From da7c39263cd9fb2104501bac5b545b28c25d9df4 Mon Sep 17 00:00:00 2001
From: Daniel Trnka
Date: Sat, 2 Sep 2017 17:36:22 +0200
Subject: [PATCH] Configurable default password scheme used for passwords
---
 .env.dist | 4 ++++
 admin/mailu/__init__.py | 3 ++-
 admin/mailu/admin/models.py | 4 ++--
 admin/manage.py | 6 +++---
 4 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/.env.dist b/.env.dist
index 1a1f3b67..add937bd 100644
--- a/.env.dist
+++ b/.env.dist
@@ -32,6 +32,10 @@ POSTMASTER=admin
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
+# Default password scheme used for newly created accounts and changed passwords
+# (value: SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT)
+PASSWORD_SCHEME=SHA512-CRYPT
+
 ###################################
 # Optional features
 ###################################
diff --git a/admin/mailu/__init__.py b/admin/mailu/__init__.py
index 9e33e065..ff98ece0 100644
--- a/admin/mailu/__init__.py
+++ b/admin/mailu/__init__.py
@@ -30,7 +30,8 @@ default_config = {
 'BABEL_DEFAULT_LOCALE': 'en',
 'BABEL_DEFAULT_TIMEZONE': 'UTC',
 'ENABLE_CERTBOT': False,
- 'CERTS_PATH': '/certs'
+ 'CERTS_PATH': '/certs',
+ 'PASSWORD_SCHEME': 'SHA512-CRYPT'
 }
 # Load configuration from the environment if available
diff --git a/admin/mailu/admin/models.py b/admin/mailu/admin/models.py
index e8085d98..54405745 100644
--- a/admin/mailu/admin/models.py
+++ b/admin/mailu/admin/models.py
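Review bot: The new comment in .env.dist lists MD5-CRYPT and CRYPT as equal choices next to the SHA-crypt variants, with nothing telling an operator that they are legacy formats. The models.py hunk of this patch maps CRYPT to `des_crypt`, which only uses the first eight characters of a password. Since this setting now decides the scheme for every newly created or changed password, I would reword the line to something like `# (value: SHA512-CRYPT or SHA256-CRYPT; MD5-CRYPT and CRYPT are weak legacy schemes kept for compatibility only)`.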
@@ -169,14 +169,14 @@ class User(Base, Email):
 'CRYPT': "des_crypt"}
 pw_context = context.CryptContext(
 schemes = scheme_dict.values(),
- default='sha512_crypt',
+ default=scheme_dict[app.config['PASSWORD_SCHEME']],
 )
 def check_password(self, password):
 reference = re.match('({[^}]+})?(.*)', self.password).group(2)
 return User.pw_context.verify(password, reference)
- def set_password(self, password, hash_scheme='SHA512-CRYPT', raw=False):
+ def set_password(self, password, hash_scheme=app.config['PASSWORD_SCHEME'], raw=False):
 """Set password for user with specified encryption scheme @password: plain text password to encrypt (if raw == True the hash itself) """
diff --git a/admin/manage.py b/admin/manage.py
index dfe3012f..2ac18e5d 100644
--- a/admin/manage.py
+++ b/admin/manage.py
@@ -1,4 +1,4 @@
-from mailu import manager, db
+from mailu import app, manager, db
 from mailu.admin import models
@@ -35,7 +35,7 @@ def admin(localpart, domain_name, password):
 @manager.command
-def user(localpart, domain_name, password, hash_scheme='SHA512-CRYPT'):
+def user(localpart, domain_name, password, hash_scheme=app.config['PASSWORD_SCHEME']):
 """ Create a user """
 domain = models.Domain.query.get(domain_name)
@@ -52,7 +52,7 @@ def user(localpart, domain_name, password, hash_scheme='SHA512-CRYPT'):
 db.session.commit()
 @manager.command
-def user_import(localpart, domain_name, password_hash, hash_scheme='SHA512-CRYPT'):
+def user_import(localpart, domain_name, password_hash, hash_scheme=app.config['PASSWORD_SCHEME']):
 """ Import a user along with password hash. Available hashes: 'SHA512-CRYPT' 'SHA256-CRYPT'
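Review bot: `default=scheme_dict[app.config['PASSWORD_SCHEME']]` is evaluated in the class body with no validation, so an environment value that is not a key of `scheme_dict` aborts the import of models.py with a bare KeyError, while `CRYPT` (mapped to `des_crypt` just above) is silently accepted as the default for all new hashes. I would check the setting once, e.g. `if app.config['PASSWORD_SCHEME'] not in scheme_dict: raise ValueError(...)` with the accepted names in the message, and log a warning when a legacy scheme is chosen. Separately, `hash_scheme=app.config['PASSWORD_SCHEME']` on `set_password` is bound once when the function is defined; `hash_scheme=None` resolved inside the body would follow the live configuration, and the same applies to `user` and `user_import` in manage.py. The `User` class and the body of `set_password` extend beyond this hunk, so how `hash_scheme` is consumed there is not visible here.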
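Review bot: In `user_import` the `hash_scheme` argument describes the format of the hash being imported (the docstring lists the available hashes), so its default should not follow PASSWORD_SCHEME the way the default for newly hashed passwords does. Once a site changes the setting, any import that omits the argument will presumably label the supplied hash with a scheme it was not produced with. I would leave this one as `hash_scheme='SHA512-CRYPT'`, or make the argument mandatory so the operator has to state the format. The function body lies outside the hunk, so how a mismatched label is stored and later verified should be confirmed there.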