authorvarac <varacanero@zeromail.org>2015-06-11 14:48:31 +0200
committervarac <varacanero@zeromail.org>2015-06-11 14:48:31 +0200
commitdfc0b76f2c4db0f470010519a9cd47bcb6a974b9 (patch)
treec2ee454b548c63b6f738e9e4df0a33f637f90d52
parent23b557c6fb07929a9b04e5fb75375a85a4734370 (diff)
Use pbkdf2 instead of sha1 as hashing algorithm for newer couchdb versions
couchdb v1.3 changed the default pw hashing algorithm from sha1 to pbkdf2, see http://docs.couchdb.org/en/1.4.x/configuring.html
-rw-r--r--manifests/base.pp35
-rw-r--r--manifests/init.pp3
2 files changed, 20 insertions, 18 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 356fefb..9f87565 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,3 +1,4 @@
+# configure couchdb
class couchdb::base {
if $::couchdb::bigcouch == true {
@@ -66,24 +67,26 @@ class couchdb::base {
require => Package['couchdb'];
}
- if $::couchdb::admin_salt == '' {
- # unhashed, plaintext pw, no salt. For couchdb >= 1.2
- $sha1_and_salt = str2sha1_and_salt($::couchdb::admin_pw)
- $sha1 = $sha1_and_salt[0]
- $salt = $sha1_and_salt[1]
- } else {
- # prehashed pw with salt, for couchdb < 1.2
- # salt and encrypt pw
- # str_and_salt2sha1 is a function from leap's stdlib module
- $salt = $::couchdb::admin_salt
- $pw_and_salt = [ $::couchdb::admin_pw, $salt ]
- $sha1 = str_and_salt2sha1($pw_and_salt)
+ $alg = $::couchdb::pwhash_alg
+ $salt = $::couchdb::admin_salt
+ notice ($salt)
+ case $alg {
+ 'sha1': {
+ # str_and_salt2sha1 is a function from leap's stdlib module
+ $pw_and_salt = [ $::couchdb::admin_pw, $salt ]
+ $sha1 = str_and_salt2sha1($pw_and_salt)
+ $admin_hash = "-hashed-${sha1},${salt}"
+ }
+ 'pbkdf2': {
+ $pbkdf2 = pbkdf2($::couchdb::admin_pw, $::couchdb::admin_salt, 10)
+ $sha1 = $pbkdf2['sha1']
+ $admin_hash = "-pbkdf2-${sha1},${salt},10"
+ }
+ default: { fail ("Unknown fact couchdb_pwhash_alg ${::couchdb_pwhash_alg} - Exiting.") }
}
file { '/etc/couchdb/local.d/admin.ini':
- content => "[admins]
-admin = -hashed-${sha1},${salt}
-",
+ content => "[admins]\nadmin = ${admin_hash}\n",
mode => '0600',
owner => $couchdb_user,
group => $couchdb_user,
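Review bot: When `$::couchdb::admin_salt` is empty, both branches of the new `case` hash the admin password with an empty salt, because the removed `== ''` branch that derived a salt through `str2sha1_and_salt` has no replacement; a guard before the `case`, `if $salt == '' { fail('couchdb::admin_salt must be set') }`, would make that explicit. `notice ($salt)` looks like leftover debugging and writes the admin salt into the Puppet log and reports on every run, so it should be dropped. The `default:` message interpolates `${::couchdb_pwhash_alg}`, a top-scope variable, while the `case` tests `$alg` (the class parameter), so the failure will likely print an empty or unrelated value; `fail("Unknown couchdb::pwhash_alg '${alg}'")` names what was actually checked. The PBKDF2 iteration count `10` is hard-coded in both the `pbkdf2()` call and the `admin_hash` string and is low for a password KDF, so a single class parameter feeding both places would keep them in step and let it be raised. The enclosing class and the `file` resource both continue outside this hunk.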
@@ -103,6 +106,4 @@ admin = -hashed-${sha1},${salt}
'/etc/couchdb/local.ini'],
refreshonly => true
}
-
-
}
diff --git a/manifests/init.pp b/manifests/init.pp
index dbd75f8..066f429 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -4,7 +4,8 @@ class couchdb (
$bigcouch = false,
$bigcouch_cookie = '',
$ednp_port = '9001',
- $chttpd_bind_address = '0.0.0.0' )
+ $chttpd_bind_address = '0.0.0.0',
+ $pwhash_alg = 'sha1' )
{
if $admin_pw == '' {