Posted to commits@rave.apache.org by mp...@apache.org on 2011/08/10 00:28:54 UTC

svn commit: r1155576 - in /incubator/rave/trunk/rave-commons: pom.xml src/main/java/org/apache/rave/jdbc/util/SqlFileParser.java

Author: mpierce
Date: Tue Aug  9 22:28:53 2011
New Revision: 1155576

URL: http://svn.apache.org/viewvc?rev=1155576&view=rev
Log:
(RAVE-167) adding hashing and salting based on user name for built in user accounts.

Modified:
    incubator/rave/trunk/rave-commons/pom.xml
    incubator/rave/trunk/rave-commons/src/main/java/org/apache/rave/jdbc/util/SqlFileParser.java

Modified: incubator/rave/trunk/rave-commons/pom.xml
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-commons/pom.xml?rev=1155576&r1=1155575&r2=1155576&view=diff
==============================================================================
--- incubator/rave/trunk/rave-commons/pom.xml (original)
+++ incubator/rave/trunk/rave-commons/pom.xml Tue Aug  9 22:28:53 2011
@@ -46,6 +46,11 @@
             <groupId>org.springframework</groupId>
             <artifactId>spring-orm</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+        </dependency>
+
         <!--Persistence-->
         <dependency>
             <groupId>org.apache.openjpa</groupId>

Modified: incubator/rave/trunk/rave-commons/src/main/java/org/apache/rave/jdbc/util/SqlFileParser.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-commons/src/main/java/org/apache/rave/jdbc/util/SqlFileParser.java?rev=1155576&r1=1155575&r2=1155576&view=diff
==============================================================================
--- incubator/rave/trunk/rave-commons/src/main/java/org/apache/rave/jdbc/util/SqlFileParser.java (original)
+++ incubator/rave/trunk/rave-commons/src/main/java/org/apache/rave/jdbc/util/SqlFileParser.java Tue Aug  9 22:28:53 2011
@@ -20,6 +20,9 @@
 package org.apache.rave.jdbc.util;
 
 import org.springframework.core.io.Resource;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.encoding.PasswordEncoder;
+import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 
 import java.io.BufferedReader;
 import java.io.File;
@@ -30,6 +33,7 @@ import java.util.Set;
 import java.util.Stack;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.StringTokenizer;
 
 /**
  * Parses a file looking for create, alter, insert, update, delete or drop commands and appends them to an output
@@ -63,14 +67,19 @@ public class SqlFileParser {
     private Stack<State> stateStack;
     private Resource resource;
 
+	 private PasswordEncoder passwordEncoder;
+
     /**
      * Constructor takes a Spring {@link org.springframework.core.io.Resource}
      *
      * @param resource the initial file to parse
      */
+
     public SqlFileParser(Resource resource) {
         stateStack = new Stack<State>();
         this.resource = resource;
+
+		  passwordEncoder=new ShaPasswordEncoder();
     }
 
     /**
@@ -139,6 +148,10 @@ public class SqlFileParser {
                 break;
             }
             case READSQL: {
+					 //This is specific to Rave's initial_data.sql.
+					 //TODO replace this with an external, pluggable utility class.
+					 line=hashAndSaltPassword(line);
+
                 sql.append(line);
                 //add a space to accommodate line breaks.  Not a big deal if extraneous spaces are added
                 sql.append(" ");
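Review bot: `line=hashAndSaltPassword(line);` is applied per physical line, and the helper only rewrites a line that carries both the `@user_id_` and `user_id_seq` markers plus at least five comma-separated values; a reformatted or multi-line INSERT in initial_data.sql will therefore pass through untouched and the plaintext value ends up in the database with no error or log line. At minimum log at warn level when the markers match but the token count check fails, so a silently skipped hash is visible at startup. The enclosing parse method starts and ends outside this hunk.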
@@ -153,9 +166,57 @@ public class SqlFileParser {
             }
         }
     }
+	 
+	 //TODO: this is specific to initial_data.sql while rest of the class code is 
+	 //general purpose.  Need to find a better way to do this.
+	 private String hashAndSaltPassword(String line) {
+		  String newLine=line;
+
+		  //TODO This will BREAK if the SQL line ever gets changed.
+		  //TODO This is a not very good way to make sure we have the correct line.
+		  if(line.indexOf("@user_id_")>-1 && line.indexOf("user_id_seq")>-1) {
+				StringTokenizer st=new StringTokenizer(newLine,",");
+				if(st.countTokens()>4) {
+					 String userid=st.nextToken();
+					 String userseq=st.nextToken();
+					 String username=st.nextToken();
+					 String password=st.nextToken();
+					 username=stripQuotes(username);
+					 password=stripQuotes(password);
+					 //TODO: This assumes that the user name is used for the salt. This may change.
+					 //See DefaultNewAccountService
+					 String saltedHash=passwordEncoder.encodePassword(password,username);
+					 newLine=replacePassword(newLine,password,saltedHash);
+				}
+				else {
+					 //Line was unexpectedly formatted
+				}
+		  }
+		  else {
+				//Do nothing.
+		  }
+		  
+		  return newLine;
+	 }
+	 
+	 //Used to strip the single quotes around the input string
+	 private String stripQuotes(String quotedString) {
+		  StringBuilder unquoted=new StringBuilder(quotedString);
+		  int index1=unquoted.indexOf("'");
+		  int index2=unquoted.lastIndexOf("'");
+		  return unquoted.substring(index1+1,index2);
+	 }
+
+	 //Replace the password in the original string with the hashed and salted password
+	 private String replacePassword(String line, String password, String hashedPassword) {
+		  StringBuilder newLine=new StringBuilder(line);
+		  newLine=newLine.replace(line.lastIndexOf(password),line.lastIndexOf(password)+password.length(),hashedPassword);
+		  return newLine.toString();
+	 }
 
     private static String getFirstWord(String line) {
         Matcher match = WORD_PATTERN.matcher(line);
         return match.find() ? match.group(1) : null;
     }
+
 }
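Review bot: `stripQuotes` returns `unquoted.substring(index1+1,index2)` without checking that a quote was found, so a token with no single quote (index -1) throws StringIndexOutOfBoundsException and aborts the whole parse, and an empty password `''` yields "" for which `line.lastIndexOf(password)` in `replacePassword` is the line length, appending the hash after the statement instead of replacing anything. Add `if (index1 < 0 || index2 <= index1) { return quotedString; }` before the substring and skip the rewrite in `hashAndSaltPassword` when `password.isEmpty()`. `replacePassword` also relies on `lastIndexOf(password)` locating the password column; if the same text appears in a later column the wrong span is replaced, so a comment stating that assumption (`// assumes the password value does not reappear later in the line`) is worth adding. The empty `else` branches with only a comment should either log or be dropped.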