egroupware/preferences/inc/class.preferences_password.inc.php

321 lines
9.9 KiB
PHP

<?php
/**
* EGroupware preferences: Security and passwords
*
* @package preferences
* @link http://www.egroupware.org
* @author Joseph Engo <jengo@phpgroupware.org>
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
*/
use EGroupware\Api;
use EGroupware\Api\Framework;
use EGroupware\Api\Etemplate;
use PragmaRX\Google2FAQRCode\Google2FA;
use EGroupware\Api\Mail\Credentials;
/**
* Security and passwords
*
* Other apps can add tabs to this popup by implementing the "preferences_security" hook
* like eg. the OpenID App does to allow users to revoke tokens.
*/
class preferences_password
{
var $public_functions = array(
'change' => True
);
const GAUTH_ANDROID = 'https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2';
const GAUTH_IOS = 'https://appstore.com/googleauthenticator';
/**
* Change password, two factor auth or revoke tokens
*
* @param type $content
*/
function change($content = null)
{
if ($GLOBALS['egw']->acl->check('nopasswordchange', 1))
{
Framework::window_close('Password change is disabled!');
}
$GLOBALS['egw_info']['flags']['app_header'] = lang('Change your password');
$tmpl = new Etemplate('preferences.password');
$readonlys = $sel_options = [];
try {
// PHP 7.1+: using SVG image backend (requiring XMLWriter) and not ImageMagic extension
if (class_exists('BaconQrCode\Renderer\Image\SvgImageBackEnd'))
{
$image_backend = new \BaconQrCode\Renderer\Image\SvgImageBackEnd;
}
$google2fa = new Google2FA($image_backend);
$prefs = new Api\Preferences($GLOBALS['egw_info']['user']['account_id']);
$prefs->read_repository();
if (!is_array($content))
{
$content = [];
$content['2fa'] = $this->generateQRCode($google2fa)+[
'gauth_android' => self::GAUTH_ANDROID,
'gauth_ios' => self::GAUTH_IOS,
];
}
else
{
$secret_key = $content['2fa']['secret_key'];
unset($content['2fa']['secret_key']);
// check user password for everything but password change, where it will be checked anyway
$auth = new Api\Auth();
if ($content['tabs'] !== 'change_password' &&
!$auth->authenticate($GLOBALS['egw_info']['user']['account_lid'], $content['password']))
{
$tmpl->set_validation_error('password', lang('Password is invalid'));
}
else
{
switch($content['tabs'])
{
case 'change_password':
if ($content['button']['save'])
{
if (($errors = self::do_change($content['password'], $content['n_passwd'], $content['n_passwd_2'])))
{
Framework::message(implode("\n", $errors), 'error');
}
else
{
Framework::refresh_opener(lang('Password changed'), 'preferences');
Framework::window_close();
}
}
break;
case 'two_factor_auth':
switch(key($content['2fa']['action']))
{
case 'show':
$content['2fa'] = $this->generateQRCode($google2fa, false);
break;
case 'reset':
$content['2fa'] = $this->generateQRCode($google2fa, true);
Framework::message(lang('New secret generated, you need to save it to disable the old one!'));
break;
case 'disable':
if (Credentials::delete(0, $GLOBALS['egw_info']['user']['account_id'], Credentials::TWOFA))
{
Framework::refresh_opener(lang('Secret deleted, two factor authentication disabled.'), 'preferences');
Framework::window_close();
}
else
{
Framework::message(lang('Failed to delete secret!'), 'error');
}
break;
default: // no action, save secret
if (!$google2fa->verifyKey($secret_key, $content['2fa']['code']))
{
$tmpl->set_validation_error('code', lang('Code is invalid'), '2fa');
break 2;
}
if (($content['2fa']['cred_id'] = Credentials::write(0,
$GLOBALS['egw_info']['user']['account_lid'],
$secret_key, Credentials::TWOFA,
$GLOBALS['egw_info']['user']['account_id'],
$content['2fa']['cred_id'])))
{
Framework::refresh_opener(lang('Two Factor Auth enabled.'), 'preferences');
Framework::window_close();
}
else
{
Framework::message(lang('Failed to store secret!'), 'error');
}
break;
}
unset($content['2fa']['action']);
break;
default:
// for other tabs call their save_callback (user password is already checked!)
