Commit fc44f96d authored by Côme Chilliet's avatar Côme Chilliet
Browse files

Merge branch '5970-allow-templates-to-easily-take-part-in-the-user-locking-process' into '1.4-dev'

Resolve "Allow plugins to easily take part in the user locking process"

See merge request fusiondirectory/fd!555
parents ddcb07b3 91fb7f10
......@@ -1835,54 +1835,6 @@ function change_password ($dn, $password, $hash = "")
return TRUE;
}
/* Lock or unlock samba account */
function lock_samba_account ($mode, array $attrs)
{
global $config;
if (!isset($attrs['sambaNTPassword'][0])) {
return [];
}
$modify = ['sambaNTPassword' => $attrs['sambaNTPassword'][0]];
if ($config->get_cfg_value("sambaGenLMPassword", "FALSE") == "TRUE") {
$modify['sambaLMPassword'] = $attrs['sambaLMPassword'][0];
} else {
$modify['sambaLMPassword'] = [];
}
foreach ($modify as &$pwd) {
if (is_array($pwd)) {
continue;
}
if ($mode == 'LOCK') {
/* Lock entry */
if (!preg_match('/^\!/', $pwd)) {
$pwd = '!'.$pwd;
}
} else {
/* Unlock entry */
$pwd = preg_replace("/^\!/", "", $pwd);
}
}
unset($pwd);
return $modify;
}
/* Lock or unlock ssh account */
function lock_ssh_account ($mode, array $attrs, &$modify)
{
if (!isset($attrs['sshPublicKey'])) {
return;
}
$modify['sshPublicKey'] = [];
for ($i = 0; $i < $attrs['sshPublicKey']['count']; ++$i) {
if ($mode == 'LOCK') {
$modify['sshPublicKey'][] = preg_replace('/^/', 'disabled-', $attrs['sshPublicKey'][$i]);
} else {
$modify['sshPublicKey'][] = preg_replace('/^disabled-/', '', $attrs['sshPublicKey'][$i]);
}
}
}
/*!
* \brief Get the Change Sequence Number of a certain DN
*
......
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2018-2019 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*/
/*!
* \file interface_UserTabLockingAction.inc
* Source code for the interface userTabLockingAction
*/
/*! \brief This interface is implemented when a user tabs needs to alter the locking LDAP modification for users
*/
interface UserTabLockingAction
{
/*! \brief Fills the $modify array with needed modifications for (un)locking this user
*
* This method is called after loading the object, so $this->attrs should
* contain information identical to the one in the LDAP
*
* \param string $mode LOCK or UNLOCK
* \param array &$modify LDAP modification to execute for (un)locking
* */
public function fillLockingLDAPAttrs (string $mode, array &$modify);
}
......@@ -133,42 +133,37 @@ class passwordMethod
throw new FusionDirectoryException('Invalid mode "'.$mode.'"');
}
/* Get current password hash */
$pwd = '';
$ldap = $config->get_ldap_link();
$ldap->cd($config->current['BASE']);
if (!empty($dn)) {
$ldap->cat($dn);
$attrs = $ldap->fetch();
if (isset($attrs['userPassword'][0])) {
$pwd = $attrs['userPassword'][0];
$dn = $attrs['dn'];
}
}
/* Open the user */
$userObject = objects::open($dn, 'user');
$userMainTab = $userObject->getBaseObject();
/* Check if this entry is already locked. */
if (!preg_match("/^[^\}]*+\}!/", $pwd)) {
if ($mode == 'UNLOCK') {
/* Check if this entry is already (un)locked. */
if ($userMainTab->attributesAccess['userPassword']->isLocked()) {
if ($mode == 'LOCK') {
return TRUE;
}
} elseif ($mode == 'LOCK') {
} elseif ($mode == 'UNLOCK') {
return TRUE;
}
// (Un)lock the samba account
$modify = lock_samba_account($mode, $attrs);
// (Un)lock SSH keys
lock_ssh_account($mode, $attrs, $modify);
/* Fill modification array */
$modify = [];
foreach ($userObject->by_object as $tab) {
if ($tab instanceof userTabLockingAction) {
$tab->fillLockingLDAPAttrs($mode, $modify);
}
}
// Call pre hooks
$userClass = new user($dn);
$errors = $userClass->callHook('PRE'.$mode, [], $ret);
$errors = $userMainTab->callHook('PRE'.$mode, [], $ret);
if (!empty($errors)) {
msg_dialog::displayChecks($errors);
return FALSE;
}
/* Get current password hash */
$pwd = $userMainTab->attributesAccess['userPassword']->computeLdapValue();
// (Un)lock the account by modifying the password hash.
if ($mode == 'LOCK') {
/* Lock entry */
......
......@@ -91,36 +91,47 @@ class userManagement extends management
$entry = $this->listing->getEntry($dn);
// Detect the password method and try to lock/unlock.
$pwd = $entry['userPassword'];
$method = passwordMethod::get_method($pwd, $dn);
$success = TRUE;
if ($method instanceOf passwordMethod) {
if (!$method->is_lockable()) {
$hn = $method->get_hash_name();
if (is_array($hn)) {
$hn = $hn[0];
}
msg_dialog::display(_('Account locking'),
sprintf(_('Password method "%s" does not support locking. Account "%s" has not been locked!'),
$hn, $dn), ERROR_DIALOG);
return;
}
if (($action['subaction'] == 'lock') && !$method->is_locked($dn)) {
$success = $method->lock_account($dn);
} elseif (($action['subaction'] == 'unlock') && $method->is_locked($dn)) {
$success = $method->unlock_account($dn);
static::lockUser($action['subaction'], $entry['userPassword'], $dn);
}
}
/* !\brief Lock/unlock a user
*
* \param string $action 'lock' or 'unlock'
* \param string $pwd userPassword value
* \param string $dn dn of the LDAP node
*/
static function lockUser (string $action, string $pwd, string $dn)
{
$method = passwordMethod::get_method($pwd, $dn);
if ($method instanceOf passwordMethod) {
if (!$method->is_lockable()) {
$hn = $method->get_hash_name();
if (is_array($hn)) {
$hn = $hn[0];
}
msg_dialog::display(_('Account locking'),
sprintf(_('Password method "%s" does not support locking. Account "%s" has not been locked!'),
$hn, $dn), ERROR_DIALOG);
return;
}
$success = TRUE;
if (($action == 'lock') && !$method->is_locked($dn)) {
$success = $method->lock_account($dn);
} elseif (($action == 'unlock') && $method->is_locked($dn)) {
$success = $method->unlock_account($dn);
}
// Check if everything went fine.
if (!$success) {
$hn = $method->get_hash_name();
if (is_array($hn)) {
$hn = $hn[0];
}
msg_dialog::display(_('Account locking'),
sprintf(_('Locking failed using password method "%s". Account "%s" has not been locked!'),
$hn, $dn), ERROR_DIALOG);
// Check if everything went fine.
if (!$success) {
$hn = $method->get_hash_name();
if (is_array($hn)) {
$hn = $hn[0];
}
msg_dialog::display(_('Account locking'),
sprintf(_('Locking failed using password method "%s". Account "%s" has not been locked!'),
$hn, $dn), ERROR_DIALOG);
}
}
}
......
  • SonarQube analysis indicates that quality gate is failed.

    • Security Rating on New Code is passed: Actual value 1
    • Reliability Rating on New Code is failed: Actual value 3 > 1
    • Maintainability Rating on New Code is passed: Actual value 1
    • Duplicated Lines on New Code (%) is passed: Actual value 4.660957461743648

    SonarQube analysis reported no issues.

Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment