* API/CheckPasswordAge: new approach to the issue, as we have to take into account that the timestamp of the last password change may not be provided by the auth system. We fetch the timestamp from the authsystem if the method is implemented for the auth method configured (instead of juggling with account_lastpasswd_change or account_lastpwd_change)

This commit is contained in:
Klaus Leithoff 2011-09-26 08:51:48 +00:00
parent bfd686bbac
commit f7a50ec383
5 changed files with 178 additions and 53 deletions

View File

@ -69,14 +69,39 @@ class auth
{
// dont check anything for anonymous sessions/ users that are flagged as anonymous
if (is_object($GLOBALS['egw']->session) && $GLOBALS['egw']->session->session_flags == 'A') return true;
// some statics (and initialisation to make information and timecalculation a) more readable in conditions b) persistent per request
// if user has to be warned about an upcomming passwordchange, remember for the session, that he was informed
static $UserKnowsAboutPwdChange;
if (is_null($UserKnowsAboutPwdChange)) $UserKnowsAboutPwdChange =& egw_cache::getSession('phpgwapi','auth_UserKnowsAboutPwdChange');
// some statics to make information and timecalculation a) more readable in conditions b) persistent per request
// retrieve the timestamp regarding the last change of the password from auth system and store it with the session
static $alpwchange_val;
static $pwdTsChecked;
if (is_null($pwdTsChecked) && is_null($alpwchange_val))
{
$alpwchange_val =& egw_cache::getSession('phpgwapi','auth_alpwchange_val'); // set that one with the session stored value
// initalize statics - better readability of conditions
if (is_null($alpwchange_val))
{
$backend_class = 'auth_'.$GLOBALS['egw_info']['server']['auth_type'];
$backend = new $backend_class;
// this may change behavior, as it should detect forced PasswordChanges from your Authentication System too.
// on the other side, if your auth system does not require an forcedPasswordChange, you will not be asked.
if (method_exists($backend,'getLastPwdChange'))
{
$alpwchange_val = $backend->getLastPwdChange($GLOBALS['egw_info']['user']['account_lid']);
$pwdTsChecked = true;
}
// if your authsystem does not provide that information, its likely, that you cannot change your password there,
// thus checking for expiration, is not needed
if ($alpwchange_val === false)
{
$alpwchange_val = null;
}
//error_log(__METHOD__.__LINE__.'#'.$alpwchange_val.'# is null:'.is_null($alpwchange_val).'# is empty:'.empty($alpwchange_val).'# is set:'.isset($alpwchange_val));
}
}
static $passwordAgeBorder;
static $daysLeftUntilChangeReq;
// current style name for account last password change timestamp
$alpwchange='account_lastpwd_change';
// some debug output and develop options to move the horizons and warn levels around
//$GLOBALS['egw_info']['server']['change_pwd_every_x_days'] =35;
//$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change']=5;
@ -84,28 +109,12 @@ class auth
//echo "User changed password at:".egw_time::to($GLOBALS['egw_info']['user'][$alpwchange]).'<br>';
//echo "User password is ".((egw_time::to('now','ts')-$GLOBALS['egw_info']['user'][$alpwchange])/86400)." days old<br>";
//echo "Users must change passwords every ".$GLOBALS['egw_info']['server']['change_pwd_every_x_days'].' days ('.($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400).') seconds.<br>';
//error_log(__METHOD__.__LINE__.'#'.$alpwchange_val.'# is null:'.is_null($alpwchange_val).'# is empty:'.empty($alpwchange_val).'# is set:'.isset($alpwchange_val));
//echo egw_time::to('now','ts')-($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400).'<br>';
// if neither timestamp isset return true, nothing to do (exept this means the password is too old)
if (!isset($GLOBALS['egw_info']['user']['account_lastpasswd_change']) &&
!isset($GLOBALS['egw_info']['user'][$alpwchange]) &&
if (is_null($alpwchange_val) &&
empty($GLOBALS['egw_info']['server']['change_pwd_every_x_days'])
) return true;
if ($GLOBALS['egw_info']['user']['account_lastpasswd_change'] && !$GLOBALS['egw_info']['user'][$alpwchange])
{
// use old style names, as the current one seems not to be set.
$alpwchange = 'account_lastpasswd_change';
}
// initalize statics - better readability of conditions
if (is_null($alpwchange_val))
{
$backend_class = 'auth_'.$GLOBALS['egw_info']['server']['auth_type'];
$backend = new $backend_class;
// this may change behavior, as it should detect forced PasswordChanges from your Authentication System too.
// on the other side, if your auth system does not require an forcedPasswordChange, you will not be asked.
if (method_exists($backend,'getLastPwdChange')) $alpwchange_val = $backend->getLastPwdChange($GLOBALS['egw_info']['user']['account_lid']);
if (is_null($alpwchange_val) || $alpwchange_val === false) $alpwchange_val = $GLOBALS['egw_info']['user'][$alpwchange];
}
if (is_null($passwordAgeBorder) && $GLOBALS['egw_info']['server']['change_pwd_every_x_days'])
{
$passwordAgeBorder = (egw_time::to('now','ts')-($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400));
@ -113,7 +122,7 @@ class auth
if (is_null($daysLeftUntilChangeReq) && $GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'])
{
// maxage - passwordage = days left until change is required
$daysLeftUntilChangeReq = ($GLOBALS['egw_info']['server']['change_pwd_every_x_days'] - ((egw_time::to('now','ts')-$alpwchange_val)/86400));
$daysLeftUntilChangeReq = ($GLOBALS['egw_info']['server']['change_pwd_every_x_days'] - ((egw_time::to('now','ts')-($alpwchange_val?$alpwchange_val:0))/86400));
}
//echo "Warn about the upcomming change ".$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'].' days before that time is reached<br>';
//$result = $GLOBALS['egw_info']['server']['change_pwd_every_x_days'] - $daysLeftUntilChangeReq;
@ -135,30 +144,33 @@ class auth
{
if ($GLOBALS['egw']->acl->check('nopasswordchange', 1, 'preferences')) return true; // user has no rights to change password
if ($UserKnowsAboutPwdChange === true && !($passwordAgeBorder > $alpwchange_val || $alpwchange_val==0)) return true; // user has already been informed about the upcomming password expiration
if ($alpwchange_val == 0)
if (!is_null($alpwchange_val))
{
$message = lang('an admin required that you must change your password upon login.');
if ($alpwchange_val == 0)
{
$message = lang('an admin required that you must change your password upon login.');
}
elseif (($passwordAgeBorder < $alpwchange_val) ||
(
$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'] &&
$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'] > $daysLeftUntilChangeReq &&
$daysLeftUntilChangeReq > 0
)
)
{
$UserKnowsAboutPwdChange = true;
$message = lang('your password is about to expire in %1 days, you may change your password now',round($daysLeftUntilChangeReq));
}
elseif ($passwordAgeBorder > $alpwchange_val && $alpwchange_val > 0)
{
error_log(__METHOD__.' Password of '.$GLOBALS['egw_info']['user']['account_lid'].' ('.$GLOBALS['egw_info']['user']['account_fullname'].') is of old age.'.array2string(array(
'ts'=> $alpwchange_val,
'date'=>egw_time::to($alpwchange_val))));
$message = lang('it has been more then %1 days since you changed your password',$GLOBALS['egw_info']['server']['change_pwd_every_x_days']);
}
if ($GLOBALS['egw_info']['user']['apps']['password']) egw::redirect_link('/preferences/password.php',array('message'=>$message));
egw::redirect_link('/index.php',array('menuaction'=>'preferences.uipassword.change','message'=>$message));
}
elseif (($passwordAgeBorder < $alpwchange_val) ||
(
$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'] &&
$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'] > $daysLeftUntilChangeReq &&
$daysLeftUntilChangeReq > 0
)
)
{
$UserKnowsAboutPwdChange = true;
$message = lang('your password is about to expire in %1 days, you may change your password now',round($daysLeftUntilChangeReq));
}
elseif ($passwordAgeBorder > $alpwchange_val && $alpwchange_val > 0)
{
error_log(__METHOD__.' Password of '.$GLOBALS['egw_info']['user']['account_lid'].' ('.$GLOBALS['egw_info']['user']['account_fullname'].') is of old age.'.array2string(array(
'ts'=>$GLOBALS['egw_info']['user']['account_lastpwd_change'],
'date'=>egw_time::to($GLOBALS['egw_info']['user']['account_lastpwd_change']))));
$message = lang('it has been more then %1 days since you changed your password',$GLOBALS['egw_info']['server']['change_pwd_every_x_days']);
}
if ($GLOBALS['egw_info']['user']['apps']['password']) egw::redirect_link('/preferences/password.php',array('message'=>$message));
egw::redirect_link('/index.php',array('menuaction'=>'preferences.uipassword.change','message'=>$message));
}
return true;
}

