* Mail/Filemanager: admin can allow users to store a password to pass to mail- and file-servers in case they use (password-less) SingleSignOn

2025-01-03 04:29:28 +01:00 · 2024-09-03 09:58:47 +02:00 · 2024-09-03 09:58:47 +02:00 · fd216b07f2
commit fd216b07f2
parent 5dafe00c95
9 changed files with 118 additions and 14 deletions
--- a/admin/lang/egw_de.lang
+++ b/admin/lang/egw_de.lang
@ -115,6 +115,7 @@ all records and account information will be lost!	admin	de	Alle Datensätze und
 all users	admin	de	Alle Benutzer
 allow anonymous access to this app	admin	de	Anonymen Zugriff auf diese Anwendung zulassen
 allow remote administration from following install id's (comma separated)	admin	de	Erlaube die Remote-Verwaltung durch folgende (Komma separierte) Installation-IDs.
 allow the user to store his password under 'security & passwords' for singlesignon.	admin	de	Erlaubt dem Benutzer sein Passwort unter 'Sicherheit & Passwort' für SingleSignOn zu speichern.
 allow user to set 'remember me' token	admin	de	Erlaube Benutzer ein "An mich erinnern" Token zu setzen
 allow users to change forwards	admin	de	Anwender dürfen Weiterleitung bearbeiten
 allow users to create identities for aliases	admin	de	Anwender dürfen Identitäten für Aliase anlegen
--- a/admin/lang/egw_en.lang
+++ b/admin/lang/egw_en.lang
@ -115,6 +115,7 @@ all records and account information will be lost!	admin	en	All records and accou
 all users	admin	en	All users
 allow anonymous access to this app	admin	en	Allow anonymous access to this app
 allow remote administration from following install id's (comma separated)	admin	en	Allow remote administration from following install ID's, comma separated.
 allow the user to store his password under 'security & passwords' for singlesignon.	admin	en	Allow the user to store his password under 'Security & Passwords' for SingleSignOn.
 allow user to set 'remember me' token	admin	en	Allow user to set 'Remember me' token
 allow users to change forwards	admin	en	Allow users to change forwards
 allow users to create identities for aliases	admin	en	Allow users to create identities for aliases
--- a/admin/templates/default/config.xet
+++ b/admin/templates/default/config.xet
@ -330,6 +330,13 @@
 						<option value="yes">Yes</option>
 					</et2-select>
 				</row>
 				<row>
 					<et2-vbox>
 						<et2-description value="Logging in via SingleSignOn does not provide a password to pass it on to mail- or file-servers."></et2-description>
 						<et2-description value="Allow the user to store his password under 'Security &amp; Passwords' for SingleSignOn."></et2-description>
 					</et2-vbox>
 					<et2-checkbox id="newsettings[store_password_for_sso]" label="Store password retrievable for SingleSignOn"></et2-checkbox>
 				</row>
 				<row>
 					<et2-description  value="Other security configuration" span="all" class="subHeader"></et2-description>
--- a/api/setup/setup.inc.php
+++ b/api/setup/setup.inc.php
@ -63,6 +63,7 @@ $setup_info['api']['hooks']['addgroup'] = 'EGroupware\\Api\\Vfs\\Hooks::addGroup
 $setup_info['api']['hooks']['deletegroup'] = array('EGroupware\\Api\\Vfs\\Hooks::deleteGroup', 'EGroupware\\Api\\Mail\\Hooks::deletegroup');
 $setup_info['api']['hooks']['editgroup'] = 'EGroupware\\Api\\Vfs\\Hooks::editGroup';
 $setup_info['api']['hooks']['changepassword'] = 'EGroupware\\Api\\Mail\\Hooks::changepassword';
 $setup_info['api']['hooks']['session_created'] = 'EGroupware\Api\Mail\Credentials::ssoPassword';
 // Hooks to delete shares when file is deleted
 $setup_info['api']['hooks']['vfs_unlink'] = 'EGroupware\\Api\\Vfs\\Sharing::vfsUpdate';
--- a/api/src/Mail/Credentials.php
+++ b/api/src/Mail/Credentials.php
@ -15,6 +15,7 @@
 namespace EGroupware\Api\Mail;
 use EGroupware\Api;
 use EGroupware\Api\Cache;
