summaryrefslogtreecommitdiffstats
path: root/apps/user_ldap/lib
diff options
context:
space:
mode:
authorblizzz <blizzz@arthur-schiwon.de>2017-04-24 12:17:04 +0200
committerGitHub <noreply@github.com>2017-04-24 12:17:04 +0200
commit42e805f0578b95206fdddabfe6234b0880c27b1e (patch)
treed9dc2870f2727ac0b35e95681ebc320222c5cc17 /apps/user_ldap/lib
parent3d671cc536b1b472c746fd4ea8f60135f4935a44 (diff)
parent5fa218051bb7cafe9acfdc223fe6a6d4605dacdc (diff)
downloadnextcloud-server-42e805f0578b95206fdddabfe6234b0880c27b1e.tar.gz
nextcloud-server-42e805f0578b95206fdddabfe6234b0880c27b1e.zip
Merge pull request #1023 from GitHubUser4234/ldap_password_renew_pr
Handle password expiry in user_ldap
Diffstat (limited to 'apps/user_ldap/lib')
-rw-r--r--apps/user_ldap/lib/Access.php2
-rw-r--r--apps/user_ldap/lib/AppInfo/Application.php52
-rw-r--r--apps/user_ldap/lib/Command/Search.php2
-rw-r--r--apps/user_ldap/lib/Configuration.php3
-rw-r--r--apps/user_ldap/lib/Controller/RenewPasswordController.php180
-rw-r--r--apps/user_ldap/lib/Exceptions/ConstraintViolationException.php2
-rw-r--r--apps/user_ldap/lib/Helper.php3
-rw-r--r--apps/user_ldap/lib/Jobs/CleanUp.php3
-rw-r--r--apps/user_ldap/lib/Jobs/UpdateGroups.php3
-rw-r--r--apps/user_ldap/lib/Migration/UUIDFixGroup.php3
-rw-r--r--apps/user_ldap/lib/Notification/Notifier.php71
-rw-r--r--apps/user_ldap/lib/Proxy.php5
-rw-r--r--apps/user_ldap/lib/User/Manager.php34
-rw-r--r--apps/user_ldap/lib/User/User.php129
-rw-r--r--apps/user_ldap/lib/User_LDAP.php23
-rw-r--r--apps/user_ldap/lib/User_Proxy.php6
16 files changed, 484 insertions, 37 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 959a8dd2b8e..973b23e81cc 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -1096,7 +1096,7 @@ class Access extends LDAPUtility implements IUserTools {
* @param bool $skipHandling
* @return array with the search result
*/
- private function search($filter, $base, $attr = null, $limit = null, $offset = null, $skipHandling = false) {
+ public function search($filter, $base, $attr = null, $limit = null, $offset = null, $skipHandling = false) {
if($limit <= 0) {
//otherwise search will fail
$limit = null;
diff --git a/apps/user_ldap/lib/AppInfo/Application.php b/apps/user_ldap/lib/AppInfo/Application.php
new file mode 100644
index 00000000000..c3fa1ce9f94
--- /dev/null
+++ b/apps/user_ldap/lib/AppInfo/Application.php
@@ -0,0 +1,52 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de>
+ *
+ * @author Roger Szabo <roger.szabo@web.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\User_LDAP\AppInfo;
+
+use OCA\User_LDAP\Controller\RenewPasswordController;
+use OCP\AppFramework\App;
+use OCP\AppFramework\IAppContainer;
+
+class Application extends App {
+ public function __construct () {
+ parent::__construct('user_ldap');
+ $container = $this->getContainer();
+
+ /**
+ * Controller
+ */
+ $container->registerService('RenewPasswordController', function(IAppContainer $c) {
+ /** @var \OC\Server $server */
+ $server = $c->query('ServerContainer');
+
+ return new RenewPasswordController(
+ $c->getAppName(),
+ $server->getRequest(),
+ $c->query('UserManager'),
+ $server->getConfig(),
+ $c->query('OCP\IL10N'),
+ $server->getURLGenerator()
+ );
+ });
+ }
+}
diff --git a/apps/user_ldap/lib/Command/Search.php b/apps/user_ldap/lib/Command/Search.php
index 57970b1ac5d..463ad2eaeb4 100644
