Add a registry lock password to contacts (#226)

* Add a registry lock password to contacts * enabled -> allowed * Simple CR responses, still need to add tests * Add a very simple hashing test file * Allow setting of RL password rather than directly setting it * Round out pw tests * Include 'allowedToSet...' in registrar contact JSON * Responses to CR * fix the hardcoded tests * Use null or empty rather than just null
2025-07-21 18:26:12 +02:00 · 2019-08-23 22:34:43 -04:00 · 2019-08-23 22:34:43 -04:00 · a5f27c693f
commit a5f27c693f
parent 584f887099
16 changed files with 274 additions and 57 deletions
--- a/util/src/main/java/google/registry/util/PasswordUtils.java
+++ b/util/src/main/java/google/registry/util/PasswordUtils.java
@ -0,0 +1,47 @@
+// Copyright 2019 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.util;
+
+import static com.google.common.io.BaseEncoding.base64;
+import static java.nio.charset.StandardCharsets.US_ASCII;
+
+import com.google.common.base.Supplier;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
+/** Common utility class to handle password hashing and salting */
+public final class PasswordUtils {
+
+  public static final Supplier<byte[]> SALT_SUPPLIER =
+      () -> {
+        // There are 32 bytes in a SHA-256 hash, and the salt should generally be the same size.
+        byte[] salt = new byte[32];
+        new SecureRandom().nextBytes(salt);
+        return salt;
+      };
+
+  public static String hashPassword(String password, String salt) {
+    try {
+      return base64()
+          .encode(
+              MessageDigest.getInstance("SHA-256").digest((password + salt).getBytes(US_ASCII)));
+    } catch (NoSuchAlgorithmException e) {
+      // All implementations of MessageDigest are required to support SHA-256.
+      throw new RuntimeException(
+          "All MessageDigest implementations are required to support SHA-256 but this didn't", e);
+    }
+  }
+}
--- a/util/src/test/java/google/registry/util/PasswordUtilsTest.java
+++ b/util/src/test/java/google/registry/util/PasswordUtilsTest.java
@ -0,0 +1,50 @@
+// Copyright 2019 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.util;
+
+import static com.google.common.io.BaseEncoding.base64;
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.util.PasswordUtils.SALT_SUPPLIER;
+import static google.registry.util.PasswordUtils.hashPassword;
+
+import java.util.Arrays;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+/** Unit tests for {@link google.registry.util.PasswordUtils}. */
+@RunWith(JUnit4.class)
+public final class PasswordUtilsTest {
+
+  @Test
+  public void testDifferentSalts() {
+    byte[] first = SALT_SUPPLIER.get();
+    byte[] second = SALT_SUPPLIER.get();
+    assertThat(first.length).isEqualTo(32);
+    assertThat(second.length).isEqualTo(32);
+    assertThat(Arrays.equals(first, second)).isFalse();
+  }
+
+  @Test
+  public void testHash() {
+    String salt = base64().encode(SALT_SUPPLIER.get());
+    String password = "mySuperSecurePassword";
+    String hashedPassword = hashPassword(password, salt);
+    assertThat(hashedPassword).isEqualTo(hashPassword(password, salt));
+    assertThat(hashedPassword).isNotEqualTo(hashPassword(password + "a", salt));
+    String secondSalt = base64().encode(SALT_SUPPLIER.get());
+    assertThat(hashedPassword).isNotEqualTo(hashPassword(password, secondSalt));
+  }
+}