* Mail/Filemanager: admin can allow users to store a password to pass to mail- and file-servers in case they use (password-less) SingleSignOn

This commit is contained in:
ralf 2024-09-03 09:58:47 +02:00
parent 5dafe00c95
commit fd216b07f2
9 changed files with 118 additions and 14 deletions

View File

@ -115,6 +115,7 @@ all records and account information will be lost! admin de Alle Datensätze und
all users admin de Alle Benutzer
allow anonymous access to this app admin de Anonymen Zugriff auf diese Anwendung zulassen
allow remote administration from following install id's (comma separated) admin de Erlaube die Remote-Verwaltung durch folgende (Komma separierte) Installation-IDs.
allow the user to store his password under 'security & passwords' for singlesignon. admin de Erlaubt dem Benutzer sein Passwort unter 'Sicherheit & Passwort' für SingleSignOn zu speichern.
allow user to set 'remember me' token admin de Erlaube Benutzer ein "An mich erinnern" Token zu setzen
allow users to change forwards admin de Anwender dürfen Weiterleitung bearbeiten
allow users to create identities for aliases admin de Anwender dürfen Identitäten für Aliase anlegen

View File

@ -115,6 +115,7 @@ all records and account information will be lost! admin en All records and accou
all users admin en All users
allow anonymous access to this app admin en Allow anonymous access to this app
allow remote administration from following install id's (comma separated) admin en Allow remote administration from following install ID's, comma separated.
allow the user to store his password under 'security & passwords' for singlesignon. admin en Allow the user to store his password under 'Security & Passwords' for SingleSignOn.
allow user to set 'remember me' token admin en Allow user to set 'Remember me' token
allow users to change forwards admin en Allow users to change forwards
allow users to create identities for aliases admin en Allow users to create identities for aliases

View File

@ -330,6 +330,13 @@
<option value="yes">Yes</option>
</et2-select>
</row>
<row>
<et2-vbox>
<et2-description value="Logging in via SingleSignOn does not provide a password to pass it on to mail- or file-servers."></et2-description>
<et2-description value="Allow the user to store his password under 'Security &amp; Passwords' for SingleSignOn."></et2-description>
</et2-vbox>
<et2-checkbox id="newsettings[store_password_for_sso]" label="Store password retrievable for SingleSignOn"></et2-checkbox>
</row>
<row>
<et2-description value="Other security configuration" span="all" class="subHeader"></et2-description>

View File

@ -63,6 +63,7 @@ $setup_info['api']['hooks']['addgroup'] = 'EGroupware\\Api\\Vfs\\Hooks::addGroup
$setup_info['api']['hooks']['deletegroup'] = array('EGroupware\\Api\\Vfs\\Hooks::deleteGroup', 'EGroupware\\Api\\Mail\\Hooks::deletegroup');
$setup_info['api']['hooks']['editgroup'] = 'EGroupware\\Api\\Vfs\\Hooks::editGroup';
$setup_info['api']['hooks']['changepassword'] = 'EGroupware\\Api\\Mail\\Hooks::changepassword';
$setup_info['api']['hooks']['session_created'] = 'EGroupware\Api\Mail\Credentials::ssoPassword';
// Hooks to delete shares when file is deleted
$setup_info['api']['hooks']['vfs_unlink'] = 'EGroupware\\Api\\Vfs\\Sharing::vfsUpdate';

View File

@ -15,6 +15,7 @@
namespace EGroupware\Api\Mail;
use EGroupware\Api;
use EGroupware\Api\Cache;
use Jumbojett\OpenIDConnectClientException;
/**
@ -85,10 +86,15 @@ class Credentials
*/
const OAUTH_REFRESH_TOKEN = 256;
/**
* Password to use, if none provided due to SSO login
*/
const SSO_PASSWORD = 512;
/**
* All credentials
*/
const ALL = self::IMAP|self::SMTP|self::ADMIN|self::SMIME|self::TWOFA|self::SPAMTITAN|self::OAUTH_REFRESH_TOKEN;
const ALL = self::IMAP|self::SMTP|self::ADMIN|self::SMIME|self::TWOFA|self::SPAMTITAN|self::OAUTH_REFRESH_TOKEN|self::SSO_PASSWORD;
/**
* Password in cleartext
@ -138,7 +144,8 @@ class Credentials
self::SMIME => 'acc_smime_',
self::TWOFA => '2fa_',
self::SPAMTITAN => 'acc_spam_',
self::OAUTH_REFRESH_TOKEN => 'acc_oauth_'
self::OAUTH_REFRESH_TOKEN => 'acc_oauth_',
self::SSO_PASSWORD => 'sso_',
);
/**
@ -213,7 +220,7 @@ class Credentials
self::$cache[$acc_id][$row['account_id']][$row['cred_type']] = $row;
//error_log(__METHOD__."($acc_id, $type, ".array2string($account_id).") stored to cache ".array2string($row));
if (!isset($on_login) && self::needMigration($row['cred_pw_enc']))
if (!isset($on_login) && self::needMigration($row['cred_pw_enc'], $row['cred_type']))
{
$on_login = array(__CLASS__.'::migrate', $acc_id);
}
@ -266,6 +273,38 @@ class Credentials
return $results;
}
/**
* Get password to use for current user, if he has one stored for SSO AND store it in session like the regular password
*
* @return string|null
*/
public static function ssoPassword() : ?string
{
// check if we have a regular, non-anonymous session
if (!isset($GLOBALS['egw']->session) ||
!empty($GLOBALS['egw']->session->cd_reason) ||
$GLOBALS['egw']->session->session_flags !== 'N')
{
return null;
}
if (!empty($GLOBALS['egw']->session->passwd))
{
return $GLOBALS['egw']->session->passwd;
}
$data = self::read(0, self::SSO_PASSWORD, $GLOBALS['egw_info']['user']['account_id']);
if (isset($data[self::$type2prefix[self::SSO_PASSWORD].'password']))
{
Api\Cache::setSession('phpgwapi', 'password',
base64_encode($GLOBALS['egw']->session->passwd = $data[self::$type2prefix[self::SSO_PASSWORD].'password']));
return $data[self::$type2prefix[self::SSO_PASSWORD].'password'];
}
return null;
}
/**
* Get cached access-token, or use refresh-token to get a new one
*
@ -388,9 +427,10 @@ class Credentials
* @param int $type self::IMAP, self::SMTP, self::ADMIN or self::SMIME
* @param int $account_id if of user-account for whom credentials are
* @param int $cred_id =null id of existing credentials to update
* @param bool $use_system =null true: use system-secret/SYSTEM_AES, false: use user-password/USER_AES, null: determine automatic
* @return int cred_id
*/
public static function write($acc_id, $username, $password, $type, $account_id=0, $cred_id=null)
public static function write($acc_id, $username, $password, $type, $account_id=0, $cred_id=null, ?bool $use_system=null)
{
//error_log(__METHOD__."(acc_id=$acc_id, '$username', \$password, type=$type, account_id=$account_id, cred_id=$cred_id)");
if (!empty($cred_id) && !is_numeric($cred_id) || !is_numeric($account_id))
@ -415,7 +455,7 @@ class Credentials
'account_id' => $account_id,
'cred_username' => $username,
'cred_password' => (string)$password === '' ? '' :
self::encrypt($password, $account_id, $pw_enc),
self::encrypt($password, $account_id, $pw_enc, $use_system ?? ($type == self::SSO_PASSWORD ? true : null)),
'cred_type' => $type,
'cred_pw_enc' => $pw_enc,
);
@ -490,12 +530,13 @@ class Credentials
* @param string $password cleartext password
* @param int $account_id user-account password is for
* @param int& $pw_enc on return encryption used
* @param bool $use_system =null true: use system-secret/SYSTEM_AES, false: use user-password/USER_AES, null: determine automatic
* @return string encrypted password
*/
public static function encrypt($password, $account_id, &$pw_enc)
public static function encrypt($password, $account_id, &$pw_enc, ?bool $use_system=null)
{
try {
return self::encrypt_openssl_aes($password, $account_id, $pw_enc);
return self::encrypt_openssl_aes($password, $account_id, $pw_enc, null, null, $use_system);
}
catch (Api\Exception\AssertionFailed $ex) {
try {
@ -531,13 +572,14 @@ class Credentials
* @param int& $pw_enc on return encryption used
* @param string $key =null key/password to use, default password according to account_id
* @param string $salt =null (binary) salt to use, default generate new random salt
* @param bool $use_system =null true: use system-secret/SYSTEM_AES, false: use user-password/USER_AES, null: determine automatic
* @return string encrypted password
*/
protected static function encrypt_openssl_aes($password, $account_id, &$pw_enc, $key=null, $salt=null)
protected static function encrypt_openssl_aes($password, $account_id, &$pw_enc, $key=null, $salt=null, ?bool $use_system=null)
{
if (empty($key))
{
if ($account_id > 0 && $account_id == $GLOBALS['egw_info']['user']['account_id'] &&
if ($use_system !== true && $account_id > 0 && $account_id == $GLOBALS['egw_info']['user']['account_id'] &&
($key = Api\Cache::getSession('phpgwapi', 'password')) &&
// do NOT encrypt password if (optional) SAML or OpenIdConnect auth is enabled
!array_filter(array_keys(Api\Config::read('phpgwapi')), static function($name)
@ -769,10 +811,16 @@ class Credentials
* Check if credentials need migration to AES
*
* @param string $pw_enc
* @param int|null $cred_type =null
* @return boolean
*/
static public function needMigration($pw_enc)
static public function needMigration($pw_enc, ?int $cred_type=null)
{
// do NOT migrate/store SSO-passwords with user-credentials
if (isset($cred_type) && $cred_type == self::SSO_PASSWORD)
{
return false;
}
return $pw_enc == self::USER || $pw_enc == self::SYSTEM || $pw_enc == self::CLEARTEXT;
}
@ -790,7 +838,7 @@ class Credentials
{
foreach($rows as $cred_type => &$row)
{
if (self::needMigration($row['cred_pw_enc']) && ($row['cred_pw_enc'] != self::USER ||
if (self::needMigration($row['cred_pw_enc'], $cred_type) && ($row['cred_pw_enc'] != self::USER ||
$row['cred_pw_enc'] == self::USER && $account_id == $GLOBALS['egw_info']['user']['account_id']))
{
self::write($acc_id, $row['cred_username'], self::decrypt($row), $cred_type, $account_id, $row['cred_id']);

