2021-03-01 07:52:46 +08:00
|
|
|
<?php
|
|
|
|
|
2024-03-17 21:50:32 +08:00
|
|
|
use RainLoop\Exceptions\ClientException;
|
|
|
|
use SnappyMail\SensitiveString;
|
2021-03-01 07:52:46 +08:00
|
|
|
|
|
|
|
class ChangePasswordPlugin extends \RainLoop\Plugins\AbstractPlugin
|
|
|
|
{
|
|
|
|
const
|
|
|
|
NAME = 'Change Password',
|
2024-03-17 21:50:32 +08:00
|
|
|
VERSION = '2.36',
|
|
|
|
RELEASE = '2024-03-17',
|
|
|
|
REQUIRED = '2.36.0',
|
2021-03-01 07:52:46 +08:00
|
|
|
CATEGORY = 'Security',
|
2021-08-28 05:49:03 +08:00
|
|
|
DESCRIPTION = 'Extension to allow users to change their passwords';
|
2021-03-01 07:52:46 +08:00
|
|
|
|
|
|
|
// \RainLoop\Notifications\
|
2021-03-08 19:21:58 +08:00
|
|
|
const
|
|
|
|
CouldNotSaveNewPassword = 130,
|
|
|
|
CurrentPasswordIncorrect = 131,
|
|
|
|
NewPasswordShort = 132,
|
|
|
|
NewPasswordWeak = 133;
|
2021-03-01 07:52:46 +08:00
|
|
|
|
|
|
|
public function Init() : void
|
|
|
|
{
|
|
|
|
$this->UseLangs(true); // start use langs folder
|
|
|
|
|
2021-08-30 15:43:18 +08:00
|
|
|
// $this->addCss('style.css');
|
2021-03-01 07:52:46 +08:00
|
|
|
$this->addJs('js/ChangePasswordUserSettings.js'); // add js file
|
|
|
|
$this->addJsonHook('ChangePassword', 'ChangePassword');
|
|
|
|
$this->addTemplate('templates/SettingsChangePassword.html');
|
2021-03-02 19:23:50 +08:00
|
|
|
}
|
2021-03-01 07:52:46 +08:00
|
|
|
|
2021-03-02 21:23:45 +08:00
|
|
|
protected function getSupportedDrivers(bool $all = false) : iterable
|
2021-03-02 19:35:41 +08:00
|
|
|
{
|
2021-03-04 18:56:26 +08:00
|
|
|
if ($phar_file = \Phar::running()) {
|
|
|
|
$phar = new \Phar($phar_file, \FilesystemIterator::CURRENT_AS_FILEINFO | \FilesystemIterator::KEY_AS_FILENAME);
|
|
|
|
foreach (new \RecursiveIteratorIterator($phar) as $file) {
|
|
|
|
if (\preg_match('#/drivers/([a-z]+)\\.php$#Di', $file, $m)) {
|
2021-03-08 19:21:58 +08:00
|
|
|
$class = 'ChangePasswordDriver' . $m[1];
|
2021-03-04 18:56:26 +08:00
|
|
|
try
|
|
|
|
{
|
|
|
|
if ($all || $this->Config()->Get('plugin', "driver_{$m[1]}_enabled", false)) {
|
|
|
|
require_once $file;
|
|
|
|
if ($class::isSupported()) {
|
|
|
|
yield $m[1] => $class;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
catch (\Throwable $oException)
|
|
|
|
{
|
2021-03-08 19:21:58 +08:00
|
|
|
\trigger_error("ERROR {$class}: " . $oException->getMessage());
|
2021-03-02 19:35:41 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2021-03-04 18:56:26 +08:00
|
|
|
} else {
|
|
|
|
foreach (\glob(__DIR__ . '/drivers/*.php') as $file) {
|
2021-03-08 19:21:58 +08:00
|
|
|
$name = \basename($file, '.php');
|
|
|
|
$class = 'ChangePasswordDriver' . $name;
|
2021-03-04 18:56:26 +08:00
|
|
|
try
|
|
|
|
{
|
|
|
|
if ($all || $this->Config()->Get('plugin', "driver_{$name}_enabled", false)) {
|
|
|
|
require_once $file;
|
|
|
|
if ($class::isSupported()) {
|
|
|
|
yield $name => $class;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
catch (\Throwable $oException)
|
|
|
|
{
|
2021-03-08 19:21:58 +08:00
|
|
|
\trigger_error("ERROR {$class}: " . $oException->getMessage());