View File

@ -52,12 +52,12 @@ class auth_fallback implements auth_backend
{
if ($this->primary_backend->authenticate($username, $passwd, $passwd_type))
{
egw_cache::setSession(__CLASS__,'backend_used','primary');
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'primary');
return true;
}
if ($this->fallback_backend->authenticate($username,$passwd, $passwd_type))
{
egw_cache::setSession(__CLASS__,'backend_used','fallback');
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'fallback');
return true;
}
return false;
@ -76,10 +76,62 @@ class auth_fallback implements auth_backend
*/
function change_password($old_passwd, $new_passwd, $account_id=0)
{
if (egw_cache::getSession(__CLASS__,'backend_used') == 'primary')
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
{
$admin = False;
$account_id = $GLOBALS['egw_info']['user']['account_id'];
$username = $GLOBALS['egw_info']['user']['account_lid'];
}
else
{
$username = $GLOBALS['egw']->accounts->id2name($account_id);
}
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
{
return $this->primary_backend->change_password($old_passwd, $new_passwd, $account_id);
}
return $this->fallback_backend->change_password($old_passwd, $new_passwd, $account_id);
}
/**
* fetch the last pwd change for the user
*
* @param string $username username of account to authenticate
* @return mixed false or account_lastpwd_change
*/
function getLastPwdChange($username)
{
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
{
return false;
}
return $this->fallback_backend->getLastPwdChange($username);
}
/**
* changes account_lastpwd_change in sql datababse
*
* @param int $account_id account id of user whose passwd should be changed
* @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
* @param int $lastpwdchange must be a unixtimestamp
* @return boolean true if account_lastpwd_change successful changed, false otherwise
*/
function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
{
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
{
$admin = False;
$account_id = $GLOBALS['egw_info']['user']['account_id'];
$username = $GLOBALS['egw_info']['user']['account_lid'];
}
else
{
$username = $GLOBALS['egw']->accounts->id2name($account_id);
}
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
{
return false;
}
return $this->fallback_backend->setLastPwdChange($account_id, $passwd, $lastpwdchange);
}
}

View File

@ -52,12 +52,12 @@ class auth_fallbackmail2sql implements auth_backend
{
if ($this->primary_backend->authenticate($username, $passwd, $passwd_type))
{
egw_cache::setSession(__CLASS__,'backend_used','primary');
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'primary');
return true;
}
if ($this->fallback_backend->authenticate($username,$passwd, $passwd_type))
{
egw_cache::setSession(__CLASS__,'backend_used','fallback');
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'fallback');
return true;
}
return false;
@ -76,10 +76,62 @@ class auth_fallbackmail2sql implements auth_backend
*/
function change_password($old_passwd, $new_passwd, $account_id=0)
{
if (egw_cache::getSession(__CLASS__,'backend_used') == 'primary')
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
{
$admin = False;
$account_id = $GLOBALS['egw_info']['user']['account_id'];
$username = $GLOBALS['egw_info']['user']['account_lid'];
}
else
{
$username = $GLOBALS['egw']->accounts->id2name($account_id);
}
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
{
return false;
}
return $this->fallback_backend->change_password($old_passwd, $new_passwd, $account_id);
}
/**
* fetch the last pwd change for the user
*
* @param string $username username of account to authenticate
* @return mixed false or account_lastpwd_change
*/
function getLastPwdChange($username)
{
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
{
return false;
}
return $this->fallback_backend->getLastPwdChange($username);
}
/**
* changes account_lastpwd_change in sql datababse
*
* @param int $account_id account id of user whose passwd should be changed
* @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
* @param int $lastpwdchange must be a unixtimestamp
* @return boolean true if account_lastpwd_change successful changed, false otherwise
*/
function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
{
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
{
$admin = False;
$account_id = $GLOBALS['egw_info']['user']['account_id'];
$username = $GLOBALS['egw_info']['user']['account_lid'];
}
else
{
$username = $GLOBALS['egw']->accounts->id2name($account_id);
}
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
{
return false;
}
return $this->fallback_backend->setLastPwdChange($account_id, $passwd, $lastpwdchange);
}
}

View File

@ -245,6 +245,8 @@ class auth_ldap implements auth_backend
{
return false;
}
// using time() is sufficient to represent the current time, we do not need the timestamp written to the storage
if (!$admin) egw_cache::setSession('phpgwapi','auth_alpwchange_val',(is_null($lastpwdchange) || $lastpwdchange<0 ? time():$lastpwdchange));
return true;
}
@ -281,7 +283,10 @@ class auth_ldap implements auth_backend
$allValues = ldap_get_entries($ds, $sri);
$entry['userpassword'] = auth::encrypt_password($new_passwd);
if ($update_lastchange) $entry['shadowlastchange'] = round((time()-date('Z')) / (24*3600));
if ($update_lastchange)
{
$entry['shadowlastchange'] = round((time()-date('Z')) / (24*3600));
}
$dn = $allValues[0]['dn'];
@ -296,6 +301,8 @@ class auth_ldap implements auth_backend
if($old_passwd) // if old password given (not called by admin) update the password in the session
{
$GLOBALS['egw']->session->appsession('password','phpgwapi',$new_passwd);
// using time() is sufficient to represent the current time, we do not need the timestamp written to the storage
egw_cache::setSession('phpgwapi','auth_alpwchange_val',time());
}
return $entry['userpassword'];
}

View File

@ -176,14 +176,15 @@ class auth_sql implements auth_backend
{
return false;
}
$lastpwdchange = (is_null($lastpwdchange) || $lastpwdchange<0 ? time():$lastpwdchange);
$this->db->update($this->table,array(
'account_lastpwd_change' => (is_null($lastpwdchange) || $lastpwdchange<0 ? time():$lastpwdchange),
'account_lastpwd_change' => $lastpwdchange,
),array(
'account_id' => $account_id,
),__LINE__,__FILE__);
if(!$this->db->affected_rows()) return false;
if (!$admin) egw_cache::setSession('phpgwapi','auth_alpwchange_val',$lastpwdchange);
return true;
}
@ -251,6 +252,7 @@ class auth_sql implements auth_backend
if(!$admin)
{
egw_cache::setSession('phpgwapi','auth_alpwchange_val',$update['account_lastpwd_change']);
$GLOBALS['egw']->session->appsession('password','phpgwapi',$new_passwd);
}
return $encrypted_passwd;