[elbe-devel] [PATCH v3 6/7] preprocess: migrate root and user passwords
Holger Dengler
holger at hdengler.de
Thu Jun 30 08:00:06 CEST 2022
Support legacy XMLs by adding a preprocessing for plain-text passwords
for root and users. The plain-text password elements or attributes will
be replaced with their hashed variants.
XMLs with only hashed passwords will not be changed by the
preprocessing.
Signed-off-by: Holger Dengler <holger at hdengler.de>
---
elbepack/xmlpreprocess.py | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/elbepack/xmlpreprocess.py b/elbepack/xmlpreprocess.py
index f3c2f2a7f..0daa7b497 100644
--- a/elbepack/xmlpreprocess.py
+++ b/elbepack/xmlpreprocess.py
@@ -14,6 +14,7 @@ from optparse import OptionGroup
from itertools import islice
from urllib.error import HTTPError,URLError
from urllib.request import urlopen
+from passlib.hash import sha512_crypt
from lxml import etree
from lxml.etree import XMLParser, parse, Element
@@ -251,6 +252,23 @@ def preprocess_mirrors(xml):
option.text = opt
options.append(option)
+
+def preprocess_passwd(xml):
+ """Preprocess plain-text passwords. Plain-text passwords for root and
+ adduser will be replaced with their hashed values.
+ """
+
+ # migrate root password
+ for passwd in xml.iterfind(".//target/passwd"):
+ passwd.tag = "passwd_hashed"
+ passwd.text = '%s' % sha512_crypt.hash(passwd.text)
+
+ # migrate user passwords
+ for adduser in xml.iterfind(".//target/finetuning/adduser[@passwd]"):
+ passwd = adduser.attrib['passwd']
+ adduser.attrib['passwd_hashed'] = sha512_crypt.hash(passwd)
+ del adduser.attrib['passwd']
+
def xmlpreprocess(fname, output, variants=None, proxy=None):
# pylint: disable=too-many-locals
@@ -334,6 +352,8 @@ def xmlpreprocess(fname, output, variants=None, proxy=None):
preprocess_mirrors(xml)
+ preprocess_passwd(xml)
+
if schema.validate(xml):
# if validation succedes write xml file
xml.write(
--
2.36.1
More information about the elbe-devel
mailing list