holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* API/CheckPasswordAge: new approach to the issue, as we have to take into account that the timestamp of the last password change may not be provided by the auth system. We fetch the timestamp from the authsystem if the method is implemented for the auth method configured (instead of juggling with account_lastpasswd_change or account_lastpwd_change)

Browse Source
This commit is contained in:
Klaus Leithoff 2011-09-22 15:29:41 +00:00
parent c26fcffda7
commit afb4dff864
3 changed files with 166 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
phpgwapi/inc/class.auth.inc.php
View File

@ -69,14 +69,39 @@ class auth
{
// dont check anything for anonymous sessions/ users that are flagged as anonymous
if (is_object($GLOBALS['egw']->session) && $GLOBALS['egw']->session->session_flags == 'A') return true;
// some statics (and initialisation to make information and timecalculation a) more readable in conditions b) persistent per request
// if user has to be warned about an upcomming passwordchange, remember for the session, that he was informed
static $UserKnowsAboutPwdChange;
if (is_null($UserKnowsAboutPwdChange)) $UserKnowsAboutPwdChange =& egw_cache::getSession('phpgwapi','auth_UserKnowsAboutPwdChange');
// some statics to make information and timecalculation a) more readable in conditions b) persistent per request
// retrieve the timestamp regarding the last change of the password from auth system and store it with the session
static $alpwchange_val;
static $pwdTsChecked;
if (is_null($pwdTsChecked) && is_null($alpwchange_val))
{
$alpwchange_val =& egw_cache::getSession('phpgwapi','auth_alpwchange_val'); // set that one with the session stored value
// initalize statics - better readability of conditions
if (is_null($alpwchange_val))
{
$backend_class = 'auth_'.$GLOBALS['egw_info']['server']['auth_type'];
$backend = new $backend_class;
// this may change behavior, as it should detect forced PasswordChanges from your Authentication System too.
// on the other side, if your auth system does not require an forcedPasswordChange, you will not be asked.
if (method_exists($backend,'getLastPwdChange'))
{
$alpwchange_val = $backend->getLastPwdChange($GLOBALS['egw_info']['user']['account_lid']);
$pwdTsChecked = true;
}
// if your authsystem does not provide that information, its likely, that you cannot change your password there,
// thus checking for expiration, is not needed
if ($alpwchange_val === false)
{
$alpwchange_val = null;
}
//error_log(__METHOD__.__LINE__.'#'.$alpwchange_val.'# is null:'.is_null($alpwchange_val).'# is empty:'.empty($alpwchange_val).'# is set:'.isset($alpwchange_val));
}
}
static $passwordAgeBorder;
static $daysLeftUntilChangeReq;
// current style name for account last password change timestamp
$alpwchange='account_lastpwd_change';
// some debug output and develop options to move the horizons and warn levels around
//$GLOBALS['egw_info']['server']['change_pwd_every_x_days'] =35;
//$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change']=5;
@ -84,28 +109,12 @@ class auth
//echo "User changed password at:".egw_time::to($GLOBALS['egw_info']['user'][$alpwchange]).'<br>';
//echo "User password is ".((egw_time::to('now','ts')-$GLOBALS['egw_info']['user'][$alpwchange])/86400)." days old<br>";
//echo "Users must change passwords every ".$GLOBALS['egw_info']['server']['change_pwd_every_x_days'].' days ('.($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400).') seconds.<br>';
//error_log(__METHOD__.__LINE__.'#'.$alpwchange_val.'# is null:'.is_null($alpwchange_val).'# is empty:'.empty($alpwchange_val).'# is set:'.isset($alpwchange_val));
//echo egw_time::to('now','ts')-($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400).'<br>';
// if neither timestamp isset return true, nothing to do (exept this means the password is too old)
if (!isset($GLOBALS['egw_info']['user']['account_lastpasswd_change']) &&
!isset($GLOBALS['egw_info']['user'][$alpwchange]) &&
if (is_null($alpwchange_val) &&
empty($GLOBALS['egw_info']['server']['change_pwd_every_x_days'])
) return true;
if ($GLOBALS['egw_info']['user']['account_lastpasswd_change'] && !$GLOBALS['egw_info']['user'][$alpwchange])
{
// use old style names, as the current one seems not to be set.
$alpwchange = 'account_lastpasswd_change';
}
// initalize statics - better readability of conditions
if (is_null($alpwchange_val))
{
