mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-10-05 09:32:08 +02:00
refactor preferences >> security & password to allow apps to hook into it
This commit is contained in:
Ralf Becker
parent
4f7eb9e700
commit
de5e560eb9
@ -1,6 +1,6 @@
|
|||||||
<?php
|
<?php
|
||||||
/**
|
/**
|
||||||
* EGroupware preferences
|
* EGroupware preferences: Security and passwords
|
||||||
*
|
*
|
||||||
* @package preferences
|
* @package preferences
|
||||||
* @link http://www.egroupware.org
|
* @link http://www.egroupware.org
|
||||||
@ -13,10 +13,13 @@ use EGroupware\Api\Framework;
|
|||||||
use EGroupware\Api\Etemplate;
|
use EGroupware\Api\Etemplate;
|
||||||
use PragmaRX\Google2FAQRCode\Google2FA;
|
use PragmaRX\Google2FAQRCode\Google2FA;
|
||||||
use EGroupware\Api\Mail\Credentials;
|
use EGroupware\Api\Mail\Credentials;
|
||||||
use EGroupware\OpenID\Repositories\AccessTokenRepository;
|
|
||||||
use EGroupware\OpenID\Repositories\ScopeRepository;
|
|
||||||
use EGroupware\OpenID\Repositories\RefreshTokenRepository;
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Security and passwords
|
||||||
|
*
|
||||||
|
* Other apps can add tabs to this popup by implementing the "preferences_security" hook
|
||||||
|
* like eg. the OpenID App does to allow users to revoke tokens.
|
||||||
|
*/
|
||||||
class preferences_password
|
class preferences_password
|
||||||
{
|
{
|
||||||
var $public_functions = array(
|
var $public_functions = array(
|
||||||
@ -63,97 +66,86 @@ class preferences_password
|
|||||||
$secret_key = $content['2fa']['secret_key'];
|
$secret_key = $content['2fa']['secret_key'];
|
||||||
unset($content['2fa']['secret_key']);
|
unset($content['2fa']['secret_key']);
|
||||||
|
|
||||||
switch($content['tabs'])
|
// check user password for everything but password change, where it will be checked anyway
|
||||||
|
$auth = new Api\Auth();
|
||||||
|
if ($content['tabs'] !== 'change_password' &&
|
||||||
|
!$auth->authenticate($GLOBALS['egw_info']['user']['account_lid'], $content['password']))
|
||||||
{
|
{
|
||||||
case 'change_password':
|
$tmpl->set_validation_error('password', lang('Password is invalid'));
|
||||||
if ($content['button']['save'])
|
}
|
||||||
{
|
else
|
||||||
if (($errors = self::do_change($content['password'], $content['n_passwd'], $content['n_passwd_2'])))
|
{
|
||||||
|
switch($content['tabs'])
|
||||||
|
{
|
||||||
|
case 'change_password':
|
||||||
|
if ($content['button']['save'])
|
||||||
{
|
{
|
||||||
Framework::message(implode("\n", $errors), 'error');
|
if (($errors = self::do_change($content['password'], $content['n_passwd'], $content['n_passwd_2'])))
|
||||||
|
{
|
||||||
|
Framework::message(implode("\n", $errors), 'error');
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Framework::refresh_opener(lang('Password changed'), 'preferences');
|
||||||
|
Framework::window_close();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else
|
|
||||||
{
|
|
||||||
Framework::refresh_opener(lang('Password changed'), 'preferences');
|
|
||||||
Framework::window_close();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case 'two_factor_auth':
|
|
||||||
$auth = new Api\Auth();
|
|
||||||
if (!$auth->authenticate($GLOBALS['egw_info']['user']['account_lid'], $content['password']))
|
|
||||||
{
|
|
||||||
$tmpl->set_validation_error('password', lang('Password is invalid'), '2fa');
|
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
switch(key($content['2fa']['action']))
|
|
||||||
{
|
|
||||||
case 'show':
|
|
||||||
$content['2fa'] = $this->generateQRCode($google2fa, false);
|
|
||||||
break;
|
|
||||||
case 'reset':
|
|
||||||
$content['2fa'] = $this->generateQRCode($google2fa, true);
|
|
||||||
Framework::message(lang('New secret generated, you need to save it to disable the old one!'));
|
|
||||||
break;
|
|
||||||
case 'disable':
|
|
||||||
if (Credentials::delete(0, $GLOBALS['egw_info']['user']['account_id'], Credentials::TWOFA))
|
|
||||||
{
|
|
||||||
Framework::refresh_opener(lang('Secret deleted, two factor authentication disabled.'), 'preferences');
|
|
||||||
Framework::window_close();
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
Framework::message(lang('Failed to delete secret!'), 'error');
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
default: // no action, save secret
|
|
||||||
if (!$google2fa->verifyKey($secret_key, $content['2fa']['code']))
|
|
||||||
{
|
|
||||||
$tmpl->set_validation_error('code', lang('Code is invalid'), '2fa');
|
|
||||||
break 2;
|
|
||||||
}
|
|
||||||
if (($content['2fa']['cred_id'] = Credentials::write(0,
|
|
||||||
$GLOBALS['egw_info']['user']['account_lid'],
|
|
||||||
$secret_key, Credentials::TWOFA,
|
|
||||||
$GLOBALS['egw_info']['user']['account_id'],
|
|
||||||
$content['2fa']['cred_id'])))
|
|
||||||
{
|
|
||||||
Framework::refresh_opener(lang('Two Factor Auth enabled.'), 'preferences');
|
|
||||||
Framework::window_close();
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
Framework::message(lang('Failed to store secret!'), 'error');
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
unset($content['2fa']['action']);
|
|
||||||
break;
|
|
||||||
|
|
||||||
case 'tokens':
|
case 'two_factor_auth':
|
||||||
if (is_array($content) && $content['nm']['selected'])
|
switch(key($content['2fa']['action']))
|
||||||
{
|
{
|
||||||
try {
|
case 'show':
|
||||||
switch($content['nm']['action'])
|
$content['2fa'] = $this->generateQRCode($google2fa, false);
|
||||||
{
|
break;
|
||||||
case 'delete':
|
case 'reset':
|
||||||
$token_repo = new AccessTokenRepository();
|
$content['2fa'] = $this->generateQRCode($google2fa, true);
|
||||||
$token_repo->revokeAccessToken(['access_token_id' => $content['nm']['selected']]);
|
Framework::message(lang('New secret generated, you need to save it to disable the old one!'));
|
||||||
$refresh_token_repo = new RefreshTokenRepository();
|
break;
|
||||||
$refresh_token_repo->revokeRefreshToken(['access_token_id' => $content['nm']['selected']]);
|
case 'disable':
|
||||||
$msg = (count($content['nm']['selected']) > 1 ?
|
if (Credentials::delete(0, $GLOBALS['egw_info']['user']['account_id'], Credentials::TWOFA))
|
||||||
count($content['nm']['selected']).' ' : '').
|
{
|
||||||
lang('Access Token revoked.');
|
Framework::refresh_opener(lang('Secret deleted, two factor authentication disabled.'), 'preferences');
|
||||||
break;
|
Framework::window_close();
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Framework::message(lang('Failed to delete secret!'), 'error');
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
default: // no action, save secret
|
||||||
|
if (!$google2fa->verifyKey($secret_key, $content['2fa']['code']))
|
||||||
|
{
|
||||||
|
$tmpl->set_validation_error('code', lang('Code is invalid'), '2fa');
|
||||||
|
break 2;
|
||||||
|
}
|
||||||
|
if (($content['2fa']['cred_id'] = Credentials::write(0,
|
||||||
|
$GLOBALS['egw_info']['user']['account_lid'],
|
||||||
|
$secret_key, Credentials::TWOFA,
|
||||||
|
$GLOBALS['egw_info']['user']['account_id'],
|
||||||
|
$content['2fa']['cred_id'])))
|
||||||
|
{
|
||||||
|
Framework::refresh_opener(lang('Two Factor Auth enabled.'), 'preferences');
|
||||||
|
Framework::window_close();
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Framework::message(lang('Failed to store secret!'), 'error');
|
||||||
|
}
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
catch(\Exception $e) {
|
unset($content['2fa']['action']);
|
||||||
$msg = lang('Error').': '.$e->getMessage();
|
break;
|
||||||
break;
|
|
||||||
|
default:
|
||||||
|
// for other tabs call their save_callback (user password is already checked!)
|
||||||
|
if (!empty($content['save_callbacks'][$content['tabs']]) &&
|
||||||
|
($msg = call_user_func_array($content['save_callbacks'][$content['tabs']], [&$content])))
|
||||||
|
{
|
||||||
|
Framework::message($msg, 'success');
|
||||||
}
|
}
|
||||||
}
|
break;
|
||||||
break;
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -161,103 +153,70 @@ class preferences_password
|
|||||||
Framework::message($e->getMessage(), 'error');
|
Framework::message($e->getMessage(), 'error');
|
||||||
}
|
}
|
||||||
|
|
||||||
// display tokens, if we have openid installed (currently no run-rights needed!)
