Always execute a JPA password action

aloubyansky · Nov 21, 2023 · 2c29d55 · 2c29d55
1 parent d443437
commit 2c29d55
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 3 deletions.
diff --git a/...ment/src/main/java/io/quarkus/security/jpa/common/deployment/JpaSecurityIdentityUtil.java b/...ment/src/main/java/io/quarkus/security/jpa/common/deployment/JpaSecurityIdentityUtil.java
@@ -45,18 +45,21 @@ public static void buildIdentity(Index index, JpaSecurityDefinition jpaSecurityD
             PanacheEntityPredicateBuildItem panacheEntityPredicate, FieldDescriptor passwordProviderField,
             MethodCreator outerMethod, ResultHandle userVar, BytecodeCreator innerMethod) {
         // if(user == null) throw new AuthenticationFailedException();
+
+        PasswordType passwordType = passwordTypeValue != null ? PasswordType.valueOf(passwordTypeValue.asEnum())
+                : PasswordType.MCF;
+
         try (BytecodeCreator trueBranch = innerMethod.ifNull(userVar).trueBranch()) {
+
             ResultHandle exceptionInstance = trueBranch
                     .newInstance(MethodDescriptor.ofConstructor(AuthenticationFailedException.class));
+            trueBranch.invokeStaticMethod(passwordActionMethod(), trueBranch.load(passwordType));
             trueBranch.throwException(exceptionInstance);
         }
 
         // :pass = user.pass | user.getPass()
         ResultHandle pass = jpaSecurityDefinition.password.readValue(innerMethod, userVar);
 
-        PasswordType passwordType = passwordTypeValue != null ? PasswordType.valueOf(passwordTypeValue.asEnum())
-                : PasswordType.MCF;
-
         if (passwordType == PasswordType.CUSTOM && passwordProviderValue == null) {
             throw new RuntimeException("Missing password provider for password type: " + passwordType);
         }
@@ -245,4 +248,8 @@ private static MethodDescriptor getUtilMethod(String passwordProviderMethod) {
         return MethodDescriptor.ofMethod(JpaIdentityProviderUtil.class, passwordProviderMethod,
                 org.wildfly.security.password.Password.class, String.class);
     }
+
+    private static MethodDescriptor passwordActionMethod() {
+        return MethodDescriptor.ofMethod(JpaIdentityProviderUtil.class, "passwordAction", void.class, PasswordType.class);
+    }
 }
diff --git a/...runtime/src/main/java/io/quarkus/security/jpa/common/runtime/JpaIdentityProviderUtil.java b/...runtime/src/main/java/io/quarkus/security/jpa/common/runtime/JpaIdentityProviderUtil.java
@@ -2,6 +2,7 @@
 
 import java.security.spec.InvalidKeySpecException;
 import java.util.List;
+import java.util.UUID;
 
 import org.wildfly.security.credential.PasswordCredential;
 import org.wildfly.security.evidence.PasswordGuessEvidence;
@@ -10,9 +11,11 @@
 import org.wildfly.security.password.util.ModularCrypt;
 import org.wildfly.security.provider.util.ProviderUtil;
 
+import io.quarkus.elytron.security.common.BcryptUtil;
 import io.quarkus.security.AuthenticationFailedException;
 import io.quarkus.security.identity.request.TrustedAuthenticationRequest;
 import io.quarkus.security.identity.request.UsernamePasswordAuthenticationRequest;
+import io.quarkus.security.jpa.PasswordType;
 import io.quarkus.security.runtime.QuarkusPrincipal;
 import io.quarkus.security.runtime.QuarkusSecurityIdentity;
 
@@ -70,4 +73,13 @@ public static Password getMcfPassword(String pass) {
             throw new RuntimeException(e);
         }
     }
+
+    public static void passwordAction(PasswordType type) {
+        String uuid = UUID.randomUUID().toString();
+        if (type == PasswordType.CLEAR) {
+            ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, uuid.toCharArray());
+        } else {
+            BcryptUtil.bcryptHash(uuid);
+        }
+    }
 }