$backend_class = 'auth_'.$GLOBALS['egw_info']['server']['auth_type'];
$backend = new $backend_class;
// this may change behavior, as it should detect forced PasswordChanges from your Authentication System too.
// on the other side, if your auth system does not require an forcedPasswordChange, you will not be asked.
if (method_exists($backend,'getLastPwdChange')) $alpwchange_val = $backend->getLastPwdChange($GLOBALS['egw_info']['user']['account_lid']);
if (is_null($alpwchange_val) || $alpwchange_val === false) $alpwchange_val = $GLOBALS['egw_info']['user'][$alpwchange];
}
if (is_null($passwordAgeBorder) && $GLOBALS['egw_info']['server']['change_pwd_every_x_days'])
{
$passwordAgeBorder = (egw_time::to('now','ts')-($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400));
@ -113,7 +122,7 @@ class auth
if (is_null($daysLeftUntilChangeReq) && $GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'])
{
// maxage - passwordage = days left until change is required
$daysLeftUntilChangeReq = ($GLOBALS['egw_info']['server']['change_pwd_every_x_days'] - ((egw_time::to('now','ts')-$alpwchange_val)/86400));
$daysLeftUntilChangeReq = ($GLOBALS['egw_info']['server']['change_pwd_every_x_days'] - ((egw_time::to('now','ts')-($alpwchange_val?$alpwchange_val:0))/86400));
}
//echo "Warn about the upcomming change ".$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'].' days before that time is reached<br>';
//$result = $GLOBALS['egw_info']['server']['change_pwd_every_x_days'] - $daysLeftUntilChangeReq;
@ -135,30 +144,33 @@ class auth
{
if ($GLOBALS['egw']->acl->check('nopasswordchange', 1, 'preferences')) return true; // user has no rights to change password
if ($UserKnowsAboutPwdChange === true && !($passwordAgeBorder > $alpwchange_val || $alpwchange_val==0)) return true; // user has already been informed about the upcomming password expiration
if ($alpwchange_val == 0)
if (!is_null($alpwchange_val))
{
$message = lang('an admin required that you must change your password upon login.');
if ($alpwchange_val == 0)
{
$message = lang('an admin required that you must change your password upon login.');
}
elseif (($passwordAgeBorder < $alpwchange_val) ||
(
$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'] &&
$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'] > $daysLeftUntilChangeReq &&
$daysLeftUntilChangeReq > 0
)
)
{
$UserKnowsAboutPwdChange = true;
$message = lang('your password is about to expire in %1 days, you may change your password now',round($daysLeftUntilChangeReq));
}
elseif ($passwordAgeBorder > $alpwchange_val && $alpwchange_val > 0)
{
error_log(__METHOD__.' Password of '.$GLOBALS['egw_info']['user']['account_lid'].' ('.$GLOBALS['egw_info']['user']['account_fullname'].') is of old age.'.array2string(array(
'ts'=>$GLOBALS['egw_info']['user']['account_lastpwd_change'],
'date'=>egw_time::to($GLOBALS['egw_info']['user']['account_lastpwd_change']))));
$message = lang('it has been more then %1 days since you changed your password',$GLOBALS['egw_info']['server']['change_pwd_every_x_days']);
}
if ($GLOBALS['egw_info']['user']['apps']['password']) egw::redirect_link('/preferences/password.php',array('message'=>$message));
egw::redirect_link('/index.php',array('menuaction'=>'preferences.uipassword.change','message'=>$message));
}
elseif (($passwordAgeBorder < $alpwchange_val) ||
(
$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'] &&
$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'] > $daysLeftUntilChangeReq &&
$daysLeftUntilChangeReq > 0
)
)
{
$UserKnowsAboutPwdChange = true;
$message = lang('your password is about to expire in %1 days, you may change your password now',round($daysLeftUntilChangeReq));
}
elseif ($passwordAgeBorder > $alpwchange_val && $alpwchange_val > 0)
{
error_log(__METHOD__.' Password of '.$GLOBALS['egw_info']['user']['account_lid'].' ('.$GLOBALS['egw_info']['user']['account_fullname'].') is of old age.'.array2string(array(
'ts'=>$GLOBALS['egw_info']['user']['account_lastpwd_change'],
'date'=>egw_time::to($GLOBALS['egw_info']['user']['account_lastpwd_change']))));
$message = lang('it has been more then %1 days since you changed your password',$GLOBALS['egw_info']['server']['change_pwd_every_x_days']);
}
if ($GLOBALS['egw_info']['user']['apps']['password']) egw::redirect_link('/preferences/password.php',array('message'=>$message));
egw::redirect_link('/index.php',array('menuaction'=>'preferences.uipassword.change','message'=>$message));
}
return true;
}

