Implement hashing of the passcode

juice-shop · Oct 18, 2024 · 5884d7a · 5884d7a
1 parent cf2e77c
commit 5884d7a
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 3 deletions.
diff --git a/balancer/go.mod b/balancer/go.mod
@@ -4,6 +4,7 @@ go 1.23.2
 
 require (
 	github.com/stretchr/testify v1.9.0
+	golang.org/x/crypto v0.24.0
 	k8s.io/api v0.31.1
 	k8s.io/apimachinery v0.31.1
 	k8s.io/client-go v0.31.1

diff --git a/balancer/go.sum b/balancer/go.sum
@@ -85,6 +85,8 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=

diff --git a/balancer/pkg/bundle/bundle.go b/balancer/pkg/bundle/bundle.go
@@ -6,6 +6,7 @@ import (
 	"os"
 
 	"github.com/juice-shop/multi-juicer/balancer/pkg/passcode"
+	"golang.org/x/crypto/bcrypt"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/client-go/kubernetes"
@@ -16,6 +17,7 @@ type Bundle struct {
 	RuntimeEnvironment    RuntimeEnvironment
 	ClientSet             kubernetes.Interface
 	PasscodeGenerator     func() string
+	BcryptRounds          int
 	StaticAssetsDirectory string `json:"staticAssetsDirectory"`
 	Config                *Config
 	Log                   *log.Logger
@@ -83,6 +85,7 @@ func New() *Bundle {
 			Namespace: namespace,
 		},
 		PasscodeGenerator: passcode.GeneratePasscode,
+		BcryptRounds:      bcrypt.DefaultCost,
 		Log:               log.New(os.Stdout, "", log.LstdFlags),
 		Config: &Config{
 			JuiceShopConfig: JuiceShopConfig{

diff --git a/balancer/pkg/testutil/testUtils.go b/balancer/pkg/testutil/testUtils.go
@@ -29,7 +29,8 @@ func NewTestBundleWithCustomFakeClient(clientset kubernetes.Interface) *bundle.B
 		PasscodeGenerator: func() string {
 			return "12345678"
 		},
-		Log: log.New(os.Stdout, "", log.LstdFlags),
+		BcryptRounds: 2,
+		Log:          log.New(os.Stdout, "", log.LstdFlags),
 		Config: &bundle.Config{
 			JuiceShopConfig: bundle.JuiceShopConfig{
 				ImagePullPolicy: "IfNotPresent",

diff --git a/balancer/routes/join.go b/balancer/routes/join.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"time"
 
+	"golang.org/x/crypto/bcrypt"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -27,12 +28,21 @@ func handleTeamJoin(bundle *bundle.Bundle) http.Handler {
 			if err != nil && errors.IsNotFound(err) {
 
 				passcode := bundle.PasscodeGenerator()
-				passcodeHash := "todo-acutally-hash-here"
+
+				// Generate a bcrypt hash of the password
+				passcodeHashBytes, err := bcrypt.GenerateFromPassword([]byte(passcode), bundle.BcryptRounds)
+				if err != nil {
+					bundle.Log.Printf("Failed to hash passcode!: %s", err)
+					http.Error(responseWriter, "", http.StatusInternalServerError)
+					return
+				}
+				passcodeHash := string(passcodeHashBytes)
 
 				// Create a deployment for the team
-				err := createDeploymentForTeam(bundle, team, passcodeHash)
+				err = createDeploymentForTeam(bundle, team, passcodeHash)
 				if err != nil {
 					bundle.Log.Printf("Failed to create deployment: %s", err)
+
 					http.Error(responseWriter, "failed to create deployment", http.StatusInternalServerError)
 					return
 				}