
Add Shen's changes + Dave's suggestion
skarya22 Nov 27, 2024
d743e13
Fix tests?
skarya22 Nov 27, 2024
a655bcb
Fix nullable type declaration
skarya22 Nov 27, 2024
c40b600
Try re-using old configMock
skarya22 Nov 27, 2024
679c2ec
Try again
skarya22 Nov 27, 2024
3dd70e8
correct 2y name
skarya22 Dec 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 7 additions & 5 deletions SQL/0000-00-03-ConfigTables.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ CREATE TABLE `ConfigSettings` (
`Description` varchar(255) DEFAULT NULL,
`Visible` tinyint(1) DEFAULT '0',
`AllowMultiple` tinyint(1) DEFAULT '0',
`DataType` ENUM('text','boolean','email','instrument','textarea','scan_type','date_format','lookup_center','path','web_path', 'log_level') DEFAULT NULL,
`DataType` ENUM('text','boolean','email','instrument','textarea','scan_type','date_format','lookup_center','path','web_path','log_level','password_algo') DEFAULT NULL,
`Parent` int(11) DEFAULT NULL,
`Label` varchar(255) DEFAULT NULL,
`OrderNumber` int(11) DEFAULT NULL,
Expand Down Expand Up @@ -59,10 +59,11 @@ INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType,
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'citation_policy', 'Citation Policy for Acknowledgements module', 1, 0, 'textarea', ID, 'Citation Policy', 25 FROM ConfigSettings WHERE Name="study";
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'CSPAdditionalHeaders', 'Extensions to the Content-security policy allow only for self-hosted content', 1, 0, 'text', ID, 'Content-Security Extensions', 26 FROM ConfigSettings WHERE Name="study";
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'usePwnedPasswordsAPI', 'Whether to query the Have I Been Pwned password API on password changes to prevent the usage of common and breached passwords', 1, 0, 'boolean', ID, 'Enable "Pwned Password" check', 27 FROM ConfigSettings WHERE Name="study";
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'dateDisplayFormat', 'The date format to use throughout LORIS for displaying date information - formats for date inputs are browser- and locale-dependent.', 1, 0, 'text', ID, 'Date display format', 28 FROM ConfigSettings WHERE Name="study";
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'adminContactEmail', 'An email address that users can write to in order to report issues or ask question', 1, 0, 'text', ID, 'Administrator Email', 29 FROM ConfigSettings WHERE Name="study";
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'UserMaximumDaysInactive', 'The maximum number of days since last login before making a user inactive', 1, 0, 'text', ID, 'Maximum Days Before Making User Inactive', 30 FROM ConfigSettings WHERE Name="study";
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'useDoB', 'Use DoB (Date of Birth)', 1, 0, 'boolean', ID, 'Use DoB', 31 FROM ConfigSettings WHERE Name="study";
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'passwordAlgorithm','Which PHP password algorithm to use for hashing the passwords',1,0,'password_algo',1,'Password Algorithm',28 FROM ConfigSettings WHERE Name="study";
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'dateDisplayFormat', 'The date format to use throughout LORIS for displaying date information - formats for date inputs are browser- and locale-dependent.', 1, 0, 'text', ID, 'Date display format', 29 FROM ConfigSettings WHERE Name="study";
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'adminContactEmail', 'An email address that users can write to in order to report issues or ask question', 1, 0, 'text', ID, 'Administrator Email', 30 FROM ConfigSettings WHERE Name="study";
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'UserMaximumDaysInactive', 'The maximum number of days since last login before making a user inactive', 1, 0, 'text', ID, 'Maximum Days Before Making User Inactive', 31 FROM ConfigSettings WHERE Name="study";
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'useDoB', 'Use DoB (Date of Birth)', 1, 0, 'boolean', ID, 'Use DoB', 32 FROM ConfigSettings WHERE Name="study";

INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, Label, OrderNumber) VALUES ('paths', 'Specify directories where LORIS-related files are stored or created. Take care when editing these fields as changing them incorrectly can cause certain modules to lose functionality.', 1, 0, 'Paths', 2);
INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'imagePath', 'Path to images for display in Imaging Browser (e.g. /data/$project/data/) ', 1, 0, 'text', ID, 'Images', 9 FROM ConfigSettings WHERE Name="paths";
Expand Down Expand Up @@ -282,6 +283,7 @@ INSERT INTO Config (ConfigID, Value) SELECT ID, 't1' FROM ConfigSettings WHER
INSERT INTO Config (ConfigID, Value) SELECT ID, 't2' FROM ConfigSettings WHERE Name="modalities_to_deface";
INSERT INTO Config (ConfigID, Value) SELECT ID, 'pd' FROM ConfigSettings WHERE Name="modalities_to_deface";
INSERT INTO Config (ConfigID, Value) SELECT ID, 'false' FROM ConfigSettings WHERE Name="usePwnedPasswordsAPI";
INSERT INTO Config (ConfigID, Value) SELECT ID, 'PASSWORD_DEFAULT' FROM ConfigSettings WHERE Name="passwordAlgorithm";
INSERT INTO Config (ConfigID, Value) SELECT ID, 'Y-m-d H:i:s' FROM ConfigSettings WHERE Name="dateDisplayFormat";
INSERT INTO Config (ConfigID, Value) SELECT ID, '/data/issue_tracker/' FROM ConfigSettings WHERE Name="IssueTrackerDataPath";
INSERT INTO Config (ConfigID, Value) SELECT ID, '' FROM ConfigSettings WHERE Name="adminContactEmail";
Expand Down
7 changes: 7 additions & 0 deletions SQL/New_patches/2024-11-14-Add-Password-Algo-Config.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
ALTER TABLE ConfigSettings
MODIFY COLUMN DataType enum('text','boolean','email','instrument','textarea','scan_type','date_format','lookup_center','path','web_path','log_level', 'password_algo') DEFAULT NULL;

INSERT INTO `ConfigSettings` (`Name`, `Description`, `Visible`, `AllowMultiple`, `DataType`, `Parent`, `Label`, `OrderNumber`)
VALUES ('passwordAlgorithm','Which PHP password algorithm to use for hashing the passwords',1,0,'password_algo',1,'Password Algorithm',28);

INSERT INTO Config (`ConfigID`, `Value`) VALUES (LAST_INSERT_ID(), 'PASSWORD_DEFAULT');
4 changes: 3 additions & 1 deletion htdocs/postdeploy.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,9 @@
$sqls = file_get_contents($path_to_file);
$conn->exec($sqls);

$pw = password_hash($password, PASSWORD_DEFAULT);
$config =& \NDB_Config::singleton();
$password_algo = $config->getSetting("passwordAlgorithm");
$pw = password_hash($password, $password_algo);

$conn->query(
"UPDATE users SET Password_hash=" . $conn->quote($pw) .
Expand Down
8 changes: 8 additions & 0 deletions modules/configuration/php/configuration.class.inc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,14 @@ class Configuration extends \NDB_Form
'emergency' => 'Emergency',
];

$this->tpl_data['password_algos'] = [
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you use https://www.php.net/manual/en/function.password-algos.php (and add a "Default" option)

I'm not really sure what the point of having the blank option here is.

Copy link
Contributor Author

@skarya22 skarya22 Nov 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That function doesn't output usable strings for the password_hash function unfortunately. It gives values such as: '2y','argon2i, 'argon2id', but password_hash uses, 'PASSWORD_DEFAULT','PASSWORD_BCRYPT', 'PASSWORD_ARGON2I', and 'PASSWORD_ARGON2ID'

I will remove the blank option though. It was just there in-case somehow a non-usable value was saved so it doesn't show PASSWORD_DEFAULT instead. But it probably just makes it confusing

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PASSWORD_DEFAULT/PASSWORD_BCRYPT/etc are just built in constants with those values.

$ php -a
Interactive shell

php > print PASSWORD_DEFAULT;
2y
php > print PASSWORD_ARGON2I;
argon2i
php > print_r(password_algos());
Array
(
    [0] => 2y
    [1] => argon2i
    [2] => argon2id
)
php > print password_hash('test', 'argon2i');
$argon2i$v=19$m=65536,t=4,p=1$WlBObVNleHU0RHVCMG9DTw$3jZ/HN8N4r6YERoJJbMGup/d8rebjUZ72lYZcbTsjno
php >

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh sweet, thanks!

'' => '',
'PASSWORD_DEFAULT' => 'PASSWORD_DEFAULT',
'PASSWORD_BCRYPT' => 'PASSWORD_BCRYPT',
'PASSWORD_ARGON2I' => 'PASSWORD_ARGON2I',
'PASSWORD_ARGON2ID' => 'PASSWORD_ARGON2ID'
];

skarya22 marked this conversation as resolved.
Show resolved Hide resolved
$this->tpl_data['date_format'] = $date_format;
$this->tpl_data['lookup_center'] = [
'' => '',
Expand Down
10 changes: 9 additions & 1 deletion modules/configuration/templates/form_configuration.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,13 @@
</div>
{/function}


{function name=createPasswordAlgo}
<select class="form-control" name="{$k}" {if $d eq "Yes"}disabled{/if}>
{foreach from=$password_algos key=name item=label}
<option {if $v eq $name}selected{/if} value="{$name}">{$label}</option>
{/foreach}
</select>
{/function}

