diff options
author | blizzz <blizzz@arthur-schiwon.de> | 2017-04-24 12:17:04 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-04-24 12:17:04 +0200 |
commit | 42e805f0578b95206fdddabfe6234b0880c27b1e (patch) | |
tree | d9dc2870f2727ac0b35e95681ebc320222c5cc17 /apps/user_ldap/lib | |
parent | 3d671cc536b1b472c746fd4ea8f60135f4935a44 (diff) | |
parent | 5fa218051bb7cafe9acfdc223fe6a6d4605dacdc (diff) | |
download | nextcloud-server-42e805f0578b95206fdddabfe6234b0880c27b1e.tar.gz nextcloud-server-42e805f0578b95206fdddabfe6234b0880c27b1e.zip |
Merge pull request #1023 from GitHubUser4234/ldap_password_renew_pr
Handle password expiry in user_ldap
Diffstat (limited to 'apps/user_ldap/lib')
-rw-r--r-- | apps/user_ldap/lib/Access.php | 2 | ||||
-rw-r--r-- | apps/user_ldap/lib/AppInfo/Application.php | 52 | ||||
-rw-r--r-- | apps/user_ldap/lib/Command/Search.php | 2 | ||||
-rw-r--r-- | apps/user_ldap/lib/Configuration.php | 3 | ||||
-rw-r--r-- | apps/user_ldap/lib/Controller/RenewPasswordController.php | 180 | ||||
-rw-r--r-- | apps/user_ldap/lib/Exceptions/ConstraintViolationException.php | 2 | ||||
-rw-r--r-- | apps/user_ldap/lib/Helper.php | 3 | ||||
-rw-r--r-- | apps/user_ldap/lib/Jobs/CleanUp.php | 3 | ||||
-rw-r--r-- | apps/user_ldap/lib/Jobs/UpdateGroups.php | 3 | ||||
-rw-r--r-- | apps/user_ldap/lib/Migration/UUIDFixGroup.php | 3 | ||||
-rw-r--r-- | apps/user_ldap/lib/Notification/Notifier.php | 71 | ||||
-rw-r--r-- | apps/user_ldap/lib/Proxy.php | 5 | ||||
-rw-r--r-- | apps/user_ldap/lib/User/Manager.php | 34 | ||||
-rw-r--r-- | apps/user_ldap/lib/User/User.php | 129 | ||||
-rw-r--r-- | apps/user_ldap/lib/User_LDAP.php | 23 | ||||
-rw-r--r-- | apps/user_ldap/lib/User_Proxy.php | 6 |
16 files changed, 484 insertions, 37 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php index 959a8dd2b8e..973b23e81cc 100644 --- a/apps/user_ldap/lib/Access.php +++ b/apps/user_ldap/lib/Access.php @@ -1096,7 +1096,7 @@ class Access extends LDAPUtility implements IUserTools { * @param bool $skipHandling * @return array with the search result */ - private function search($filter, $base, $attr = null, $limit = null, $offset = null, $skipHandling = false) { + public function search($filter, $base, $attr = null, $limit = null, $offset = null, $skipHandling = false) { if($limit <= 0) { //otherwise search will fail $limit = null; diff --git a/apps/user_ldap/lib/AppInfo/Application.php b/apps/user_ldap/lib/AppInfo/Application.php new file mode 100644 index 00000000000..c3fa1ce9f94 --- /dev/null +++ b/apps/user_ldap/lib/AppInfo/Application.php @@ -0,0 +1,52 @@ +<?php +/** + * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de> + * + * @author Roger Szabo <roger.szabo@web.de> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\User_LDAP\AppInfo; + +use OCA\User_LDAP\Controller\RenewPasswordController; +use OCP\AppFramework\App; +use OCP\AppFramework\IAppContainer; + +class Application extends App { + public function __construct () { + parent::__construct('user_ldap'); + $container = $this->getContainer(); + + /** + * Controller + */ + $container->registerService('RenewPasswordController', function(IAppContainer $c) { + /** @var \OC\Server $server */ + $server = $c->query('ServerContainer'); + + return new RenewPasswordController( + $c->getAppName(), + $server->getRequest(), + $c->query('UserManager'), + $server->getConfig(), + $c->query('OCP\IL10N'), + $server->getURLGenerator() + ); + }); + } +} diff --git a/apps/user_ldap/lib/Command/Search.php b/apps/user_ldap/lib/Command/Search.php index 57970b1ac5d..463ad2eaeb4 100644 --- a/apps/user_ldap/lib/Command/Search.php +++ b/apps/user_ldap/lib/Command/Search.php @@ -120,7 +120,7 @@ class Search extends Command { $limit = null; } } else { - $proxy = new User_Proxy($configPrefixes, $ldapWrapper, $this->ocConfig); + $proxy = new User_Proxy($configPrefixes, $ldapWrapper, $this->ocConfig, \OC::$server->getNotificationManager()); $getMethod = 'getDisplayNames'; $printID = true; } diff --git a/apps/user_ldap/lib/Configuration.php b/apps/user_ldap/lib/Configuration.php index 65ee9c70807..654a63cdc73 100644 --- a/apps/user_ldap/lib/Configuration.php +++ b/apps/user_ldap/lib/Configuration.php @@ -93,6 +93,7 @@ class Configuration { 'ldapPagingSize' => null, 'turnOnPasswordChange' => false, 'ldapDynamicGroupMemberURL' => null, + 'ldapDefaultPPolicyDN' => null, ); /** @@ -457,6 +458,7 @@ class Configuration { 'ldap_turn_on_pwd_change' => 0, 'ldap_experienced_admin' => 0, 'ldap_dynamic_group_member_url' => '', + 'ldap_default_ppolicy_dn' => '', ); } @@ -514,6 +516,7 @@ class Configuration { 'ldap_turn_on_pwd_change' => 'turnOnPasswordChange', 'ldap_experienced_admin' => 'ldapExperiencedAdmin', 'ldap_dynamic_group_member_url' => 'ldapDynamicGroupMemberURL', + 'ldap_default_ppolicy_dn' => 'ldapDefaultPPolicyDN', ); return $array; } diff --git a/apps/user_ldap/lib/Controller/RenewPasswordController.php b/apps/user_ldap/lib/Controller/RenewPasswordController.php new file mode 100644 index 00000000000..4714c0646cd --- /dev/null +++ b/apps/user_ldap/lib/Controller/RenewPasswordController.php @@ -0,0 +1,180 @@ +<?php +/** + * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de> + * + * @author Roger Szabo <roger.szabo@web.de> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\User_LDAP\Controller; + +use OC\HintException; +use OC_Util; +use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\RedirectResponse; +use OCP\AppFramework\Http\TemplateResponse; +use OCP\IConfig; +use OCP\IL10N; +use OCP\IRequest; +use OCP\ISession; +use OCP\IURLGenerator; +use OCP\IUser; +use OCP\IUserManager; + +class RenewPasswordController extends Controller { + /** @var IUserManager */ + private $userManager; + /** @var IConfig */ + private $config; + /** @var IL10N */ + protected $l10n; + /** @var ISession */ + private $session; + /** @var IURLGenerator */ + private $urlGenerator; + + /** + * @param string $appName + * @param IRequest $request + * @param IUserManager $userManager + * @param IConfig $config + * @param IURLGenerator $urlGenerator + */ + function __construct($appName, IRequest $request, IUserManager $userManager, + IConfig $config, IL10N $l10n, ISession $session, IURLGenerator $urlGenerator) { + parent::__construct($appName, $request); + $this->userManager = $userManager; + $this->config = $config; + $this->l10n = $l10n; + $this->session = $session; + $this->urlGenerator = $urlGenerator; + } + + /** + * @PublicPage + * @NoCSRFRequired + * + * @return RedirectResponse + */ + public function cancel() { + return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm')); + } + + /** + * @PublicPage + * @NoCSRFRequired + * @UseSession + * + * @param string $user + * + * @return TemplateResponse|RedirectResponse + */ + public function showRenewPasswordForm($user) { + if($this->config->getUserValue($user, 'user_ldap', 'needsPasswordReset') !== 'true') { + return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm')); + } + $parameters = []; + $renewPasswordMessages = $this->session->get('renewPasswordMessages'); + $errors = []; + $messages = []; + if (is_array($renewPasswordMessages)) { + list($errors, $messages) = $renewPasswordMessages; + } + $this->session->remove('renewPasswordMessages'); + foreach ($errors as $value) { + $parameters[$value] = true; + } + + $parameters['messages'] = $messages; + $parameters['user'] = $user; + + $parameters['canResetPassword'] = true; + $parameters['resetPasswordLink'] = $this->config->getSystemValue('lost_password_link', ''); + if (!