|
|
||||||
if ($GLOBALS['egw_info']['apps']['openid'] && class_exists(AccessTokenRepository::class))
|
|
||||||
{
|
|
||||||
$content['nm'] = [
|
|
||||||
'get_rows' => 'preferences.'.__CLASS__.'.getTokens',
|
|
||||||
'no_cat' => true,
|
|
||||||
'no_filter' => true,
|
|
||||||
'no_filter2' => true,
|
|
||||||
'filter_no_lang' => true,
|
|
||||||
'order' => 'access_token_updated',
|
|
||||||
'sort' => 'DESC',
|
|
||||||
'row_id' => 'access_token_id',
|
|
||||||
'default_cols' => '!client_id',
|
|
||||||
'actions' => self::tokenActions(),
|
|
||||||
];
|
|
||||||
$sel_options += [
|
|
||||||
'client_status' => ['Disabled', 'Active'],
|
|
||||||
'access_token_revoked' => ['Active', 'Revoked'],
|
|
||||||
'access_token_scopes' => (new ScopeRepository())->selOptions(),
|
|
||||||
];
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$readonlys['tabs']['tokens'] = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
// disable 2FA tab, if admin disabled it
|
// disable 2FA tab, if admin disabled it
|
||||||
if ($GLOBALS['egw_info']['server']['2fa_required'] === 'disabled')
|
if ($GLOBALS['egw_info']['server']['2fa_required'] === 'disabled')
|
||||||
{
|
{
|
||||||
$readonlys['tabs']['two_factor_auth'] = true;
|
$readonlys['tabs']['two_factor_auth'] = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
$tmpl->exec('preferences.preferences_password.change', $content, $sel_options, $readonlys, [
|
$preserve = [
|
||||||
'2fa' => $content['2fa']+[
|
'2fa' => $content['2fa']+[
|
||||||
'secret_key' => $secret_key,
|
'secret_key' => $secret_key,
|
||||||
],
|
]
|
||||||
], 2);
|
];
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
$tmpl->setElementAttribute('tabs', 'add_tabs', true);
|
||||||
* Query tokens for nextmatch widget
|
$tabs =& $tmpl->getElementAttribute('tabs', 'tabs');
|
||||||
*
|
if (($first_call = !isset($tabs)))
|
||||||
* @param array $query with keys 'start', 'search', 'order', 'sort', 'col_filter'
|
|
||||||
* For other keys like 'filter', 'cat_id' you have to reimplement this method in a derived class.
|
|
||||||
* @param array &$rows returned rows/competitions
|
|
||||||
* @param array &$readonlys eg. to disable buttons based on acl, not use here, maybe in a derived class
|
|
||||||
* @return int number of rows found
|
|
||||||
*/
|
|
||||||
public function getTokens(array $query, array &$rows, array &$readonlys)
|
|
||||||
{
|
|
||||||
if (!class_exists(AccessTokenRepository::class)) return;
|
|
||||||
|
|
||||||
$token_repo = new AccessTokenRepository();
|
|
||||||
if (($ret = $token_repo->get_rows($query, $rows, $readonlys)))
|
|
||||||
{
|
{
|
||||||
foreach($rows as $key => &$row)
|
$tabs = array();
|
||||||
|
}
|
||||||
|
// register hooks, if openid is available, but new hook not yet registered (should be removed after 19.1)
|
||||||
|
if (!empty($GLOBALS['egw_info']['apps']['openid']) && !Api\Hooks::implemented('preferences_security'))
|
||||||
|
{
|
||||||
|
Api\Hooks::read(true);
|
||||||
|
}
|
||||||
|
$hook_data = Api\Hooks::process(array('location' => 'preferences_security')+$content, ['openid'], true);
|
||||||
|
foreach($hook_data as $extra_tabs)
|
||||||
|
{
|
||||||
|
if (!$extra_tabs) continue;
|
||||||
|
|
||||||
|
foreach(isset($extra_tabs[0]) ? $extra_tabs : [$extra_tabs] as $extra_tab)
|
||||||
{
|
{
|
||||||
if (!is_int($key)) continue;
|
if (!empty($extra_tab['data']) && is_array($extra_tab['data']))
|
||||||
|
|
||||||
// boolean does NOT work as key for select-box
|
|
||||||
$row['access_token_revoked'] = (string)(int)$row['access_token_revoked'];
|
|
||||||
$row['client_status'] = (string)(int)$row['client_status'];
|
|
||||||
|
|
||||||
// dont send token itself to UI
|
|
||||||
unset($row['access_token_identifier']);
|
|
||||||
|
|
||||||
// format user-agent as "OS Version\nBrowser Version" prefering auth-code over access-token
