From ff3db531e588eff9c7c78ea55361d8231c292f2c Mon Sep 17 00:00:00 2001
From: Vec7or <43302112+Vec7or@users.noreply.github.com>
Date: Tue, 5 Jan 2021 18:59:18 +0100
Subject: [PATCH] Configure bcrypt work

---
 README.md | 1 +
 .../sismics/docs/core/constant/Constants.java | 10 +++++++
 .../com/sismics/docs/core/dao/UserDao.java | 29 +++++++++++++++++--
 3 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 1f3244c8..a3f26f30 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,7 @@ To build external URL, the server is expecting a `DOCS_BASE_URL` environment var
 - General
 - `DOCS_BASE_URL`: The base url used by the application. Generated url's will be using this as base.
 - `DOCS_GLOBAL_QUOTA`: Defines the default quota applying to all users.
+ - `DOCS_BCRYPT_WORK`: Defines the work factor which is used for password hashing. The default is `10`. This value may be `4...31` including `4` and `31`. The specified value will be used for all new users and users changing their password. Be aware that setting this factor to high can heavily impact login and user creation performance.
 
 - Admin
 - `DOCS_ADMIN_EMAIL_INIT`: Defines the e-mail-address the admin user should have upon initialization.
diff --git a/docs-core/src/main/java/com/sismics/docs/core/constant/Constants.java b/docs-core/src/main/java/com/sismics/docs/core/constant/Constants.java
index 9c316d49..11a70f87 100644
--- a/docs-core/src/main/java/com/sismics/docs/core/constant/Constants.java
+++ b/docs-core/src/main/java/com/sismics/docs/core/constant/Constants.java
@@ -25,6 +25,11 @@ public class Constants {
 */
 public static final String DEFAULT_ADMIN_EMAIL = "admin@localhost";
 
+ /**
+ * Bcrypt default work factor
+ */
+ public static final int DEFAULT_BCRYPT_WORK = 10;
+
 /**
 * Guest user ID.
 */
@@ -73,6 +78,11 @@ public class Constants {
 */
 public static final String ADMIN_EMAIL_INIT_ENV = "DOCS_ADMIN_EMAIL_INIT";
 
+ /**
+ * Work factor to be used by Bcrypt
+ */
+ public static final String BCRYPT_WORK_ENV = "DOCS_BCRYPT_WORK";
+
 /**
 * Expiration time of the password recovery in hours.
 */
diff --git a/docs-core/src/main/java/com/sismics/docs/core/dao/UserDao.java b/docs-core/src/main/java/com/sismics/docs/core/dao/UserDao.java
index 6583a532..074a6c7c 100644
--- a/docs-core/src/main/java/com/sismics/docs/core/dao/UserDao.java
+++ b/docs-core/src/main/java/com/sismics/docs/core/dao/UserDao.java
@@ -1,8 +1,13 @@
 package com.sismics.docs.core.dao;
 
-import at.favre.lib.crypto.bcrypt.BCrypt;
 import com.google.common.base.Joiner;
+import at.favre.lib.crypto.bcrypt.BCrypt;
+import org.joda.time.DateTime;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import com.sismics.docs.core.constant.AuditLogType;
+import com.sismics.docs.core.constant.Constants;
 import com.sismics.docs.core.dao.criteria.UserCriteria;
 import com.sismics.docs.core.dao.dto.UserDto;
 import com.sismics.docs.core.model.jpa.User;
@@ -12,7 +17,6 @@ import com.sismics.docs.core.util.jpa.QueryParam;
 import com.sismics.docs.core.util.jpa.QueryUtil;
 import com.sismics.docs.core.util.jpa.SortCriteria;
 import com.sismics.util.context.ThreadLocalContext;
-import org.joda.time.DateTime;
 
 import javax.persistence.EntityManager;
 import javax.persistence.NoResultException;
@@ -26,6 +30,11 @@ import java.util.*;
 * @author jtremeaux
 */
 public class UserDao {
+ /**
+ * Logger.
+ */
+ private static final Logger log = LoggerFactory.getLogger(UserDao.class);
+
 /**
 * Authenticates an user.
 *
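Review bot: The Javadoc added on `BCRYPT_WORK_ENV` in Constants.java describes the work factor itself, but the constant holds the name of the environment variable, which is easy to misread next to `DEFAULT_BCRYPT_WORK`. A comment such as `Name of the environment variable that overrides the bcrypt work factor (integer, 4 to 31).` says what the field is and records the range that `UserDao.hashPassword` enforces with bare literals.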
@@ -278,7 +287,21 @@ public class UserDao {
 * @return Hashed password
 */
 private String hashPassword(String password) {
- return BCrypt.withDefaults().hashToString(10, password.toCharArray());
+ int bcryptWork = Constants.DEFAULT_BCRYPT_WORK;
+ String envBcryptWork = System.getenv(Constants.BCRYPT_WORK_ENV);
+ if (envBcryptWork != null) {
+ try {
+ int envBcryptWorkInt = Integer.parseInt(envBcryptWork);
+ if (envBcryptWorkInt >= 4 && envBcryptWorkInt <= 31) {
+ bcryptWork = envBcryptWorkInt;
+ } else {
+ log.warn(Constants.BCRYPT_WORK_ENV + " needs to be in range 4...31. Falling back to " + Constants.DEFAULT_BCRYPT_WORK + ".");
+ }
+ } catch (NumberFormatException e) {
+ log.warn(Constants.BCRYPT_WORK_ENV + " needs to be a number in range 4...31. Falling back to " + Constants.DEFAULT_BCRYPT_WORK + ".");
+ }
+ }
+ return BCrypt.withDefaults().hashToString(bcryptWork, password.toCharArray());
 }
 
 /**
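Review bot: `hashPassword` reads and parses `DOCS_BCRYPT_WORK` on every call, so an invalid value logs a warning for each password hashed, and the accepted floor of 4 lets a deployment hash far below the previously fixed cost of 10 without any notice. Resolve the cost once into a static field declared after `log` (static initialisers run in textual order), warn once on a bad value, and warn when a valid value is below `Constants.DEFAULT_BCRYPT_WORK`. Because bcrypt work doubles with each step, values near 31 would make user creation and password changes effectively hang, so a startup warning above some operational ceiling is worth considering. Stored hashes keep the cost they were created with; whether the login path rehashes them is not visible in this hunk.

```java
// Must be declared after `log`: resolved once at class initialisation.
private static final int BCRYPT_WORK = resolveBcryptWork();

private static int resolveBcryptWork() {
    String raw = System.getenv(Constants.BCRYPT_WORK_ENV);
    if (raw == null) {
        return Constants.DEFAULT_BCRYPT_WORK;
    }
    try {
        int cost = Integer.parseInt(raw.trim());
        if (cost >= 4 && cost <= 31) {
            if (cost < Constants.DEFAULT_BCRYPT_WORK) {
                log.warn("{}={} is below the default of {}; new password hashes will be cheaper to brute-force.",
                        Constants.BCRYPT_WORK_ENV, cost, Constants.DEFAULT_BCRYPT_WORK);
            }
            return cost;
        }
    } catch (NumberFormatException e) {
        // Not a number: reported by the warning below.
    }
    log.warn("{} needs to be a number in range 4...31. Falling back to {}.",
            Constants.BCRYPT_WORK_ENV, Constants.DEFAULT_BCRYPT_WORK);
    return Constants.DEFAULT_BCRYPT_WORK;
}

private String hashPassword(String password) {
    return BCrypt.withDefaults().hashToString(BCRYPT_WORK, password.toCharArray());
}
```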