|
2021-03-04 18:56:26 +08:00
|
|
|
}
|
2021-03-02 21:23:45 +08:00
|
|
|
}
|
|
|
|
}
|
2022-04-29 17:30:11 +08:00
|
|
|
|
|
|
|
foreach (\glob(__DIR__ . '/../change-password-*', GLOB_ONLYDIR) as $file) {
|
|
|
|
$name = \str_replace('change-password-', '', \basename($file));
|
|
|
|
$class = "ChangePassword{$name}Driver";
|
|
|
|
$file .= '/driver.php';
|
|
|
|
try
|
|
|
|
{
|
|
|
|
if (\is_readable($file) && ($all || $this->Config()->Get('plugin', "driver_{$name}_enabled", false))) {
|
|
|
|
require_once $file;
|
|
|
|
if ($class::isSupported()) {
|
|
|
|
yield $name => $class;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
catch (\Throwable $oException)
|
|
|
|
{
|
|
|
|
\trigger_error("ERROR {$class}: " . $oException->getMessage());
|
|
|
|
}
|
|
|
|
}
|
2021-03-02 21:23:45 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
public function Supported() : string
|
|
|
|
{
|
|
|
|
foreach ($this->getSupportedDrivers() as $class) {
|
|
|
|
return '';
|
2021-03-02 19:35:41 +08:00
|
|
|
}
|
|
|
|
return 'There are no change-password drivers enabled';
|
|
|
|
}
|
|
|
|
|
2021-03-02 19:23:50 +08:00
|
|
|
public function configMapping() : array
|
|
|
|
{
|
2021-03-04 20:51:21 +08:00
|
|
|
$result = [
|
|
|
|
\RainLoop\Plugins\Property::NewInstance("pass_min_length")
|
|
|
|
->SetLabel('Password minimum length')
|
|
|
|
->SetType(\RainLoop\Enumerations\PluginPropertyType::INT)
|
|
|
|
->SetDescription('Minimum length of the password')
|
2022-11-09 22:28:12 +08:00
|
|
|
->SetDefaultValue(10)
|
|
|
|
->SetAllowedInJs(true),
|
2021-03-04 21:54:35 +08:00
|
|
|
\RainLoop\Plugins\Property::NewInstance("pass_min_strength")
|
|
|
|
->SetLabel('Password minimum strength')
|
|
|
|
->SetType(\RainLoop\Enumerations\PluginPropertyType::INT)
|
|
|
|
->SetDescription('Minimum strength of the password in %')
|
2022-11-09 22:28:12 +08:00
|
|
|
->SetDefaultValue(70)
|
|
|
|
->SetAllowedInJs(true),
|
2021-03-04 21:54:35 +08:00
|
|
|
];
|
2021-03-02 21:23:45 +08:00
|
|
|
foreach ($this->getSupportedDrivers(true) as $name => $class) {
|
2022-02-10 00:48:05 +08:00
|
|
|
$group = new \RainLoop\Plugins\PropertyCollection($name);
|
|
|
|
$props = [
|
|
|
|
\RainLoop\Plugins\Property::NewInstance("driver_{$name}_enabled")
|
|
|
|
->SetLabel('Enable ' . $class::NAME)
|
|
|
|
->SetType(\RainLoop\Enumerations\PluginPropertyType::BOOL)
|
|
|
|
->SetDescription($class::DESCRIPTION)
|
|
|
|
->SetDefaultValue(false),
|
|
|
|
\RainLoop\Plugins\Property::NewInstance("driver_{$name}_allowed_emails")
|
|
|
|
->SetLabel('Allowed emails')
|
|
|
|
->SetType(\RainLoop\Enumerations\PluginPropertyType::STRING_TEXT)
|
|
|
|
->SetDescription('Allowed emails, space as delimiter, wildcard supported. Example: user1@example.net user2@example1.net *@example2.net')
|
|
|
|
->SetDefaultValue('*')
|
|
|
|
];
|
|
|
|
$group->exchangeArray(\array_merge($props, \call_user_func("{$class}::configMapping")));
|
|
|
|
$result[] = $group;
|
2021-03-02 19:23:50 +08:00
|
|
|
}
|
|
|
|
return $result;
|
