1 <?php
2 /*
3 * This code is part of GOsa (http://www.gosa-project.org)
4 * Copyright (C) 2003-2008 GONICUS GmbH
5 *
6 * ID: $$Id$$
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
23 class password extends plugin
24 {
25 /* Definitions */
26 var $plHeadline = "Change password";
27 var $plDescription = "Change user password";
29 var $proposal = "";
30 var $proposalEnabled = FALSE;
31 var $proposalSelected = TRUE;
33 var $forcedHash = NULL;
35 function password(&$config, $dn= NULL, $parent= NULL)
36 {
37 plugin::plugin($config, $dn, $parent);
39 // Try to generate a password proposal, if this is successfull
40 // then preselect the proposal usage.
41 $this->refreshProposal();
42 if($this->proposal != ""){
43 $this->proposalSelected = TRUE;
44 }
45 }
48 function forceHash($hash)
49 {
50 $this->forcedHash = $hash;
51 }
54 function refreshProposal()
55 {
56 $this->proposal = passwordMethod::getPasswordProposal($this->config);
57 $this->proposalEnabled = (!empty($this->proposal));
58 }
61 function execute()
62 {
63 plugin::execute();
64 $smarty = get_smarty();
65 $ui = get_userinfo();
67 /* Get acls */
68 $password_ACLS = $ui->get_permissions($ui->dn,"users/password");
69 $smarty->assign("ChangeACL" , $password_ACLS);
70 $smarty->assign("NotAllowed" , !preg_match("/w/i",$password_ACLS));
72 /* Display expiration template */
73 $smarty->assign("passwordExpired", FALSE);
74 if ($this->config->boolValueIsTrue("core","handleExpiredAccounts")){
75 $expired= ldap_expired_account($this->config, $ui->dn, $ui->username);
76 $smarty->assign("passwordExpired", $expired & POSIX_FORCE_PASSWORD_CHANGE);
77 if($expired == POSIX_DISALLOW_PASSWORD_CHANGE){
78 return($smarty->fetch(get_template_path("nochange.tpl", TRUE)));
79 }
80 }
82 // Refresh proposal if requested
83 if(isset($_POST['refreshProposal'])) $this->refreshProposal();
84 if(isset($_POST['proposalSelected'])) $this->proposalSelected = get_post('proposalSelected') == 1;
85 $smarty->assign("proposal" , set_post($this->proposal));
86 $smarty->assign("proposalEnabled" , $this->proposalEnabled);
87 $smarty->assign("proposalSelected" , $this->proposalSelected);
89 /* Pwd change requested */
90 if (isset($_POST['password_finish'])){
92 if($this->proposalSelected){
93 $current_password = get_post('current_password');
94 $new_password = $this->proposal;
95 $repeated_password = $this->proposal;
96 }else{
97 $current_password = get_post('current_password');
98 $new_password = get_post('new_password');
99 $repeated_password = get_post('repeated_password');
100 }
103 // Get configuration flags for further input checks.
104 $check_differ = $this->config->get_cfg_value("core","passwordMinDiffer") != "";
105 $differ = $this->config->get_cfg_value("core","passwordMinDiffer");
106 $check_length = $this->config->get_cfg_value("core","passwordMinLength") != "";
107 $length = $this->config->get_cfg_value("core","passwordMinLength");
109 // Once an error has occured it is stored here.
110 $message = array();
112 // Call the check hook
113 $attrs = array();
114 $attrs['current_password'] = escapeshellarg($current_password);
115 $attrs['new_password'] = escapeshellarg($new_password);
117 // Depricated but execute for backward compability
118 $check_hook = $this->config->get_cfg_value("core","passwordHook") != "";
119 $cmd = $this->config->get_cfg_value("core","passwordHook");
120 if(!empty($cmd)){
121 $cmd = preg_replace("/%current_password/",escapeshellarg($current_password), $cmd);
122 $cmd = preg_replace("/%new_password/",escapeshellarg($new_password), $cmd);
123 $cmd = preg_replace("/%uid/",escapeshellarg($ui->username), $cmd);
124 $cmd = preg_replace("/%dn/",escapeshellarg($ui->dn), $cmd);
125 if($check_hook){
126 exec($cmd,$resarr);
127 $check_hook_output = "";
128 if(count($resarr) > 0) {
129 $check_hook_output= join('\n', $resarr);
130 $message[] = sprintf(_("Password hook reported a problem: %s. Password change canceled!"),
131 $check_hook_output);
132 }
133 }
134 }
136 // Perform GOsa password policy checks
137 if(empty($current_password)){
138 $message[] = _("You need to specify your current password in order to proceed.");
139 }elseif($new_password != $repeated_password){
140 $message[] = _("The passwords you've entered as 'New password' and 'Repeated new password' do not match.");
141 }elseif($new_password == ""){
142 $message[] = _("The password you've entered as 'New password' is empty.");
143 }elseif($check_differ && (substr($current_password, 0, $differ) == substr($new_password, 0, $differ))){
144 $message[] = _("The password used as new and current are too similar.");
145 }elseif($check_length && (strlen($new_password) < $length)){
146 $message[] = _("The password used as new is to short.");
147 }elseif(!passwordMethod::is_harmless($new_password)){
148 $message[] = _("The password contains possibly problematic Unicode characters!");
149 }
151 // Call external check hook to validate the password change
152 if(!count($message)){
153 $checkRes = $this->callCheckHook($attrs);
154 if(count($checkRes)){
155 $message[] = sprintf(_("Check-hook reported a problem: %s. Password change canceled!"),implode($checkRes));
156 }
157 }
159 // Call the pre-event command and check its return code
160 if(!count($message)){
161 plugin::callHook($this, 'PREMODIFY', $attrs, $output,$retCode,$error, $directlyPrintError = FALSE);
162 if($retCode === 0 && count($output)){
163 $message[] = sprintf(_("Pre-event hook reported a problem: %s. Password change canceled!"),implode($output));
164 }
165 }
168 // Some errors/warning occured, display them and abort password change.
