Commit 0bcf4cf7 authored by Côme Chilliet's avatar Côme Chilliet

Merge branch '5886-support-disabling-specific-password-methods' into '1.4-dev'

Resolve "Support disabling specific password methods"

See merge request fusiondirectory/fd!606
parents 9c4df519 5627399b
......@@ -643,7 +643,7 @@
#### fusiondirectory
- fd#5098 Exception should be reorganized
- fd#5267 Incompatibility between recovery password and user-reminder
- fd#5280 rewrote the pasword recovery with new RDN
- fd#5280 rewrote the password recovery with new RDN
#### fusiondirectory-plugins
- fd-plugins#5070 FAI packageSelect class should use simpleSelectManagement
......@@ -1031,21 +1031,21 @@
### Changed
#### fusiondirectory-plugins
- fd-plugins#4657 community organization membership type
### Removed
#### fusiondirectory
- fd#4621 Use of mcrypt should be removed
- fd#4652 The weird _copy fallback should be removed
#### fusiondirectory-plugins
- fd-plugins#4654 DHCP seems to use inexistant method getCn
### Fixed
#### fusiondirectory
#### fusiondirectory-plugins
- fd-plugins#4657 community organization membership type
### Removed
#### fusiondirectory
- fd#4621 Use of mcrypt should be removed
- fd#4652 The weird _copy fallback should be removed
#### fusiondirectory-plugins
- fd-plugins#4654 DHCP seems to use inexistant method getCn
### Fixed
#### fusiondirectory
- fd#4633 change requirement to php 5.4 for centos
- fd#4634 DNS PTR migration does not work
- fd#4638 UI issue, entry disappear in 'Base' dropdown
......
......@@ -202,6 +202,12 @@ attributetype ( 1.3.6.1.4.1.38414.8.13.8 NAME 'fdForcePasswordDefaultHash'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.38414.8.13.9 NAME 'fdPasswordAllowedHashes'
DESC 'FusionDirectory - Allowed password hashes'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# Core settings
attributetype ( 1.3.6.1.4.1.38414.8.14.2 NAME 'fdListSummary'
......@@ -574,7 +580,7 @@ objectclass ( 1.3.6.1.4.1.38414.8.2.1 NAME 'fusionDirectoryConf'
fdAclRoleRDN $ fdCnPattern $ fdRestrictRoleMembers $ fdSplitPostalAddress $ fdPostalAddressPattern $
fdPasswordDefaultHash $ fdPasswordMinLength $ fdPasswordMinDiffer $
fdHandleExpiredAccounts $ fdSaslRealm $ fdSaslExop $
fdForcePasswordDefaultHash $
fdForcePasswordDefaultHash $ fdPasswordAllowedHashes $
fdListSummary $
fdModificationDetectionAttribute $ fdLogging $ fdLdapSizeLimit $ fdWildcardForeignKeys $
fdLoginAttribute $ fdForceSSL $ fdWarnSSL $ fdStoreFilterSettings $ fdSessionLifeTime $
......
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2003-2010 Cajus Pollmeier
Copyright (C) 2011-2017 FusionDirectory
Copyright (C) 2011-2019 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -20,8 +21,8 @@
*/
/*
* \file class_pasword-methods.inc
* Source code for class password-methods
* \file class_passwordMethod.inc
* Source code for class passwordMethod
*/
/*!
......@@ -226,47 +227,38 @@ abstract class passwordMethod
$ret = FALSE;
$i = 0;
/* Only */
if (!session::is_set("passwordMethod::get_available_methods")) {
if (!session::is_set('passwordMethod::get_available_methods')) {
foreach (array_keys($class_mapping) as $class) {
if (preg_match('/passwordMethod/i', $class) && !preg_match("/^passwordMethod$/i", $class)) {
$test = new $class("");
if (preg_match('/^passwordMethod.+/i', $class)) {
$test = new $class('');
if ($test->is_available()) {
$plugs = $test->get_hash_name();
if (!is_array($plugs)) {
$plugs = [$plugs];
}
foreach ($plugs as $plugname) {
$cfg = $test->is_configurable();
$cfg = $test->is_configurable();
foreach ($plugs as $plugname) {
$ret['name'][$i] = $plugname;
$ret['class'][$i] = $class;
$ret['is_configurable'][$i] = $cfg;
$ret['object'][$i] = $test;
$ret['desc'][$i] = $test->get_description();
$ret[$i]['name'] = $plugname;
$ret[$i]['class'] = $class;
$ret[$i]['object'] = $test;
$ret[$i]['is_configurable'] = $cfg;
$ret[$i]['desc'] = $test->get_description();
$ret[$plugname] = $class;
$i++;
}
}
}
}
session::set("passwordMethod::get_available_methods", $ret);
session::set('passwordMethod::get_available_methods', $ret);
}
return session::get("passwordMethod::get_available_methods");
}
/*!
* \brief Get desciption
*/
function get_description (): string
{
return '';
return session::get('passwordMethod::get_available_methods');
}
/*!
......
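Review bot: `$ret = FALSE;` (L81) is still the value cached and returned when no `passwordMethod*` class reports `is_available()`, so the callers this merge request adds that index the result (`$temp['name']` in dashboardPassword and UserPasswordAttribute) would hit FALSE rather than an empty list; on PHP 8.1+ the first `$ret['name'][$i] = $plugname;` write into FALSE also triggers the false-to-array deprecation. Initialise it as `$ret = [];` so an empty result is a real array with the same shape. The method's signature and the `$class_mapping` it iterates are above the hunk, so I can't tell whether any existing caller already guards against FALSE. The per-session cache also means a method class that appears or disappears after first use is not reflected until the session is reset; a one-line comment such as `/* Cached in the session: changes to the set of method classes are only seen after re-login */` above the `session::is_set` check would save the next reader a surprise.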
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2003-2010 Cajus Pollmeier
Copyright (C) 2011-2016 FusionDirectory
Copyright (C) 2011-2019 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -21,12 +21,12 @@
*/
/*!
* \file class_password-methods-clear.inc
* \file class_passwordMethodClear.inc
* Source code for class passwordMethodClear
*/
/*!
* \brief This class contains all the functions for clear password methods
* \brief This class contains all the functions for clear password method
* \see passwordMethod
*/
class passwordMethodClear extends passwordMethod
......@@ -60,6 +60,6 @@ class passwordMethodClear extends passwordMethod
*/
static function get_hash_name ()
{
return "clear";
return 'clear';
}
}
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2003-2010 Cajus Pollmeier
Copyright (C) 2011-2016 FusionDirectory
Copyright (C) 2011-2019 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -21,7 +21,7 @@
*/
/*!
* \file class_password-methods-crypt.inc
* \file class_passwordMethodCrypt.inc
* Source code for class passwordMethodCrypt
*/
......
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2003-2010 Cajus Pollmeier
Copyright (C) 2011-2018 FusionDirectory
Copyright (C) 2011-2019 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -20,7 +21,7 @@
*/
/*!
* \file class_password-methods-empty.inc
* \file class_passwordMethodEmpty.inc
* Source code for class passwordMethodEmpty
*/
......@@ -37,7 +38,7 @@ class passwordMethodEmpty extends passwordMethod
const LOCKVALUE = '{CRYPT}!';
/*!
* \brief passwordMethodClear Constructor
* \brief passwordMethodEmpty Constructor
*/
function __construct ()
{
......
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2003-2010 Cajus Pollmeier
Copyright (C) 2011-2016 FusionDirectory
Copyright (C) 2011-2019 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -21,12 +21,12 @@
*/
/*!
* \file class_password-methods-md5.inc
* \file class_passwordMethodMd5.inc
* Source code for class passwordMethodMd5
*/
/*!
* \brief This class contains all the functions for md5 password methods
* \brief This class contains all the functions for md5 password method
* \see passwordMethod
*/
class passwordMethodMd5 extends passwordMethod
......
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2011-2017 FusionDirectory
Copyright (C) 2011-2019 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -19,15 +20,15 @@
*/
/*!
* \file class_password-methods-sasl.inc
* Source code for class passwordMethodsasl
* \file class_passwordMethodSasl.inc
* Source code for class passwordMethodSasl
*/
/*!
* \brief This class contains all the functions for sasl password methods
* \brief This class contains all the functions for sasl password method
* \see passwordMethod
*/
class passwordMethodsasl extends passwordMethod
class passwordMethodSasl extends passwordMethod
{
// uid, or exop specified field value
var $uid = '';
......@@ -35,7 +36,7 @@ class passwordMethodsasl extends passwordMethod
var $exop = '';
/*!
* \brief passwordMethodsasl Constructor
* \brief passwordMethodSasl Constructor
*
* \param string $dn The DN
* \param object $userTab The user main tab object
......
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2003-2010 Cajus Pollmeier
Copyright (C) 2011-2016 FusionDirectory
Copyright (C) 2011-2019 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -21,18 +21,18 @@
*/
/*
* \file class_pasword-methods-sha.inc
* Source code for class passwordMethodsha
* \file class_passwordMethodSha.inc
* Source code for class passwordMethodSha
*/
/*!
* \brief This class contains all the functions for sha password methods
* \brief This class contains all the functions for sha password method
* \see passwordMethod
*/
class passwordMethodsha extends passwordMethod
class passwordMethodSha extends passwordMethod
{
/*!
* \brief passwordMethodsha Constructor
* \brief passwordMethodSha Constructor
*/
function __construct ()
{
......
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2003-2010 Cajus Pollmeier
Copyright (C) 2011-2016 FusionDirectory
Copyright (C) 2011-2019 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -21,18 +21,18 @@
*/
/*!
* \file class_password-methods-smd5.inc
* Source code for class passwordMethodsmd5
* \file class_passwordMethodSmd5.inc
* Source code for class passwordMethodSmd5
*/
/*!
* \brief This class contains all the functions for sdm5 password methods
* \brief This class contains all the functions for sdm5 password method
* \see passwordMethod
*/
class passwordMethodsmd5 extends passwordMethod
class passwordMethodSmd5 extends passwordMethod
{
/*!
* \brief passwordMethodsmd5 Constructor
* \brief passwordMethodSmd5 Constructor
*/
function __construct ()
{
......
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2003-2010 Cajus Pollmeier
Copyright (C) 2011-2016 FusionDirectory
Copyright (C) 2011-2019 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -21,18 +21,18 @@
*/
/*!
* \file class_password-methods-ssha.inc
* Source code for class passwordMethodssha
* \file class_passwordMethodSsha.inc
* Source code for class passwordMethodSsha
*/
/*!
* \brief This class contains all the functions for ssha password methods
* \brief This class contains all the functions for ssha password method
* \see passwordMethod
*/
class passwordMethodssha extends passwordMethod
class passwordMethodSsha extends passwordMethod
{
/*!
* \brief passwordMethodssha Constructor
* \brief passwordMethodSsha Constructor
*/
function __construct ()
{
......
......@@ -54,10 +54,13 @@ class dashboardPassword extends simplePlugin
{
global $config;
$defaultMethod = $config->get_cfg_value('passwordDefaultHash', 'ssha');
$forceDefault = ($config->get_cfg_value('forcePasswordDefaultHash', 'FALSE') == 'TRUE');
$temp = passwordMethod::get_available_methods();
$allowedMethods = $config->get_cfg_value('passwordAllowedHashes', $temp['name']);
$defaultMethod = $config->get_cfg_value('passwordDefaultHash', 'ssha');
$forceDefault = ($config->get_cfg_value('forcePasswordDefaultHash', 'FALSE') == 'TRUE');
try {
$users = objects::ls('user', 'userPassword', NULL, '', TRUE);
$users = objects::ls('user', ['userPassword' => '1', 'dn' => 'raw'], NULL, '', TRUE);
} catch (LDAPFailureException $e) {
msg_dialog::display(
_('LDAP error'),
......@@ -69,30 +72,32 @@ class dashboardPassword extends simplePlugin
$nb_accounts = count($users);
$nb_locked_accounts = 0;
$methods_stats = [];
foreach ($users as $userPassword) {
if (!empty($userPassword)) {
if (preg_match("/^\{[^\}]+\}!/", $userPassword)) {
$nb_locked_accounts++;
}
$method = passwordMethod::get_method($userPassword);
$methodClass = get_class($method);
if (!isset($methods_stats[$methodClass])) {
$methods_stats[$methodClass] = [
'nb' => 0,
'name' => $method->get_hash()
];
if ($method->get_hash() == $defaultMethod) {
$methods_stats[$methodClass]['style'] = 'default';
} elseif ($method->get_hash() == 'clear') {
$methods_stats[$methodClass]['style'] = 'clear';
} elseif ($forceDefault) {
$methods_stats[$methodClass]['style'] = 'forbidden';
} else {
$methods_stats[$methodClass]['style'] = 'none';
}
foreach ($users as $attrs) {
$userPassword = '';
if (isset($attrs['userPassword'])) {
$userPassword = $attrs['userPassword'];
}
$method = passwordMethod::get_method($userPassword);
$methodName = $method->get_hash();
if ($method->is_locked('', $userPassword)) {
$nb_locked_accounts++;
}
if (!isset($methods_stats[$methodName])) {
$methods_stats[$methodName] = [
'nb' => 0,
'name' => $methodName,
];
if ($methodName == $defaultMethod) {
$methods_stats[$methodName]['style'] = 'default';
} elseif ($methodName == 'clear') {
$methods_stats[$methodName]['style'] = 'clear';
} elseif ($forceDefault || !in_array($methodName, $allowedMethods)) {
$methods_stats[$methodName]['style'] = 'forbidden';
} else {
$methods_stats[$methodName]['style'] = 'none';
}
$methods_stats[$methodClass]['nb']++;
}
$methods_stats[$methodName]['nb']++;
}
return [
......
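Review bot: The style ladder at L404-411 tests `$defaultMethod` (and then `'clear'`) before the allowed list, so a default hash stored in LDAP that is not in fdPasswordAllowedHashes is reported as 'default' rather than 'forbidden', and a clear-text password is styled 'clear' even when clear is not an allowed hash; nothing in this hunk guarantees the default is a member of the allowed set, so I would test the allowed list first: `if (!in_array($methodName, $allowedMethods, TRUE)) { $style = 'forbidden'; } elseif ($methodName == $defaultMethod) { $style = 'default'; }` and keep the clear/forceDefault branches after it. Pass `TRUE` as the third argument to `in_array` in any case, since the values are hash-name strings read from LDAP. The `$temp['name']` fallback on L355 assumes `get_available_methods()` returned an array, which it does not when no method is available.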
......@@ -120,6 +120,13 @@ class configInLdap extends simplePlugin
'password' => [
'name' => _('Password settings'),
'attrs' => [
new SetAttribute(
new SelectAttribute(
_('Allowed password hashes'), _('Password hashes which may be used for user passwords'),
'fdPasswordAllowedHashes', TRUE,
['ssha']
)
),
new SelectAttribute(
_('Password default hash'), _('Default hash to be used'),
'fdPasswordDefaultHash', TRUE,
......@@ -381,7 +388,10 @@ class configInLdap extends simplePlugin
if (!in_array('sasl', $methods)) {
$methods[] = 'sasl';
}
$attributesInfo['password']['attrs'][0]->setChoices($methods);
$attributesInfo['password']['attrs'][0]->attribute->setChoices($methods);
$attributesInfo['password']['attrs'][0]->setDefaultValue($methods);
$attributesInfo['password']['attrs'][0]->resetToDefault();
$attributesInfo['password']['attrs'][1]->setChoices($methods);
/* Login methods */
$methods = LoginMethod::getMethods();
$attributesInfo['login']['attrs'][4]->setChoices(array_keys($methods), array_values($methods));
......@@ -496,6 +506,10 @@ class configInLdap extends simplePlugin
$this->fdLoginMethod = 'LoginHTTPHeader';
}
}
$this->attributesAccess['fdPasswordDefaultHash']->setChoices(
$this->attributesAccess['fdPasswordAllowedHashes']->getValue()
);
}
function compute_dn (): string
......@@ -512,6 +526,15 @@ class configInLdap extends simplePlugin
return $messages;
}
function save_object ()
{
parent::save_object();
$this->attributesAccess['fdPasswordDefaultHash']->setChoices(
$this->attributesAccess['fdPasswordAllowedHashes']->getValue()
);
}
static function get_themes ()
{
$themesdir = '../ihtml/themes/';
......
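Review bot: Nothing visible validates on save that fdPasswordDefaultHash is one of fdPasswordAllowedHashes: the default-hash choices are narrowed in the load path (L449-451, inside a method whose start is above the hunk) and again in `save_object`, but a default already stored in LDAP, or a POST that empties the allowed set, is only as safe as SelectAttribute's own choice validation, which I can't see here. I would add an explicit check in `check()` (only its tail at L454-456 is visible): `if (!in_array($this->fdPasswordDefaultHash, $this->fdPasswordAllowedHashes, TRUE)) { $messages[] = _('The password default hash must be one of the allowed password hashes'); }`. Note also that `setDefaultValue($methods)` followed by `resetToDefault()` makes every available method, including clear, allowed until an administrator narrows the list, so the attribute description would be clearer as `_('Password hashes which may be used for user passwords (all available methods are allowed by default)')`.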
......@@ -26,17 +26,15 @@ class UserPasswordAttribute extends CompositeAttribute
function __construct ($label, $description, $ldapName, $required = FALSE, $defaultValue = "", $acl = "")
{
global $config;
$temp = passwordMethod::get_available_methods();
/* Create password methods array */
$pwd_methods = [];
$pwd_methods = $config->get_cfg_value('passwordAllowedHashes', $temp['name']);
$this->needPassword = [];
foreach ($temp['name'] as $id => $name) {
$this->needPassword[$name] = $temp[$id]['object']->need_password();
$pwd_methods[$name] = $name;
if (!empty($temp[$id]['desc'])) {
$pwd_methods[$name] .= " (".$temp[$id]['desc'].")";
}
}
parent::__construct(
......@@ -45,7 +43,7 @@ class UserPasswordAttribute extends CompositeAttribute
new SelectAttribute(
_('Password method'), _('Password hash method to use'),
$ldapName.'_pwstorage', TRUE,
array_keys($pwd_methods), '', array_values($pwd_methods)
$pwd_methods
),
new PasswordAttribute(
_('Password'), _('Password (Leave empty if you do not wish to change it)'),
......
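Review bot: The select's choices now come straight from `passwordAllowedHashes` (L475) without being intersected with the methods that are actually available, while `$this->needPassword` (L477-478) is still keyed by `$temp['name']`; a configured hash whose class is missing or unavailable on this host would be offered in the dropdown with no `needPassword` entry behind it. Filter once before building the attribute: `$pwd_methods = array_values(array_intersect($pwd_methods, $temp['name']));`. The per-method description (`$temp[$id]['desc']`) the old code appended to each label is dropped by the new `$pwd_methods` choices argument, which looks unintended. This restriction is enforced server-side only if SelectAttribute rejects a posted `_pwstorage` value outside its choices, which I cannot confirm from this hunk; the constructor's body continues below it (the `parent::__construct` call).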