Initial commit: Open sourcing all of the Maple Open Technologies code.
This commit is contained in:
commit
755d54a99d
2010 changed files with 448675 additions and 0 deletions
186
cloud/maplefile-backend/pkg/security/password/password.go
Normal file
186
cloud/maplefile-backend/pkg/security/password/password.go
Normal file
|
|
@ -0,0 +1,186 @@
|
|||
// File Path: monorepo/cloud/maplefile-backend/pkg/security/password/password.go
|
||||
package password
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"crypto/subtle"
|
||||
"encoding/base64"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/awnumar/memguard"
|
||||
"golang.org/x/crypto/argon2"
|
||||
|
||||
sstring "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/securestring"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrInvalidHash = errors.New("the encoded hash is not in the correct format")
|
||||
ErrIncompatibleVersion = errors.New("incompatible version of argon2")
|
||||
)
|
||||
|
||||
type PasswordProvider interface {
|
||||
GenerateHashFromPassword(password *sstring.SecureString) (string, error)
|
||||
ComparePasswordAndHash(password *sstring.SecureString, hash string) (bool, error)
|
||||
AlgorithmName() string
|
||||
GenerateSecureRandomBytes(length int) ([]byte, error)
|
||||
GenerateSecureRandomString(length int) (string, error)
|
||||
}
|
||||
|
||||
type passwordProvider struct {
|
||||
memory uint32
|
||||
iterations uint32
|
||||
parallelism uint8
|
||||
saltLength uint32
|
||||
keyLength uint32
|
||||
}
|
||||
|
||||
func NewPasswordProvider() PasswordProvider {
|
||||
// DEVELOPERS NOTE:
|
||||
// The following code was copy and pasted from: "How to Hash and Verify Passwords With Argon2 in Go" via https://www.alexedwards.net/blog/how-to-hash-and-verify-passwords-with-argon2-in-go
|
||||
|
||||
// Establish the parameters to use for Argon2.
|
||||
return &passwordProvider{
|
||||
memory: 64 * 1024,
|
||||
iterations: 3,
|
||||
parallelism: 2,
|
||||
saltLength: 16,
|
||||
keyLength: 32,
|
||||
}
|
||||
}
|
||||
|
||||
// GenerateHashFromPassword function takes the plaintext string and returns an Argon2 hashed string.
|
||||
// SECURITY: Password bytes are wiped from memory after hashing to prevent memory dump attacks.
|
||||
func (p *passwordProvider) GenerateHashFromPassword(password *sstring.SecureString) (string, error) {
|
||||
salt, err := generateRandomBytes(p.saltLength)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
defer memguard.WipeBytes(salt) // SECURITY: Wipe salt after use
|
||||
|
||||
passwordBytes := password.Bytes()
|
||||
defer memguard.WipeBytes(passwordBytes) // SECURITY: Wipe password bytes after hashing
|
||||
|
||||
hash := argon2.IDKey(passwordBytes, salt, p.iterations, p.memory, p.parallelism, p.keyLength)
|
||||
defer memguard.WipeBytes(hash) // SECURITY: Wipe raw hash after encoding
|
||||
|
||||
// Base64 encode the salt and hashed password.
|
||||
b64Salt := base64.RawStdEncoding.EncodeToString(salt)
|
||||
b64Hash := base64.RawStdEncoding.EncodeToString(hash)
|
||||
|
||||
// Return a string using the standard encoded hash representation.
|
||||
encodedHash := fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s", argon2.Version, p.memory, p.iterations, p.parallelism, b64Salt, b64Hash)
|
||||
|
||||
return encodedHash, nil
|
||||
}
|
||||
|
||||
// CheckPasswordHash function checks the plaintext string and hash string and returns either true
|
||||
// or false depending.
|
||||
// SECURITY: All sensitive bytes (password, salt, hashes) are wiped from memory after comparison.
|
||||
func (p *passwordProvider) ComparePasswordAndHash(password *sstring.SecureString, encodedHash string) (match bool, err error) {
|
||||
// DEVELOPERS NOTE:
|
||||
// The following code was copy and pasted from: "How to Hash and Verify Passwords With Argon2 in Go" via https://www.alexedwards.net/blog/how-to-hash-and-verify-passwords-with-argon2-in-go
|
||||
|
||||
// Extract the parameters, salt and derived key from the encoded password
|
||||
// hash.
|
||||
p, salt, hash, err := decodeHash(encodedHash)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
defer memguard.WipeBytes(salt) // SECURITY: Wipe salt after use
|
||||
defer memguard.WipeBytes(hash) // SECURITY: Wipe stored hash after comparison
|
||||
|
||||
// Get password bytes and ensure they're wiped after use
|
||||
passwordBytes := password.Bytes()
|
||||
defer memguard.WipeBytes(passwordBytes)
|
||||
|
||||
// Derive the key from the other password using the same parameters.
|
||||
otherHash := argon2.IDKey(passwordBytes, salt, p.iterations, p.memory, p.parallelism, p.keyLength)
|
||||
defer memguard.WipeBytes(otherHash) // SECURITY: Wipe computed hash after comparison
|
||||
|
||||
// Check that the contents of the hashed passwords are identical. Note
|
||||
// that we are using the subtle.ConstantTimeCompare() function for this
|
||||
// to help prevent timing attacks.