$parameters['resetPasswordLink']) { + $userObj = $this->userManager->get($user); + if ($userObj instanceof IUser) { + $parameters['canResetPassword'] = $userObj->canChangePassword(); + } + } + $parameters['cancelLink'] = $this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'); + + return new TemplateResponse( + $this->appName, 'renewpassword', $parameters, 'guest' + ); + } + + /** + * @PublicPage + * @UseSession + * + * @param string $user + * @param string $oldPassword + * @param string $newPassword + * + * @return RedirectResponse + */ + public function tryRenewPassword($user, $oldPassword, $newPassword) { + if($this->config->getUserValue($user, 'user_ldap', 'needsPasswordReset') !== 'true') { + return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm')); + } + $args = !is_null($user) ? ['user' => $user] : []; + $loginResult = $this->userManager->checkPassword($user, $oldPassword); + if ($loginResult === false) { + $this->session->set('renewPasswordMessages', [ + ['invalidpassword'], [] + ]); + return new RedirectResponse($this->urlGenerator->linkToRoute('user_ldap.renewPassword.showRenewPasswordForm', $args)); + } + + try { + if (!is_null($newPassword) && \OC_User::setPassword($user, $newPassword)) { + $this->session->set('loginMessages', [ + [], [$this->l10n->t("Please login with the new password")] + ]); + $this->session->remove('needPasswordRenewal'); + return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)); + } else { + $this->session->set('renewPasswordMessages', [ + ['internalexception'], [] + ]); + } + } catch (HintException $e) { + $this->session->set('renewPasswordMessages', [ + [], [$e->getHint()] + ]); + } + + return new RedirectResponse($this->urlGenerator->linkToRoute('user_ldap.renewPassword.showRenewPasswordForm', $args)); + } + + /** + * @PublicPage + * @NoCSRFRequired + * @UseSession + * + * @return RedirectResponse + */ + public function showLoginFormInvalidPassword($user) { + $args = !is_null($user) ? ['user' => $user] : []; + $this->session->set('loginMessages', [ + ['invalidpassword'], [] + ]); + return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)); + } + +} diff --git a/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php b/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php index 997b01b2d4e..586a80b9ebe 100644 --- a/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php +++ b/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php @@ -1,6 +1,6 @@ <?php /** - * @copyright Copyright (c) 2016 Roger Szabo <roger.szabo@web.de> + * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de> * * @author Roger Szabo <roger.szabo@web.de> * diff --git a/apps/user_ldap/lib/Helper.php b/apps/user_ldap/lib/Helper.php index f1186ffa310..83b2f05f1d2 100644 --- a/apps/user_ldap/lib/Helper.php +++ b/apps/user_ldap/lib/Helper.php @@ -293,9 +293,10 @@ class Helper { $configPrefixes = $helper->getServerConfigurationPrefixes(true); $ldapWrapper = new LDAP(); $ocConfig = \OC::$server->getConfig(); + $notificationManager = \OC::$server->getNotificationManager(); $userBackend = new User_Proxy( - $configPrefixes, $ldapWrapper, $ocConfig + $configPrefixes, $ldapWrapper, $ocConfig, $notificationManager ); $uid = $userBackend->loginName2UserName($param['uid'] ); if($uid !== false) { diff --git a/apps/user_ldap/lib/Jobs/CleanUp.php b/apps/user_ldap/lib/Jobs/CleanUp.php index e69d24dfd06..a4dd4ba32ad 100644 --- a/apps/user_ldap/lib/Jobs/CleanUp.php +++ b/apps/user_ldap/lib/Jobs/CleanUp.php @@ -98,7 +98,8 @@ class CleanUp extends TimedJob { $this->userBackend = new User_Proxy( $this->ldapHelper->getServerConfigurationPrefixes(true), new LDAP(), - $this->ocConfig + $this->ocConfig, + \OC::$server->getNotificationManager() ); } diff --git a/apps/user_ldap/lib/Jobs/UpdateGroups.php b/apps/user_ldap/lib/Jobs/UpdateGroups.php index b4259425fcc..4c9a06a5f68 100644 --- a/apps/user_ldap/lib/Jobs/UpdateGroups.php +++ b/apps/user_ldap/lib/Jobs/UpdateGroups.php @@ -185,7 +185,8 @@ class UpdateGroups extends \OC\BackgroundJob\TimedJob { \OC::$server->getAvatarManager(), new \OCP\Image(), $dbc, - \OC::$server->getUserManager()); + \OC::$server->getUserManager(), + \OC::$server->getNotificationManager()); $connector = new Connection($ldapWrapper, $configPrefixes[0]); $ldapAccess = new Access($connector, $ldapWrapper, $userManager, $helper); $groupMapper = new GroupMapping($dbc); diff --git a/apps/user_ldap/lib/Migration/UUIDFixGroup.php b/apps/user_ldap/lib/Migration/UUIDFixGroup.php index cbc38366984..6aacb37257e 100644 --- a/apps/user_ldap/lib/Migration/UUIDFixGroup.php +++ b/apps/user_ldap/lib/Migration/UUIDFixGroup.php @@ -32,6 +32,7 @@ use OCP\IConfig; class UUIDFixGroup extends UUIDFix { public function __construct(GroupMapping $mapper, LDAP $ldap, IConfig $config, Helper $helper) { $this->mapper = $mapper; - $this->proxy = new User_Proxy($helper->getServerConfigurationPrefixes(true), $ldap, $config); + $this->proxy = new User_Proxy($helper->getServerConfigurationPrefixes(true), $ldap, $config, + \OC::$server->getNotificationManager()); } } diff --git a/apps/user_ldap/lib/Notification/Notifier.php b/apps/user_ldap/lib/Notification/Notifier.php new file mode 100644 index 00000000000..a6053cfcb19 --- /dev/null +++ b/apps/user_ldap/lib/Notification/Notifier.php @@ -0,0 +1,71 @@ +<?php +/** + * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de> + * + * @author Roger Szabo <roger.szabo@web.de> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\User_LDAP\Notification; + + +use OCP\IUser; +use OCP\IUserManager; +use OCP\L10N\IFactory; +use OCP\Notification\INotification; +use OCP\Notification\INotifier; + +class Notifier implements INotifier { + + /** @var IFactory */ + protected $l10nFactory; + + /** + * @param IFactory $l10nFactory + */ + public function __construct(\OCP\L10N\IFactory $l10nFactory) { + $this->l10nFactory = $l10nFactory; + } + + /** + * @param INotification $notification + * @param string $languageCode The code of the language that should be used to prepare the notification + * @return INotification + * @throws \InvalidArgumentException When the notification was not prepared by a notifier + */ + public function prepare(INotification $notification, $languageCode) { + if ($notification->getApp() !== 'user_ldap') { + // Not my app => throw + throw new \InvalidArgumentException(); + } + + // Read the language from the notification + $l = $this->l10nFactory->get('user_ldap', $languageCode); + + switch ($notification->getSubject()) { + // Deal with known subjects + case 'pwd_exp_warn_days': + $notification->setParsedSubject($l->t('Your password will expire within %s day(s).', $notification->getSubjectParameters())); + return $notification; + + default: + // Unknown subject => Unknown notification => throw + throw new \InvalidArgumentException(); + } + } +} diff --git a/apps/user_ldap/lib/Proxy.php b/apps/user_ldap/lib/Proxy.php index 7f998314e20..96bb670b789 100644 --- a/apps/user_ldap/lib/Proxy.php +++ b/apps/user_ldap/lib/Proxy.php @@ -64,6 +64,7 @@ abstract class Proxy { static $groupMap; static $db; static $coreUserManager; + static $coreNotificationManager; if(is_null($fs)) { $ocConfig = \OC::$server->getConfig(); $fs = new FilesystemHelper(); @@ -73,9 +74,11 @@ abstract class Proxy { $userMap = new UserMapping($db); $groupMap = new GroupMapping($db); $coreUserManager = \OC::$server->getUserManager(); + $coreNotificationManager = \OC::$server->getNotificationManager(); } $userManager = - new Manager($ocConfig, $fs, $log, $avatarM, new \OCP\Image(), $db, $coreUserManager); + new Manager($ocConfig, $fs, $log, $avatarM, new \OCP\Image(), $db, + $coreUserManager, $coreNotificationManager); $connector = new Connection($this->ldap, $configPrefix); $access = new Access($connector, $this->ldap, $userManager, new Helper(\OC::$server->getConfig())); $access->setUserMapper($userMap); diff --git a/apps/user_ldap/lib/User/Manager.php b/apps/user_ldap/lib/User/Manager.php index 18430a90cc7..ea4d071b646 100644 --- a/apps/user_ldap/lib/User/Manager.php +++ b/apps/user_ldap/lib/User/Manager.php @@ -34,6 +34,7 @@ use OCP\IConfig; use OCP\IDBConnection; use OCP\Image; use OCP\IUserManager; +use OCP\Notification\IManager as INotificationManager; /** * Manager @@ -51,6 +52,12 @@ class Manager { /** @var IDBConnection */ protected $db; + /** @var IUserManager */ + protected $userManager; + + /** @var INotificationManager */ + protected $notificationManager; + /** @var FilesystemHelper */ protected $ocFilesystem; @@ -85,17 +92,19 @@ class Manager { public function __construct(IConfig $ocConfig, FilesystemHelper $ocFilesystem, LogWrapper $ocLog, IAvatarManager $avatarManager, Image $image, - IDBConnection $db, IUserManager $userManager) { - - $this->ocConfig = $ocConfig; - $this->ocFilesystem = $ocFilesystem; - $this->ocLog = $ocLog; - $this->avatarManager = $avatarManager; - $this->image = $image; - $this->db = $db; - $this->userManager = $userManager; - $this->usersByDN = new CappedMemoryCache(); - $this->usersByUid = new CappedMemoryCache(); + IDBConnection $db, IUserManager $userManager, + INotificationManager $notificationManager) { + + $this->ocConfig = $ocConfig; + $this->ocFilesystem = $ocFilesystem; + $this->ocLog = $ocLog; + $this->avatarManager = $avatarManager; + $this->image = $image; + $this->db = $db; + $this->userManager = $userManager; + $this->notificationManager = $notificationManager; + $this->usersByDN = new CappedMemoryCache(); + $this->usersByUid = new CappedMemoryCache(); } /** @@ -118,7 +127,8 @@ class Manager { $this->checkAccess(); $user = new User($uid, $dn, $this->access, $this->ocConfig, $this->ocFilesystem, clone $this->image, $this->ocLog, - $this->avatarManager, $this->userManager); + $this->avatarManager, $this->userManager, + $this->notificationManager); $this->usersByDN[$dn] = $user; $this->usersByUid[$uid] = $user; return $user; diff --git a/apps/user_ldap/lib/User/User.php b/apps/user_ldap/lib/User/User.php index 4419c4983d4..a9e7eb6cc0c 100644 --- a/apps/user_ldap/lib/User/User.php +++ b/apps/user_ldap/lib/User/User.php @@ -7,6 +7,7 @@ * @author Morris Jobke <hey@morrisjobke.de> * @author Thomas Müller <thomas.mueller@tmit.eu> * @author Jörn Friedrich Dreyer <jfd@butonic.de> + * @author Roger Szabo <roger.szabo@web.de> * * @license AGPL-3.0 * @@ -34,6 +35,7 @@ use OCP\IConfig; use OCP\Image; use OCP\IUserManager; use OCP\Util; +use OCP\Notification\IManager as INotificationManager; /** * User @@ -74,6 +76,10 @@ class User { */ protected $userManager; /** + * @var INotificationManager + */ + protected $notificationManager; + /** * @var string */ protected $dn; @@ -108,11 +114,13 @@ class User { * @param LogWrapper $log * @param IAvatarManager $avatarManager * @param IUserManager $userManager + * @param INotificationManager $notificationManager */ public function __construct($username, $dn, IUserTools $access, IConfig $config, FilesystemHelper $fs, Image $image, - LogWrapper $log, IAvatarManager $avatarManager, IUserManager $userManager) { - + LogWrapper $log, IAvatarManager $avatarManager, IUserManager $userManager, + INotificationManager $notificationManager) { + if ($username === null) { $log->log("uid for '$dn' must not be null!", Util::ERROR); throw new \InvalidArgumentException('uid must not be null!'); @@ -121,16 +129,19 @@ class User { throw new \InvalidArgumentException('uid must not be an empty string!'); } - $this->access = $access; - $this->connection = $access->getConnection(); - $this->config = $config; - $this->fs = $fs; - $this->dn = $dn; - $this->uid = $username; - $this->image = $image; - $this->log = $log; - $this->avatarManager = $avatarManager; - $this->userManager = $userManager; + $this->access = $access; + $this->connection = $access->getConnection(); + $this->config = $config; + $this->fs = $fs; + $this->dn = $dn; + $this->uid = $username; + $this->image = $image; + $this->log = $log; + $this->avatarManager = $avatarManager; + $this->userManager = $userManager; + $this->notificationManager = $notificationManager; + + \OCP\Util::connectHook('OC_User', 'post_login', $this, 'handlePasswordExpiry'); } /** @@ -587,4 +598,98 @@ class User { } } + /** + * called by a post_login hook to handle password expiry + * + * @param array $params + */ + public function handlePasswordExpiry($params) { + $ppolicyDN = $this->connection->ldapDefaultPPolicyDN; + if (empty($ppolicyDN) || (intval($this->connection->turnOnPasswordChange) !