[elbe-devel] [PATCH v3 6/7] preprocess: migrate root and user passwords

Holger Dengler holger at hdengler.de
Thu Jun 30 22:04:55 CEST 2022


On 30.06.22 10:22, Bastian Germann wrote:
> On 30.06.22 at 08:00, Holger Dengler wrote:
>> Support legacy XMLs by adding a preprocessing for plain-text passwords
>> for root and users. The plain-text password elements or attributes will
>> be replaced with their hashed variants.
>>
>> XMLs with only hashed passwords will not be changed by the
>> preprocessing.
>>
>> Signed-off-by: Holger Dengler <holger at hdengler.de>
> 
> Reviewed-by: Bastian Germann <bage at linutronix.de>

Thanks a lot! PR has been sent.

I hope I can send you the documentation patch this weekend...

> 
>> ---
>>   elbepack/xmlpreprocess.py | 20 ++++++++++++++++++++
>>   1 file changed, 20 insertions(+)
>>
>> diff --git a/elbepack/xmlpreprocess.py b/elbepack/xmlpreprocess.py
>> index f3c2f2a7f..0daa7b497 100644
>> --- a/elbepack/xmlpreprocess.py
>> +++ b/elbepack/xmlpreprocess.py
>> @@ -14,6 +14,7 @@ from optparse import OptionGroup
>>   from itertools import islice
>>   from urllib.error import HTTPError,URLError
>>   from urllib.request import urlopen
>> +from passlib.hash import sha512_crypt
>>     from lxml import etree
>>   from lxml.etree import XMLParser, parse, Element
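
Review bot: The module-level "from passlib.hash import sha512_crypt" makes passlib a hard requirement for importing xmlpreprocess.py at all, yet the diffstat shows only this one file changed. Unless another patch in the series declares the dependency, add it to the packaging metadata, or move the import into preprocess_passwd() so that XMLs which already use hashed passwords can be preprocessed without passlib installed.
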
>> @@ -251,6 +252,23 @@ def preprocess_mirrors(xml):
>>               option.text = opt
>>               options.append(option)
>>   +
>> +def preprocess_passwd(xml):
>> +    """Preprocess plain-text passwords. Plain-text passwords for root and
>> +       adduser will be replaced with their hashed values.
>> +    """
>> +
>> +    # migrate root password
>> +    for passwd in xml.iterfind(".//target/passwd"):
>> +        passwd.tag = "passwd_hashed"
>> +        passwd.text = '%s' % sha512_crypt.hash(passwd.text)
>> +
>> +    # migrate user passwords
>> +    for adduser in xml.iterfind(".//target/finetuning/adduser[@passwd]"):
>> +        passwd = adduser.attrib['passwd']
>> +        adduser.attrib['passwd_hashed'] = sha512_crypt.hash(passwd)
>> +        del adduser.attrib['passwd']
>> +
>>   def xmlpreprocess(fname, output, variants=None, proxy=None):
>>         # pylint: disable=too-many-locals
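
Review bot: In the root-password loop, passwd.text is None for an empty <passwd/> element and is handed to sha512_crypt.hash() unchecked; because preprocess_passwd() is called before schema.validate(), such input is reachable. Check for missing or empty text and report a clear error before hashing. The '%s' % wrapper is redundant, since the adduser branch assigns the hash() result directly. In the adduser loop, an element that carries both passwd and passwd_hashed has its existing hash silently overwritten; decide which one wins and state it in the docstring.
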
>> @@ -334,6 +352,8 @@ def xmlpreprocess(fname, output, variants=None, proxy=None):
>>             preprocess_mirrors(xml)
>>   +        preprocess_passwd(xml)
>> +
>>           if schema.validate(xml):
>>               # if validation succedes write xml file
>>               xml.write(
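
Review bot: The preprocess_passwd(xml) call converts silently, so someone building from a legacy XML never learns that the source file still holds a plain-text password; only the output passed to xml.write() is hashed. Consider emitting a warning when a conversion took place, for instance by having preprocess_passwd() return whether it changed anything. Note also that hash() is called without a fixed salt, so the preprocessed output for the same legacy input differs from run to run.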

-- 
Regards,
Holger Dengler
--
holger at hdengler.de

