309 lines
7.8 KiB
Perl
309 lines
7.8 KiB
Perl
#!/usr/bin/perl
|
|
#
|
|
use warnings;
|
|
use strict;
|
|
use POSIX;
|
|
use Lemonldap::NG::Common::Conf;
|
|
use Lemonldap::NG::Common::Apache::Session;
|
|
use Lemonldap::NG::Common::Session;
|
|
use Lemonldap::NG::Common::TOTP;
|
|
use JSON qw(from_json to_json);
|
|
use Getopt::Long qw(:config auto_help);
|
|
use Pod::Usage;
|
|
|
|
my ( $dryrun, $verbose, $force, $update, $oldkey, $newkey );
|
|
GetOptions(
|
|
"n|dry-run" => \$dryrun,
|
|
"v|verbose" => \$verbose,
|
|
"f|force" => \$force,
|
|
"u|update" => \$update,
|
|
"o|old-key=s" => \$oldkey,
|
|
"k|new-key=s" => \$newkey,
|
|
);
|
|
|
|
eval {
|
|
POSIX::setgid( scalar( getgrnam('www-data') ) );
|
|
POSIX::setuid( scalar( getpwnam('www-data') ) );
|
|
};
|
|
|
|
sub verbose {
|
|
print STDERR @_, "\n" if $verbose;
|
|
}
|
|
|
|
sub info {
|
|
print STDERR @_, "\n";
|
|
}
|
|
|
|
# Get config
|
|
my $res = Lemonldap::NG::Common::Conf->new();
|
|
die $Lemonldap::NG::Common::Conf::msg unless ($res);
|
|
my $conf = $res->getConf();
|
|
|
|
my $localconf = $res->getLocalConf()
|
|
or die "Unable to get local configuration ($!)";
|
|
|
|
if ($localconf) {
|
|
$conf->{$_} = $localconf->{$_} foreach ( keys %$localconf );
|
|
}
|
|
|
|
if ( !$conf->{totp2fEncryptSecret} ) {
|
|
if ( !$force ) {
|
|
die "Encryption of TOTP secrets is not enabled in configuration."
|
|
. " Use --force to ignore this error";
|
|
}
|
|
}
|
|
|
|
# Create TOTP object
|
|
|
|
my $decrypt_totp = Lemonldap::NG::Common::TOTP->new(
|
|
key => ( $oldkey || $conf->{totp2fKey} || $conf->{key} ),
|
|
encryptSecret => 0,
|
|
);
|
|
|
|
my $encrypt_totp = Lemonldap::NG::Common::TOTP->new(
|
|
key => ( $newkey || $conf->{totp2fKey} || $conf->{key} ),
|
|
encryptSecret => ( ( $newkey || "" ) eq "DECRYPT" ? 0 : 1 ),
|
|
);
|
|
|
|
# Search psessions
|
|
my $args;
|
|
if ( $conf->{"persistentStorage"} ) {
|
|
$args = $conf->{"persistentStorageOptions"};
|
|
$args->{backend} = $conf->{"persistentStorage"};
|
|
}
|
|
else {
|
|
$args = $conf->{"globalStorageOptions"};
|
|
$args->{backend} = $conf->{"globalStorage"};
|
|
}
|
|
|
|
verbose "Searching for persistent sessions";
|
|
$res = Lemonldap::NG::Common::Apache::Session->searchOn( $args, '_session_kind',
|
|
'Persistent', '_2fDevices', '_session_uid' );
|
|
|
|
if ( ref($res) eq "HASH" ) {
|
|
verbose "Found " . scalar( keys %{$res} ) . " persistent sessions";
|
|
|
|
# For each found psession
|
|
for my $k ( keys %{$res} ) {
|
|
my $_2fDevices = $res->{$k}->{_2fDevices};
|
|
my $uid = $res->{$k}->{_session_uid};
|
|
verbose "Processing psession $k for user $uid";
|
|
encrypt_session( $k, $uid, $_2fDevices );
|
|
}
|
|
}
|
|
else {
|
|
die "Could not find any persistent sessions";
|
|
}
|
|
|
|
sub encrypt_session {
|
|
my ( $k, $uid, $_2fDevices ) = @_;
|
|
|
|
eval {
|
|
# parse _2fDevices if found
|
|
if ($_2fDevices) {
|
|
$_2fDevices = from_json($_2fDevices);
|
|
|
|
# If the session has 2f devices
|
|
if ( ref($_2fDevices) eq "ARRAY" and @{$_2fDevices} > 0 ) {
|
|
my $changed = convert_keys_for_user( $uid, $_2fDevices );
|
|
if ( $changed and !$dryrun ) {
|
|
eval { update2fArray( $k, $_2fDevices ); };
|
|
if ($@) {
|
|
info "Error updating session for $uid: $@";
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
verbose "User $uid does not have a TOTP";
|
|
}
|
|
}
|
|
else {
|
|
verbose "User $uid does not have a TOTP";
|
|
}
|
|
|
|
};
|
|
if ($@) {
|
|
verbose "Error on psession $k: $@";
|
|
}
|
|
}
|
|
|
|
sub update2fArray {
|
|
my ( $id, $_2fDevices ) = @_;
|
|
|
|
my $session = Lemonldap::NG::Common::Session->new(
|
|
storageModule => $args->{backend},
|
|
storageModuleOptions => $args,
|
|
id => $id,
|
|
);
|
|
|
|
unless ( $session->data ) {
|
|
die "Error while opening session $id";
|
|
}
|
|
|
|
unless ( $session->update( { _2fDevices => to_json($_2fDevices) } ) ) {
|
|
die "Error while updating session $id";
|
|
}
|
|
}
|
|
|
|
