class_password-methods.inc
1 <?php
2 /*
3  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
4  Copyright (C) 2003-2010 Cajus Pollmeier
5  Copyright (C) 2011-2017 FusionDirectory
6 
7  This program is free software; you can redistribute it and/or modify
8  it under the terms of the GNU General Public License as published by
9  the Free Software Foundation; either version 2 of the License, or
10  (at your option) any later version.
11 
12  This program is distributed in the hope that it will be useful,
13  but WITHOUT ANY WARRANTY; without even the implied warranty of
14  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15  GNU General Public License for more details.
16 
17  You should have received a copy of the GNU General Public License
18  along with this program; if not, write to the Free Software
19  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
20 */
21 
22 /*
23  * \file class_password-methods.inc
24  * Source code for class password-methods
25  */
26 
31 {
  /* LDAP attributes of the entry this method works on; is_locked() and
   * lock_account()/unlock_account() read userPassword from here when no DN
   * is passed to them */
  var $attrs = array();
  /* Not referenced by any code visible in this file — presumably read by
   * subclasses or the UI, TODO confirm */
  var $display = FALSE;
  /* Name of the hash scheme this instance represents, see set_hash()/get_hash() */
  var $hash = '';
  /* When FALSE, is_locked(), lock_account() and unlock_account() return FALSE
   * without touching the entry (the '!' marker scheme does not apply) */
  var $lockable = TRUE;
36 
  /*!
   * \brief Password method constructor
   *
   * The base class keeps nothing from its arguments; the signature exists for
   * the subclasses, which get_method() and get_available_methods() build with
   * a DN (or "") as first argument.
   *
   * \param string $dn      DN of the entry this method works on
   * \param object $userTab presumably the user tab owning the method — unused here, TODO confirm
   */
  function __construct($dn = '', $userTab = NULL)
  {
  }
46 
  /*!
   * \brief Get the hash name(s) this method handles
   *
   * Must be overridden. Subclasses return either one name or an array of
   * names (get_available_methods() accepts both). The base implementation
   * only raises a notice and returns NULL; note that this is not fatal, so a
   * subclass that forgets the override will silently match nothing in
   * _extract_method().
   */
  static function get_hash_name()
  {
    trigger_error("get_hash_name can't be called on main class");
  }
54 
  /*!
   * \brief Whether this method needs a password to be typed in
   *
   * Base class default: TRUE. A subclass that derives the hash from
   * something else overrides this.
   *
   * \return boolean
   */
  function need_password()
  {
    return TRUE;
  }
64 
70  function is_locked($dn = "")
71  {
72  global $config;
73  if (!$this->lockable) {
74  return FALSE;
75  }
76 
77  /* Get current password hash */
78  $pwd = "";
79  if (!empty($dn)) {
80  $ldap = $config->get_ldap_link();
81  $ldap->cd($config->current['BASE']);
82  $ldap->cat($dn);
83  $attrs = $ldap->fetch();
84  if (isset($attrs['userPassword'][0])) {
85  $pwd = $attrs['userPassword'][0];
86  }
87  } elseif (isset($this->attrs['userPassword'][0])) {
88  $pwd = $this->attrs['userPassword'][0];
89  }
90  return preg_match("/^[^\}]*+\}!/", $pwd);
91  }
92 
  /*!
   * \brief Lock an account
   *
   * Inserts a '!' right after the "{method}" prefix of the stored hash, so the
   * value no longer verifies against any password. Samba and SSH data are
   * handled alongside and PRE/POST LOCK hooks are run; see
   * generic_modify_account() for the details.
   *
   * \param string $dn DN of the entry to lock; when empty, $this->attrs is used
   *
   * \return boolean TRUE on success (or when already locked), FALSE otherwise
   */
  function lock_account($dn = "")
  {
    return $this->generic_modify_account($dn, 'LOCK');
  }
105 
  /*!
   * \brief Unlock an account previously locked by lock_account()
   *
   * Removes the '!' marker after the "{method}" prefix; see
   * generic_modify_account() for the full sequence.
