Merge branch 'main' into next-rc

2025-08-13 07:27:34 +00:00 · 2024-06-25 13:10:35 -07:00
parent 2c93bcbf24 1b0e773ceb
commit 12ac53df1a
36 changed files with 181 additions and 220 deletions
--- a/internal/crypto/passwap.go
+++ b/internal/crypto/passwap.go
@@ -1,7 +1,9 @@
 package crypto

 import (
+	"encoding/hex"
 	"fmt"
+	"slices"
 	"strings"

 	"github.com/mitchellh/mapstructure"
@@ -9,6 +11,7 @@ import (
 	"github.com/zitadel/passwap/argon2"
 	"github.com/zitadel/passwap/bcrypt"
 	"github.com/zitadel/passwap/md5"
+	"github.com/zitadel/passwap/md5plain"
 	"github.com/zitadel/passwap/pbkdf2"
 	"github.com/zitadel/passwap/scrypt"
 	"github.com/zitadel/passwap/verifier"
@@ -18,7 +21,8 @@ import (

 type Hasher struct {
 	*passwap.Swapper
-	Prefixes []string
+	Prefixes     []string
+	HexSupported bool
 }

 func (h *Hasher) EncodingSupported(encodedHash string) bool {
@@ -27,6 +31,12 @@ func (h *Hasher) EncodingSupported(encodedHash string) bool {
 			return true
 		}
 	}
+	if h.HexSupported {
+		_, err := hex.DecodeString(encodedHash)
+		if err == nil {
+			return true
+		}
+	}
 	return false
 }

@@ -38,6 +48,7 @@ const (
 	HashNameArgon2id HashName = "argon2id" // hash only
 	HashNameBcrypt   HashName = "bcrypt"   // hash and verify
 	HashNameMd5      HashName = "md5"      // verify only, as hashing with md5 is insecure and deprecated
+	HashNameMd5Plain HashName = "md5plain" // verify only, as hashing with md5 is insecure and deprecated
 	HashNameScrypt   HashName = "scrypt"   // hash and verify
 	HashNamePBKDF2   HashName = "pbkdf2"   // hash and verify
 )
@@ -69,8 +80,9 @@ func (c *HashConfig) NewHasher() (*Hasher, error) {
 		return nil, zerrors.ThrowInvalidArgument(err, "CRYPT-Que4r", "password hash config invalid")
 	}
 	return &Hasher{
-		Swapper:  passwap.NewSwapper(hasher, verifiers...),
-		Prefixes: append(hPrefixes, vPrefixes...),
+		Swapper:      passwap.NewSwapper(hasher, verifiers...),
+		Prefixes:     append(hPrefixes, vPrefixes...),
+		HexSupported: slices.Contains(c.Verifiers, HashNameMd5Plain),
 	}, nil
 }

@@ -95,6 +107,10 @@ var knowVerifiers = map[HashName]prefixVerifier{
 		prefixes: []string{md5.Prefix},
 		verifier: md5.Verifier,
 	},
+	HashNameMd5Plain: {
+		prefixes: nil, // hex encoded without identifier or prefix
+		verifier: md5plain.Verifier,
+	},
 	HashNameScrypt: {
 		prefixes: []string{scrypt.Prefix, scrypt.Prefix_Linux},
 		verifier: scrypt.Verifier,
--- a/internal/idp/providers/ldap/session.go
+++ b/internal/idp/providers/ldap/session.go
@@ -10,6 +10,7 @@ import (
 	"time"

 	"github.com/go-ldap/ldap/v3"
+	"github.com/zitadel/logging"
 	"golang.org/x/text/language"

 	"github.com/zitadel/zitadel/internal/domain"
@@ -172,12 +173,14 @@ func trySearchAndUserBind(
 		return nil, err
 	}
 	if len(sr.Entries) != 1 {
+		logging.WithFields("entries", len(sr.Entries)).Info("ldap: no single user found")
 		return nil, ErrNoSingleUser
 	}

 	user := sr.Entries[0]
 	// Bind as the user to verify their password
 	if err = conn.Bind(user.DN, password); err != nil {
+		logging.WithFields("userDN", user.DN).WithError(err).Info("ldap user bind failed")
 		return nil, ErrFailedLogin
 	}
 	return user, nil