From 95abc52e2748ee30c1975056a5604d276deee2cc Mon Sep 17 00:00:00 2001
From: srosse <none@none>
Date: Wed, 22 Jan 2014 08:33:30 +0100
Subject: [PATCH] OO-948: update credentials only if the algorithm or the
 password changed

---
 .../basesecurity/BaseSecurityManager.java     | 10 +++++++
 .../basesecurity/BaseSecurityManagerTest.java | 26 +++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/src/main/java/org/olat/basesecurity/BaseSecurityManager.java b/src/main/java/org/olat/basesecurity/BaseSecurityManager.java
index f482b1f5d76..01b48d82fa9 100644
--- a/src/main/java/org/olat/basesecurity/BaseSecurityManager.java
+++ b/src/main/java/org/olat/basesecurity/BaseSecurityManager.java
@@ -1532,6 +1532,16 @@ public class BaseSecurityManager extends BasicManager implements BaseSecurity {
 
 	@Override
 	public Authentication updateCredentials(Authentication authentication, String password, Algorithm algorithm) {
+		if(authentication.getAlgorithm() != null && authentication.getAlgorithm().equals(algorithm.name())) {
+			//check if update is needed
+			String currentSalt = authentication.getSalt();
+			String newCredentials = Encoder.encrypt(password, currentSalt, algorithm);
+			if(newCredentials.equals(authentication.getCredential())) {
+				//same credentials
+				return authentication;
+			}
+		}
+
 		String salt = algorithm.isSalted() ? Encoder.getSalt() : null;
 		String newCredentials = Encoder.encrypt(password, salt, algorithm);
 		authentication.setSalt(salt);
diff --git a/src/test/java/org/olat/basesecurity/BaseSecurityManagerTest.java b/src/test/java/org/olat/basesecurity/BaseSecurityManagerTest.java
index d95763126e5..054a84d83f1 100644
--- a/src/test/java/org/olat/basesecurity/BaseSecurityManagerTest.java
+++ b/src/test/java/org/olat/basesecurity/BaseSecurityManagerTest.java
@@ -41,6 +41,7 @@ import org.olat.core.id.Roles;
 import org.olat.core.id.User;
 import org.olat.core.id.UserConstants;
 import org.olat.core.util.Encoder;
+import org.olat.login.LoginModule;
 import org.olat.resource.OLATResource;
 import org.olat.test.JunitTestHelper;
 import org.olat.test.OlatTestCase;
@@ -929,6 +930,31 @@ public class BaseSecurityManagerTest extends OlatTestCase {
 		dbInstance.commitAndCloseSession();	
 	}
 	
+	@Test
+	public void updateToSaltedAuthentication() {
+		Identity ident = JunitTestHelper.createAndPersistIdentityAsUser("auth-c-" + UUID.randomUUID().toString());
+		dbInstance.commitAndCloseSession();
+		
+		Authentication auth = securityManager.findAuthentication(ident, "OLAT");
+		String credentials = auth.getCredential();
+		Authentication updatedAuth = securityManager.updateCredentials(auth, "secret", LoginModule.getDefaultHashAlgorithm());
+		Assert.assertNotNull(auth);
+		Assert.assertNotNull(updatedAuth);
+		Assert.assertEquals(auth, updatedAuth);
+		Assert.assertFalse(credentials.equals(updatedAuth.getCredential()));
+		dbInstance.commitAndCloseSession();
+		
+		Authentication auth2 = securityManager.findAuthentication(ident, "OLAT");
+		String credentials2 = auth2.getCredential();
+		Authentication notUpdatedAuth = securityManager.updateCredentials(auth2, "secret", LoginModule.getDefaultHashAlgorithm());
+		Assert.assertNotNull(auth2);
+		Assert.assertNotNull(notUpdatedAuth);
+		Assert.assertSame(auth2, notUpdatedAuth);
+		Assert.assertEquals(credentials2, notUpdatedAuth.getCredential());
+		Assert.assertFalse(credentials.equals(notUpdatedAuth.getCredential()));
+		dbInstance.commitAndCloseSession();
+	}
+	
 	@Test
 	public void deleteAuthentication() {
 		Identity identity = JunitTestHelper.createAndPersistIdentityAsUser("auth-del-" + UUID.randomUUID().toString());
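Review bot: In updateToSaltedAuthentication the `Assert.assertNotNull(auth);` on the line after the first updateCredentials call comes after `auth.getCredential()` has already been dereferenced, so a null lookup would surface as an NPE rather than the assertion; move it directly after the `findAuthentication` call, and likewise for `Assert.assertNotNull(auth2);`. The test name promises a salted result but nothing checks the salt; if the default hash algorithm is salted, `Assert.assertNotNull(updatedAuth.getSalt());` after the first update would pin that. As a point of style, `Assert.assertFalse(credentials.equals(updatedAuth.getCredential()));` reads better as `Assert.assertNotEquals(credentials, updatedAuth.getCredential());`, which also reports both values on failure.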
-- 
GitLab