 use Jumbojett\OpenIDConnectClientException;
 /**
@ -85,10 +86,15 @@ class Credentials
 	 */
 	const OAUTH_REFRESH_TOKEN = 256;
 	/**
 	 * Password to use, if none provided due to SSO login
 	 */
 	const SSO_PASSWORD = 512;
 	/**
 	 * All credentials
 	 */
-	const ALL = self::IMAP|self::SMTP|self::ADMIN|self::SMIME|self::TWOFA|self::SPAMTITAN|self::OAUTH_REFRESH_TOKEN;
+	const ALL = self::IMAP|self::SMTP|self::ADMIN|self::SMIME|self::TWOFA|self::SPAMTITAN|self::OAUTH_REFRESH_TOKEN|self::SSO_PASSWORD;
 	/**
 	 * Password in cleartext
@ -138,7 +144,8 @@ class Credentials
 		self::SMIME => 'acc_smime_',
 		self::TWOFA => '2fa_',
 		self::SPAMTITAN => 'acc_spam_',
-		self::OAUTH_REFRESH_TOKEN => 'acc_oauth_'
+		self::OAUTH_REFRESH_TOKEN => 'acc_oauth_',
 		self::SSO_PASSWORD => 'sso_',
 	);
 	/**
@ -213,7 +220,7 @@ class Credentials
 				self::$cache[$acc_id][$row['account_id']][$row['cred_type']] = $row;
 				//error_log(__METHOD__."($acc_id, $type, ".array2string($account_id).") stored to cache ".array2string($row));
-				if (!isset($on_login) && self::needMigration($row['cred_pw_enc']))
+				if (!isset($on_login) && self::needMigration($row['cred_pw_enc'], $row['cred_type']))
 				{
 					$on_login = array(__CLASS__.'::migrate', $acc_id);
 				}
@ -266,6 +273,38 @@ class Credentials
 		return $results;
 	}
 	/**
 	 * Get password to use for current user, if he has one stored for SSO AND store it in session like the regular password
 	 *
 	 * @return string|null
 	 */
 	public static function ssoPassword() : ?string
 	{
 		// check if we have a regular, non-anonymous session
 		if (!isset($GLOBALS['egw']->session) ||
 			!empty($GLOBALS['egw']->session->cd_reason) ||
 			$GLOBALS['egw']->session->session_flags !== 'N')
 		{
 			return null;
 		}
 		if (!empty($GLOBALS['egw']->session->passwd))
 		{
 			return $GLOBALS['egw']->session->passwd;
 		}
 		$data = self::read(0, self::SSO_PASSWORD, $GLOBALS['egw_info']['user']['account_id']);
 		if (isset($data[self::$type2prefix[self::SSO_PASSWORD].'password']))
 		{
 			Api\Cache::setSession('phpgwapi', 'password',
 				base64_encode($GLOBALS['egw']->session->passwd = $data[self::$type2prefix[self::SSO_PASSWORD].'password']));
 			return $data[self::$type2prefix[self::SSO_PASSWORD].'password'];
 		}
 		return null;
 	}
 	/**
 	 * Get cached access-token, or use refresh-token to get a new one
 	 *
@ -388,9 +427,10 @@ class Credentials
 	 * @param int $type self::IMAP, self::SMTP, self::ADMIN or self::SMIME
 	 * @param int $account_id if of user-account for whom credentials are
 	 * @param int $cred_id =null id of existing credentials to update
 	 * @param bool $use_system =null true: use system-secret/SYSTEM_AES, false: use user-password/USER_AES, null: determine automatic
 	 * @return int cred_id
 	 */
-	public static function write($acc_id, $username, $password, $type, $account_id=0, $cred_id=null)
+	public static function write($acc_id, $username, $password, $type, $account_id=0, $cred_id=null, ?bool $use_system=null)
 	{
 		//error_log(__METHOD__."(acc_id=$acc_id, '$username', \$password, type=$type, account_id=$account_id, cred_id=$cred_id)");
 		if (!empty($cred_id) && !is_numeric($cred_id) || !is_numeric($account_id))
@ -415,7 +455,7 @@ class Credentials
 			'account_id' => $account_id,
 			'cred_username' => $username,
 			'cred_password' => (string)$password === '' ? '' :
-				self::encrypt($password, $account_id, $pw_enc),
+				self::encrypt($password, $account_id, $pw_enc, $use_system ?? ($type == self::SSO_PASSWORD ? true : null)),
 			'cred_type' => $type,
 			'cred_pw_enc' => $pw_enc,
 		);
@ -490,12 +530,13 @@ class Credentials
 	 * @param string $password cleartext password
 	 * @param int $account_id user-account password is for
 	 * @param int& $pw_enc on return encryption used
