source: LATMOS-Accounts/bin/la-crypt-passwd @ 664

#!/usr/bin/perl

use strict;
use warnings;
use LATMOS::Accounts::Maintenance;
use Getopt::Long;
use Pod::Usage;
use Term::ReadKey;
use Crypt::RSA;

=head1 NAME

    la-crypt-passwd - Tools to managed rsa crypted password in LATMOS Account system

=head1 SYNOPSIS

    la-crypt-passwd [options] [--genkey|--regen] [--set BASE]

=cut

GetOptions(
    'c|config=s' => \my $config,
    'help'       => sub { pod2usage(0) },
    'genkey'     => \my $genkey,
    'regen'      => \my $regen,
    'set=s'      => \my $set,
) or pod2usage();

=head1 OPTIONS

=over 4

=item -c|--config configfile

Use this configuration file instead of the default one.

=item --genkey

Generate a RSA key and store it into database

If one is already present, use regen to force generation of a new one

=item --regen

Like --genkey but a new key will replace the current one if already present.
Stored password will be read and encrypted again using the new key.

=item --set BASE

Read password from database, decrypt it and then set it in BASE given as
argument.

=back

=cut

my $LA = LATMOS::Accounts::Maintenance->new($config);
$LA->wexported(1);

my $clear;

sub get_clear_password {
    $clear and return $clear;
    my %encpasswd = $LA->get_rsa_password;
    scalar(keys %encpasswd) or return {};
    ReadMode('noecho');
    print "Enter password for current passphrase: ";
    my $password = ReadLine(0);
    ReadMode 0;
    print "\n";
    my $private_key = $LA->private_key($password) or
        die "Cannot get private key\n";
    my $rsa = new Crypt::RSA ES => 'PKCS1v15';
    my %clear_passwd;
    foreach (keys %encpasswd) {
        my $clearp = $rsa->decrypt (
                Cyphertext => $encpasswd{$_},
                Key        => $private_key,
                Armour     => 1,
        );
        if (defined $clearp) {
            $clear_passwd{$_} = $clearp;
        } else {
            warn "$_ :" . $rsa->errstr();
        }
    }
    return \%clear_passwd;
}

if ($set) {
    if (!$LA->_base->get_global_value('rsa_private_key')) {
        warn "No rsa key found in database\n";
    }
    my $destbase = $LA->base($set) or die "Cannot get base $set\n";
    my $clearpasswd = get_clear_password();
    foreach (keys %$clearpasswd) {
        my $obj = $destbase->get_object('user', $_) or do {
            warn "Cannot find user $_ in destination base, need sync ?\n";
            next;
        };
        $obj->set_password($clearpasswd->{$_}) and
            print "Password set for $_\n";
    }
    $destbase->commit;
} elsif ($regen || $genkey) {
    if ($LA->_base->get_global_value('rsa_private_key') && !$regen) {
        die <<EOF;
A rsa key were found in database please use --regen to force a new key
generation. Notice thiss will force decrypt current stored password to encypted
it again
EOF
    }

    my $clearpasswd = get_clear_password();
    ReadMode('noecho');
    print "Enter password for new passphrase: ";
    my $password = ReadLine(0);
    ReadMode 0;
    print "\n";
    my ($public, $private) = $LA->generate_rsa_key($password);

    $LA->store_rsa_key($public, $private);
    my $base = $LA->_base;
    $base->wexported(1);
    foreach (keys %$clearpasswd) {
        my $obj = $base->get_object('user', $_);
        $obj->set_password($clearpasswd->{$_});
    }
    $base->commit;
} else {
    if ($LA->_base->get_global_value('rsa_private_key')) {
        my $clearpasswd = get_clear_password();
        foreach (keys %$clearpasswd) {
            printf("%s: %s\n", $_, $clearpasswd->{$_});
        }
    } else {
        warn "No rsa key found in database\n";
    }
}