   *
   * \param string $dn DN of the entry to unlock; when empty, $this->attrs is used
   *
   * \return boolean TRUE on success (or when not locked), FALSE otherwise
   */
  function unlock_account($dn = "")
  {
    return $this->generic_modify_account($dn, 'UNLOCK');
  }
114 
119  private function generic_modify_account($dn, $mode)
120  {
121  global $config;
122  if (!$this->lockable) {
123  return FALSE;
124  }
125  if ($mode != 'LOCK' && $mode != 'UNLOCK') {
126  die('Invalid mode "'.$mode.'"');
127  }
128 
129  /* Get current password hash */
130  $attrs = $this->attrs;
131  $pwd = '';
132  $ldap = $config->get_ldap_link();
133  $ldap->cd($config->current['BASE']);
134  if (!empty($dn)) {
135  $ldap->cat($dn);
136  $attrs = $ldap->fetch();
137  }
138  if (isset($attrs['userPassword'][0])) {
139  $pwd = $attrs['userPassword'][0];
140  $dn = $attrs['dn'];
141  }
142 
143  /* We can only lock/unlock non-empty passwords */
144  if (!empty($pwd)) {
145 
146  /* Check if this entry is already locked. */
147  if (!preg_match("/^[^\}]*+\}!/", $pwd)) {
148  if ($mode == 'UNLOCK') {
149  return TRUE;
150  }
151  } elseif ($mode == 'LOCK') {
152  return TRUE;
153  }
154 
155  // (Un)lock the samba account
156  $modify = lock_samba_account($mode, $attrs);
157 
158  // (Un)lock SSH keys
159  lock_ssh_account($mode, $attrs, $modify);
160 
161  // Call pre hooks
162  $userClass = new user($dn);
163  $errors = $userClass->callHook('PRE'.$mode, array(), $ret);
164  if (!empty($errors)) {
165  msg_dialog::displayChecks($errors);
166  return FALSE;
167  }
168 
169  // (Un)lock the account by modifying the password hash.
170  if ($mode == 'LOCK') {
171  /* Lock entry */
172  $pwd = preg_replace("/(^[^\}]+\})(.*$)/", "\\1!\\2", $pwd);
173  } else {
174  /* Unlock entry */
175  $pwd = preg_replace("/(^[^\}]+\})!(.*$)/", "\\1\\2", $pwd);
176  }
177  $modify['userPassword'] = $pwd;
178  $ldap->cd($dn);
179  $ldap->modify($modify);
180 
181  // Call the password post-lock hook, if defined.
182  if ($ldap->success()) {
183  $userClass = new user($dn);
184  $errors = $userClass->callHook('POST'.$mode, array(), $ret);
185  if (!empty($errors)) {
186  msg_dialog::displayChecks($errors);
187  }
188  } else {
189  msg_dialog::display(_('LDAP error'), msgPool::ldaperror($ldap->get_error(), $dn, LDAP_MOD), LDAP_ERROR);
190  }
191  return $ldap->success();
192  }
193  return FALSE;
194  }
195 
196 
200  static function get_available_methods()
201  {
202  global $class_mapping;
203  $ret = FALSE;
204  $i = 0;
205 
206  /* Only */
207  if (!session::is_set("passwordMethod::get_available_methods")) {
208  foreach (array_keys($class_mapping) as $class) {
209  if (preg_match('/passwordMethod/i', $class) && !preg_match("/^passwordMethod$/i", $class)) {
210  $test = new $class("");
211  if ($test->is_available()) {
212  $plugs = $test->get_hash_name();
213  if (!is_array($plugs)) {
214  $plugs = array($plugs);
215  }
216 
217  foreach ($plugs as $plugname) {
218  $cfg = $test->is_configurable();
219 
220  $ret['name'][$i] = $plugname;
221  $ret['class'][$i] = $class;
222  $ret['is_configurable'][$i] = $cfg;
223  $ret['object'][$i] = $test;
224  $ret['desc'][$i] = $test->get_description();
225  $ret[$i]['name'] = $plugname;
226  $ret[$i]['class'] = $class;
227  $ret[$i]['object'] = $test;
228  $ret[$i]['is_configurable'] = $cfg;
229  $ret[$i]['desc'] = $test->get_description();
230  $ret[$plugname] = $class;
231  $i++;
232  }
233  }
234  }
235  }
236  session::set("passwordMethod::get_available_methods", $ret);
237  }
238  return session::get("passwordMethod::get_available_methods");
239  }
240 
  /*!