--- a/apps/user_ldap/lib/Command/Search.php
+++ b/apps/user_ldap/lib/Command/Search.php
@@ -120,7 +120,7 @@ class Search extends Command {
$limit = null;
}
} else {
- $proxy = new User_Proxy($configPrefixes, $ldapWrapper, $this->ocConfig);
+ $proxy = new User_Proxy($configPrefixes, $ldapWrapper, $this->ocConfig, \OC::$server->getNotificationManager());
$getMethod = 'getDisplayNames';
$printID = true;
}
diff --git a/apps/user_ldap/lib/Configuration.php b/apps/user_ldap/lib/Configuration.php
index 65ee9c70807..654a63cdc73 100644
--- a/apps/user_ldap/lib/Configuration.php
+++ b/apps/user_ldap/lib/Configuration.php
@@ -93,6 +93,7 @@ class Configuration {
'ldapPagingSize' => null,
'turnOnPasswordChange' => false,
'ldapDynamicGroupMemberURL' => null,
+ 'ldapDefaultPPolicyDN' => null,
);
/**
@@ -457,6 +458,7 @@ class Configuration {
'ldap_turn_on_pwd_change' => 0,
'ldap_experienced_admin' => 0,
'ldap_dynamic_group_member_url' => '',
+ 'ldap_default_ppolicy_dn' => '',
);
}
@@ -514,6 +516,7 @@ class Configuration {
'ldap_turn_on_pwd_change' => 'turnOnPasswordChange',
'ldap_experienced_admin' => 'ldapExperiencedAdmin',
'ldap_dynamic_group_member_url' => 'ldapDynamicGroupMemberURL',
+ 'ldap_default_ppolicy_dn' => 'ldapDefaultPPolicyDN',
);
return $array;
}
diff --git a/apps/user_ldap/lib/Controller/RenewPasswordController.php b/apps/user_ldap/lib/Controller/RenewPasswordController.php
new file mode 100644
index 00000000000..4714c0646cd
--- /dev/null
+++ b/apps/user_ldap/lib/Controller/RenewPasswordController.php
@@ -0,0 +1,180 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de>
+ *
+ * @author Roger Szabo <roger.szabo@web.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\User_LDAP\Controller;
+
+use OC\HintException;
+use OC_Util;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\RedirectResponse;
+use OCP\AppFramework\Http\TemplateResponse;
+use OCP\IConfig;
+use OCP\IL10N;
+use OCP\IRequest;
+use OCP\ISession;
+use OCP\IURLGenerator;
+use OCP\IUser;
+use OCP\IUserManager;
+
+class RenewPasswordController extends Controller {
+ /** @var IUserManager */
+ private $userManager;
+ /** @var IConfig */
+ private $config;
+ /** @var IL10N */
+ protected $l10n;
+ /** @var ISession */
+ private $session;
+ /** @var IURLGenerator */
+ private $urlGenerator;
+
+ /**
+ * @param string $appName
+ * @param IRequest $request
+ * @param IUserManager $userManager
+ * @param IConfig $config
+ * @param IURLGenerator $urlGenerator
+ */
+ function __construct($appName, IRequest $request, IUserManager $userManager,
+ IConfig $config, IL10N $l10n, ISession $session, IURLGenerator $urlGenerator) {
+ parent::__construct($appName, $request);
+ $this->userManager = $userManager;
+ $this->config = $config;
+ $this->l10n = $l10n;
+ $this->session = $session;
+ $this->urlGenerator = $urlGenerator;
+ }
+
+ /**
+ * @PublicPage
+ * @NoCSRFRequired
+ *
+ * @return RedirectResponse
+ */
+ public function cancel() {
+ return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'));
+ }
+
+ /**
+ * @PublicPage
+ * @NoCSRFRequired
+ * @UseSession
+ *
+ * @param string $user
+ *
+ * @return TemplateResponse|RedirectResponse
+ */
+ public function showRenewPasswordForm($user) {
+ if($this->config->getUserValue($user, 'user_ldap', 'needsPasswordReset') !== 'true') {
+ return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'));
+ }
+ $parameters = [];
