hashes passwords support
This commit is contained in:
Mikaël Cluseau
@ -1,15 +1,20 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"encoding/base32"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"log"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
cfsslconfig "github.com/cloudflare/cfssl/config"
|
||||
"github.com/cloudflare/cfssl/csr"
|
||||
yaml "gopkg.in/yaml.v2"
|
||||
|
||||
"novit.tech/direktil/pkg/bootstrapconfig"
|
||||
"novit.tech/direktil/pkg/config"
|
||||
)
|
||||
|
||||
@ -28,16 +33,50 @@ func templateFuncs(sslCfg *cfsslconfig.Config) map[string]any {
|
||||
return getUsableKeyCert(cluster, caName, name, profile, label, certReq, sslCfg)
|
||||
}
|
||||
|
||||
hash := func(plain, seed []byte, hashAlg string) (hashed string, err error) {
|
||||
switch hashAlg {
|
||||
case "sha512crypt":
|
||||
return sha512crypt(plain, seed)
|
||||
|
||||
case "bootstrap":
|
||||
return bootstrapconfig.JoinSeedAndHash(seed, bootstrapconfig.PasswordHashFromSeed(seed, plain)), nil
|
||||
|
||||
default:
|
||||
return "", fmt.Errorf("unknown hash alg: %q", hashAlg)
|
||||
}
|
||||
}
|
||||
|
||||
return map[string]any{
|
||||
"password": func(cluster, name string) (password string, err error) {
|
||||
password, _, err = clusterPasswords.Get(cluster + "/" + name)
|
||||
"quote": strconv.Quote,
|
||||
|
||||
"password": func(cluster, name, hashAlg string) (password string, err error) {
|
||||
key := cluster + "/" + name
|
||||
|
||||
seed, err := seeds.GetOrCreate(key, func() (seed []byte, err error) {
|
||||
seed = make([]byte, 16)
|
||||
_, err = rand.Read(seed)
|
||||
return
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to get seed: %w", err)
|
||||
}
|
||||
|
||||
password, err = clusterPasswords.GetOrCreate(key, func() (password string, err error) {
|
||||
raw := make([]byte, 10)
|
||||
_, err = rand.Read(raw)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to generate password: %w", err)
|
||||
}
|
||||
|
||||
password = strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw))
|
||||
return
|
||||
})
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
if len(password) == 0 {
|
||||
err = fmt.Errorf("password %q not defined for cluster %q", name, cluster)
|
||||
}
|
||||
return
|
||||
|
||||
return hash([]byte(password), seed, hashAlg)
|
||||
},
|
||||
|
||||
"token": getOrCreateClusterToken,
|
||||
|
||||
Reference in New Issue
Block a user