   * \brief Human readable description of the method
   *
   * Base class default is the empty string; get_available_methods() records
   * the value per method under 'desc'.
   *
   * \return string
   */
  function get_description()
  {
    return "";
  }
248 
249 
255  {
256  }
257 
261  function checkPassword($pwd, $hash)
262  {
263  return ($hash == $this->generate_hash($pwd));
264  }
265 
266 
  /*!
   * \brief Whether this method provides a configuration dialog
   *
   * Base class default is FALSE; get_available_methods() records the value
   * per method under 'is_configurable', and configure() provides the dialog.
   *
   * \return boolean
   */
  function is_configurable()
  {
    return FALSE;
  }
274 
  /*!
   * \brief Provide the configuration sub-dialog of the method
   *
   * Base class has nothing to configure and returns the empty string;
   * methods returning TRUE from is_configurable() override this.
   *
   * \return string
   */
  function configure()
  {
    return "";
  }
282 
283 
  /*!
   * \brief Save additional information of the method to LDAP
   *
   * No-op in the base class; methods that store more than the userPassword
   * attribute override it.
   *
   * \param string $dn DN of the entry being saved
   */
  function save($dn)
  {
  }
292 
293 
  /*!
   * \brief Find the password method matching a stored hash
   *
   * Each available method class is asked, through its _extract_method(),
   * whether the "{method}" prefix of $password_hash is one of its hash names.
   * The first class that claims it is instantiated for $dn and primed with
   * that hash name. A hash no method recognises (including an unprefixed
   * value) falls back to the clear text method.
   *
   * NOTE(review): the statement initialising $methods (presumably the result
   * of get_available_methods()) is not visible in this rendering of the file.
   *
   * \param string $password_hash Stored userPassword value
   * \param string $dn            DN handed to the method constructor
   *
   * \return passwordMethod instance for the hash
   */
  static function get_method($password_hash, $dn = "")
  {

    foreach ($methods['class'] as $class) {
      $method = $class::_extract_method($class, $password_hash);
      if ($method != "") {
        $test = new $class($dn);
        $test->set_hash($method);
        return $test;
      }
    }

    /* No method claimed the hash: treat it as clear text */
    $method = new passwordMethodClear($dn);
    $method->set_hash('clear');
    return $method;
  }
318 
324  static function _extract_method($classname, $password_hash)
325  {
326  $hash = $classname::get_hash_name();
327  if (preg_match("/^\{$hash\}/i", $password_hash)) {
328  return $hash;
329  }
330 
331  return "";
332  }
333 
  /*!
   * \brief Hash a clear text password with the named method
   *
   * Looks the hash name up in the available methods (the name => class
   * mapping filled by get_available_methods()), instantiates that class, sets
   * the hash name on it and returns its generate_hash() result.
   *
   * NOTE(review): the statement initialising $methods is not visible in this
   * rendering of the file, and $methods[$hash] is used unchecked — an unknown
   * hash name reaches "new" with a NULL class name, which is a fatal error
   * rather than a FALSE return.
   *
   * \param string $password Clear text password
   * \param string $hash     Hash name, as returned by get_hash_name()
   *
   * \return mixed Whatever generate_hash() returns (the value stored in userPassword)
   */
  static function make_hash($password, $hash)
  {
    $tmp = new $methods[$hash]();
    $tmp->set_hash($hash);
    return $tmp->generate_hash($password);
  }
348 
  /*!
   * \brief Set the hash name this instance represents
   *
   * Called by get_method() with the name matched by _extract_method(), and by
   * make_hash() with the requested name, before generate_hash() is used.
   *
   * \param string $hash Hash name
   */
  function set_hash($hash)
  {
    $this->hash = $hash;
  }
358 
359 
  /*!
   * \brief Get the hash name this instance represents
   *
   * \return string The value last given to set_hash(), "" by default
   */
  function get_hash()
  {
    return $this->hash;
  }
367 
375  static function is_harmless($password)
376  {
377  global $config;
378  if ($config->get_cfg_value("strictPasswordRules") == "TRUE") {
379  // Do we have UTF8 characters in the password?
380  return ($password == utf8_decode($password));
381  }
382 
383  return TRUE;
384  }
385 }
386 ?>