Added hashing of passwords

OlympusServices/app/src/main/java/com/uottawa/olympus/olympusservices/Admin.java

@@ -17,6 +17,10 @@ public class Admin extends UserType {
         super("admin", "admin", "Admin", "Admin");
     }
 
+    Admin(String hash, String salt){
+        super("admin", hash, salt, "Admin", "Admin");
+    }
+
     /**
      * The getRole() method returns a string "Admin"
      * the app gets role of user type objects for access

OlympusServices/app/src/main/java/com/uottawa/olympus/olympusservices/DBHelper.java

@@ -27,7 +27,7 @@ import com.uottawa.olympus.olympusservices.Booking.Status;
 public class DBHelper extends SQLiteOpenHelper {
 
     //version of db used for update method
-    private static final int DB_VERSION = 6;
+    private static final int DB_VERSION = 7;
     //name of db in app data
     private static final String DB_NAME = "UsersDB.db";
 
@@ -265,7 +265,23 @@ public class DBHelper extends SQLiteOpenHelper {
                         + ")");
             case 5:
                 db.execSQL("ALTER TABLE " + TABLE_BOOKINGS + " ADD COLUMN " + COLUMN_COMMENT + " TEXT DEFAULT ''");
+            case 6:
+                Cursor cursor = db.query(TABLE_LOGIN, new String[]{COLUMN_USERNAME, COLUMN_PASSWORD}, null, null,
+                        null, null, null);
+                if (cursor.moveToFirst()){
+                    for (int i = 0; i<cursor.getCount(); i++){
+                       String salt = PasswordEncryption.generateSalt();
+                       String password = cursor.getString(1);
 
+                       values = new ContentValues();
+                       values.put(COLUMN_PASSWORD, PasswordEncryption.encrypt(password, salt));
+                       values.put(COLUMN_SALT, salt);
+                       db.update(TABLE_LOGIN, values,
+                               COLUMN_USERNAME + " = ?",
+                               new String[]{cursor.getString(0)});
+                       cursor.moveToNext();
+                    }
+                }
         }
     }
 
@@ -304,9 +320,10 @@ public class DBHelper extends SQLiteOpenHelper {
         //Put values of UserType into columns
         ContentValues values = new ContentValues();
         values.put(COLUMN_USERNAME, userType.getUsername());
-        values.put(COLUMN_PASSWORD, userType.getPassword());
+        values.put(COLUMN_PASSWORD, userType.getHash());
         values.put(COLUMN_FIRSTNAME, userType.getFirstname());
         values.put(COLUMN_LASTNAME, userType.getLastname());
+        values.put(COLUMN_SALT, userType.getSalt());
         values.put(COLUMN_USERTYPE, userType.getClass().getSimpleName());
 
         //special case for ServiceProvider
@@ -373,7 +390,7 @@ public class DBHelper extends SQLiteOpenHelper {
                 new String[]{username});
 
         if (cursor.moveToFirst()){
-            String password = cursor.getString(1);
+            String hash = cursor.getString(1);
             String firstname = cursor.getString(2);
             String lastname = cursor.getString(3);
             String address = cursor.getString(5);
@@ -381,17 +398,18 @@ public class DBHelper extends SQLiteOpenHelper {
             String companyname = cursor.getString(7);
             boolean licensed = Boolean.parseBoolean(cursor.getString(8));
             String description = cursor.getString(9);
+            String salt = cursor.getString(10);
             if (cursor.getString(4)
                     .equals("Admin")){
-                usertype = new Admin();
+                usertype = new Admin(hash, salt);
             } else if (cursor.getString(4)
                     .equals("ServiceProvider")){
-                ServiceProvider serviceProvider = new ServiceProvider(username, password, firstname, lastname, address, phonenumber, companyname, licensed, description);
+                ServiceProvider serviceProvider = new ServiceProvider(username, hash, salt, firstname, lastname, address, phonenumber, companyname, licensed, description);
                 getAllServicesProvidedByUser(serviceProvider);
                 getAvailabilities(serviceProvider);
                 usertype = serviceProvider;
             } else {
-                usertype = new HomeOwner(username, password, firstname, lastname);
+                usertype = new HomeOwner(username, hash, salt, firstname, lastname);
             }
         }
 
