Attachment #10421 for bug #51492

View | Details | Raw Unified | Return to bug 51492
Collapse All | Expand All

(-)saml/univention-saml/debian/changelog (+6 lines)

Lines 1-3	Link Here

univention-saml (6.0.3-1) unstable; urgency=medium

  * Bug #51492: add change password dialog to SAML login

 -- Florian Best <best@univention.de>  Thu, 09 Jul 2020 08:04:51 +0200

univention-saml (6.0.2-45) unstable; urgency=medium

univention-saml (6.0.2-45) unstable; urgency=medium

  * Bug #47567: Add saml serviceproviders to groups

  * Bug #47567: Add saml serviceproviders to groups

(-)saml/univention-saml/debian/control (+1 lines)

Lines 20-25 Depends:	Link Here

 memcached,

 memcached,

 openssl,

 openssl,

 php-cgi,

 php-cgi,

 php-curl,

 php-krb5,

 php-krb5,

 php-ldap,

 php-ldap,

 php-mcrypt,

 php-mcrypt,

(-)saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php (+39 lines)

Lines 53-58 class sspmod_uldap_Auth_Source_uLDAP extends sspmod_core_Auth_UserPassBase {	Link Here

		assert('is_string($username)');

		assert('is_string($username)');

		assert('is_string($password)');

		assert('is_string($password)');

		$password = $this->checkPasswordChange($username, $password);

		try {

		try {

			$attributes = $this->ldapConfig->login($username, $password, $sasl_args);

			$attributes = $this->ldapConfig->login($username, $password, $sasl_args);

		} catch (SimpleSAML_Error_Error $e) {

		} catch (SimpleSAML_Error_Error $e) {

Lines 69-74 class sspmod_uldap_Auth_Source_uLDAP extends sspmod_core_Auth_UserPassBase {	Link Here

	private function checkPasswordChange($username, $password) {

		if (!isset($_POST['new_password'])) {

			return $password;

		$new_password = $_POST['new_password'];

		assert('is_string($new_password)');

		$config = SimpleSAML_Configuration::getInstance();

		$language = new \SimpleSAML\Locale\Language($config);

		$url = 'https://' . $config->getValue('hostfqdn') . '/univention/auth';

		$data =  json_encode(array("options" => array("username" => $username, "password" => $password, "new_password" => $new_password)));

		$ch = curl_init();

		curl_setopt($ch, CURLOPT_URL, $url);

		curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json', sprintf('Accept-Language: %s; q=1, en; q=0.5', $language->getLanguage())));

		curl_setopt($ch, CURLOPT_USERAGENT, 'simplesamlphp');

		curl_setopt($ch, CURLOPT_REFERER, 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);

		curl_setopt($ch, CURLOPT_POST, TRUE);

		curl_setopt($ch, CURLOPT_POSTFIELDS, $data);

		curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);

		$response = curl_exec($ch);

		if ($response === FALSE) {

			SimpleSAML\Logger::debug('Error: ' . curl_error($ch));

		$httpcode = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);

		SimpleSAML\Logger::debug('Password changing response: ' . var_export(array($httpcode, $response), true));

		if (FALSE !== $response && strpos(curl_getinfo($ch, CURLINFO_CONTENT_TYPE), 'application/json') >= 0) {

100

			$response = json_decode($response, TRUE);

101

		} else {

102

			$response = array('message' => $response);

103

104

		if ($httpcode !== 200) {

105

			throw new SimpleSAML_Error_Error(array('PW_CHANGE_FAILED', '%s' => $response['message']));

106

107

		curl_close($ch);

108

		return $new_password;

109

110

111

/**

112

/**

	 * Investigate login failure

113

	 * Investigate login failure

(-)saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.definition.json (+6 lines)

Lines 5-10	Link Here

	"descr_WRONGUSERPASS": {

	"descr_WRONGUSERPASS": {

		"en": "Either no user with the given username could be found, or the password you gave was wrong. Please check the username and try again."

		"en": "Either no user with the given username could be found, or the password you gave was wrong. Please check the username and try again."

},

},

	"title_PW_CHANGE_FAILED": {

		"en": "Changing password failed"

},

	"descr_PW_CHANGE_FAILED": {

		"en": "%s"

},

	"title_LDAP_ACCDISABLED": {

	"title_LDAP_ACCDISABLED": {

		"en": "Account disabled"

		"en": "Account disabled"

},

},

(-)saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.translation.json (+6 lines)

Lines 5-10	Link Here

	"descr_WRONGUSERPASS": {

	"descr_WRONGUSERPASS": {

		"de": "Entweder es konnte kein Nutzer mit dem angegebenen Nutzernamen gefunden werden oder das Passwort ist falsch. \u00dcberpr\u00fcfen Sie die Zugangsdaten und probieren Sie es nochmal"