View File

@ -56,6 +56,10 @@ class preferences_password
'gauth_android' => self::GAUTH_ANDROID,
'gauth_ios' => self::GAUTH_IOS,
];
if (($content['store_password_for_sso'] = $GLOBALS['egw_info']['server']['store_password_for_sso'] ?? false))
{
$content['store-password-for-sso'] = $content['store_password_for_sso'];
}
}
else
{
@ -74,6 +78,24 @@ class preferences_password
switch($content['tabs'])
{
case 'change_password':
if (!empty($GLOBALS['egw_info']['server']['store_password_for_sso']) &&
$content['store-password-for-sso'] && $content['button']['save'])
{
if (!$auth->authenticate($GLOBALS['egw_info']['user']['account_lid'], $content['password']))
{
$tmpl->set_validation_error('password', lang('Password is invalid'));
break;
}
Credentials::write(0, $GLOBALS['egw_info']['user']['account_lid'], $content['password'],
Credentials::SSO_PASSWORD, $GLOBALS['egw_info']['user']['account_id']);
// close now, if we're not changing the password
if ($GLOBALS['egw']->acl->check('nopasswordchange', 1) || empty($content['n_passwd']) && empty($content['n_passwd_2']))
{
Framework::refresh_opener(lang('Password stored'), 'preferences');
Framework::window_close();
}
}
if (!$GLOBALS['egw']->acl->check('nopasswordchange', 1) && $content['button']['save'])
{
if (($errors = self::do_change($content['password'], $content['n_passwd'], $content['n_passwd_2'])))
@ -158,7 +180,14 @@ class preferences_password
// disable password change, if user has not right to change it
if ($GLOBALS['egw']->acl->check('nopasswordchange', 1))
{
$readonlys['tabs']['change_password'] = true;
if (!empty($GLOBALS['egw_info']['server']['store_password_for_sso']))
{
$content['nopasswordchange'] = true;
}
else
{
$readonlys['tabs']['change_password'] = true;
}
}
$preserve = [

View File

@ -100,6 +100,7 @@ icon preferences de Symbol
icons and text preferences de Symbole und Text
icons only preferences de Nur Symbole
if a line is already selected, further lines get either selected by holding ctrl/cmd key and clicking on them (to not unselect the current selected line), or by just clicking on them as for a checkbox. if no line is selected clicking on one allways selects it. holding down shift key selects everything between current select line and the one clicked. preferences de Wenn bereits eine Zeile ausgewählt ist, werden weitere Zeilen entweder durch das Halten der Strg/Cmd Taste (um die bereits ausgewählten nicht abzuwählen) und anklicken derselben, oder durch einfaches anklicken wie für eine Checkbox, ausgewählt. Wenn keine Zeile ausgewählt ist, wählt anklicken diese immer aus. Das Halten der Umschalt-Taste wählt alles zwischen der aktuell ausgewählten Zeile und der angeklickten.
if enabled, your entered password will be stored and passed on to other server, when you login via sso. preferences de Ihr eingegebenes Passwort wird gespeichert und an andere Server weiter gegeben, wenn eingeschaltet und Sie sich per SingleSignOn anmelden.
images linked to an entry can be displayed as thumbnails. you can turn this off to speed up page display. preferences de Bilder die mit einem Eintrag verlinkt sind können als Vorschaubild angezeigt werden. Kann ausgeschaltet werden um die Geschwindigkeit der Anzeige zu erhöhen.
in which country are you. this is used to set certain defaults for you. preferences de In welchen Land befinden Sie sich? Damit werden verschiedene Voreinstellungen für Sie vorgenommen.
interface/template selection preferences de Auswahl der Benutzeroberfläche
@ -108,6 +109,7 @@ just clicking on the line, like a checkbox preferences de Einfaches anklicken de
kama theme preferences de Kama-Theme
keep list open for selecting multiple preferences de Liste für die Auswahl mehrerer Optionen offen halten
language preferences de Sprache
logging in via singlesignon does not provide a password to pass it on to mail- or file-servers. common de Das Anmelden per SingleSignOn liefert kein Passwort das an Mail- oder Datei-Server weiter gegeben werden kann.
look & feel preferences de Aussehen und Handhabung
lowercase letters preferences de Kleinbuchstaben
make applications list scrollable with up/down scroll buttons (usefull for users working with mouse with no scrollwheel) preferences de Macht die Seitenleiste links mit Scroll-Button nach oben/unten scrollbar (nützlich für Benutzer auf Tablets).
@ -132,6 +134,7 @@ password contains only %1 of required %2 character classes: no %3 preferences de
password contains with "%1" a parts of your user- or full-name (3 or more characters long) preferences de Passwort enthält mit "%1" einen Teil Ihres Benutzernamens oder vollständigen Namen (3 oder mehr Zeichen lang)
password is invalid preferences de Das Passwort ist ungültig
password must have at least %1 characters preferences de Passwort muss mindestens %1 Zeichen lang sein
password stored preferences de Passwort gespeichert
permanent time zone selection preferences de Ständige Zeitzonen Auswahl
please select timezones, you want to be able to quickly switch between. switch is not shown, if less then two are selected. preferences de Zeitzonen auswählen, zwischen den schnell umgeschaltet werden soll. Der Umschalter wird NICHT angezeigt, wenn weniger als zwei ausgewählt werden.
please select your timezone. preferences de Bitte wählen Sie Ihre Zeitzone.
@ -173,11 +176,13 @@ show qrcode preferences de QR-Code anzeigen
show qrcode to enable on an additional device. preferences de Zeigt den QR-Code wieder an um ihn auf weiteren Geräten einzurichten.
show text on navigation icons preferences de Text zu Icons in der Navigationsleiste anzeigen
show_more_apps common de Mehr Anwendungen anzeigen
singlesignon and passwords preferences de SingleSignOn und Passwörter
small paragraph preferences de Schmaler Absatz
special characters preferences de Sonderzeichen
spellchecker language addressbook de Sprache Rechtschreibprüfung
stay open preferences de Liste auflassen
stay open, but not for email preferences de Liste auflassen, aber nicht für E-Mail
store password retrievable for singlesignon common de Passwort wiederherstellbar für SingleSignOn speichern
text editor settings preferences de Einstellungen des Texteditors
text only preferences de Nur Text
the default application will be started when you enter egroupware or click on the homepage icon.<br>you can also have more than one application showing up on the homepage, if you don't choose a specific application here (has to be configured in the preferences of each application). preferences de Diese Anwendung wird gestartet, wenn sie EGroupware neu starten oder auf das Symbol der Startseite klicken. Sie können auch mehrere Anwendungen auf Ihrer Startseite anzeigen, dazu wählen sie keine Anwendung aus. Welche Anwendungen dann angezeigt werden, wird in den Einstellungen der jeweiligen Anwendungen konfiguriert.