@@ -441,7 +459,13 @@ public class DBHelper extends SQLiteOpenHelper {
         if (username == null) return false;
 
         ContentValues values = new ContentValues();
-        if (password != null && !password.equals("")) values.put(COLUMN_PASSWORD, password);
+        if (password != null && !password.equals("")) {
+            String salt = PasswordEncryption.generateSalt();
+            values.put(COLUMN_SALT, salt);
+
+            String hash = PasswordEncryption.encrypt(password, salt);
+            values.put(COLUMN_PASSWORD, hash);
+        }
         if (firstname != null && !firstname.equals("")) values.put(COLUMN_FIRSTNAME, firstname);
         if (lastname != null && !lastname.equals(""))values.put(COLUMN_LASTNAME, lastname);
         if (address != null && !address.equals(""))values.put(COLUMN_ADDRESS, address);

OlympusServices/app/src/main/java/com/uottawa/olympus/olympusservices/HomeOwner.java

@@ -24,6 +24,21 @@ public class HomeOwner extends UserType {
         super(username, password, firstname, lastname);
     }
 
+    /**
+     * Constructor of the HomeOwner object that takes the username, password,
+     * lastname, and firstname as parameters to use for the creation of a
+     * HomeOwner object.
+     *
+     * @param username String for username.
+     * @param hash String for hash.
+     * @param salt String for salt.
+     * @param firstname String for firstname.
+     * @param lastname String for lastname.
+     */
+    HomeOwner(String username, String hash, String salt, String firstname, String lastname){
+        super(username, hash, salt, firstname, lastname);
+    }
+
     /**
      * Returns the type of role the user is for this class.
      * will return the string "HomeOwner".

OlympusServices/app/src/main/java/com/uottawa/olympus/olympusservices/HomeOwnerEditProfile.java

@@ -29,7 +29,7 @@ public class HomeOwnerEditProfile extends AppCompatActivity {
 
         firstname.setText(user.getFirstname());
         lastname.setText(user.getLastname());
-        password.setText(user.getPassword());
+        password.setText("");
 
     }
     /**
@@ -56,7 +56,7 @@ public class HomeOwnerEditProfile extends AppCompatActivity {
         TextView password = findViewById(R.id.PasswordInput);
 
         //Checks for the fields
-        if(password.getText().toString().length()>=5 && firstname.getText().toString().length()>0
+        if(firstname.getText().toString().length()>0
                 && lastname.getText().toString().length()>0
                 && password.getText().toString().matches("[a-zA-Z0-9]*")
                 && firstname.getText().toString().matches("[a-zA-Z]*")

OlympusServices/app/src/main/java/com/uottawa/olympus/olympusservices/LogIn.java

@@ -44,7 +44,8 @@ public class LogIn extends AppCompatActivity {
             if (dbHelper.findUserByUsername(username) != null) {
                 UserType user = dbHelper.findUserByUsername(username);
                 if (user.getUsername().equals(username) &&
-                        user.getPassword().equals(password)) {
+                        PasswordEncryption.slowEquals(user.getHash(),
+                                PasswordEncryption.encrypt(password, user.getSalt()))) {
                     if(user.getRole()=="Admin"){
                         Intent intent = new Intent(getApplicationContext(),AdminWelcome.class);
                         startActivity(intent);

OlympusServices/app/src/main/java/com/uottawa/olympus/olympusservices/PasswordEncryption.java

