From cf72c81382456714e7655191cb6c0cf9179a2555 Mon Sep 17 00:00:00 2001
From: saLeox <282130830@qq.com>
Date: Thu, 31 Aug 2023 14:26:02 +0800
Subject: [PATCH] [Improve] enhance login password protection

---
 .../security/impl/AuthenticatorImpl.java | 30 +++++----------------
 .../console/system/service/UserService.java | 2 --
 .../system/service/impl/UserServiceImpl.java | 15 ++++------
 3 files changed, 13 insertions(+), 34 deletions(-)

diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/security/impl/AuthenticatorImpl.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/security/impl/AuthenticatorImpl.java
index 73956a6e66..2b81a5dd0d 100644
--- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/security/impl/AuthenticatorImpl.java
+++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/security/impl/AuthenticatorImpl.java
@@ -59,9 +59,11 @@ public User authenticate(String username, String password, String loginType) thr
 private User passwordAuthenticate(String username, String password) {
 User user = usersService.findByName(username);
- if (user == null || user.getLoginType() != LoginType.PASSWORD) {
- throw new ApiAlertException(
- String.format("user [%s] does not exist or can not login with PASSWORD", username));
+ if (user == null) {
+ throw new ApiAlertException(String.format("user [%s] does not exist", username));
+ }
+ if (user.getLoginType() != LoginType.PASSWORD) {
+ throw new ApiAlertException(String.format("user [%s] can not login with PASSWORD", username));
 }
 String salt = user.getSalt();
 password = ShaHashUtils.encrypt(salt, password);
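Review bot: Splitting the rejection into `user [%s] does not exist` and `user [%s] can not login with PASSWORD` lets an unauthenticated caller tell a real account from a non-existent one, which the single combined message on the removed lines avoided. Keeping one response for both branches, e.g. `throw new ApiAlertException(String.format("user [%s] does not exist or can not login with PASSWORD", username));`, and logging the precise reason server-side keeps the debugging value without the enumeration side effect. The early throw for an unknown user also skips the `ShaHashUtils.encrypt` call that follows, so response time differs between the two cases; if that matters here, hashing a dummy value on the miss path keeps them closer. passwordAuthenticate's body continues past the hunk.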
@@ -84,21 +86,9 @@ private User ldapAuthenticate(String username, String password) throws Exception
 throw new ApiAlertException(
 String.format("user [%s] can only sign in with %s", username, user.getLoginType()));
 }
- String saltPassword = ShaHashUtils.encrypt(user.getSalt(), password);
-
- // ldap password changed, we should update user password
- if (!StringUtils.equals(saltPassword, user.getPassword())) {
-
- // encrypt password again
- String salt = ShaHashUtils.getRandomSalt();
- saltPassword = ShaHashUtils.encrypt(salt, password);
- user.setSalt(salt);
- user.setPassword(saltPassword);
- usersService.updateSaltPassword(user);
- }
 return user;
 }
- return this.newUserCreate(LoginType.LDAP, username, password);
+ return this.newUserCreate(LoginType.LDAP, username);
 }
 private User ssoAuthenticate(String username) throws Exception {
@@ -111,11 +101,10 @@ private User ssoAuthenticate(String username) throws Exception {
 }
 return user;
 }
- return this.newUserCreate(LoginType.SSO, username, null);
+ return this.newUserCreate(LoginType.SSO, username);
 }
- private User newUserCreate(LoginType loginType, String username, String password)
- throws Exception {
+ private User newUserCreate(LoginType loginType, String username) throws Exception {
 User newUser = new User();
 newUser.setCreateTime(new Date());
 newUser.setUsername(username);
@@ -124,9 +113,6 @@ private User newUserCreate(LoginType loginType, String username, String password
 newUser.setUserType(UserType.USER);
 newUser.setStatus(User.STATUS_VALID);
 newUser.setSex(User.SEX_UNKNOWN);
- if (password != null) {
- newUser.setPassword(password);
- }
 usersService.createUser(newUser);
 return newUser;
 }
diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/service/UserService.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/service/UserService.java
index af513023e2..b1709acdad 100644
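Review bot: Dropping the LDAP password sync leaves behind the salt and hash that the removed `usersService.updateSaltPassword(user)` path stored for every LDAP account created before this change, and nothing in the commit clears them. Because `passwordAuthenticate` now rejects any user whose loginType is not PASSWORD, those rows can no longer be used to log in, but a one-off cleanup that nulls `password` and `salt` for LDAP and SSO users would remove the stored secret material rather than just making it unreachable. The only use of `StringUtils` visible in this method is removed, so the import may now be unused; worth checking the rest of the file. ldapAuthenticate starts before the hunk.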
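Review bot: `newUserCreate` loses its credential parameter without any comment saying that this is deliberate, so a reader of the LDAP and SSO call sites has to infer that these accounts are meant to have neither password nor salt. I would add `/** Creates the local account for a user authenticated externally (LDAP/SSO). No password or salt is stored, so the account is rejected by PASSWORD login. */` above the new signature. The method body continues past the hunk.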
--- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/service/UserService.java
+++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/service/UserService.java
@@ -80,8 +80,6 @@ public interface UserService extends IService {
 */
 void updatePassword(User user) throws Exception;
- void updateSaltPassword(User user) throws Exception;
-
 /**
 * reset password
 *
diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/service/impl/UserServiceImpl.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/service/impl/UserServiceImpl.java
index 514dbc9467..6622a959f6 100644
--- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/service/impl/UserServiceImpl.java
+++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/service/impl/UserServiceImpl.java
@@ -26,6 +26,7 @@
 import org.apache.streampark.console.base.properties.ShiroProperties;
 import org.apache.streampark.console.base.util.ShaHashUtils;
 import org.apache.streampark.console.base.util.WebUtils;
+import org.apache.streampark.console.core.enums.LoginType;
 import org.apache.streampark.console.core.service.ApplicationService;
 import org.apache.streampark.console.core.service.ResourceService;
 import org.apache.streampark.console.system.authentication.JWTToken;
@@ -125,6 +126,7 @@ public void createUser(User user) {
 @Transactional(rollbackFor = Exception.class)
 public RestResponse updateUser(User user) {
 User existsUser = getById(user.getUserId());
+ user.setLoginType(null);
 user.setPassword(null);
 user.setModifyTime(new Date());
 if (needTransferResource(existsUser, user)) {
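Review bot: `user.setLoginType(null);` is a silent guard: it stops a request body from switching an account's login type through updateUser, but nothing says so, and it only has that effect if the update mapper skips null fields, which the existing `user.setPassword(null)` presumably relies on as well — worth confirming. I would add `// loginType and password can never be changed through this endpoint; clear them so the request body cannot override them` above the two calls. updateUser's body continues past the hunk.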
@@ -148,6 +150,9 @@ private boolean needTransferResource(User existsUser, User user) {
 public void updatePassword(User userParam) {
 User user = getById(userParam.getUserId());
 ApiAlertException.throwIfNull(user, "User is null. Update password failed.");
+ ApiAlertException.throwIfFalse(
+ user.getLoginType() == LoginType.PASSWORD,
+ "Can only update password for user who sign in with PASSWORD");
 String saltPassword = ShaHashUtils.encrypt(user.getSalt(), userParam.getOldPassword());
 ApiAlertException.throwIfFalse(
@@ -161,16 +166,6 @@ public void updatePassword(User userParam) {
 this.baseMapper.updateById(user);
 }
- @Override
- @Transactional(rollbackFor = Exception.class)
- public void updateSaltPassword(User userParam) {
- User user = getById(userParam.getUserId());
- ApiAlertException.throwIfNull(user, "User is null. Update password failed.");
- user.setSalt(userParam.getSalt());
- user.setPassword(userParam.getPassword());
- this.baseMapper.updateById(user);
- }
-
 @Override
 @Transactional(rollbackFor = Exception.class)
 public String resetPassword(String username) {
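Review bot: The new guard's message reads `user who sign in`; `"Can only update password for users who sign in with PASSWORD"` is the grammatical form. The same loginType check is presumably also needed in `resetPassword`, whose declaration is visible as context in the second hunk of this file but whose body lies outside the diff: resetting a password for an LDAP or SSO account would store a local hash for a user that this change otherwise leaves without one. updatePassword's body continues past the hunk.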