change hashing algorithm from SHA-512 to bcrypt

[C0rby]

Even though SHA-512 is currently considered a secure algorithm it is not the best choice for password hashing. As this change introduces a breaking change it is beast to introduce it as early as possible to prevent us from having to implement a migration strategy

Closes: owncloud/product#195

[kulmann]

Please add the changelog in /docs /changelog on the top level of the repo. Extensions are not supposed to have their own changelog anymore. :-)

[C0rby]

Ah thanks! Wasn't sure about that. 👍

[kulmann]

👍

[micbar]

please rebase

[kulmann]

Please rebase again :-)

[phil-davis]

I rebased - CI might be kinder this time.

[C0rby]

I really don't get the error of phoenixWebUI2... It's a bit frustrating... I need to dig deeper on monday...

[kulmann]

ocis-server logs in drone look like you might have a wrong password for the reva user...

2020-10-09T14:14:32Z ERR Login failed binddn=cn=reva,ou=sysusers,dc=example,dc=org handler=ocis service=glauth src={"IP":"127.0.0.1","Port":36030,"Zone":""} username=reva
--
19413 | 2020-10-09T14:14:32Z ERR bind with system user failed error="LDAP Result Code 49 \"Invalid Credentials\": " pkg=rgrpc service=storage traceid=0cbbb590ef485c1067ef84cff93ab30d

[kulmann]

... which is weird, because when I delete my local accounts data dir and run ocis from your branch, I can login as reva:reva.

[C0rby]

Seems like the requests from glauth to the accounts service timeout.

2020-10-13T21:27:49Z ERR Could not list accounts error="{\"id\":\"go.micro.client\",\"code\":408,\"detail\":\"context deadline exceeded\",\"status\":\"Request Timeout\"}" basedn=dc=example,dc=org binddn=cn=konnectd,ou=sysusers,dc=example,dc=org filter=(objectClass=posixaccount) handler=ocis query="on_premises_sam_account_name eq 'user1'" service=glauth src={"IP":"127.0.0.1","Port":55198,"Zone":""}

Maybe the accounts service crashes? But why is there no hint in the logs?

[C0rby]

I lowered the difficulty to 11 now which should half the hashing time.

[C0rby]

It looks better now but I'm still not happy about some tests taking 40+ minutes.

[phil-davis]

I am putting together some run-time stats. Will post here when CI finishes...

I changed the drone timeout from 1 to 2 hours for this repo - hopefully the currently running pipelines do not get killed after 1 hour. I want to see how long they run.

[C0rby]

And it got killed...

[C0rby]

@phil-davis, how hard would it be to make the api tests use OpenID?

[phil-davis]

Comparison of any earlier "typical" CI run today vs this PR with _hashDifficulty = 11

https://drone.owncloud.com/owncloud/ocis/1322 vs https://drone.owncloud.com/owncloud/ocis/1326
local-ownc 07:08 19:40
local-ocis 05:26 14:40
           13    34 = about 2.5 times longer

core-ownc1 11:01 27:05 - 
core-ocis1 11:28 25:54
core-ownc2 04:57 14:40
core-ocis2 06:40 24:50
core-ownc3 24:51 >60
core-ocis3 27:34 >60
core-ownc4 23:32 >60
core-ocis4 21:28 >60
core-ownc5 12:42 33:01
core-ocis5 12:12 31:58
core-ownc6 18:55 46:11
core-ocis6 23:02 >60
          198   >504 = at least 2.5 times longer

phoenix-1  12:11 19:07
phoenix-2  09:14 15:12 F
phoenix-3  12:51 17:02
phoenix-4  06:01 08:58
phoenix-5  19:56 31:42 F
phoenix-6  21:56 27:07
phoenix-7  12:16 13:24
phoenix-8  08:59 11:07
          103   143 + about 40% slower

The tests are quite intensive with setup and teardown (creating/deleting users/groups...). So the API tests show a bigger slowdown because the UI tests already spend more of their time waiting for the browser to be ready.

"the system" is a lot slower with this change.

[C0rby]

What we could do is to make the difficulty configurable and to lower it for the tests.

[C0rby]

This should have similar times to the master now.

EDIT: I lowered the difficulty even more to 4. This is the lowest possible value and takes around 1.5ms to compute a hash value on my machine. Let's see if it makes any differences in the pipelines.

[C0rby]

Ok, looks better now.

[phil-davis]

What we could do is to make the difficulty configurable and to lower it for the tests.

That was a good idea. And if someone wants to test with a bigger hash difficulty they can easily change (or remove) the environment variable ACCOUNTS_HASH_DIFFICULTY and measure the time/CPU dfference.

[phil-davis]

There were some UI test fails - those are annoying. I restarted drone CI.

[kulmann]

What we could do is to make the difficulty configurable and to lower it for the tests.

That was a good idea. And if someone wants to test with a bigger hash difficulty they can easily change (or remove) the environment variable ACCOUNTS_HASH_DIFFICULTY and measure the time/CPU dfference.