58
phpgwapi/inc/class.auth_fallback.inc.php
View File

@ -52,12 +52,12 @@ class auth_fallback implements auth_backend
{
if ($this->primary_backend->authenticate($username, $passwd, $passwd_type))
{
egw_cache::setSession(__CLASS__,'backend_used','primary');
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'primary');
return true;
}
if ($this->fallback_backend->authenticate($username,$passwd, $passwd_type))
{
egw_cache::setSession(__CLASS__,'backend_used','fallback');
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'fallback');
return true;
}
return false;
@ -76,10 +76,62 @@ class auth_fallback implements auth_backend
*/
function change_password($old_passwd, $new_passwd, $account_id=0)
{
if (egw_cache::getSession(__CLASS__,'backend_used') == 'primary')
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
{
$admin = False;
$account_id = $GLOBALS['egw_info']['user']['account_id'];
$username = $GLOBALS['egw_info']['user']['account_lid'];
}
else
{
$username = $GLOBALS['egw']->accounts->id2name($account_id);
}
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
{
return $this->primary_backend->change_password($old_passwd, $new_passwd, $account_id);
}
return $this->fallback_backend->change_password($old_passwd, $new_passwd, $account_id);
}
/**
* fetch the last pwd change for the user
*
* @param string $username username of account to authenticate
* @return mixed false or account_lastpwd_change
*/
function getLastPwdChange($username)
{
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
{
return false;
}
return $this->fallback_backend->getLastPwdChange($username);
}
/**
* changes account_lastpwd_change in sql datababse
*
* @param int $account_id account id of user whose passwd should be changed
* @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
* @param int $lastpwdchange must be a unixtimestamp
* @return boolean true if account_lastpwd_change successful changed, false otherwise
*/
function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
{
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
{
$admin = False;
$account_id = $GLOBALS['egw_info']['user']['account_id'];
$username = $GLOBALS['egw_info']['user']['account_lid'];
}
else
{
$username = $GLOBALS['egw']->accounts->id2name($account_id);
}
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
{
return false;
}
return $this->fallback_backend->setLastPwdChange($account_id, $passwd, $lastpwdchange);
}
}

58
phpgwapi/inc/class.auth_fallbackmail2sql.inc.php
View File

@ -52,12 +52,12 @@ class auth_fallbackmail2sql implements auth_backend
{
if ($this->primary_backend->authenticate($username, $passwd, $passwd_type))
{
egw_cache::setSession(__CLASS__,'backend_used','primary');
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'primary');
return true;
}
if ($this->fallback_backend->authenticate($username,$passwd, $passwd_type))
{
egw_cache::setSession(__CLASS__,'backend_used','fallback');
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'fallback');
return true;
}
return false;
@ -76,10 +76,62 @@ class auth_fallbackmail2sql implements auth_backend
*/
function change_password($old_passwd, $new_passwd, $account_id=0)
{
if (egw_cache::getSession(__CLASS__,'backend_used') == 'primary')
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
{
$admin = False;
$account_id = $GLOBALS['egw_info']['user']['account_id'];
$username = $GLOBALS['egw_info']['user']['account_lid'];
}
else
{
$username = $GLOBALS['egw']->accounts->id2name($account_id);
}
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
{
return false;
}
return $this->fallback_backend->change_password($old_passwd, $new_passwd, $account_id);
}
/**
* fetch the last pwd change for the user
*
* @param string $username username of account to authenticate
* @return mixed false or account_lastpwd_change
*/
function getLastPwdChange($username)
{
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
{
return false;
}
return $this->fallback_backend->getLastPwdChange($username);
}
/**
* changes account_lastpwd_change in sql datababse
*
* @param int $account_id account id of user whose passwd should be changed
* @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
* @param int $lastpwdchange must be a unixtimestamp
* @return boolean true if account_lastpwd_change successful changed, false otherwise
*/
function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
{
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
{
$admin = False;
$account_id = $GLOBALS['egw_info']['user']['account_id'];
$username = $GLOBALS['egw_info']['user']['account_lid'];
}
else
{
$username = $GLOBALS['egw']->accounts->id2name($account_id);
}
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
{
return false;
}
return $this->fallback_backend->setLastPwdChange($account_id, $passwd, $lastpwdchange);
}
}