commit 915733b8d6696997988e1b8b08a8334a18eeea7d Author: Florian Best Date: Thu Jul 9 08:04:55 2020 +0200 Bug #51492: add change password dialog to SAML login
diff --git saml/univention-saml/debian/changelog saml/univention-saml/debian/changelog
index 1dc16b2664..4957b85dd2 100644
--- saml/univention-saml/debian/changelog
+++ saml/univention-saml/debian/changelog
@@ -1,3 +1,9 @@
+univention-saml (6.0.3-1) unstable; urgency=medium
+
+ * Bug #51492: add change password dialog to SAML login
+
+ -- Florian Best Thu, 09 Jul 2020 08:04:51 +0200
+
 univention-saml (6.0.2-45) unstable; urgency=medium
 
 * Bug #47567: Add saml serviceproviders to groups
diff --git saml/univention-saml/debian/control saml/univention-saml/debian/control
index 5ca6234abf..2ef4e9055a 100644
--- saml/univention-saml/debian/control
+++ saml/univention-saml/debian/control
@@ -20,6 +20,7 @@ Depends:
 memcached,
 openssl,
 php-cgi,
+ php-curl,
 php-krb5,
 php-ldap,
 php-mcrypt,
diff --git saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php
index f9939fcf30..0535e880db 100644
--- saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php
+++ saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php
@@ -53,6 +53,8 @@ class sspmod_uldap_Auth_Source_uLDAP extends sspmod_core_Auth_UserPassBase {
 assert('is_string($username)');
 assert('is_string($password)');
+ $password = $this->checkPasswordChange($username, $password);
+
 
 try {
 $attributes = $this->ldapConfig->login($username, $password, $sasl_args);
 } catch (SimpleSAML_Error_Error $e) {
@@ -69,6 +71,43 @@ class sspmod_uldap_Auth_Source_uLDAP extends sspmod_core_Auth_UserPassBase {
 }
 
+ private function checkPasswordChange($username, $password) {
+ if (!isset($_POST['new_password'])) {
+ return $password;
+ }
+ $new_password = $_POST['new_password'];
+ assert('is_string($new_password)');
+
+ $config = SimpleSAML_Configuration::getInstance();
+ $language = new \SimpleSAML\Locale\Language($config);
+ $url = 'https://' . $config->getValue('hostfqdn') . '/univention/auth';
+ $data = json_encode(array("options" => array("username" => $username, "password" => $password, "new_password" => $new_password)));
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_URL, $url);
+ curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json', sprintf('Accept-Language: %s; q=1, en; q=0.5', $language->getLanguage())));
+ curl_setopt($ch, CURLOPT_USERAGENT, 'simplesamlphp');
+ curl_setopt($ch, CURLOPT_REFERER, 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+ curl_setopt($ch, CURLOPT_POST, TRUE);
+ curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
+ $response = curl_exec($ch);
+ if ($response === FALSE) {
+ SimpleSAML\Logger::debug('Error: ' . curl_error($ch));
+ }
+ $httpcode = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
+ SimpleSAML\Logger::debug('Password changing response: ' . var_export(array($httpcode, $response), true));
+ if (FALSE !== $response && strpos(curl_getinfo($ch, CURLINFO_CONTENT_TYPE), 'application/json') >= 0) {
+ $response = json_decode($response, TRUE);
+ } else {
+ $response = array('message' => $response);
+ }
+ if ($httpcode !== 200) {
+ throw new SimpleSAML_Error_Error(array('PW_CHANGE_FAILED', '%s' => $response['message']));
+ }
+ curl_close($ch);
+ return $new_password;
+ }
+
 /**
 * Investigate login failure
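Review bot: The content-type test `strpos(curl_getinfo($ch, CURLINFO_CONTENT_TYPE), 'application/json') >= 0` in checkPasswordChange is always true (strpos returns an int or `false`, and `false >= 0` also holds in PHP), so a non-JSON error body is run through json_decode, becomes null, and `$response['message']` then yields nothing for the PW_CHANGE_FAILED page. The comparison should be `!== FALSE` and the decoded value guarded with is_array before indexing; curl_close should also run before the throw so the handle is released on the failure path. The `assert('is_string($new_password)')` is a no-op when assertions are disabled, so a non-string `new_password` field reaches json_encode unchecked; an explicit `if (!is_string($new_password)) { return $password; }` is the safer guard. The backend message is rendered through the `%s` of descr_PW_CHANGE_FAILED, so the error template has to escape it; whether it does is not visible from this hunk.
```php
        // … unchanged: curl setup and curl_exec …
        $httpcode = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $contentType = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
        curl_close($ch);
        SimpleSAML\Logger::debug('Password changing response: ' . var_export(array($httpcode, $response), true));
        $decoded = (FALSE !== $response && strpos($contentType, 'application/json') !== FALSE)
            ? json_decode($response, TRUE)
            : NULL;
        if (!is_array($decoded) || !isset($decoded['message'])) {
            // non-JSON or malformed reply: show the raw body (or nothing) instead of indexing null
            $decoded = array('message' => $response === FALSE ? '' : $response);
        }
        if ($httpcode !== 200) {
            throw new SimpleSAML_Error_Error(array('PW_CHANGE_FAILED', '%s' => $decoded['message']));
        }
        return $new_password;
```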
diff --git saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.definition.json saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.definition.json
index b336079dfd..1ea4ea2450 100644
--- saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.definition.json
+++ saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.definition.json
@@ -5,6 +5,12 @@
 "descr_WRONGUSERPASS": {
 "en": "Either no user with the given username could be found, or the password you gave was wrong. Please check the username and try again."
 },
+ "title_PW_CHANGE_FAILED": {
+ "en": "Changing password failed"
+ },
+ "descr_PW_CHANGE_FAILED": {
+ "en": "%s"
+ },
 "title_LDAP_ACCDISABLED": {
 "en": "Account disabled"
 },
diff --git saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.translation.json saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.translation.json
index 2a38490408..999eaf0454 100644
--- saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.translation.json
+++ saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.translation.json
@@ -5,6 +5,12 @@
 "descr_WRONGUSERPASS": {
 "de": "Entweder es konnte kein Nutzer mit dem angegebenen Nutzernamen gefunden werden oder das Passwort ist falsch. \u00dcberpr\u00fcfen Sie die Zugangsdaten und probieren Sie es nochmal"
 },
+ "title_PW_CHANGE_FAILED": {
+ "de": "Passwort ändern fehlgeschlagen"
+ },
+ "descr_PW_CHANGE_FAILED": {
+ "de": "%s"
+ },
 "title_LDAP_ACCDISABLED": {
 "de": "Account deaktiviert"
 },
diff --git saml/univention-saml/simplesamlphp/modules/univentiontheme/themes/univention/core/loginuserpass.php saml/univention-saml/simplesamlphp/modules/univentiontheme/themes/univention/core/loginuserpass.php index 014e6eca77..550d2b6011 100644 --- saml/univention-saml/simplesamlphp/modules/univentiontheme/themes/univention/core/loginuserpass.php +++ saml/univention-saml/simplesamlphp/modules/univentiontheme/themes/univention/core/loginuserpass.php @@ -2,9 +2,12 @@ $this->includeAtTemplateBase('includes/header.php'); $this->data['header'] = $this->t('{login:user_pass_header}'); + +$PW_EXPIRED = $this->data['errorcode'] !== NULL && in_array($this->data['errorcode'], array('LDAP_PWCHANGE', 'KRB_PWCHANGE', 'SAMBA_PWCHANGE')); +// echo '
'; var_dump($this->data); echo '
'; ?>
-

t('{univentiontheme:login:loginat}'), $this->configuration->getValue('domainname', ''))); ?>

+

t('{univentiontheme:login:loginat}', array('%s' => $this->configuration->getValue('domainname', '')))); ?>

data['SPMetadata']['privacypolicy'])) { printf('

%s

', htmlspecialchars($this->data['SPMetadata']['privacypolicy'], ENT_QUOTES), htmlspecialchars($this->t('{consent:consent:consent_privacypolicy}'))); @@ -17,29 +20,14 @@ if (isset($this->data['SPMetadata']['privacypolicy'])) {
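Review bot: The commented-out `var_dump($this->data)` debug line added right after the `$PW_EXPIRED` assignment should be dropped rather than committed; if someone uncomments it, the whole template data array, which presumably carries the login state parameters, is printed into the login page. `$PW_EXPIRED` also uses the constant naming convention for what is an ordinary template variable; `$pw_expired` would match the existing `$password_change_url`. The `in_array` call that computes it should pass `true` as its third argument so the error code is compared strictly, in line with the `!== NULL` test next to it.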
- -
- - -
+
data['errorcode'] !== NULL) { - echo('' . $this->t('{login:help_header}') . ''); - echo('' . $this->t('{login:help_text}') . ''); -} -*/ - if ($this->data['errorcode'] !== NULL) { ?>

t('{univentiontheme:errors:title_' . $this->data['errorcode'] . '}', $this->data['errorparams'])); ?>.
data['errorcode'], array('LDAP_PWCHANGE', 'KRB_PWCHANGE', 'SAMBA_PWCHANGE'))) { +if ($PW_EXPIRED) { $password_change_url = $this->configuration->getValue('password_change_url', ''); $password_change_url = $password_change_url ? $password_change_url : str_replace('/univention/saml/metadata', '/univention/login/', $this->data['SPMetadata']['entityid']); echo ''; @@ -55,6 +43,15 @@ if (in_array($this->data['errorcode'], array('LDAP_PWCHANGE', 'KRB_PWCHANGE', 'S +

+ > + + +
data['stateparams'] as $name => $value) { @@ -90,8 +87,32 @@ foreach ($this->data['organizations'] as $orgId => $orgDesc) { - + + + + +
+ + + + + +data['stateparams'] as $name => $value) { + echo ''; +} +?>
+ +