Also needs to be used when updating ocis in phoenix CI. Good solution 👍
cc @dpakach

[phil-davis]

@C0rby other good stuff for fixing the intermittent fails issue #820 has been merged.
If you rebase this, it might pass!

[C0rby]

The scenario tests/acceptance/features/webUISharingInternalUsers/shareWithUsers.feature:359 does also fail quite consistently.
For some reason the method prepareCollaborators in apps/files/src/components/Collaborators/SharedFilesList.vue gets called multiple times. The first time with the correct shares array and then multiple times with undefined.
But only in the tests not when doing it manually...

shares  Array(1) files.bundle.js:301 
shares  undefined core.bundle.js:17
TypeError: Cannot read property 'forEach' of undefined
    at s.prepareCollaborators (files.bundle.js:301)
    at fn (files.bundle.js:301)
    at r (core.bundle.js:17)
    at s.ge [as _t] (core.bundle.js:17)
    at fn (files.bundle.js:301)
    at r (core.bundle.js:17)
    at s.ge [as _t] (core.bundle.js:17)
    at files.bundle.js:296
    at s.ve [as _l] (core.bundle.js:17)
    at s.w (files.bundle.js:296) files.bundle.js:301 
shares  undefined core.bundle.js:17
TypeError: Cannot read property 'forEach' of undefined
    at s.prepareCollaborators (files.bundle.js:301)
    at fn (files.bundle.js:301)
    at r (core.bundle.js:17)
    at s.ge [as _t] (core.bundle.js:17)
    at fn (files.bundle.js:301)
    at r (core.bundle.js:17)
    at s.ge [as _t] (core.bundle.js:17)
    at files.bundle.js:296
    at s.ve [as _l] (core.bundle.js:17)
    at s.w (files.bundle.js:296) files.bundle.js:301
shares  undefined core.bundle.js:17
TypeError: Cannot read property 'forEach' of undefined
    at s.prepareCollaborators (files.bundle.js:301)
    at fn (files.bundle.js:301)
    at r (core.bundle.js:17)
    at s.ge [as _t] (core.bundle.js:17)
    at fn (files.bundle.js:301)
    at r (core.bundle.js:17)
    at s.ge [as _t] (core.bundle.js:17)
    at files.bundle.js:296
    at s.ve [as _l] (core.bundle.js:17)
    at s.w (files.bundle.js:296)

[C0rby]

The UI tests are something for tomorrow...

[C0rby]

Waiting for owncloud/web#4297

[phil-davis]

owncloud/web#4297 has been merged in the phoenix repo.
#836 bumped the commit id used for the Phoenix UI tests and is now in master
I rebased this. Let's see what CI says.

[phil-davis]

https://drone.owncloud.com/owncloud/ocis/1348/29/7 failed.

Failures:

1) Scenario: upload new file with same name to see if different versions are shown (attempt 2) # tests/acceptance/features/webUIFiles/versions.feature:14
   ✔ Before # tests/acceptance/setup.js:28
   ✔ Before # tests/acceptance/setup.js:32
   ✔ Before # tests/acceptance/setup.js:36
   ✔ Before # tests/acceptance/setup.js:46
   ✔ Before # tests/acceptance/setup.js:68
   ✔ Before # tests/acceptance/setup.js:75
   ✔ Before # tests/acceptance/stepDefinitions/filesContext.js:18
   ✔ Before # tests/acceptance/stepDefinitions/generalContext.js:234
   ✔ Before # tests/acceptance/stepDefinitions/generalContext.js:273
   ✔ Given these users have been created with default attributes: # tests/acceptance/stepDefinitions/provisioningContext.js:199
       | username |
       | user0    |
       | user1    |
   ✔ Given user "user0" has logged in using the webUI # tests/acceptance/stepDefinitions/loginContext.js:67
   ✔ And the user has browsed to the files page # tests/acceptance/stepDefinitions/filesContext.js:82
   ✔ And user "user0" has uploaded file with content "lorem content" to "lorem.txt" # tests/acceptance/stepDefinitions/filesContext.js:92
   ✔ And user "user0" has uploaded file with content "new lorem content" to "lorem.txt" # tests/acceptance/stepDefinitions/filesContext.js:92
   ✔ When the user browses to display the "versions" details of file "lorem.txt" # tests/acceptance/stepDefinitions/filesContext.js:112
   ✔ Then the content of file "lorem.txt" for user "user0" should be "new lorem content" # tests/acceptance/stepDefinitions/filesContext.js:482
   ✖ And the versions list should contain 2 entries # tests/acceptance/stepDefinitions/filesContext.js:458
       AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:

       2 !== 1

That's sad. Only one of the expected versions is displayed. There is likely some timing issue with the multiple uploads?

I restarted drone.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities (and 0 Security Hotspots to review)
0 Code Smells

No Coverage information
No Duplication information

[phil-davis]

@C0rby CI passed. IMO this PR is "a good thing" and does not make CI any less reliable. Feel free to merge if you agree.