Commit 166b17c3 authored by Dave Cridland's avatar Dave Cridland Committed by akrherz

OF-1278 Do not be such an idiot while recursing (#751)

* OF-1278 Recurse more sensibly in SCRAM code

Previously, we called setPassword if (and only if) there was a plaintext password present AND the configuration was for SCRAM hashed passwords only.

However, we would then retest to see if there was a salt present, and then recurse, if there was a plaintext password present.

This meant that if there were pre-existing users (with only plaintext or encrypted passwords) but with no SCRAM information, and the userInfo.salt was unset, recursion would continue indefinitely.

* OF-1278 Recurse more sensibly in SCRAM code

This patch further proofs against infinite recursion, and is more aggressive about SCRAMming pre-existing users.

Recursion is now prevented from being more than one deep, as designed.
parent 49f4aa10
...@@ -78,6 +78,9 @@ public class DefaultAuthProvider implements AuthProvider { ...@@ -78,6 +78,9 @@ public class DefaultAuthProvider implements AuthProvider {
} }
private UserInfo getUserInfo(String username) throws UnsupportedOperationException, UserNotFoundException { private UserInfo getUserInfo(String username) throws UnsupportedOperationException, UserNotFoundException {
return getUserInfo(username, false);
}
private UserInfo getUserInfo(String username, boolean recurse) throws UnsupportedOperationException, UserNotFoundException {
if (!isScramSupported()) { if (!isScramSupported()) {
// Reject the operation since the provider does not support SCRAM // Reject the operation since the provider does not support SCRAM
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
...@@ -108,15 +111,15 @@ public class DefaultAuthProvider implements AuthProvider { ...@@ -108,15 +111,15 @@ public class DefaultAuthProvider implements AuthProvider {
// Ignore and return plain password instead. // Ignore and return plain password instead.
} }
} }
if (!recurse) {
if (userInfo.plainText != null) { if (userInfo.plainText != null) {
boolean scramOnly = JiveGlobals.getBooleanProperty("user.scramHashedPasswordOnly"); boolean scramOnly = JiveGlobals.getBooleanProperty("user.scramHashedPasswordOnly");
if (scramOnly) { if (scramOnly || userInfo.salt == null) {
// If we have a password here, but we're meant to be scramOnly, we should reset it. // If we have a password here, but we're meant to be scramOnly, we should reset it.
setPassword(username, userInfo.plainText); setPassword(username, userInfo.plainText);
}
if (userInfo.salt == null) {
// RECURSE // RECURSE
return getUserInfo(username); return getUserInfo(username, true);
}
} }
} }
// Good to go. // Good to go.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment