OO-948: update credentials only if the algorithm or the password changed

95abc52e · srosse · 6fc2da37 · 95abc52e · 95abc52e
Commit 95abc52e authored 11 years ago by srosse
--- a/src/main/java/org/olat/basesecurity/BaseSecurityManager.java
+++ b/src/main/java/org/olat/basesecurity/BaseSecurityManager.java
@@ -1532,6 +1532,16 @@ public class BaseSecurityManager extends BasicManager implements BaseSecurity {
 	@Override
 	public Authentication updateCredentials(Authentication authentication, String password, Algorithm algorithm) {
+		if(authentication.getAlgorithm() != null && authentication.getAlgorithm().equals(algorithm.name())) {
+			//check if update is needed
+			String currentSalt = authentication.getSalt();
+			String newCredentials = Encoder.encrypt(password, currentSalt, algorithm);
+			if(newCredentials.equals(authentication.getCredential())) {
+				//same credentials
+				return authentication;
+			}
+		}
 		String salt = algorithm.isSalted() ? Encoder.getSalt() : null;
 		String newCredentials = Encoder.encrypt(password, salt, algorithm);
 		authentication.setSalt(salt);

--- a/src/test/java/org/olat/basesecurity/BaseSecurityManagerTest.java
+++ b/src/test/java/org/olat/basesecurity/BaseSecurityManagerTest.java
@@ -41,6 +41,7 @@ import org.olat.core.id.Roles;
 import org.olat.core.id.User;
 import org.olat.core.id.UserConstants;
 import org.olat.core.util.Encoder;
+import org.olat.login.LoginModule;
 import org.olat.resource.OLATResource;
 import org.olat.test.JunitTestHelper;
 import org.olat.test.OlatTestCase;
@@ -929,6 +930,31 @@ public class BaseSecurityManagerTest extends OlatTestCase {
 		dbInstance.commitAndCloseSession();	
 	}
+	@Test
+	public void updateToSaltedAuthentication() {
+		Identity ident = JunitTestHelper.createAndPersistIdentityAsUser("auth-c-" + UUID.randomUUID().toString());
+		dbInstance.commitAndCloseSession();
+		Authentication auth = securityManager.findAuthentication(ident, "OLAT");
+		String credentials = auth.getCredential();
+		Authentication updatedAuth = securityManager.updateCredentials(auth, "secret", LoginModule.getDefaultHashAlgorithm());
+		Assert.assertNotNull(auth);
+		Assert.assertNotNull(updatedAuth);
+		Assert.assertEquals(auth, updatedAuth);
+		Assert.assertFalse(credentials.equals(updatedAuth.getCredential()));
+		dbInstance.commitAndCloseSession();
+		Authentication auth2 = securityManager.findAuthentication(ident, "OLAT");
+		String credentials2 = auth2.getCredential();
+		Authentication notUpdatedAuth = securityManager.updateCredentials(auth2, "secret", LoginModule.getDefaultHashAlgorithm());
+		Assert.assertNotNull(auth2);
+		Assert.assertNotNull(notUpdatedAuth);
+		Assert.assertSame(auth2, notUpdatedAuth);
+		Assert.assertEquals(credentials2, notUpdatedAuth.getCredential());
+		Assert.assertFalse(credentials.equals(notUpdatedAuth.getCredential()));
+		dbInstance.commitAndCloseSession();
+	}
 	@Test
 	public void deleteAuthentication() {
 		Identity identity = JunitTestHelper.createAndPersistIdentityAsUser("auth-del-" + UUID.randomUUID().toString());