 	 * @param bool $use_system =null true: use system-secret/SYSTEM_AES, false: use user-password/USER_AES, null: determine automatic
 	 * @return string encrypted password
 	 */
-	public static function encrypt($password, $account_id, &$pw_enc)
+	public static function encrypt($password, $account_id, &$pw_enc, ?bool $use_system=null)
 	{
 		try {
-			return self::encrypt_openssl_aes($password, $account_id, $pw_enc);
+			return self::encrypt_openssl_aes($password, $account_id, $pw_enc, null, null, $use_system);
 		}
 		catch (Api\Exception\AssertionFailed $ex) {
 			try {
@ -531,13 +572,14 @@ class Credentials
 	 * @param int& $pw_enc on return encryption used
 	 * @param string $key =null key/password to use, default password according to account_id
 	 * @param string $salt =null (binary) salt to use, default generate new random salt
 	 * @param bool $use_system =null true: use system-secret/SYSTEM_AES, false: use user-password/USER_AES, null: determine automatic
 	 * @return string encrypted password
 	 */
-	protected static function encrypt_openssl_aes($password, $account_id, &$pw_enc, $key=null, $salt=null)
+	protected static function encrypt_openssl_aes($password, $account_id, &$pw_enc, $key=null, $salt=null, ?bool $use_system=null)
 	{
 		if (empty($key))
 		{
-			if ($account_id > 0 && $account_id == $GLOBALS['egw_info']['user']['account_id'] &&
+			if ($use_system !== true && $account_id > 0 && $account_id == $GLOBALS['egw_info']['user']['account_id'] &&
 				($key = Api\Cache::getSession('phpgwapi', 'password')) &&
 				// do NOT encrypt password if (optional) SAML or OpenIdConnect auth is enabled
 				!array_filter(array_keys(Api\Config::read('phpgwapi')), static function($name)
@ -769,10 +811,16 @@ class Credentials
 	 * Check if credentials need migration to AES
 	 *
 	 * @param string $pw_enc
 	 * @param int|null $cred_type =null
 	 * @return boolean
 	 */
-	static public function needMigration($pw_enc)
+	static public function needMigration($pw_enc, ?int $cred_type=null)
 	{
 		// do NOT migrate/store SSO-passwords with user-credentials
 		if (isset($cred_type) && $cred_type == self::SSO_PASSWORD)
 		{
 			return false;
 		}
 		return $pw_enc == self::USER || $pw_enc == self::SYSTEM || $pw_enc == self::CLEARTEXT;
 	}
@ -790,7 +838,7 @@ class Credentials
 				{
 					foreach($rows as $cred_type => &$row)
 					{
-						if (self::needMigration($row['cred_pw_enc']) && ($row['cred_pw_enc'] != self::USER ||
+						if (self::needMigration($row['cred_pw_enc'], $cred_type) && ($row['cred_pw_enc'] != self::USER ||
 							$row['cred_pw_enc'] == self::USER && $account_id == $GLOBALS['egw_info']['user']['account_id']))
 						{
 							self::write($acc_id, $row['cred_username'], self::decrypt($row), $cred_type, $account_id, $row['cred_id']);
--- a/preferences/inc/class.preferences_password.inc.php
+++ b/preferences/inc/class.preferences_password.inc.php
@ -56,6 +56,10 @@ class preferences_password
 					'gauth_android' => self::GAUTH_ANDROID,
 					'gauth_ios' => self::GAUTH_IOS,
 				];
 				if (($content['store_password_for_sso'] = $GLOBALS['egw_info']['server']['store_password_for_sso'] ?? false))
 				{
 					$content['store-password-for-sso'] = $content['store_password_for_sso'];
 				}
 			}
 			else
 			{
@ -74,6 +78,24 @@ class preferences_password
 					switch($content['tabs'])
 					{
 						case 'change_password':
 							if (!empty($GLOBALS['egw_info']['server']['store_password_for_sso']) &&
 								$content['store-password-for-sso'] && $content['button']['save'])
 							{
 								if (!$auth->authenticate($GLOBALS['egw_info']['user']['account_lid'], $content['password']))
 								{
 									$tmpl->set_validation_error('password', lang('Password is invalid'));
 									break;
 								}
