From d8c2ca930673da858d63f2dea9526c259a2dd936 Mon Sep 17 00:00:00 2001
From: Vivien Kraus
Date: Fri, 30 Jul 2021 21:10:21 +0200
Subject: Load the encrypted password from a file

This is more secure, because you can restrict the password file to be only readable by the service user.

---
 src/scm/webid-oidc/program.scm | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)
(limited to 'src/scm/webid-oidc/program.scm')

diff --git a/src/scm/webid-oidc/program.scm b/src/scm/webid-oidc/program.scm
index 4d469f3..2eda34c 100644
--- a/src/scm/webid-oidc/program.scm
+++ b/src/scm/webid-oidc/program.scm
@@ -34,6 +34,7 @@
 #:use-module (ice-9 control)
 #:use-module (ice-9 threads)
 #:use-module (ice-9 futures)
+ #:use-module (ice-9 textual-ports)
 #:use-module (srfi srfi-19)
 #:use-module (rnrs bytevectors)
 #:use-module (web uri)
@@ -235,6 +236,8 @@
 (string->symbol (G_ "command-line|server|issuer|subject")))
 (encrypted-password-sym
 (string->symbol (G_ "command-line|server|issuer|encrypted-password")))
+ (encrypted-password-from-file-sym
+ (string->symbol (G_ "command-line|server|issuer|encrypted-password-from-file")))
 (jwks-uri-sym
 (string->symbol (G_ "command-line|server|issuer|jwks-uri")))
 (authorization-endpoint-uri-sym
@@ -267,6 +270,7 @@
 (,key-file-sym (single-char #\k) (value #t))
 (,subject-sym (single-char #\s) (value #t))
 (,encrypted-password-sym (single-char #\w) (value #t))
+ (,encrypted-password-from-file-sym (single-char #\W) (value #t))
 (,jwks-uri-sym (single-char #\j) (value #t))
 (,authorization-endpoint-uri-sym (single-char #\a) (value #t))
 (,token-endpoint-uri-sym (single-char #\t) (value #t))
@@ -386,6 +390,10 @@ Options for the identity provider:"))
 set the encrypted password to recognize the user.")
 encrypted-password-sym)
 (format #t (G_ "
+ -W ENCRYPTED_PASSWORD_FILE, --~a=ENCRYPTED_PASSWORD_FILE:
+ load the user’s encrypted password from ENCRYPTED_PASSWORD_FILE.")
+ encrypted-password-from-file-sym)
+ (format #t (G_ "
 -j URI, --~a=URI:
 set the URI to query the key of the server.")
 jwks-uri-sym)
@@ -507,7 +515,7 @@ invoked with the following options:"))
 --~a 'https://webid-oidc-demo.planete-kraus.eu' \\
 --~a '/var/lib/webid-oidc/issuer/key.jwk' \\
 --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\
- --~a \"$ENCRYPTED_PASSWORD\" \\
+ --~a '/etc/disfluid/webid-oidc-demo.planete-kraus.eu/password' \\
 --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\
 --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\
 --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\
@@ -515,7 +523,7 @@ invoked with the following options:"))
 (car (command-line))
 (G_ "command-line|command|identity-provider")
 complete-corresponding-source-sym
- server-name-sym key-file-sym subject-sym encrypted-password-sym
+ server-name-sym key-file-sym subject-sym encrypted-password-from-file-sym
 jwks-uri-sym authorization-endpoint-uri-sym token-endpoint-uri-sym port-sym)
 (format #t "\n")
@@ -554,7 +562,7 @@ options for the parts."))
 --~a 'https://data.planete-kraus.eu' \\
 --~a '/var/lib/disfluid/server/key.jwk' \\
 --~a 'https://data.planete-kraus.eu/vivien#me' \\
- --~a '$...alg...$...salt...$...hash...' \\
+ --~a '/etc/disfluid/data.planete-kraus.eu/password' \\
 --~a 'https://data.planete-kraus.eu/keys' \\
 --~a 'https://data.planete-kraus.eu/authorize' \\
 --~a 'https://data.planete-kraus.eu/token' \\
@@ -565,7 +573,7 @@ options for the parts."))
 server-name-sym
 key-file-sym
 subject-sym
- encrypted-password-sym
+ encrypted-password-from-file-sym
 jwks-uri-sym
 authorization-endpoint-uri-sym
 token-endpoint-uri-sym
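Review bot: The new `-W` help text does not say that only the first line of ENCRYPTED_PASSWORD_FILE is used (the option is implemented with a single `get-line` call later in this patch) nor why the file form exists, even though the commit message gives the reason. Suggest `load the user’s encrypted password from the first line of ENCRYPTED_PASSWORD_FILE; make that file readable only by the service user.` Since `-w` stays available, a clause noting that its argument is visible to other local users through the process argument list would make the trade-off between the two options explicit. The surrounding help-printing function starts and ends outside the hunk.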
@@ -650,7 +658,17 @@ Rreleased ~a\n")
 (subject
 (let ((str (option-ref options subject-sym #f)))
 (and str (string->uri str))))
- (encrypted-password (option-ref options encrypted-password-sym #f))
+ (encrypted-password
+ (let ((direct (option-ref options encrypted-password-sym #f))
+ (from-file
+ (let ((filename (option-ref options encrypted-password-from-file-sym #f)))
+ (and filename
+ (call-with-input-file filename get-line)))))
+ (when (and direct from-file (not (equal? direct from-file)))
+ (format (current-error-port)
+ (G_ "You specified two different passwords: one directly, and one from a file. Please set only one password.\n"))
+ (exit 1))
+ (or direct from-file)))
 (jwks-uri
 (let ((str (option-ref options jwks-uri-sym #f)))
 (and str (string->uri str))))
@@ -716,8 +734,8 @@ Rreleased ~a\n")
 subject-sym)
 (exit 1))
 (unless encrypted-password
- (format (current-error-port) (G_ "You must pass --~a to set the subject’s encrypted password.\n")
- encrypted-password-sym)
+ (format (current-error-port) (G_ "You must pass --~a or --~a to set the subject’s encrypted password.\n")
+ encrypted-password-sym encrypted-password-from-file-sym)
 (exit 1))
 (unless jwks-uri
 (format (current-error-port) (G_ "You must pass --~a to set the JWKS URI.\n")
-- 
cgit v1.2.3
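Review bot: `(call-with-input-file filename get-line)` in the new `from-file` binding returns the EOF object on an empty file, and because only `#f` is false in Scheme that value passes the `(unless encrypted-password …)` check in the later hunk and is carried on as the encrypted password; a missing or unreadable file likewise escapes as an uncaught system-error with a backtrace instead of the clean diagnostic the neighbouring option checks print. The line is also not trimmed, so a trailing carriage return or space becomes part of the stored hash and the `(equal? direct from-file)` comparison then reports a mismatch for what is the same value. Suggest mapping EOF to `#f`, trimming the line, and catching the read error with a message that names the file; since the commit's motivation is file permissions, a warning when `(stat:perms (stat filename))` shows group or other read bits would make that expectation explicit (confirm `stat:perms` is available in the Guile version this project targets). The enclosing `let*` starts and ends outside the hunk.
```scheme
(from-file
 (let ((filename (option-ref options encrypted-password-from-file-sym #f)))
   (and filename
        (let ((line (catch 'system-error
                      (lambda () (call-with-input-file filename get-line))
                      (lambda args
                        (format (current-error-port)
                                (G_ "Cannot read the encrypted password from ~a.\n")
                                filename)
                        (exit 1)))))
          ;; An empty file yields the EOF object, which is not #f.
          (and (not (eof-object? line))
               (string-trim-right line))))))
;; … unchanged: direct/from-file mismatch check and (or direct from-file) …
```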