Changeset 1314 for trunk

Timestamp:

04/03/15 18:36:34 (9 years ago)

Author:

nanardon

Message:

Improve la-sql-crypt-passwd:

• don't set the password, only the RSA encrypted one
• ask password two time before setting new key
• add --delkey option to reset the features (but loosing password)

Location:

trunk/LATMOS-Accounts

Files:

• bin/la-sql-crypt-passwd (modified) (6 diffs)
• lib/LATMOS/Accounts/Bases/Sql/objects.pm (modified) (2 diffs)

trunk/LATMOS-Accounts/bin/la-sql-crypt-passwd

@@ -24 +24 @@
     'genkey'     => \my $genkey,
     'regen'      => \my $regen,
+    'delkey'     => \my $delkey,
     'set=s'      => \my $set,
     'base=s'     => \my $base,
@@ -47 +48 @@
 Like --genkey but a new key will replace the current one if already present.
 Stored password will be read and encrypted again using the new key.
+
+=item --delkey
+
+Delete the current peer key and all encrypted password stored.
 
 =item --base base
@@ -81 +86 @@
     ReadMode 0;
     print "\n";
+    printf "Trying to get current stored password (%d)\n", scalar(keys %encpasswd);
     my $private_key = $labase->private_key($password) or
         die "Cannot get private key\n";
@@ -94 +100 @@
             $clear_passwd{$_} = $clearp;
         } else {
-            die "Cannot get password for $_, crypt module said :" . $rsa->errstr();
+            die "Cannot get password for $_, crypt module said :" . $rsa->errstr() .
+                "Was the password correct ?\n";
         }
     }
@@ -129 +136 @@
 
     my $clearpasswd = get_clear_password();
-    ReadMode('noecho');
-    print "Enter password for new key: ";
-    my $password = ReadLine(0);
-    ReadMode 0;
-    print "\n";
+
+    my $password;
+    while (1) {
+        ReadMode('noecho');
+        print "Enter password for new key: ";
+        $password = ReadLine(0);
+        print "\n";
+        print "Enter password again for new key: ";
+        my $password2 = ReadLine(0);
+        ReadMode 0;
+        print "\n";
+        if ($password eq $password2) {
+            last;
+        } else {
+            print "Password mismatch, try again:\n";
+        }
+    }
+
+    print "Generating new RSA key...\n";
     my ($public, $private) = $labase->generate_rsa_key($password);
 
@@ -139 +160 @@
     foreach (keys %$clearpasswd) {
         my $obj = $labase->get_object('user', $_);
-        $obj->set_password($clearpasswd->{$_});
+        $obj->setCryptPassword($clearpasswd->{$_});
     }
+    $labase->commit;
+} elsif ($delkey) {
+    if (! $labase->get_global_value('rsa_public_key')) {
+        die "There is no key in this base, not deleting nothing\n";
+    }
+    my %encpasswd = $labase->get_rsa_password;
+    print "Deleting password...\n";
+    foreach my $user (keys %encpasswd) {
+        my $ouser = $labase->get_object('user', $user) or next;
+        $ouser->set_c_fields('encryptedPassword' => undef) or
+            die "Cannot delete encryptedPassword attribute for $user\n";
+    }
+    $labase->set_global_value('rsa_public_key', undef);
+    $labase->set_global_value('rsa_private_key', undef);
     $labase->commit;
 } else {

trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Sql/objects.pm

@@ -522 +522 @@
         my $asymencrypted = 0;
         if ($res) {
-
-            if (my $serialize = $self->base->get_global_value('rsa_public_key')) {
-                my $public = Crypt::RSA::Key::Public->new;
-                $public = $public->deserialize(String => [ $serialize ]);
-                my $rsa = new Crypt::RSA ES => 'PKCS1v15';
-                my $rsa_password = $rsa->encrypt (
-                    Message    => $clear_pass,
-                    Key        => $public,
-                    Armour     => 1,
-                ) || die $rsa->errstr();
-                if (!$self->_set_c_fields('encryptedPassword', $rsa_password)) {
-                    $self->log(LA_ERR,
-                        "Cannot set 'encryptedPassword' attribute for object %s/%s",
-                        $self->type, $self->id,
-                    );
-                    return;
-                }
-                $asymencrypted = 1;
+            if ($self->base->get_global_value('rsa_public_key')) {
+                $self->setCryptPassword($clear_pass) or return;
             }
-            $self->base->log(LA_NOTICE,
-                'Mot de passe changé pour %s',
-                $self->id
-            );
-            $self->ReportChange('Password', 'Password stored using internal key');
-            return 1;
-        }
+        }
+
+        $self->base->log(LA_NOTICE,
+            'Mot de passe changé pour %s',
+            $self->id
+        );
+        return $res;
     } else {
         $self->log(LA_WARN,
@@ -553 +537 @@
     }
 }
+
+=head2 setCryptPassword($clear_pass)
+
+Store password encrypted using RSA encryption.
+
+=cut
+
+sub setCryptPassword {
+    my ($self, $clear_pass) = @_;
+    if (my $serialize = $self->base->get_global_value('rsa_public_key')) {
+        my $public = Crypt::RSA::Key::Public->new;
+        $public = $public->deserialize(String => [ $serialize ]);
+        my $rsa = new Crypt::RSA ES => 'PKCS1v15';
+        my $rsa_password = $rsa->encrypt (
+            Message    => $clear_pass,
+            Key        => $public,
+            Armour     => 1,
+        ) || die $rsa->errstr();
+        if (!$self->_set_c_fields('encryptedPassword', $rsa_password)) {
+            $self->log(LA_ERR,
+                "Cannot set 'encryptedPassword' attribute for object %s/%s",
+                $self->type, $self->id,
+            );
+            return;
+        }
+    }
+    $self->ReportChange('Password', 'Password stored using internal key');
+    return 1;
+}
+
 
 sub search {