+ $renewPasswordMessages = $this->session->get('renewPasswordMessages');
+ $errors = [];
+ $messages = [];
+ if (is_array($renewPasswordMessages)) {
+ list($errors, $messages) = $renewPasswordMessages;
+ }
+ $this->session->remove('renewPasswordMessages');
+ foreach ($errors as $value) {
+ $parameters[$value] = true;
+ }
+
+ $parameters['messages'] = $messages;
+ $parameters['user'] = $user;
+
+ $parameters['canResetPassword'] = true;
+ $parameters['resetPasswordLink'] = $this->config->getSystemValue('lost_password_link', '');
+ if (!$parameters['resetPasswordLink']) {
+ $userObj = $this->userManager->get($user);
+ if ($userObj instanceof IUser) {
+ $parameters['canResetPassword'] = $userObj->canChangePassword();
+ }
+ }
+ $parameters['cancelLink'] = $this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm');
+
+ return new TemplateResponse(
+ $this->appName, 'renewpassword', $parameters, 'guest'
+ );
+ }
+
+ /**
+ * @PublicPage
+ * @UseSession
+ *
+ * @param string $user
+ * @param string $oldPassword
+ * @param string $newPassword
+ *
+ * @return RedirectResponse
+ */
+ public function tryRenewPassword($user, $oldPassword, $newPassword) {
+ if($this->config->getUserValue($user, 'user_ldap', 'needsPasswordReset') !== 'true') {
+ return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'));
+ }
+ $args = !is_null($user) ? ['user' => $user] : [];
+ $loginResult = $this->userManager->checkPassword($user, $oldPassword);
+ if ($loginResult === false) {
+ $this->session->set('renewPasswordMessages', [
+ ['invalidpassword'], []
+ ]);
+ return new RedirectResponse($this->urlGenerator->linkToRoute('user_ldap.renewPassword.showRenewPasswordForm', $args));
+ }
+
+ try {
+ if (!is_null($newPassword) && \OC_User::setPassword($user, $newPassword)) {
+ $this->session->set('loginMessages', [
+ [], [$this->l10n->t("Please login with the new password")]
+ ]);
+ $this->session->remove('needPasswordRenewal');
+ return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args));
+ } else {
+ $this->session->set('renewPasswordMessages', [
+ ['internalexception'], []
+ ]);
+ }
+ } catch (HintException $e) {
+ $this->session->set('renewPasswordMessages', [
+ [], [$e->getHint()]
+ ]);
+ }
+
+ return new RedirectResponse($this->urlGenerator->linkToRoute('user_ldap.renewPassword.showRenewPasswordForm', $args));
+ }
+
+ /**
+ * @PublicPage
+ * @NoCSRFRequired
+ * @UseSession
+ *
+ * @return RedirectResponse
+ */
+ public function showLoginFormInvalidPassword($user) {
+ $args = !is_null($user) ? ['user' => $user] : [];
+ $this->session->set('loginMessages', [
+ ['invalidpassword'], []
+ ]);
+ return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args));
+ }
+
+}
diff --git a/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php b/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php
index 997b01b2d4e..586a80b9ebe 100644
--- a/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php
+++ b/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php
@@ -1,6 +1,6 @@
<?php
/**
- * @copyright Copyright (c) 2016 Roger Szabo <roger.szabo@web.de>
+ * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de>
*
* @author Roger Szabo <roger.szabo@web.de>
*
diff --git a/apps/user_ldap/lib/Helper.php b/apps/user_ldap/lib/Helper.php
index f1186ffa310..83b2f05f1d2 100644
--- a/apps/user_ldap/lib/Helper.php
+++ b/apps/user_ldap/lib/Helper.php
