#!@perlbin@

#

# Licensed to the Apache Software Foundation (ASF) under one or more

# contributor license agreements.  See the NOTICE file distributed with

# this work for additional information regarding copyright ownership.

# The ASF licenses this file to You under the Apache License, Version 2.0

# (the "License"); you may not use this file except in compliance with

# the License.  You may obtain a copy of the License at

#

#     http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

#for more functionality see the HTTPD::UserAdmin module:

# http://www.perl.com/CPAN/modules/by-module/HTTPD/HTTPD-Tools-x.xx.tar.gz

#

# usage: dbmmanage <DBMfile> <command> <user> <password> <groups> <comment>

package dbmmanage;

#                               -ldb    -lndbm    -lgdbm    -lsdbm

BEGIN { @AnyDBM_File::ISA = qw(DB_File NDBM_File GDBM_File SDBM_File) }

use strict;

use Fcntl;

use AnyDBM_File ();

sub usage {

    my $cmds = join "|", sort keys %dbmc::;

    die <

Usage: dbmmanage [enc] dbname command [username [pw [group[,group] [comment]]]]

    where enc is  -d for crypt encryption (default except on Win32, Netware)

                  -m for MD5 encryption (default on Win32, Netware)

                  -s for SHA1 encryption

                  -p for plaintext

    command is one of: $cmds

    pw of . for update command retains the old password

    pw of - (or blank) for update command prompts for the password

    groups or comment of . (or blank) for update command retains old values

    groups or comment of - for update command clears the existing value

    groups or comment of - for add and adduser commands is the empty value

SYNTAX

}

sub need_sha1_crypt {

    if (!eval ('require "Digest/SHA1.pm";')) {

        print STDERR <

dbmmanage SHA1 passwords require the interface or the module Digest::SHA1

available from CPAN:

    http://www.cpan.org/modules/by-module/Digest/Digest-MD5-2.12.tar.gz

Please install Digest::SHA1 and try again, or use a different crypt option:

SHAERR

        usage();

    }

}

sub need_md5_crypt {

    if (!eval ('require "Crypt/PasswdMD5.pm";')) {

        print STDERR <

dbmmanage MD5 passwords require the module Crypt::PasswdMD5 available from CPAN

    http://www.cpan.org/modules/by-module/Crypt/Crypt-PasswdMD5-1.1.tar.gz

Please install Crypt::PasswdMD5 and try again, or use a different crypt option:

MD5ERR

        usage();

    }

}

# if your osname is in $newstyle_salt, then use new style salt (starts with '_' and contains

# four bytes of iteration count and four bytes of salt).  Otherwise, just use

# the traditional two-byte salt.

# see the man page on your system to decide if you have a newer crypt() lib.

# I believe that 4.4BSD derived systems do (at least BSD/OS 2.0 does).

# The new style crypt() allows up to 20 characters of the password to be

# significant rather than only 8.

#

my $newstyle_salt_platforms = join '|', qw{bsdos}; #others?

my $newstyle_salt = $^O =~ /(?:$newstyle_salt_platforms)/;

# Some platforms just can't crypt() for Apache

#

my $crypt_not_supported_platforms = join '|', qw{MSWin32 NetWare}; #others?

my $crypt_not_supported = $^O =~ /(?:$crypt_not_supported_platforms)/;

my $crypt_method = "crypt";

if ($crypt_not_supported) {

    $crypt_method = "md5";

}

# Some platforms won't jump through our favorite hoops

#

my $not_unix_platforms = join '|', qw{MSWin32 NetWare}; #others?

my $not_unix = $^O =~ /(?:$not_unix_platforms)/;

if ($crypt_not_supported) {

    $crypt_method = "md5";

}

if (@ARGV[0] eq "-d") {

    shift @ARGV;

    if ($crypt_not_supported) {

        print STDERR

              "Warning: Apache/$^O does not support crypt()ed passwords!\n\n";

    }

    $crypt_method = "crypt";

}

if (@ARGV[0] eq "-m") {

    shift @ARGV;

    $crypt_method = "md5";

}

if (@ARGV[0] eq "-p") {

    shift @ARGV;

    if (!$crypt_not_supported) {

        print STDERR

              "Warning: Apache/$^O does not support plaintext passwords!\n\n";

    }

    $crypt_method = "plain";

}

if (@ARGV[0] eq "-s") {

    shift @ARGV;

    need_sha1_crypt();

    $crypt_method = "sha1";

}

if ($crypt_method eq "md5") {

    need_md5_crypt();

}

my($file,$command,$key,$crypted_pwd,$groups,$comment) = @ARGV;

usage() unless $file and $command and defined &{$dbmc::{$command}};

# remove extension if any

my $chop = join '|', qw{db.? pag dir};

