Security Patch

payneteasy · Jun 26, 2024 · fa9ac8d · fa9ac8d
1 parent 72713a2
commit fa9ac8d
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 2 deletions.
diff --git a/pom.xml b/pom.xml
@@ -432,7 +432,7 @@
             <dependency>
                 <groupId>commons-io</groupId>
                 <artifactId>commons-io</artifactId>
-                <version>2.15.1</version>
+                <version>2.16.1</version>
             </dependency>
             <dependency>
                 <groupId>com.warrenstrange</groupId>
@@ -452,7 +452,7 @@
             <dependency>
                 <groupId>commons-codec</groupId>
                 <artifactId>commons-codec</artifactId>
-                <version>1.16.0</version>
+                <version>1.17.0</version>
             </dependency>
             <dependency>
                 <!--override googleauth's httpclient version-->

diff --git a/superfly-service/src/main/java/com/payneteasy/superfly/hotp/HOTPServiceImpl.java b/superfly-service/src/main/java/com/payneteasy/superfly/hotp/HOTPServiceImpl.java
@@ -39,6 +39,10 @@ public class HOTPServiceImpl implements HOTPService {
     private UserService userService;
     private CryptoService cryptoService;
 
+    public ThreadLocal<GoogleAuthenticator> getGoogleAuthenticator() {
+        return googleAuthenticator;
+    }
+
     @Required
     public void setEmailService(EmailService emailService) {
         this.emailService = emailService;

diff --git a/superfly-service/src/test/java/com/payneteasy/superfly/hotp/HOTPServiceImplTest.java b/superfly-service/src/test/java/com/payneteasy/superfly/hotp/HOTPServiceImplTest.java
@@ -0,0 +1,63 @@
+package com.payneteasy.superfly.hotp;
+
+import com.payneteasy.superfly.api.SsoDecryptException;
+import com.payneteasy.superfly.crypto.CryptoServiceImpl;
+import com.payneteasy.superfly.crypto.exception.EncryptException;
+import com.payneteasy.superfly.service.UserService;
+import com.payneteasy.superfly.service.impl.UserServiceImpl;
+import com.warrenstrange.googleauth.GoogleAuthenticatorKey;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+public class HOTPServiceImplTest {
+    public static final String USERNAME = "user";
+    private HOTPServiceImpl service;
+    private GoogleAuthenticatorKey credentials;
+
+    @Before
+    public void setup() {
+        service = new HOTPServiceImpl();
+        credentials = service.getGoogleAuthenticator().get().createCredentials();
+
+        CryptoServiceImpl cryptoService = new CryptoServiceImpl();
+        cryptoService.setCryptoSalt("GOOGLE_SALT");
+        cryptoService.setCryptoSecret("GOOGLE_SECRET");
+
+        UserService userService = new UserServiceImpl() {
+            @Override
+            public String getOtpMasterKeyByUsername(String username) {
+                if (USERNAME.equals(username)) {
+                    try {
+                        return cryptoService.encrypt(credentials.getKey());
+                    } catch (EncryptException e) {
+                        throw new RuntimeException(e);
+                    }
+                }
+                return null;
+            }
+        };
+        service.setCryptoService(cryptoService);
+        service.setUserService(userService);
+    }
+
+    @Test
+    public void testValidateGoogleTimePassword() throws SsoDecryptException {
+        String totpPassword = String.valueOf(
+                service.getGoogleAuthenticator().get().getTotpPassword(credentials.getKey())
+        );
+
+        boolean valid = service.validateGoogleTimePassword(USERNAME, totpPassword);
+
+        Assert.assertTrue( "Not valid code", valid);
+    }
+
+    @Test
+    public void testUnValidateGoogleTimePassword() throws SsoDecryptException {
+        String totpPassword = "123123";
+
+        boolean valid = service.validateGoogleTimePassword(USERNAME, totpPassword);
+
+        Assert.assertFalse( "Valid code", valid);
+    }
+}