forked from lix-project/hydra
hydra-init: upgrade passwords to Argon2 on startup
This commit is contained in:
Graham Christensen
parent
79b0ddc27d
commit
05636de7d2
|
|
@ -72,3 +72,12 @@ for (my $n = $schemaVersion; $n < $maxSchemaVersion; $n++) {
|
|||
};
|
||||
die "schema upgrade failed: $@\n" if $@;
|
||||
}
|
||||
|
||||
my @usersWithSha1s = $db->resultset('Users')->search(\['LENGTH(password) = 40 AND password ~ \'^[0-9a-f]{40}$\'']);
|
||||
if (scalar(@usersWithSha1s) > 0) {
|
||||
print STDERR "upgrading user passwords from sha1\n";
|
||||
for my $user (@usersWithSha1s) {
|
||||
print STDERR " * " . $user->username . "\n";
|
||||
$user->setPassword($user->password);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
68
t/scripts/hydra-init.t
Normal file
68
t/scripts/hydra-init.t
Normal file
|
|
@ -0,0 +1,68 @@
|
|||
use feature 'unicode_strings';
|
||||
use strict;
|
||||
use Setup;
|
||||
|
||||
my %ctx = test_init();
|
||||
|
||||
require Hydra::Schema;
|
||||
require Hydra::Model::DB;
|
||||
|
||||
use Test2::V0;
|
||||
|
||||
my $db = Hydra::Model::DB->new;
|
||||
hydra_setup($db);
|
||||
|
||||
subtest "hydra-init upgrades user's password hashes from sha1 to sha1 inside Argon2" => sub {
|
||||
my $alice = $db->resultset('Users')->create({
|
||||
"username" => "alice",
|
||||
"emailaddress" => 'alice@nixos.org',
|
||||
"password" => "8843d7f92416211de9ebb963ff4ce28125932878" # SHA1 of "foobar"
|
||||
});
|
||||
my $janet = $db->resultset('Users')->create({
|
||||
"username" => "janet",
|
||||
"emailaddress" => 'janet@nixos.org',
|
||||
"password" => "!"
|
||||
});
|
||||
$janet->setPassword("foobar");
|
||||
|
||||
is($alice->password, "8843d7f92416211de9ebb963ff4ce28125932878", "Alices's sha1 is stored in the database");
|
||||
my ($res, $stdout, $stderr) = captureStdoutStderr(5, ("hydra-init"));
|
||||
if ($res != 0) {
|
||||
is($stdout, "");
|
||||
is($stderr, "");
|
||||
}
|
||||
is($res, 0, "hydra-init should exit zero");
|
||||
|
||||
subtest "Alice had their password updated in place" => sub {
|
||||
my $updatedAlice = $db->resultset('Users')->find({ username => "alice" });
|
||||
isnt($updatedAlice, undef);
|
||||
isnt($updatedAlice->password, "8843d7f92416211de9ebb963ff4ce28125932878", "The password was updated in place.");
|
||||
|
||||
my $storedPassword = $updatedAlice->password;
|
||||
ok($updatedAlice->check_password("foobar"), "Their password validates");
|
||||
isnt($storedPassword, $updatedAlice->password, "The password is upgraded in place.");
|
||||
};
|
||||
|
||||
subtest "Janet did not have their password change" => sub {
|
||||
my $updatedJanet = $db->resultset('Users')->find({ username => "janet" });
|
||||
isnt($updatedJanet, undef);
|
||||
is($updatedJanet->password, $janet->password, "The password was not updated in place.");
|
||||
|
||||
ok($updatedJanet->check_password("foobar"), "Their password validates");
|
||||
is($updatedJanet->password, $janet->password, "The password is not upgraded in place.");
|
||||
};
|
||||
|
||||
subtest "Running hydra-init don't break Alice or Janet's passwords" => sub {
|
||||
my ($res, $stdout, $stderr) = captureStdoutStderr(5, ("hydra-init"));
|
||||
is($res, 0, "hydra-init should exit zero");
|
||||
|
||||
my $updatedAlice = $db->resultset('Users')->find({ username => "alice" });
|
||||
ok($updatedAlice->check_password("foobar"), "Alice's password validates");
|
||||
|
||||
my $updatedJanet = $db->resultset('Users')->find({ username => "janet" });
|
||||
ok($updatedJanet->check_password("foobar"), "Janet's password validates");
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
done_testing;
|
||||
Loading…
Reference in a new issue