From 87a5759ca427c5e80ddc58d5d53fdb9eb8ecb91e Mon Sep 17 00:00:00 2001
From: Laurent Peuch
Date: Thu, 21 Sep 2017 06:56:11 +0200
Subject: [PATCH] [enh] automatically migrate tsig done using md5 to sha512 when doing a dyndns update
---
 src/yunohost/dyndns.py | 46 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 44 insertions(+), 2 deletions(-)
diff --git a/src/yunohost/dyndns.py b/src/yunohost/dyndns.py
index c3e216071..be37072f9 100644
--- a/src/yunohost/dyndns.py
+++ b/src/yunohost/dyndns.py
@@ -182,9 +182,11 @@ def dyndns_update(dyn_host="dyndns.yunohost.org", domain=None, key=None,
 if domain is None: # Retrieve the first registered domain
 for path in glob.iglob('/etc/yunohost/dyndns/K*.private'):
- match = RE_DYNDNS_PRIVATE_KEY_MD5.match(path)
+ match = RE_DYNDNS_PRIVATE_KEY_SHA512.match(path)
 if not match:
- continue
+ match = RE_DYNDNS_PRIVATE_KEY_MD5.match(path)
+ if not match:
+ continue
 _domain = match.group('domain')
 try:
@@ -213,6 +215,11 @@ def dyndns_update(dyn_host="dyndns.yunohost.org", domain=None, key=None,
 key = keys[0]
+ # this mean that hmac-md5 is used
+ if "+157" in key:
+ print "detecting md5 key"
+ key = _migrate_from_md5_tsig_to_sha512_tsig(key, domain, dyn_host)
+
 host = domain.split('.')[1:]
 host = '.'.join(host)
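Review bot: The nested fallback inside the `for path in glob.iglob(...)` loop can be flattened, and it should say why MD5-named keys are still accepted. `match = RE_DYNDNS_PRIVATE_KEY_SHA512.match(path) or RE_DYNDNS_PRIVATE_KEY_MD5.match(path)` followed by the original `if not match: continue` does the same thing, with a comment such as `# legacy hmac-md5 keys are still accepted so they can be migrated further down`. If the loop stops at the first usable match (its body continues outside the hunk), a leftover MD5 key may be picked even when a SHA512 key exists for the same domain, since the glob order is arbitrary.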
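Review bot: The substring test `if "+157" in key:` can misfire on a SHA512 key, because dnssec-keygen names files `K<name>.+<alg>+<id>` and a key id such as 15723 (constructed example) makes `...+165+15723.private` contain `+157`. That would send an already migrated key through `_migrate_from_md5_tsig_to_sha512_tsig` on every update. Match the algorithm field exactly, e.g. `if ".+157+" in key:`; the `*+165*` and `*+157*` globs in the new helper (next hunk) have the same ambiguity and can pick up or move the wrong key file. The `print "detecting md5 key"` line looks like leftover debugging and would be better as a logger call. `dyndns_update` starts and ends outside this hunk.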
@@ -269,6 +276,41 @@ def dyndns_update(dyn_host="dyndns.yunohost.org", domain=None, key=None,
 f.write(ipv6)
+def _migrate_from_md5_tsig_to_sha512_tsig(private_key_path, domain, dyn_host):
+ public_key_path = private_key_path.rsplit(".private", 1)[0] + ".key"
+ public_key_md5 = open(public_key_path).read().strip().split(' ')[-1]
+
+ os.system('cd /etc/yunohost/dyndns && '
+ 'dnssec-keygen -a hmac-sha512 -b 512 -r /dev/urandom -n USER %s' % domain)
+ os.system('chmod 600 /etc/yunohost/dyndns/*.key /etc/yunohost/dyndns/*.private')
+
+ # +165 means that this file store a hmac-sha512 key
+ new_key_path = glob.glob('/etc/yunohost/dyndns/*+165*.key')[0]
+ public_key_sha512 = open(new_key_path).read().strip().split(' ', 6)[-1]
+
+ try:
+ r = requests.put('https://%s/migrate_key_to_sha512/' % (dyn_host),
+ data={
+ 'public_key_md5': base64.b64encode(public_key_md5),
+ 'public_key_sha512': base64.b64encode(public_key_sha512),
+ })
+ except requests.ConnectionError:
+ raise MoulinetteError(errno.ENETUNREACH, m18n.n('no_internet_connection'))
+
+ if r.status_code != 201:
+ print r.text
+ error = json.loads(r.text)['error']
+ print "ERROR:", error
+ # raise MoulinetteError(errno.EPERM,
+ # m18n.n('dyndns_registration_failed', error=error))
+ # XXX print warning
+ os.system("mv /etc/yunohost/dyndns/*+165* /tmp")
+ return public_key_path
+
+ os.system("mv /etc/yunohost/dyndns/*+157* /tmp")
+ return new_key_path.rsplit(".key", 1)[0] + ".private"
+
+
 def dyndns_installcron():
 """ Install IP update cron
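Review bot: The key generation in `_migrate_from_md5_tsig_to_sha512_tsig` builds a shell command from `domain` with `os.system(... % domain)`, ignores its exit status, and then takes `glob.glob('/etc/yunohost/dyndns/*+165*.key')[0]` as the new key, which is an arbitrary `+165` file rather than the one just generated (and an IndexError if keygen failed). Whether `domain` is validated before it gets here is not visible in the diff, so passing it as a single argv element and reading the key base name that dnssec-keygen prints on stdout removes both the quoting question and the guess; the sketch below assumes `subprocess` is available in this module. Separately, both `mv ... /tmp` calls leave TSIG secrets in a shared directory indefinitely; deleting them or moving them to a root-only backup directory would be safer. The failure branch also calls `json.loads(r.text)['error']` on a response that may not be JSON, and `requests.put` is called without a `timeout`.

```python
def _migrate_from_md5_tsig_to_sha512_tsig(private_key_path, domain, dyn_host):
    # … unchanged: read public_key_md5 from the existing .key file …

    # No shell involved: domain is one argv element, and a failed keygen
    # raises CalledProcessError instead of being silently ignored.
    key_base = subprocess.check_output(
        ['dnssec-keygen', '-a', 'hmac-sha512', '-b', '512',
         '-r', '/dev/urandom', '-n', 'USER', domain],
        cwd='/etc/yunohost/dyndns').strip()

    # dnssec-keygen prints the base name of the pair it just wrote, so the
    # new files are addressed directly instead of globbing for "+165".
    new_key_path = os.path.join('/etc/yunohost/dyndns', key_base + '.key')
    new_private_path = os.path.join('/etc/yunohost/dyndns', key_base + '.private')
    os.chmod(new_key_path, 0o600)
    os.chmod(new_private_path, 0o600)

    # … unchanged: read public_key_sha512, PUT to the migration endpoint …
```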