From e98fc3556e0b02c6447e645908c41c59bf7d113b Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Sun, 22 Oct 2017 23:10:20 -0500
Subject: [PATCH] Remove Md5PasswordEncoder from core
Issue: gh-4674
---
 .../authentication/PasswordEncoderParser.java | 3 -
 .../security/config/spring-security-5.0.rnc | 2 +-
 .../security/config/spring-security-5.0.xsd | 3 -
 ...tionProviderBeanDefinitionParserTests.java | 60 ++++++--------
 .../encoding/Md5PasswordEncoder.java | 42 ----------
 .../encoding/Md5PasswordEncoderTests.java | 80 -------------------
 6 files changed, 25 insertions(+), 165 deletions(-)
 delete mode 100644 core/src/main/java/org/springframework/security/authentication/encoding/Md5PasswordEncoder.java
 delete mode 100644 core/src/test/java/org/springframework/security/authentication/encoding/Md5PasswordEncoderTests.java
diff --git a/config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java b/config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java
index 19f761688b..da63914cfc 100644
--- a/config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java
+++ b/config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java
@@ -29,7 +29,6 @@ import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.security.authentication.encoding.BaseDigestPasswordEncoder;
 import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
 import org.springframework.security.authentication.encoding.Md4PasswordEncoder;
-import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
 import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
 import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 import org.springframework.security.config.Elements;
@@ -54,7 +53,6 @@ public class PasswordEncoderParser {
 static final String OPT_HASH_SHA = "sha";
 static final String OPT_HASH_SHA256 = "sha-256";
 static final String OPT_HASH_MD4 = "md4";
- static final String OPT_HASH_MD5 = "md5";
 static final String OPT_HASH_LDAP_SHA = "{sha}";
 static final String OPT_HASH_LDAP_SSHA = "{ssha}";
@@ -67,7 +65,6 @@ public class PasswordEncoderParser {
 ENCODER_CLASSES.put(OPT_HASH_SHA, ShaPasswordEncoder.class);
 ENCODER_CLASSES.put(OPT_HASH_SHA256, ShaPasswordEncoder.class);
 ENCODER_CLASSES.put(OPT_HASH_MD4, Md4PasswordEncoder.class);
- ENCODER_CLASSES.put(OPT_HASH_MD5, Md5PasswordEncoder.class);
 ENCODER_CLASSES.put(OPT_HASH_LDAP_SHA, LdapShaPasswordEncoder.class);
 ENCODER_CLASSES.put(OPT_HASH_LDAP_SSHA, LdapShaPasswordEncoder.class);
 }
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc
index 3c7896cda2..5a31059303 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc
@@ -7,7 +7,7 @@ start = http | ldap-server | authentication-provider | ldap-authentication-provi
 hash =
 ## Defines the hashing algorithm used on user passwords. Bcrypt is recommended.
- attribute hash {"bcrypt" | "plaintext" | "sha" | "sha-256" | "md5" | "md4" | "{sha}" | "{ssha}"}
+ attribute hash {"bcrypt" | "plaintext" | "sha" | "sha-256" | "md4" | "{sha}" | "{ssha}"}
 base64 =
 ## Whether a string should be base64 encoded
 attribute base64 {xsd:boolean}
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd
index 5c1d4700c2..4419de3aa6 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd
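Review bot: In spring-security-5.0.rnc the `hash` attribute still accepts `"plaintext"`, `"sha"` and `"md4"` after `"md5"` is dropped, and the `##` annotation above it gives no hint that a value was removed. MD4 is at least as weak as MD5 for password storage, so unless it is removed separately under gh-4674 the enumeration now reads as if it were still an acceptable choice. A configuration that still carries `hash="md5"` will presumably fail schema validation on upgrade, so the annotation is the natural place to point at the replacement, for example `## Defines the hashing algorithm used on user passwords. Bcrypt is recommended; "md5" was removed in 5.0, reference a PasswordEncoder bean via ref to verify legacy hashes.`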
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd @@ -15,7 +15,6 @@ - @@ -150,7 +149,6 @@ - @@ -533,7 +531,6 @@ - diff --git a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java index 5d95c65acd..2a86f6dd6b 100644 --- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java @@ -24,6 +24,7 @@ import org.springframework.security.authentication.dao.ReflectionSaltSource; import org.springframework.security.authentication.encoding.ShaPasswordEncoder; import org.springframework.security.config.BeanIds; import org.springframework.security.config.util.InMemoryXmlApplicationContext; +import org.springframework.security.crypto.password.MessageDigestPasswordEncoder; import org.springframework.security.util.FieldUtils; import org.springframework.beans.factory.parsing.BeanDefinitionParsingException; import org.springframework.context.support.AbstractXmlApplicationContext; @@ -103,11 +104,19 @@ public class AuthenticationProviderBeanDefinitionParserTests { @Test public void providerWithMd5PasswordEncoderWorks() throws Exception { - setContext(" " - + " " + appContext = new InMemoryXmlApplicationContext( + " " + + " " + + " " + " " + " " - + " " + " "); + + " " + + " " + + " " + + " " + + " " + + " "); getProvider().authenticate(bob); } 
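Review bot: No test in AuthenticationProviderBeanDefinitionParserTests pins what happens to `hash="md5"` now that the option is gone; `providerWithMd5PasswordEncoderWorks` only checks that the rewritten context (apparently wired to the newly imported `MessageDigestPasswordEncoder`) still authenticates `bob`. The lookup in `PasswordEncoderParser.ENCODER_CLASSES` will miss for that value, and the visible lines do not show whether the parser then fails with a clear error or carries on without an encoder. A negative test next to this one, loading a context that still uses the old attribute value and expecting context creation to fail, would keep a stale configuration from silently ending up with weaker password checking. The XML literals in this hunk are not legible on the page, so the exact markup is left to the author.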
@@ -138,45 +147,24 @@ public class AuthenticationProviderBeanDefinitionParserTests { @Test public void passwordIsBase64EncodedWhenBase64IsEnabled() throws Exception { - setContext(" " - + " " + appContext = new InMemoryXmlApplicationContext( + " " + + " " + + " " + " " + " " - + " " + " "); + + " " + + " " + + " " + + " " + + " " + + " " + + " "); getProvider().authenticate(bob); } - @Test - public void externalUserServicePasswordEncoderAndSaltSourceWork() throws Exception { - appContext = new InMemoryXmlApplicationContext( - " " - + " " - + " " - + " " - + " " - + " " - + " " - + - - " " - + " " - + " " - + " " - + " " - + " " - + " " - + " f117f0862384e9497ff4f470e3522606,ROLE_A" - + " " + " " - + " "); - getProvider().authenticate(bob); - } - // SEC-1466 @Test(expected = BeanDefinitionParsingException.class) public void exernalProviderDoesNotSupportChildElements() throws Exception { diff --git a/core/src/main/java/org/springframework/security/authentication/encoding/Md5PasswordEncoder.java b/core/src/main/java/org/springframework/security/authentication/encoding/Md5PasswordEncoder.java deleted file mode 100644 index 20724dcaa3..0000000000 --- a/core/src/main/java/org/springframework/security/authentication/encoding/Md5PasswordEncoder.java +++ /dev/null 
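Review bot: `externalUserServicePasswordEncoderAndSaltSourceWork` is deleted here rather than ported, so as far as this hunk shows nothing exercises an external user service combined with a password encoder and a salt source any more. If the rewritten `passwordIsBase64EncodedWhenBase64IsEnabled` is meant to absorb that case, a short comment on it saying so would make the intent explicit; otherwise a ported version of the test using the replacement encoder bean would keep the salted path covered. Both rewritten tests also assign `appContext` directly instead of calling `setContext(...)`; that helper is defined outside the hunk, so whether the direct assignment skips any shared setup cannot be checked from here.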
@@ -1,42 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.authentication.encoding;
-
-/**
- *

- * MD5 implementation of PasswordEncoder.
- *

- *

- * If a null password is presented, it will be treated as an empty
- * String ("") password.
- *

- *

- * As MD5 is a one-way hash, the salt can contain any characters.
- *

- *
- * This is a convenience class that extends the {@link MessageDigestPasswordEncoder} and
- * passes MD5 as the algorithm to use.
- *
- * @author Ray Krueger
- * @author colin sampaleanu
- * @author Ben Alex
- */
-public class Md5PasswordEncoder extends MessageDigestPasswordEncoder {
-
- public Md5PasswordEncoder() {
- super("MD5");
- }
-}
diff --git a/core/src/test/java/org/springframework/security/authentication/encoding/Md5PasswordEncoderTests.java b/core/src/test/java/org/springframework/security/authentication/encoding/Md5PasswordEncoderTests.java
deleted file mode 100644
index 2829774508..0000000000
--- a/core/src/test/java/org/springframework/security/authentication/encoding/Md5PasswordEncoderTests.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.authentication.encoding;
-
-import static org.assertj.core.api.Assertions.*;
-
-import org.junit.Test;
-
-/**
- *

- * TestCase for Md5PasswordEncoder.
- *

- *
- * @author colin sampaleanu
- * @author Ben Alex
- * @author Ray Krueger
- * @author Luke Taylor
- */
-public class Md5PasswordEncoderTests {
- // ~ Methods
- // ========================================================================================================
-
- @Test
- public void testBasicFunctionality() {
- Md5PasswordEncoder pe = new Md5PasswordEncoder();
- String raw = "abc123";
- String badRaw = "abc321";
- String salt = "THIS_IS_A_SALT";
- String encoded = pe.encodePassword(raw, salt);
- assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue();
- assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse();
- assertThat(encoded).isEqualTo("a68aafd90299d0b137de28fb4bb68573");
- assertThat(pe.getAlgorithm()).isEqualTo("MD5");
- }
-
- @Test
- public void nonAsciiPasswordHasCorrectHash() throws Exception {
- Md5PasswordEncoder md5 = new Md5PasswordEncoder();
- // $ echo -n "你好" | md5
- // 7eca689f0d3389d9dea66ae112e5cfd7
- String encodedPassword = md5.encodePassword("\u4F60\u597d", null);
- assertThat(encodedPassword).isEqualTo("7eca689f0d3389d9dea66ae112e5cfd7");
- }
-
- @Test
- public void testBase64() throws Exception {
- Md5PasswordEncoder pe = new Md5PasswordEncoder();
- pe.setEncodeHashAsBase64(true);
- String raw = "abc123";
- String badRaw = "abc321";
- String salt = "THIS_IS_A_SALT";
- String encoded = pe.encodePassword(raw, salt);
- assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue();
- assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse();
- assertThat(encoded.length() != 32).isTrue();
- }
-
- @Test
- public void stretchFactorIsProcessedCorrectly() throws Exception {
- Md5PasswordEncoder pe = new Md5PasswordEncoder();
- pe.setIterations(2);
- // Calculate value using:
- // echo -n password{salt} | openssl md5 -binary | openssl md5
- assertThat(pe.encodePassword("password", "salt")).isEqualTo("eb753fb0c370582b4ee01b30f304b9fc");
- }
-}