Passman 2.2.21

Merge remote-tracking branch 'origin/master' into master16.3 Signed-off-by: Marcos Zuriaga <marcos@wolfi.es>
2025-09-14 08:54:26 +08:00 · 2019-05-12 17:16:48 +00:00 · 2019-05-12 17:16:48 +00:00 · d4b711c817
commit d4b711c817
parent e71d870cce
9 changed files with 122 additions and 117 deletions
--- a/README.md
+++ b/README.md
@ -8,28 +8,21 @@ Passman is a full featured password manager.
 [![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/nextcloud/passman/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/nextcloud/passman/?branch=master)

 ## Join us!
-There is a Telegram-Group:
-* [Passman General](https://t.me/passman_general)
-
-Those are mainly used to discuss all sorts of topics for Passman and it's apps!
-
+Visit the [“Passman General Talk” Telegram Group](https://t.me/passman_general) to participate in all sorts of topical discussions about Passman and its apps!

 ## Contents
-* [Screenshots](https://github.com/nextcloud/passman#Screenshots) 
-* [Features](https://github.com/nextcloud/passman#features) 
-* [External apps](https://github.com/nextcloud/passman#external-apps)
-* [Security](https://github.com/nextcloud/passman#security)
-  * [Password generation](https://github.com/nextcloud/passman#password-generation)
-  * [Storing credentials](https://github.com/nextcloud/passman#storing-credentials)
-* [Support passman](https://github.com/nextcloud/passman#support-passman)
-* [Development](https://github.com/nextcloud/passman#development)
-* [API](https://github.com/nextcloud/passman#api)
-* [Docker](https://github.com/nextcloud/passman#docker)
-* [Maintainers](https://github.com/nextcloud/passman#main-developers)
-* [Contributors](https://github.com/nextcloud/passman#contributors)
-
-
-
+  * [Screenshots](https://github.com/nextcloud/passman#Screenshots) 
+  * [Features](https://github.com/nextcloud/passman#features) 
+  * [External apps](https://github.com/nextcloud/passman#external-apps)
+  * [Security](https://github.com/nextcloud/passman#security)
+    * [Password generation](https://github.com/nextcloud/passman#password-generation)
+    * [Storing credentials](https://github.com/nextcloud/passman#storing-credentials)
+  * [Support passman](https://github.com/nextcloud/passman#support-passman)
+  * [Development](https://github.com/nextcloud/passman#development)
+  * [API](https://github.com/nextcloud/passman#api)
+  * [Docker](https://github.com/nextcloud/passman#docker)
+  * [Maintainers](https://github.com/nextcloud/passman#main-developers)
+  * [Contributors](https://github.com/nextcloud/passman#contributors)

 ## Screenshots
 ![Logged in to vault](http://i.imgur.com/ciShQZg.png)   
@ -42,133 +35,115 @@ Those are mainly used to discuss all sorts of topics for Passman and it's apps!

 For more screenshots: [Click here](http://imgur.com/a/giKVt)

-
 ## Features:
- Vaults
- Vault key is never sent to the server
- Credentials are stored with 256 bit AES (see [security](https://github.com/nextcloud/passman#security))
- Ability to add custom fields to credentials
- Built-in OTP(One Time Password) generator
- Password analyzer
- Share passwords internally and via link in a secure manner.
- Import from various password managers:
-  - KeePass
-  - LastPass
-  - DashLane
-  - ZOHO
-  - Clipperz.is
-  - EnPass
-  - [ocPasswords](https://github.com/fcturner/passwords)
+  * Multiple vaults
+  * Vault keys are never sent to the server
+  * 256-bit AES-encrypted credentials (see [security](https://github.com/nextcloud/passman#security))
+  * User-defined custom credentials fields
+  * Built-in OTP (One Time Password) generator
+  * Password analyzer
+  * Securely share passwords internally and via link
+  * Import from various password managers:
+    - KeePass
+    - LastPass
+    - DashLane
+    - ZOHO
+    - Clipperz.is
+    - EnPass
+    - [ocPasswords](https://github.com/fcturner/passwords)
  
-
-For a demo of this app visit [https://demo.passman.cc](https://demo.passman.cc)
+Try a Passman demo [here](https://demo.passman.cc).

 ## Tested on
 - Nextcloud 14

 For older Versions see the [Releases Tab](https://github.com/nextcloud/passman/releases)

-
 ## External apps
- [Firefox / chrome extension](https://github.com/nextcloud/passman-webextension)
- [Android app](https://github.com/nextcloud/passman-android)
+  * [Firefox / chrome extension](https://github.com/nextcloud/passman-webextension)
+  * [Android app](https://github.com/nextcloud/passman-android)

+## Database Compatibility

-## Supported databases
- SQL Lite*
- MySQL / MariaDB*
-
-*Tested on travis
-
-Untested databases:
- pgsql
+|   | Supported | Tested | Untested |
+| :--- | :---: | :---: | :---: |
+| SQL Lite | • |   |   |
+| MySQL / MariaDB | • |   |   |
+| travis |   | • |   |
+| pgsql |   |   | • |

 ## Security

 ### Password generation
-Passman features a build in password generator.
-Not it only generates passwords, but it also measures their strength using [zxcvbn](https://github.com/dropbox/zxcvbn).   
+Passman can generate passwords *and* measure their strength using [zxcvbn](https://github.com/dropbox/zxcvbn).   
 ![](http://i.imgur.com/2qVBUfM.png)   

 Generate passwords as you like   
 ![](http://i.imgur.com/jcRicOV.png)   
-Passwords are generated using the random functions from `sjcl`.
-
+Passwords are generated using `sjcl` randomization.

 ### Storing credentials
-All passwords are encrypted client side using [sjcl](https://github.com/bitwiseshiftleft/sjcl) which uses AES-256 bit.
-Users supply a vault key which is feed into sjcl as encryption key.
-After the credentials are encrypted they are send to the server, there they will be encrypted again.
-This time using the following routine:
- A key is generated using `passwordsalt` and `secret` from config.php *so back those up*
- Then the key is [stretched](http://en.wikipedia.org/wiki/Key_stretching) using [Password-Based Key Derivation Function 2](http://en.wikipedia.org/wiki/PBKDF2) (PBKDF2).
- [Encrypt-then-MAC](http://en.wikipedia.org/wiki/Authenticated_encryption#Approaches_to_Authenticated_Encryption) (EtM) is used for ensuring the authenticity of the encrypted data.
- Uses openssl with the `aes-256-cbc` ciper.
- [Initialization vector](http://en.wikipedia.org/wiki/Initialization_vector) (IV) is hidden
- [Double Hash-based Message Authentication Code](http://en.wikipedia.org/wiki/Hash-based_message_authentication_code) (HMAC) is applied for verification of the source data.
+All passwords are encrypted client side with [sjcl](https://github.com/bitwiseshiftleft/sjcl) using 256-bit AES.
+You supply a vault key which sjcl uses to encrypt your credentials. Your encrypted credentials are then sent to the server and encrypted yet again using the following routine:
+  * A key is generated using `passwordsalt` and `secret` from config.php *(so back those up)*.
+  * The key is [stretched](http://en.wikipedia.org/wiki/Key_stretching) using [Password-Based Key Derivation Function 2](http://en.wikipedia.org/wiki/PBKDF2) (PBKDF2).
+  * [Encrypt-then-MAC](http://en.wikipedia.org/wiki/Authenticated_encryption#Approaches_to_Authenticated_Encryption) (EtM) is used to ensure encrypted data authenticity.
+  * Uses openssl with the `aes-256-cbc` cipher.
+  * [Initialization vector](http://en.wikipedia.org/wiki/Initialization_vector) (IV) is hidden.
+  * [Double Hash-based Message Authentication Code](http://en.wikipedia.org/wiki/Hash-based_message_authentication_code) (HMAC) is applied for source data verification.

-
-### Sharing credentials.
-Passman allows users to share passwords (this can be turned off by an administrator). 
+### Sharing credentials
+Passman allows users to share passwords. *(Administrators may disable this feature.)*

 ## API 
-For developers Passman offers an [api](https://github.com/nextcloud/passman/wiki/API).
+Passman offers a [developer API](https://github.com/nextcloud/passman/wiki/API).

 ## Support Passman
-Passman is open source, and we would gladly accept a beer (or pizza!)   
-Please consider donating
- [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=6YS8F97PETVU2)
- [Patreon](https://www.patreon.com/user?u=4833592)
- [Flattr](https://flattr.com/@passman)
- bitcoin: 1H2c5tkGX54n48yEtM4Wm4UrAGTW85jQpe
+Passman is open source but we’ll gladly accept a beer *or pizza!* Please consider donating:
+  * [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=6YS8F97PETVU2)
+  * [Patreon](https://www.patreon.com/user?u=4833592)
+  * [Flattr](https://flattr.com/@passman)
+  * bitcoin: 1H2c5tkGX54n48yEtM4Wm4UrAGTW85jQpe

 ## Code reviews
-If you have any improvements regarding our code.
-Please do the following
- Clone us
- Make your edits
- Add your name to the contributors 
- Send a [PR](https://github.com/nextcloud/passman/pulls)
+If you have any code improvements:
+  * Clone us
+  * Make your edits
+  * Add your name to the contributors
+  * Send a [PR](https://github.com/nextcloud/passman/pulls)

-Or if you're feeling lazy, create an issue, and we'll think about it.
+Or, if you’re feeling lazy, create an issue and we’ll think about it.

 ## Docker
-To run Passman with [Docker](https://www.docker.com/) you can use our test docker image.
-You have to supply your own SSL certs, self signed or Let's encrypt it doesn't matter.      
-Please note that the docker is only for testing purposes, as database user / password are hardcoded.   
+To run Passman with [Docker](https://www.docker.com/), use our test Docker image. Supply your own self-signed SSL certs or use [Let’s Encrypt](https://letsencrypt.org/). Please note: The Docker image is for _testing *only*_ as database user / password are hardcoded.   
    
-If you like to spiece up our docker image and make it a full fledged secure, production ready install, you're welcome to do so.   
-Please note that:
- Port 80 and 443 are used
- SSL is enabled (or disabled if certs not found)
- Startup time of container must be less than 15 seconds
+If you’d like to *spice up* our Passman Docker image into a full-fledged, production-ready install, you’re welcome to do so. Please note:
+  * Port 80 and 443 are used
+  * SSL is enabled (or disabled if no certs are found)
+  * Container startup time must be less than 15 seconds

 Example:   
 ```
 docker run -p 8080:80 -p 8443:443 -v /directory/cert.pem:/data/ssl/cert.pem -v /directory/cert.key:/data/ssl/cert.key brantje/passman
 ```
        
-If you want a production ready container you can use the [Nextcloud docker](https://hub.docker.com/_/nextcloud/), and install passman as an app.
-
-
-
+If you want a production-ready container, use the [Nextcloud Docker](https://hub.docker.com/_/nextcloud/) and install Passman as an app.

 ## Development
-Passman uses a single `.js` file for the templates. This gives the benefit that we don't need to request every template with XHR.   
-For CSS we use SASS so you need ruby and sass installed.  
-`templates.js` and the CSS are built with `grunt`.
-To watch for changes use `grunt watch`
-To run the unit tests install phpunit globally, and setup the environment variables on the `launch_phpunit.sh` script then just run that script, any arguments passed to this script will be forwarded to phpunit.
+  * Passman uses a single `.js` file for templates which minimizes XHR template requests.   
+  * CSS uses SASS, so Ruby and SASS must be installed.
+  * `templates.js` and the CSS are built with `grunt`.
+  * Watch for changes using `grunt watch`.
+  * Run unit tests — Install phpunit globally, setup environment variables in the `launch_phpunit.sh` script, and run the script. All arguments passed to `launch_phpunit.sh` are forwarded to phpunit.

 ## Main developers
- Brantje
- Animalillo
+  * Brantje
+  * Animalillo

 ## Contributors
 Add yours when creating a [pull request](https://help.github.com/articles/creating-a-pull-request/)!
- Newhinton
-
+  * Newhinton

 ## FAQ
 **Are you adding something to check if malicious code is executing on the browser?**   
-No, because malicious code could edit the functions that check for malicious code.
+No, because malicious code can edit functions that check for malicious code.
--- a/appinfo/database.xml
+++ b/appinfo/database.xml
@ -229,6 +229,10 @@
 				<type>boolean</type>
 				<default>false</default>
 			</field>
+			<field>
+				<name>compromised</name>
+				<type>clob</type>
+			</field>
 			<field>
 				<name>shared_key</name>
 				<type>clob</type>
--- a/appinfo/info.xml
+++ b/appinfo/info.xml
@ -42,8 +42,8 @@ For an demo of this app visit [https://demo.passman.cc](https://demo.passman.cc)
        <database>pgsql</database>
        <database min-version="5.5">mysql</database>
        <lib>openssl</lib>
-        <nextcloud min-version="14" max-version="15"/>
-        <owncloud min-version="14" max-version="15"/>
+        <nextcloud min-version="14" max-version="16"/>
+        <owncloud min-version="14" max-version="16"/>
    </dependencies>

    <background-jobs>
--- a/controller/credentialcontroller.php
+++ b/controller/credentialcontroller.php
@ -70,7 +70,7 @@ class CredentialController extends ApiController {
 									 $credential_id, $custom_fields, $delete_time,
 									 $description, $email, $expire_time, $favicon, $files, $guid,
 									 $hidden, $label, $otp, $password, $renew_interval,
-									 $tags, $url, $username, $vault_id) {
+									 $tags, $url, $username, $vault_id, $compromised) {
 		$credential = array(
 			'credential_id' => $credential_id,
 			'guid' => $guid,
@ -93,6 +93,7 @@ class CredentialController extends ApiController {
 			'custom_fields' => $custom_fields,
 			'otp' => $otp,
 			'hidden' => $hidden,
+			'compromised' => $compromised

 		);

@ -125,7 +126,7 @@ class CredentialController extends ApiController {
 									 $credential_id, $custom_fields, $delete_time, $credential_guid,
 									 $description, $email, $expire_time, $icon, $files, $guid,
 									 $hidden, $label, $otp, $password, $renew_interval,
-									 $tags, $url, $username, $vault_id, $revision_created, $shared_key, $acl, $unshare_action, $set_share_key, $skip_revision) {
+									 $tags, $url, $username, $vault_id, $revision_created, $shared_key, $acl, $unshare_action, $set_share_key, $skip_revision, $compromised) {


 		$storedCredential = $this->credentialService->getCredentialByGUID($credential_guid);
@ -151,7 +152,8 @@ class CredentialController extends ApiController {
 			'delete_time' => $delete_time,
 			'hidden' => $hidden,
 			'otp' => $otp,
-			'user_id' => $storedCredential->getUserId()
+			'user_id' => $storedCredential->getUserId(),
+			'compromised' => $compromised
 		);


--- a/controller/translationcontroller.php
+++ b/controller/translationcontroller.php
@ -420,6 +420,24 @@ class TranslationController extends ApiController {
 			'share.page.link_loading' => $this->trans->t('Loading…'),
 			'expired.share' => $this->trans->t('Awwhh… credential not found. Maybe it expired'),

+			//compromised credentials
+			'compromised.label' => $this->trans->t('Compromise!'),
+			'compromised.warning.list' => $this->trans->t('Compromised!'),
+			'compromised.warning' => $this->trans->t('This password is compromised. You can only remove this warning with changing the password.'),
+
+			//searchboxexpanderservice
+			'search.settings.input.label' => $this->trans->t('Label'),
+			'search.settings.input.username' => $this->trans->t('Username'),
+			'search.settings.input.email' => $this->trans->t('email'),
+			'search.settings.input.custom_fields' => $this->trans->t('Custom Fields'),
+			'search.settings.input.password' => $this->trans->t('Password'),
+			'search.settings.input.description' => $this->trans->t('Description'),
+			'search.settings.input.url' => $this->trans->t('Url'),
+
+			'search.settings.title' => $this->trans->t('Custom Search:'),
+			'search.settings.defaults_button' => $this->trans->t('Revert to defaults'),
+
+
 		);
 		return new JSONResponse($translations);
 	}
--- a/css/passman.min.css
+++ b/css/passman.min.css
--- a/js/passman.min.js
+++ b/js/passman.min.js
--- a/lib/Db/Credential.php
+++ b/lib/Db/Credential.php
@ -70,6 +70,8 @@ use \OCP\AppFramework\Db\Entity;
 * @method string getHidden()
 * @method void setSharedKey(string $value)
 * @method string getSharedKey()
+ * @method void setCompromised(bool $value)
+ * @method bool getCompromised()



@ -101,6 +103,7 @@ class Credential extends Entity implements  \JsonSerializable{
 	protected $otp;
 	protected $hidden;
 	protected $sharedKey;
+	protected $compromised;

 	public function __construct() {
 		// add types in constructor
@ -142,6 +145,7 @@ class Credential extends Entity implements  \JsonSerializable{
 			'otp' => $this->getOtp(),
 			'hidden' => $this->getHidden(),
 			'shared_key' => $this->getSharedKey(),
+			'compromised' => $this->getCompromised()
 		];
 	}
 }
--- a/lib/Db/CredentialMapper.php
+++ b/lib/Db/CredentialMapper.php
@ -138,6 +138,7 @@ class CredentialMapper extends Mapper {
 		$credential->setCustomFields($raw_credential['custom_fields']);
 		$credential->setOtp($raw_credential['otp']);
 		$credential->setHidden($raw_credential['hidden']);
+		$credential->setCompromised($raw_credential['compromised']);
 		if (isset($raw_credential['shared_key'])) {
 			$credential->setSharedKey($raw_credential['shared_key']);
 		}
@ -177,6 +178,7 @@ class CredentialMapper extends Mapper {
 		$credential->setOtp($raw_credential['otp']);
 		$credential->setHidden($raw_credential['hidden']);
 		$credential->setDeleteTime($raw_credential['delete_time']);
+		$credential->setCompromised($raw_credential['compromised']);

 		if (isset($raw_credential['shared_key'])) {
 			$credential->setSharedKey($raw_credential['shared_key']);