Configure bcrypt work

docs-core/src/main/java/com/sismics/docs/core/constant/Constants.java

@@ -25,6 +25,11 @@ public class Constants {
      */
     public static final String DEFAULT_ADMIN_EMAIL = "admin@localhost";
 
+    /**
+     * Bcrypt default work factor
+     */
+    public static final int DEFAULT_BCRYPT_WORK = 10;
+
     /**
      * Guest user ID.
      */
@@ -73,6 +78,11 @@ public class Constants {
      */
     public static final String ADMIN_EMAIL_INIT_ENV = "DOCS_ADMIN_EMAIL_INIT";
 
+    /**
+     * Work factor to be used by Bcrypt
+     */
+    public static final String BCRYPT_WORK_ENV = "DOCS_BCRYPT_WORK";
+
     /**
      * Expiration time of the password recovery in hours.
      */

docs-core/src/main/java/com/sismics/docs/core/dao/UserDao.java

@@ -1,8 +1,13 @@
 package com.sismics.docs.core.dao;
 
-import at.favre.lib.crypto.bcrypt.BCrypt;
 import com.google.common.base.Joiner;
+import at.favre.lib.crypto.bcrypt.BCrypt;
+import org.joda.time.DateTime;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import com.sismics.docs.core.constant.AuditLogType;
+import com.sismics.docs.core.constant.Constants;
 import com.sismics.docs.core.dao.criteria.UserCriteria;
 import com.sismics.docs.core.dao.dto.UserDto;
 import com.sismics.docs.core.model.jpa.User;
@@ -12,7 +17,6 @@ import com.sismics.docs.core.util.jpa.QueryParam;
 import com.sismics.docs.core.util.jpa.QueryUtil;
 import com.sismics.docs.core.util.jpa.SortCriteria;
 import com.sismics.util.context.ThreadLocalContext;
-import org.joda.time.DateTime;
 
 import javax.persistence.EntityManager;
 import javax.persistence.NoResultException;
@@ -26,6 +30,11 @@ import java.util.*;
  * @author jtremeaux
  */
 public class UserDao {
+    /**
+     * Logger.
+     */
+    private static final Logger log = LoggerFactory.getLogger(UserDao.class);
+
     /**
      * Authenticates an user.
      * 
@@ -278,7 +287,21 @@ public class UserDao {
      * @return Hashed password
      */
     private String hashPassword(String password) {
-        return BCrypt.withDefaults().hashToString(10, password.toCharArray());
+        int bcryptWork = Constants.DEFAULT_BCRYPT_WORK;
+        String envBcryptWork = System.getenv(Constants.BCRYPT_WORK_ENV);
+        if (envBcryptWork != null) {
+            try {
+                int envBcryptWorkInt = Integer.parseInt(envBcryptWork);
+                if (envBcryptWorkInt >= 4 && envBcryptWorkInt <= 31) {
+                    bcryptWork = envBcryptWorkInt;
+                } else {
+                    log.warn(Constants.BCRYPT_WORK_ENV + " needs to be in range 4...31. Falling back to " + Constants.DEFAULT_BCRYPT_WORK + ".");
+                }
+            } catch (NumberFormatException e) {
+                log.warn(Constants.BCRYPT_WORK_ENV + " needs to be a number in range 4...31. Falling back to " + Constants.DEFAULT_BCRYPT_WORK + ".");
+            }
+        }
+        return BCrypt.withDefaults().hashToString(bcryptWork, password.toCharArray());
     }
     
     /**