feat: 平台中创建的用户密码默认使用ssha加密策略 (#208)

Author: eryajf

.pre-commit-config.yaml

@@ -6,7 +6,7 @@ repos:
     - id: trailing-whitespace
     - id: check-added-large-files
 -   repo: https://github.com/golangci/golangci-lint # golangci-lint hook repo
-    rev: v1.47.3 # golangci-lint hook repo revision
+    rev: v1.52.2 # golangci-lint hook repo revision
     hooks:
     - id: golangci-lint
       name: golangci-lint

README.md

@@ -161,7 +161,7 @@
         <a href="https://github.com/ckyoung123421">
             <img src="https://avatars.githubusercontent.com/u/16368382?v=4" width="100;" alt="ckyoung123421"/>
             <br />
-            <sub><b>Null</b></sub>
+            <sub><b>ckyoung123421</b></sub>
         </a>
     </td></tr>
 <tr>

public/tools/ssha.go

@@ -0,0 +1,53 @@
+package tools
+
+import (
+	"bytes"
+	"crypto/sha1"
+	"encoding/base64"
+	"fmt"
+	"math/rand"
+)
+
+// code from https://gist.github.com/newm4n/ce9ac4308ae1beb4250efddad28e3f85
+
+// Encode encodes the []byte of raw password
+func EncodePass(rawPassPhrase []byte) string {
+	hash := makeSSHAHash(rawPassPhrase, makeSalt())
+	b64 := base64.StdEncoding.EncodeToString(hash)
+	return string([]byte(fmt.Sprintf("{SSHA}%s", b64)))
+}
+
+// makeSalt make a 4 byte array containing random bytes.
+func makeSalt() []byte {
+	sbytes := make([]byte, 4)
+	rand.Read(sbytes)
+	return sbytes
+}
+
+// makeSSHAHash make hasing using SHA-1 with salt. This is not the final output though. You need to append {SSHA} string with base64 of this hash.
+func makeSSHAHash(passphrase, salt []byte) []byte {
+	sha := sha1.New()
+	sha.Write(passphrase)
+	sha.Write(salt)
+
+	h := sha.Sum(nil)
+	return append(h, salt...)
+}
+
+// Matches matches the encoded password and the raw password
+func Matches(encodedPassPhrase, rawPassPhrase []byte) bool {
+	//strip the {SSHA}
+	eppS := string(encodedPassPhrase)[6:]
+	hash, err := base64.StdEncoding.DecodeString(eppS)
+	if err != nil {
+		return false
+	}
+	salt := hash[len(hash)-4:]
+
+	sha := sha1.New()
+	sha.Write(rawPassPhrase)
+	sha.Write(salt)
+	sum := sha.Sum(nil)
+
+	return bytes.Equal(sum, hash[:len(hash)-4])
+}

public/tools/util_test.go

@@ -25,3 +25,15 @@ func TestSliceToString(t *testing.T) {
 	a := []uint{1}
 	fmt.Printf("%s\n", SliceToString(a, ","))
 }
+
+func TestEncodePass(t *testing.T) {
+	// to encode a password into ssha
+	hashed := EncodePass([]byte("testpass"))
+	fmt.Println(string(hashed))
+	// to validate a password against saved hash.
+	if Matches([]byte(hashed), []byte("testpass")) {
+		fmt.Println("Its a match.")
+	} else {
+		fmt.Println("its not match")
+	}
+}

service/ildap/user_ildap.go

@@ -29,7 +29,7 @@ func (x UserService) Add(user *model.User) error {
 	add.Attribute("postalAddress", []string{user.PostalAddress})
 	add.Attribute("mobile", []string{user.Mobile})
 	add.Attribute("uid", []string{user.Username})
-	add.Attribute("userPassword", []string{tools.NewParPasswd(user.Password)})
+	add.Attribute("userPassword", []string{tools.EncodePass([]byte(tools.NewParPasswd(user.Password)))})
 
 	// 获取 LDAP 连接
 	conn, err := common.GetLDAPConn()