'Prepend salt' toggle

mlojewski-me · mlojewski-me · commit 2ef7716527f1 · 2018-09-30T20:36:58.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
 ### Added
 - Whirlpool hash algorithm
+- 'Prepend salt' toggle
 ### Fixed
 - Error when 'Display name' not set
 - Encoding of iteration for 'Extended DES (Crypt)'
diff --git a/README.md b/README.md
@@ -49,6 +49,7 @@ Name | Description | Details
 --- | --- | ---
 **Allow display name change** | With this option enabled user can change its display name. The display name change is propagated to the database. | Optional.<br/>Default: false.<br/>Requires: user *Display name* column.
 **Allow password change** | Can user change its password. The password change is propagated to the database. See [Hash algorithms](#hash-algorithms). | Optional.<br/>Default: false.
+**Prepend salt** | Prepend a salt to the password instead of appending it. See [User table](#user-table) -> **Salt**. | Optional.<br/>Default: false.
 **Use cache** | Use database query results cache. The cache can be cleared any time with the *Clear cache* button click. | Optional.<br/>Default: false.
 **Hash algorithm** | How users passwords are stored in the database. See [Hash algorithms](#hash-algorithms). | Mandatory.
 **Email sync** | Sync e-mail address with the Nextcloud.<br/>- *None* - Disables this feature. This is the default option.<br/>- *Synchronise only once* - Copy the e-mail address to the Nextcloud preferences if its not set.<br/>- *Nextcloud always wins* - Always copy the e-mail address to the database. This updates the user table.<br/>- *SQL always wins* - Always copy the e-mail address to the Nextcloud preferences. | Optional.<br/>Default: *None*.<br/>Requires: user *Email* column.
diff --git a/lib/Backend/UserBackend.php b/lib/Backend/UserBackend.php
@@ -297,9 +297,7 @@ public function checkPassword(string $uid, string $password)
             return false;
         }
 
-        if ($user->salt !== null) {
-            $password .= $user->salt;
-        }
+        $password = $this->addSalt($user, $password);
 
         $isCorrect = $passwordAlgorithm->checkPassword(
             $password, $user->password
@@ -350,6 +348,27 @@ private function getPasswordAlgorithm()
         return $passwordAlgorithm;
     }
 
+    /**
+     * Append or prepend salt from external column if available.
+     *
+     * @param User   $user     The user instance.
+     * @param string $password The password.
+     *
+     * @return string Salted password.
+     */
+    private function addSalt(User $user, string $password): string
+    {
+        if ($user->salt !== null) {
+            if (empty($this->properties[Opt::PREPEND_SALT])) {
+                return $password . $user->salt;
+            } else {
+                return $user->salt . $password;
+            }
+        }
+
+        return $password;
+    }
+
     /**
      * @inheritdoc
      */
@@ -457,9 +476,7 @@ public function setPassword(string $uid, string $password): bool
             return false;
         }
 
-        if ($user->salt !== null) {
-            $password .= $user->salt;
-        }
+        $password = $this->addSalt($user, $password);
 
         $passwordHash = $passwordAlgorithm->getPasswordHash($password);
         if ($passwordHash === false) {
diff --git a/lib/Constant/Opt.php b/lib/Constant/Opt.php
@@ -34,6 +34,7 @@ final class Opt
     const HOME_MODE = "opt.home_mode";
     const NAME_CHANGE = "opt.name_change";
     const PASSWORD_CHANGE = "opt.password_change";
+    const PREPEND_SALT = "opt.prepend_salt";
     const QUOTA_SYNC = "opt.quota_sync";
     const USE_CACHE = "opt.use_cache";
 }
diff --git a/templates/admin.php b/templates/admin.php
@@ -109,7 +109,8 @@ function print_select_options(
             <p class="settings-hint"><?php p($l->t("Here are all currently supported options.")); ?></p>
             <fieldset><?php
                 print_checkbox_input($l, "opt-name_change", "Allow display name change", $_["opt.name_change"]);
-                print_checkbox_input($l, "opt-password_change", "Allow password change", $_["opt.password_change"]); ?>
+                print_checkbox_input($l, "opt-password_change", "Allow password change", $_["opt.password_change"]);
+                print_checkbox_input($l, "opt-prepend_salt", "Prepend salt", $_["opt.prepend_salt"]); ?>
                 <div class="button-right"><?php
                     print_checkbox_input($l, "opt-use_cache", "Use cache", $_["opt.use_cache"], false); ?>
                     <input type="submit" id="user_sql-clear_cache" value="<?php p($l->t("Clear cache")); ?>">

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ final class Opt`
`34`	`34`	`const HOME_MODE = "opt.home_mode";`
`35`	`35`	`const NAME_CHANGE = "opt.name_change";`
`36`	`36`	`const PASSWORD_CHANGE = "opt.password_change";`
	`37`	`+ const PREPEND_SALT = "opt.prepend_salt";`
`37`	`38`	`const QUOTA_SYNC = "opt.quota_sync";`
`38`	`39`	`const USE_CACHE = "opt.use_cache";`
`39`	`40`	`}`