Upgrade bcrypt library + explain env variables

2024-11-22 05:57:57 +01:00 · 2020-12-31 07:46:00 +01:00 · 2020-12-31 07:46:00 +01:00 · af15116bf9
commit af15116bf9
parent 36e5a9747b
5 changed files with 140 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -19,6 +19,7 @@ Demo
 ----

 A demo is available at [demo.teedy.io](https://demo.teedy.io)
+
 - Guest login is enabled with read access on all documents
 - "admin" login with "admin" password
 - "demo" login with "password" password 
@ -60,6 +61,7 @@ Install with Docker
 A preconfigured Docker image is available, including OCR and media conversion tools, listening on port 8080. The database is an embedded H2 database but PostgreSQL is also supported for more performance.

 **The default admin password is "admin". Don't forget to change it before going to production.**
+
 - Master branch, can be unstable. Not recommended for production use: `sismics/docs:latest`
 - Latest stable version: `sismics/docs:v1.8`

@ -67,10 +69,134 @@ The data directory is `/data`. Don't forget to mount a volume on it.

 To build external URL, the server is expecting a `DOCS_BASE_URL` environment variable (for example https://teedy.mycompany.com)

+### Available environment variables
+
+- General
+  
+  - `DOCS_BASE_URL` -> The base url used by the application. Generated url's will be using this as base.
+  
+  - `DOCS_GLOBAL_QUOTA` -> Defines the default quota applying to all users.
+
+- Admin
+  
+  - `DOCS_ADMIN_EMAIL_INIT` -> Defines the e-mail-address the admin user should have upon initialization.
+  
+  - `DOCS_ADMIN_PASSWORD_INIT` -> Defines the password the admin user should have upon initialization.  Needs to be a bcrypt hash.  **Be aware that `$` within the hash have to be escaped with a second `$`.**
+
+- Database
+  
+  - `DATABASE_URL` -> The jdbc connection string to be used by `hibernate`.
+  
+  - `DATABASE_USER` -> The user which should be used for the database connection.
+  
+  - `DATABASE_PASSWORD` -> The password to be used for the database connection.
+
+- Language
+  
+  - `DOCS_DEFAULT_LANGUAGE` -> The language which will be used as default. Currently supported values are:
+    
+    - `eng`, `fra`, `ita`, `deu`, `spa`, `por`, `pol`, `rus`, `ukr`, `ara`, `hin`, `chi_sim`, `chi_tra`, `jpn`, `tha`, `kor`, `nld`, `tur`, `heb`, `hun`, `fin`, `swe`, `lav`, `dan`
+
+- E-Mail
+  
+  - `DOCS_SMTP_HOSTNAME` -> Hostname of the SMTP-Server to be used by Teedy.
+  
+  - `DOCS_SMTP_PORT` -> The port which should be used.
+  
+  - `DOCS_SMTP_USERNAME` -> The username to be used.
+  
+  - `DOCS_SMTP_PASSWORD` -> The password to be used.
+
+### Examples
+
+In the following examples some passwords are exposed in cleartext. This was done in order to keep the examples simple. We strongly encourage you to use variables with an `.env` file or other means to securely store your passwords.
+
+#### Using the internal db
+
+```yaml
+version: '3'
+services:
+# Teedy Application
+  teedy-server:
+    image: sismics/docs:v1.8
+    restart: unless-stopped
+    ports:
+      # Map internal port to host
+      - 8080:8080
+    environment:
+      # Base url to be used
+      DOCS_BASE_URL: "https://docs.example.com"
+      # Set the admin email
+      DOCS_ADMIN_EMAIL_INIT: "admin@example.com"
+      # Set the admin password (in this example: "superSecure")
+      DOCS_ADMIN_PASSWORD_INIT: "$$2a$$05$$PcMNUbJvsk7QHFSfEIDaIOjk1VI9/E7IPjTKx.jkjPxkx2EOKSoPS"
+    volumes:
+      - ./docs/data:/data
+```
+
+#### Using postgres
+
+```yaml
+version: '3'
+services:
+# Teedy Application
+  teedy-server:
+    image: sismics/docs:v1.8
+    restart: unless-stopped
+    ports:
+      # Map internal port to host
+      - 8080:8080
+    environment:
+      # Base url to be used
+      DOCS_BASE_URL: "https://docs.example.com"
+      # Set the admin email
+      DOCS_ADMIN_EMAIL_INIT: "admin@example.com"
+      # Set the admin password (in this example: "superSecure")
+      DOCS_ADMIN_PASSWORD_INIT: "$$2a$$05$$PcMNUbJvsk7QHFSfEIDaIOjk1VI9/E7IPjTKx.jkjPxkx2EOKSoPS"
+      # Setup the database connection. "teedy-db" is the hostname
+      # and "teedy" is the name of the database the application
+      # will connect to.
+      DATABASE_URL: "jdbc:postgresql://teedy-db:5432/teedy"
+      DATABASE_USER: "teedy_db_user"
+      DATABASE_PASSWORD: "teedy_db_password"
+    volumes:
+      - ./docs/data:/data
+    networks:
+      - docker-internal
+      - internet
+    depends_on:
+      - teedy-db
+
+# DB for Teedy
+  teedy-db:
+    image: postgres:13.1-alpine
+    restart: unless-stopped
+    expose:
+      - 5432
+    environment:
+      POSTGRES_USER: "teedy_db_user"
+      POSTGRES_PASSWORD: "teedy_db_password"
+      POSTGRES_DB: "teedy"
+    volumes:
+      - ./docs/db:/var/lib/postgresql/data
+    networks:
+      - docker-internal
+
+networks:
+  # Network without internet access. The db does not need
+  # access to the host network.
+  docker-internal:
+    driver: bridge
+    internal: true
+  internet:
+    driver: bridge
+```
+
 Manual installation
 -------------------

 #### Requirements
+
 - Java 8 with the [Java Cryptography Extension](http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html)
 - Tesseract 3 or 4 for OCR
 - ffmpeg for video thumbnails
@ -78,6 +204,7 @@ Manual installation
 - A webapp server like [Jetty](http://eclipse.org/jetty/) or [Tomcat](http://tomcat.apache.org/)

 #### Download
+
 The latest release is downloadable here: <https://github.com/sismics/docs/releases> in WAR format. 
 **The default admin password is "admin". Don't forget to change it before going to production.**

@ -88,9 +215,9 @@ Prerequisites: JDK 8 with JCE, Maven 3, NPM, Grunt, Tesseract 3 or 4

 Teedy is organized in several Maven modules:

-  - docs-core
-  - docs-web
-  - docs-web-common
+- docs-core
+- docs-web
+- docs-web-common

 First off, clone the repository: `git clone git://github.com/sismics/docs.git`
 or download the sources from GitHub.
--- a/docs-core/pom.xml
+++ b/docs-core/pom.xml
@ -91,10 +91,11 @@
      <groupId>org.slf4j</groupId>
      <artifactId>jcl-over-slf4j</artifactId>
    </dependency>
-    
+
    <dependency>
-      <groupId>org.mindrot</groupId>
-      <artifactId>jbcrypt</artifactId>
+      <groupId>at.favre.lib</groupId>
+      <artifactId>bcrypt</artifactId>
+      <version>0.9.0</version>
    </dependency>
    
    <dependency>
--- a/docs-core/src/main/java/com/sismics/docs/core/constant/Constants.java
+++ b/docs-core/src/main/java/com/sismics/docs/core/constant/Constants.java
@ -18,7 +18,7 @@ public class Constants {
    /**
     * Administrator's default password ("admin").
     */
-    public static final String DEFAULT_ADMIN_PASSWORD = "$2a$05$6Ny3TjrW3aVAL1or2SlcR.fhuDgPKp5jp.P9fBXwVNePgeLqb4i3C";
+    public static final String DEFAULT_ADMIN_PASSWORD = "$2y$10$xg0EEKVUehutDI1m6qQhVeFz7SMQMl1jQzjf2KkVsR2c7aV2vyyjK";