$file =~ s/\.($chop)$//;

my $is_update = $command eq "update";

my %DB = ();

my @range = ();

my($mode, $flags) = $command =~

    /^(?:view|check)$/ ? (0644, O_RDONLY) : (0644, O_RDWR|O_CREAT);

tie (%DB, "AnyDBM_File", $file, $flags, $mode) || die "Can't tie $file: $!";

dbmc->$command();

untie %DB;

my $x;

sub genseed {

    my $psf;

    if ($not_unix) {

        srand (time ^ $$ or time ^ ($$ + ($$ << 15)));

    }

    else {

        for (qw(-xlwwa -le)) {

            `ps $_ 2>/dev/null`;

            $psf = $_, last unless $?;

        }

        srand (time ^ $$ ^ unpack("%L*", `ps $psf | gzip -f`));

    }

    @range = (qw(. /), '0'..'9','a'..'z','A'..'Z');

    $x = int scalar @range;

}

sub randchar {

    join '', map $range[rand $x], 1..shift||1;

}

sub saltpw_crypt {

    genseed() unless @range;

    return $newstyle_salt ?

        join '', "_", randchar, "a..", randchar(4) :

        randchar(2);

}

sub cryptpw_crypt {

    my ($pw, $salt) = @_;

    $salt = saltpw_crypt unless $salt;

    crypt $pw, $salt;

}

sub saltpw_md5 {

    genseed() unless @range;

    randchar(8);

}

sub cryptpw_md5 {

    my($pw, $salt) = @_;

    $salt = saltpw_md5 unless $salt;

    Crypt::PasswdMD5::apache_md5_crypt($pw, $salt);

}

sub cryptpw_sha1 {

    my($pw, $salt) = @_;

    '{SHA}' . Digest::SHA1::sha1_base64($pw) . "=";

}

sub cryptpw {

    if ($crypt_method eq "md5") {

        return cryptpw_md5(@_);

    } elsif ($crypt_method eq "sha1") {

        return cryptpw_sha1(@_);

    } elsif ($crypt_method eq "crypt") {

        return cryptpw_crypt(@_);

    }

    @_[0]; # otherwise return plaintext

}

sub getpass {

    my $prompt = shift || "Enter password:";

    unless($not_unix) {

        open STDIN, "/dev/tty" or warn "couldn't open /dev/tty $!\n";

        system "stty -echo;";

    }

    my($c,$pwd);

    print STDERR $prompt;

    while (($c = getc(STDIN)) ne '' and $c ne "\n" and $c ne "\r") {

        $pwd .= $c;

    }

    system "stty echo" unless $not_unix;

    print STDERR "\n";

    die "Can't use empty password!\n" unless length $pwd;

    return $pwd;

}

sub dbmc::update {

    die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key};

    $crypted_pwd = (split /:/, $DB{$key}, 3)[0] if $crypted_pwd eq '.';

    $groups = (split /:/, $DB{$key}, 3)[1] if !$groups || $groups eq '.';

    $comment = (split /:/, $DB{$key}, 3)[2] if !$comment || $comment eq '.';

    if (!$crypted_pwd || $crypted_pwd eq '-') {

        dbmc->adduser;

    }

    else {

        dbmc->add;

    }

}

sub dbmc::add {

    die "Can't use empty password!\n" unless $crypted_pwd;

    unless($is_update) {

        die "Sorry, user `$key' already exists!\n" if $DB{$key};

    }

    $groups = '' if $groups eq '-';

    $comment = '' if $comment eq '-';

    $groups .= ":" . $comment if $comment;

    $crypted_pwd .= ":" . $groups if $groups;

    $DB{$key} = $crypted_pwd;

    my $action = $is_update ? "updated" : "added";

    print "User $key $action with password encrypted to $DB{$key} using $crypt_method\n";

}

sub dbmc::adduser {

    my $value = getpass "New password:";

    die "They don't match, sorry.\n" unless getpass("Re-type new password:") eq $value;

    $crypted_pwd = cryptpw $value;

    dbmc->add;

}

sub dbmc::delete {

    die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key};

    delete $DB{$key}, print "`$key' deleted\n";

}

sub dbmc::view {

    print $key ? "$key:$DB{$key}\n" : map { "$_:$DB{$_}\n" if $DB{$_} } keys %DB;

}

sub dbmc::check {

    die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key};

    my $chkpass = (split /:/, $DB{$key}, 3)[0];

    my $testpass = getpass();

    if (substr($chkpass, 0, 6) eq '$apr1$') {

        need_md5_crypt;

        $crypt_method = "md5";

    } elsif (substr($chkpass, 0, 5) eq '{SHA}') {

        need_sha1_crypt;

        $crypt_method = "sha1";

    } elsif (length($chkpass) == 13 && $chkpass ne $testpass) {

        $crypt_method = "crypt";

    } else {

        $crypt_method = "plain";

    }

    print $crypt_method . (cryptpw($testpass, $chkpass) eq $chkpass

                           ? " password ok\n" : " password mismatch\n");

}

sub dbmc::import {

    while(defined($_ = <STDIN>) and chomp) {

        ($key,$crypted_pwd,$groups,$comment) = split /:/, $_, 4;

        dbmc->add;

    }

}