Update to current Perl

lib/WGDev/Command/User.pm

@@ -0,0 +1,130 @@
+package WGDev::Command::User;
+# ABSTRACT: Utilities for manipulating WebGUI Users
+use strict;
+use warnings;
+use 5.008008;
+
+use parent qw(WGDev::Command::Base);
+
+use WGDev::X ();
+
+sub config_options {
+    return qw(
+        findByPassword=s
+        findByDictionary=s
+    );
+}
+
+sub process {
+    my $self = shift;
+    my $wgd  = $self->wgd;
+
+    my $session = $wgd->session();
+
+    if ( my $password = $self->option('findByPassword') ) {
+        return $self->find_by_password($password);
+    }
+
+    if ( my $dictionary = $self->option('findByDictionary') ) {
+        return $self->find_by_dictionary($dictionary);
+    }
+}
+
+sub find_by_password {
+    my $self     = shift;
+    my $password = shift;
+    my $session  = $self->wgd->session();
+
+    require Digest::MD5;
+    require Encode;
+    my $hash = Digest::MD5::md5_base64( Encode::encode_utf8($password) );
+    print "Password:\t$password\n";
+    print "Hashes to:\t$hash\n";
+    my @user_ids = $session->db->buildArray(
+        'select userId from authentication where fieldName = ? and fieldData = ?',
+        [ 'identifier', $hash ] );
+    print "Matching users:\t";
+    print @user_ids ? "\n" : "None\n";
+
+    for my $user_id (@user_ids) {
+        my $user = WebGUI::User->new( $session, $user_id );
+        my $username = $user->username;
+        print " * $user_id ($username)\n";
+    }
+    return;
+}
+
+sub find_by_dictionary {
+    my $self    = shift;
+    my $dict    = shift;
+    my $session = $self->wgd->session();
+
+    my @hashed_passwords
+        = $session->db->buildArray(
+        'select fieldData from authentication where fieldName = ?',
+        ['identifier'] );
+    my %hashed_passwords = map { $_ => 1 } @hashed_passwords;
+    open my $d, '<', $dict
+        or WGDev::X::IO::Read->throw(
+        path    => $dict,
+        message => 'Unable to open dictionary file',
+        );
+    while ( my $word = <$d> ) {
+        chomp $word;
+        my $hash = Digest::MD5::md5_base64( Encode::encode_utf8($word) );
+        if ( $hashed_passwords{$hash} ) {
+            print "\n*** HIT ***\n";
+            $self->find_by_password($word);
+        }
+    }
+    close $d
+        or WGDev::X::IO::Read->throw(
+        path    => $dict,
+        message => 'Unable to open dictionary file',
+        );
+    return;
+}
+
+1;
+
+=head1 SYNOPSIS
+
+    wgd user [--findByPassword <password>] [--findByDictionary <dictionary>]
+
+=head1 DESCRIPTION
+
+Utilities for manipulating WebGUI Users
+
+=head1 OPTIONS
+
+=over 8
+
+=item C<--findByPassword>
+
+Return a list of users that are using the given password (assumes
+WebGUI authentication module).
+
+=item C<--findByDictionary>
+
+Use a dictionary file to do a brute-force search for users using
+any password in the dictionary (assumes WebGUI authentication
+module). For example, Linux distributions typically have a dictionary
+file in C</usr/share/dict/> or C</var/lib/dict/>
+
+=back
+
+=method find_by_password
+
+Hashes the given password and sees if any user IDs in the C<authentication> table
+match. This check will become less efficient once WebGUI implements password salting.
+
+=method find_by_dictionary
+
+Search through the given dictionary file, hashing words one by one and
+checking them against all known hashed passwords.
+
+Does not try to be efficient or clever - for common dictionary files it's
+plenty fast enough.
+
+=cut
+