Fall 'kein Hash-Algorithmus angegeben' bei alten Passwörtern richtig behandeln

diff --git a/SL/Auth.pm b/SL/Auth.pm
index 76414e877ba01980d8ccedbc95fce8036535323b..e01af910729071e1bada1e85dae036a6c0964fef 100644 (file)
--- a/SL/Auth.pm
+++ b/SL/Auth.pm
@@ -165,8 +165,12 @@ sub authenticate {
 sub store_credentials_in_session {
   my ($self, %params) = @_;
 
-  $params{password} = SL::Auth::Password->hash_if_unhashed(login => $params{login}, password => $params{password})
-    unless $self->{authenticator}->requires_cleartext_password;
+  if (!$self->{authenticator}->requires_cleartext_password) {
+    $params{password} = SL::Auth::Password->hash_if_unhashed(login             => $params{login},
+                                                             password          => $params{password},
+                                                             look_up_algorithm => 1,
+                                                             auth              => $self);
+  }
 
   $self->set_session_value(login => $params{login}, password => $params{password});
 }
@@ -177,6 +181,19 @@ sub store_root_credentials_in_session {
   $self->set_session_value(rpw => SL::Auth::Password->hash_if_unhashed(login => 'root', password => $rpw));
 }
 
+sub get_stored_password {
+  my ($self, $login) = @_;
+
+  my $dbh            = $self->dbconnect;
+
+  return undef unless $dbh;
+
+  my $query             = qq|SELECT password FROM auth."user" WHERE login = ?|;
+  my ($stored_password) = $dbh->selectrow_array($query, undef, $login);
+
+  return $stored_password;
+}
+
 sub dbconnect {
   $main::lxdebug->enter_sub(2);
 

diff --git a/SL/Auth/DB.pm b/SL/Auth/DB.pm
index 66d23cd278646742bf88dda89b87ee1f6896b7f7..520e3e272f3b3e8bcdb9a2b4557ad904eecf8a2f 100644 (file)
--- a/SL/Auth/DB.pm
+++ b/SL/Auth/DB.pm
@@ -32,15 +32,7 @@ sub authenticate {
   my $login      = shift;
   my $password   = shift;
 
-  my $dbh        = $self->{auth}->dbconnect();
-
-  if (!$dbh) {
-    $main::lxdebug->leave_sub();
-    return ERR_BACKEND;
-  }
-
-  my $query             = qq|SELECT password FROM auth."user" WHERE login = ?|;
-  my ($stored_password) = $dbh->selectrow_array($query, undef, $login);
+  my $stored_password = $self->{auth}->get_stored_password($login);
 
   my ($algorithm, $algorithm2);
 

diff --git a/SL/Auth/Password.pm b/SL/Auth/Password.pm
index 5a17203c53c5035ecc75d461190c5c73424346cb..5f876cec33c0f6e1e231d80fb802143800bf60b4 100644 (file)
--- a/SL/Auth/Password.pm
+++ b/SL/Auth/Password.pm
@@ -40,7 +40,15 @@ sub hash_if_unhashed {
 
   my ($algorithm, $password) = $class->parse($params{password}, 'NONE');
 
-  return $algorithm eq 'NONE' ? $class->hash(%params) : $params{password};
+  return $params{password} unless $algorithm eq 'NONE';
+
+  if ($params{look_up_algorithm}) {
+    my $stored_password    = $params{auth}->get_stored_password($params{login});
+    my ($stored_algorithm) = $class->parse($stored_password);
+    $params{algorithm}     = $stored_algorithm;
+  }
+
+  return $class->hash(%params);
 }
 
 sub parse {

diff --git a/sql/Pg-upgrade2-auth/password_hashing.sql b/sql/Pg-upgrade2-auth/password_hashing.sql
new file mode 100644 (file)
index 0000000..c1db613
--- /dev/null
+++ b/sql/Pg-upgrade2-auth/password_hashing.sql
@@ -0,0 +1,9 @@
+-- @tag: password_hashing
+-- @description: Explicitely set a password hashing algorithm
+-- @depends:
+-- @charset: utf-8
+UPDATE auth."user"
+  SET password = '{CRYPT}' || password
+  WHERE NOT (password IS NULL)
+    AND (password <> '')
+    AND NOT (password LIKE '{%}%');