@@ -293,9 +293,10 @@ class Helper {
$configPrefixes = $helper->getServerConfigurationPrefixes(true);
$ldapWrapper = new LDAP();
$ocConfig = \OC::$server->getConfig();
+ $notificationManager = \OC::$server->getNotificationManager();
$userBackend = new User_Proxy(
- $configPrefixes, $ldapWrapper, $ocConfig
+ $configPrefixes, $ldapWrapper, $ocConfig, $notificationManager
);
$uid = $userBackend->loginName2UserName($param['uid'] );
if($uid !== false) {
diff --git a/apps/user_ldap/lib/Jobs/CleanUp.php b/apps/user_ldap/lib/Jobs/CleanUp.php
index e69d24dfd06..a4dd4ba32ad 100644
--- a/apps/user_ldap/lib/Jobs/CleanUp.php
+++ b/apps/user_ldap/lib/Jobs/CleanUp.php
@@ -98,7 +98,8 @@ class CleanUp extends TimedJob {
$this->userBackend = new User_Proxy(
$this->ldapHelper->getServerConfigurationPrefixes(true),
new LDAP(),
- $this->ocConfig
+ $this->ocConfig,
+ \OC::$server->getNotificationManager()
);
}
diff --git a/apps/user_ldap/lib/Jobs/UpdateGroups.php b/apps/user_ldap/lib/Jobs/UpdateGroups.php
index b4259425fcc..4c9a06a5f68 100644
--- a/apps/user_ldap/lib/Jobs/UpdateGroups.php
+++ b/apps/user_ldap/lib/Jobs/UpdateGroups.php
@@ -185,7 +185,8 @@ class UpdateGroups extends \OC\BackgroundJob\TimedJob {
\OC::$server->getAvatarManager(),
new \OCP\Image(),
$dbc,
- \OC::$server->getUserManager());
+ \OC::$server->getUserManager(),
+ \OC::$server->getNotificationManager());
$connector = new Connection($ldapWrapper, $configPrefixes[0]);
$ldapAccess = new Access($connector, $ldapWrapper, $userManager, $helper);
$groupMapper = new GroupMapping($dbc);
diff --git a/apps/user_ldap/lib/Migration/UUIDFixGroup.php b/apps/user_ldap/lib/Migration/UUIDFixGroup.php
index cbc38366984..6aacb37257e 100644
--- a/apps/user_ldap/lib/Migration/UUIDFixGroup.php
+++ b/apps/user_ldap/lib/Migration/UUIDFixGroup.php
@@ -32,6 +32,7 @@ use OCP\IConfig;
class UUIDFixGroup extends UUIDFix {
public function __construct(GroupMapping $mapper, LDAP $ldap, IConfig $config, Helper $helper) {
$this->mapper = $mapper;
- $this->proxy = new User_Proxy($helper->getServerConfigurationPrefixes(true), $ldap, $config);
+ $this->proxy = new User_Proxy($helper->getServerConfigurationPrefixes(true), $ldap, $config,
+ \OC::$server->getNotificationManager());
}
}
diff --git a/apps/user_ldap/lib/Notification/Notifier.php b/apps/user_ldap/lib/Notification/Notifier.php
new file mode 100644
index 00000000000..a6053cfcb19
--- /dev/null
+++ b/apps/user_ldap/lib/Notification/Notifier.php
@@ -0,0 +1,71 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de>
+ *
+ * @author Roger Szabo <roger.szabo@web.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\User_LDAP\Notification;
+
+
+use OCP\IUser;
+use OCP\IUserManager;
+use OCP\L10N\IFactory;
+use OCP\Notification\INotification;
+use OCP\Notification\INotifier;
+
+class Notifier implements INotifier {
+
+ /** @var IFactory */
+ protected $l10nFactory;
+
+ /**
+ * @param IFactory $l10nFactory
+ */
+ public function __construct(\OCP\L10N\IFactory $l10nFactory) {
+ $this->l10nFactory = $l10nFactory;
+ }
+
+ /**
+ * @param INotification $notification
+ * @param string $languageCode The code of the language that should be used to prepare the notification
+ * @return INotification
+ * @throws \InvalidArgumentException When the notification was not prepared by a notifier
+ */
+ public function prepare(INotification $notification, $languageCode) {