@@ -0,0 +1,80 @@
+package com.uottawa.olympus.olympusservices;
+
+import android.os.Message;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.lang.Math;
+
+public class PasswordEncryption {
+    private static final MessageDigest MESSAGE_DIGEST;
+    private static final char[] POSSIBLE_CHARS;
+    private static final SecureRandom random;
+
+    static{
+        MessageDigest messageDigest;
+        try{
+            messageDigest = MessageDigest.getInstance("SHA-256");
+        } catch (NoSuchAlgorithmException e){
+            messageDigest = null;
+        }
+        MESSAGE_DIGEST = messageDigest;
+
+        POSSIBLE_CHARS = new char[94];
+        for (int i = 33; i<127; i++){
+            POSSIBLE_CHARS[i-33] = (char)i;
+        }
+
+        random = new SecureRandom();
+    }
+
+    public static String encrypt(String password, String salt){
+        password = salt + password;
+
+        byte[] passwordBytes = password.getBytes();
+        byte[] hashedPassword;
+
+        MESSAGE_DIGEST.reset();
+        MESSAGE_DIGEST.update(passwordBytes);
+        hashedPassword = MESSAGE_DIGEST.digest();
+
+
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < hashedPassword.length; i++) {
+            if ((hashedPassword[i] & 0xff) < 0x10) {
+                sb.append("0");
+            }
+
+            sb.append(Long.toString(hashedPassword[i] & 0xff, 16));
+        }
+        return sb.toString();
+    }
+
+    public static String generateSalt(){
+        long stringID = Math.abs(random.nextLong());
+        String salt = "";
+
+        while(stringID > 0){
+            //the least significant digit is added to nonce string first
+            int index = (int)(stringID%94);
+            salt += POSSIBLE_CHARS[index];
+            stringID /= 94;
+        }
+        return salt;
+    }
+
+    public static boolean slowEquals(String one, String two){
+        byte[] first = one.getBytes();
+        byte[] second = two.getBytes();
+
+        int length = first.length > second.length ? second.length : first.length;
+        boolean same = true;
+        for (int i = 0; i<length; i++){
+            if (first[i] != second[i]){
+                same = false;
+            }
+        }
+        return same;
+    }
+}

OlympusServices/app/src/main/java/com/uottawa/olympus/olympusservices/ServiceProvider.java

@@ -49,6 +49,18 @@ public class ServiceProvider extends UserType {
         this(username, password, firstname, lastname, address, phonenumber, companyname, licensed, "");
     }
 
+    /**
+     *
+     * @param username
+     * @param password
+     * @param firstname
+     * @param lastname
+     * @param address
+     * @param phonenumber
+     * @param companyname
+     * @param licensed
+     * @param description
+     */
     ServiceProvider(String username, String password, String firstname, String lastname, String address,
                     String phonenumber, String companyname, boolean licensed, String description){
         super(username, password, firstname, lastname);
@@ -62,6 +74,33 @@ public class ServiceProvider extends UserType {
         this.rating = 0;
     }
 
+    /**
+     *
+     * @param username
+     * @param hash
+     * @param salt
+     * @param firstname
+     * @param lastname
+     * @param address
+     * @param phonenumber
+     * @param companyname
+     * @param licensed
+     * @param description
+     */
+    ServiceProvider(String username, String hash, String salt, String firstname, String lastname, String address,
+                    String phonenumber, String companyname, boolean licensed, String description){
+        super(username, hash, salt, firstname, lastname);
+        services = new ArrayList<>();
+        availabilities = new int[7][4];
+        this.address = address;
+        this.phonenumber = phonenumber;
+        this.companyname = companyname;
+        this.licensed = licensed;
+        this.description = description;
+        this.rating = 0;
+    }
+
+
     /**
      * gets the role of the UserType.
      *

OlympusServices/app/src/main/java/com/uottawa/olympus/olympusservices/ServiceProviderEditProfile.java

@@ -37,15 +37,13 @@ public class ServiceProviderEditProfile extends AppCompatActivity {
 
         firstname.setText(user.getFirstname());
         lastname.setText(user.getLastname());
-        password.setText(user.getPassword());
+        password.setText("");
         companyname.setText(user.getCompanyname());
         address.setText(user.getAddress());
         phonenumber.setText(user.getPhonenumber());
         description.setText(user.getDescription());
         licensed.setChecked(user.isLicensed());
 
-
-
     }
 
     /**
@@ -76,7 +74,7 @@ public class ServiceProviderEditProfile extends AppCompatActivity {
         CheckBox licensed = findViewById(R.id.LicensedInput);
 
