use scrypt (#902)

go.mod

@@ -9,11 +9,12 @@ require (
 	github.com/coreos/etcd v3.3.22+incompatible
 	github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea // v4
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/go-chassis/foundation v0.1.1-0.20200825060850-b16bf420f7b3
+	github.com/elithrar/simple-scrypt v1.3.0 // indirect
+	github.com/go-chassis/foundation v0.3.0
 	github.com/go-chassis/go-archaius v1.3.2
 	github.com/go-chassis/go-chassis v0.0.0-20200826064053-d90be848aa10
 	github.com/go-chassis/paas-lager v1.1.1
-	github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d
+	github.com/gogo/protobuf v1.3.1
 	github.com/golang/protobuf v1.3.2
 	github.com/gorilla/websocket v1.4.2
 	github.com/hashicorp/serf v0.8.3
@@ -34,7 +35,7 @@ require (
 	github.com/satori/go.uuid v1.1.0
 	github.com/spf13/cobra v0.0.0-20170624150100-4d647c8944eb
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.4.0
+	github.com/stretchr/testify v1.6.1
 	github.com/widuu/gojson v0.0.0-20170212122013-7da9d2cd949b
 	go.uber.org/zap v1.10.0
 	golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a

pkg/privacy/password.go

@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package privacy
+
+import (
+	"github.com/apache/servicecomb-service-center/pkg/log"
+	"github.com/elithrar/simple-scrypt"
+	"github.com/go-chassis/foundation/stringutil"
+	"golang.org/x/crypto/bcrypt"
+	"strings"
+)
+
+const (
+	algBcrypt = "$2a$"
+)
+
+//HashPassword
+//Deprecated: use ScryptPassword, this is only for unit test to test compatible with old version
+func HashPassword(pwd string) (string, error) {
+	hash, err := bcrypt.GenerateFromPassword([]byte(pwd), 14)
+	if err != nil {
+		return "", err
+	}
+	return stringutil.Bytes2str(hash), nil
+}
+func ScryptPassword(pwd string) (string, error) {
+	hash, err := scrypt.GenerateFromPassword([]byte(pwd), scrypt.DefaultParams)
+	if err != nil {
+		return "", err
+	}
+	return string(hash), nil
+}
+func SamePassword(hashedPwd, pwd string) bool {
+	if strings.HasPrefix(hashedPwd, algBcrypt) {
+		err := bcrypt.CompareHashAndPassword([]byte(hashedPwd), []byte(pwd))
+		if err == bcrypt.ErrMismatchedHashAndPassword {
+			log.Warn("incorrect password attempts")
+		}
+		return err == nil
+	}
+	err := scrypt.CompareHashAndPassword([]byte(hashedPwd), []byte(pwd))
+	if err == scrypt.ErrMismatchedHashAndPassword {
+		log.Warn("incorrect password attempts")
+	}
+	return err == nil
+
+}

pkg/privacy/password_test.go

@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package privacy_test
+
+import (
+	"github.com/apache/servicecomb-service-center/pkg/privacy"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestHashPassword(t *testing.T) {
+	h, _ := privacy.HashPassword("test")
+	t.Log(h)
+	mac, _ := privacy.ScryptPassword("test")
+	t.Log(mac)
+
+	t.Run("given old hash result, should be compatible", func(t *testing.T) {
+		same := privacy.SamePassword(h, "test")
+		assert.True(t, same)
+	})
+
+	sameMac := privacy.SamePassword(mac, "test")
+	assert.True(t, sameMac)
+}

server/service/rbac/authr_plugin.go

@@ -21,6 +21,7 @@ import (
 	"context"
 	"errors"
 	"github.com/apache/servicecomb-service-center/pkg/log"
+	"github.com/apache/servicecomb-service-center/pkg/privacy"
 	"github.com/apache/servicecomb-service-center/pkg/rbacframe"
 	"github.com/apache/servicecomb-service-center/server/service/rbac/dao"
 	"github.com/dgrijalva/jwt-go"
@@ -57,7 +58,7 @@ func (a *EmbeddedAuthenticator) Login(ctx context.Context, user string, password
 		log.Error("get account err", err)
 		return "", err
 	}
-	same := SamePassword(account.Password, password)
+	same := privacy.SamePassword(account.Password, password)
 	if user == account.Name && same {
 		secret, err := GetPrivateKey()
 		if err != nil {

server/service/rbac/dao/account_dao.go

@@ -25,12 +25,11 @@ import (
 	"fmt"
 	"github.com/apache/servicecomb-service-center/pkg/etcdsync"
 	"github.com/apache/servicecomb-service-center/pkg/log"
+	"github.com/apache/servicecomb-service-center/pkg/privacy"
 	"github.com/apache/servicecomb-service-center/pkg/rbacframe"
 	"github.com/apache/servicecomb-service-center/pkg/util"
 	"github.com/apache/servicecomb-service-center/server/core"
 	"github.com/apache/servicecomb-service-center/server/service/kv"
-	stringutil "github.com/go-chassis/foundation/string"
-	"golang.org/x/crypto/bcrypt"
 )
 
