feat: allow import peppered/salted password hashes ory#2946

ci42 · Mar 6, 2023 · db6cbb6 · db6cbb6
1 parent 8396a55
commit db6cbb6
Show file tree

Hide file tree

Showing 14 changed files with 641 additions and 502 deletions.
diff --git a/cmd/serve/stub/kratos.yml b/cmd/serve/stub/kratos.yml
@@ -69,6 +69,19 @@ hashers:
     salt_length: 16
     key_length: 16
 
+passwordhash_comparators:
+  - Id: bcrypt
+  - Id: argon2id
+  - Id: pbkdf2
+  - Id: scrypt
+  - Id: firebasescrypt
+  - Id: md5
+  - Id: sha
+  - Id: ssha
+  - Id: pssha
+    Conf:
+      Pepper: secret
+
 identity:
   schemas:
     - id: default

diff --git a/driver/config/config.go b/driver/config/config.go
@@ -171,6 +171,7 @@ const (
 	ViperKeyHasherArgon2ConfigExpectedDeviation              = "hashers.argon2.expected_deviation"
 	ViperKeyHasherArgon2ConfigDedicatedMemory                = "hashers.argon2.dedicated_memory"
 	ViperKeyHasherBcryptCost                                 = "hashers.bcrypt.cost"
+	ViperKeyPasswordHashComparators                          = "passwordhash_comparators"
 	ViperKeyCipherAlgorithm                                  = "ciphers.algorithm"
 	ViperKeyDatabaseCleanupSleepTables                       = "database.cleanup.sleep.tables"
 	ViperKeyDatabaseCleanupBatchSize                         = "database.cleanup.batch_size"
@@ -212,6 +213,8 @@ const (
 // DefaultSessionCookieName returns the default cookie name for the kratos session.
 const DefaultSessionCookieName = "ory_kratos_session"
 
+var DefaultPasswordHashComparators = []PhcConf{{Id: "argon2id"}, {Id: "bcrypt"}}
+
 type (
 	Argon2 struct {
 		Memory            bytesize.ByteSize `json:"memory"`
@@ -1367,6 +1370,15 @@ func (p *Config) HasherPasswordHashingAlgorithm(ctx context.Context) string {
 	}
 }
 
+type PhcConf struct {
+	Id   string
+	Conf map[string]string
+}
+
+func (p *Config) PasswordHashComparators(ctx context.Context) []PhcConf {
+	return p.GetProvider(ctx).GetF(ViperKeyPasswordHashComparators, DefaultPasswordHashComparators).([]PhcConf)
+}
+
 func (p *Config) CipherAlgorithm(ctx context.Context) string {
 	configValue := p.GetProvider(ctx).StringF(ViperKeyCipherAlgorithm, DefaultCipherAlgorithm)
 	switch configValue {

diff --git a/driver/registry_default.go b/driver/registry_default.go
@@ -117,6 +117,8 @@ type RegistryDefault struct {
 	passwordHasher    hash.Hasher
 	passwordValidator password2.Validator
 
+	passwordHashComparators []hash.PasswordHashComparator
+
 	crypter cipher.Cipher
 
 	errorHandler *errorx.Handler
@@ -458,6 +460,39 @@ func (m *RegistryDefault) Hasher(ctx context.Context) hash.Hasher {
 	return m.passwordHasher
 }
 
+func (m *RegistryDefault) PasswordHashComparators(ctx context.Context) []hash.PasswordHashComparator {
+	if m.passwordHashComparators == nil {
+		configuredPHCs := m.c.PasswordHashComparators(ctx)
+		cs := make([]hash.PasswordHashComparator, 0, len(configuredPHCs))
+		for _, c := range configuredPHCs {
+			switch c.Id {
+			case "bcrypt":
+				cs = append(cs, hash.BcryptComparator{})
+			case "argon2id":
+				cs = append(cs, hash.Argon2idComparator{})
+			case "argon2i":
+				cs = append(cs, hash.Argon2iComparator{})
+			case "pbkdf2":
+				cs = append(cs, hash.Pbkdf2Comparator{})
+			case "scrypt":
+				cs = append(cs, hash.ScryptComparator{})
+			case "firebasescrypt":
+				cs = append(cs, hash.FirebaseScryptComparator{})
+			case "md5":
+				cs = append(cs, hash.MD5Comparator{})
+			case "sha":
+				cs = append(cs, hash.ShaComparator{})
+			case "ssha":
+				cs = append(cs, hash.SaltedShaComparator{})
+			case "pssha":
+				cs = append(cs, hash.PepperedSaltedShaComparator{Pepper: []byte(c.Conf["Pepper"])})
+			}
+		}
+		m.passwordHashComparators = cs
+	}
+	return m.passwordHashComparators
+}
+
 func (m *RegistryDefault) PasswordValidator() password2.Validator {
 	if m.passwordValidator == nil {
 		var err error

diff --git a/embedx/config.schema.json b/embedx/config.schema.json
@@ -2327,7 +2327,38 @@
       },
       "additionalProperties": false
     },
-    "ciphers": {
+    "passwordhash_comparators": {
+      "type": "array",
+      "title": "",
+      "description": "",
+      "items": {
+        "required": ["Id"],
+        "type": "object",
+        "properties": {
+          "Id": {
+            "type": "string",
+            "title": "",
+            "enum": [
+              "argon2id",
+              "argon2i",
+              "bcrypt",
+              "pbkdf2",
+              "scrypt",
+              "firebasescrypt",
+              "md5",
+              "sha",
+              "ssha",
+              "pssha"
+            ]
+          },
+          "Conf": {
+            "type": "object",
+            "title": ""
+          }
+        }
+      }
+    },
+      "ciphers": {
       "title": "Cipher Algorithm Configuration",
       "type": "object",
       "properties": {