Use crypt for password hashing

f0rthsp4ce · Aug 11, 2024 · 3c4e235 · 3c4e235
1 parent 68bae04
commit 3c4e235
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 9 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -9,7 +9,6 @@ license = "Unlicense OR MIT"
 anyhow = { version = "1.0.75", features = ["backtrace"] }
 argh = "0.1.12"
 async-openai = "0.14.3"
-base64 = "0.22.1"
 bytes = "1.7.1"
 chrono = { version = "0.4.31", features = ["serde"] }
 cron = "0.12.1"
@@ -40,7 +39,7 @@ salvo-oapi = { version = "0.58.2", features = ["chrono"] }
 serde = "1.0.188"
 serde_json = "1.0.107"
 serde_yaml = "0.9.25"
-sha2 = "0.10.8"
+sha-crypt = "0.5.0"
 similar = "2.2.1"
 structstruck = "0.4.1"
 tap = "1.0.1"

diff --git a/src/modules/ldap.rs b/src/modules/ldap.rs
@@ -36,6 +36,9 @@ pub enum Commands {
     #[command(description = "Update LDAP settings.")]
     #[custom(in_private = true, resident = true)]
     LdapUpdate(String),
+    #[command(description = "Show your LDAP groups.")]
+    #[custom(in_private = true, resident = true)]
+    LdapGroups,
 }
 
 /// Control personal configuration.
@@ -84,6 +87,7 @@ async fn start<'a>(
             ldap_reset_password(bot, env, msg).await?;
         }
         Commands::LdapUpdate(args) => ldap_update(bot, env, msg, &args).await?,
+        Commands::LdapGroups => ldap_groups(bot, env, msg).await?,
     }
     Ok(())
 }
@@ -235,3 +239,28 @@ async fn ldap_reset_password(
     .await?;
     Ok(())
 }
+
+async fn ldap_groups(bot: Bot, env: Arc<BotEnv>, msg: Message) -> Result<()> {
+    let mut ldap_conn = env.ldap_client().await;
+    let user_id =
+        msg.from.as_ref().ok_or_else(|| anyhow::anyhow!("No user ID"))?.id;
+    let Some(user) =
+        ldap::get_user(&mut ldap_conn, &env.config.services.ldap, user_id)
+            .await?
+    else {
+        ldap_not_found(bot, msg).await?;
+        return Ok(());
+    };
+
+    let groups =
+        ldap::get_user_groups(&mut ldap_conn, &env.config.services.ldap, &user)
+            .await?;
+
+    let mut text = "Your LDAP groups:\n".to_string();
+    for group in groups {
+        text.push_str(&format!("- {group}\n"));
+    }
+
+    bot.reply_message(&msg, text).await?;
+    Ok(())
+}
diff --git a/src/utils/ldap.rs b/src/utils/ldap.rs
@@ -7,7 +7,6 @@ use ldap_rs::{
     Attribute, Attributes, LdapClient, ModifyRequest, SearchEntries,
     SearchRequest,
 };
-use sha2::Digest;
 use teloxide::types::UserId;
 
 use super::ResultExt;
@@ -297,10 +296,11 @@ impl Default for Sha512PasswordHash {
 
 impl PasswordHash for Sha512PasswordHash {
     fn hash_password(&self, password: &str) -> String {
-        use base64::prelude::*;
-        let hash = sha2::Sha512::digest(password.as_bytes());
-        let encoded = BASE64_STANDARD.encode(hash);
-        format!("{{SHA512}}{encoded}")
+        use sha_crypt::{sha512_simple, Sha512Params};
+        let params = Sha512Params::new(10_000).expect("failed to create sha512 hashing params");
+        let hashed_password =
+            sha512_simple(password, &params).expect("failed to hash password");
+        format!("{{CRYPT}}{hashed_password}")
     }
 }