{function name=createScanType}
<select class="form-control" name="{$k}" {if $d eq "Yes"}disabled{/if}>
Expand Down Expand Up @@ -108,6 +114,8 @@
{call createInstrument k=$id v=$v d=$node['Disabled']}
{elseif $node['DataType'] eq 'scan_type'}
{call createScanType k=$id v=$v d=$node['Disabled']}
{elseif $node['DataType'] eq 'password_algo'}
{call createPasswordAlgo k=$id v=$v d=$node['Disabled']}
{elseif $node['DataType'] eq 'date_format'}
{call createDateFormat k=$id v=$v d=$node['Disabled']}
{elseif $node['DataType'] eq 'email'}
Expand Down
4 changes: 3 additions & 1 deletion php/installer/Installer.class.inc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -543,12 +543,14 @@ class Installer
Active='Y'
WHERE ID=1"
);
$config =& \NDB_Config::singleton();
$password_algo = $config->getSetting("passwordAlgorithm");
return $stmt->execute(
[
'q_userID' => $values['frontenduser'],
'q_password' => password_hash(
$values['frontendpassword'],
PASSWORD_DEFAULT
$password_algo
),
]
);
Expand Down
4 changes: 3 additions & 1 deletion php/libraries/Password.class.inc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -205,7 +205,9 @@ class Password
$this->_validate($value);
// Don't store the value in the object; instead use the hashed version
// This mitigates the risk of accidentally revealing the plaintext.
$this->_hash = password_hash($value, PASSWORD_DEFAULT);
$config =& \NDB_Config::singleton();
$password_algo = $config->getSetting("passwordAlgorithm");
$this->_hash = password_hash($value, $password_algo);
}

/**
Expand Down
6 changes: 4 additions & 2 deletions php/libraries/SinglePointLogin.class.inc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -287,8 +287,10 @@ class SinglePointLogin
// Validate passsword
$oldhash = $row['Password_hash'] ?? '';
if (password_verify($password, $oldhash)) {
$config =& \NDB_Config::singleton();
$password_algo = $config->getSetting("passwordAlgorithm");
// Rehash according to latest standards if necessary.
if (password_needs_rehash($oldhash, PASSWORD_DEFAULT)) {
if (password_needs_rehash($oldhash, $password_algo)) {
try {
$newHash = new \Password($password);
\User::factory($username)->updatePassword(
Expand All @@ -302,7 +304,7 @@ class SinglePointLogin
// update the password here without using the Password class
$newHash = password_hash(
$password,
PASSWORD_DEFAULT
$password_algo
);
\NDB_Factory::singleton()->database()->update(
'users',
Expand Down
1 change: 1 addition & 0 deletions raisinbread/RB_files/RB_Config.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (126,129,'365');
INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (127,130,'/var/www/loris/');
INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (128,131,'/data/EEGUploadIncomingPath/');
INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (129,132,'false');
INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (130,133,'PASSWORD_DEFAULT');

UNLOCK TABLES;
SET FOREIGN_KEY_CHECKS=1;
1 change: 1 addition & 0 deletions raisinbread/RB_files/RB_ConfigSettings.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,5 +121,6 @@ INSERT INTO `ConfigSettings` (`ID`, `Name`, `Description`, `Visible`, `AllowMult
INSERT INTO `ConfigSettings` (`ID`, `Name`, `Description`, `Visible`, `AllowMultiple`, `DataType`, `Parent`, `Label`, `OrderNumber`) VALUES (130,'DownloadPath','Where files are downloaded',1,0,'text',26,'Downloads',4);
INSERT INTO `ConfigSettings` (`ID`, `Name`, `Description`, `Visible`, `AllowMultiple`, `DataType`, `Parent`, `Label`, `OrderNumber`) VALUES (131,'EEGUploadIncomingPath', 'Path to the upload directory for incoming EEG studies', 1, 0, 'text', 26, 'EEG Incoming Directory', 15);
INSERT INTO `ConfigSettings` (`ID`, `Name`, `Description`, `Visible`, `AllowMultiple`, `DataType`, `Parent`, `Label`, `OrderNumber`) VALUES (132,'useDoB','Use DoB (Date of Birth)',1,0,'boolean',1,'Use DoB',12);
INSERT INTO `ConfigSettings` (`ID`, `Name`, `Description`, `Visible`, `AllowMultiple`, `DataType`, `Parent`, `Label`, `OrderNumber`) VALUES (133, 'passwordAlgorithm','Which PHP password algorithm to use for hashing the passwords',1,0,'password_algo',1,'Password Algorithm',28);
UNLOCK TABLES;
SET FOREIGN_KEY_CHECKS=1;
4 changes: 3 additions & 1 deletion tools/resetpassword.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,9 @@
// Don't echo the password being typed
`/bin/stty -echo`;
$newPass = trim(fgets(STDIN));
$newHash = password_hash($newPass, PASSWORD_DEFAULT);
$config =& \NDB_Config::singleton();
$password_algo = $config->getSetting("passwordAlgorithm");
$newHash = password_hash($newPass, $password_algo);
`/bin/stty echo`;

;
Expand Down
Loading