Encrypt password.

src/main/resources/update/1_0.sql

@@ -1,7 +1,7 @@
 CREATE TABLE ACCOUNT(
 		USER_NAME VARCHAR(100) NOT NULL,
 		MAIL_ADDRESS VARCHAR(100) NOT NULL,
-		PASSWORD VARCHAR(20) NOT NULL,
+		PASSWORD VARCHAR(40) NOT NULL,
 		ADMINISTRATOR BOOLEAN NOT NULL,
 		URL VARCHAR(200),
 		REGISTERED_DATE TIMESTAMP NOT NULL,
@@ -10,8 +10,8 @@ CREATE TABLE ACCOUNT(
 );
 
 CREATE TABLE REPOSITORY(
-		REPOSITORY_NAME VARCHAR(100) NOT NULL,
 		USER_NAME VARCHAR(100) NOT NULL,
+		REPOSITORY_NAME VARCHAR(100) NOT NULL,
 		PRIVATE BOOLEAN NOT NULL,
 		DESCRIPTION TEXT,
 		DEFAULT_BRANCH VARCHAR(100),
@@ -21,8 +21,8 @@ CREATE TABLE REPOSITORY(
 );
 
 CREATE TABLE COLLABORATOR(
-		REPOSITORY_NAME VARCHAR(100) NOT NULL,
 		USER_NAME VARCHAR(100) NOT NULL,
+		REPOSITORY_NAME VARCHAR(100) NOT NULL,
 		COLLABORATOR_NAME VARCHAR(100) NOT NULL
 );
 
@@ -85,11 +85,11 @@ CREATE TABLE MILESTONE(
 ALTER TABLE ACCOUNT ADD CONSTRAINT IDX_ACCOUNT_PK PRIMARY KEY (USER_NAME);
 ALTER TABLE ACCOUNT ADD CONSTRAINT IDX_ACCOUNT_1 UNIQUE (MAIL_ADDRESS);
 
-ALTER TABLE REPOSITORY ADD CONSTRAINT IDX_REPOSITORY_PK PRIMARY KEY (REPOSITORY_NAME, USER_NAME);
+ALTER TABLE REPOSITORY ADD CONSTRAINT IDX_REPOSITORY_PK PRIMARY KEY (USER_NAME, REPOSITORY_NAME);
 ALTER TABLE REPOSITORY ADD CONSTRAINT IDX_REPOSITORY_FK0 FOREIGN KEY (USER_NAME) REFERENCES ACCOUNT (USER_NAME);
 
-ALTER TABLE COLLABORATOR ADD CONSTRAINT IDX_COLLABORATOR_PK PRIMARY KEY (REPOSITORY_NAME, USER_NAME);
-ALTER TABLE COLLABORATOR ADD CONSTRAINT IDX_COLLABORATOR_FK0 FOREIGN KEY (REPOSITORY_NAME, USER_NAME) REFERENCES REPOSITORY (REPOSITORY_NAME, USER_NAME);
+ALTER TABLE COLLABORATOR ADD CONSTRAINT IDX_COLLABORATOR_PK PRIMARY KEY (USER_NAME, REPOSITORY_NAME);
+ALTER TABLE COLLABORATOR ADD CONSTRAINT IDX_COLLABORATOR_FK0 FOREIGN KEY (USER_NAME, REPOSITORY_NAME) REFERENCES REPOSITORY (USER_NAME, REPOSITORY_NAME);
 ALTER TABLE COLLABORATOR ADD CONSTRAINT IDX_COLLABORATOR_FK1 FOREIGN KEY (COLLABORATOR_NAME) REFERENCES ACCOUNT (USER_NAME);
 
 ALTER TABLE ISSUE ADD CONSTRAINT IDX_ISSUE_PK PRIMARY KEY (ISSUE_ID, USER_NAME, REPOSITORY_NAME);
@@ -125,7 +125,7 @@ INSERT INTO ACCOUNT (
 ) VALUES (
   'root',
   'root@localhost',
-  'root',
+  'dc76e9f0c0006e8f919e0c515c66dbba3982f785',
   true,
   'https://github.com/takezoe/gitbucket',
   SYSDATE,

src/main/scala/app/AccountController.scala

@@ -2,6 +2,7 @@ package app
 
 import service._
 import util.OwnerOnlyAuthenticator
+import util.StringUtil._
 import jp.sf.amateras.scalatra.forms._
 
 class AccountController extends AccountControllerBase
@@ -46,7 +47,7 @@ trait AccountControllerBase extends ControllerBase {
     val userName = params("userName")
     getAccountByUserName(userName).map { account =>
       updateAccount(account.copy(
-        password    = form.password.getOrElse(account.password),
+        password    = form.password.map(encrypt).getOrElse(account.password),
         mailAddress = form.mailAddress,
         url         = form.url))
       redirect("/%s".format(userName))
@@ -61,7 +62,7 @@ trait AccountControllerBase extends ControllerBase {
 
   post("/register", newForm){ newForm =>
     if(loadSystemSettings().allowAccountRegistration){
-      createAccount(newForm.userName, newForm.password, newForm.mailAddress, false, newForm.url)
+      createAccount(newForm.userName, encrypt(newForm.password), newForm.mailAddress, false, newForm.url)
       redirect("/signin")
     } else NotFound
   }

src/main/scala/app/SignInController.scala

@@ -1,6 +1,7 @@
 package app
 
 import service._
+import util.StringUtil._
 import jp.sf.amateras.scalatra.forms._
 
 class SignInController extends SignInControllerBase with SystemSettingsService with AccountService
@@ -16,7 +17,7 @@ trait SignInControllerBase extends ControllerBase { self: SystemSettingsService
   
   get("/signin"){
     val queryString = request.getQueryString
-    if(queryString.startsWith("/")){
+    if(queryString != null && queryString.startsWith("/")){
       session.setAttribute("REDIRECT", queryString)
     }
     html.signin(loadSystemSettings())
@@ -24,7 +25,7 @@ trait SignInControllerBase extends ControllerBase { self: SystemSettingsService
 
   post("/signin", form){ form =>
     val account = getAccountByUserName(form.userName)
-    if(account.isEmpty || account.get.password != form.password){
+    if(account.isEmpty || account.get.password != encrypt(form.password)){
       redirect("/signin")
     } else {
       session.setAttribute("LOGIN_ACCOUNT", account.get)

src/main/scala/app/UserManagementController.scala

@@ -1,31 +1,32 @@
 package app
 
-import model._
 import service._
 import util.AdminOnlyAuthenticator
+import util.StringUtil._
 import jp.sf.amateras.scalatra.forms._
 
 class UserManagementController extends UserManagementControllerBase with AccountService with AdminOnlyAuthenticator
 
 trait UserManagementControllerBase extends ControllerBase { self: AccountService with AdminOnlyAuthenticator =>
   
-  case class UserForm(userName: String, password: String, mailAddress: String, isAdmin: Boolean, url: Option[String])
-  
+  case class UserNewForm(userName: String, password: String, mailAddress: String, isAdmin: Boolean, url: Option[String])
+  case class UserEditForm(userName: String, password: Option[String], mailAddress: String, isAdmin: Boolean, url: Option[String])
+
   val newForm = mapping(
     "userName"    -> trim(label("Username"     , text(required, maxlength(100), identifier, unique))),
-    "password"    -> trim(label("Password"     , text(required, maxlength(100)))),
+    "password"    -> trim(label("Password"     , text(required, maxlength(20)))),
     "mailAddress" -> trim(label("Mail Address" , text(required, maxlength(100)))),
     "isAdmin"     -> trim(label("User Type"    , boolean())),
     "url"         -> trim(label("URL"          , optional(text(maxlength(200)))))
-  )(UserForm.apply)
+  )(UserNewForm.apply)
 
   val editForm = mapping(
     "userName"    -> trim(label("Username"     , text(required, maxlength(100), identifier))),
-    "password"    -> trim(label("Password"     , text(required, maxlength(100)))),
+    "password"    -> trim(label("Password"     , optional(text(maxlength(20))))),
     "mailAddress" -> trim(label("Mail Address" , text(required, maxlength(100)))),
     "isAdmin"     -> trim(label("User Type"    , boolean())),
     "url"         -> trim(label("URL"          , optional(text(maxlength(200)))))
-  )(UserForm.apply)
+  )(UserEditForm.apply)
   
   get("/admin/users")(adminOnly {
     admin.html.userlist(getAllUsers())
@@ -36,7 +37,7 @@ trait UserManagementControllerBase extends ControllerBase { self: AccountService
   })
   
   post("/admin/users/_new", newForm)(adminOnly { form =>
-    createAccount(form.userName, form.password, form.mailAddress, form.isAdmin, form.url)
+    createAccount(form.userName, encrypt(form.password), form.mailAddress, form.isAdmin, form.url)
     redirect("/admin/users")
   })
   
@@ -47,13 +48,15 @@ trait UserManagementControllerBase extends ControllerBase { self: AccountService
   
   post("/admin/users/:name/_edit", editForm)(adminOnly { form =>
     val userName = params("userName")
-    updateAccount(getAccountByUserName(userName).get.copy(
-        password     = form.password,
+    getAccountByUserName(userName).map { account =>
+      updateAccount(getAccountByUserName(userName).get.copy(
+        password     = form.password.map(encrypt).getOrElse(account.password),
         mailAddress  = form.mailAddress,
         isAdmin      = form.isAdmin,
         url          = form.url))
-    
-    redirect("/admin/users")
+
+      redirect("/admin/users")
+    } getOrElse NotFound
   })
 
   private def unique: Constraint = new Constraint(){

src/main/scala/util/StringUtil.scala

@@ -0,0 +1,11 @@
+package util
+
+object StringUtil {
+
+  def encrypt(value: String): String = {
+    val md = java.security.MessageDigest.getInstance("SHA-1")
+    md.update(value.getBytes)
+    md.digest.map(b => "%02x".format(b)).mkString
+  }
+
+}