|
|
||||||
// as for implicit grant auth-code contains real user-agent, access-token container the server
|
|
||||||
if (!empty($row['auth_code_user_agent']))
|
|
||||||
{
|
{
|
||||||
$row['user_agent'] = Api\Header\UserAgent::osBrowser($row['auth_code_user_agent']);
|
$content = array_merge($content, $extra_tab['data']);
|
||||||
$row['user_ip'] = $row['auth_code_ip'];
|
|
||||||
$row['user_agent_tooltip'] = Api\Header\UserAgent::osBrowser($row['access_token_user_agent']);
|
|
||||||
$row['user_ip_tooltip'] = $row['access_token_ip'];
|
|
||||||
}
|
}
|
||||||
else
|
if (!empty($extra_tab['preserve']) && is_array($extra_tab['preserve']))
|
||||||
{
|
{
|
||||||
$row['user_agent'] = Api\Header\UserAgent::osBrowser($row['access_token_user_agent']);
|
$preserve = array_merge($preserve, $extra_tab['preserve']);
|
||||||
$row['user_ip'] = $row['access_token_ip'];
|
|
||||||
}
|
}
|
||||||
|
if (!empty($extra_tab['sel_options']) && is_array($extra_tab['sel_options']))
|
||||||
|
{
|
||||||
|
$sel_options = array_merge($sel_options, $extra_tab['sel_options']);
|
||||||
|
}
|
||||||
|
if (!empty($extra_tab['readonlys']) && is_array($extra_tab['readonlys']))
|
||||||
|
{
|
||||||
|
$readonlys = array_merge($readonlys, $extra_tab['readonlys']);
|
||||||
|
}
|
||||||
|
if (!empty($extra_tab['save_callback']))
|
||||||
|
{
|
||||||
|
$preserve['save_callbacks'][$extra_tab['name']] = $extra_tab['save_callback'];
|
||||||
|
}
|
||||||
|
// we must NOT add tabs more then once!
|
||||||
|
if ($first_call && !empty($extra_tab['label']) && !empty($extra_tab['name']))
|
||||||
|
{
|
||||||
|
$tabs[] = array(
|
||||||
|
'label' => $extra_tab['label'],
|
||||||
|
'template' => $extra_tab['name'],
|
||||||
|
'prepend' => $extra_tab['prepend'],
|
||||||
|
);
|
||||||
|
}
|
||||||
|
//error_log(__METHOD__."() changed tabs=".array2string($tabs));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return $ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
$tmpl->exec('preferences.preferences_password.change', $content, $sel_options, $readonlys, $preserve, 2);
|
||||||
* Get actions for tokens
|
|
||||||
*/
|
|
||||||
protected function tokenActions()
|
|
||||||
{
|
|
||||||
return [
|
|
||||||
'delete' => array(
|
|
||||||
'caption' => 'Revoke',
|
|
||||||
'allowOnMultiple' => true,
|
|
||||||
'confirm' => 'Revoke this token',
|
|
||||||
),
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -281,7 +240,6 @@ class preferences_password
|
|||||||
{
|
{
|
||||||
$secret_key = $google2fa->generateSecretKey();//16, $GLOBALS['egw_info']['user']['account_lid']);
|
$secret_key = $google2fa->generateSecretKey();//16, $GLOBALS['egw_info']['user']['account_lid']);
|
||||||
}
|
}
|
||||||
$qrc = '';
|
|
||||||
if (isset($generate) || empty($creds))
|
if (isset($generate) || empty($creds))
|
||||||
{
|
{
|
||||||
$image = $google2fa->getQRCodeInline(
|
$image = $google2fa->getQRCodeInline(
|
||||||
|
|||||||
@ -82,12 +82,10 @@
|
|||||||
<tabs>
|
<tabs>
|
||||||
<tab id="change_password" label="Change password"/>
|
<tab id="change_password" label="Change password"/>
|
||||||
<tab id="two_factor_auth" label="Two factor auth"/>
|
<tab id="two_factor_auth" label="Two factor auth"/>
|
||||||
<tab id="tokens" label="Revoke Acccess Tokens"/>
|
|
||||||
</tabs>
|
</tabs>
|
||||||
<tabpanels>
|
<tabpanels>
|
||||||
<template id="preferences.password.change"/>
|
<template id="preferences.password.change"/>
|
||||||
<template id="preferences.password.2fa"/>
|
<template id="preferences.password.2fa"/>
|
||||||
<template id="openid.access_tokens"/>
|
|
||||||
</tabpanels>
|
</tabpanels>
|
||||||
</tabbox>
|
</tabbox>
|
||||||
<hbox class="dialogFooterToolbar">
|
<hbox class="dialogFooterToolbar">
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user