1 | #!/usr/bin/perl |
---|
2 | |
---|
3 | use strict; |
---|
4 | use warnings; |
---|
5 | use LATMOS::Accounts; |
---|
6 | use Getopt::Long; |
---|
7 | use Pod::Usage; |
---|
8 | use Term::ReadKey; |
---|
9 | use Crypt::RSA; |
---|
10 | |
---|
11 | =head1 NAME |
---|
12 | |
---|
13 | la-crypt-passwd - Tool to manage the RSA-encrypted passwords stored in the LATMOS Accounts system |
---|
14 | |
---|
15 | =head1 SYNOPSIS |
---|
16 | |
---|
17 | la-crypt-passwd [options] [--genkey|--regen] [--set BASE] |
---|
 | With none of --genkey, --regen or --set, the stored passwords are decrypted and printed in clear on standard output. |
---|
18 | |
---|
19 | =cut |
---|
20 | |
---|
# Command-line parsing. Every option lands in a file-scoped lexical that the
# dispatch code further down reads; --help prints the POD and exits 0, and a
# parse error prints the usage and exits non-zero (pod2usage default).
my ($config, $genkey, $regen, $set, $base);
GetOptions(
    'c|config=s' => \$config,
    'help'       => sub { pod2usage(0) },
    'genkey'     => \$genkey,
    'regen'      => \$regen,
    'set=s'      => \$set,
    'base=s'     => \$base,
) or pod2usage();
---|
29 | |
---|
30 | =head1 OPTIONS |
---|
31 | |
---|
32 | =over 4 |
---|
33 | |
---|
34 | =item -c|--config configdir |
---|
35 | |
---|
36 | Use this configuration directory instead of the default one. |
---|
37 | |
---|
38 | =item --genkey |
---|
39 | |
---|
40 | Generate an RSA key pair, protected by a passphrase prompted for on the terminal, and store it in the database. |
---|
41 | |
---|
42 | If one is already present the script refuses; use --regen to force generation of a new one. |
---|
43 | |
---|
44 | =item --regen |
---|
45 | |
---|
46 | Like --genkey, but the new key replaces the current one if one is already present. |
---|
47 | The stored passwords are first decrypted with the current key (its passphrase is prompted for) and then encrypted again using the new key. |
---|
48 | |
---|
49 | =item --base base |
---|
50 | |
---|
51 | Work on this specific base instead of the default one. |
---|
52 | |
---|
53 | =item --set BASE |
---|
54 | |
---|
55 | Read the stored passwords from the database, decrypt them, and set each one on the matching user in the BASE given as |
---|
56 | argument; users that do not exist in BASE are skipped with a warning. |
---|
57 | |
---|
58 | =back |
---|
59 | |
---|
60 | =cut |
---|
61 | |
---|
# Open the account system. noacl => 1 presumably turns off the ACL checks (by
# its name; the effect lives in LATMOS::Accounts, not here). Since this tool
# reads and rewrites every user's password, it must only be run by a trusted
# administrator with access to the key material.
my $LA = LATMOS::Accounts->new($config, noacl => 1);

# Select the base to operate on: --base when given, the configured default
# otherwise. Both an unknown base and a failed load() are fatal.
my $labase;
if ($base) {
    $labase = $LA->base($base);
} else {
    $labase = $LA->default_base;
}
unless ($labase && $labase->load) {
    die "Cannot load base";
}
# Flag set on the base before any read/write below; its meaning is defined
# by LATMOS::Accounts (not visible here).
$labase->wexported(1);

# Cache shared with get_clear_password(): hashref of decrypted passwords,
# keyed by user name.
my $clear;
---|
68 | |
---|
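# Decrypt every RSA-encrypted password stored in $labase and return them as
# a hashref { user_name => clear_text_password }.
#
# The passphrase protecting the private key is prompted for on the terminal
# with echo turned off. The result is cached in the file-scoped $clear so the
# passphrase is asked at most once per run (the original never assigned the
# cache, so it was dead code).
#
# Returns: hashref, empty when nothing is stored. Entries that fail to
# decrypt are reported with warn() and LEFT OUT of the result; a caller that
# is about to discard the current key (--regen) must compare the result
# against get_rsa_password() before doing so, or those passwords are lost.
# Dies when no passphrase can be read or the private key cannot be obtained.
sub get_clear_password {
    return $clear if $clear;

    my %encpasswd = $labase->get_rsa_password;
    # Nothing stored: do not bother the operator with a passphrase prompt.
    unless (%encpasswd) {
        $clear = {};
        return $clear;
    }

    ReadMode('noecho');
    print "Enter password for current passphrase: ";
    my $password = ReadLine(0);
    ReadMode 0;
    print "\n";
    # ReadLine returns undef on EOF (stdin closed); private_key() would
    # otherwise be handed an undefined passphrase. If the process is killed
    # while echo is off the terminal stays that way ("stty sane" fixes it).
    defined $password or die "No passphrase read\n";
    # NOTE: the passphrase is passed exactly as read, trailing newline
    # included, which is also what generate_rsa_key() receives in the
    # --regen path. Whether LATMOS::Accounts strips it is not visible here;
    # do not chomp on one side only or existing keys stop opening.
    my $private_key = $labase->private_key($password)
        or die "Cannot get private key\n";

    # ES => 'PKCS1v15' must match the padding used when the passwords were
    # encrypted (outside this script). PKCS#1 v1.5 encryption padding is
    # considered weak (padding-oracle attacks); moving to OAEP is a
    # coordinated change of both sides, not something to flip here.
    my $rsa = Crypt::RSA->new(ES => 'PKCS1v15');

    my %clear_passwd;
    foreach my $user (sort keys %encpasswd) {
        my $clearp = $rsa->decrypt(
            Cyphertext => $encpasswd{$user},
            Key        => $private_key,
            Armour     => 1,
        );
        if (defined $clearp) {
            $clear_passwd{$user} = $clearp;
        } else {
            # errstr() may itself be undef; do not emit a bare "user :".
            my $err = $rsa->errstr();
            $err = 'unknown error' unless defined $err;
            warn "$user :" . $err;
        }
    }
    $clear = \%clear_passwd;
    return $clear;
}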
---|
96 | |
---|
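# Prompt for a secret on the terminal with echo turned off. Returns the line
# exactly as read (trailing newline included, which is what the rest of this
# script hands to the key functions); dies on EOF so an undefined passphrase
# never reaches generate_rsa_key().
sub _prompt_secret {
    my ($prompt) = @_;
    ReadMode('noecho');
    print $prompt;
    my $line = ReadLine(0);
    ReadMode 0;
    print "\n";
    defined $line or die "No passphrase read\n";
    return $line;
}

if ($set) {
    # --set BASE: decrypt the stored passwords and push each one onto the
    # matching user of another base.
    if (!$labase->get_global_value('rsa_private_key')) {
        warn "No rsa key found in database\n";
    }
    my $destbase = $LA->base($set) or die "Cannot get base $set\n";
    my $clearpasswd = get_clear_password();
    foreach my $user (sort keys %$clearpasswd) {
        my $obj = $destbase->get_object('user', $user) or do {
            warn "Cannot find user $user in destination base, need sync ?\n";
            next;
        };
        $obj->set_password($clearpasswd->{$user}) and
            print "Password set for $user\n";
    }
    $destbase->commit;
} elsif ($regen || $genkey) {
    # --genkey / --regen: create a new key pair and re-encrypt everything
    # under it. Without --regen an existing key is never overwritten.
    if ($labase->get_global_value('rsa_private_key') && !$regen) {
        die <<EOF;
A rsa key were found in database please use --regen to force a new key
generation. Notice thiss will force decrypt current stored password to encypted
it again
EOF
    }

    # Decrypt under the current key before anything is replaced. Entries
    # that failed to decrypt are dropped by get_clear_password(); replacing
    # the key now would make those passwords unrecoverable, so refuse.
    my %stored = $labase->get_rsa_password;
    my $clearpasswd = get_clear_password();
    my $missing = scalar(keys %stored) - scalar(keys %$clearpasswd);
    if ($missing > 0) {
        die "$missing stored password(s) could not be decrypted with the "
          . "current key, refusing to replace it\n";
    }

    # A mistyped passphrase here would yield a key nobody can ever open, so
    # ask twice and compare before generating anything.
    my $password = _prompt_secret("Enter password for new passphrase: ");
    my $confirm  = _prompt_secret("Confirm password for new passphrase: ");
    $password eq $confirm or die "Passphrases do not match\n";

    my ($public, $private) = $labase->generate_rsa_key($password);
    $labase->store_rsa_key($public, $private);
    # store_rsa_key() and the set_password() calls below are only made
    # durable by commit() at the end (assumed transactional; not visible
    # here). A user that vanished from the base is reported and skipped
    # rather than aborting mid-rewrite on an undefined object; its stored
    # entry then stays under the old key.
    foreach my $user (sort keys %$clearpasswd) {
        my $obj = $labase->get_object('user', $user) or do {
            warn "Cannot find user $user in base, password not re-encrypted\n";
            next;
        };
        $obj->set_password($clearpasswd->{$user});
    }
    $labase->commit;
} else {
    # No action option: dump every stored password IN CLEAR on stdout. This
    # is the default behaviour of the script, so do not run it in a logged
    # session or with stdout redirected somewhere persistent.
    if ($labase->get_global_value('rsa_private_key')) {
        my $clearpasswd = get_clear_password();
        foreach my $user (sort keys %$clearpasswd) {
            printf("%s: %s\n", $user, $clearpasswd->{$user});
        }
    } else {
        warn "No rsa key found in database\n";
    }
}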
---|