'Prepend salt' toggle

2018-09-30 20:36:58 +02:00
parent f0d3d170f3
commit 2ef7716527
5 changed files with 28 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
 ### Added
 - Whirlpool hash algorithm
+- 'Prepend salt' toggle
 ### Fixed
 - Error when 'Display name' not set
 - Encoding of iteration for 'Extended DES (Crypt)'
--- a/README.md
+++ b/README.md
@@ -49,6 +49,7 @@ Name | Description | Details
 --- | --- | ---
 **Allow display name change** | With this option enabled user can change its display name. The display name change is propagated to the database. | Optional.<br/>Default: false.<br/>Requires: user *Display name* column.
 **Allow password change** | Can user change its password. The password change is propagated to the database. See [Hash algorithms](#hash-algorithms). | Optional.<br/>Default: false.
+**Prepend salt** | Prepend a salt to the password instead of appending it. See [User table](#user-table) -> **Salt**. | Optional.<br/>Default: false.
 **Use cache** | Use database query results cache. The cache can be cleared any time with the *Clear cache* button click. | Optional.<br/>Default: false.
 **Hash algorithm** | How users passwords are stored in the database. See [Hash algorithms](#hash-algorithms). | Mandatory.
 **Email sync** | Sync e-mail address with the Nextcloud.<br/>- *None* - Disables this feature. This is the default option.<br/>- *Synchronise only once* - Copy the e-mail address to the Nextcloud preferences if its not set.<br/>- *Nextcloud always wins* - Always copy the e-mail address to the database. This updates the user table.<br/>- *SQL always wins* - Always copy the e-mail address to the Nextcloud preferences. | Optional.<br/>Default: *None*.<br/>Requires: user *Email* column.
--- a/lib/Backend/UserBackend.php
+++ b/lib/Backend/UserBackend.php
@@ -297,9 +297,7 @@ final class UserBackend extends ABackend implements
            return false;
        }

-        if ($user->salt !== null) {
-            $password .= $user->salt;
-        }
+        $password = $this->addSalt($user, $password);

        $isCorrect = $passwordAlgorithm->checkPassword(
            $password, $user->password
@@ -350,6 +348,27 @@ final class UserBackend extends ABackend implements
        return $passwordAlgorithm;
    }

+    /**
+     * Append or prepend salt from external column if available.
+     *
+     * @param User   $user     The user instance.
+     * @param string $password The password.
+     *
+     * @return string Salted password.
+     */
+    private function addSalt(User $user, string $password): string
+    {
+        if ($user->salt !== null) {
+            if (empty($this->properties[Opt::PREPEND_SALT])) {
+                return $password . $user->salt;
+            } else {
+                return $user->salt . $password;
+            }
+        }
+
+        return $password;
+    }
+
    /**
     * @inheritdoc
     */
@@ -457,9 +476,7 @@ final class UserBackend extends ABackend implements
            return false;
        }

-        if ($user->salt !== null) {
-            $password .= $user->salt;
-        }
+        $password = $this->addSalt($user, $password);

        $passwordHash = $passwordAlgorithm->getPasswordHash($password);
        if ($passwordHash === false) {
--- a/lib/Constant/Opt.php
+++ b/lib/Constant/Opt.php
@@ -34,6 +34,7 @@ final class Opt
    const HOME_MODE = "opt.home_mode";
    const NAME_CHANGE = "opt.name_change";
    const PASSWORD_CHANGE = "opt.password_change";
+    const PREPEND_SALT = "opt.prepend_salt";
    const QUOTA_SYNC = "opt.quota_sync";
    const USE_CACHE = "opt.use_cache";
 }
--- a/templates/admin.php
+++ b/templates/admin.php
@@ -109,7 +109,8 @@ function print_select_options(
            <p class="settings-hint"><?php p($l->t("Here are all currently supported options.")); ?></p>
            <fieldset><?php
                print_checkbox_input($l, "opt-name_change", "Allow display name change", $_["opt.name_change"]);
-                print_checkbox_input($l, "opt-password_change", "Allow password change", $_["opt.password_change"]); ?>
+                print_checkbox_input($l, "opt-password_change", "Allow password change", $_["opt.password_change"]);
+                print_checkbox_input($l, "opt-prepend_salt", "Prepend salt", $_["opt.prepend_salt"]); ?>
                <div class="button-right"><?php
                    print_checkbox_input($l, "opt-use_cache", "Use cache", $_["opt.use_cache"], false); ?>
                    <input type="submit" id="user_sql-clear_cache" value="<?php p($l->t("Clear cache")); ?>">