From 2d4018c82c4304c6522f68469530aee69aed4a97 Mon Sep 17 00:00:00 2001
From: Laurent Peuch <cortex@worlddomination.be>
Date: Tue, 15 Aug 2017 12:40:43 +0200
Subject: [PATCH] [fix] auto upgrade admin password to sha-512 on login

---
 moulinette/authenticators/ldap.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/moulinette/authenticators/ldap.py b/moulinette/authenticators/ldap.py
index dc843b49..0a15c55b 100644
--- a/moulinette/authenticators/ldap.py
+++ b/moulinette/authenticators/ldap.py
@@ -4,6 +4,9 @@
 from __future__ import absolute_import
 import errno
 import logging
+import random
+import string
+import crypt
 import ldap
 import ldap.modlist as modlist
 
@@ -82,6 +85,24 @@ class Authenticator(BaseAuthenticator):
             raise MoulinetteError(169, m18n.g('ldap_server_down'))
         else:
             self.con = con
+            self._ensure_password_uses_strong_hash(password)
+
+    def _ensure_password_uses_strong_hash(self, password):
+        # XXX this has been copy pasted from YunoHost, should we put that into moulinette?
+        def _hash_user_password(password):
+            char_set = string.ascii_uppercase + string.ascii_lowercase + string.digits + "./"
+            salt = ''.join([random.SystemRandom().choice(char_set) for x in range(16)])
+            salt = '$6$' + salt + '$'
+            return '{CRYPT}' + crypt.crypt(str(password), salt)
+
+        hashed_password = self.search("cn=admin,dc=yunohost,dc=org",
+                                      attrs=["userPassword"])[0]["userPassword"][0]
+
+        # we aren't using sha-512 but something else that is weaker, proceed to upgrade
+        if not hashed_password.startswith("{CRYPT}$6$"):
+            self.update("cn=admin", {
+                "userPassword": _hash_user_password(password),
+            })
 
     # Additional LDAP methods
     # TODO: Review these methods