feat: reduce complexity around skSecure

#5
This commit is contained in:
silver 2023-07-30 21:39:32 +01:00
parent 11b348326a
commit bf1d91e110


@ -38,7 +38,6 @@ pub async fn post_update_ldap(mut req: Request<State>) -> tide::Result {
// always assume insecure // always assume insecure
let mut pw_keep_same = false; let mut pw_keep_same = false;
let mut pw_secure = false;
// get the users current password hash // get the users current password hash
let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword"])?.success()?; let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword"])?.success()?;
@ -46,44 +45,34 @@ pub async fn post_update_ldap(mut req: Request<State>) -> tide::Result {
let tmp = SearchEntry::construct(rs[0].clone()); let tmp = SearchEntry::construct(rs[0].clone());
if !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SSHA512}") { if !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SSHA512}") {
pw_keep_same = true; pw_keep_same = true;
pw_secure = true;
}
if tmp.attrs.contains_key("skSecure") && !tmp.attrs["skSecure"].is_empty() && tmp.attrs["skSecure"][0] == "1" {
pw_secure = true;
} }
} }
// check if the password field itself is being updated // check if the password field itself is being updated
let (pass_old, pass_new) = if &field != "userPassword" { let (pass_old, pass_new) = if &field != "userPassword" {
// if password is not being updated then just update the required field // if password is not being updated then just update the required field
let mut mods = vec![ let mods = vec![
// main value we are updating // the value we are updating
Mod::Replace(field, HashSet::from([value])), Mod::Replace(field, HashSet::from([value])),
]; ];
// if teh password is changing then its inherentrly secure, same if its currently an empty field
if !pw_keep_same || !pw_secure {
mods.push(Mod::Replace(String::from("skSecure"), HashSet::from([String::from("1")])));
}
ldap.modify(&dn, mods)?.success()?; ldap.modify(&dn, mods)?.success()?;
// pass back the "old" and "new" passwords // pass back the "old" and "new" passwords
// using this means we can create teh vars without them needing to be mutable
(pass.clone(), pass.clone()) (pass.clone(), pass.clone())
} else { } else {
// password is going to be updated, even if the old value is not starting with "{SSHA512}" // password is going to be updated, even if the old value is not starting with "{SSHA512}"
pw_keep_same = false; pw_keep_same = false;
(pass.clone(), value) (pass.clone(), value)
}; };
// changing teh password because of an explicit request or upgrading teh security.
if !pw_keep_same { if !pw_keep_same {
// really easy to update password once ye know how // really easy to update password once ye know how
let tmp = PasswordModify { let tmp = PasswordModify {
// none as we are staying on the same connection // none as we are staying on the same connection
user_id: None, user_id: None,
old_pass: Some(&pass_old), old_pass: Some(&pass_old),
new_pass: Some(&pass_new), new_pass: Some(&pass_new),
}; };