From 85467c19ce70c7c8c70caee64968a967dca2601e Mon Sep 17 00:00:00 2001
From: simon
Date: Sat, 9 Sep 2017 13:53:22 +0100
Subject: [PATCH] #23, #29: Fix. Removed sensitive information from log file.
---
 resources/public/content/stylesheet.css | 8 +++
 resources/templates/edit-user.html | 7 ++-
 src/smeagol/authenticate.clj | 65 ++++++++++++++-----------
 src/smeagol/layout.clj | 1 -
 src/smeagol/routes/admin.clj | 61 ++++++++++++++---------
 src/smeagol/routes/wiki.clj | 6 +--
 6 files changed, 91 insertions(+), 57 deletions(-)
diff --git a/resources/public/content/stylesheet.css b/resources/public/content/stylesheet.css
index e9accaf..59cc49b 100644
--- a/resources/public/content/stylesheet.css
+++ b/resources/public/content/stylesheet.css
@@ -236,6 +236,14 @@ th { color: white; } +.pseudo-input { + border: inset thin; + background-color: white; + display: inline-block; + min-width: 7.5em; + padding: 0 2em 0 0; +} + .vega-bindings, .vega-actions { font-size: 66%; }
diff --git a/resources/templates/edit-user.html b/resources/templates/edit-user.html
index bb70703..1561ae1 100644
--- a/resources/templates/edit-user.html
+++ b/resources/templates/edit-user.html
@@ -6,7 +6,12 @@ {% csrf-field %}

- + {% ifequal target "" %} + + {% else %} + {{target}} + + {% endifequal %}

diff --git a/src/smeagol/authenticate.clj b/src/smeagol/authenticate.clj
index cfc3045..f4777ff 100644
--- a/src/smeagol/authenticate.clj
+++ b/src/smeagol/authenticate.clj
@@ -74,10 +74,14 @@ (let [user ((keyword username) (get-users))] (:admin user)))) + (defn evaluate-password - "Evaluate whether this proposed password is suitable for use." + "Evaluate whether this proposed password is suitable for use; return `true` is so, a keyword if not." ([pass1 pass2] - (and pass1 (>= (count pass1) 8) (.equals pass1 pass2))) + (cond + (< (count pass1) 8) :chpass-too-short + (.equals pass1 pass2) true + true :chpass-bad-match)) ([password] (evaluate-password password password)))
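Review bot: The new docstring of evaluate-password reads `return `true` is so` and does not say that the failure keywords are truthy, so a caller that tests the result with `and` or `if` (as add-user still does in the next hunk) accepts a rejected password. Suggested docstring: `"Evaluate whether this proposed password is suitable for use; return true if so, or the keyword :chpass-too-short or :chpass-bad-match if not. The keywords are truthy, so callers must test the result with true?."`. It is also worth a short comment that `(count pass1)` is 0 for a nil pass1, so a missing password is reported as too short rather than reaching `.equals` and throwing.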
@@ -129,34 +133,37 @@ (defn add-user - "Add a user to the passwd file with this username, initial password and email address and admin flag." + "Add a user to the passwd file with this `username`, initial password and `email` address and `admin` flag." [username newpass email admin] - (let [users (get-users) - user ((keyword username) users) - password (if - (and newpass (evaluate-password newpass)) - (password/encrypt newpass)) - details {:email email - :admin (if - (and (string? admin) (> (count admin) 0)) - true - false)} - ;; if we have a valid password we want to include it in the details to update. - full-details (if password - (merge details {:password password}) - details)] - (try - (locking password-file-path - (spit password-file-path - (merge users - {(keyword username) (merge user full-details)})) - (timbre/info (str "Successfully added user " username)) - true) - (catch Exception any - (timbre/error - (format "Adding user %s failed: %s (%s)" - username (.getName (.getClass any)) (.getMessage any))) - false)))) + (timbre/info "Trying to add user " username) + (cond + (not (string? username)) (throw (Exception. "Username must be a string.")) + (= (count username) 0) (throw (Exception. "Username cannot be zero length")) + true (let [users (get-users) + user ((keyword username) users) + password (if + (and newpass (evaluate-password newpass)) + (password/encrypt newpass)) + details {:email email + :admin (if + (and (string? admin) (> (count admin) 0)) + true + false)} + ;; if we have a valid password we want to include it in the details to update. 
+ full-details (if password + (assoc details :password password) + details)] + (try + (locking password-file-path + (spit password-file-path + (assoc users (keyword username) (merge user full-details))) + (timbre/info "Successfully added user " username) + true) + (catch Exception any + (timbre/error + (format "Adding user %s failed: %s (%s)" + username (.getName (.getClass any)) (.getMessage any))) + false))))) (defn delete-user
diff --git a/src/smeagol/layout.clj b/src/smeagol/layout.clj
index 5caeb7b..09aabd7 100644
--- a/src/smeagol/layout.clj
+++ b/src/smeagol/layout.clj
@@ -45,7 +45,6 @@ (fn [args context-map] (let [messages (:i18n context-map) default (or (second args) (first args))] - (timbre/info (str "i18n: key is " (first args) " messages map is " messages)) (if (map? messages) (or (messages (keyword (first args))) default) default))))
diff --git a/src/smeagol/routes/admin.clj b/src/smeagol/routes/admin.clj
index 3e7eeca..2ca7d40 100644
--- a/src/smeagol/routes/admin.clj
+++ b/src/smeagol/routes/admin.clj
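Review bot: On the new side of add-user the binding `password (if (and newpass (evaluate-password newpass)) (password/encrypt newpass))` still treats any non-nil result as success, but evaluate-password (previous hunk) now returns the truthy keyword `:chpass-too-short` for a short password, so a password the old code rejected is now encrypted and written to the passwd file. Change the test to `(and newpass (true? (evaluate-password newpass)))`. The new `cond` that throws on a missing or empty username sits outside the `try`, so those exceptions propagate to the caller; edit-user in admin.clj catches them in this commit, but other callers of add-user would need to as well, and that should be stated in the docstring.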
@@ -61,26 +61,41 @@ (defn edit-user "Put an individual user's details on screen for editing." [request] - (let [params (keywordize-keys (:params request)) - target (or (:target params) "") - pass1 (:pass1 params) - password (if (and pass1 (auth/evaluate-password pass1 (:pass2 params))) pass1) - stored (if (:email params) - (auth/add-user target password (:email params) (:admin params))) - message (if stored (str (:save-user-success (util/get-messages request)) " " target ".")) - error (if (and (:email params) (not stored)) - (str (:save-user-fail (util/get-messages request)) " " target ".")) - page (if stored "edit-users.html" "edit-user.html") - details (auth/fetch-user-details target)] - (if message - (timbre/info message)) - (if error - (timbre/warn error)) - (layout/render page - (merge (util/standard-params request) - {:title (str (:edit-title-prefix (util/get-messages request)) " " target) - :message message - :error error - :target target - :details details - :users (auth/list-users)})))) + (let [params (keywordize-keys (:params request))] + (try + (let [target (or (:target params) "") + pass1 (:pass1 params) + pass2 (:pass2 params) + check-pass (auth/evaluate-password pass1 pass2) + password (if (and pass1 (true? check-pass)) pass1) + stored (if + (:email params) + (auth/add-user target password (:email params) (:admin params))) + message (if stored (str (:save-user-success (util/get-messages request)) " " target ".")) + error (if (and (:email params) (not stored)) + (str + (:save-user-fail (util/get-messages request)) + " " target ". " + (if (keyword? 
check-pass) (check-pass (util/get-messages request))))) + page (if stored "edit-users.html" "edit-user.html") + details (auth/fetch-user-details target)] + (if message + (timbre/info message)) + (if error + (timbre/warn error)) + (layout/render page + (merge (util/standard-params request) + {:title (str (:edit-title-prefix (util/get-messages request)) " " target) + :message message + :error error + :target target + :details details + :users (auth/list-users)}))) + (catch Exception any + (timbre/error (.getMessage any)) + (layout/render "edit-user.html" + (merge (util/standard-params request) + {:title (str (:edit-title-prefix (util/get-messages request)) " " (:target params)) + :error (.getMessage any) + :target (:target params) + :details {:email (:email params) :admin (:admin params)}}))))))
diff --git a/src/smeagol/routes/wiki.clj b/src/smeagol/routes/wiki.clj
index d951000..810bd5d 100644
--- a/src/smeagol/routes/wiki.clj
+++ b/src/smeagol/routes/wiki.clj
@@ -233,8 +233,9 @@ pass1 (:pass1 params) pass2 (:pass2 params) user (session/get :user) + check-pass (auth/evaluate-password pass1 pass2) changed? (and - (auth/evaluate-password pass1 pass2) + (true? check-pass) + (auth/change-pass user oldpass pass2))] (layout/render "passwd.html" (merge (util/standard-params request)
@@ -243,8 +244,7 @@ :error (cond (nil? oldpass) nil changed? nil - (< (count pass1) 8) (util/get-message :chpass-too-short request) - (not (= pass1 pass2)) (util/get-message :chpass-bad-match request) + (keyword? check-pass) (util/get-message check-pass request) true (util/get-message :chpass-fail request))}))))
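Review bot: On the new side of edit-user a rejected password is silently dropped: when check-pass is a keyword, `password` is nil but add-user is still called with the email and admin flag, `stored` is true, and the page shows the save-user-success message with no hint that the password was not set, because the keyword message is only appended to `error`, which is nil whenever stored is truthy. Gate the save on the check, e.g. `stored (if (and (:email params) (or (empty? pass1) (true? check-pass))) (auth/add-user target password (:email params) (:admin params)))`, so a bad password takes the error path that already names the problem. In the catch, `(timbre/error (.getMessage any))` discards the stack trace and `:error (.getMessage any)` returns the raw message of whatever exception occurred to the browser; log the throwable with `(timbre/error any (str "Editing user " (:target params) " failed"))` and show the raw message only for the validation exceptions add-user throws on purpose, falling back to `(:save-user-fail (util/get-messages request))` otherwise.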