Platform security

Password hashing
All passwords are now stored in the platform as salted SHA1 hashes. The scheme is as follows:

hash = SHA1(login + password + salt)

where salt is defined as PASSWORD_SALT constant in src/common/defines.h.

Unhashed passwords exist in the platform only in these methods:

QByteArray DbObjectsCollection::processAddUserQuery(const QByteArray &data)

QByteArray DbObjectsCollection::processRegisterUserQuery(const QByteArray &data)

until the QueryExecutor->insertNewUser or QueryExecutor->insertNewTmpUser method is called. By the time these methods execute, the passwords have already been replaced by hashes, and they reach the DB in that form.

The following method of DbObjectsCollection is used for hash generation:

const QString DbObjectsCollection::getPasswordHash(const QSharedPointer & user) const

Password quality check
A password quality check was added to the AddUser and RegisterUser queries. It can be turned on or off (default: off) by setting a parameter in /opt/geo2tag/geo2tag.conf:

[Security_Settings]
password_quality_check=true

If the check is off, no password check is performed (all passwords are considered strong).

If the check is on, the password of each new user is checked during execution of the AddUser and RegisterUser queries. The function bool DbObjectsCollection::checkPasswordQuality(const QString& password) performs the check. It tests the password against the following criteria:
 * Length - the password length must be greater than or equal to MINIMAL_PASSWORD_LENGTH (defined in src/common/defines.h)
 * Character groups - the password must contain at least one character from each of these groups:

[-=+_*&^%$#@a-z] [A-Z] [0-9]

If at least one criterion is not met, the password is considered weak and WEAK_PASSWORD_ERROR is returned.
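
The two criteria above, written out as an added example (not the platform's own checkPasswordQuality code). It uses std::string instead of QString so it builds without Qt; the function name, the enum and the minimum length of 8 are assumptions, since the page does not give the value of MINIMAL_PASSWORD_LENGTH.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Assumed value: the page only says MINIMAL_PASSWORD_LENGTH lives in
// src/common/defines.h and does not state the number.
constexpr std::size_t kAssumedMinimalPasswordLength = 8;

// Hypothetical verdicts for this example. The platform reports a single
// WEAK_PASSWORD_ERROR for either failure.
enum class PasswordVerdict { Ok, TooShort, MissingGroup };

// First group from the page: [-=+_*&^%$#@a-z]. Inside a character class the
// leading '-' and the non-leading '^' are literals, so the group is eleven
// punctuation characters plus the lowercase ASCII letters.
static bool inSymbolOrLowerGroup(char c) {
    static const std::string symbols = "-=+_*&^%$#@";
    return (c >= 'a' && c <= 'z') || symbols.find(c) != std::string::npos;
}

PasswordVerdict examplePasswordQuality(const std::string &password,
        std::size_t minLength = kAssumedMinimalPasswordLength) {
    if (password.size() < minLength)
        return PasswordVerdict::TooShort;
    bool hasSymbolOrLower = false, hasUpper = false, hasDigit = false;
    for (char c : password) {
        if (inSymbolOrLowerGroup(c)) hasSymbolOrLower = true;
        else if (c >= 'A' && c <= 'Z') hasUpper = true;
        else if (c >= '0' && c <= '9') hasDigit = true;
        // Anything else (space, '!', non-ASCII bytes) counts toward the
        // length only and satisfies none of the three groups.
    }
    return (hasSymbolOrLower && hasUpper && hasDigit)
        ? PasswordVerdict::Ok : PasswordVerdict::MissingGroup;
}

int main() {
    // Constructed sample passwords. "ABCDEF-1" is accepted because '-' is in
    // the same group as a-z, so that group does not force a lowercase letter.
    const char *samples[] = {"Abcdef12", "ABCDEF-1", "abcdefg1", "ABCDEF!1", "Ab1"};
    for (const char *p : samples)
        std::cout << p << " -> "
                  << static_cast<int>(examplePasswordQuality(p)) << "\n";
}
```

Because the punctuation characters share a group with a-z, these criteria never require a punctuation character, and a password made of uppercase letters, digits and one listed symbol is accepted.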