Development

docker/routlin-dash/app/pages/clientcredentials/action.py

@@ -1,9 +1,8 @@
-import hashlib
 import sqlite3
 import time
-from pathlib import Path
 
 import bcrypt
+from cryptography.fernet import Fernet
 from flask import Blueprint, request, redirect, flash
 import auth
 import config_utils
@@ -20,19 +19,39 @@ USER_TYPE_CAPTIVE    = 0
 USER_TYPE_SUPPLICANT = 1
 
 HASH_CLEARTEXT = 0
-HASH_NT        = 1
 HASH_BCRYPT    = 2
 
-VALID_USER_TYPES  = {USER_TYPE_CAPTIVE, USER_TYPE_SUPPLICANT}
-VALID_HASH_TYPES  = {HASH_CLEARTEXT, HASH_NT, HASH_BCRYPT}
+VALID_USER_TYPES = {USER_TYPE_CAPTIVE, USER_TYPE_SUPPLICANT}
 
-# Compatible hash types per user type
-COMPATIBLE_HASHES = {
-    USER_TYPE_CAPTIVE:    {HASH_CLEARTEXT, HASH_BCRYPT},
-    USER_TYPE_SUPPLICANT: {HASH_CLEARTEXT, HASH_NT},
+HASH_FOR_USER_TYPE = {
+    USER_TYPE_CAPTIVE:    HASH_BCRYPT,
+    USER_TYPE_SUPPLICANT: HASH_CLEARTEXT,
 }
 
 
+# ===================================================================
+# Encryption helpers (cleartext passwords only)
+# ===================================================================
+
+_credentials_key = settings.get_credentials_key()
+_FERNET = Fernet(_credentials_key) if _credentials_key else None
+
+
+def encrypt_password(plaintext):
+    if _FERNET is None:
+        return plaintext
+    return _FERNET.encrypt(plaintext.encode()).decode()
+
+
+def decrypt_password(stored):
+    if _FERNET is None:
+        return stored
+    try:
+        return _FERNET.decrypt(stored.encode()).decode()
+    except Exception:
+        return stored
+
+
 # ===================================================================
 # DB helpers
 # ===================================================================
@@ -78,12 +97,7 @@ def _get_by_index(conn, row_index):
 
 def _hash_password(plaintext, hash_type):
     if hash_type == HASH_CLEARTEXT:
-        return plaintext
-    if hash_type == HASH_NT:
-        try:
-            return hashlib.new('md4', plaintext.encode('utf-16-le')).hexdigest()
-        except ValueError:
-            raise ValueError("NT-Password requires MD4 support. It may be disabled on this system's OpenSSL build.")
+        return encrypt_password(plaintext)
     if hash_type == HASH_BCRYPT:
         return bcrypt.hashpw(plaintext.encode(), bcrypt.gensalt()).decode()
     raise ValueError(f"Unknown hash_type: {hash_type}")
@@ -144,20 +158,15 @@ def addedit():
 
     try:
         user_type = int(request.form.get('user_type', ''))
-        hash_type = int(request.form.get('hash_type', ''))
     except (ValueError, TypeError):
-        flash('Invalid user type or hash type.', 'error')
+        flash('Invalid user type.', 'error')
         return redirect(f'/{_PAGE}')
 
     if user_type not in VALID_USER_TYPES:
         flash('Invalid user type.', 'error')
         return redirect(f'/{_PAGE}')
-    if hash_type not in VALID_HASH_TYPES:
-        flash('Invalid hash type.', 'error')
-        return redirect(f'/{_PAGE}')
-    if hash_type not in COMPATIBLE_HASHES[user_type]:
-        flash('Selected hash type is not compatible with the selected user type.', 'error')
-        return redirect(f'/{_PAGE}')
+
+    hash_type = HASH_FOR_USER_TYPE[user_type]
 
     vlan = sanitize.name(request.form.get('vlan', ''))
     if not vlan: