Patch #17368 » ciphered_ldap_passwords4Redmine_pm.diff

Marcus Schmid, 2014-07-02 16:44

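--- a/extra/svn/Redmine.pm
+++ b/extra/svn/Redmine.pm
@@ -62,6 +62,8 @@
      # RedmineDbWhereClause "and members.role_id IN (1,2)"
      ## Optional credentials cache size
      # RedmineCacheCredsMax 50
+     ## Optional database_cipher_key
+     # RedmineDatabaseCipherKey "SecretKeyFromConfigurationYML"
   </Location>
 
 To be able to browse repository inside redmine, you must add something
@@ -188,6 +190,8 @@
 use Digest::SHA;
 # optional module for LDAP authentication
 my $CanUseLDAPAuth = eval("use Authen::Simple::LDAP; 1");
+# optional modules for decrypting ciphered LDAP bind passwords
+my $CanUseCiphering = eval("use Crypt::CBC; use MIME::Base64; 1");
 
 use Apache2::Module;
 use Apache2::Access;
@@ -233,6 +237,11 @@
     req_override => OR_AUTHCFG,
     args_how => TAKE1,
   },
+  {
+    name => 'RedmineDatabaseCipherKey',
+    req_override => OR_AUTHCFG,
+    args_how => TAKE1,
+  },
 );
 
 sub RedmineDSN {
@@ -486,6 +495,11 @@
               $bind_as =~ s/\$login/$redmine_user/g;
               $bind_pw = $redmine_pass
             }
+
+            if((defined $cfg->{RedmineDatabaseCipherKey}) and $CanUseCiphering) {
+                $bind_pw = decrypt_text($bind_pw, $cfg->{RedmineDatabaseCipherKey});
+            }
+
             my $ldap = Authen::Simple::LDAP->new(
                 host    =>      ($rowldap[2] eq "1" || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]:$rowldap[1]" : $rowldap[0],
                 port    =>      $rowldap[1],
@@ -541,4 +555,43 @@
     return DBI->connect($cfg->{RedmineDSN}, $cfg->{RedmineDbUser}, $cfg->{RedmineDbPass});
 }
 
+sub RedmineDatabaseCipherKey {
+    my ($self, $parms, $arg) = @_;
+
+    if ($arg) {
+        $self->{RedmineDatabaseCipherKey} = $arg;
+    }
+}
+
+sub decrypt_text {
+    my $text = shift;
+    my $key = shift;
+
+    die "text needed" unless defined $text;
+    die "key needed" unless defined $key;
+
+    if ((length $key > 0) and ($text =~ /\Aaes-256-cbc:(.+)\Z/)) {
+        my ($e, $iv) = split /--/, $1;
+
+        $e = decode_base64($e);
+        $iv = decode_base64($iv);
+        $key = substr Digest::SHA::sha256_hex($key), 0, 32;
+
+        my $cipher = Crypt::CBC->new(
+                -cipher      => 'Rijndael',
+                -key         => $key,
+                -iv          => $iv,
+                -literal_key => 1,
+                -padding     => 'standard',
+                -header      => 'none',
+                -blocksize   => 16,
+                -keysize     => 32
+                );
+
+        $cipher->decrypt($e);
+    } else {
+        $text;
+    }
+}
+
 1;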
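Review bot: The guard on new line 499, `if((defined $cfg->{RedmineDatabaseCipherKey}) and $CanUseCiphering)`, fails open: when the optional modules are missing the stored `aes-256-cbc:…` blob is handed to the LDAP bind unchanged, and the operator sees only a bind failure with no indication that decryption was skipped. The probe on line 194 also only loads `Crypt::CBC` and `MIME::Base64`, whereas the `Rijndael` backend requested on line 581 is, as far as I recall, resolved by `Crypt::CBC->new` at request time, so a missing Crypt::Rijndael would surface as a die inside the authentication handler rather than as `$CanUseCiphering` being false. I would extend the probe to `my $CanUseCiphering = eval("use Crypt::CBC; use Crypt::Rijndael; use MIME::Base64; 1");` and add an explicit `elsif (defined $cfg->{RedmineDatabaseCipherKey}) { $r->log_error("RedmineDatabaseCipherKey is set but Crypt::CBC/Crypt::Rijndael could not be loaded; LDAP bind password left undecrypted"); }` branch; the enclosing sub begins and ends outside the hunk, so confirm `$r` is in scope there. Separately, `substr Digest::SHA::sha256_hex($key), 0, 32` on line 578 yields 32 hex characters, i.e. 128 bits of effective key material for an AES-256 key — presumably kept so the ciphertext stays compatible with what the Ruby side writes, which deserves a comment such as `# 32 hex chars = 128-bit effective key; kept for compatibility with the Ruby ciphering format` rather than being left implicit.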