Commit fe13ec68 authored by Côme Chilliet's avatar Côme Chilliet

🚑 fix(core) Fix locking password in user template

Also cleaned up a bit password methods

issue #5990
parent 9417cb6b
......@@ -42,22 +42,15 @@ class passwordMethodClear extends passwordMethod
{
}
/*!
* \brief Is available
*
* \return TRUE
*/
function is_available ()
{
return TRUE;
}
/*!
* \brief Generate template hash
*
* \param string $pwd Password
* \param bool $locked Should the password be locked
*
* \return string the password hash
*/
function generate_hash ($pwd, $locked = FALSE)
public function generate_hash (string $pwd, bool $locked = FALSE): string
{
return $pwd;
}
......
......@@ -44,7 +44,7 @@ class passwordMethodCrypt extends passwordMethod
*
* \return TRUE if is avaibable, otherwise return false
*/
function is_available ()
public function is_available (): bool
{
return function_exists('crypt');
}
......@@ -53,8 +53,11 @@ class passwordMethodCrypt extends passwordMethod
* \brief Generate template hash
*
* \param string $pwd Password
* \param bool $locked Should the password be locked
*
* \return string the password hash
*/
function generate_hash ($pwd, $locked = FALSE)
public function generate_hash (string $pwd, bool $locked = FALSE): string
{
if ($this->hash == "crypt/standard-des") {
$salt = "";
......@@ -105,7 +108,7 @@ class passwordMethodCrypt extends passwordMethod
return '{CRYPT}'.($locked ? '!' : '').crypt($pwd, $salt);
}
function checkPassword ($pwd, $hash)
function checkPassword ($pwd, $hash): bool
{
// Not implemented
return FALSE;
......@@ -151,7 +154,7 @@ class passwordMethodCrypt extends passwordMethod
*
* \param string $password_hash
*/
static function _extract_method ($password_hash)
static function _extract_method ($password_hash): string
{
if (!preg_match('/^{crypt}/i', $password_hash)) {
return "";
......
......@@ -43,22 +43,15 @@ class passwordMethodEmpty extends passwordMethod
{
}
/*!
* \brief Is available
*
* \return TRUE
*/
function is_available ()
{
return TRUE;
}
/*!
* \brief Generate template hash
*
* \param string $pwd Password
* \param bool $locked Should the password be locked
*
* \return string the password hash
*/
function generate_hash ($pwd, $locked = FALSE)
public function generate_hash (string $pwd, bool $locked = FALSE): string
{
return ($locked ? static::LOCKVALUE : '');
}
......@@ -76,12 +69,12 @@ class passwordMethodEmpty extends passwordMethod
*
* \return boolean FALSE
*/
function need_password ()
function need_password (): bool
{
return FALSE;
}
static function _extract_method ($password_hash)
static function _extract_method ($password_hash): string
{
if (empty($password_hash) || ($password_hash == static::LOCKVALUE)) {
return static::get_hash_name();
......
......@@ -42,9 +42,9 @@ class passwordMethodMd5 extends passwordMethod
/*!
* \brief Is available
*
* \return TRUE if is avaibable, otherwise return false
* \return TRUE if is available, otherwise return false
*/
function is_available ()
public function is_available (): bool
{
return function_exists('md5');
}
......@@ -53,8 +53,11 @@ class passwordMethodMd5 extends passwordMethod
* \brief Generate template hash
*
* \param string $pwd Password
* \param bool $locked Should the password be locked
*
* \return string the password hash
*/
function generate_hash ($pwd, $locked = FALSE)
public function generate_hash (string $pwd, bool $locked = FALSE): string
{
return '{MD5}'.($locked ? '!' : '').base64_encode(pack('H*', md5($pwd)));
}
......
......@@ -72,7 +72,7 @@ class passwordMethodsasl extends passwordMethod
*
* \return TRUE if is avaibable
*/
function is_available ()
public function is_available (): bool
{
if (empty($this->realm) && empty($this->exop)) {
return FALSE;
......@@ -84,8 +84,11 @@ class passwordMethodsasl extends passwordMethod
* \brief Generate template hash
*
* \param string $pwd Password
* \param bool $locked Should the password be locked
*
* \return string the password hash
*/
function generate_hash ($pwd, $locked = FALSE)
public function generate_hash (string $pwd, bool $locked = FALSE): string
{
if (empty($this->exop)) {
if (empty($this->realm)) {
......@@ -98,7 +101,7 @@ class passwordMethodsasl extends passwordMethod
}
}
function checkPassword ($pwd, $hash)
function checkPassword ($pwd, $hash): bool
{
// We do not store passwords, can’t know if they’re the same
return FALSE;
......@@ -115,9 +118,9 @@ class passwordMethodsasl extends passwordMethod
/*!
