From fe9919d5cb9c2a44bcdc5d93d0577cbeccbe2739 Mon Sep 17 00:00:00 2001
From: David Christofas
Date: Tue, 10 Nov 2020 14:01:22 +0100
Subject: [PATCH] make hash difficulty configurable
---
 .drone.star | 2 ++
 accounts/pkg/config/config.go | 1 +
 accounts/pkg/flagset/flagset.go | 7 +++++++
 accounts/pkg/service/v0/accounts.go | 8 ++------
 4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/.drone.star b/.drone.star
index 880c8d95d73..6391ac53e5b 100644
--- a/.drone.star
+++ b/.drone.star
@@ -1411,6 +1411,8 @@ def ocisServer(storage):
 'KONNECTD_IDENTIFIER_REGISTRATION_CONF': '/drone/src/ocis/tests/config/drone/identifier-registration.yml',
 'KONNECTD_ISS': 'https://ocis-server:9200',
 'KONNECTD_TLS': 'true',
+ # 4 is the lowest possible value. ONLY FOR TESTS
+ 'ACCOUNTS_HASH_DIFFICULTY': 4,
 },
 'commands': [
 'apk add mailcap', # install /etc/mime.types
diff --git a/accounts/pkg/config/config.go b/accounts/pkg/config/config.go
index d3730f003e6..ac0b6abe866 100644
--- a/accounts/pkg/config/config.go
+++ b/accounts/pkg/config/config.go
@@ -42,6 +42,7 @@ type Server struct {
 Version string
 Name string
 AccountsDataPath string
+ HashDifficulty int
 }
 // Asset defines the available asset configuration.
diff --git a/accounts/pkg/flagset/flagset.go b/accounts/pkg/flagset/flagset.go
index 88e67f2744e..1eb93815395 100644
--- a/accounts/pkg/flagset/flagset.go
+++ b/accounts/pkg/flagset/flagset.go
@@ -85,6 +85,13 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"ACCOUNTS_DATA_PATH"},
 Destination: &cfg.Server.AccountsDataPath,
 },
+ &cli.IntFlag{
+ Name: "accounts-hash-difficulty",
+ Value: 11,
+ Usage: "accounts password hash difficulty",
+ EnvVars: []string{"ACCOUNTS_HASH_DIFFICULTY"},
+ Destination: &cfg.Server.HashDifficulty,
+ },
 &cli.StringFlag{
 Name: "asset-path",
 Value: "",
diff --git a/accounts/pkg/service/v0/accounts.go b/accounts/pkg/service/v0/accounts.go
index 50d34bd3207..2d88c313f4e 100644
--- a/accounts/pkg/service/v0/accounts.go
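Review bot: The `accounts-hash-difficulty` flag added to ServerWithConfig accepts any integer, and neither the flag nor its help text bounds or documents the range. The value is used as the bcrypt cost, so a deployment can run with 4, which the CI change in this patch marks as test-only, or with a cost high enough that every password write stalls the service. I would spell the range out in the help text, e.g. `Usage: "bcrypt cost for account password hashes (4-31, default 11)"`, and log a warning at startup when the configured cost is below the previous fixed value of 11. ServerWithConfig starts and ends outside the hunk.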
+++ b/accounts/pkg/service/v0/accounts.go
@@ -29,10 +29,6 @@ import (
 "google.golang.org/protobuf/types/known/timestamppb"
 )
-const (
- _hashDifficulty = 11
-)
-
 // accLock mutually exclude readers from writers on account files
 var accLock sync.Mutex
@@ -315,7 +311,7 @@ func (s Service) CreateAccount(ctx context.Context, in *proto.CreateAccountReque
 if out.PasswordProfile != nil {
 if out.PasswordProfile.Password != "" {
 // encrypt password
- hashed, err := bcrypt.GenerateFromPassword([]byte(in.Account.PasswordProfile.Password), _hashDifficulty)
+ hashed, err := bcrypt.GenerateFromPassword([]byte(in.Account.PasswordProfile.Password), s.Config.Server.HashDifficulty)
 if err != nil {
 s.log.Error().Err(err).Str("id", id).Msg("could not hash password")
 return merrors.InternalServerError(s.id, "could not hash password: %v", err.Error())
@@ -499,7 +495,7 @@ func (s Service) UpdateAccount(ctx context.Context, in *proto.UpdateAccountReque
 }
 if in.Account.PasswordProfile.Password != "" {
 // encrypt password
- hashed, err := bcrypt.GenerateFromPassword([]byte(in.Account.PasswordProfile.Password), _hashDifficulty)
+ hashed, err := bcrypt.GenerateFromPassword([]byte(in.Account.PasswordProfile.Password), s.Config.Server.HashDifficulty)
 if err != nil {
 in.Account.PasswordProfile.Password = ""
 s.log.Error().Err(err).Str("id", id).Msg("could not hash password")
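Review bot: `s.Config.Server.HashDifficulty` is passed to `bcrypt.GenerateFromPassword` unchecked in the CreateAccount hunk, and the UpdateAccount hunk has the same call. bcrypt substitutes `bcrypt.DefaultCost` (10) for any cost below `bcrypt.MinCost`, so a Service whose config was built without the flag set (zero value) would silently hash at 10 instead of the former 11. A cost above `bcrypt.MaxCost` is reported only when the first password is written, as an internal server error. A single check where the service is constructed, `if c := cfg.Server.HashDifficulty; c < bcrypt.MinCost || c > bcrypt.MaxCost { /* fail startup */ }`, would surface both cases early; the constructor is not visible in this patch, so the exact place is an assumption. Both function bodies start and end outside their hunks.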