From aef7cda678d8c804d42ee9e1f622058e7b3fb6aa Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sun, 16 Jul 2023 23:14:21 +0100
Subject: [PATCH] feat:a dd field to make the password as secure
---
 src/methods/account_new.rs | 2 ++
 src/methods/account_update.rs | 16 +++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/methods/account_new.rs b/src/methods/account_new.rs
index 0a424cd..31dca32 100644
--- a/src/methods/account_new.rs
+++ b/src/methods/account_new.rs
@@ -296,6 +296,8 @@ async fn account_verification_new_account(ldap: &mut LdapConn, user_details: &Ac
 // need to get this from wolves
 //("skID", HashSet::from(["12345678"])),
 ("skCreated", HashSet::from([sk_created.as_str()])),
+ // 1 = secure, automatic since its a new account
+ ("skSecure", HashSet::from(["1"])),
 ],
 )?
 .success()?;
diff --git a/src/methods/account_update.rs b/src/methods/account_update.rs
index 1474f64..cb092ca 100644
--- a/src/methods/account_update.rs
+++ b/src/methods/account_update.rs
@@ -32,6 +32,7 @@ pub async fn post_update_ldap(mut req: Request) -> tide::Result {
 // always assume insecure
 let mut pw_keep_same = false;
+ let mut pw_secure = false;
 // get the users current password hash
 let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword"])?.success()?;
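Review bot: The `skSecure` value `"1"` added in src/methods/account_new.rs is a bare string literal whose meaning is given only by the comment beside it, and the same literal is repeated in src/methods/account_update.rs (the `== "1"` comparison and the `String::from("1")` write). A shared constant such as `const SK_SECURE_TRUE: &str = "1";`, with a doc comment stating which condition makes a stored password count as secure, would keep the code that writes this flag and the code that reads it in agreement. The attribute list this line belongs to starts outside the hunk, so whether the entry's object classes allow `skSecure` cannot be confirmed from here.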
@@ -39,13 +40,26 @@ pub async fn post_update_ldap(mut req: Request) -> tide::Result {
 let tmp = SearchEntry::construct(rs[0].clone());
 if !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SSHA512}") {
 pw_keep_same = true;
+ pw_secure = true;
+ }
+ if !tmp.attrs["skSecure"].is_empty() && tmp.attrs["skSecure"][0] == "1" {
+ pw_secure = true;
 }
 }
 // check if the password field itself is being updated
 let (pass_old, pass_new) = if &field != "userPassword" {
 // if password is not being updated then just update the required field
- let mods = vec![Mod::Replace(field, HashSet::from([value]))];
+ let mut mods = vec![
+ // main value we are updating
+ Mod::Replace(field, HashSet::from([value])),
+ ];
+
+ // if teh password is changing then its inherentrly secure, same if its currently an empty field
+ if !pw_keep_same || !pw_secure {
+ mods.push(Mod::Replace(String::from("skSecure"), HashSet::from([String::from("1")])));
+ }
+
 ldap.modify(&dn, mods)?.success()?;
 // pass back the "old" and "new" passwords
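Review bot: The new `tmp.attrs["skSecure"]` lookup reads an attribute that the search in the previous hunk never requests (`vec!["userPassword"]`), so, assuming `SearchEntry::attrs` is the usual `HashMap`, the key is absent and the index panics inside the request handler on every update. Request the attribute, `vec!["userPassword", "skSecure"]`, and read it without indexing so entries created before this attribute existed are handled: `if tmp.attrs.get("skSecure").and_then(|v| v.first()).map_or(false, |v| v == "1") { pw_secure = true; }`. Separately, `!pw_keep_same || !pw_secure` sits in the branch where `field != "userPassword"`, and since the hunk sets `pw_secure` wherever it sets `pw_keep_same`, the test reduces to `!pw_keep_same`: `skSecure` is written as `"1"` exactly when the stored hash is not `{SSHA512}` and this branch supplies no new password, which does not match the comment above it. The rest of `post_update_ldap` lies outside the hunk, so whether a rehash follows before the flag is relied on should be confirmed there.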