== 1)) { + return;//password expiry handling disabled + } + $uid = $params['uid']; + if(isset($uid) && $uid === $this->getUsername()) { + //retrieve relevant user attributes + $result = $this->access->search('objectclass=*', $this->dn, ['pwdpolicysubentry', 'pwdgraceusetime', 'pwdreset', 'pwdchangedtime']); + + if(array_key_exists('pwdpolicysubentry', $result[0])) { + $pwdPolicySubentry = $result[0]['pwdpolicysubentry']; + if($pwdPolicySubentry && (count($pwdPolicySubentry) > 0)){ + $ppolicyDN = $pwdPolicySubentry[0];//custom ppolicy DN + } + } + + $pwdGraceUseTime = array_key_exists('pwdgraceusetime', $result[0]) ? $result[0]['pwdgraceusetime'] : null; + $pwdReset = array_key_exists('pwdreset', $result[0]) ? $result[0]['pwdreset'] : null; + $pwdChangedTime = array_key_exists('pwdchangedtime', $result[0]) ? $result[0]['pwdchangedtime'] : null; + + //retrieve relevant password policy attributes + $cacheKey = 'ppolicyAttributes' . $ppolicyDN; + $result = $this->connection->getFromCache($cacheKey); + if(is_null($result)) { + $result = $this->access->search('objectclass=*', $ppolicyDN, ['pwdgraceauthnlimit', 'pwdmaxage', 'pwdexpirewarning']); + $this->connection->writeToCache($cacheKey, $result); + } + + $pwdGraceAuthNLimit = array_key_exists('pwdgraceauthnlimit', $result[0]) ? $result[0]['pwdgraceauthnlimit'] : null; + $pwdMaxAge = array_key_exists('pwdmaxage', $result[0]) ? $result[0]['pwdmaxage'] : null; + $pwdExpireWarning = array_key_exists('pwdexpirewarning', $result[0]) ? $result[0]['pwdexpirewarning'] : null; + + //handle grace login + $pwdGraceUseTimeCount = count($pwdGraceUseTime); + if($pwdGraceUseTime && $pwdGraceUseTimeCount > 0) { //was this a grace login? + if($pwdGraceAuthNLimit + && (count($pwdGraceAuthNLimit) > 0) + &&($pwdGraceUseTimeCount < intval($pwdGraceAuthNLimit[0]))) { //at least one more grace login available? + $this->config->setUserValue($uid, 'user_ldap', 'needsPasswordReset', 'true'); + header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute( + 'user_ldap.renewPassword.showRenewPasswordForm', array('user' => $uid))); + } else { //no more grace login available + header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute( + 'user_ldap.renewPassword.showLoginFormInvalidPassword', array('user' => $uid))); + } + exit(); + } + //handle pwdReset attribute + if($pwdReset && (count($pwdReset) > 0) && $pwdReset[0] === 'TRUE') { //user must change his password + $this->config->setUserValue($uid, 'user_ldap', 'needsPasswordReset', 'true'); + header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute( + 'user_ldap.renewPassword.showRenewPasswordForm', array('user' => $uid))); + exit(); + } + //handle password expiry warning + if($pwdChangedTime && (count($pwdChangedTime) > 0)) { + if($pwdMaxAge && (count($pwdMaxAge) > 0) + && $pwdExpireWarning && (count($pwdExpireWarning) > 0)) { + $pwdMaxAgeInt = intval($pwdMaxAge[0]); + $pwdExpireWarningInt = intval($pwdExpireWarning[0]); + if($pwdMaxAgeInt > 0 && $pwdExpireWarningInt > 0){ + $pwdChangedTimeDt = \DateTime::createFromFormat('YmdHisZ', $pwdChangedTime[0]); + $pwdChangedTimeDt->add(new \DateInterval('PT'.