[GitHub] [accumulo] dlmarion commented on a diff in pull request #2707: Cached last 16 successful ZKSecurityTool.checkCryptPass password checks

Mon, 16 May 2022 12:25:57 -0700 


dlmarion commented on code in PR #2707:
URL: https://github.com/apache/accumulo/pull/2707#discussion_r874081618


##########
server/base/src/main/java/org/apache/accumulo/server/security/handler/ZKSecurityTool.java:
##########
@@ -114,16 +119,38 @@ public static byte[] createPass(byte[] password) throws 
AccumuloException {
     return cryptHash.getBytes(UTF_8);
   }
 
+  private static final Cache<String,String> CRYPT_PASSWORD_CACHE = 
Caffeine.newBuilder()
+      .scheduler(Scheduler.systemScheduler()).expireAfterWrite(3, 
TimeUnit.SECONDS).build();
+
   public static boolean checkCryptPass(byte[] password, byte[] zkData) {
     String zkDataString = new String(zkData, UTF_8);
-    String cryptHash;
-    try {
-      cryptHash = Crypt.crypt(password, zkDataString);
-    } catch (IllegalArgumentException e) {
-      log.error("Unrecognized hash format", e);
-      return false;
+    String key = new String(password, UTF_8) + zkDataString;
+    String cryptHash = CRYPT_PASSWORD_CACHE.getIfPresent(key);
+    boolean matches = false;
+    if (cryptHash != null) {
+      matches = MessageDigest.isEqual(zkData, cryptHash.getBytes(UTF_8));
+      // If matches then zkData has not changed from when it was put into the 
cache
+      if (matches) {
+        return true;
+      } else {
+        // remove the non-matching entry from the cache
+        CRYPT_PASSWORD_CACHE.invalidate(key);
+      }
+    }
+    // Either !matches or was not cached
+    if (!matches) {
+      try {
+        cryptHash = Crypt.crypt(password, zkDataString);
+      } catch (IllegalArgumentException e) {
+        log.error("Unrecognized hash format", e);
+        return false;
+      }
+    }
+    matches = MessageDigest.isEqual(zkData, cryptHash.getBytes(UTF_8));
+    if (matches) {
+      CRYPT_PASSWORD_CACHE.put(key, cryptHash);

Review Comment:
   I think that's true. I'll apply your changes manually, it doesn't look like 
it will pass the formatter check
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to