Fixes #23208: Add a warning in the logs when using local auth with non-bcrypt passwords

webapp/sources/rudder/rudder-core/src/main/scala/com/normation/rudder/services/healthcheck/HealthcheckService.scala

@@ -1,6 +1,7 @@
 package com.normation.rudder.services.healthcheck
 
 import better.files.File.root
+import bootstrap.liftweb.AppConfigAuth
 import com.normation.errors.Inconsistency
 import com.normation.errors.IOResult
 import com.normation.rudder.domain.logger.{HealthcheckLoggerPure => logger}
@@ -169,3 +170,16 @@ final class CheckFileDescriptorLimit(val nodeInfoService: NodeInfoService) exten
     }
   }
 }
+
+final class CheckLocalAccountHashMethod(val authConfigProvider: FileUserDetailListProvider) extends Check {
+  def name: CheckName                   = CheckName("Local users password hashes")
+  def run:  IOResult[HealthcheckResult] = for {
+    hash <- authConfigProvider.authConfig.encoder
+  } yield {
+    if (PasswordEncoder.safeEncoders.contains(hash)) {
+      Ok(name, s"${hash} password hash")
+    } else {
+      Warning(name, s"Unsafe password hash method ${hash}, you should switch to bcrypt")
+    }
+  }
+}

webapp/sources/rudder/rudder-web/src/main/scala/bootstrap/liftweb/AppConfigAuth.scala

@@ -235,15 +235,10 @@ class AppConfigAuth extends ApplicationContextAware {
 
       if (login.isEmpty || password.isEmpty) {
         (defaultEncoder, Map.empty[String, RudderUserDetail])
-      } else {
-        // check if the password is in plain text (for compatibility before #19308) or bcrypt-encoded
-        val passwordEncoder = if (password.startsWith("$2y$")) {
-          PasswordEncoder.BCRYPT
-        } else {
-          PasswordEncoder.PlainText
-        }
+      } else if (password.startsWith("$2y$")) {
+        // Actual bcrypt hash
         (
-          passwordEncoder,
+          defaultEncoder,
           Map(
             login -> RudderUserDetail(
               RudderAccount.User(
@@ -255,6 +250,12 @@ class AppConfigAuth extends ApplicationContextAware {
             )
           )
         )
+      } else {
+        // Plain text, not supported anymore
+        logger.warn(
+          "Fallback admin account is configured with a plain text password. It is not supported anymore, and the account is disabled."
+        )
+        (defaultEncoder, Map.empty[String, RudderUserDetail])
       }
     } else {
       (defaultEncoder, Map.empty[String, RudderUserDetail])
@@ -414,11 +415,11 @@ object AuthenticationMethods {
       }
     }
 
-    // always add "rootAdmin" has the first method
+    // always add "rootAdmin" as the first method
     // and de-duplicate methods
     val auths = ("rootAdmin" +: names).distinct.map(AuthenticationMethods(_))
 
-    // for each methods, check that the provider file is present, or log an error and
+    // for each method, check that the provider file is present, or log an error and
     // disable that provider
     auths.flatMap { a =>
       if (a.name == "rootAdmin") {

webapp/sources/rudder/rudder-web/src/main/scala/bootstrap/liftweb/RudderConfig.scala

@@ -3267,7 +3267,8 @@ object RudderConfigInit {
       List(
         CheckCoreNumber,
         CheckFreeSpace,
-        new CheckFileDescriptorLimit(nodeInfoService)
+        new CheckFileDescriptorLimit(nodeInfoService),
+        new CheckLocalAccountHashMethod(rudderUserListProvider)
       )
     )
 

webapp/sources/rudder/rudder-web/src/main/scala/bootstrap/liftweb/RudderUserDetailsFile.scala

@@ -118,17 +118,17 @@ object PasswordEncoder {
     }
   }
 
-  val PlainText = new PasswordEncoder() {
+  val PlainText    = new PasswordEncoder() {
     override def encode(rawPassword: CharSequence):                           String  = rawPassword.toString
     override def matches(rawPassword: CharSequence, encodedPassword: String): Boolean = rawPassword.toString == encodedPassword
   }
   // Unsalted hash functions :
-  val MD5       = new DigestEncoder("MD5")
-  val SHA1      = new DigestEncoder("SHA-1")
-  val SHA256    = new DigestEncoder("SHA-256")
-  val SHA512    = new DigestEncoder("SHA-512")
+  val MD5          = new DigestEncoder("MD5")
+  val SHA1         = new DigestEncoder("SHA-1")
+  val SHA256       = new DigestEncoder("SHA-256")
+  val SHA512       = new DigestEncoder("SHA-512")
   // Salted hash functions :
-  val BCRYPT    = new PasswordEncoder() {
+  val BCRYPT       = new PasswordEncoder() {
     override def encode(rawPassword: CharSequence):                           String  = {
       val salt: Array[Byte] = new Array(16)
       random.nextBytes(salt)
@@ -147,6 +147,8 @@ object PasswordEncoder {
       }
     }
   }
+  // Encoders which are safe to use, exclude simple hashes as they are vulnerable
+  val safeEncoders = BCRYPT :: Nil
 
   def parse(name: String): Either[String, PasswordEncoder] = {
     name.toLowerCase match {
@@ -495,6 +497,11 @@ object UserFileProcessing {
       Inconsistency("Authentication file is malformed, the root tag '<authentication>' was not found").fail
     } else {
       val hash = PasswordEncoder.parse((root(0) \ "@hash").text).getOrElse(PasswordEncoder.BCRYPT)
+      if (!PasswordEncoder.safeEncoders.contains(hash)) {
+        ApplicationLoggerPure.Authz.logEffect.warn(
+          s"Local user authentication is configured with a deprecated and unsafe hash method '${hash}', you should switch to the recommended 'bcrypt' method."
+        )
+      }
 
       val isCaseSensitive: IOResult[Boolean] = (root(0) \ "@case-sensitivity").text.toLowerCase match {
         case "true"  => true.succeed