 								Credentials::write(0, $GLOBALS['egw_info']['user']['account_lid'], $content['password'],
 									Credentials::SSO_PASSWORD, $GLOBALS['egw_info']['user']['account_id']);
 								// close now, if we're not changing the password
 								if ($GLOBALS['egw']->acl->check('nopasswordchange', 1) || empty($content['n_passwd']) && empty($content['n_passwd_2']))
 								{
 									Framework::refresh_opener(lang('Password stored'), 'preferences');
 									Framework::window_close();
 								}
 							}
 							if (!$GLOBALS['egw']->acl->check('nopasswordchange', 1) && $content['button']['save'])
 							{
 								if (($errors = self::do_change($content['password'], $content['n_passwd'], $content['n_passwd_2'])))
@ -158,7 +180,14 @@ class preferences_password
 		// disable password change, if user has not right to change it
 		if ($GLOBALS['egw']->acl->check('nopasswordchange', 1))
 		{
-			$readonlys['tabs']['change_password'] = true;
+			if (!empty($GLOBALS['egw_info']['server']['store_password_for_sso']))
 			{
 				$content['nopasswordchange'] = true;
 			}
 			else
 			{
 				$readonlys['tabs']['change_password'] = true;
 			}
 		}
 		$preserve = [
--- a/preferences/lang/egw_de.lang
+++ b/preferences/lang/egw_de.lang
@ -100,6 +100,7 @@ icon	preferences	de	Symbol
 icons and text	preferences	de	Symbole und Text
 icons only	preferences	de	Nur Symbole
 if a line is already selected, further lines get either selected by holding ctrl/cmd key and clicking on them (to not unselect the current selected line), or by just clicking on them as for a checkbox. if no line is selected clicking on one allways selects it. holding down shift key selects everything between current select line and the one clicked.	preferences	de	Wenn bereits eine Zeile ausgewählt ist, werden weitere Zeilen entweder durch das Halten der Strg/Cmd Taste (um die bereits ausgewählten nicht abzuwählen) und anklicken derselben, oder durch einfaches anklicken wie für eine Checkbox, ausgewählt. Wenn keine Zeile ausgewählt ist, wählt anklicken diese immer aus. Das Halten der Umschalt-Taste wählt alles zwischen der aktuell ausgewählten Zeile und der angeklickten.
 if enabled, your entered password will be stored and passed on to other server, when you login via sso.	preferences	de	Ihr eingegebenes Passwort wird gespeichert und an andere Server weiter gegeben, wenn eingeschaltet und Sie sich per SingleSignOn anmelden.
 images linked to an entry can be displayed as thumbnails.  you can turn this off to speed up page display.	preferences	de	Bilder die mit einem Eintrag verlinkt sind können als Vorschaubild angezeigt werden. Kann ausgeschaltet werden um die Geschwindigkeit der Anzeige zu erhöhen.
 in which country are you. this is used to set certain defaults for you.	preferences	de	In welchen Land befinden Sie sich? Damit werden verschiedene Voreinstellungen für Sie vorgenommen.
 interface/template selection	preferences	de	Auswahl der Benutzeroberfläche
@ -108,6 +109,7 @@ just clicking on the line, like a checkbox	preferences	de	Einfaches anklicken de
 kama theme	preferences	de	Kama-Theme
 keep list open for selecting multiple	preferences	de	Liste für die Auswahl mehrerer Optionen offen halten
 language	preferences	de	Sprache
 logging in via singlesignon does not provide a password to pass it on to mail- or file-servers.	common	de	Das Anmelden per SingleSignOn liefert kein Passwort das an Mail- oder Datei-Server weiter gegeben werden kann.
 look & feel	preferences	de	Aussehen und Handhabung
 lowercase letters	preferences	de	Kleinbuchstaben
 make applications list scrollable with up/down scroll buttons (usefull for users working with mouse with no scrollwheel)	preferences	de	Macht die Seitenleiste links mit Scroll-Button nach oben/unten scrollbar (nützlich für Benutzer auf Tablets).
