make hash difficulty configurable

owncloud · Nov 10, 2020 · fe9919d · fe9919d
1 parent 8296251
commit fe9919d
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 6 deletions.
diff --git a/.drone.star b/.drone.star
@@ -1411,6 +1411,8 @@ def ocisServer(storage):
         'KONNECTD_IDENTIFIER_REGISTRATION_CONF': '/drone/src/ocis/tests/config/drone/identifier-registration.yml',
         'KONNECTD_ISS': 'https://ocis-server:9200',
         'KONNECTD_TLS': 'true',
+        # 4 is the lowest possible value. ONLY FOR TESTS
+        'ACCOUNTS_HASH_DIFFICULTY': 4,
       },
       'commands': [
         'apk add mailcap', # install /etc/mime.types

diff --git a/accounts/pkg/config/config.go b/accounts/pkg/config/config.go
@@ -42,6 +42,7 @@ type Server struct {
 	Version          string
 	Name             string
 	AccountsDataPath string
+	HashDifficulty   int
 }
 
 // Asset defines the available asset configuration.

diff --git a/accounts/pkg/flagset/flagset.go b/accounts/pkg/flagset/flagset.go
@@ -85,6 +85,13 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"ACCOUNTS_DATA_PATH"},
 			Destination: &cfg.Server.AccountsDataPath,
 		},
+		&cli.IntFlag{
+			Name:        "accounts-hash-difficulty",
+			Value:       11,
+			Usage:       "accounts password hash difficulty",
+			EnvVars:     []string{"ACCOUNTS_HASH_DIFFICULTY"},
+			Destination: &cfg.Server.HashDifficulty,
+		},
 		&cli.StringFlag{
 			Name:        "asset-path",
 			Value:       "",

diff --git a/accounts/pkg/service/v0/accounts.go b/accounts/pkg/service/v0/accounts.go
@@ -29,10 +29,6 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
-const (
-	_hashDifficulty = 11
-)
-
 // accLock mutually exclude readers from writers on account files
 var accLock sync.Mutex
 
@@ -315,7 +311,7 @@ func (s Service) CreateAccount(ctx context.Context, in *proto.CreateAccountReque
 	if out.PasswordProfile != nil {
 		if out.PasswordProfile.Password != "" {
 			// encrypt password
-			hashed, err := bcrypt.GenerateFromPassword([]byte(in.Account.PasswordProfile.Password), _hashDifficulty)
+			hashed, err := bcrypt.GenerateFromPassword([]byte(in.Account.PasswordProfile.Password), s.Config.Server.HashDifficulty)
 			if err != nil {
 				s.log.Error().Err(err).Str("id", id).Msg("could not hash password")
 				return merrors.InternalServerError(s.id, "could not hash password: %v", err.Error())
@@ -499,7 +495,7 @@ func (s Service) UpdateAccount(ctx context.Context, in *proto.UpdateAccountReque
 		}
 		if in.Account.PasswordProfile.Password != "" {
 			// encrypt password
-			hashed, err := bcrypt.GenerateFromPassword([]byte(in.Account.PasswordProfile.Password), _hashDifficulty)
+			hashed, err := bcrypt.GenerateFromPassword([]byte(in.Account.PasswordProfile.Password), s.Config.Server.HashDifficulty)
 			if err != nil {
 				in.Account.PasswordProfile.Password = ""
 				s.log.Error().Err(err).Str("id", id).Msg("could not hash password")