169 if(count($message)){
170 msg_dialog::displayChecks($message);
171 }else{
173 /* Try to connect via current password */
174 $tldap = new LDAP(
175 $ui->dn,
176 $current_password,
177 $this->config->current['SERVER'],
178 $this->config->get_cfg_value("core","ldapFollowReferrals") == "true",
179 $this->config->get_cfg_value("core","ldapTLS") == "true");
181 /* connection Successfull ? */
182 if (!$tldap->success()){
183 msg_dialog::display(_("Password change"),
184 _("The password you've entered as your current password doesn't match the real one."),WARNING_DIALOG);
185 }else{
187 /* Check GOsa permissions */
188 if (!preg_match("/w/i",$password_ACLS)){
189 msg_dialog::display(_("Password change"),
190 _("You have no permission to change your password."),WARNING_DIALOG);
191 }else{
192 $this->change_password($ui->dn, $new_password, $this->forcedHash);
193 gosa_log ("User/password has been changed");
194 $ui->password= $new_password;
195 session::set('ui',$ui);
196 return($smarty->fetch(get_template_path("changed.tpl", TRUE)));
197 }
198 }
199 }
200 }
201 return($smarty->fetch(get_template_path("password.tpl", TRUE)));
202 }
204 function change_password($dn, $pwd, $hash)
205 {
206 if(!$hash){
207 change_password ($dn, $pwd);
208 }else{
209 change_password ($dn, $pwd,0, $hash);
210 }
211 }
213 function remove_from_parent()
214 {
215 $this->handle_post_events("remove");
216 }
218 function save()
219 {
220 }
222 function callCheckHook($attrs = array())
223 {
224 $command = $this->config->configRegistry->getPropertyValue(get_class($this),"check");
225 if (!empty($command)){
227 // Build up ldif to send to the check hook
228 $ldif= "dn: $this->dn\n";
229 foreach ($attrs as $name => $value){
230 $ldif.= "{$name}: {$value}\n";
231 }
232 $ldif.= "\n";
234 /* Feed "ldif" into hook and retrieve result*/
235 $descriptorspec = array( 0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"));
236 $fh= proc_open($command, $descriptorspec, $pipes);
237 if (is_resource($fh)) {
238 fwrite ($pipes[0], $ldif);
239 fclose($pipes[0]);
240 $arr= stream_get_contents($pipes[1]);
241 $err = stream_get_contents($pipes[2]);
242 fclose($pipes[1]);
243 fclose($pipes[2]);
244 $returnCode = proc_close($fh);
246 if($returnCode !== 0){
247 @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execution failed code: ".$returnCode);
248 @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Result: ".$err);
249 if($displayErrors){
250 $message= msgPool::cmdexecfailed($cmd,$command, get_class($plugin));
251 msg_dialog::display(_("Error"), $message, ERROR_DIALOG);
252 }
253 }else{
254 @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Result: ".$arr);
255 return(preg_split("/\n/", $arr,0,PREG_SPLIT_NO_EMPTY));
256 }
257 }
258 }
259 return(array());
260 }
262 static function plInfo()
263 {
264 return (array(
265 "plDescription" => _("User password"),
266 "plSelfModify" => TRUE,
267 "plDepends" => array("user"),
268 "plPriority" => 10,
269 "plSection" => array("personal" => _("My account")),
270 "plCategory" => array("users"),
271 "plOptions" => array(),
273 "plProvidedAcls" => array())
274 );
275 }
277 }
278 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
279 ?>