+ if ($notification->getApp() !== 'user_ldap') {
+ // Not my app => throw
+ throw new \InvalidArgumentException();
+ }
+
+ // Read the language from the notification
+ $l = $this->l10nFactory->get('user_ldap', $languageCode);
+
+ switch ($notification->getSubject()) {
+ // Deal with known subjects
+ case 'pwd_exp_warn_days':
+ $notification->setParsedSubject($l->t('Your password will expire within %s day(s).', $notification->getSubjectParameters()));
+ return $notification;
+
+ default:
+ // Unknown subject => Unknown notification => throw
+ throw new \InvalidArgumentException();
+ }
+ }
+}
diff --git a/apps/user_ldap/lib/Proxy.php b/apps/user_ldap/lib/Proxy.php
index 7f998314e20..96bb670b789 100644
--- a/apps/user_ldap/lib/Proxy.php
+++ b/apps/user_ldap/lib/Proxy.php
@@ -64,6 +64,7 @@ abstract class Proxy {
static $groupMap;
static $db;
static $coreUserManager;
+ static $coreNotificationManager;
if(is_null($fs)) {
$ocConfig = \OC::$server->getConfig();
$fs = new FilesystemHelper();
@@ -73,9 +74,11 @@ abstract class Proxy {
$userMap = new UserMapping($db);
$groupMap = new GroupMapping($db);
$coreUserManager = \OC::$server->getUserManager();
+ $coreNotificationManager = \OC::$server->getNotificationManager();
}
$userManager =
- new Manager($ocConfig, $fs, $log, $avatarM, new \OCP\Image(), $db, $coreUserManager);
+ new Manager($ocConfig, $fs, $log, $avatarM, new \OCP\Image(), $db,
+ $coreUserManager, $coreNotificationManager);
$connector = new Connection($this->ldap, $configPrefix);
$access = new Access($connector, $this->ldap, $userManager, new Helper(\OC::$server->getConfig()));
$access->setUserMapper($userMap);
diff --git a/apps/user_ldap/lib/User/Manager.php b/apps/user_ldap/lib/User/Manager.php
index 18430a90cc7..ea4d071b646 100644
--- a/apps/user_ldap/lib/User/Manager.php
+++ b/apps/user_ldap/lib/User/Manager.php
@@ -34,6 +34,7 @@ use OCP\IConfig;
use OCP\IDBConnection;
use OCP\Image;
use OCP\IUserManager;
+use OCP\Notification\IManager as INotificationManager;
/**
* Manager
@@ -51,6 +52,12 @@ class Manager {
/** @var IDBConnection */
protected $db;
+ /** @var IUserManager */
+ protected $userManager;
+
+ /** @var INotificationManager */
+ protected $notificationManager;
+
/** @var FilesystemHelper */
protected $ocFilesystem;
@@ -85,17 +92,19 @@ class Manager {
public function __construct(IConfig $ocConfig,
FilesystemHelper $ocFilesystem, LogWrapper $ocLog,
IAvatarManager $avatarManager, Image $image,
- IDBConnection $db, IUserManager $userManager) {
-
- $this->ocConfig = $ocConfig;
- $this->ocFilesystem = $ocFilesystem;
- $this->ocLog = $ocLog;
- $this->avatarManager = $avatarManager;
- $this->image = $image;
- $this->db = $db;
- $this->userManager = $userManager;
- $this->usersByDN = new CappedMemoryCache();
- $this->usersByUid = new CappedMemoryCache();
+ IDBConnection $db, IUserManager $userManager,
+ INotificationManager $notificationManager) {
+
+ $this->ocConfig = $ocConfig;
+ $this->ocFilesystem = $ocFilesystem;
+ $this->ocLog = $ocLog;
+ $this->avatarManager = $avatarManager;
+ $this->image = $image;
+ $this->db = $db;
+ $this->userManager = $userManager;
+ $this->notificationManager = $notificationManager;
+ $this->usersByDN = new CappedMemoryCache();
+ $this->usersByUid = new CappedMemoryCache();
}
/**
@@ -118,7 +127,8 @@ class Manager {
$this->checkAccess();
$user = new User($uid, $dn, $this->access, $this->ocConfig,
