[interchange] * Add enclair_db option to UserDB.pm. Allows logging of enclair password

Mike Heins interchange-cvs at icdevgroup.org
Fri Apr 5 13:53:34 UTC 2013


commit ed13ca36c04fac50064c2982223fcc3b70664cb0
Author: Mike Heins <heins at icdevgroup.com>
Date:   Fri Apr 5 09:52:49 2013 -0400

    * Add enclair_db option to UserDB.pm. Allows logging of enclair password
      to separate, presumably insert-only, database table. Designed to allow
      administration personnel to look at passwords, without allowing access
      to web-connected systems. Or perhaps more properly, to check prior
      MD5-encrypted password values for repeat passwords.
    
      Docs in UserDB.pm POD.

 dist/standard/catalog.cfg |   11 ++++++
 lib/Vend/UserDB.pm        |   78 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 0 deletions(-)
---
diff --git a/dist/standard/catalog.cfg b/dist/standard/catalog.cfg
index d034e83..da24bd9 100644
--- a/dist/standard/catalog.cfg
+++ b/dist/standard/catalog.cfg
@@ -280,6 +280,17 @@ UserDB    default    logfile       logs/userdb.log
 # UserDB    default    indirect_login  email
 # UserDB    default    assign_username 1
 
+# This makes the password be inserted in an insert-only table.
+#
+# UserDB      default     enclair_db  enclair
+#
+# You can set the following, which have the defaults shown in the
+# setting. You can also insert %M, which is the MD5 of the password, or
+# %D which is a datetime localtime value in the form YYYYmmddHHMMSS.
+#UserDB   default  enclair_key_field   username
+#UserDB   default  enclair_field       password
+#UserDB   default  enclair_query_template "INSERT INTO %t (%U,%P) values (%u,%p)"
+
 # minimal login stuff for affiliate
 UserDB    affiliate  user_field    affiliate
 UserDB    affiliate  database      affiliate
diff --git a/lib/Vend/UserDB.pm b/lib/Vend/UserDB.pm
index d2a320f..ffcfbd3 100644
--- a/lib/Vend/UserDB.pm
+++ b/lib/Vend/UserDB.pm
@@ -1372,6 +1372,80 @@ sub get_hash {
 	return $self->{$name}{$nick};
 }
 
+=over 4
+
+=item enclair_db
+
+Using set_enclair() allows logging of enclair password to separate
+database table. Designed to allow administration personnel to look
+at passwords, without allowing access to web-connected systems. Or
+perhaps more properly, to check prior MD5-encrypted password values 
+for repeat passwords.
+
+Designed to log to an insert-only handle on a table, with a database
+structure such as:
+
+  create table enclair (
+    username varchar(32),
+     password varchar(32),
+     update_date timestamp
+    )
+
+Then a program on a secure behind-firewall no-select write-only
+database can access the table, logged via request and username.
+
+Configured:
+
+	UserDB   default  enclair_db   some_table
+
+You can set the following, which have the defaults shown in the
+setting. You can also insert %M, which is the MD5 of the password, or
+%D which is a datetime localtime value in the form YYYYmmddHHMMSS.
+
+	#UserDB   default  enclair_key_field   username
+	#UserDB   default  enclair_field       password
+	#UserDB   default  enclair_query_template "INSERT INTO %t (%U,%P) values (%u,%p)"
+
+String substitutions:
+
+	%u  value of username
+	%p  value of password
+	%U  field of username
+	%P  field of password
+	%t  enclair table name
+	%D  datetime value of form YYYYmmddHHMMSS
+	%M  MD5 hashed value of password
+
+=back
+
+=cut
+
+sub set_enclair {
+	my $self = shift;
+	if( my $tab = $self->{OPTIONS}{enclair_db} ) {
+		eval {
+			my $dbh = dbref($tab)->dbh();
+			my $field = $self->{OPTIONS}{enclair_field} || 'password';
+			my $key   = $self->{OPTIONS}{enclair_key_field} || 'username';
+			my $datetime = POSIX::strftime('%Y%m%d%H%M%S', localtime());
+			my $md5 = generate_key($self->{PASSWORD});
+			my $q = $self->{OPTIONS}{enclair_query_template} || "INSERT INTO %t (%U,%P) values (%u,%p)";
+			$q =~ s/\%M/$dbh->quote($md5)/eg;
+			$q =~ s/\%D/$dbh->quote($datetime)/eg;
+			$q =~ s/\%t/$tab/g;
+			$q =~ s/\%U/$key/g;
+			$q =~ s/\%P/$field/g;
+			$q =~ s/\%u/$dbh->quote($self->{USERNAME})/eg;
+			$q =~ s/\%p/$dbh->quote($self->{PASSWORD})/eg;
+			$dbh->do($q);
+		};
+		if($@) {
+			$self->log_either("Failed to set enclair password for $self->{USERNAME}: $@");
+		}
+	}
+}
+
+
 sub login {
 	my $self;
 
@@ -1776,6 +1850,8 @@ sub change_pass {
 		die errmsg("Password and check value don't match.") . "\n"
 			unless $self->{PASSWORD} eq $self->{VERIFY};
 
+		$self->{OPTIONS}{enclair_db} and $self->set_enclair();
+
 		if ( $self->{CRYPT} ) {
 			$self->{PASSWORD} = $self->do_crypt(
 				$self->{PASSWORD},
@@ -1946,6 +2022,8 @@ sub new_account {
 				or die errmsg("Database access error.");
 		}
 
+		$self->{OPTIONS}{enclair_db} and $self->set_enclair();
+
 		my $pass = $udb->set_field(
 						$self->{USERNAME},
 						$self->{LOCATION}{PASSWORD},



More information about the interchange-cvs mailing list