X-Git-Url: http://wagnertech.de/gitweb/gitweb.cgi/mfinanz.git/blobdiff_plain/69a44d3b470358fcd7e473d38fb5dfd5c62c8b50..f7d51d3e6c5e9b16f688e2e9417f54aee64ed23a:/SL/Auth.pm diff --git a/SL/Auth.pm b/SL/Auth.pm index 9ed86d665..6652aed4b 100644 --- a/SL/Auth.pm +++ b/SL/Auth.pm @@ -23,6 +23,9 @@ use SL::DBUtils; use strict; +use constant SESSION_KEY_ROOT_AUTH => 'session_auth_status_root'; +use constant SESSION_KEY_USER_AUTH => 'session_auth_status_user'; + sub new { $main::lxdebug->enter_sub(); @@ -102,6 +105,10 @@ sub _read_auth_config { my $self = shift; map { $self->{$_} = $::lx_office_conf{authentication}->{$_} } keys %{ $::lx_office_conf{authentication} }; + + # Prevent password leakage to log files when dumping Auth instances. + $self->{admin_password} = sub { $::lx_office_conf{authentication}->{admin_password} }; + $self->{DB_config} = $::lx_office_conf{'authentication/database'}; $self->{LDAP_config} = $::lx_office_conf{'authentication/ldap'}; @@ -142,14 +149,27 @@ sub authenticate_root { my ($self, $password) = @_; - $password = SL::Auth::Password->hash_if_unhashed(login => 'root', password => $password); - my $admin_password = SL::Auth::Password->hash_if_unhashed(login => 'root', password => $self->{admin_password}); + my $session_root_auth = $self->get_session_value(SESSION_KEY_ROOT_AUTH); + if (defined $session_root_auth && $session_root_auth == OK) { + $::lxdebug->leave_sub; + return OK; + } - $main::lxdebug->leave_sub(); + if (!defined $password) { + $::lxdebug->leave_sub; + return ERR_PASSWORD; + } + + $password = SL::Auth::Password->hash(login => 'root', password => $password); + my $admin_password = SL::Auth::Password->hash_if_unhashed(login => 'root', password => $self->{admin_password}->()); + + my $result = $password eq $admin_password ? OK : ERR_PASSWORD; + $self->set_session_value(SESSION_KEY_ROOT_AUTH ,=> $result); + + sleep 5 if $result != OK; - return OK if $password eq $admin_password; - sleep 5; - return ERR_PASSWORD; + $::lxdebug->leave_sub; + return $result; } sub authenticate { @@ -157,31 +177,24 @@ sub authenticate { my ($self, $login, $password) = @_; - $main::lxdebug->leave_sub(); - - my $result = $login ? $self->{authenticator}->authenticate($login, $password) : ERR_USER; - return OK if $result eq OK; - sleep 5; - return $result; -} - -sub store_credentials_in_session { - my ($self, %params) = @_; + my $session_auth = $self->get_session_value(SESSION_KEY_USER_AUTH); + if (defined $session_auth && $session_auth == OK) { + $::lxdebug->leave_sub; + return OK; + } - if (!$self->{authenticator}->requires_cleartext_password) { - $params{password} = SL::Auth::Password->hash_if_unhashed(login => $params{login}, - password => $params{password}, - look_up_algorithm => 1, - auth => $self); + if (!defined $password) { + $::lxdebug->leave_sub; + return ERR_PASSWORD; } - $self->set_session_value(login => $params{login}, password => $params{password}); -} + my $result = $login ? $self->{authenticator}->authenticate($login, $password) : ERR_USER; + $self->set_session_value(SESSION_KEY_USER_AUTH ,=> $result, login => $login); -sub store_root_credentials_in_session { - my ($self, $rpw) = @_; + sleep 5 if $result != OK; - $self->set_session_value(rpw => SL::Auth::Password->hash_if_unhashed(login => 'root', password => $rpw)); + $::lxdebug->leave_sub; + return $result; } sub get_stored_password { @@ -400,11 +413,6 @@ sub change_password { my $result = $self->{authenticator}->change_password($login, $new_password); - $self->store_credentials_in_session(login => $login, - password => $new_password, - look_up_algorithm => 1, - auth => $self); - $main::lxdebug->leave_sub(); return $result;