sub convert_device_for_user {
|
|
my ( $uid, $device ) = @_;
|
|
my $changed = 0;
|
|
|
|
# In update mode, decrypt then encrypt
|
|
if ($update) {
|
|
my $cleartext_secret =
|
|
$decrypt_totp->get_cleartext_secret( $device->{_secret} );
|
|
if ($cleartext_secret) {
|
|
my $newsecret =
|
|
$encrypt_totp->get_storable_secret($cleartext_secret);
|
|
$device->{_secret} = $newsecret;
|
|
$changed = 1;
|
|
verbose 'Updated secret for ' . $uid;
|
|
}
|
|
else {
|
|
info 'Unable to decrypt TOTP secret for ' . $uid;
|
|
}
|
|
|
|
# In normal mode, only encrypt non-encrypted secrets
|
|
}
|
|
else {
|
|
if ( !$encrypt_totp->is_encrypted( $device->{_secret} ) ) {
|
|
$device->{_secret} =
|
|
$encrypt_totp->get_storable_secret( $device->{_secret} );
|
|
$changed = 1;
|
|
info 'Encrypted TOTP secret for ' . $uid;
|
|
}
|
|
else {
|
|
verbose 'Secret is already encrypted';
|
|
}
|
|
}
|
|
return $changed;
|
|
}
|
|
|
|
sub convert_keys_for_user {
|
|
my ( $uid, $devices ) = @_;
|
|
my $has_totp = 0;
|
|
my $changed = 0;
|
|
for my $device ( @{$devices} ) {
|
|
if ( $device->{type} eq "TOTP" ) {
|
|
$has_totp = 1;
|
|
my $epoch = $device->{epoch};
|
|
verbose "Processing device with epoch $epoch for user $uid";
|
|
my $changed_current = convert_device_for_user( $uid, $device );
|
|
$changed = 1 if $changed_current;
|
|
}
|
|
}
|
|
|
|
if ( !$has_totp ) {
|
|
verbose "User $uid does not have a TOTP";
|
|
}
|
|
return ( $has_totp, $changed );
|
|
}
|
|
|
|
__END__
|
|
|
|
=encoding utf8
|
|
|
|
=head1 NAME
|
|
|
|
encryptTotpSecret - A tool to encrypt existing TOTP secrets
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
encryptTotpSecret [options]
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
This script is a migration tool that you can use after enabling TOTP secret
|
|
encryption in the Manager. It will make sure that existing secrets are
|
|
encrypted, and not just newly registered secrets.
|
|
|
|
=head1 OPTIONS
|
|
|
|
=over 8
|
|
|
|
=item B<--help>, B<-h>
|
|
|
|
Print a brief help message and exit.
|
|
|
|
=item B<--dry-run>, B<-n>
|
|
|
|
Prevent the script from saving modifications to the session database
|
|
|
|
=item B<--update>, B<-u>
|
|
|
|
By default, secrets that are already in encrypted form are skipped by the
|
|
script. Use this option to force already encrypted secrets to be decrypted,
|
|
then re-encrypted using a different key (or decrypted)
|
|
|
|
=item B<--old-key>, B<-o>
|
|
|
|
The key used to decrypt secrets in B<--update> mode.
|
|
|
|
By default, the B<totp2fKey> or B<key> LemonLDAP::NG configuration parameters
|
|
are used.
|
|
|
|
=item B<--new-key>, B<-k>
|
|
|
|
The key used to encrypt secrets. Use B<-u -k DECRYPT> to decrypt secrets instead.
|
|
|
|
By default, the B<totp2fKey> or B<key> LemonLDAP::NG configuration parameters
|
|
are used.
|
|
|
|
=item B<--force>, B<-f>
|
|
|
|
Encrypt existing TOTP secrets even if encryption is disabled in the configuration
|
|
|
|
=item B<--verbose>, B<-v>
|
|
|
|
Increase the level of details provided by the script
|
|
|
|
=back
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<http://lemonldap-ng.org/>
|
|
|
|
=head1 AUTHORS
|
|
|
|
=over
|
|
|
|
=item Maxime Besson, E<lt>maxime.besson@worteks.comE<gt>
|
|
|
|
=back
|
|
|
|
=head1 BUG REPORT
|
|
|
|
Use OW2 system to report bug or ask for features:
|
|
L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
|
|
|
|
=head1 DOWNLOAD
|
|
|
|
Lemonldap::NG is available at
|
|
L<https://lemonldap-ng.org/download>
|
|
|
|
=head1 COPYRIGHT AND LICENSE
|
|
|
|
=over
|
|
|
|
=item Copyright (C) 2008-2016 by Xavier Guimard, E<lt>x.guimard@free.frE<gt>
|
|
|
|
=item Copyright (C) 2008-2016 by Clément Oudot, E<lt>clem.oudot@gmail.comE<gt>
|
|
|
|
=back
|
|
|
|
This library is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 2, or (at your option)
|
|
any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see L<http://www.gnu.org/licenses/>.
|
|
|
|
=cut
|