 var ErrDuplicated = errors.New("account is duplicated")
@@ -58,12 +57,12 @@ func CreateAccount(ctx context.Context, a *rbacframe.Account) error {
 	if exist {
 		return ErrDuplicated
 	}
-	hash, err := bcrypt.GenerateFromPassword([]byte(a.Password), 14)
+	hash, err := privacy.ScryptPassword(a.Password)
 	if err != nil {
 		log.Errorf(err, "pwd hash failed")
 		return err
 	}
-	a.Password = stringutil.Bytes2str(hash)
+	a.Password = hash
 	a.ID = util.GenerateUUID()
 	value, err := json.Marshal(a)
 	if err != nil {

server/service/rbac/dao/account_dao_test.go

@@ -19,6 +19,7 @@ package dao_test
 
 import (
 	"context"
+	"github.com/apache/servicecomb-service-center/pkg/privacy"
 	"github.com/apache/servicecomb-service-center/pkg/rbacframe"
 	mgr "github.com/apache/servicecomb-service-center/server/plugin"
 	"github.com/apache/servicecomb-service-center/server/plugin/discovery/etcd"
@@ -27,7 +28,6 @@ import (
 	"github.com/apache/servicecomb-service-center/server/service/rbac/dao"
 	"github.com/astaxie/beego"
 	"github.com/stretchr/testify/assert"
-	"golang.org/x/crypto/bcrypt"
 	"testing"
 )
 
@@ -46,8 +46,8 @@ func TestAccountDao_CreateAccount(t *testing.T) {
 		r, err := dao.GetAccount(context.Background(), "admin")
 		assert.NoError(t, err)
 		assert.Equal(t, "admin", r.Name)
-		hash, err := bcrypt.GenerateFromPassword([]byte("pwd"), 14)
-		err = bcrypt.CompareHashAndPassword(hash, []byte("pwd"))
-		assert.NoError(t, err)
+		hash, err := privacy.ScryptPassword("pwd")
+		b := privacy.SamePassword(hash, "pwd")
+		assert.True(t, b)
 	})
 }

server/service/rbac/password.go

@@ -19,9 +19,8 @@ package rbac
 
 import (
 	"context"
+	"github.com/apache/servicecomb-service-center/pkg/privacy"
 	"github.com/apache/servicecomb-service-center/pkg/rbacframe"
-	stringutil "github.com/go-chassis/foundation/string"
-	"golang.org/x/crypto/bcrypt"
 
 	"github.com/apache/servicecomb-service-center/pkg/log"
 	"github.com/apache/servicecomb-service-center/server/service/rbac/dao"
@@ -63,7 +62,7 @@ func changePassword(ctx context.Context, name, currentPassword, pwd string) erro
 		log.Error("can not change pwd", err)
 		return err
 	}
-	same := SamePassword(old.Password, currentPassword)
+	same := privacy.SamePassword(old.Password, currentPassword)
 	if !same {
 		log.Error("current password is wrong", nil)
 		return ErrWrongPassword
@@ -76,24 +75,16 @@ func changePassword(ctx context.Context, name, currentPassword, pwd string) erro
 }
 
 func doChangePassword(ctx context.Context, old *rbacframe.Account, pwd string) error {
-	hash, err := bcrypt.GenerateFromPassword([]byte(pwd), 14)
+	hash, err := privacy.ScryptPassword(pwd)
 	if err != nil {
 		log.Error("pwd hash failed", err)
 		return err
 	}
-	old.Password = stringutil.Bytes2str(hash)
+	old.Password = hash
 	err = dao.EditAccount(ctx, old)
 	if err != nil {
 		log.Error("can not change pwd", err)
 		return err
 	}
 	return nil
 }
-
-func SamePassword(hashedPwd, pwd string) bool {
-	err := bcrypt.CompareHashAndPassword([]byte(hashedPwd), []byte(pwd))
-	if err == bcrypt.ErrMismatchedHashAndPassword {
-		log.Warn("incorrect password attempts")
-	}
-	return err == nil
-}

server/service/rbac/rbca_test.go

@@ -20,6 +20,7 @@ package rbac_test
 import (
 	"context"
 	"fmt"
+	"github.com/apache/servicecomb-service-center/pkg/privacy"
 	"github.com/apache/servicecomb-service-center/pkg/rbacframe"
 	"github.com/apache/servicecomb-service-center/server/service/rbac"
 	"github.com/apache/servicecomb-service-center/server/service/rbac/dao"
@@ -86,7 +87,7 @@ func TestInitRBAC(t *testing.T) {
 		assert.NoError(t, err)
 		a, err := dao.GetAccount(context.Background(), "a")
 		assert.NoError(t, err)
-		assert.True(t, rbac.SamePassword(a.Password, "Complicated_password2"))
+		assert.True(t, privacy.SamePassword(a.Password, "Complicated_password2"))
 	})
 	t.Run("change self password", func(t *testing.T) {
 		err := dao.CreateAccount(context.Background(), &rbacframe.Account{Name: "b", Password: "Complicated_password1"})
@@ -95,7 +96,7 @@ func TestInitRBAC(t *testing.T) {
 		assert.NoError(t, err)
 		a, err := dao.GetAccount(context.Background(), "b")
 		assert.NoError(t, err)
-		assert.True(t, rbac.SamePassword(a.Password, "Complicated_password2"))
+		assert.True(t, privacy.SamePassword(a.Password, "Complicated_password2"))
 
 	})
 	t.Run("list kv", func(t *testing.T) {