$this->ocFilesystem, clone $this->image, $this->ocLog,
- $this->avatarManager, $this->userManager);
+ $this->avatarManager, $this->userManager,
+ $this->notificationManager);
$this->usersByDN[$dn] = $user;
$this->usersByUid[$uid] = $user;
return $user;
diff --git a/apps/user_ldap/lib/User/User.php b/apps/user_ldap/lib/User/User.php
index 4419c4983d4..a9e7eb6cc0c 100644
--- a/apps/user_ldap/lib/User/User.php
+++ b/apps/user_ldap/lib/User/User.php
@@ -7,6 +7,7 @@
* @author Morris Jobke <hey@morrisjobke.de>
* @author Thomas Müller <thomas.mueller@tmit.eu>
* @author Jörn Friedrich Dreyer <jfd@butonic.de>
+ * @author Roger Szabo <roger.szabo@web.de>
*
* @license AGPL-3.0
*
@@ -34,6 +35,7 @@ use OCP\IConfig;
use OCP\Image;
use OCP\IUserManager;
use OCP\Util;
+use OCP\Notification\IManager as INotificationManager;
/**
* User
@@ -74,6 +76,10 @@ class User {
*/
protected $userManager;
/**
+ * @var INotificationManager
+ */
+ protected $notificationManager;
+ /**
* @var string
*/
protected $dn;
@@ -108,11 +114,13 @@ class User {
* @param LogWrapper $log
* @param IAvatarManager $avatarManager
* @param IUserManager $userManager
+ * @param INotificationManager $notificationManager
*/
public function __construct($username, $dn, IUserTools $access,
IConfig $config, FilesystemHelper $fs, Image $image,
- LogWrapper $log, IAvatarManager $avatarManager, IUserManager $userManager) {
-
+ LogWrapper $log, IAvatarManager $avatarManager, IUserManager $userManager,
+ INotificationManager $notificationManager) {
+
if ($username === null) {
$log->log("uid for '$dn' must not be null!", Util::ERROR);
throw new \InvalidArgumentException('uid must not be null!');
@@ -121,16 +129,19 @@ class User {
throw new \InvalidArgumentException('uid must not be an empty string!');
}
- $this->access = $access;
- $this->connection = $access->getConnection();
- $this->config = $config;
- $this->fs = $fs;
- $this->dn = $dn;
- $this->uid = $username;
- $this->image = $image;
- $this->log = $log;
- $this->avatarManager = $avatarManager;
- $this->userManager = $userManager;
+ $this->access = $access;
+ $this->connection = $access->getConnection();
+ $this->config = $config;
+ $this->fs = $fs;
+ $this->dn = $dn;
+ $this->uid = $username;
+ $this->image = $image;
+ $this->log = $log;
+ $this->avatarManager = $avatarManager;
+ $this->userManager = $userManager;
+ $this->notificationManager = $notificationManager;
+
+ \OCP\Util::connectHook('OC_User', 'post_login', $this, 'handlePasswordExpiry');
}
/**
@@ -587,4 +598,98 @@ class User {
}
}
+ /**
+ * called by a post_login hook to handle password expiry
+ *
+ * @param array $params
+ */
+ public function handlePasswordExpiry($params) {
+ $ppolicyDN = $this->connection->ldapDefaultPPolicyDN;
+ if (empty($ppolicyDN) || (intval($this->connection->turnOnPasswordChange) !== 1)) {
+ return;//password expiry handling disabled
+ }
+ $uid = $params['uid'];
+ if(isset($uid) && $uid === $this->getUsername()) {
+ //retrieve relevant user attributes
+ $result = $this->access->search('objectclass=*', $this->dn, ['pwdpolicysubentry', 'pwdgraceusetime', 'pwdreset', 'pwdchangedtime']);
+
+ if(array_key_exists('pwdpolicysubentry', $result[0])) {
+ $pwdPolicySubentry = $result[0]['pwdpolicysubentry'];
+ if($pwdPolicySubentry && (count($pwdPolicySubentry) > 0)){
+ $ppolicyDN = $pwdPolicySubentry[0];//custom ppolicy DN