    /**
     * Administrator's default email.
--- a/docs-core/src/main/java/com/sismics/docs/core/dao/UserDao.java
+++ b/docs-core/src/main/java/com/sismics/docs/core/dao/UserDao.java
@ -1,5 +1,6 @@
 package com.sismics.docs.core.dao;

+import at.favre.lib.crypto.bcrypt.BCrypt;
 import com.google.common.base.Joiner;
 import com.sismics.docs.core.constant.AuditLogType;
 import com.sismics.docs.core.dao.criteria.UserCriteria;
@ -12,7 +13,6 @@ import com.sismics.docs.core.util.jpa.QueryUtil;
 import com.sismics.docs.core.util.jpa.SortCriteria;
 import com.sismics.util.context.ThreadLocalContext;
 import org.joda.time.DateTime;
-import org.mindrot.jbcrypt.BCrypt;

 import javax.persistence.EntityManager;
 import javax.persistence.NoResultException;
@ -39,7 +39,8 @@ public class UserDao {
        q.setParameter("username", username);
        try {
            User user = (User) q.getSingleResult();
-            if (!BCrypt.checkpw(password, user.getPassword()) || user.getDisableDate() != null) {
+            BCrypt.Result result = BCrypt.verifyer().verify(password.toCharArray(), user.getPassword());
+            if (!result.verified || user.getDisableDate() != null) {
                return null;
            }
            return user;
@ -277,7 +278,7 @@ public class UserDao {
     * @return Hashed password
     */
    private String hashPassword(String password) {
-        return BCrypt.hashpw(password, BCrypt.gensalt());
+        return BCrypt.withDefaults().hashToString(10, password.toCharArray());
    }
    
    /**
--- a/docs-core/src/main/resources/db/update/dbupdate-000-0.sql
+++ b/docs-core/src/main/resources/db/update/dbupdate-000-0.sql
@ -41,4 +41,4 @@ insert into T_LOCALE(LOC_ID_C) values('fr');
 insert into T_ROLE(ROL_ID_C, ROL_NAME_C, ROL_CREATEDATE_D) values('admin', 'Admin', NOW());
 insert into T_ROLE(ROL_ID_C, ROL_NAME_C, ROL_CREATEDATE_D) values('user', 'User', NOW());
 insert into T_ROLE_BASE_FUNCTION(RBF_ID_C, RBF_IDROLE_C, RBF_IDBASEFUNCTION_C, RBF_CREATEDATE_D) values('admin_ADMIN', 'admin', 'ADMIN', NOW());
-insert into T_USER(USE_ID_C, USE_IDLOCALE_C, USE_IDROLE_C, USE_USERNAME_C, USE_PASSWORD_C, USE_EMAIL_C, USE_THEME_C, USE_FIRSTCONNECTION_B, USE_CREATEDATE_D, USE_PRIVATEKEY_C) values('admin', 'en', 'admin', 'admin', '$2a$05$6Ny3TjrW3aVAL1or2SlcR.fhuDgPKp5jp.P9fBXwVNePgeLqb4i3C', 'admin@localhost', 'default.less', true, NOW(), 'AdminPk');
+insert into T_USER(USE_ID_C, USE_IDLOCALE_C, USE_IDROLE_C, USE_USERNAME_C, USE_PASSWORD_C, USE_EMAIL_C, USE_THEME_C, USE_FIRSTCONNECTION_B, USE_CREATEDATE_D, USE_PRIVATEKEY_C) values('admin', 'en', 'admin', 'admin', '$2y$10$xg0EEKVUehutDI1m6qQhVeFz7SMQMl1jQzjf2KkVsR2c7aV2vyyjK', 'admin@localhost', 'default.less', true, NOW(), 'AdminPk');