Package io.conducive.server.db.impl

Source Code of io.conducive.server.db.impl.UserDAOImpl

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
package io.conducive.server.db.impl;

import io.conducive.server.bind.DBFile;
import io.conducive.server.db.UserDAO;
import io.conducive.server.db.exception.DuplicateUserException;
import io.conducive.shared.model.User;
import static com.google.common.base.Preconditions.*;
import static com.google.common.hash.Hashing.*;
import org.mapdb.*;

import javax.inject.Inject;
import javax.inject.Singleton;
import java.io.File;
import java.util.*;

@Singleton
public class UserDAOImpl extends AbstractMapDBDao implements UserDAO {

    private final static int EXP = 17;

    @Inject
    public UserDAOImpl(@DBFile File dbFile, DB db) {
        super(dbFile, db);
    }

    @Override
    public User getUser(final String username, final String password, final String salt) {
        checkNotNull(username, "Username should not be null");
        checkNotNull(password, "Password should not be null");

        final User user = users().get(username);
        if (user != null) {
            if (stretch(password, salt, EXP).equals(user.getHash())) {
                // don't surface the hash
                return new User(username);
            }
        }
        return null;
    }

    @Override
    public void createUser(final User user)
        throws DuplicateUserException
    {
        checkNotNull(user.getUsername(), "Username should not be null");
        checkNotNull(user.getHash(), "Password should not be null");
        checkNotNull(user.getSalt(), "Salt should not be null");

        if (users().containsKey(user.getUsername())) {
            throw new DuplicateUserException();
        }

        // hash from client is already stretched. stretch some more. distance from what is stored vs password is
        // 2^(LoginView.EXP + UserDAOImpl.EXP), i.e. 2^29
        logger.info("Stretching");
        User toStore = new User(user.getUsername(), stretch(user.getHash(), user.getSalt(), EXP));
        toStore.setSalt(user.getSalt());
        logger.info("Done stretching");
        users().put(user.getUsername(), toStore);
        // save to disk
        commit();
    }

    private NavigableMap<String, User> users() {
        return oneToOne("users");
    }

    public static String hash(final String password) {
        try {
            return sha256().hashBytes(password.getBytes("UTF-8")).toString();
        } catch (Exception e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Lifted from "Cryptographic Engineering" - make it more expensive to crack a password by repeatedly hashing
     * with salt.
     *
     * TODO use scrypt once we have time.
     *
     * The effort to crack the password is increased by 2^exp. Salt can be public, as can exp.
     * @param password
     * @param salt
     * @param exp
     * @return
     */
    public static String stretch(String password, String salt, int exp) {
        String hash = hash(password + salt);
        for (int i = 0; i < Math.pow(2, exp); i++) {
            hash = hash(hash + password + salt);
        }
        return hash;
    }
}
TOP

Related Classes of io.conducive.server.db.impl.UserDAOImpl

  • io.conducive.shared.model.User
  • io.conducive.server.db.exception.DuplicateUserException
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.