From 3cde9f1078c1ea9d3d05a33347587a35ba58aaf5 Mon Sep 17 00:00:00 2001
From: Julia Luna
Date: Sun, 6 Jun 2021 18:03:24 +0200
Subject: [PATCH 1/5] chore: clean up code
---
 src/main.py | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/src/main.py b/src/main.py
index a563027..47ff126 100644
--- a/src/main.py
+++ b/src/main.py
@@ -1,31 +1,33 @@
 import ldap
-
 from fastapi import FastAPI, HTTPException, Response
 from pydantic import BaseModel
-from ldap import modlist
-from config import LDAP_URI, LDAP_BASE_DN
+from config import LDAP_BASE_DN, LDAP_URI
 app = FastAPI()
+
 class PasswordUpdate(BaseModel):
- bind_pw: str
- userPassword: str
+ bind_pw: str
+ userPassword: str
+
 @app.post("/users/{rdn}/updatePassword", status_code=204, response_class=Response)
-def change_password(rdn: str, updateRequest: PasswordUpdate):
- try:
- ldap_conn = _connect_ldap_simple_bind(LDAP_URI, f"{rdn},{LDAP_BASE_DN}", updateRequest.bind_pw)
- except ldap.INVALID_CREDENTIALS as e:
- raise HTTPException(status_code=401, detail=str(e))
- _update_ldap_userPassword(ldap_conn, f"{rdn},{LDAP_BASE_DN}", updateRequest.userPassword)
+def change_password(rdn: str, update_request: PasswordUpdate):
+ try:
+ ldap_conn = _connect_ldap_simple_bind(LDAP_URI, f"{rdn},{LDAP_BASE_DN}", update_request.bind_pw)
+ except ldap.INVALID_CREDENTIALS as e:
+ raise HTTPException(status_code=401, detail=str(e))
+ _update_ldap_userPassword(ldap_conn, f"{rdn},{LDAP_BASE_DN}", update_request.userPassword)
+
 def _connect_ldap_simple_bind(server_uri: str, bind_dn: str, bind_pw: str):
- ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
- conn = ldap.initialize(server_uri)
- conn.simple_bind_s(bind_dn, bind_pw)
- return conn
+ ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+ conn = ldap.initialize(server_uri)
+ conn.simple_bind_s(bind_dn, bind_pw)
+ return conn
+
 def _update_ldap_userPassword(conn, dn: str, new_pass: str):
- changes = [( ldap.MOD_REPLACE, 'userPassword', bytes(str(new_pass), 'utf-8') )]
- result = conn.modify_ext_s(dn, changes)
+ changes = [( ldap.MOD_REPLACE, 'userPassword', bytes(str(new_pass), 'utf-8') )]
+ result = conn.modify_ext_s(dn, changes)
-- 2.45.2
From 782e0f7b9757b2d8e3fc1978a0f119de0e10f991 Mon Sep 17 00:00:00 2001
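Review bot: `_connect_ldap_simple_bind` still sets `ldap.OPT_X_TLS_REQUIRE_CERT` to `ldap.OPT_X_TLS_NEVER` on the new side, so a TLS LDAP peer is never authenticated and `bind_pw` (and later the new password) is sent to whichever host answers `LDAP_URI`; unless the deployment knowingly relies on plain `ldap://`, this should read `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` with the CA bundle supplied through `ldap.OPT_X_TLS_CACERTFILE` from config, or at least carry a comment stating why verification is off. `ldap.set_option` is also process-global, so calling it on every request inside the helper is misleading; it belongs at module level next to `app = FastAPI()`. The connection handed back to `change_password` is never released — add `ldap_conn.unbind_s()` after the `_update_ldap_userPassword` call (or wrap both calls in `try`/`finally`). Finally, `HTTPException(status_code=401, detail=str(e))` echoes the python-ldap exception text, which includes the server's diagnostic message, to the caller; a fixed detail such as `"invalid credentials"` avoids leaking that.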
From: Julia Luna
Date: Sun, 6 Jun 2021 18:04:15 +0200
Subject: [PATCH 2/5] feat: store bcrypt encoded passwords
---
 requirements.txt | 1 +
 src/main.py | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index fce7224..8b02edc 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -8,3 +8,4 @@ python-ldap==3.3.1
 starlette==0.14.2
 typing-extensions==3.10.0.0
 uvicorn==0.13.4
+bcrypt==3.2.0
\ No newline at end of file
diff --git a/src/main.py b/src/main.py
index 47ff126..308fbec 100644
--- a/src/main.py
+++ b/src/main.py
@@ -1,3 +1,4 @@
+import bcrypt
 import ldap
 from fastapi import FastAPI, HTTPException, Response
 from pydantic import BaseModel
@@ -18,7 +19,8 @@ def change_password(rdn: str, update_request: PasswordUpdate):
 ldap_conn = _connect_ldap_simple_bind(LDAP_URI, f"{rdn},{LDAP_BASE_DN}", update_request.bind_pw)
 except ldap.INVALID_CREDENTIALS as e:
 raise HTTPException(status_code=401, detail=str(e))
- _update_ldap_userPassword(ldap_conn, f"{rdn},{LDAP_BASE_DN}", update_request.userPassword)
+ new_pass = _hash_password(update_request.userPassword)
+ _update_ldap_userPassword(ldap_conn, f"{rdn},{LDAP_BASE_DN}", new_pass)
 def _connect_ldap_simple_bind(server_uri: str, bind_dn: str, bind_pw: str):
@@ -31,3 +33,8 @@ def _connect_ldap_simple_bind(server_uri: str, bind_dn: str, bind_pw: str):
 def _update_ldap_userPassword(conn, dn: str, new_pass: str):
 changes = [( ldap.MOD_REPLACE, 'userPassword', bytes(str(new_pass), 'utf-8') )]
 result = conn.modify_ext_s(dn, changes)
+
+
+def _hash_password(pw: str):
+ hash_b = bcrypt.hashpw(pw.encode(), bcrypt.gensalt())
+ return '{BCRYPT}' + hash_b.decode()
-- 2.45.2
From 1786881376824abd30f945fd6bb18b51558e4876 Mon Sep 17 00:00:00 2001
From: Julia Luna
Date: Sun, 6 Jun 2021 20:07:07 +0200
Subject: [PATCH 3/5] chore: listen on all ips on port 8080
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
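Review bot: `update_request.userPassword` is hashed and written without any validation at the new `new_pass = _hash_password(update_request.userPassword)` line, so an empty string becomes a valid stored credential; reject it before hashing, `if not update_request.userPassword: raise HTTPException(status_code=422, detail="password must not be empty")`, or declare a minimum length on `PasswordUpdate` (outside this hunk) with pydantic's `Field(..., min_length=...)`. Because the hash is now computed client-side, any password-quality checks the directory would apply to a cleartext `userPassword` presumably no longer see the value — worth confirming against the server's policy before relying on it. The `try` block of `change_password` opens above the hunk.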
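Review bot: `bcrypt.hashpw` only uses the first 72 bytes of its input, and with the pinned `bcrypt==3.2.0` longer passwords are truncated rather than rejected (newer releases raise), so two passphrases sharing a 72-byte prefix verify as the same credential; guard it in `_hash_password`, `if len(pw.encode()) > 72: raise ValueError("password longer than 72 bytes")`, and let `change_password` map that to a 4xx. The `'{BCRYPT}'` scheme prefix also assumes the directory is configured with a password module that understands bcrypt hashes — confirm, since a server without one will store the value but never match a bind against it. A docstring stating that the return value is the `{BCRYPT}`-prefixed, ASCII-decoded hash that replaces the entry's `userPassword` would make the contract explicit.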
diff --git a/Dockerfile b/Dockerfile
index 2e31e89..ebe79ee 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,4 +7,4 @@ RUN apk add --no-cache build-base openldap-dev python2-dev python3-dev
 RUN pip install --no-cache-dir -r requirements.txt
 COPY ./src ./src
-CMD ["/usr/local/bin/uvicorn", "src.main:app"]
+CMD ["/usr/local/bin/uvicorn", "--host", "'::'", "--port", "8080", "src.main:app"]
-- 2.45.2
From b36fe5157b636db11fcb0c4e221eb3e745b31a09 Mon Sep 17 00:00:00 2001
From: Julia Luna
Date: Sun, 6 Jun 2021 20:18:57 +0200
Subject: [PATCH 4/5] chore: add required packages
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index ebe79ee..5173528 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@ FROM python:3.9-alpine
 WORKDIR /opt/self-service
 COPY requirements.txt ./
-RUN apk add --no-cache build-base openldap-dev python2-dev python3-dev
+RUN apk add --no-cache build-base openldap-dev python2-dev python3-dev musl-dev gcc libffi-dev
 RUN pip install --no-cache-dir -r requirements.txt
 COPY ./src ./src
-- 2.45.2
From 3bbaa1cc96ac7509e9224ddf3e8670cd953d45aa Mon Sep 17 00:00:00 2001
From: Julia Luna
Date: Sun, 6 Jun 2021 20:23:40 +0200
Subject: [PATCH 5/5] chore: fix dumb command parsing
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 5173528..a8a90ef 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,4 +7,4 @@ RUN apk add --no-cache build-base openldap-dev python2-dev python3-dev musl-dev
 RUN pip install --no-cache-dir -r requirements.txt
 COPY ./src ./src
-CMD ["/usr/local/bin/uvicorn", "--host", "'::'", "--port", "8080", "src.main:app"]
+CMD ["/usr/local/bin/uvicorn", "--host", "::", "--port", "8080", "src.main:app"]
-- 2.45.2
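Review bot: The new `CMD` binds uvicorn to every interface via `--host` but starts it without `--ssl-keyfile`/`--ssl-certfile`, so `bind_pw` and `userPassword` cross the network in cleartext unless a TLS-terminating proxy sits in front of the container; state that assumption in the Dockerfile, `# plain HTTP on 8080: deploy only behind a TLS-terminating reverse proxy`, or pass the certificate paths through. The same applies to the corrected `CMD` in PATCH 5/5.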
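Review bot: The added `musl-dev gcc libffi-dev` (together with the existing `build-base`) remain in the final image, so the runtime container ships a full C toolchain the service never uses; move `apk add` and `pip install` into a builder stage and copy only the installed packages into the runtime image, or at least install them as `apk add --no-cache --virtual .build-deps ...` and `apk del .build-deps` after `pip install`. `python2-dev` on a `python:3.9-alpine` base also looks like a leftover worth confirming.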