[GitHub] [accumulo] keith-turner commented on a diff in pull request #2707: Cached last 16 successful ZKSecurityTool.checkCryptPass password checks

GitBox Mon, 16 May 2022 12:20:47 -0700


keith-turner commented on code in PR #2707:
URL: https://github.com/apache/accumulo/pull/2707#discussion_r874076518



##########
server/base/src/main/java/org/apache/accumulo/server/security/handler/ZKSecurityTool.java:
##########
@@ -114,16 +119,38 @@ public static byte[] createPass(byte[] password) throws 
AccumuloException {
     return cryptHash.getBytes(UTF_8);
   }
 
+  private static final Cache<String,String> CRYPT_PASSWORD_CACHE = 
Caffeine.newBuilder()
+      .scheduler(Scheduler.systemScheduler()).expireAfterWrite(3, 
TimeUnit.SECONDS).build();
+
   public static boolean checkCryptPass(byte[] password, byte[] zkData) {
     String zkDataString = new String(zkData, UTF_8);
-    String cryptHash;
-    try {
-      cryptHash = Crypt.crypt(password, zkDataString);
-    } catch (IllegalArgumentException e) {
-      log.error("Unrecognized hash format", e);
-      return false;
+    String key = new String(password, UTF_8) + zkDataString;
+    String cryptHash = CRYPT_PASSWORD_CACHE.getIfPresent(key);
+    boolean matches = false;
+    if (cryptHash != null) {
+      matches = MessageDigest.isEqual(zkData, cryptHash.getBytes(UTF_8));
+      // If matches then zkData has not changed from when it was put into the 
cache
+      if (matches) {
+        return true;
+      } else {
+        // remove the non-matching entry from the cache
+        CRYPT_PASSWORD_CACHE.invalidate(key);
+      }
+    }
+    // Either !matches or was not cached
+    if (!matches) {
+      try {
+        cryptHash = Crypt.crypt(password, zkDataString);
+      } catch (IllegalArgumentException e) {
+        log.error("Unrecognized hash format", e);
+        return false;
+      }
+    }
+    matches = MessageDigest.isEqual(zkData, cryptHash.getBytes(UTF_8));
+    if (matches) {
+      CRYPT_PASSWORD_CACHE.put(key, cryptHash);

Review Comment:
   Looking at the `if (!matches) {` case it seems like if execution got to that 
point in the code that it would always be true.  If that is the case, then 
could remove `if (!matches) {`.
   
   ```suggestion
       if (cryptHash != null) {
         // If matches then zkData has not changed from when it was put into 
the cache
         if ( MessageDigest.isEqual(zkData, cryptHash.getBytes(UTF_8))) {
           return true;
         } else {
           // remove the non-matching entry from the cache
           CRYPT_PASSWORD_CACHE.invalidate(key);
         }
       }
         try {
           cryptHash = Crypt.crypt(password, zkDataString);
         } catch (IllegalArgumentException e) {
           log.error("Unrecognized hash format", e);
           return false;
         }
       boolean matches = MessageDigest.isEqual(zkData, 
cryptHash.getBytes(UTF_8));
       if (matches) {
         CRYPT_PASSWORD_CACHE.put(key, cryptHash);
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

[GitHub] [accumulo] keith-turner commented on a diff in pull request #2707: Cached last 16 successful ZKSecurityTool.checkCryptPass password checks

Reply via email to