From bf1d91e110a40f854e4c51a3b560cb4d38831b8c Mon Sep 17 00:00:00 2001 From: Brendan Golden Date: Sun, 30 Jul 2023 21:39:32 +0100 Subject: [PATCH] feat: reduce complexity around skSecure #5 --- src/methods/account_update.rs | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/src/methods/account_update.rs b/src/methods/account_update.rs index 628f5ff..db2b19d 100644 --- a/src/methods/account_update.rs +++ b/src/methods/account_update.rs @@ -38,7 +38,6 @@ pub async fn post_update_ldap(mut req: Request) -> tide::Result { // always assume insecure let mut pw_keep_same = false; - let mut pw_secure = false; // get the users current password hash let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword"])?.success()?; 
@@ -46,44 +45,34 @@ pub async fn post_update_ldap(mut req: Request) -> tide::Result { let tmp = SearchEntry::construct(rs[0].clone()); if !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SSHA512}") { pw_keep_same = true; - pw_secure = true; - } - if tmp.attrs.contains_key("skSecure") && !tmp.attrs["skSecure"].is_empty() && tmp.attrs["skSecure"][0] == "1" { - pw_secure = true; } } // check if the password field itself is being updated let (pass_old, pass_new) = if &field != "userPassword" { // if password is not being updated then just update the required field - let mut mods = vec![ - // main value we are updating + let mods = vec![ + // the value we are updating Mod::Replace(field, HashSet::from([value])), ]; - // if teh password is changing then its inherentrly secure, same if its currently an empty field - if !pw_keep_same || !pw_secure { - mods.push(Mod::Replace(String::from("skSecure"), HashSet::from([String::from("1")]))); - } - ldap.modify(&dn, mods)?.success()?; // pass back the "old" and "new" passwords + // using this means we can create teh vars without them needing to be mutable (pass.clone(), pass.clone()) } else { // password is going to be updated, even if the old value is not starting with "{SSHA512}" - pw_keep_same = false; (pass.clone(), value) }; + // changing teh password because of an explicit request or upgrading teh security. if !pw_keep_same { // really easy to update password once ye know how - let tmp = PasswordModify { // none as we are staying on the same connection user_id: None, - old_pass: Some(&pass_old), new_pass: Some(&pass_new), };
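Review bot: Removing `pw_keep_same = false;` from the `else` branch means an explicit `userPassword` update is skipped whenever the stored hash already starts with `{SSHA512}`. The flag stays `true` from the search result above, so `if !pw_keep_same` never reaches the `PasswordModify` call. A user rotating a password, for instance after a suspected compromise, would keep the old credential, and nothing in this hunk reports an error. Restore the reset in that branch, `pw_keep_same = false;` just before `(pass.clone(), value)`, so the code matches the new comment about "an explicit request or upgrading teh security". The body of `if !pw_keep_same` and the rest of `post_update_ldap` continue outside the hunk, so I can't see whether a later path catches this.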