if (!empty($content['save_callbacks'][$content['tabs']]) &&
($msg = call_user_func_array($content['save_callbacks'][$content['tabs']], [&$content])))
{
Framework::message($msg, 'success');
}
break;
}
}
}
}
catch (Exception $e) {
Framework::message($e->getMessage(), 'error');
}
// disable 2FA tab, if admin disabled it
if ($GLOBALS['egw_info']['server']['2fa_required'] === 'disabled')
{
$readonlys['tabs']['two_factor_auth'] = true;
}
$preserve = [
'2fa' => $content['2fa']+[
'secret_key' => $secret_key,
]
];
$tmpl->setElementAttribute('tabs', 'add_tabs', true);
$tabs =& $tmpl->getElementAttribute('tabs', 'tabs');
if (($first_call = !isset($tabs)))
{
$tabs = array();
}
// register hooks, if openid is available, but new hook not yet registered (should be removed after 19.1)
if (!empty($GLOBALS['egw_info']['apps']['openid']) && !Api\Hooks::implemented('preferences_security'))
{
Api\Hooks::read(true);
}
$hook_data = Api\Hooks::process(array('location' => 'preferences_security')+$content, ['openid'], true);
foreach($hook_data as $extra_tabs)
{
if (!$extra_tabs) continue;
foreach(isset($extra_tabs[0]) ? $extra_tabs : [$extra_tabs] as $extra_tab)
{
if (!empty($extra_tab['data']) && is_array($extra_tab['data']))
{
$content = array_merge($content, $extra_tab['data']);
}
if (!empty($extra_tab['preserve']) && is_array($extra_tab['preserve']))
{
$preserve = array_merge($preserve, $extra_tab['preserve']);
}
if (!empty($extra_tab['sel_options']) && is_array($extra_tab['sel_options']))
{
$sel_options = array_merge($sel_options, $extra_tab['sel_options']);
}
if (!empty($extra_tab['readonlys']) && is_array($extra_tab['readonlys']))
{
$readonlys = array_merge($readonlys, $extra_tab['readonlys']);
}
if (!empty($extra_tab['save_callback']))
{
$preserve['save_callbacks'][$extra_tab['name']] = $extra_tab['save_callback'];
}
// we must NOT add tabs more then once!
if ($first_call && !empty($extra_tab['label']) && !empty($extra_tab['name']))
{
$tabs[] = array(
'label' => $extra_tab['label'],
'template' => $extra_tab['name'],
'prepend' => $extra_tab['prepend'],
);
}
//error_log(__METHOD__."() changed tabs=".array2string($tabs));
}
}
$tmpl->exec('preferences.preferences_password.change', $content, $sel_options, $readonlys, $preserve, 2);
}
/**
* Generate QRCode and optional new secret
*
* @param Google2FA $google2fa
* @param boolean|null $generate =null null: generate new qrCode/secret, if none exists
* true: allways generate new qrCode (to reset existing one)
* false: use existing secret, but generate qrCode
* @return array with keys "qrc" and "cred_id"
*/
protected function generateQRCode(Google2FA $google2fa, $generate=null)
{
$creds = Credentials::read(0, Credentials::TWOFA, $GLOBALS['egw_info']['user']['account_id']);
if (!$generate && $creds && strlen($creds['2fa_password']) >= 16)
{
$secret_key = $creds['2fa_password'];
}
else
{
$secret_key = $google2fa->generateSecretKey();//16, $GLOBALS['egw_info']['user']['account_lid']);
}
if (isset($generate) || empty($creds))
{
$image = $google2fa->getQRCodeInline(
!empty($GLOBALS['egw_info']['server']['site_title']) ?
$GLOBALS['egw_info']['server']['site_title'] : 'EGroupware',
$GLOBALS['egw_info']['user']['account_email'],
$secret_key
);
// bacon/bacon-qr-code >= 2 does not generate a data-url itself, but 1.x does :(
if (substr($image, 0, 11) !== 'data:image/')
{
$image = 'data:image/'.(substr($image, 0, 5) === '<?xml' ? 'svg+xml' : 'png').
';base64,'.base64_encode($image);
}
}
return [
'qrc' => $image,
'hide_qrc' => empty($image),
'cred_id' => !empty($creds) ? $creds['2fa_cred_id'] : null,
'secret_key' => $secret_key,
'status' => !empty($creds) ? lang('Two Factor Auth is already setup.') : '',
];
}
/**
* Do some basic checks and then change password
*
* @param string $old_passwd
* @param string $new_passwd
* @param string $new_passwd2
* @return array with already translated errors
*/
public static function do_change($old_passwd, $new_passwd, $new_passwd2)
{
if ($GLOBALS['egw_info']['flags']['currentapp'] != 'preferences')
{
Api\Translation::add_app('preferences');
}
$errors = array();
if (isset($GLOBALS['egw_info']['user']['passwd']) &&
$old_passwd !== $GLOBALS['egw_info']['user']['passwd'])
{
$errors[] = lang('The old password is not correct');
}
if ($new_passwd != $new_passwd2)
{
$errors[] = lang('The two passwords are not the same');
}
if ($old_passwd !== false && $old_passwd == $new_passwd)
{
$errors[] = lang('Old password and new password are the same. This is invalid. You must enter a new password');
}
if (!$new_passwd)
{
$errors[] = lang('You must enter a password');
}
// allow auth backends or configured password strenght to throw exceptions and display there message
if (!$errors)
{
try {
if (!$GLOBALS['egw']->auth->change_password($old_passwd, $new_passwd,
$GLOBALS['egw']->session->account_id))
{
// if we have no specific error, add general message
$errors[] = lang('Failed to change password.');
}
}
catch (Exception $e) {
$errors[] = $e->getMessage();
}
}
return $errors;
}
}