Now storing only password hashes in DB.

SimpleSAML's 'authcrypt:Hash' module is used git-svn-id: https://svn.geant.net/GEANT/edugain_testidp_account_manager/trunk@7 047e039d-479c-447e-8a29-aa6bf4a09bab

Now storing only password hashes in DB.
aa574f40 · renater.salaun · 0de7b5e8 · aa574f40 · aa574f40 · aa574f40
Commit aa574f40 authored 10 years ago by renater.salaun
--- a/conf/create-manager-db.sql
+++ b/conf/create-manager-db.sql
@@ -2,7 +2,7 @@

 CREATE TABLE `testaccounts` (
  `id` bigint(20) NOT NULL auto_increment,
-  `user_password` varchar(50) NOT NULL,
+  `user_password_hash` varchar(50) NOT NULL,
  `creation_date` int default NULL,
  `expiration_date` int default NULL,
  `account_profile` varchar(100) NOT NULL,

--- a/lib/IdPAccountManager/Data/Testaccount.pm
+++ b/lib/IdPAccountManager/Data/Testaccount.pm
@@ -8,12 +8,12 @@ __PACKAGE__->meta->setup(
    table   => 'testaccounts',

    columns => [
-        id              => { type => 'bigserial', not_null => 1 },
-        user_password   => { type => 'varchar', length => 50, not_null => 1 },
-        creation_date   => { type => 'integer' },
-        expiration_date => { type => 'integer' },
-        account_profile => { type => 'varchar', length => 100, not_null => 1 },
-        sp_entityid     => { type => 'varchar', length => 250, not_null => 1 },
+        id                 => { type => 'bigserial', not_null => 1 },
+        user_password_hash => { type => 'varchar', length => 50, not_null => 1 },
+        creation_date      => { type => 'integer' },
+        expiration_date    => { type => 'integer' },
+        account_profile    => { type => 'varchar', length => 100, not_null => 1 },
+        sp_entityid        => { type => 'varchar', length => 250, not_null => 1 },
    ],

    primary_key_columns => [ 'id' ],

--- a/lib/IdPAccountManager/TestAccount.pm
+++ b/lib/IdPAccountManager/TestAccount.pm
@@ -43,7 +43,13 @@ sub get {
    my $self = shift;
    my $attribute_name = shift;
    
-    return $self->{'persistent'}->$attribute_name;
+    ## User password is not stored in DB
+    if ($attribute_name eq 'user_password') {
+        return $self->{$attribute_name};
+    }else {
+        return $self->{'persistent'}->$attribute_name;
+
+    }
 }

 sub save {
@@ -53,7 +59,8 @@ sub save {
    unless (defined $self->{'persistent'}->id) {
        $self->{'persistent'}->creation_date(time);
        $self->{'persistent'}->expiration_date(time + ($IdPAccountManager::Conf::global{'accounts_validity_period'} * 3600 * 24));
-        $self->{'persistent'}->user_password(&IdPAccountManager::Tools::generate_password());
+        $self->{'user_password'} = &IdPAccountManager::Tools::generate_password();
+        $self->{'persistent'}->user_password_hash(&IdPAccountManager::Tools::sha256_hash($self->{'user_password'}));
    }
    
    unless ($self->{'persistent'}->save()) {
@@ -77,8 +84,8 @@ sub print {
    my $self = shift;
    my $fd = shift || \*STDOUT;
    
-    printf $fd "Account ID=%s; password=%s; sp_entityid=%s; account_profile=%s; creation_date=%s; expiration_date=%s\n",
-            $self->get('id'), $self->get('user_password'), $self->get('sp_entityid'), $self->get('account_profile'),
+    printf $fd "Account ID=%s; password_hash=%s; sp_entityid=%s; account_profile=%s; creation_date=%s; expiration_date=%s\n",
+            $self->get('id'), $self->get('user_password_hash'), $self->get('sp_entityid'), $self->get('account_profile'),
            &POSIX::strftime('%Y:%m:%d', localtime($self->get('creation_date'))), &POSIX::strftime('%Y:%m:%d', localtime($self->get('expiration_date')));

    return 1.

--- a/lib/IdPAccountManager/Tools.pm
+++ b/lib/IdPAccountManager/Tools.pm
 package IdPAccountManager::Tools;

 use Template;
+use Digest::SHA;

 my %log_levels = ('debug' => 0, 'info' => 1, 'trace' => 1, 'notice' => 2, 'error' => 3);


+# get SHA256 hash for a string
+sub sha256_hash {
+    my $s = shift;
+    
+    return &Digest::SHA::sha256_base64($s);
+}
+
 # This function generates a random password
 sub generate_password{
        my $length_of_randomstring=10;# the length of 

--- a/templates/accountProfiles/student1.tt2
+++ b/templates/accountProfiles/student1.tt2
-'user[% account.id %]:[% account.get('user_password') %]' => array(
+'user[% account.get('id') %]:{SHA256}[% account.get('user_password_hash') %]=' => array(
 	'uid' => 'user[% account.get('id') %]',
 	'eduPersonAffiliation' => array('member', 'student'),
 	'eduPersonScopedAffiliation' => array('member@[% conf.idp_scope %]', 'student@[% conf.idp_scope %]'),

--- a/templates/accountProfiles/valid-accounts.php.tt2
+++ b/templates/accountProfiles/valid-accounts.php.tt2
 <?php
 // template for a PhP configuration file loaded in simpleSamlPhp authsources.php file
 $validTestAccounts = array (
-    'exampleauth:UserPass',
+    'authcrypt:Hash',

 [% FOREACH account IN accounts %]
  [% INCLUDE "${account.get('account_profile')}.tt2" %]