From 2953aec0ed571cec2879351b19a11fda727d37fc Mon Sep 17 00:00:00 2001
From: cajus <cajus@594d385d-05f5-0310-b6e9-bd551577e9d8>
Date: Mon, 5 May 2008 15:27:23 +0000
Subject: [PATCH] Added gosa encrypted password migration utility

git-svn-id: https://oss.gonicus.de/repositories/gosa/trunk@10768 594d385d-05f5-0310-b6e9-bd551577e9d8
---
 gosa-core/bin/gosa-encrypt-passwords | 114 +++++++++++++++++++++++++++
 gosa-core/debian/gosa.install        |   1 +
 2 files changed, 115 insertions(+)
 create mode 100755 gosa-core/bin/gosa-encrypt-passwords

diff --git a/gosa-core/bin/gosa-encrypt-passwords b/gosa-core/bin/gosa-encrypt-passwords
new file mode 100755
index 000000000..0f8c5ada1
--- /dev/null
+++ b/gosa-core/bin/gosa-encrypt-passwords
@@ -0,0 +1,114 @@
+#!/usr/bin/php
+<?php
+
+function cred_encrypt($input, $password) {
+
+  $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
+  $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
+
+  return bin2hex(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $password, $input, MCRYPT_MODE_ECB, $iv));
+}
+
+
+function get_random_char() {
+  $randno = rand (0, 63);
+  if ($randno < 12) {
+    return (chr ($randno + 46)); // Digits, '/' and '.'
+  } else if ($randno < 38) {
+    return (chr ($randno + 53)); // Uppercase
+  } else {
+    return (chr ($randno + 59)); // Lowercase
+  }
+}
+
+
+function get_random_string($size= 32){
+  $str= "";
+  for ($i = 0; $i < $size; $i++) {
+    $str .= get_random_char();
+  }
+  return $str;
+}
+
+
+# We need to have access to gosa.secrets
+if (posix_getuid() != 0){
+  die ("This program needs to be called by root!\n");
+}
+
+# Do we have a valid gosa.conf?
+if (!file_exists("/etc/gosa/gosa.conf")){
+  die ("Cannot find a valid /etc/gosa/gosa.conf!\n");
+}
+
+echo "Starting password encryption\n";
+echo "* generating random master key\n";
+$master_key= get_random_string();
+
+# Do we have a valid gosa.secrets, already? 
+if (file_exists("/etc/gosa/gosa.secrets")){
+  die ("There's already a /etc/gosa/gosa.secrets. Cannot convert your existing gosa.conf - aborted\n");
+} else {
+  echo "* creating /etc/gosa/gosa.secrets\n";
+  $fp = fopen("/etc/gosa/gosa.secrets", 'w') or die("Cannot open /etc/gosa/gosa.secrets for writing - aborted");
+  fwrite($fp, "RequestHeader set GOSA_KEY $master_key\n");
+  fclose($fp);
+  chmod ("/etc/gosa/gosa.secrets", 0600);
+  chown ("/etc/gosa/gosa.secrets", "root");
+  chgrp ("/etc/gosa/gosa.secrets", "root");
+}
+
+# Locate all passwords inside the gosa.conf
+echo "* loading /etc/gosa/gosa.conf\n";
+$conf = new DOMDocument();
+$conf->load("/etc/gosa/gosa.conf") or die ("Cannot read /etc/gosa/gosa.conf - aborted\n");
+$conf->encoding = 'UTF-8';
+$referrals= $conf->getElementsByTagName("referral");
+echo "* encrypting existent passwords with master key\n";
+foreach($referrals as $referral){
+  $pw= $referral->attributes->getNamedItem("password");
+  $pw->nodeValue= cred_encrypt($pw->nodeValue, $master_key);
+}
+
+# Move original gosa.conf out of the way and make it unreadable for the web user
+echo "* creating backup in /etc/gosa/gosa.conf.orig\n";
+rename("/etc/gosa/gosa.conf", "/etc/gosa/gosa.conf.orig");
+chmod("/etc/gosa/gosa.conf.orig", 0600);
+chown ("/etc/gosa/gosa.conf.orig", "root");
+chgrp ("/etc/gosa/gosa.conf.orig", "root");
+
+# Save new passwords
+echo "* saving modified /etc/gosa/gosa.conf\n";
+$conf->save("/etc/gosa/gosa.conf") or die("Cannot write modified /etc/gosa/gosa.conf - aborted\n");
+chmod("/etc/gosa/gosa.conf", 0640);
+chown ("/etc/gosa/gosa.conf", "root");
+chgrp ("/etc/gosa/gosa.conf", "www-data");
+echo "OK\n\n";
+
+# Print reminder
+echo<<<EOF
+Please adapt your http gosa location declaration to include the newly
+created "/etc/gosa/gosa.secrets".
+
+Example:
+
+Alias /gosa /usr/share/gosa/html
+
+<Location /gosa-loc>
+  php_admin_flag engine on
+  php_admin_value open_basedir "/etc/gosa/:/usr/share/gosa/:/var/cache/gosa/:/var/spool/gosa/"
+  php_admin_flag register_globals off
+  php_admin_flag allow_call_time_pass_reference off
+  php_admin_flag expose_php off
+  php_admin_flag zend.ze1_compatibility_mode off
+  php_admin_flag register_long_arrays off
+  php_admin_flag magic_quotes_gpc on
+  include /etc/gosa/gosa.secrets
+</Location>
+
+
+Please reload your httpd configuration after you've modified anything.
+
+
+EOF;
+?>
diff --git a/gosa-core/debian/gosa.install b/gosa-core/debian/gosa.install
index fc1a0cfb7..a1a1bc9fb 100644
--- a/gosa-core/debian/gosa.install
+++ b/gosa-core/debian/gosa.install
@@ -1,4 +1,5 @@
 update-gosa			/usr/sbin
+bin/gosa-encrypt-passwords	/usr/sbin
 html				/usr/share/gosa
 ihtml				/usr/share/gosa
 include				/usr/share/gosa
-- 
2.30.2