feat: 平台中创建的用户密码默认使用ssha加密策略 (#208)

2023-05-09 18:06:59 +08:00 · 2023-05-09 18:06:59 +08:00 · fad5f11d5d
parent 1699abac3b
commit fad5f11d5d
5 changed files with 68 additions and 3 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -6,7 +6,7 @@ repos:
    - id: trailing-whitespace
    - id: check-added-large-files
 -   repo: https://github.com/golangci/golangci-lint # golangci-lint hook repo
-    rev: v1.47.3 # golangci-lint hook repo revision
+    rev: v1.52.2 # golangci-lint hook repo revision
    hooks:
    - id: golangci-lint
      name: golangci-lint
--- a/README.md
+++ b/README.md
@ -161,7 +161,7 @@
        <a href="https://github.com/ckyoung123421">
            <img src="https://avatars.githubusercontent.com/u/16368382?v=4" width="100;" alt="ckyoung123421"/>
            <br />
-            <sub><b>Null</b></sub>
+            <sub><b>ckyoung123421</b></sub>
        </a>
    </td></tr>
 <tr>
--- a/public/tools/ssha.go
+++ b/public/tools/ssha.go
@ -0,0 +1,53 @@
+package tools
+
+import (
+	"bytes"
+	"crypto/sha1"
+	"encoding/base64"
+	"fmt"
+	"math/rand"
+)
+
+// code from https://gist.github.com/newm4n/ce9ac4308ae1beb4250efddad28e3f85
+
+// Encode encodes the []byte of raw password
+func EncodePass(rawPassPhrase []byte) string {
+	hash := makeSSHAHash(rawPassPhrase, makeSalt())
+	b64 := base64.StdEncoding.EncodeToString(hash)
+	return string([]byte(fmt.Sprintf("{SSHA}%s", b64)))
+}
+
+// makeSalt make a 4 byte array containing random bytes.
+func makeSalt() []byte {
+	sbytes := make([]byte, 4)
+	rand.Read(sbytes)
+	return sbytes
+}
+
+// makeSSHAHash make hasing using SHA-1 with salt. This is not the final output though. You need to append {SSHA} string with base64 of this hash.
+func makeSSHAHash(passphrase, salt []byte) []byte {
+	sha := sha1.New()
+	sha.Write(passphrase)
+	sha.Write(salt)
+
+	h := sha.Sum(nil)
+	return append(h, salt...)
+}
+
+// Matches matches the encoded password and the raw password
+func Matches(encodedPassPhrase, rawPassPhrase []byte) bool {
+	//strip the {SSHA}
+	eppS := string(encodedPassPhrase)[6:]
+	hash, err := base64.StdEncoding.DecodeString(eppS)
+	if err != nil {
+		return false
+	}
+	salt := hash[len(hash)-4:]
+
+	sha := sha1.New()
+	sha.Write(rawPassPhrase)
+	sha.Write(salt)
+	sum := sha.Sum(nil)
+
+	return bytes.Equal(sum, hash[:len(hash)-4])
+}
--- a/public/tools/util_test.go
+++ b/public/tools/util_test.go
@ -25,3 +25,15 @@ func TestSliceToString(t *testing.T) {
 	a := []uint{1}
 	fmt.Printf("%s\n", SliceToString(a, ","))
 }
+
+func TestEncodePass(t *testing.T) {
+	// to encode a password into ssha
+	hashed := EncodePass([]byte("testpass"))
+	fmt.Println(string(hashed))
+	// to validate a password against saved hash.
+	if Matches([]byte(hashed), []byte("testpass")) {
+		fmt.Println("Its a match.")
+	} else {
+		fmt.Println("its not match")
+	}
+}
--- a/service/ildap/user_ildap.go
+++ b/service/ildap/user_ildap.go
@ -29,7 +29,7 @@ func (x UserService) Add(user *model.User) error {
 	add.Attribute("postalAddress", []string{user.PostalAddress})
 	add.Attribute("mobile", []string{user.Mobile})
 	add.Attribute("uid", []string{user.Username})
-	add.Attribute("userPassword", []string{tools.NewParPasswd(user.Password)})
+	add.Attribute("userPassword", []string{tools.EncodePass([]byte(tools.NewParPasswd(user.Password)))})

 	// 获取 LDAP 连接
 	conn, err := common.GetLDAPConn()