         //Checks for the fields
-        if(password.getText().toString().length()>=5 && firstname.getText().toString().length()>0
+        if(firstname.getText().toString().length()>0
             && lastname.getText().toString().length()>0 && companyname.getText().toString().length()>0
             && address.getText().toString().length()>0 && phonenumber.getText().toString().length()>0
             && password.getText().toString().matches("[a-zA-Z0-9]*")
@@ -88,6 +86,7 @@ public class ServiceProviderEditProfile extends AppCompatActivity {
             && phonenumber.getText().toString().matches("^(\\+\\d{1,2}\\s)?\\(?\\d{3}\\)?[\\s.-]?\\d{3}[\\s.-]?\\d{4}$")
             && address.getText().toString().replaceAll("\\s+","").length()>0) {
 
+
             if(dbHelper.updateUserInfo(username, password.getText().toString(), firstname.getText().toString(), lastname.getText().toString(),
                 address.getText().toString(), phonenumber.getText().toString(), companyname.getText().toString(), licensed.isChecked(), description.getText().toString())){
                 //add comment method here

OlympusServices/app/src/main/java/com/uottawa/olympus/olympusservices/UserType.java

@@ -13,12 +13,14 @@ public abstract class UserType {
 
     //field for the username attached to the userType.
     String username;
-    //field for the password attached to the userType.
+    //field for the password hash attached to the userType.
-    String password;
+    String hash;
     //field for the firstname attached to the userType.
     String firstname;
     //field for the lastname attached to the userType.
     String lastname;
+    //field for the salt attached to the userType.
+    String salt;
 
 
     /**
@@ -32,9 +34,30 @@ public abstract class UserType {
      */
     UserType(String username, String password, String firstname, String lastname){
         this.username = username;
-        this.password = password;
         this.firstname = firstname;
         this.lastname = lastname;
+
+        this.salt = PasswordEncryption.generateSalt();
+        this.hash = PasswordEncryption.encrypt(password, salt);
+    }
+
+    /**
+     * Constructor filling out all the field values with given parameters
+     * entered by a new user for the app.
+     *
+     * @param username String object containing the username.
+     * @param hash String object containing the password hash.
+     * @param firstname String object containing the firstname.
+     * @param lastname String object containing the lastname.
+     * @param salt String object containing the salt.
+     */
+    UserType(String username, String hash, String salt, String firstname, String lastname){
+        this.username = username;
+        this.firstname = firstname;
+        this.lastname = lastname;
+
+        this.salt = salt;
+        this.hash = hash;
     }
 
     /**
@@ -54,12 +77,12 @@ public abstract class UserType {
     }
 
     /**
-     * Gets the password field of userType.
+     * Gets the hash field of userType.
      *
-     * @return String of the password.
+     * @return String of the hash.
      */
-    public String getPassword() {
+    public String getHash() {
-        return password;
+        return hash;
     }
 
     /**
@@ -80,6 +103,15 @@ public abstract class UserType {
         return lastname;
     }
 
+    /**
+     * Gets the salt field of userType.
+     *
+     * @return String of salt
+     */
+    public String getSalt() {
+        return salt;
+    }
+
     /**
      * Sets the username field with given parameters.
      *
@@ -102,7 +134,8 @@ public abstract class UserType {
         //remember to call updateUser(String username, String password, String firstname, String lastname)
         //in activity whenever a setter is called. DBHelper requires a Context (Activity) to be initialized
         //so cannot be initialized in this class
-        this.password = password;
+        this.salt = PasswordEncryption.generateSalt();
+        this.hash = PasswordEncryption.encrypt(password, salt);
     }
 
     /**
@@ -130,8 +163,9 @@ public abstract class UserType {
      * @param other Usertype object that is compared to this userType.
      */
     public boolean equals(UserType other){
-        if(this.username.equals(other.username)&&this.password.equals(other.password)&&
+        if(this.username.equals(other.username)&&this.hash.equals(other.hash)&&
-                this.firstname.equals(other.firstname)&&this.lastname.equals(other.lastname)){
+                this.firstname.equals(other.firstname)&&this.lastname.equals(other.lastname)
+                &&this.salt.equals(other.salt)){
             return true;
         }
         return false;

