hydra-create-user: support Argon2

Co-authored-by: Graham Christensen <graham@grahamc.com>
Graham Christensen 2021-04-15 11:14:47 -04:00 committed by Graham Christensen
parent beb5be4302
commit 1d956be61e


@ -5,17 +5,16 @@ use Hydra::Schema;
use Hydra::Helper::Nix; use Hydra::Helper::Nix;
use Hydra::Model::DB; use Hydra::Model::DB;
use Getopt::Long qw(:config gnu_getopt); use Getopt::Long qw(:config gnu_getopt);
use Digest::SHA1 qw(sha1_hex);
sub showHelp { sub showHelp {
print <<EOF; print q%
Usage: $0 NAME Usage: hydra-create-user NAME
[--rename-from NAME] [--rename-from NAME]
[--type hydra|google|github] [--type hydra|google|github]
[--full-name FULLNAME] [--full-name FULLNAME]
[--email-address EMAIL-ADDRESS] [--email-address EMAIL-ADDRESS]
[--password PASSWORD] [--password PASSWORD]
[--password-hash SHA1-HASH] [--password-hash HASH]
[--wipe-roles] [--wipe-roles]
[--role ROLE]... [--role ROLE]...
@ -25,9 +24,31 @@ exists, roles are added to the existing roles unless --wipe-roles is
specified. If --rename-from is given, the specified account is specified. If --rename-from is given, the specified account is
renamed. renamed.
Example: * PASSWORD HASH
\$ hydra-create-user alice --password foobar --role admin The password hash should be an Argon2id hash, which can be generated
EOF via:
$ nix-shell -p libargon2
[nix-shell]$ argon2 "$(LC_ALL=C tr -dc '[:alnum:]' < /dev/urandom | head -c16)" -id -t 3 -k 262144 -p 1 -l 16 -e
foobar
Ctrl^D
$argon2id$v=19$m=262144,t=3,p=1$NFU1QXJRNnc4V1BhQ0NJQg$6GHqjqv5cNDDwZqrqUD0zQ
SHA1 is also accepted, but SHA1 support is deprecated and the user's
password will be upgraded to Argon2id on first login.
Examples:
Create a user with an argon2 password:
$ hydra-create-user alice --password-hash '$argon2id$v=19$m=262144,t=3,p=1$NFU1QXJRNnc4V1BhQ0NJQg$6GHqjqv5cNDDwZqrqUD0zQ' --role admin
Create a user with a password insecurely provided on the commandline:
$ hydra-create-user alice --password foobar --role admin
%;
exit 0; exit 0;
} }
@ -84,8 +105,9 @@ $db->txn_do(sub {
$user->update({ emailaddress => $userName, password => "!" }); $user->update({ emailaddress => $userName, password => "!" });
} else { } else {
$user->update({ emailaddress => $emailAddress }) if defined $emailAddress; $user->update({ emailaddress => $emailAddress }) if defined $emailAddress;
if (defined $password && !(defined $passwordHash)) { if (defined $password && !(defined $passwordHash)) {
$passwordHash = sha1_hex($password); $user->setPassword($password);
} }
$user->update({ password => $passwordHash }) if defined $passwordHash; $user->update({ password => $passwordHash }) if defined $passwordHash;
} }
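Review bot: A caller-supplied `--password-hash` is written to the password column as-is on the hunk's last changed line (`$user->update({ password => $passwordHash }) if defined $passwordHash;`), so a typo or a string that is neither an Argon2id encoding nor a SHA1 digest is stored without any error, and nothing in this hunk checks the format before the update. Unless the option is validated during option parsing outside the hunk, add a check that mirrors what the new help text says is accepted, e.g. `die "--password-hash must be an Argon2id string or a 40-hex SHA1 digest\n" unless $passwordHash =~ /\A\$argon2id\$/ || $passwordHash =~ /\A[0-9a-f]{40}\z/i;` immediately before that update. The `--password` branch now delegates to `$user->setPassword($password)`, whose hashing is not visible here, and relies on the following update being guarded by `defined $passwordHash` so the two paths do not overwrite each other; a one-line comment such as `# setPassword() hashes and stores; only a caller-supplied hash goes through update()` would make that intent explicit. The enclosing `$db->txn_do` block starts and ends outside the hunk.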