From 4e0b8dda30d05dd814ee6ce509bd66a2598207ae Mon Sep 17 00:00:00 2001 From: Nicolas Schodet Date: Wed, 27 Mar 2019 23:00:47 +0100 Subject: PrivData: add password generation from salt --- src/Propellor/PrivData.hs | 20 ++++++++++++++++++++ src/Propellor/Types/PrivData.hs | 1 + 2 files changed, 21 insertions(+) diff --git a/src/Propellor/PrivData.hs b/src/Propellor/PrivData.hs index 9b62720f..cb099c87 100644 --- a/src/Propellor/PrivData.hs +++ b/src/Propellor/PrivData.hs @@ -23,6 +23,7 @@ module Propellor.PrivData ( PrivMap, PrivInfo, forceHostContext, + passwordGen, ) where import System.IO @@ -59,6 +60,7 @@ import Utility.FileMode import Utility.Env import Utility.Table import Utility.Directory +import Utility.Process -- | Allows a Property to access the value of a specific PrivDataField, -- for use in a specific Context or HostContext. @@ -293,3 +295,21 @@ forceHostContext :: String -> PrivInfo -> PrivInfo forceHostContext name i = PrivInfo $ S.map go (fromPrivInfo i) where go (f, d, HostContext ctx) = (f, d, HostContext (const $ ctx name)) + +-- | Generate a password by hashing some salt with the context and a seed. +-- +-- Salt is stored in a privdata, seed comes from the user, the service or any +-- fixed string to identify the usage. They are combined together and +-- securely hashed to generate the password. This can be used to generate +-- many specialized password from a single secret. +-- +-- This also means that if the secret privdata is leaked, all the generated +-- passwords are leaked too! +passwordGen :: PrivData -> Context -> String -> IO String +passwordGen (PrivData salt) (Context context) seed = + parseSum <$> writeReadProcessEnv "sha256sum" [] Nothing + (Just writer) Nothing + where + writer h = hPutStr h combined + combined = salt ++ ":" ++ context ++ ":" ++ seed + parseSum = Data.List.head . words diff --git a/src/Propellor/Types/PrivData.hs b/src/Propellor/Types/PrivData.hs index 32b51c4b..b66d6546 100644 --- a/src/Propellor/Types/PrivData.hs 
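Review bot: The string fed to sha256sum, `combined = salt ++ ":" ++ context ++ ":" ++ seed`, is ambiguous whenever a context or seed itself contains ':' — context "a:b" with seed "c" and context "a" with seed "b:c" hash to the same password, so two distinct usages can silently share a credential. Length-prefixing each field (`concatMap (\s -> show (length s) ++ ":" ++ s) [salt, context, seed]`) makes the encoding injective; note too that an unkeyed SHA-256 over secret-prefixed input is not a MAC and is subject to length extension, so an HMAC construction would be the stronger choice if it can be computed without placing the salt on a command line. `writer h = hPutStr h combined` writes in the process's locale encoding, so a non-ASCII salt, context or seed yields a different password on hosts with a different locale; `hSetEncoding h utf8` before the write (System.IO is already imported) pins it. Finally, `parseSum = Data.List.head . words` is partial and dies with an unhelpful error if sha256sum emits nothing — whether writeReadProcessEnv already raises on a non-zero exit is not visible here — so match on `words` explicitly.
```haskell
passwordGen (PrivData salt) (Context context) seed =
	-- … unchanged: writeReadProcessEnv "sha256sum" call …
  where
	-- Pin the encoding so the digest does not depend on the host locale.
	writer h = hSetEncoding h utf8 >> hPutStr h combined
	-- Length-prefix each field so no (context, seed) pair can collide.
	combined = concatMap (\s -> show (length s) ++ ":" ++ s) [salt, context, seed]
	parseSum out = case words out of
		(digest:_) -> digest
		[] -> error "passwordGen: no output from sha256sum"
```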
+++ b/src/Propellor/Types/PrivData.hs @@ -20,6 +20,7 @@ data PrivDataField | PrivFile FilePath | GpgKey | DnsSec DnsSecKey + | PasswordGenSalt deriving (Read, Show, Ord, Eq) -- | Combines a PrivDataField with a description of how to generate -- cgit v1.2.3