+ }
+ }
+
+ $pwdGraceUseTime = array_key_exists('pwdgraceusetime', $result[0]) ? $result[0]['pwdgraceusetime'] : null;
+ $pwdReset = array_key_exists('pwdreset', $result[0]) ? $result[0]['pwdreset'] : null;
+ $pwdChangedTime = array_key_exists('pwdchangedtime', $result[0]) ? $result[0]['pwdchangedtime'] : null;
+
+ //retrieve relevant password policy attributes
+ $cacheKey = 'ppolicyAttributes' . $ppolicyDN;
+ $result = $this->connection->getFromCache($cacheKey);
+ if(is_null($result)) {
+ $result = $this->access->search('objectclass=*', $ppolicyDN, ['pwdgraceauthnlimit', 'pwdmaxage', 'pwdexpirewarning']);
+ $this->connection->writeToCache($cacheKey, $result);
+ }
+
+ $pwdGraceAuthNLimit = array_key_exists('pwdgraceauthnlimit', $result[0]) ? $result[0]['pwdgraceauthnlimit'] : null;
+ $pwdMaxAge = array_key_exists('pwdmaxage', $result[0]) ? $result[0]['pwdmaxage'] : null;
+ $pwdExpireWarning = array_key_exists('pwdexpirewarning', $result[0]) ? $result[0]['pwdexpirewarning'] : null;
+
+ //handle grace login
+ $pwdGraceUseTimeCount = count($pwdGraceUseTime);
+ if($pwdGraceUseTime && $pwdGraceUseTimeCount > 0) { //was this a grace login?
+ if($pwdGraceAuthNLimit
+ && (count($pwdGraceAuthNLimit) > 0)
+ &&($pwdGraceUseTimeCount < intval($pwdGraceAuthNLimit[0]))) { //at least one more grace login available?
+ $this->config->setUserValue($uid, 'user_ldap', 'needsPasswordReset', 'true');
+ header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute(
+ 'user_ldap.renewPassword.showRenewPasswordForm', array('user' => $uid)));
+ } else { //no more grace login available
+ header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute(
+ 'user_ldap.renewPassword.showLoginFormInvalidPassword', array('user' => $uid)));
+ }
+ exit();
+ }
+ //handle pwdReset attribute
+ if($pwdReset && (count($pwdReset) > 0) && $pwdReset[0] === 'TRUE') { //user must change his password
+ $this->config->setUserValue($uid, 'user_ldap', 'needsPasswordReset', 'true');
+ header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute(
+ 'user_ldap.renewPassword.showRenewPasswordForm', array('user' => $uid)));
+ exit();
+ }
+ //handle password expiry warning
+ if($pwdChangedTime && (count($pwdChangedTime) > 0)) {
+ if($pwdMaxAge && (count($pwdMaxAge) > 0)
+ && $pwdExpireWarning && (count($pwdExpireWarning) > 0)) {
+ $pwdMaxAgeInt = intval($pwdMaxAge[0]);
+ $pwdExpireWarningInt = intval($pwdExpireWarning[0]);
+ if($pwdMaxAgeInt > 0 && $pwdExpireWarningInt > 0){
+ $pwdChangedTimeDt = \DateTime::createFromFormat('YmdHisZ', $pwdChangedTime[0]);
+ $pwdChangedTimeDt->add(new \DateInterval('PT'.$pwdMaxAgeInt.'S'));
+ $currentDateTime = new \DateTime();
+ $secondsToExpiry = $pwdChangedTimeDt->getTimestamp() - $currentDateTime->getTimestamp();
+ if($secondsToExpiry <= $pwdExpireWarningInt) {
+ //remove last password expiry warning if any
+ $notification = $this->notificationManager->createNotification();
+ $notification->setApp('user_ldap')
+ ->setUser($uid)
+ ->setObject('pwd_exp_warn', $uid)
+ ;
+ $this->notificationManager->markProcessed($notification);
+ //create new password expiry warning
+ $notification = $this->notificationManager->createNotification();
+ $notification->setApp('user_ldap')
+ ->setUser($uid)
+ ->setDateTime($currentDateTime)
+ ->setObject('pwd_exp_warn', $uid)
+ ->setSubject('pwd_exp_warn_days', [strval(ceil($secondsToExpiry / 60 / 60 / 24))])