2021-03-01 07:52:46 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
public function ChangePassword()
|
|
|
|
{
|
2021-03-04 19:20:06 +08:00
|
|
|
$oActions = $this->Manager()->Actions();
|
|
|
|
$oAccount = $oActions->GetAccount();
|
|
|
|
|
2021-03-02 19:23:50 +08:00
|
|
|
if (!$oAccount->Email()) {
|
2021-03-08 19:21:58 +08:00
|
|
|
\trigger_error('ChangePassword failed: empty email address');
|
2021-03-02 19:23:50 +08:00
|
|
|
throw new ClientException(static::CouldNotSaveNewPassword);
|
|
|
|
}
|
|
|
|
|
2021-03-01 07:52:46 +08:00
|
|
|
$sPrevPassword = $this->jsonParam('PrevPassword');
|
2022-12-08 17:35:20 +08:00
|
|
|
if ($sPrevPassword !== $oAccount->IncPassword()) {
|
2021-03-01 07:52:46 +08:00
|
|
|
throw new ClientException(static::CurrentPasswordIncorrect, null, $oActions->StaticI18N('NOTIFICATIONS/CURRENT_PASSWORD_INCORRECT'));
|
|
|
|
}
|
2024-03-17 21:50:32 +08:00
|
|
|
$oPrevPassword = new \SnappyMail\SensitiveString($sPrevPassword);
|
2021-03-01 07:52:46 +08:00
|
|
|
|
2021-03-04 22:23:38 +08:00
|
|
|
$sNewPassword = $this->jsonParam('NewPassword');
|
|
|
|
if ($this->Config()->Get('plugin', 'pass_min_length', 10) > \strlen($sNewPassword)) {
|
2021-03-01 07:52:46 +08:00
|
|
|
throw new ClientException(static::NewPasswordShort, null, $oActions->StaticI18N('NOTIFICATIONS/NEW_PASSWORD_SHORT'));
|
|
|
|
}
|
2021-03-05 16:43:46 +08:00
|
|
|
if ($this->Config()->Get('plugin', 'pass_min_strength', 70) > static::PasswordStrength($sNewPassword)) {
|
2021-03-01 07:52:46 +08:00
|
|
|
throw new ClientException(static::NewPasswordWeak, null, $oActions->StaticI18N('NOTIFICATIONS/NEW_PASSWORD_WEAK'));
|
|
|
|
}
|
2024-03-17 21:50:32 +08:00
|
|
|
$oNewPassword = new \SnappyMail\SensitiveString($sNewPassword);
|
2021-03-01 19:42:34 +08:00
|
|
|
|
2021-03-02 19:23:50 +08:00
|
|
|
$bResult = false;
|
|
|
|
$oConfig = $this->Config();
|
2021-03-02 21:23:45 +08:00
|
|
|
foreach ($this->getSupportedDrivers() as $name => $class) {
|
2022-06-08 19:08:00 +08:00
|
|
|
if (\RainLoop\Plugins\Helper::ValidateWildcardValues($oAccount->Email(), $oConfig->Get('plugin', "driver_{$name}_allowed_emails"))) {
|
2021-03-02 19:23:50 +08:00
|
|
|
$name = $class::NAME;
|
2021-03-04 21:54:35 +08:00
|
|
|
$oLogger = $oActions->Logger();
|
2021-03-02 19:23:50 +08:00
|
|
|
try
|
|
|
|
{
|
2021-03-02 21:23:45 +08:00
|
|
|
$oDriver = new $class(
|
2021-03-04 22:27:07 +08:00
|
|
|
$oConfig,
|
2021-03-04 21:54:35 +08:00
|
|
|
$oLogger
|
2021-03-02 21:23:45 +08:00
|
|
|
);
|
2024-03-17 21:50:32 +08:00
|
|
|
if (!$oDriver->ChangePassword($oAccount, $oPrevPassword, $oNewPassword)) {
|
2021-03-02 21:23:45 +08:00
|
|
|
throw new ClientException(static::CouldNotSaveNewPassword);
|
|
|
|
}
|
|
|
|
$bResult = true;
|
2021-03-04 21:54:35 +08:00
|
|
|
if ($oLogger) {
|
|
|
|
$oLogger->Write("{$name} password changed for {$oAccount->Email()}");
|
2021-03-02 19:23:50 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
catch (\Throwable $oException)
|
|
|
|
{
|
2021-03-08 19:21:58 +08:00
|
|
|
\trigger_error("{$class} failed: {$oException->getMessage()}");