OlympusServices/app/src/test/java/com/uottawa/olympus/olympusservices/AdminTest.java

@@ -14,13 +14,12 @@ public class AdminTest {
     public void testAdmin() {
         Admin admin = new Admin();
         String username = admin.getUsername();
-        String password = admin.getPassword();
         String firstname = admin.getFirstname();
         String lastname = admin.getLastname();
         String role = admin.getRole();
         assertEquals("Admin", role);
         assertEquals("admin", username);
-        assertEquals("admin", password);
+        assertEquals(PasswordEncryption.encrypt("admin", admin.getSalt()), admin.getHash());
         assertEquals("Admin", firstname);
         assertEquals("Admin", lastname);
     }

OlympusServices/app/src/test/java/com/uottawa/olympus/olympusservices/DBIntegrationTest.java

@@ -38,9 +38,9 @@ public class DBIntegrationTest {
         UserType dbUser = dbHelper.findUserByUsername("admin");
         assertEquals("Admin", dbUser.getClass().getSimpleName());
         assertEquals("admin", dbUser.getUsername());
-        assertEquals("admin", dbUser.getPassword());
         assertEquals("Admin", dbUser.getFirstname());
         assertEquals("Admin", dbUser.getLastname());
+        assertEquals(PasswordEncryption.encrypt("admin", dbUser.getSalt()), dbUser.getHash());
     }
 
     @Test
@@ -56,7 +56,8 @@ public class DBIntegrationTest {
         dbUser = dbHelper.findUserByUsername("mgarzon");
         assertEquals("HomeOwner", dbUser.getClass().getSimpleName());
         assertEquals("mgarzon", dbUser.getUsername());
-        assertEquals("soccer", dbUser.getPassword());
+        assertEquals(originalUser.getHash(), dbUser.getHash());
+        assertEquals(originalUser.getSalt(), dbUser.getSalt());
         assertEquals("Miguel", dbUser.getFirstname());
         assertEquals("Garzon", dbUser.getLastname());
 
@@ -69,7 +70,8 @@ public class DBIntegrationTest {
         dbUser = dbHelper.findUserByUsername("jbO4aBF4dC");
         assertEquals("ServiceProvider", dbUser.getClass().getSimpleName());
         assertEquals("jbO4aBF4dC", dbUser.getUsername());
-        assertEquals("seg2105", dbUser.getPassword());
+        assertEquals(originalUser.getHash(), dbUser.getHash());
+        assertEquals(originalUser.getSalt(), dbUser.getSalt());
         assertEquals("Juan", dbUser.getFirstname());
         assertEquals("Guzman", dbUser.getLastname());
 
@@ -171,7 +173,6 @@ public class DBIntegrationTest {
         dbUser = dbHelper.findUserByUsername("jbO4aBF4dC");
 
         assertEquals("jbO4aBF4dC", dbUser.getUsername());
-        assertEquals("soccer", dbUser.getPassword());
         assertEquals("Juan", dbUser.getFirstname());
         assertEquals("Guzman", dbUser.getLastname());
 
@@ -561,6 +562,11 @@ public class DBIntegrationTest {
 
     }
 
+    @Test
+    public void printUsersTable(){
+        dbHelper.printTable("user");
+    }
+
     // Ever gotten tired of adding things at the start of a test just to delete it all again?
     // I have.
     // This is a work in progress

OlympusServices/app/src/test/java/com/uottawa/olympus/olympusservices/HomeOwnerTest.java

