author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2013-09-17 02:31:25 +0300 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2013-09-17 02:31:25 +0300 |
commit | 3cddbe8043e3e8aad410594c7e4466e7caeb8b41 (patch) | |
tree | c2971117e1a7dfa6f9e8174d4f41cc1239e06b77 | |
parent | 5467f2ddadeaaf74dfb2109d53c4d5be9f275f20 (diff) | |
hashed passwords
-rw-r--r-- | acf/model/aaa.lua | 36 | ||||
-rw-r--r-- | config/aaa.json | 2 | ||||
-rwxr-xr-x | install-deps.sh | 2 |
3 files changed, 36 insertions, 4 deletions
diff --git a/acf/model/aaa.lua b/acf/model/aaa.lua
index d51c10f..8dea542 100644
--- a/acf/model/aaa.lua
+++ b/acf/model/aaa.lua
@@ -4,18 +4,50 @@ See LICENSE file for license details
 --]]
 local M = require('acf.model')
+local object = require('acf.object')
+
+local digest = require('crypto').digest
+
 Role = M.new()
 Role.permissions = M.Set{type=M.Reference{scope='../../../permissions'}}
+local function hash_password(algorithm, salt, password)
+ return algorithm..'$'..salt..'$'..digest(algorithm, salt..password)
+end
+
+local hash_pattern = '^(%w+)%$(%w+)%$%x+$'
+
+
+local Password = object.class(M.String)
+
+function Password:_validate(context, value)
+ value = object.super(self, M.String):_validate(context, value)
+ if value:find(hash_pattern) then return value end
+
+ local salt = ''
+ for i = 1,12 do
+ local c = math.random(48, 109)
+ if c > 57 then c = c + 7 end
+ if c > 90 then c = c + 6 end
+ salt = salt..string.char(c)
+ end
+ return hash_password('sha256', salt, value)
+end
+
+
 User = M.new()
-User.password = M.String
+User.password = Password
 User['real-name'] = M.String
 User.superuser = M.Boolean{default=false}
 User.roles = M.Set{type=M.Reference{scope='../../../roles'}}
-function User:check_password(password) return password == self.password end
+function User:check_password(password)
+ local _, _, algorithm, salt = self.password:find(hash_pattern)
+ if not salt then return false end
+ return hash_password(algorithm, salt, password) == self.password
+end
 function User:check_permission(permission)
 -- TODO audit trail
diff --git a/config/aaa.json b/config/aaa.json
index 480c25d..a182371 100644
--- a/config/aaa.json
+++ b/config/aaa.json
@@ -1 +1 @@
-{"users":{"admin":{"password":"admin","superuser":true}}}
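Review bot: The salt loop in Password:_validate draws from math.random, which is not a cryptographic generator and is never seeded anywhere in this hunk, so with Lua 5.2's default generator state every process start can emit the same salt sequence and salts become predictable. hash_password also applies a single SHA-256 pass over salt..password, which is fast enough that offline guessing against a leaked aaa.json is cheap; the usual fix is a password-hashing KDF with a work factor (PBKDF2, bcrypt or scrypt, whichever the crypto binding exposes), and the `algorithm` field of the stored string already leaves room to record which one was used. A plaintext password that itself happens to match hash_pattern is stored verbatim, after which User:check_password hashes the login attempt and can never match it, so a less ambiguous marker than `%w+%$%w+%$%x+` would be safer. As a minimum the salt should come from a CSPRNG; the sketch below replaces the loop with bytes from /dev/urandom, hex-encoded so the value still satisfies hash_pattern.
```lua
-- Salt from the kernel CSPRNG, hex-encoded so it still matches hash_pattern.
local function random_salt(nbytes)
   local f = assert(io.open('/dev/urandom', 'rb'))
   local raw = assert(f:read(nbytes))
   f:close()
   return (raw:gsub('.', function(c) return ('%02x'):format(c:byte()) end))
end

function Password:_validate(context, value)
   value = object.super(self, M.String):_validate(context, value)
   if value:find(hash_pattern) then return value end
   return hash_password('sha256', random_salt(16), value)
end
-- … unchanged: User model and User:check_password …
```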
\ No newline at end of file
+{"users":{"admin":{"password":"sha256$MVxudi8b1F8n$b42ec168b4bb9e893d3d666807d9fed0b0d05cfef5b0dc53984f58443531d56a","superuser":true}}}
\ No newline at end of file
diff --git a/install-deps.sh b/install-deps.sh
index a6f157f..b624503 100755
--- a/install-deps.sh
+++ b/install-deps.sh
@@ -3,7 +3,7 @@
 # Copyright (c) 2012-2013 Kaarle Ritvanen
 # See LICENSE file for license details
-PACKAGES="lua5.2-augeas lua5.2-json4 lua5.2-posix lua5.2-stringy
+PACKAGES="lua5.2-augeas lua5.2-crypto lua5.2-json4 lua5.2-posix lua5.2-stringy
 uwsgi uwsgi-lua"
 [ "$1" = -d ] && PACKAGES="$PACKAGES bash curl"
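Review bot: The committed config now ships a single fixed salt and hash for the default admin account, so every deployment that keeps this file shares the same credential material (presumably the hash of the previous plaintext default, though the diff cannot confirm that). Consider generating the initial admin secret at install time rather than committing a hash, or at least documenting that it must be changed before the service is exposed. If Password:_validate in acf/model/aaa.lua runs when the config is loaded, the entry could also have stayed as a plaintext placeholder and been converted on first load, which would avoid committing a reusable hash.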