|
2021-03-04 21:54:35 +08:00
|
|
|
if ($oLogger) {
|
|
|
|
$oLogger->Write("ERROR: {$name} password change for {$oAccount->Email()} failed");
|
|
|
|
$oLogger->WriteException($oException);
|
2022-10-15 23:39:49 +08:00
|
|
|
// $oLogger->WriteException($oException, \LOG_WARNING, $name);
|
2021-03-02 19:23:50 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-03-04 22:23:38 +08:00
|
|
|
if (!$bResult) {
|
2021-03-08 19:21:58 +08:00
|
|
|
\trigger_error("ChangePassword failed");
|
2021-03-04 22:23:38 +08:00
|
|
|
throw new ClientException(static::CouldNotSaveNewPassword);
|
2021-03-01 07:52:46 +08:00
|
|
|
}
|
|
|
|
|
2024-03-17 21:50:32 +08:00
|
|
|
$oAccount->SetPassword($oNewPassword);
|
2022-09-20 14:59:38 +08:00
|
|
|
if ($oAccount instanceof \RainLoop\Model\MainAccount) {
|
|
|
|
$oActions->SetAuthToken($oAccount);
|
2024-03-17 21:53:45 +08:00
|
|
|
$oAccount->resealCryptKey($oPrevPassword);
|
2022-09-20 14:59:38 +08:00
|
|
|
}
|
2021-03-04 22:23:38 +08:00
|
|
|
|
2022-02-06 04:02:19 +08:00
|
|
|
return $this->jsonResponse(__FUNCTION__, $oActions->AppData(false));
|
2021-03-01 07:52:46 +08:00
|
|
|
}
|
|
|
|
|
2024-03-17 21:50:32 +08:00
|
|
|
public static function encrypt(string $algo, SensitiveString $password)
|
2021-03-01 07:52:46 +08:00
|
|
|
{
|
2021-03-02 19:23:50 +08:00
|
|
|
switch (\strtolower($algo))
|
|
|
|
{
|
|
|
|
case 'argon2i':
|
|
|
|
return \password_hash($password, PASSWORD_ARGON2I);
|
|
|
|
|
|
|
|
case 'argon2id':
|
|
|
|
return \password_hash($password, PASSWORD_ARGON2ID);
|
|
|
|
|
|
|
|
case 'bcrypt':
|
|
|
|
return \password_hash($password, PASSWORD_BCRYPT);
|
|
|
|
|
|
|
|
case 'sha256-crypt':
|
|
|
|
return \crypt($password,'$5$'.\substr(\base64_encode(\random_bytes(32)), 0, 16));
|
|
|
|
|
|
|
|
case 'sha512-crypt':
|
|
|
|
return \crypt($password,'$6$'.\substr(\base64_encode(\random_bytes(32)), 0, 16));
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2022-02-06 04:03:40 +08:00
|
|
|
return $password;
|
2021-03-01 07:52:46 +08:00
|
|
|
}
|
|
|
|
|
2021-03-04 21:54:35 +08:00
|
|
|
private static function PasswordStrength(string $sPassword) : int
|
2021-03-04 20:51:21 +08:00
|
|
|
{
|
2021-03-04 21:54:35 +08:00
|
|
|
$i = \strlen($sPassword);
|
2024-03-17 21:50:32 +08:00
|
|
|
$max = \min(100, $i * 8);
|
2021-03-05 16:43:46 +08:00
|
|
|
$s = 0;
|
2021-03-04 21:54:35 +08:00
|
|
|
while (--$i) {
|
2021-03-05 16:43:46 +08:00
|
|
|
$s += ($sPassword[$i] != $sPassword[$i-1] ? 1 : -0.5);
|
2021-03-04 21:54:35 +08:00
|
|
|
}
|
|
|
|
$c = 0;
|
2021-03-04 22:20:05 +08:00
|
|
|
$re = [ '/[^0-9A-Za-z]+/', '/[0-9]+/', '/[A-Z]+/', '/[a-z]+/' ];
|
2021-03-04 21:54:35 +08:00
|
|
|
foreach ($re as $regex) {
|
|
|
|
if (\preg_match_all($regex, $sPassword, $m)) {
|
|
|
|
++$c;
|
|
|
|
foreach ($m[0] as $str) {
|
|
|
|
if (5 > \strlen($str)) {
|
|
|
|
++$s;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-03-05 16:43:46 +08:00
|
|
|
return \intval(\max(0, \min($max, $s * $c * 1.5)));
|
2021-03-04 20:51:21 +08:00
|
|
|
}
|
|
|
|
|
2021-03-01 07:52:46 +08:00
|
|
|
}
|