password can be decrypted

Author: tianxiaoliang

server/service/rbac/rbac.go

@@ -48,6 +48,7 @@ var (
 	ErrNoPermChangeAccount  = errors.New("can not change other account password")
 	ErrWrongPassword        = errors.New("current pwd is wrong")
 	ErrSamePassword         = errors.New("the password can not be same as old one")
+	ErrEmptyPassword        = errors.New("empty password")
 )
 
 //Init decide whether enable rbac function and save root account to db
@@ -116,16 +117,16 @@ func readPublicKey() {
 }
 func initFirstTime(admin string) {
 	//handle root account
-	pwd := archaius.GetString(InitPassword, "")
-	if pwd == "" {
+	pwd, err := getPassword()
+	if err != nil {
 		log.Fatal("can not enable rbac, password is empty", nil)
 	}
 	a := &rbacframe.Account{
 		Name:     admin,
 		Password: pwd,
 		Role:     rbacframe.RoleAdmin,
 	}
-	err := service.ValidateCreateAccount(a)
+	err = service.ValidateCreateAccount(a)
 	if err != nil {
 		log.Fatal("invalid pwd", err)
 		return
@@ -140,6 +141,20 @@ func initFirstTime(admin string) {
 	log.Info("root account init success")
 }
 
+func getPassword() (string, error) {
+	p := archaius.GetString(InitPassword, "")
+	if p == "" {
+		log.Fatal("can not enable rbac, password is empty", nil)
+		return "", ErrEmptyPassword
+	}
+	d, err := cipher.Decrypt(p)
+	if err != nil {
+		log.Warn("cipher fallback: " + err.Error())
+		return p, nil
+	}
+	return d, nil
+}
+
 func Enabled() bool {
 	return beego.AppConfig.DefaultBool("rbac_enabled", false)
 }
@@ -154,6 +169,7 @@ func privateKey() string {
 	ep := archaius.GetString("rbac_private_key", "")
 	p, err := cipher.Decrypt(ep)
 	if err != nil {
+		log.Warn("cipher fallback: " + err.Error())
 		return ep
 	}
 	return p