[fix] auto upgrade admin password to sha-512 on login

2024-09-03 20:06:31 +02:00 · 2017-08-15 12:40:43 +02:00 · 2017-08-15 12:40:43 +02:00 · 2d4018c82c
commit 2d4018c82c
parent 7ef42eb3aa
1 changed files with 21 additions and 0 deletions
--- a/moulinette/authenticators/ldap.py
+++ b/moulinette/authenticators/ldap.py
@ -4,6 +4,9 @@
 from __future__ import absolute_import
 import errno
 import logging
+import random
+import string
+import crypt
 import ldap
 import ldap.modlist as modlist

@ -82,6 +85,24 @@ class Authenticator(BaseAuthenticator):
            raise MoulinetteError(169, m18n.g('ldap_server_down'))
        else:
            self.con = con
+            self._ensure_password_uses_strong_hash(password)
+
+    def _ensure_password_uses_strong_hash(self, password):
+        # XXX this has been copy pasted from YunoHost, should we put that into moulinette?
+        def _hash_user_password(password):
+            char_set = string.ascii_uppercase + string.ascii_lowercase + string.digits + "./"
+            salt = ''.join([random.SystemRandom().choice(char_set) for x in range(16)])
+            salt = '$6$' + salt + '$'
+            return '{CRYPT}' + crypt.crypt(str(password), salt)
+
+        hashed_password = self.search("cn=admin,dc=yunohost,dc=org",
+                                      attrs=["userPassword"])[0]["userPassword"][0]
+
+        # we aren't using sha-512 but something else that is weaker, proceed to upgrade
+        if not hashed_password.startswith("{CRYPT}$6$"):
+            self.update("cn=admin", {
+                "userPassword": _hash_user_password(password),
+            })

    # Additional LDAP methods
    # TODO: Review these methods