* \brief Password needed
*
* \return boolean FALSE
* \return boolean
*/
function need_password ()
function need_password (): bool
{
global $config;
return ($config->get_cfg_value('forceSaslPasswordAsk', 'FALSE') == 'TRUE');
......
......@@ -43,7 +43,7 @@ class passwordMethodsha extends passwordMethod
*
* \return TRUE if is avaibable, otherwise return false
*/
function is_available ()
public function is_available (): bool
{
return (function_exists('sha1') || function_exists('mhash'));
}
......@@ -51,17 +51,19 @@ class passwordMethodsha extends passwordMethod
/*!
* \brief Generate template hash
*
* \param string $password Password
* \param string $pwd Password
* \param bool $locked Should the password be locked
*
* \return string the password hash
*/
function generate_hash ($password, $locked = FALSE)
public function generate_hash (string $pwd, bool $locked = FALSE): string
{
if (function_exists('sha1')) {
$hash = '{SHA}'.($locked ? '!' : '').base64_encode(pack('H*', sha1($password)));
$hash = '{SHA}'.($locked ? '!' : '').base64_encode(pack('H*', sha1($pwd)));
} elseif (function_exists('mhash')) {
$hash = '{SHA}'.($locked ? '!' : '').base64_encode(mHash(MHASH_SHA1, $password));
$hash = '{SHA}'.($locked ? '!' : '').base64_encode(mHash(MHASH_SHA1, $pwd));
} else {
msg_dialog::display(_('Configuration error'), msgPool::missingext('mhash'), ERROR_DIALOG);
return FALSE;
throw new FusionDirectoryException(msgPool::missingext('mhash'));
}
return $hash;
......
......@@ -43,7 +43,7 @@ class passwordMethodsmd5 extends passwordMethod
*
* \return TRUE if is avaibable, otherwise return false
*/
function is_available ()
public function is_available (): bool
{
return function_exists('md5');
}
......@@ -52,15 +52,18 @@ class passwordMethodsmd5 extends passwordMethod
* \brief Generate template hash
*
* \param string $pwd Password
* \param bool $locked Should the password be locked
*
* \return string the password hash
*/
function generate_hash ($pwd, $locked = FALSE)
public function generate_hash (string $pwd, bool $locked = FALSE): string
{
$salt0 = substr(pack('h*', md5(random_int(0, PHP_INT_MAX))), 0, 8);
$salt = substr(pack('H*', md5($salt0 . $pwd)), 0, 4);
return '{SMD5}'.($locked ? '!' : '').base64_encode(pack('H*', md5($pwd . $salt)) . $salt);
}
function checkPassword ($pwd, $hash)
function checkPassword ($pwd, $hash): bool
{
$hash = base64_decode(substr($hash, 6));
$salt = substr($hash, 16);
......
......@@ -43,7 +43,7 @@ class passwordMethodssha extends passwordMethod
*
* \return TRUE if is avaibable, otherwise return false
*/
function is_available ()
public function is_available (): bool
{
return (function_exists('sha1') || function_exists('mhash'));
}
......@@ -52,8 +52,11 @@ class passwordMethodssha extends passwordMethod
* \brief Generate template hash
*
* \param string $pwd Password
* \param bool $locked Should the password be locked
*
* \return string the password hash
*/
function generate_hash ($pwd, $locked = FALSE)
public function generate_hash (string $pwd, bool $locked = FALSE): string
{
if (function_exists('sha1')) {
$salt = substr(pack('h*', md5(random_int(0, PHP_INT_MAX))), 0, 8);
......@@ -63,13 +66,12 @@ class passwordMethodssha extends passwordMethod
$salt = mhash_keygen_s2k(MHASH_SHA1, $pwd, substr(pack('h*', md5(random_int(0, PHP_INT_MAX))), 0, 8), 4);
$pwd = '{SSHA}'.($locked ? '!' : '').base64_encode(mhash(MHASH_SHA1, $pwd.$salt).$salt);
} else {
msg_dialog::display(_('Configuration error'), msgPool::missingext('mhash'), ERROR_DIALOG);
return FALSE;
throw new FusionDirectoryException(msgPool::missingext('mhash'));
}
return $pwd;
}
function checkPassword ($pwd, $hash)
function checkPassword ($pwd, $hash): bool
{
$hash = base64_decode(substr($hash, 6));
$salt = substr($hash, 20);
......
......@@ -27,7 +27,7 @@
/*!
* \brief This class contains all the basic function for password methods
*/
class passwordMethod
abstract class passwordMethod
{
var $display = FALSE;
var $hash = '';
......@@ -47,9 +47,26 @@ class passwordMethod
/*!
* \brief Get the Hash name
*/
static function get_hash_name ()
abstract static function get_hash_name ();
/*!
