#!/usr/bin/perl
# BEGIN BPS TAGGED BLOCK {{{
#
# COPYRIGHT:
#
# This software is Copyright (c) 1996-2017 Best Practical Solutions, LLC
#                                          <sales@bestpractical.com>
#
# (Except where explicitly superseded by other copyright notices)
#
#
# LICENSE:
#
# This work is made available to you under the terms of Version 2 of
# the GNU General Public License. A copy of that license should have
# been provided with this software, but in any event can be snarfed
# from www.gnu.org.
#
# This work is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 or visit their web page on the internet at
# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
#
#
# CONTRIBUTION SUBMISSION POLICY:
#
# (The following paragraph is not intended to limit the rights granted
# to you to modify and distribute this software under the terms of
# the GNU General Public License and is only of importance to you if
# you choose to contribute your changes and enhancements to the
# community by submitting them to Best Practical Solutions, LLC.)
#
# By intentionally submitting any modifications, corrections or
# derivatives to this work, or any other work intended for use with
# Request Tracker, to Best Practical Solutions, LLC, you confirm that
# you are the copyright holder for those contributions and you grant
# Best Practical Solutions,  LLC a nonexclusive, worldwide, irrevocable,
# royalty-free, perpetual, license to use, copy, create derivative
# works based on those contributions, and sublicense and distribute
# those contributions and any derivatives thereof.
#
# END BPS TAGGED BLOCK }}}
use 5.10.1;
use strict;
use warnings;

use lib "local/lib";
use lib "lib";

use RT -init;

$| = 1;

use Getopt::Long;
use Digest::SHA;
my $fix;
GetOptions("fix!" => \$fix);

use RT::Users;
my $users = RT::Users->new( $RT::SystemUser );
$users->Limit(
    FIELD => 'Password',
    OPERATOR => 'IS NOT',
    VALUE => 'NULL',
    ENTRYAGGREGATOR => 'AND',
);
$users->Limit(
    FIELD => 'Password',
    OPERATOR => '!=',
    VALUE => '*NO-PASSWORD*',
    ENTRYAGGREGATOR => 'AND',
);
$users->Limit(
    FIELD => 'Password',
    OPERATOR => 'NOT STARTSWITH',
    VALUE => '!',
    ENTRYAGGREGATOR => 'AND',
);
push @{$users->{'restrictions'}{ "main.Password" }}, "AND", {
    field => 'LENGTH(main.Password)',
    op => '<',
    value => '40',
};

# we want to update passwords on disabled users
$users->{'find_disabled_rows'} = 1;

my $count = $users->Count;
if ($count == 0) {
    print "No users with unsalted or weak cryptography found.\n";
    exit 0;
}

if ($fix) {
    print "Upgrading $count users...\n";
    while (my $u = $users->Next) {
        my $stored = $u->__Value("Password");
        my $raw;
        if (length $stored == 32) {
            $raw = pack("H*",$stored);
        } elsif (length $stored == 22) {
            $raw = MIME::Base64::decode_base64($stored);
        } elsif (length $stored == 13) {
            printf "%20s => Old crypt() format, cannot upgrade\n", $u->Name;
        } else {
            printf "%20s => Unknown password format!\n", $u->Name;
        }
        next unless $raw;

        my $salt = pack("C4",map{int rand(256)} 1..4);
        my $sha = Digest::SHA::sha256(
            $salt . $raw
        );
        $u->_Set(
            Field => "Password",
            Value => MIME::Base64::encode_base64(
                $salt . substr($sha,0,26), ""),
        );
    }
    print "Done.\n";
    exit 0;
} else {
    if ($count < 20) {
        print "$count users found with unsalted or weak-cryptography passwords:\n";
        print "      Id | Name\n", "-"x9, "+", "-"x9, "\n";
        while (my $u = $users->Next) {
            printf "%8d | %s\n", $u->Id, $u->Name;
        }
    } else {
        print "$count users found with unsalted or weak-cryptography passwords\n";
    }

    print "\n", "Run again with --fix to upgrade.\n";
    exit 1;
}