|
||||
if subtle.ConstantTimeCompare(hash, otherHash) == 1 {
|
||||
return true, nil
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// AlgorithmName function returns the algorithm used for hashing.
|
||||
func (p *passwordProvider) AlgorithmName() string {
|
||||
return "argon2id"
|
||||
}
|
||||
|
||||
func generateRandomBytes(n uint32) ([]byte, error) {
|
||||
// DEVELOPERS NOTE:
|
||||
// The following code was copy and pasted from: "How to Hash and Verify Passwords With Argon2 in Go" via https://www.alexedwards.net/blog/how-to-hash-and-verify-passwords-with-argon2-in-go
|
||||
|
||||
b := make([]byte, n)
|
||||
_, err := rand.Read(b)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return b, nil
|
||||
}
|
||||
|
||||
func decodeHash(encodedHash string) (p *passwordProvider, salt, hash []byte, err error) {
|
||||
// DEVELOPERS NOTE:
|
||||
// The following code was copy and pasted from: "How to Hash and Verify Passwords With Argon2 in Go" via https://www.alexedwards.net/blog/how-to-hash-and-verify-passwords-with-argon2-in-go
|
||||
|
||||
vals := strings.Split(encodedHash, "$")
|
||||
if len(vals) != 6 {
|
||||
return nil, nil, nil, ErrInvalidHash
|
||||
}
|
||||
|
||||
var version int
|
||||
_, err = fmt.Sscanf(vals[2], "v=%d", &version)
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
if version != argon2.Version {
|
||||
return nil, nil, nil, ErrIncompatibleVersion
|
||||
}
|
||||
|
||||
p = &passwordProvider{}
|
||||
_, err = fmt.Sscanf(vals[3], "m=%d,t=%d,p=%d", &p.memory, &p.iterations, &p.parallelism)
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
salt, err = base64.RawStdEncoding.Strict().DecodeString(vals[4])
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
p.saltLength = uint32(len(salt))
|
||||
|
||||
hash, err = base64.RawStdEncoding.Strict().DecodeString(vals[5])
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
p.keyLength = uint32(len(hash))
|
||||
|
||||
return p, salt, hash, nil
|
||||
}
|
||||
|
||||
// GenerateSecureRandomBytes generates a secure random byte slice of the specified length.
|
||||
func (p *passwordProvider) GenerateSecureRandomBytes(length int) ([]byte, error) {
|
||||
bytes := make([]byte, length)
|
||||
_, err := rand.Read(bytes)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to generate secure random bytes: %v", err)
|
||||
}
|
||||
return bytes, nil
|
||||
}
|
||||
|
||||
// GenerateSecureRandomString generates a secure random string of the specified length.
|
||||
func (p *passwordProvider) GenerateSecureRandomString(length int) (string, error) {
|
||||
bytes, err := p.GenerateSecureRandomBytes(length)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return hex.EncodeToString(bytes), nil
|
||||
}
|
||||
|
|
@ -0,0 +1,50 @@
|
|||
package password
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
sstring "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/securestring"
|
||||
)
|
||||
|
||||
func TestPasswordHashing(t *testing.T) {
|
||||
t.Log("TestPasswordHashing: Starting")
|
||||
|
||||
provider := NewPasswordProvider()
|
||||
t.Log("TestPasswordHashing: Provider created")
|
||||
|
||||
password, err := sstring.NewSecureString("test-password")
|
||||
require.NoError(t, err)
|
||||
t.Log("TestPasswordHashing: Password SecureString created")
|
||||
fmt.Println("TestPasswordHashing: Password SecureString created")
|
||||
|
||||
// Let's add a timeout to see if we can pinpoint the issue
|
||||
done := make(chan bool)
|
||||
go func() {
|
||||
fmt.Println("TestPasswordHashing: Generating hash...")
|
||||
hash, err := provider.GenerateHashFromPassword(password)
|
||||
fmt.Printf("TestPasswordHashing: Hash generated: %v, error: %v\n", hash != "", err)
|
||||
|
||||
if err == nil {
|
||||
fmt.Println("TestPasswordHashing: Comparing password and hash...")
|
||||
match, err := provider.ComparePasswordAndHash(password, hash)
|
||||
fmt.Printf("TestPasswordHashing: Comparison done: match=%v, error=%v\n", match, err)
|
||||
}
|
||||
|
||||
done <- true
|
||||
}()
|
||||
|
||||
select {
|
||||
case <-done:
|
||||
fmt.Println("TestPasswordHashing: Test completed successfully")
|
||||
case <-time.After(10 * time.Second):
|
||||
t.Fatal("Test timed out after 10 seconds")
|
||||
}
|
||||
|
||||
fmt.Println("TestPasswordHashing: Cleaning up password...")
|
||||
password.Wipe()
|
||||
fmt.Println("TestPasswordHashing: Done")
|
||||
}
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
package password
|
||||
|
||||
// ProvidePasswordProvider provides a password provider instance for Wire DI
|
||||
func ProvidePasswordProvider() PasswordProvider {
|
||||
return NewPasswordProvider()
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue