From aa574f40c325f8e2887c5d492ae52f79fab6702c Mon Sep 17 00:00:00 2001
From: "renater.salaun" <renater.salaun@047e039d-479c-447e-8a29-aa6bf4a09bab>
Date: Mon, 15 Sep 2014 08:39:28 +0000
Subject: [PATCH] Now storing only password hashes in DB. SimpleSAML's 'authcrypt:Hash' module is used
git-svn-id: https://svn.geant.net/GEANT/edugain_testidp_account_manager/trunk@7 047e039d-479c-447e-8a29-aa6bf4a09bab
---
 conf/create-manager-db.sql | 2 +-
 lib/IdPAccountManager/Data/Testaccount.pm | 12 ++++++------
 lib/IdPAccountManager/TestAccount.pm | 15 +++++++++++----
 lib/IdPAccountManager/Tools.pm | 8 ++++++++
 templates/accountProfiles/student1.tt2 | 2 +-
 templates/accountProfiles/valid-accounts.php.tt2 | 2 +-
 6 files changed, 28 insertions(+), 13 deletions(-)
diff --git a/conf/create-manager-db.sql b/conf/create-manager-db.sql
index e55833b..24bc246 100644
--- a/conf/create-manager-db.sql
+++ b/conf/create-manager-db.sql
@@ -2,7 +2,7 @@ CREATE TABLE `testaccounts` (
 `id` bigint(20) NOT NULL auto_increment,
- `user_password` varchar(50) NOT NULL,
+ `user_password_hash` varchar(50) NOT NULL,
 `creation_date` int default NULL,
 `expiration_date` int default NULL,
 `account_profile` varchar(100) NOT NULL,
diff --git a/lib/IdPAccountManager/Data/Testaccount.pm b/lib/IdPAccountManager/Data/Testaccount.pm
index b5b8238..8c33b1d 100644
--- a/lib/IdPAccountManager/Data/Testaccount.pm
+++ b/lib/IdPAccountManager/Data/Testaccount.pm
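Review bot: `user_password_hash varchar(50)` hard-wires the column to a bare, unsalted digest: a base64 SHA-256 is 44 characters with padding and fits, but any salted variant (digest plus appended salt, or a full scheme-prefixed token such as `{SSHA256}...`) would be silently truncated on MySQL in non-strict mode (the backtick quoting suggests MySQL) and then never match at login. Consider widening the column now, e.g. `\`user_password_hash\` varchar(255) NOT NULL,`, and storing the complete scheme-prefixed token instead of reassembling `{SHA256}` and the `=` padding in a template. The CREATE TABLE statement continues outside the hunk.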
@@ -8,12 +8,12 @@ __PACKAGE__->meta->setup(
 table => 'testaccounts',
 columns => [
- id => { type => 'bigserial', not_null => 1 },
- user_password => { type => 'varchar', length => 50, not_null => 1 },
- creation_date => { type => 'integer' },
- expiration_date => { type => 'integer' },
- account_profile => { type => 'varchar', length => 100, not_null => 1 },
- sp_entityid => { type => 'varchar', length => 250, not_null => 1 },
+ id => { type => 'bigserial', not_null => 1 },
+ user_password_hash => { type => 'varchar', length => 50, not_null => 1 },
+ creation_date => { type => 'integer' },
+ expiration_date => { type => 'integer' },
+ account_profile => { type => 'varchar', length => 100, not_null => 1 },
+ sp_entityid => { type => 'varchar', length => 250, not_null => 1 },
 ],
 primary_key_columns => [ 'id' ],
diff --git a/lib/IdPAccountManager/TestAccount.pm b/lib/IdPAccountManager/TestAccount.pm
index da9ef0e..b7d43b3 100644
--- a/lib/IdPAccountManager/TestAccount.pm
+++ b/lib/IdPAccountManager/TestAccount.pm
@@ -43,7 +43,13 @@ sub get {
 my $self = shift;
 my $attribute_name = shift;
- return $self->{'persistent'}->$attribute_name;
+ ## User password is not stored in DB
+ if ($attribute_name eq 'user_password') {
+ return $self->{$attribute_name};
+ }else {
+ return $self->{'persistent'}->$attribute_name;
+
+ }
 }
 sub save {
@@ -53,7 +59,8 @@ sub save {
 unless (defined $self->{'persistent'}->id) {
 $self->{'persistent'}->creation_date(time);
 $self->{'persistent'}->expiration_date(time + ($IdPAccountManager::Conf::global{'accounts_validity_period'} * 3600 * 24));
- $self->{'persistent'}->user_password(&IdPAccountManager::Tools::generate_password());
+ $self->{'user_password'} = &IdPAccountManager::Tools::generate_password();
+ $self->{'persistent'}->user_password_hash(&IdPAccountManager::Tools::sha256_hash($self->{'user_password'}));
 }
 unless ($self->{'persistent'}->save()) {
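Review bot: The new `user_password` branch in `get` returns `$self->{'user_password'}`, which is only populated by `save()` when it generates a password for a not-yet-persisted account, so on an account loaded from the DB the call quietly returns undef; the comment should say so, e.g. `## Cleartext password exists only in the object that created the account (set by save); undef for accounts loaded from the DB`. Stylistically, `}else {` should read `} else {` and the blank line before the closing brace is stray. `sub get` is fully visible here, but `sub save` starts on the last context line and continues outside the hunk.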
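Review bot: `sha256_hash` is applied to the generated password with no salt, so the stored value is a plain SHA-256 of a 10-character random string (the length set in Tools.pm), which a leaked DB exposes to fast offline cracking; since the verifier is SimpleSAMLphp's authcrypt:Hash per the commit message, prefer a salted scheme if that module supports one (e.g. `{SSHA256}`) over bare `{SHA256}`. Independently of the algorithm, the cleartext now lives in `$self->{'user_password'}` for the lifetime of the object, including after the `save()` call below fails; clearing it once it has been handed to the user, e.g. `delete $self->{'user_password'};`, would bound the exposure. `sub save` continues past the end of the hunk.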
@@ -77,8 +84,8 @@ sub print {
 my $self = shift;
 my $fd = shift || \*STDOUT;
- printf $fd "Account ID=%s; password=%s; sp_entityid=%s; account_profile=%s; creation_date=%s; expiration_date=%s\n",
- $self->get('id'), $self->get('user_password'), $self->get('sp_entityid'), $self->get('account_profile'),
+ printf $fd "Account ID=%s; password_hash=%s; sp_entityid=%s; account_profile=%s; creation_date=%s; expiration_date=%s\n",
+ $self->get('id'), $self->get('user_password_hash'), $self->get('sp_entityid'), $self->get('account_profile'),
 &POSIX::strftime('%Y:%m:%d', localtime($self->get('creation_date'))), &POSIX::strftime('%Y:%m:%d', localtime($self->get('expiration_date')));
 return 1.
diff --git a/lib/IdPAccountManager/Tools.pm b/lib/IdPAccountManager/Tools.pm
index e23e165..620d2d3 100644
--- a/lib/IdPAccountManager/Tools.pm
+++ b/lib/IdPAccountManager/Tools.pm
@@ -1,10 +1,18 @@
 package IdPAccountManager::Tools;
 use Template;
+use Digest::SHA;
 my %log_levels = ('debug' => 0, 'info' => 1, 'trace' => 1, 'notice' => 2, 'error' => 3);
+# get SHA256 hash for a string
+sub sha256_hash {
+ my $s = shift;
+
+ return &Digest::SHA::sha256_base64($s);
+}
+
 # This function generates a random password
 sub generate_password{
 my $length_of_randomstring=10;# the length of
diff --git a/templates/accountProfiles/student1.tt2 b/templates/accountProfiles/student1.tt2
index d4aba8c..e60a6ef 100644
--- a/templates/accountProfiles/student1.tt2
+++ b/templates/accountProfiles/student1.tt2
@@ -1,4 +1,4 @@
-'user[% account.id %]:[% account.get('user_password') %]' => array(
+'user[% account.get('id') %]:{SHA256}[% account.get('user_password_hash') %]=' => array(
 'uid' => 'user[% account.get('id') %]',
 'eduPersonAffiliation' => array('member', 'student'),
 'eduPersonScopedAffiliation' => array('member@[% conf.idp_scope %]', 'student@[% conf.idp_scope %]'),
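Review bot: `print` now writes `password_hash=%s` to the given handle, but an unsalted SHA-256 of a short generated password is an offline-crackable target and belongs in logs or console output no more than the cleartext did; drop the field, or print an identifying prefix only, e.g. `substr($self->get('user_password_hash'), 0, 8) . '...'`. The last context line keeps the pre-existing `return 1.` (a float literal where `return 1;` was presumably meant), which is worth fixing while this sub is being touched. `sub print` ends outside the hunk.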
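Review bot: `sha256_hash` returns `Digest::SHA::sha256_base64($s)`, whose base64 output is unpadded (43 characters for SHA-256), which is why student1.tt2 has to append a literal `=`; the helper should emit the canonical padded form itself — `my $b64 = Digest::SHA::sha256_base64($s);`, `$b64 .= '=' while length($b64) % 4;`, `return $b64;` — and the template's hard-coded `=` then goes away. The header comment should also state the contract the name hides, e.g. `# Unsalted SHA-256, base64-encoded, for the authcrypt:Hash {SHA256} scheme only; not a password KDF`. The `&Digest::SHA::...` call form is obsolete; call it as `Digest::SHA::sha256_base64($s)`. `sub generate_password` begins in the trailing context lines and continues outside the hunk.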
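Review bot: The new key assembles the authcrypt:Hash credential as `{SHA256}` + hash + a literal `=`, which only works because `sha256_hash` currently returns 43 unpadded base64 characters; that padding is a property of the hash helper, not of this template, and will break as soon as the helper pads or the digest changes. Let the helper return the complete padded token and write the key as `'user[% account.get('id') %]:{SHA256}[% account.get('user_password_hash') %]' => array(`. A comment naming the expected entry format, e.g. `[%# key is user<id>:{SHA256}<base64 digest>, as verified by authcrypt:Hash %]`, would help authors of further profile templates. The `array(` opened here is closed outside the hunk.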
diff --git a/templates/accountProfiles/valid-accounts.php.tt2 b/templates/accountProfiles/valid-accounts.php.tt2
index ecb525f..84e13da 100644
--- a/templates/accountProfiles/valid-accounts.php.tt2
+++ b/templates/accountProfiles/valid-accounts.php.tt2
@@ -1,7 +1,7 @@
 <?php
 // template for a PhP configuration file loaded in simpleSamlPhp authsources.php file
 $validTestAccounts = array (
- 'exampleauth:UserPass',
+ 'authcrypt:Hash',
 [% FOREACH account IN accounts %] [% INCLUDE "${account.get('account_profile')}.tt2" %]
--
GitLab
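Review bot: Switching the authsource to `'authcrypt:Hash'` changes the credential format for every profile pulled in via `${account.get('account_profile')}.tt2`, yet the diffstat shows only student1.tt2 updated in this commit; if any other profile template still emits `user<id>:<cleartext>` its accounts would no longer verify. The line deserves a comment stating the contract at the point where it is chosen, e.g. `// every included profile must emit 'user<id>:{SHA256}<base64 digest>' => array(...)`. The `$validTestAccounts` array is closed outside the hunk.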