* \brief Generate template hash
*
* \param string $pwd Password
* \param bool $locked Should the password be locked
*
* \return string the password hash
*/
abstract public function generate_hash (string $pwd, bool $locked = FALSE): string;
/*!
* \brief Is available
*
* \return TRUE
*/
public function is_available (): bool
{
trigger_error("get_hash_name can't be called on main class");
return TRUE;
}
/*!
......@@ -57,7 +74,7 @@ class passwordMethod
*
* \return boolean TRUE
*/
function need_password ()
public function need_password (): bool
{
return TRUE;
}
......@@ -67,7 +84,7 @@ class passwordMethod
*
* \return boolean
*/
function is_lockable ()
public function is_lockable (): bool
{
return $this->lockable;
}
......@@ -77,7 +94,7 @@ class passwordMethod
*
* \param string $dn The DN
*/
function is_locked ($dn = '', $pwd = '')
function is_locked ($dn = '', $pwd = ''): bool
{
global $config;
if (!$this->lockable) {
......@@ -105,7 +122,7 @@ class passwordMethod
*
* \param string $dn
*/
function lock_account ($dn = "")
function lock_account ($dn = '')
{
return $this->generic_modify_account($dn, 'LOCK');
}
......@@ -114,7 +131,7 @@ class passwordMethod
* \brief Unlocks an account which was locked by 'lock_account()'.
* For details about the locking mechanism see 'lock_account()'.
*/
function unlock_account ($dn = "")
function unlock_account ($dn = '')
{
return $this->generic_modify_account($dn, 'UNLOCK');
}
......@@ -123,7 +140,7 @@ class passwordMethod
* \brief Unlocks an account which was locked by 'lock_account()'.
* For details about the locking mechanism see 'lock_account()'.
*/
private function generic_modify_account ($dn, $mode)
private function generic_modify_account ($dn, string $mode)
{
global $config;
if (!$this->lockable) {
......@@ -203,7 +220,7 @@ class passwordMethod
/*!
* \brief This function returns all loaded classes for password encryption
*/
static function get_available_methods ()
static function get_available_methods (): array
{
global $class_mapping;
$ret = FALSE;
......@@ -247,15 +264,15 @@ class passwordMethod
/*!
* \brief Get desciption
*/
function get_description ()
function get_description (): string
{
return "";
return '';
}
/*!
* \brief Method to check if a password matches a hash
*/
function checkPassword ($pwd, $hash)
function checkPassword ($pwd, $hash): bool
{
return ($hash == $this->generate_hash($pwd));
}
......@@ -264,7 +281,7 @@ class passwordMethod
/*!
* \brief Return true if this password method provides a configuration dialog
*/
function is_configurable ()
function is_configurable (): bool
{
return FALSE;
}
......@@ -272,9 +289,9 @@ class passwordMethod
/*!
* \brief Provide a subdialog to configure a password method
*/
function configure ()
function configure (): string
{
return "";
return '';
}
......@@ -295,7 +312,7 @@ class passwordMethod
*
* \param string $dn The DN
*/
static function get_method ($password_hash, $dn = "")
static function get_method ($password_hash, $dn = ''): passwordMethod
{
$methods = passwordMethod::get_available_methods();
......@@ -325,14 +342,14 @@ class passwordMethod
*
* \param string $password_hash
*/
static function _extract_method ($password_hash)
static function _extract_method ($password_hash): string
{
$hash = static::get_hash_name();
if (preg_match("/^\{$hash\}/i", $password_hash)) {
return $hash;
}
return "";
return '';
}
/*!
......@@ -342,7 +359,7 @@ class passwordMethod
*
* \param string $hash
*/
static function make_hash ($password, $hash)
static function make_hash ($password, $hash): string
{
$methods = passwordMethod::get_available_methods();
$tmp = new $methods[$hash]();
......@@ -376,10 +393,10 @@ class passwordMethod
*
* \param string $password The password
*/
static function is_harmless ($password)
static function is_harmless ($password): bool
{
global $config;
if ($config->get_cfg_value("strictPasswordRules") == "TRUE") {
if ($config->get_cfg_value('strictPasswordRules') == 'TRUE') {
// Do we have UTF8 characters in the password?
return ($password == utf8_decode($password));
}
......
......@@ -219,7 +219,7 @@ class UserPasswordAttribute extends CompositeAttribute
$test = new $temp[$values[0]]($this->plugin->dn, $this->plugin);
$test->set_hash($values[0]);
if ($this->plugin->is_template) {
return $test->generate_hash($values[1], $values[4]).'|'.$values[1];
return $test->generate_hash($values[1], ($values[4] == 'TRUE')).'|'.$values[1];
} else {
return $test->generate_hash($values[1]);
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment