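#!/usr/bin/env python
"""
Create and verify OpenLDAP-style ``{SSHA}`` (salted SHA-1) password values.

http://www.openldap.org/faq/data/cache/347.html

As seen working on Ubuntu 12.04 with OpenLDAP 2.4.28-1.1ubuntu4

Author: Roberto Aguilar
"""
import base64
import binascii
import hashlib
import hmac
import os

# An SSHA buffer is base64(sha1(password + salt) + salt); the digest is a
# fixed 20 bytes, and everything after it is the salt (any length).
_SHA1_DIGEST_LEN = 20
_SSHA_TAG = '{SSHA}'


def check_password(tagged_digest_salt, password):
    """Return True iff *password* matches an OpenLDAP ``{SSHA}`` value.

    Args:
        tagged_digest_salt: A ``userPassword`` value of the form
            ``{SSHA}<base64(digest + salt)>``. The scheme tag is matched
            case-insensitively.
        password: The cleartext candidate password.

    Returns:
        True when the recomputed digest equals the stored one. Returns
        False (never raises) for a value that is not ``{SSHA}``-tagged, is
        not valid base64, or is too short to hold a SHA-1 digest, so a
        malformed stored value can never be mistaken for a match.
    """
    tag_len = len(_SSHA_TAG)
    if tagged_digest_salt[:tag_len].upper() != _SSHA_TAG:
        return False
    try:
        # Non-strict decoding, as before: values copied out of ldapsearch
        # output may carry trailing whitespace.
        digest_salt = base64.b64decode(tagged_digest_salt[tag_len:])
    except (binascii.Error, ValueError):
        return False
    if len(digest_salt) < _SHA1_DIGEST_LEN:
        return False
    digest = digest_salt[:_SHA1_DIGEST_LEN]
    salt = digest_salt[_SHA1_DIGEST_LEN:]
    sha = hashlib.sha1(password.encode('utf-8'))
    sha.update(salt)
    # Constant-time comparison so a mismatch position is not observable
    # through timing.
    return hmac.compare_digest(digest, sha.digest())


def make_secret(password, *, salt_len=4):
    """Encode *password* as an OpenLDAP ``{SSHA}`` base64 digest+salt buffer.

    The scheme is SHA-1 over ``password + salt`` with the salt appended to
    the digest, kept for compatibility with OpenLDAP's ``{SSHA}`` storage
    scheme; it is a single fast hash round and therefore offers much less
    brute-force resistance than a dedicated password KDF.

    Args:
        password: The cleartext password.
        salt_len: Number of random salt bytes to draw from ``os.urandom``;
            defaults to 4, matching the original OpenLDAP FAQ recipe.
            ``check_password`` treats everything after the digest as salt,
            so any positive length verifies.

    Returns:
        A string ``{SSHA}<base64>`` suitable for a ``userPassword`` value.

    Raises:
        ValueError: If *salt_len* is less than 1.
    """
    if salt_len < 1:
        raise ValueError('salt_len must be at least 1')
    salt = os.urandom(salt_len)

    # hash the password and append the salt
    sha = hashlib.sha1(password.encode('utf-8'))
    sha.update(salt)

    # create a base64 encoded string of the concatenated digest + salt
    digest_salt_b64 = base64.b64encode(sha.digest() + salt).decode('ascii')

    # now tag the digest above with the {SSHA} tag
    return _SSHA_TAG + digest_salt_b64


if __name__ == '__main__':
    # buffer straight out of OpenLDAP
    ldap_buf = '{SSHA}n8qRdZpyk5Ayb8PGWfFzT8vcNpGR4ebQ'
    password = "riefCutBisnumadNie"

    print('ldap buffer result: {}'.format(check_password(ldap_buf, password)))

    # check that make_secret() above can properly encode
    print('checking make_secret: {}'.format(
        check_password(make_secret(password), password)))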