+ ;
+ $this->notificationManager->notify($notification);
+ }
+ }
+ }
+ }
+ }
+ }
}
diff --git a/apps/user_ldap/lib/User_LDAP.php b/apps/user_ldap/lib/User_LDAP.php
index fa959fd9a81..75cdb3951ca 100644
--- a/apps/user_ldap/lib/User_LDAP.php
+++ b/apps/user_ldap/lib/User_LDAP.php
@@ -41,6 +41,7 @@ use OCA\User_LDAP\Exceptions\NotOnLDAP;
use OCA\User_LDAP\User\OfflineUser;
use OCA\User_LDAP\User\User;
use OCP\IConfig;
+use OCP\Notification\IManager as INotificationManager;
use OCP\Util;
class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserInterface, IUserLDAP {
@@ -50,13 +51,18 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn
/** @var \OCP\IConfig */
protected $ocConfig;
+ /** @var INotificationManager */
+ protected $notificationManager;
+
/**
* @param Access $access
* @param \OCP\IConfig $ocConfig
+ * @param \OCP\Notification\IManager $notificationManager
*/
- public function __construct(Access $access, IConfig $ocConfig) {
+ public function __construct(Access $access, IConfig $ocConfig, INotificationManager $notificationManager) {
parent::__construct($access);
$this->ocConfig = $ocConfig;
+ $this->notificationManager = $notificationManager;
}
/**
@@ -190,8 +196,19 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn
throw new \Exception('LDAP setPassword: Could not get user object for uid ' . $uid .
'. Maybe the LDAP entry has no set display name attribute?');
}
- if($user->getUsername() !== false) {
- return $this->access->setPassword($user->getDN(), $password);
+ if($user->getUsername() !== false && $this->access->setPassword($user->getDN(), $password)) {
+ $ldapDefaultPPolicyDN = $this->access->connection->ldapDefaultPPolicyDN;
+ $turnOnPasswordChange = $this->access->connection->turnOnPasswordChange;
+ if (!empty($ldapDefaultPPolicyDN) && (intval($turnOnPasswordChange) === 1)) {
+ //remove last password expiry warning if any
+ $notification = $this->notificationManager->createNotification();
+ $notification->setApp('user_ldap')
+ ->setUser($uid)
+ ->setObject('pwd_exp_warn', $uid)
+ ;
+ $this->notificationManager->markProcessed($notification);
+ }
+ return true;
}
return false;
diff --git a/apps/user_ldap/lib/User_Proxy.php b/apps/user_ldap/lib/User_Proxy.php
index 6417841f245..8e81b10f7b3 100644
--- a/apps/user_ldap/lib/User_Proxy.php
+++ b/apps/user_ldap/lib/User_Proxy.php
@@ -31,6 +31,7 @@ namespace OCA\User_LDAP;
use OCA\User_LDAP\User\User;
use OCP\IConfig;
+use OCP\Notification\IManager as INotificationManager;
class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, IUserLDAP {
private $backends = array();
@@ -40,11 +41,12 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface,
* Constructor
* @param array $serverConfigPrefixes array containing the config Prefixes
*/
- public function __construct(array $serverConfigPrefixes, ILDAPWrapper $ldap, IConfig $ocConfig) {
+ public function __construct(array $serverConfigPrefixes, ILDAPWrapper $ldap, IConfig $ocConfig,
+ INotificationManager $notificationManager) {
parent::__construct($ldap);
foreach($serverConfigPrefixes as $configPrefix) {
$this->backends[$configPrefix] =
- new User_LDAP($this->getAccess($configPrefix), $ocConfig);
+ new User_LDAP($this->getAccess($configPrefix), $ocConfig, $notificationManager);
if(is_null($this->refBackend)) {
$this->refBackend = &$this->backends[$configPrefix];
}