View File

@ -100,6 +100,7 @@ icon preferences en Icon
icons and text preferences en Icons and text
icons only preferences en Icons only
if a line is already selected, further lines get either selected by holding ctrl/cmd key and clicking on them (to not unselect the current selected line), or by just clicking on them as for a checkbox. if no line is selected clicking on one allways selects it. holding down shift key selects everything between current select line and the one clicked. preferences en If a line is already selected, further lines get either selected by holding Ctrl/Cmd key and clicking on them (to not unselect the current selected line), or by just clicking on them as for a checkbox. If no line is selected clicking on one allways selects it. Holding down Shift key selects everything between current select line and the one clicked.
if enabled, your entered password will be stored and passed on to other server, when you login via sso. preferences en If enabled, your entered password will be stored and passed on to other server, when you login via SSO.
images linked to an entry can be displayed as thumbnails. you can turn this off to speed up page display. preferences en Images linked to an entry can be displayed as thumbnails. Turn this off to speed up page display.
in which country are you. this is used to set certain defaults for you. preferences en Select the country. It sets some defaults e.g. in Calendar.
interface/template selection preferences en Interface | Template
@ -108,6 +109,7 @@ just clicking on the line, like a checkbox preferences en Just clicking on the l
kama theme preferences en Kama theme
keep list open for selecting multiple preferences en Keep list open for selecting multiple
language preferences en Language
logging in via singlesignon does not provide a password to pass it on to mail- or file-servers. common en Logging in via SingleSignOn does not provide a password to pass it on to mail- or file-servers.
look & feel preferences en Look & feel
lowercase letters preferences en lowercase letters
make applications list scrollable with up/down scroll buttons (usefull for users working with mouse with no scrollwheel) preferences en Makes the sidebar on the left with scroll button scrollable up/down (useful for users on tablets).
@ -132,6 +134,7 @@ password contains only %1 of required %2 character classes: no %3 preferences en
password contains with "%1" a parts of your user- or full-name (3 or more characters long) preferences en password contains with "%1" a parts of your user- or full-name (3 or more characters long)
password is invalid preferences en Password is invalid
password must have at least %1 characters preferences en password must have at least %1 characters
password stored preferences en Password stored
permanent time zone selection preferences en Permanent time zone
please select timezones, you want to be able to quickly switch between. switch is not shown, if less then two are selected. preferences en Select time zones to switch between. Switch is NOT shown, if less than two time zones are selected.
please select your timezone. preferences en Select your time zone.
@ -173,11 +176,13 @@ show qrcode preferences en Show QRCode
show qrcode to enable on an additional device. preferences en Show QRCode to enable on an additional device.
show text on navigation icons preferences en Show text on navigation icons
show_more_apps common en Show more applications
singlesignon and passwords preferences en SingleSignOn and passwords
small paragraph preferences en Small Paragraph
special characters preferences en Special characters
spellchecker language addressbook en Spellchecker language
stay open preferences en Stay open
stay open, but not for email preferences en Stay open, but not for email
store password retrievable for singlesignon common en Store password retrievable for SingleSignOn
text editor settings preferences en Text editor settings
text only preferences en Text only
the default application will be started when you enter egroupware or click on the homepage icon.<br>you can also have more than one application showing up on the homepage, if you don't choose a specific application here (has to be configured in the preferences of each application). preferences en The default application will be started when you enter EGroupware or click on the Home icon.<br>More than one application scan be shown on the home page, if nothing is selected here. It has to be configured in the preferences of each application.

View File

@ -8,14 +8,21 @@
<column/>
</columns>
<rows>
<row>
<row disabled="@nopasswordchange">
<et2-description value="Enter your new password"></et2-description>
<et2-password id="n_passwd" class="et2_required" suggest="16" autocomplete="new-password"></et2-password>
</row>
<row>
<row disabled="@nopasswordchange">
<et2-description value="Re-enter your password"></et2-description>
<et2-password id="n_passwd_2" class="et2_required"></et2-password>
</row>
<row disabled="!@store_password_for_sso">
<et2-groupbox summary="SingleSignOn and passwords" span="all" style="padding-top: 10px">
<et2-checkbox id="store-password-for-sso" label="Store password retrievable for SingleSignOn" style="padding: 8px"></et2-checkbox>
<et2-description value="Logging in via SingleSignOn does not provide a password to pass it on to mail- or file-servers." style="padding-top: 4px; padding-bottom: 8px"></et2-description>
<et2-description value="If enabled, your entered password will be stored and passed on to other server, when you login via SSO."></et2-description>
</et2-groupbox>
</row>
</rows>
</grid>
</template>