BasicAuth: Tutorial Refactoring (#2735)

* Add security enhancements and improve utility handling in authentication workflow

- Introduced `AlgoSalt` record for streamlined password hashing and salt handling.
- Refactored `JdbcUserDataProvider` and `StaticUserDataProvider` to utilize enhanced hashing mechanisms.
- Added comprehensive unit tests for new password hashing, salt extraction, and validation logic in `SecurityUtilsTest`.
- Included a new tutorial class `BasicAuthenticationTutorialTest` for basic authentication scenarios with YAML configuration.

* Refactor `JdbcUserDataProvider`: streamline SQL handling and improve logging

* Add tests for `FileUserDataProvider` and refine user verification logic

- Introduced comprehensive unit tests for `FileUserDataProvider` covering initialization, malformed inputs, empty files, and user verification.
- Refactored user splitting logic to limit splits, fixing issues with passwords containing colons.
- Improved exception handling for invalid file paths and malformed user entries.
- Documented current behavior for handling colon usage in hashed passwords.

* Enhance authentication handling: refine input sanitization, fix hash splitting, and add tests

- Improved sanitization logic in `JdbcUserDataProvider` for table/column names using regex validation.
- Fixed hash handling in `SecurityUtils` to enforce correct format and refine error messages.
- Resolved colon splitting issue in `FileUserDataProviderTest` for hashed passwords.
- Added extensive unit tests for `JdbcUserDataProvider` to verify initialization, input sanitization, and user verification scenarios.
- Refactored `StaticUserDataProvider` to prevent redundant map population in `init` method.

* Remove redundant `throws SQLException` declarations and streamline SQL handling in `JdbcUserDataProviderTest`.

* Enhance authentication workflow: add `BasicAuthenticationUtil`, streamline user attribute filtering, and improve test coverage

- Introduced `BasicAuthenticationUtil` for extracting and handling Basic authentication credentials.
- Refactored `StaticUserDataProvider` to use a common `filterPassword` method for secure user attribute handling.
- Enhanced `JdbcUserDataProvider` for safer bean initialization with null checks and better error messages.
- Expanded test coverage with detailed tests for `BasicAuthenticationUtil` and user attribute filtering.
- Improved robustness and maintainability of authentication components.

* Refactor authentication workflow: replace `User` with `UserConfig`, centralize user attribute handling, and update tests

* Refactor authentication workflow: remove redundant code, improve initialization and error handling, and update tests

* Enhance `BasicAuthenticationInterceptor`: remove `Authorization` header by default after authentication, add configurability, and update tests

* Refactor `StaticUserDataProvider`: simplify `usersByName` population logic and remove redundant `getUsersByName` calls

* Fix JavaDoc formatting in `BasicAuthenticationInterceptor`: close `<p>` tag correctly

* Enhance `BasicAuthenticationInterceptor`: improve logging, update user count display, and refine response headers for compliance

* Enhance `BasicAuthenticationInterceptor`: improve logging, update user count display, and refine response headers for compliance

* Update `BasicAuthenticationUtilTest`: mask sensitive information in `toString` and add assertion to verify it's not exposed

* Refactor OAuth2 and authentication session logic: improve code readability by using `var`, remove unnecessary password filtering, update test methods, and streamline imports.

* Remove redundant password assertion in `FileUserDataProviderTest`

* resolved a few comments

* add comment

* added support for argon2id

* fixed merge error

* Refactor `FileUserDataProvider` to rename `htpasswdPath` methods to `location`. Update related test cases accordingly.

* Rename `location` methods to `htpasswdPath` in `FileUserDataProviderElement` and update test case.

* fix

---------

Co-authored-by: Tobias Polley <mail@tobias-polley.de>
Co-authored-by: Tobias Polley <polley@predic8.de>
Co-authored-by: Christian Gördes <christian.goerdes@outlook.de>
Co-authored-by: Christian Gördes <118011644+christiangoerdes@users.noreply.github.com>

Author: 3 people

annot/src/main/java/com/predic8/membrane/annot/generator/Schemas.java

@@ -167,6 +167,7 @@ private void assembleDocumentation(Writer w, AbstractJavadocedInfo aji) throws I
 		Doc doc = aji.getDoc(processingEnv);
 
 		String id = null;
+
 		if (aji instanceof ElementInfo ei) id = ei.getId();
 
 		if (doc == null && id == null) return;

core/src/main/java/com/predic8/membrane/core/cli/MembraneCommandLine.java

@@ -69,6 +69,15 @@ private static Options getRootOptions() {
                 addOption(builder("o").longOpt("output").argName("file").hasArg().desc("Output file (JWK, public).").build());
             }});
 
+            addSubcommand(new CliCommand("argon2id", "Computes an Argon2id hash value.") {{
+                addOption(builder("pass").longOpt("password").argName("password").hasArg().desc("Password to hash.").build());
+                addOption(builder("v").longOpt("version").argName("version").hasArg().desc("Version (decimal, default: 19).").build());
+                addOption(builder("s").longOpt("salt").argName("salt").hasArg().desc("Salt to hash with (hex string, default: random 16 bytes).").build());
+                addOption(builder("i").longOpt("iterations").argName("iterations").hasArg().desc("Number of iterations (default: 3).").build());
+                addOption(builder("m").longOpt("memory").argName("memory").hasArg().desc("Memory in KiB (default: 65536).").build());
+                addOption(builder("p").longOpt("parallelism").argName("parallelism").hasArg().desc("Parallelism (default: 1).").build());
+            }});
+
         }};
     }
 

core/src/main/java/com/predic8/membrane/core/cli/RouterCLI.java

@@ -23,24 +23,29 @@
 import com.predic8.membrane.core.resolver.*;
 import com.predic8.membrane.core.router.*;
 import org.apache.commons.cli.*;
+import org.apache.commons.codec.binary.Hex;
 import org.jetbrains.annotations.*;
 import org.slf4j.*;
 import org.springframework.beans.factory.xml.*;
 
 import java.io.*;
+import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
 import java.util.*;
 
 import static com.predic8.membrane.core.Constants.*;
 import static com.predic8.membrane.core.cli.util.JwkGenerator.*;
 import static com.predic8.membrane.core.config.spring.CheckableBeanFactory.*;
 import static com.predic8.membrane.core.config.spring.TrackingFileSystemXmlApplicationContext.*;
+import static com.predic8.membrane.core.interceptor.authentication.SecurityUtils.buildArgon2idPCH;
 import static com.predic8.membrane.core.openapi.serviceproxy.OpenAPISpec.YesNoOpenAPIOption.*;
 import static com.predic8.membrane.core.openapi.util.OpenAPIUtil.*;
 import static com.predic8.membrane.core.util.ExceptionUtil.*;
 import static com.predic8.membrane.core.util.OSUtil.*;
 import static com.predic8.membrane.core.util.URIUtil.*;
 import static com.predic8.membrane.core.util.text.TerminalColors.*;
 import static java.lang.Integer.*;
+import static org.apache.commons.cli.Option.builder;
 import static org.apache.commons.lang3.exception.ExceptionUtils.*;
 
 public class RouterCLI {
@@ -78,6 +83,11 @@ private static void start(String[] args) {
         if (commandLine.getCommand().getName().equals("private-jwk-to-public")) {
             privateJwkToPublic(commandLine);
         }
+
+        if (commandLine.getCommand().getName().equals("argon2id")) {
+            argon2id(commandLine);
+        }
+
         if (getRouter(commandLine) instanceof DefaultRouter dr)
             dr.waitFor();
     }
@@ -95,6 +105,39 @@ private static void privateJwkToPublic(MembraneCommandLine commandLine) {
         System.exit(0);
     }
 
+    private static void argon2id(MembraneCommandLine commandLine) {
+        try {
+            String password = commandLine.getCommand().getOptionValue("pass");
+            String version = commandLine.getCommand().getOptionValue("v");
+            String salt = commandLine.getCommand().getOptionValue("s");
+            String iterations = commandLine.getCommand().getOptionValue("i");
+            String memory = commandLine.getCommand().getOptionValue("m");
+            String parallelism = commandLine.getCommand().getOptionValue("p");
+
+            int v = version == null ? 19 : Integer.parseInt(version);
+            int i = iterations == null ? 3 : Integer.parseInt(iterations);
+            int m = memory == null ? 65536 : Integer.parseInt(memory);
+            int p = parallelism == null ? 1 : Integer.parseInt(parallelism);
+            if (password == null) {
+                System.out.println("Enter password to hash:");
+                Scanner s = new Scanner(System.in);
+                password = s.nextLine();
+            }
+            byte[] s = salt == null ? null : Hex.decodeHex(salt.toCharArray());
+            if (s == null) {
+                SecureRandom random = new SecureRandom();
+                s = new byte[16];
+                random.nextBytes(s);
+            }
+
+            System.out.println(buildArgon2idPCH(password.getBytes(StandardCharsets.UTF_8), s, v, i, m, p));
+        } catch (Exception e) {
+            System.err.println(getExceptionMessageWithCauses(e));
+            System.exit(1);
+        }
+        System.exit(0);
+    }
+
     private static void dryRun(MembraneCommandLine commandLine) {
         try {
             new TrackingFileSystemXmlApplicationContext(new String[]{getRulesFile(commandLine)}, false).refresh();

core/src/main/java/com/predic8/membrane/core/exceptions/ProblemDetails.java

@@ -35,7 +35,7 @@
  */
 public class ProblemDetails {
 
-    private static final Logger log = LoggerFactory.getLogger(ProblemDetails.class.getName());
+    private static final Logger log = LoggerFactory.getLogger(ProblemDetails.class);
 
     private static final ObjectMapper om = new ObjectMapper();
     private static final ObjectWriter ow = om.writerWithDefaultPrettyPrinter();

core/src/main/java/com/predic8/membrane/core/http/Header.java

@@ -377,6 +377,10 @@ public void setConnection(String connection) {
         setValue(CONNECTION, connection);
     }
 
+    public void setWwwAuthenticate(String realm) {
+        setValue(WWW_AUTHENTICATE, "Basic realm=\""+realm +"\"");
+    }
+
     public String getProxyConnection() {
         return getFirstValue(PROXY_CONNECTION);
     }