@@ -14,9 +14,10 @@ public class HomeOwnerTest {
     public void testHomeOwner(){
         UserType user = new HomeOwner( "John123", "1234567890", "John", "Doe" );
         String role = user.getRole();
+        String salt = user.getSalt();
         assertEquals("HomeOwner", role);
         assertEquals("John123", user.getUsername());
-        assertEquals("1234567890", user.getPassword());
+        assertEquals( PasswordEncryption.encrypt("1234567890", salt), user.getHash());
         assertEquals("John", user.getFirstname());
         assertEquals("Doe", user.getLastname());
         user.setUsername( "username" );
@@ -24,7 +25,10 @@ public class HomeOwnerTest {
         user.setFirstname( "firstname" );
         user.setLastname( "lastname" );
         assertNotEquals("John123", user.getUsername());
-        assertNotEquals("1234567890", user.getPassword());
+        assertNotEquals("1234567890", user.getHash());
+        assertNotEquals("password", user.getHash());
+        assertNotEquals( PasswordEncryption.encrypt("1234567890", salt), user.getHash());
+        assertNotEquals(PasswordEncryption.encrypt("password", salt), user.getHash());
         assertNotEquals("John", user.getFirstname());
         assertNotEquals("Doe", user.getLastname());
     }

OlympusServices/app/src/test/java/com/uottawa/olympus/olympusservices/PasswordTest.java

@@ -0,0 +1,22 @@
+package com.uottawa.olympus.olympusservices;
+
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+public class PasswordTest {
+
+    @Test
+    public void testHashes(){
+        String string1 = PasswordEncryption.encrypt("helloworld", "i]/S9evY\\,");
+        String string2 = PasswordEncryption.encrypt("helloworld", "i]/S9evY\\,");
+
+        assertTrue(PasswordEncryption.slowEquals(string1, string2));
+
+        String string3 = PasswordEncryption.encrypt("helloworld", "i]/S9evY\\");
+        assertTrue(!PasswordEncryption.slowEquals(string1, string3));
+
+        String string4 = PasswordEncryption.encrypt("helloworl", "i]/S9evY\\,");
+        assertTrue(!PasswordEncryption.slowEquals(string1, string4));
+
+    }
+}

OlympusServices/app/src/test/java/com/uottawa/olympus/olympusservices/ServiceProviderTest.java

@@ -17,8 +17,9 @@ public class ServiceProviderTest {
 
     @Test
     public void testServiceProvider() {
+        String salt = serviceprovider.getSalt();
         assertEquals( "John123", serviceprovider.getUsername());
-        assertEquals( "1234567890", serviceprovider.getPassword());
+        assertEquals( PasswordEncryption.encrypt("1234567890", salt), serviceprovider.getHash());
         assertEquals( "John", serviceprovider.getFirstname());
         assertEquals( "Doe", serviceprovider.getLastname());
         assertEquals( "ServiceProvider", serviceprovider.getRole());
@@ -27,7 +28,10 @@ public class ServiceProviderTest {
         serviceprovider.setFirstname("firstname");
         serviceprovider.setLastname("lastname");
         assertNotEquals("John123", serviceprovider.getUsername());
-        assertNotEquals("1234567890", serviceprovider.getPassword());
+        assertNotEquals("1234567890", serviceprovider.getHash());
+        assertNotEquals("password", serviceprovider.getHash());
+        assertNotEquals( PasswordEncryption.encrypt("1234567890", salt), serviceprovider.getHash());
+        assertNotEquals(PasswordEncryption.encrypt("password", salt), serviceprovider.getHash());
         assertNotEquals("John", serviceprovider.getFirstname());
         assertNotEquals("Doe", serviceprovider.getLastname());
     }

OlympusServices/app/src/test/java/com/uottawa/olympus/olympusservices/UserTypeTest.java

@@ -27,8 +27,8 @@ public class UserTypeTest {
         assertNotEquals( true, useradmin );
         assertNotEquals( true, serviceadmin );
         assertNotEquals( true, userservice );
-        user.setFirstname(serviceprovider.getFirstname());
+        user = new HomeOwner(serviceprovider.getUsername(), serviceprovider.getHash(), serviceprovider.getSalt(),
-        user.setUsername(serviceprovider.getUsername());
+                serviceprovider.getFirstname(), serviceprovider.getLastname());
         userservice = user.equals(serviceprovider);
         assertEquals( true, userservice );
     }