From 23145cad28847ceb38689e26a7631be89dac4c37 Mon Sep 17 00:00:00 2001
From: link2xt
Date: Sun, 15 Oct 2023 03:04:45 +0000
Subject: [PATCH] Encrypt the passwords in the database

There is also no need to compare the passwords manually, dovecot does it for us.
---
 doveauth/src/doveauth/dictproxy.py | 23 ++++++++++++++++++-----
 doveauth/src/doveauth/test_doveauth.py | 1 -
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/doveauth/src/doveauth/dictproxy.py b/doveauth/src/doveauth/dictproxy.py
index ac42e49d..125beedc 100644
--- a/doveauth/src/doveauth/dictproxy.py
+++ b/doveauth/src/doveauth/dictproxy.py
@@ -7,10 +7,25 @@ from socketserver import (
     ThreadingMixIn,
 )
 import pwd
+import subprocess
 
 from .database import Database
 
 
+def encrypt_password(password: str):
+    password = password.encode("ascii")
+    # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
+    process = subprocess.Popen(
+        ["doveadm", "pw", "-s", "BLF-CRYPT"],
+        stdin=subprocess.PIPE,
+        stdout=subprocess.PIPE,
+    )
+    stdout_data, _stderr_data = process.communicate(
+        input=password + b"\n" + password + b"\n"
+    )
+    return stdout_data.decode("ascii").strip()
+
+
 def create_user(db, user, password):
     with db.write_transaction() as conn:
         conn.create_user(user, password)
@@ -33,11 +48,9 @@ def lookup_userdb(db, user):
 def lookup_passdb(db, user, password):
     userdata = get_user_data(db, user)
     if not userdata:
-        return create_user(db, user, password)
-    if userdata.get("password") == password:
-        return userdata
-    else:
-        return None
+        return create_user(db, user, encrypt_password(password))
+    userdata["password"] = userdata["password"].strip()
+    return userdata
 
 
 def handle_dovecot_request(msg, db):
diff --git a/doveauth/src/doveauth/test_doveauth.py b/doveauth/src/doveauth/test_doveauth.py
index 89bf1657..6db02592 100644
--- a/doveauth/src/doveauth/test_doveauth.py
+++ b/doveauth/src/doveauth/test_doveauth.py
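Review bot: The exit status of `doveadm pw` is never checked in encrypt_password, so if the command exits non-zero the function returns an empty string and the caller in lookup_passdb stores that as the account's credential; `subprocess.run(..., check=True)` together with a guard on empty output turns that into an exception instead. The `.encode("ascii")` call also raises `UnicodeEncodeError` for any non-ASCII password, and a password containing a newline would desynchronise the two answers fed to the prompts on stdin, so both cases deserve an explicit check rather than an unhandled traceback in the request handler. Passing the secret on stdin rather than on the command line, where it would be visible in the process list, is the right choice and should stay. The function also lacks a docstring saying that it returns the scheme-prefixed hash produced by doveadm; the rewrite below adds one.
```python
def encrypt_password(password: str) -> str:
    """Hash *password* with ``doveadm pw`` (BLF-CRYPT) and return the scheme-prefixed hash."""
    if "\n" in password:
        raise ValueError("password must not contain a newline")
    data = password.encode("utf-8")
    # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
    # doveadm asks for the password and a confirmation; answer both on stdin so the
    # secret never appears on the command line.
    result = subprocess.run(
        ["doveadm", "pw", "-s", "BLF-CRYPT"],
        input=data + b"\n" + data + b"\n",
        stdout=subprocess.PIPE,
        check=True,
    )
    hashed = result.stdout.decode("ascii").strip()
    if not hashed:
        raise RuntimeError("doveadm pw returned no hash")
    return hashed
```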
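Review bot: `userdata["password"]` is now indexed directly where the removed line used `.get("password")`, so a row without that key raises `KeyError` inside the request path instead of producing a lookup failure; `stored = userdata.get("password")` / `if stored is None: return None` / `userdata["password"] = stored.strip()` keeps the old tolerance. The `password` argument is now consumed only on the first-login path that creates the account, and for existing accounts the returned entry carries the stored hash for dovecot to verify — that contract is not obvious from the code and belongs in a docstring, e.g. `"""Return the passdb entry for user; a first login creates the account with a hashed password, later logins return the stored hash for dovecot to verify."""`. Rows written before this commit presumably still hold the plaintext value in the password column, and whether dovecot accepts those depends on its configured default scheme, so a migration of legacy values seems worth confirming. lookup_passdb lies entirely within the hunk; only the signature of handle_dovecot_request is visible here.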
@@ -1,4 +1,3 @@ -import subprocess import pytest from .dictproxy import get_user_data