@ -132,6 +134,7 @@ password contains only %1 of required %2 character classes: no %3	preferences	de
 password contains with "%1" a parts of your user- or full-name (3 or more characters long)	preferences	de	Passwort enthält mit "%1" einen Teil Ihres Benutzernamens oder vollständigen Namen (3 oder mehr Zeichen lang)
 password is invalid	preferences	de	Das Passwort ist ungültig
 password must have at least %1 characters	preferences	de	Passwort muss mindestens %1 Zeichen lang sein
 password stored	preferences	de	Passwort gespeichert
 permanent time zone selection	preferences	de	Ständige Zeitzonen Auswahl
 please select timezones, you want to be able to quickly switch between. switch is not shown, if less then two are selected.	preferences	de	Zeitzonen auswählen, zwischen den schnell umgeschaltet werden soll. Der Umschalter wird NICHT angezeigt, wenn weniger als zwei ausgewählt werden.
 please select your timezone.	preferences	de	Bitte wählen Sie Ihre Zeitzone.
@ -173,11 +176,13 @@ show qrcode	preferences	de	QR-Code anzeigen
 show qrcode to enable on an additional device.	preferences	de	Zeigt den QR-Code wieder an um ihn auf weiteren Geräten einzurichten.
 show text on navigation icons	preferences	de	Text zu Icons in der Navigationsleiste anzeigen
 show_more_apps	common	de	Mehr Anwendungen anzeigen
 singlesignon and passwords	preferences	de	SingleSignOn und Passwörter
 small paragraph	preferences	de	Schmaler Absatz
 special characters	preferences	de	Sonderzeichen
 spellchecker language	addressbook	de	Sprache Rechtschreibprüfung
 stay open	preferences	de	Liste auflassen
 stay open, but not for email	preferences	de	Liste auflassen, aber nicht für E-Mail
 store password retrievable for singlesignon	common	de	Passwort wiederherstellbar für SingleSignOn speichern
 text editor settings	preferences	de	Einstellungen des Texteditors
 text only	preferences	de	Nur Text
 the default application will be started when you enter egroupware or click on the homepage icon.<br>you can also have more than one application showing up on the homepage, if you don't choose a specific application here (has to be configured in the preferences of each application).	preferences	de	Diese Anwendung wird gestartet, wenn sie EGroupware neu starten oder auf das Symbol der Startseite klicken. Sie können auch mehrere Anwendungen auf Ihrer Startseite anzeigen, dazu wählen sie keine Anwendung aus. Welche Anwendungen dann angezeigt werden, wird in den Einstellungen der jeweiligen Anwendungen konfiguriert.
--- a/preferences/lang/egw_en.lang
+++ b/preferences/lang/egw_en.lang
@ -100,6 +100,7 @@ icon	preferences	en	Icon
 icons and text	preferences	en	Icons and text
 icons only	preferences	en	Icons only
 if a line is already selected, further lines get either selected by holding ctrl/cmd key and clicking on them (to not unselect the current selected line), or by just clicking on them as for a checkbox. if no line is selected clicking on one allways selects it. holding down shift key selects everything between current select line and the one clicked.	preferences	en	If a line is already selected, further lines get either selected by holding Ctrl/Cmd key and clicking on them (to not unselect the current selected line), or by just clicking on them as for a checkbox. If no line is selected clicking on one allways selects it. Holding down Shift key selects everything between current select line and the one clicked.
 if enabled, your entered password will be stored and passed on to other server, when you login via sso.	preferences	en	If enabled, your entered password will be stored and passed on to other server, when you login via SSO.
 images linked to an entry can be displayed as thumbnails.  you can turn this off to speed up page display.	preferences	en	Images linked to an entry can be displayed as thumbnails. Turn this off to speed up page display.
