#!@PERL@ # BEGIN BPS TAGGED BLOCK {{{ # # COPYRIGHT: # # This software is Copyright (c) 1996-2016 Best Practical Solutions, LLC # # # (Except where explicitly superseded by other copyright notices) # # # LICENSE: # # This work is made available to you under the terms of Version 2 of # the GNU General Public License. A copy of that license should have # been provided with this software, but in any event can be snarfed # from www.gnu.org. # # This work is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA # 02110-1301 or visit their web page on the internet at # http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. # # # CONTRIBUTION SUBMISSION POLICY: # # (The following paragraph is not intended to limit the rights granted # to you to modify and distribute this software under the terms of # the GNU General Public License and is only of importance to you if # you choose to contribute your changes and enhancements to the # community by submitting them to Best Practical Solutions, LLC.) # # By intentionally submitting any modifications, corrections or # derivatives to this work, or any other work intended for use with # Request Tracker, to Best Practical Solutions, LLC, you confirm that # you are the copyright holder for those contributions and you grant # Best Practical Solutions, LLC a nonexclusive, worldwide, irrevocable, # royalty-free, perpetual, license to use, copy, create derivative # works based on those contributions, and sublicense and distribute # those contributions and any derivatives thereof. # # END BPS TAGGED BLOCK }}} use 5.10.1; use strict; use warnings; use lib "@LOCAL_LIB_PATH@"; use lib "@RT_LIB_PATH@"; use RT -init; $| = 1; use Getopt::Long; use Digest::SHA; my $fix; GetOptions("fix!" => \$fix); use RT::Users; my $users = RT::Users->new( $RT::SystemUser ); $users->Limit( FIELD => 'Password', OPERATOR => 'IS NOT', VALUE => 'NULL', ENTRYAGGREGATOR => 'AND', ); $users->Limit( FIELD => 'Password', OPERATOR => '!=', VALUE => '*NO-PASSWORD*', ENTRYAGGREGATOR => 'AND', ); $users->Limit( FIELD => 'Password', OPERATOR => 'NOT STARTSWITH', VALUE => '!', ENTRYAGGREGATOR => 'AND', ); push @{$users->{'restrictions'}{ "main.Password" }}, "AND", { field => 'LENGTH(main.Password)', op => '<', value => '40', }; # we want to update passwords on disabled users $users->{'find_disabled_rows'} = 1; my $count = $users->Count; if ($count == 0) { print "No users with unsalted or weak cryptography found.\n"; exit 0; } if ($fix) { print "Upgrading $count users...\n"; while (my $u = $users->Next) { my $stored = $u->__Value("Password"); my $raw; if (length $stored == 32) { $raw = pack("H*",$stored); } elsif (length $stored == 22) { $raw = MIME::Base64::decode_base64($stored); } elsif (length $stored == 13) { printf "%20s => Old crypt() format, cannot upgrade\n", $u->Name; } else { printf "%20s => Unknown password format!\n", $u->Name; } next unless $raw; my $salt = pack("C4",map{int rand(256)} 1..4); my $sha = Digest::SHA::sha256( $salt . $raw ); $u->_Set( Field => "Password", Value => MIME::Base64::encode_base64( $salt . substr($sha,0,26), ""), ); } print "Done.\n"; exit 0; } else { if ($count < 20) { print "$count users found with unsalted or weak-cryptography passwords:\n"; print " Id | Name\n", "-"x9, "+", "-"x9, "\n"; while (my $u = $users->Next) { printf "%8d | %s\n", $u->Id, $u->Name; } } else { print "$count users found with unsalted or weak-cryptography passwords\n"; } print "\n", "Run again with --fix to upgrade.\n"; exit 1; }