Fixed authentication using profiles when under LDAP/AD

Change-Id: I011ae876a98e0d29a1c6e49f6129973af745f2e8

Fixed authentication using profiles when under LDAP/AD
6818865d · William Enright · Larbi Gharib · e2b8a574 · 6818865d · 6818865d
Commit 6818865d authored 4 years ago by William Enright Committed by Larbi Gharib 4 years ago
--- a/authentication-module/src/main/java/net/jami/jams/authmodule/UserAuthenticationModule.java
+++ b/authentication-module/src/main/java/net/jami/jams/authmodule/UserAuthenticationModule.java
@@ -135,21 +135,21 @@ public class UserAuthenticationModule implements AuthenticationModule {
    @Override
    public AuthTokenResponse authenticateUser(String username, String password) {
        AuthTokenResponse res = null;
+        String hashPass = "";
        if(datastore.userExists(username)){
            StatementList statementList = new StatementList();
            StatementElement statementElement = new StatementElement("username","=",username,"");
            statementList.addStatement(statementElement);
            User user = datastore.getUserDao().getObjects(statementList).get(0);
-            if((user.getUserType() == AuthenticationSourceType.LOCAL)) password = PasswordUtil.hashPassword(password, Base64.decodeBase64(user.getSalt()));
-            if(authenticationSources.get(new AuthModuleKey(user.getRealm(),user.getUserType()))
-                    .authenticate(username,password))
+            if((user.getUserType() == AuthenticationSourceType.LOCAL)) hashPass = PasswordUtil.hashPassword(password, Base64.decodeBase64(user.getSalt()));
+            if(hashPass != null && authenticationSources.get(new AuthModuleKey(user.getRealm(),user.getUserType()))
+                    .authenticate(username,hashPass))
                return tokenController.getToken(user,null);
        }
        //The second case is much more violent, because we don't know in advance "where" this user comes
        //from, so we have to infer (this is only really true for "users", all others are usually pre-marked)
        //This is also the case when we store the user into the DAO - because he never existed before.
        for(AuthModuleKey key : authenticationSources.keySet()){
-            if(key.getType() == AuthenticationSourceType.LOCAL) password = PasswordUtil.hashPassword(password, new byte[16]);
            if(authenticationSources.get(key).authenticate(username,password)){
                User user = new User();
                user.setUsername(username);

--- a/datastore/src/main/java/net/jami/datastore/main/DataStore.java
+++ b/datastore/src/main/java/net/jami/datastore/main/DataStore.java
@@ -162,7 +162,7 @@ public class DataStore implements AuthenticationSource {
        StatementElement statementElement = new StatementElement("username","=",username,"");
        statementList.addStatement(statementElement);
        List<User> userList = userDao.getObjects(statementList);
-        if(userList.size() != 1) return false;
+        if(userList.size() != 1 || userList.get(0).getPassword() == null) return false;
        return userList.get(0).getPassword().equals(password);
    }