 in which country are you. this is used to set certain defaults for you.	preferences	en	Select the country. It sets some defaults e.g. in Calendar.
 interface/template selection	preferences	en	Interface | Template
@ -108,6 +109,7 @@ just clicking on the line, like a checkbox	preferences	en	Just clicking on the l
 kama theme	preferences	en	Kama theme
 keep list open for selecting multiple	preferences	en	Keep list open for selecting multiple
 language	preferences	en	Language
 logging in via singlesignon does not provide a password to pass it on to mail- or file-servers.	common	en	Logging in via SingleSignOn does not provide a password to pass it on to mail- or file-servers.
 look & feel	preferences	en	Look & feel
 lowercase letters	preferences	en	lowercase letters
 make applications list scrollable with up/down scroll buttons (usefull for users working with mouse with no scrollwheel)	preferences	en	Makes the sidebar on the left with scroll button scrollable up/down (useful for users on tablets).
@ -132,6 +134,7 @@ password contains only %1 of required %2 character classes: no %3	preferences	en
 password contains with "%1" a parts of your user- or full-name (3 or more characters long)	preferences	en	password contains with "%1" a parts of your user- or full-name (3 or more characters long)
 password is invalid	preferences	en	Password is invalid
 password must have at least %1 characters	preferences	en	password must have at least %1 characters
 password stored	preferences	en	Password stored
 permanent time zone selection	preferences	en	Permanent time zone
 please select timezones, you want to be able to quickly switch between. switch is not shown, if less then two are selected.	preferences	en	Select time zones to switch between. Switch is NOT shown, if less than two time zones are selected.
 please select your timezone.	preferences	en	Select your time zone.
@ -173,11 +176,13 @@ show qrcode	preferences	en	Show QRCode
 show qrcode to enable on an additional device.	preferences	en	Show QRCode to enable on an additional device.
 show text on navigation icons	preferences	en	Show text on navigation icons
 show_more_apps	common	en	Show more applications
 singlesignon and passwords	preferences	en	SingleSignOn and passwords
 small paragraph	preferences	en	Small Paragraph
 special characters	preferences	en	Special characters
 spellchecker language	addressbook	en	Spellchecker language
 stay open	preferences	en	Stay open
 stay open, but not for email	preferences	en	Stay open, but not for email
 store password retrievable for singlesignon	common	en	Store password retrievable for SingleSignOn
 text editor settings	preferences	en	Text editor settings
 text only	preferences	en	Text only
 the default application will be started when you enter egroupware or click on the homepage icon.<br>you can also have more than one application showing up on the homepage, if you don't choose a specific application here (has to be configured in the preferences of each application).	preferences	en	The default application will be started when you enter EGroupware or click on the Home icon.<br>More than one application scan be shown on the home page, if nothing is selected here. It has to be configured in the preferences of each application.
--- a/preferences/templates/default/password.xet
+++ b/preferences/templates/default/password.xet
@ -8,14 +8,21 @@
 				<column/>
 			</columns>
 			<rows>
-				<row>
+				<row disabled="@nopasswordchange">
 					<et2-description  value="Enter your new password"></et2-description>
 					<et2-password  id="n_passwd" class="et2_required" suggest="16" autocomplete="new-password"></et2-password>
 				</row>
-				<row>
+				<row disabled="@nopasswordchange">
 					<et2-description  value="Re-enter your password"></et2-description>
 					<et2-password  id="n_passwd_2" class="et2_required"></et2-password>
 				</row>
 				<row disabled="!@store_password_for_sso">
 					<et2-groupbox summary="SingleSignOn and passwords" span="all" style="padding-top: 10px">
 						<et2-checkbox id="store-password-for-sso" label="Store password retrievable for SingleSignOn" style="padding: 8px"></et2-checkbox>
 						<et2-description value="Logging in via SingleSignOn does not provide a password to pass it on to mail- or file-servers." style="padding-top: 4px; padding-bottom: 8px"></et2-description>
 						<et2-description value="If enabled, your entered password will be stored and passed on to other server, when you login via SSO."></et2-description>
 					</et2-groupbox>
 				</row>
 			</rows>
 		</grid>
 	</template>