$pwdMaxAgeInt.'S')); + $currentDateTime = new \DateTime(); + $secondsToExpiry = $pwdChangedTimeDt->getTimestamp() - $currentDateTime->getTimestamp(); + if($secondsToExpiry <= $pwdExpireWarningInt) { + //remove last password expiry warning if any + $notification = $this->notificationManager->createNotification(); + $notification->setApp('user_ldap') + ->setUser($uid) + ->setObject('pwd_exp_warn', $uid) + ; + $this->notificationManager->markProcessed($notification); + //create new password expiry warning + $notification = $this->notificationManager->createNotification(); + $notification->setApp('user_ldap') + ->setUser($uid) + ->setDateTime($currentDateTime) + ->setObject('pwd_exp_warn', $uid) + ->setSubject('pwd_exp_warn_days', [strval(ceil($secondsToExpiry / 60 / 60 / 24))]) + ; + $this->notificationManager->notify($notification); + } + } + } + } + } + } } diff --git a/apps/user_ldap/lib/User_LDAP.php b/apps/user_ldap/lib/User_LDAP.php index fa959fd9a81..75cdb3951ca 100644 --- a/apps/user_ldap/lib/User_LDAP.php +++ b/apps/user_ldap/lib/User_LDAP.php @@ -41,6 +41,7 @@ use OCA\User_LDAP\Exceptions\NotOnLDAP; use OCA\User_LDAP\User\OfflineUser; use OCA\User_LDAP\User\User; use OCP\IConfig; +use OCP\Notification\IManager as INotificationManager; use OCP\Util; class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserInterface, IUserLDAP { @@ -50,13 +51,18 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn /** @var \OCP\IConfig */ protected $ocConfig; + /** @var INotificationManager */ + protected $notificationManager; + /** * @param Access $access * @param \OCP\IConfig $ocConfig + * @param \OCP\Notification\IManager $notificationManager */ - public function __construct(Access $access, IConfig $ocConfig) { + public function __construct(Access $access, IConfig $ocConfig, INotificationManager $notificationManager) { parent::__construct($access); $this->ocConfig = $ocConfig; + $this->notificationManager = $notificationManager; } /** @@ -190,8 +196,19 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn throw new \Exception('LDAP setPassword: Could not get user object for uid ' . $uid . '. Maybe the LDAP entry has no set display name attribute?'); } - if($user->getUsername() !== false) { - return $this->access->setPassword($user->getDN(), $password); + if($user->getUsername() !== false && $this->access->setPassword($user->getDN(), $password)) { + $ldapDefaultPPolicyDN = $this->access->connection->ldapDefaultPPolicyDN; + $turnOnPasswordChange = $this->access->connection->turnOnPasswordChange; + if (!empty($ldapDefaultPPolicyDN) && (intval($turnOnPasswordChange) === 1)) { + //remove last password expiry warning if any + $notification = $this->notificationManager->createNotification(); + $notification->setApp('user_ldap') + ->setUser($uid) + ->setObject('pwd_exp_warn', $uid) + ; + $this->notificationManager->markProcessed($notification); + } + return true; } return false; diff --git a/apps/user_ldap/lib/User_Proxy.php b/apps/user_ldap/lib/User_Proxy.php index 6417841f245..8e81b10f7b3 100644 --- a/apps/user_ldap/lib/User_Proxy.php +++ b/apps/user_ldap/lib/User_Proxy.php @@ -31,6 +31,7 @@ namespace OCA\User_LDAP; use OCA\User_LDAP\User\User; use OCP\IConfig; +use OCP\Notification\IManager as INotificationManager; class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, IUserLDAP { private $backends = array(); @@ -40,11 +41,12 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, * Constructor * @param array $serverConfigPrefixes array containing the config Prefixes */ - public function __construct(array $serverConfigPrefixes, ILDAPWrapper $ldap, IConfig $ocConfig) { + public function __construct(array $serverConfigPrefixes, ILDAPWrapper $ldap, IConfig $ocConfig, + INotificationManager $notificationManager) { parent::__construct($ldap); foreach($serverConfigPrefixes as $configPrefix) { $this->backends[$configPrefix] = - new User_LDAP($this->getAccess($configPrefix), $ocConfig); + new User_LDAP($this->getAccess($configPrefix), $ocConfig, $notificationManager); if(is_null($this->refBackend)) { $this->refBackend = &$this->backends[$configPrefix]; } |