Merge e1754a3cef into 274a0e39d5

CMakeLists.txt

@@ -231,6 +231,9 @@ endif()
 
 if(WIN32)
   list(APPEND base_DEPS ws2_32 dbghelp shlwapi msi)
+else()
+  find_library(CRYPT_LIBRARIES NAMES crypt)
+  list(APPEND base_DEPS ${CRYPT_LIBRARIES})
 endif()
 
 set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_RPATH};${CMAKE_INSTALL_FULL_LIBDIR}/icinga2")

lib/remote/apiuser.cpp

@@ -6,6 +6,11 @@
 #include "base/base64.hpp"
 #include "base/tlsutility.hpp"
 #include "base/utility.hpp"
+#include <mutex>
+
+#ifndef _WIN32
+#	include <unistd.h>
+#endif /* _WIN32 */
 
 using namespace icinga;
 
@@ -45,10 +50,23 @@ ApiUser::Ptr ApiUser::GetByAuthHeader(const String& auth_header)
 	 * 2) given password is empty
 	 * 2) configured password does not match.
 	 */
-	if (!user || password.IsEmpty())
-		return nullptr;
-	else if (user && !Utility::ComparePasswords(password, user->GetPassword()))
+	if (!user) {
 		return nullptr;
+	}
 
-	return user;
+#ifndef _WIN32
+	auto hash (user->GetHashedPassword());
+
+	if (!hash.IsEmpty()) {
+		static std::mutex mtx;
+		std::unique_lock lock (mtx);
+
+		auto hashed (crypt(password.CStr(), hash.CStr()));
+		return hashed == hash ? user : nullptr;
+	}
+#endif /* _WIN32 */
+
+	auto plain (user->GetPassword());
+
+	return !plain.IsEmpty() && Utility::ComparePasswords(password, plain) ? user : nullptr;
 }

lib/remote/apiuser.ti

@@ -11,7 +11,8 @@ namespace icinga
 class ApiUser : ConfigObject
 {
 	/* No show config */
-	[config, no_user_view] String password;
+	[deprecated, config, no_user_view] String password;
+	[no_user_view, no_user_modify] String hashed_password;
 	[deprecated, config, no_user_view] String password_hash;
 	[config] String client_cn (ClientCN);
 	[config] array(Value) permissions;