Added hashing of passwords

This commit is contained in:
Mary Tran 2018-12-02 11:21:08 -05:00
parent 4d25a0c460
commit 9b19c2e820
15 changed files with 267 additions and 36 deletions


@ -17,6 +17,10 @@ public class Admin extends UserType {
super("admin", "admin", "Admin", "Admin");
}
Admin(String hash, String salt){
super("admin", hash, salt, "Admin", "Admin");
}
/**
* The getRole() method returns a string "Admin"
* the app gets role of user type objects for access
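Review bot: The new `Admin(String hash, String salt)` constructor has no Javadoc while the neighbouring members do; add a block such as `/** Rebuilds the admin account from its stored password hash and salt; unlike {@link #Admin()} it performs no hashing. */`. The no-argument constructor still passes the literal `"admin"` as the password, so the default credential lives in source and is re-hashed on every construction; if that is the shipped default, a comment saying it must be replaced after first login would make the intent explicit.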


@ -27,7 +27,7 @@ import com.uottawa.olympus.olympusservices.Booking.Status;
public class DBHelper extends SQLiteOpenHelper {
//version of db used for update method
private static final int DB_VERSION = 6;
private static final int DB_VERSION = 7;
//name of db in app data
private static final String DB_NAME = "UsersDB.db";
@ -265,7 +265,23 @@ public class DBHelper extends SQLiteOpenHelper {
+ ")");
case 5:
db.execSQL("ALTER TABLE " + TABLE_BOOKINGS + " ADD COLUMN " + COLUMN_COMMENT + " TEXT DEFAULT ''");
case 6:
Cursor cursor = db.query(TABLE_LOGIN, new String[]{COLUMN_USERNAME, COLUMN_PASSWORD}, null, null,
null, null, null);
if (cursor.moveToFirst()){
for (int i = 0; i<cursor.getCount(); i++){
String salt = PasswordEncryption.generateSalt();
String password = cursor.getString(1);
values = new ContentValues();
values.put(COLUMN_PASSWORD, PasswordEncryption.encrypt(password, salt));
values.put(COLUMN_SALT, salt);
db.update(TABLE_LOGIN, values,
COLUMN_USERNAME + " = ?",
new String[]{cursor.getString(0)});
cursor.moveToNext();
}
}
}
}
@ -304,9 +320,10 @@ public class DBHelper extends SQLiteOpenHelper {
//Put values of UserType into columns
ContentValues values = new ContentValues();
values.put(COLUMN_USERNAME, userType.getUsername());
values.put(COLUMN_PASSWORD, userType.getPassword());
values.put(COLUMN_PASSWORD, userType.getHash());
values.put(COLUMN_FIRSTNAME, userType.getFirstname());
values.put(COLUMN_LASTNAME, userType.getLastname());
values.put(COLUMN_SALT, userType.getSalt());
values.put(COLUMN_USERTYPE, userType.getClass().getSimpleName());
//special case for ServiceProvider
@ -373,7 +390,7 @@ public class DBHelper extends SQLiteOpenHelper {
new String[]{username});
if (cursor.moveToFirst()){
String password = cursor.getString(1);
String hash = cursor.getString(1);
String firstname = cursor.getString(2);
String lastname = cursor.getString(3);
String address = cursor.getString(5);
@ -381,17 +398,18 @@ public class DBHelper extends SQLiteOpenHelper {
String companyname = cursor.getString(7);
boolean licensed = Boolean.parseBoolean(cursor.getString(8));
String description = cursor.getString(9);
String salt = cursor.getString(10);
if (cursor.getString(4)
.equals("Admin")){
usertype = new Admin();
usertype = new Admin(hash, salt);
} else if (cursor.getString(4)
.equals("ServiceProvider")){
ServiceProvider serviceProvider = new ServiceProvider(username, password, firstname, lastname, address, phonenumber, companyname, licensed, description);
ServiceProvider serviceProvider = new ServiceProvider(username, hash, salt, firstname, lastname, address, phonenumber, companyname, licensed, description);
getAllServicesProvidedByUser(serviceProvider);
getAvailabilities(serviceProvider);
usertype = serviceProvider;
} else {
usertype = new HomeOwner(username, password, firstname, lastname);
usertype = new HomeOwner(username, hash, salt, firstname, lastname);
}
}
@ -441,7 +459,13 @@ public class DBHelper extends SQLiteOpenHelper {
if (username == null) return false;
ContentValues values = new ContentValues();
if (password != null && !password.equals("")) values.put(COLUMN_PASSWORD, password);
if (password != null && !password.equals("")) {
String salt = PasswordEncryption.generateSalt();
values.put(COLUMN_SALT, salt);
String hash = PasswordEncryption.encrypt(password, salt);
values.put(COLUMN_PASSWORD, hash);
}
if (firstname != null && !firstname.equals("")) values.put(COLUMN_FIRSTNAME, firstname);
if (lastname != null && !lastname.equals(""))values.put(COLUMN_LASTNAME, lastname);
if (address != null && !address.equals(""))values.put(COLUMN_ADDRESS, address);
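Review bot: The `Cursor` opened in the `case 6` upgrade branch is never closed, so every upgrade leaks it; wrap the iteration in `try { … } finally { cursor.close(); }`. Nothing in that hunk adds `COLUMN_SALT` to `TABLE_LOGIN` before `db.update` writes it, so unless an `ALTER TABLE … ADD COLUMN` for the salt sits elsewhere in `onUpgrade` (the method begins outside the hunk) the 6→7 upgrade will fail on existing installs. The migration hashes whatever is currently in the password column, so a row that is already hashed would be double-hashed if the branch ever runs twice; skipping rows whose salt column is non-empty would make it idempotent. In `findUserByUsername`, reading the salt as `cursor.getString(10)` ties the code to the table's column order; `cursor.getColumnIndexOrThrow(COLUMN_SALT)` survives schema changes.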


@ -24,6 +24,21 @@ public class HomeOwner extends UserType {
super(username, password, firstname, lastname);
}
/**
* Constructor of the HomeOwner object that takes the username, password,
* lastname, and firstname as parameters to use for the creation of a
* HomeOwner object.
*
* @param username String for username.
* @param hash String for hash.
* @param salt String for salt.
* @param firstname String for firstname.
* @param lastname String for lastname.
*/
HomeOwner(String username, String hash, String salt, String firstname, String lastname){
super(username, hash, salt, firstname, lastname);
}
/**
* Returns the type of role the user is for this class.
* will return the string "HomeOwner".
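Review bot: The Javadoc on the new five-argument constructor still says it takes a `password`, and the `@param` lines for `hash` and `salt` only repeat the names. State that this constructor stores the values as given without hashing, unlike the four-argument one, e.g. `@param hash already computed password hash, as stored in the database.` and `@param salt salt the hash was computed with.`. That distinction matters because a caller passing a plaintext password here would persist it unhashed.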


@ -29,7 +29,7 @@ public class HomeOwnerEditProfile extends AppCompatActivity {
firstname.setText(user.getFirstname());
lastname.setText(user.getLastname());
password.setText(user.getPassword());
password.setText("");
}
/**
@ -56,7 +56,7 @@ public class HomeOwnerEditProfile extends AppCompatActivity {
TextView password = findViewById(R.id.PasswordInput);
//Checks for the fields
if(password.getText().toString().length()>=5 && firstname.getText().toString().length()>0
if(firstname.getText().toString().length()>0
&& lastname.getText().toString().length()>0
&& password.getText().toString().matches("[a-zA-Z0-9]*")
&& firstname.getText().toString().matches("[a-zA-Z]*")
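Review bot: Dropping `password.getText().toString().length()>=5` from the field check means a one-to-four character replacement password is now accepted, while an empty field only means "keep the current password" because `updateUserInfo` skips blank passwords. Make that intent explicit in the condition: `if((password.getText().toString().isEmpty() || password.getText().toString().length()>=5) && firstname.getText().toString().length()>0`. The same check was removed in `ServiceProviderEditProfile` and needs the same treatment. Clearing the field with `password.setText("")` instead of echoing a stored value is right now that only a hash is held.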


@ -44,7 +44,8 @@ public class LogIn extends AppCompatActivity {
if (dbHelper.findUserByUsername(username) != null) {
UserType user = dbHelper.findUserByUsername(username);
if (user.getUsername().equals(username) &&
user.getPassword().equals(password)) {
PasswordEncryption.slowEquals(user.getHash(),
PasswordEncryption.encrypt(password, user.getSalt()))) {
if(user.getRole()=="Admin"){
Intent intent = new Intent(getApplicationContext(),AdminWelcome.class);
startActivity(intent);
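Review bot: `user.getRole()=="Admin"` compares strings by reference and only works while `getRole()` returns an interned literal; use `"Admin".equals(user.getRole())`. `findUserByUsername(username)` is also queried twice in a row (once for the `!= null` guard, once for the assignment); look it up once and null-check the result. The credential check is sound only as long as `slowEquals` is a true equality — as written in `PasswordEncryption` it treats a prefix as equal, so the fix there matters for this line. The enclosing method continues outside the hunk.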


@ -0,0 +1,80 @@
package com.uottawa.olympus.olympusservices;
import android.os.Message;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.lang.Math;
public class PasswordEncryption {
private static final MessageDigest MESSAGE_DIGEST;
private static final char[] POSSIBLE_CHARS;
private static final SecureRandom random;
static{
MessageDigest messageDigest;
try{
messageDigest = MessageDigest.getInstance("SHA-256");
} catch (NoSuchAlgorithmException e){
messageDigest = null;
}
MESSAGE_DIGEST = messageDigest;
POSSIBLE_CHARS = new char[94];
for (int i = 33; i<127; i++){
POSSIBLE_CHARS[i-33] = (char)i;
}
random = new SecureRandom();
}
public static String encrypt(String password, String salt){
password = salt + password;
byte[] passwordBytes = password.getBytes();
byte[] hashedPassword;
MESSAGE_DIGEST.reset();
MESSAGE_DIGEST.update(passwordBytes);
hashedPassword = MESSAGE_DIGEST.digest();
StringBuilder sb = new StringBuilder();
for (int i = 0; i < hashedPassword.length; i++) {
if ((hashedPassword[i] & 0xff) < 0x10) {
sb.append("0");
}
sb.append(Long.toString(hashedPassword[i] & 0xff, 16));
}
return sb.toString();
}
public static String generateSalt(){
long stringID = Math.abs(random.nextLong());
String salt = "";
while(stringID > 0){
//the least significant digit is added to nonce string first
int index = (int)(stringID%94);
salt += POSSIBLE_CHARS[index];
stringID /= 94;
}
return salt;
}
public static boolean slowEquals(String one, String two){
byte[] first = one.getBytes();
byte[] second = two.getBytes();
int length = first.length > second.length ? second.length : first.length;
boolean same = true;
for (int i = 0; i<length; i++){
if (first[i] != second[i]){
same = false;
}
}
return same;
}
}
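Review bot: `slowEquals` compares only up to the shorter input, so a hash that is a prefix of another (or an empty string) compares equal, and a hand-rolled loop is not a dependable constant-time compare either; `MessageDigest.isEqual` checks length and runs in constant time for equal-length inputs. The shared static `MESSAGE_DIGEST` is not thread-safe (reset/update/digest is a three-step sequence on one instance), and a missing algorithm leaves it null to fail later with an NPE — get a fresh instance per call and fail in the constructor path instead. A single salted SHA-256 is a fast hash rather than a password hash; the standard-library `SecretKeyFactory` with `PBKDF2WithHmacSHA256` and a work factor is the right replacement once a stored-format migration like the `case 6` upgrade in `DBHelper` is planned. `generateSalt` returns an empty salt when `random.nextLong()` is 0 or `Long.MIN_VALUE` (`Math.abs` stays negative) and never more than about ten characters; draw 16 bytes from `SecureRandom` and encode them. The rewritten pieces below need `java.nio.charset.StandardCharsets` and `java.util.Base64` imported, and the unused `android.os.Message` and `java.lang.Math` imports can go.
```java
public static String encrypt(String password, String salt){
    // Explicit charset so the stored hash does not depend on the platform default.
    byte[] passwordBytes = (salt + password).getBytes(StandardCharsets.UTF_8);
    MessageDigest digest;
    try {
        digest = MessageDigest.getInstance("SHA-256");  // fresh instance: MessageDigest is not thread-safe
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException("SHA-256 is required but unavailable", e);
    }
    byte[] hashedPassword = digest.digest(passwordBytes);
    // … unchanged: hex encoding of hashedPassword into the returned string …
}

public static String generateSalt(){
    // 128 bits of salt, always non-empty and of fixed length.
    byte[] saltBytes = new byte[16];
    random.nextBytes(saltBytes);
    return Base64.getEncoder().encodeToString(saltBytes);
}

public static boolean slowEquals(String one, String two){
    // Length-checking, constant-time for equal-length inputs.
    return MessageDigest.isEqual(one.getBytes(StandardCharsets.UTF_8),
                                 two.getBytes(StandardCharsets.UTF_8));
}
// … MESSAGE_DIGEST and POSSIBLE_CHARS, with their static-initializer code, become unused …
```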


@ -49,6 +49,18 @@ public class ServiceProvider extends UserType {
this(username, password, firstname, lastname, address, phonenumber, companyname, licensed, "");
}
/**
*
* @param username
* @param password
* @param firstname
* @param lastname
* @param address
* @param phonenumber
* @param companyname
* @param licensed
* @param description
*/
ServiceProvider(String username, String password, String firstname, String lastname, String address,
String phonenumber, String companyname, boolean licensed, String description){
super(username, password, firstname, lastname);
@ -62,6 +74,33 @@ public class ServiceProvider extends UserType {
this.rating = 0;
}
/**
*
* @param username
* @param hash
* @param salt
* @param firstname
* @param lastname
* @param address
* @param phonenumber
* @param companyname
* @param licensed
* @param description
*/
ServiceProvider(String username, String hash, String salt, String firstname, String lastname, String address,
String phonenumber, String companyname, boolean licensed, String description){
super(username, hash, salt, firstname, lastname);
services = new ArrayList<>();
availabilities = new int[7][4];
this.address = address;
this.phonenumber = phonenumber;
this.companyname = companyname;
this.licensed = licensed;
this.description = description;
this.rating = 0;
}
/**
* gets the role of the UserType.
*
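Review bot: Both constructor Javadocs in this hunk list every `@param` with no description, which documents nothing; give each tag its one-line meaning (`@param hash already computed password hash, as stored in the database.`, `@param salt salt the hash was computed with.`, `@param licensed whether the provider holds a licence.`) and a summary sentence saying which constructor hashes the password and which stores a precomputed hash. The new constructor's body appears to repeat the field initialisation of the existing one line for line; moving those eight assignments into a private `initProfile(address, phonenumber, companyname, licensed, description)` helper called from both would keep them from drifting apart. The existing constructor's body is only partly visible in this view.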


@ -37,15 +37,13 @@ public class ServiceProviderEditProfile extends AppCompatActivity {
firstname.setText(user.getFirstname());
lastname.setText(user.getLastname());
password.setText(user.getPassword());
password.setText("");
companyname.setText(user.getCompanyname());
address.setText(user.getAddress());
phonenumber.setText(user.getPhonenumber());
description.setText(user.getDescription());
licensed.setChecked(user.isLicensed());
}
/**
@ -76,7 +74,7 @@ public class ServiceProviderEditProfile extends AppCompatActivity {
CheckBox licensed = findViewById(R.id.LicensedInput);
//Checks for the fields
if(password.getText().toString().length()>=5 && firstname.getText().toString().length()>0
if(firstname.getText().toString().length()>0
&& lastname.getText().toString().length()>0 && companyname.getText().toString().length()>0
&& address.getText().toString().length()>0 && phonenumber.getText().toString().length()>0
&& password.getText().toString().matches("[a-zA-Z0-9]*")
@ -88,6 +86,7 @@ public class ServiceProviderEditProfile extends AppCompatActivity {
&& phonenumber.getText().toString().matches("^(\\+\\d{1,2}\\s)?\\(?\\d{3}\\)?[\\s.-]?\\d{3}[\\s.-]?\\d{4}$")
&& address.getText().toString().replaceAll("\\s+","").length()>0) {
if(dbHelper.updateUserInfo(username, password.getText().toString(), firstname.getText().toString(), lastname.getText().toString(),
address.getText().toString(), phonenumber.getText().toString(), companyname.getText().toString(), licensed.isChecked(), description.getText().toString())){
//add comment method here


@ -13,12 +13,14 @@ public abstract class UserType {
//field for the username attached to the userType.
String username;
//field for the password attached to the userType.
String password;
//field for the password hash attached to the userType.
String hash;
//field for the firstname attached to the userType.
String firstname;
//field for the lastname attached to the userType.
String lastname;
//field for the salt attached to the userType.
String salt;
/**
@ -32,9 +34,30 @@ public abstract class UserType {
*/
UserType(String username, String password, String firstname, String lastname){
this.username = username;
this.password = password;
this.firstname = firstname;
this.lastname = lastname;
this.salt = PasswordEncryption.generateSalt();
this.hash = PasswordEncryption.encrypt(password, salt);
}
/**
* Constructor filling out all the field values with given parameters
* entered by a new user for the app.
*
* @param username String object containing the username.
* @param hash String object containing the password hash.
* @param firstname String object containing the firstname.
* @param lastname String object containing the lastname.
* @param salt String object containing the salt.
*/
UserType(String username, String hash, String salt, String firstname, String lastname){
this.username = username;
this.firstname = firstname;
this.lastname = lastname;
this.salt = salt;
this.hash = hash;
}
/**
@ -54,12 +77,12 @@ public abstract class UserType {
}
/**
* Gets the password field of userType.
* Gets the hash field of userType.
*
* @return String of the password.
* @return String of the hash.
*/
public String getPassword() {
return password;
public String getHash() {
return hash;
}
/**
@ -80,6 +103,15 @@ public abstract class UserType {
return lastname;
}
/**
* Gets the salt field of userType.
*
* @return String of salt
*/
public String getSalt() {
return salt;
}
/**
* Sets the username field with given parameters.
*
@ -102,7 +134,8 @@ public abstract class UserType {
//remember to call updateUser(String username, String password, String firstname, String lastname)
//in activity whenever a setter is called. DBHelper requires a Context (Activity) to be initialized
//so cannot be initialized in this class
this.password = password;
this.salt = PasswordEncryption.generateSalt();
this.hash = PasswordEncryption.encrypt(password, salt);
}
/**
@ -130,8 +163,9 @@ public abstract class UserType {
* @param other Usertype object that is compared to this userType.
*/
public boolean equals(UserType other){
if(this.username.equals(other.username)&&this.password.equals(other.password)&&
this.firstname.equals(other.firstname)&&this.lastname.equals(other.lastname)){
if(this.username.equals(other.username)&&this.hash.equals(other.hash)&&
this.firstname.equals(other.firstname)&&this.lastname.equals(other.lastname)
&&this.salt.equals(other.salt)){
return true;
}
return false;
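Review bot: The Javadoc of the new five-argument constructor lists its `@param` tags in the order `hash, firstname, lastname, salt`, which does not match the signature `(username, hash, salt, firstname, lastname)`, and describes the values as "entered by a new user" although they are a precomputed digest and salt — the four-argument constructor is the one that hashes; reorder the tags and say so. `equals(UserType other)` overloads rather than overrides `Object.equals`, so collections and `assertEquals` still fall back to identity; if value equality is intended, override `equals(Object)` and `hashCode` together. The comment above `setPassword` still points at `updateUser(String username, String password, …)` while `DBHelper` exposes `updateUserInfo(…)`, and it should now also say that the salt is regenerated so both columns must be persisted.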


@ -14,13 +14,12 @@ public class AdminTest {
public void testAdmin() {
Admin admin = new Admin();
String username = admin.getUsername();
String password = admin.getPassword();
String firstname = admin.getFirstname();
String lastname = admin.getLastname();
String role = admin.getRole();
assertEquals("Admin", role);
assertEquals("admin", username);
assertEquals("admin", password);
assertEquals(PasswordEncryption.encrypt("admin", admin.getSalt()), admin.getHash());
assertEquals("Admin", firstname);
assertEquals("Admin", lastname);
}
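Review bot: The new assertion only checks that `getHash()` agrees with `encrypt` for the same salt, which would still pass if `encrypt` returned its input unchanged. Add `assertNotEquals("admin", admin.getHash());` and `assertFalse(admin.getSalt().isEmpty());` so the test pins that the stored value is a hash computed with a salt; both come from `org.junit.Assert` if that static import is not already present in this file.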


@ -38,9 +38,9 @@ public class DBIntegrationTest {
UserType dbUser = dbHelper.findUserByUsername("admin");
assertEquals("Admin", dbUser.getClass().getSimpleName());
assertEquals("admin", dbUser.getUsername());
assertEquals("admin", dbUser.getPassword());
assertEquals("Admin", dbUser.getFirstname());
assertEquals("Admin", dbUser.getLastname());
assertEquals(PasswordEncryption.encrypt("admin", dbUser.getSalt()), dbUser.getHash());
}
@Test
@ -56,7 +56,8 @@ public class DBIntegrationTest {
dbUser = dbHelper.findUserByUsername("mgarzon");
assertEquals("HomeOwner", dbUser.getClass().getSimpleName());
assertEquals("mgarzon", dbUser.getUsername());
assertEquals("soccer", dbUser.getPassword());
assertEquals(originalUser.getHash(), dbUser.getHash());
assertEquals(originalUser.getSalt(), dbUser.getSalt());
assertEquals("Miguel", dbUser.getFirstname());
assertEquals("Garzon", dbUser.getLastname());
@ -69,7 +70,8 @@ public class DBIntegrationTest {
dbUser = dbHelper.findUserByUsername("jbO4aBF4dC");
assertEquals("ServiceProvider", dbUser.getClass().getSimpleName());
assertEquals("jbO4aBF4dC", dbUser.getUsername());
assertEquals("seg2105", dbUser.getPassword());
assertEquals(originalUser.getHash(), dbUser.getHash());
assertEquals(originalUser.getSalt(), dbUser.getSalt());
assertEquals("Juan", dbUser.getFirstname());
assertEquals("Guzman", dbUser.getLastname());
@ -171,7 +173,6 @@ public class DBIntegrationTest {
dbUser = dbHelper.findUserByUsername("jbO4aBF4dC");
assertEquals("jbO4aBF4dC", dbUser.getUsername());
assertEquals("soccer", dbUser.getPassword());
assertEquals("Juan", dbUser.getFirstname());
assertEquals("Guzman", dbUser.getLastname());
@ -561,6 +562,11 @@ public class DBIntegrationTest {
}
@Test
public void printUsersTable(){
dbHelper.printTable("user");
}
// Ever gotten tired of adding things at the start of a test just to delete it all again?
// I have.
// This is a work in progress
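Review bot: Removing `assertEquals("soccer", dbUser.getPassword())` in the fourth hunk leaves the password-update path with no assertion at all; replace it with `assertEquals(PasswordEncryption.encrypt("soccer", dbUser.getSalt()), dbUser.getHash());` so the test still proves the new password was stored (the `updateUserInfo` call itself is outside the hunk). The added `printUsersTable` test dumps the whole user table, which now holds hashes and salts, into the test output with no assertion; drop it or keep it out of the default suite.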


@ -14,9 +14,10 @@ public class HomeOwnerTest {
public void testHomeOwner(){
UserType user = new HomeOwner( "John123", "1234567890", "John", "Doe" );
String role = user.getRole();
String salt = user.getSalt();
assertEquals("HomeOwner", role);
assertEquals("John123", user.getUsername());
assertEquals("1234567890", user.getPassword());
assertEquals( PasswordEncryption.encrypt("1234567890", salt), user.getHash());
assertEquals("John", user.getFirstname());
assertEquals("Doe", user.getLastname());
user.setUsername( "username" );
@ -24,7 +25,10 @@ public class HomeOwnerTest {
user.setFirstname( "firstname" );
user.setLastname( "lastname" );
assertNotEquals("John123", user.getUsername());
assertNotEquals("1234567890", user.getPassword());
assertNotEquals("1234567890", user.getHash());
assertNotEquals("password", user.getHash());
assertNotEquals( PasswordEncryption.encrypt("1234567890", salt), user.getHash());
assertNotEquals(PasswordEncryption.encrypt("password", salt), user.getHash());
assertNotEquals("John", user.getFirstname());
assertNotEquals("Doe", user.getLastname());
}
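Review bot: The four `assertNotEquals` lines after the setters show that the old hash is gone but never that the new password verifies; add `assertEquals(PasswordEncryption.encrypt("password", user.getSalt()), user.getHash());` and `assertNotEquals(salt, user.getSalt());` (assuming the call between the hunks is `setPassword("password")`, which is outside this view) so a setter that merely cleared the hash would still fail. `assertNotEquals("1234567890", user.getHash())` and `assertNotEquals("password", user.getHash())` pass trivially for any hex digest and add nothing. `ServiceProviderTest` has the identical pattern and needs the same addition.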


@ -0,0 +1,22 @@
package com.uottawa.olympus.olympusservices;
import org.junit.Test;
import static org.junit.Assert.*;
public class PasswordTest {
@Test
public void testHashes(){
String string1 = PasswordEncryption.encrypt("helloworld", "i]/S9evY\\,");
String string2 = PasswordEncryption.encrypt("helloworld", "i]/S9evY\\,");
assertTrue(PasswordEncryption.slowEquals(string1, string2));
String string3 = PasswordEncryption.encrypt("helloworld", "i]/S9evY\\");
assertTrue(!PasswordEncryption.slowEquals(string1, string3));
String string4 = PasswordEncryption.encrypt("helloworl", "i]/S9evY\\,");
assertTrue(!PasswordEncryption.slowEquals(string1, string4));
}
}
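Review bot: None of the three cases exercises the length defect in `slowEquals`, which compares only up to the shorter input; add `assertFalse(PasswordEncryption.slowEquals(string1, string1 + "0"));` and `assertFalse(PasswordEncryption.slowEquals(string1, ""));`, both of which fail against the current implementation. `assertTrue(!…)` reads better as `assertFalse(…)`. A check that `generateSalt()` returns a non-empty string would also cover the `Math.abs(Long.MIN_VALUE)` and zero cases in `generateSalt`.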


@ -17,8 +17,9 @@ public class ServiceProviderTest {
@Test
public void testServiceProvider() {
String salt = serviceprovider.getSalt();
assertEquals( "John123", serviceprovider.getUsername());
assertEquals( "1234567890", serviceprovider.getPassword());
assertEquals( PasswordEncryption.encrypt("1234567890", salt), serviceprovider.getHash());
assertEquals( "John", serviceprovider.getFirstname());
assertEquals( "Doe", serviceprovider.getLastname());
assertEquals( "ServiceProvider", serviceprovider.getRole());
@ -27,7 +28,10 @@ public class ServiceProviderTest {
serviceprovider.setFirstname("firstname");
serviceprovider.setLastname("lastname");
assertNotEquals("John123", serviceprovider.getUsername());
assertNotEquals("1234567890", serviceprovider.getPassword());
assertNotEquals("1234567890", serviceprovider.getHash());
assertNotEquals("password", serviceprovider.getHash());
assertNotEquals( PasswordEncryption.encrypt("1234567890", salt), serviceprovider.getHash());
assertNotEquals(PasswordEncryption.encrypt("password", salt), serviceprovider.getHash());
assertNotEquals("John", serviceprovider.getFirstname());
assertNotEquals("Doe", serviceprovider.getLastname());
}


@ -27,8 +27,8 @@ public class UserTypeTest {
assertNotEquals( true, useradmin );
assertNotEquals( true, serviceadmin );
assertNotEquals( true, userservice );
user.setFirstname(serviceprovider.getFirstname());
user.setUsername(serviceprovider.getUsername());
user = new HomeOwner(serviceprovider.getUsername(), serviceprovider.getHash(), serviceprovider.getSalt(),
serviceprovider.getFirstname(), serviceprovider.getLastname());
userservice = user.equals(serviceprovider);
assertEquals( true, userservice );
}