		"de": "Entweder es konnte kein Nutzer mit dem angegebenen Nutzernamen gefunden werden oder das Passwort ist falsch. \u00dcberpr\u00fcfen Sie die Zugangsdaten und probieren Sie es nochmal"

},

},

	"title_PW_CHANGE_FAILED": {

		"de": "Passwort ändern fehlgeschlagen"

},

	"descr_PW_CHANGE_FAILED": {

		"de": "%s"

},

	"title_LDAP_ACCDISABLED": {

	"title_LDAP_ACCDISABLED": {

		"de": "Account deaktiviert"

		"de": "Account deaktiviert"

},

},




$this->includeAtTemplateBase('includes/header.php');

$this->data['header'] = $this->t('{login:user_pass_header}');

$PW_EXPIRED = $this->data['errorcode'] !== NULL && in_array($this->data['errorcode'], array('LDAP_PWCHANGE', 'KRB_PWCHANGE', 'SAMBA_PWCHANGE'));
// echo '<pre>'; var_dump($this->data); echo '</pre>';
?>
		<div id="umcLoginWrapper">
			<h1 style="text-align: center;"><?php echo htmlspecialchars($this->t('{univentiontheme:login:loginat}', array('%s' => $this->configuration->getValue('domainname', '')))); ?></h1>
<?php
if (isset($this->data['SPMetadata']['privacypolicy'])) {
	printf('<h3 style="text-align: center;"><a href="%s">%s</a></h3>', htmlspecialchars($this->data['SPMetadata']['privacypolicy'], ENT_QUOTES), htmlspecialchars($this->t('{consent:consent:consent_privacypolicy}')));

					<img id="umcLoginLogo" src="/univention/js/dijit/themes/umc/images/login_logo.svg"/>
				</div>
				<div class="umcLoginFormWrapper">
				<div id="umcLoginNotices" class="umcLoginNotices" style="display: <?php echo $this->data['errorcode'] !== NULL ? 'block' : 'none'; ?>;">
					<form id="umcLoginForm" name="umcLoginForm" action="?" method="post" class="umcLoginForm" autocomplete="on">
						<label for="umcLoginUsername">
							<input placeholder="<?php echo htmlspecialchars($this->t('{login:username}'), ENT_QUOTES); ?>" id="umcLoginUsername" name="username" type="text" autocomplete="username"  tabindex="1" value="<?php echo htmlspecialchars($this->data['username'], ENT_QUOTES); ?>" <?php echo $this->data['forceUsername'] ? 'readonly' : ''; ?>/>
						</label>
						<label for="umcLoginPassword">
							<input placeholder="<?php echo htmlspecialchars($this->t('{login:password}'), ENT_QUOTES); ?>" id="umcLoginPassword" name="password" type="password" tabindex="2" autocomplete="current-password"/>
						</label>
						<div id="umcLoginWarnings" class="umcLoginWarnings">
<?php
/*
if ($this->data['errorcode'] !== NULL) {
	echo('<span class="logintitle">' . $this->t('{login:help_header}') . '</span>');
	echo('<span class="logintext">' . $this->t('{login:help_text}') . '</span>');
}
*/

if ($this->data['errorcode'] !== NULL) {
?>
	<p class="umcLoginWarning" >
		<b><?php echo htmlspecialchars($this->t('{univentiontheme:errors:title_' . $this->data['errorcode'] . '}', $this->data['errorparams'])); ?>.</b><br>
<?php
if ($PW_EXPIRED) {
	$password_change_url = $this->configuration->getValue('password_change_url', '');
	$password_change_url = $password_change_url ? $password_change_url : str_replace('/univention/saml/metadata', '/univention/login/', $this->data['SPMetadata']['entityid']);
	echo '<span style="color: black;">';

<?php
}
?>
					</div>
					<form id="umcLoginForm" name="umcLoginForm" action="?" method="post" class="umcLoginForm" autocomplete="on" <?php if ($PW_EXPIRED) { echo 'style="display: none; "'; } ?>>
						<label for="umcLoginUsername">
							<input placeholder="<?php echo htmlspecialchars($this->t('{login:username}'), ENT_QUOTES); ?>" id="umcLoginUsername" name="username" type="text" autocomplete="username"  tabindex="1" value="<?php echo htmlspecialchars($this->data['username'], ENT_QUOTES); ?>" <?php echo $this->data['forceUsername'] ? 'readonly' : ''; ?>/>
						</label>
						<label for="umcLoginPassword">
							<input placeholder="<?php echo htmlspecialchars($this->t('{login:password}'), ENT_QUOTES); ?>" id="umcLoginPassword" name="password" type="password" tabindex="2" autocomplete="current-password"/>
						</label>
						<div id="umcLoginWarnings" class="umcLoginWarnings">
						</div>
<?php
foreach ($this->data['stateparams'] as $name => $value) {

<?php
}
?>
						<input id="umcLoginSubmit" type="submit" name="submit" value="<?php echo htmlspecialchars($this->t('{login:login}'), ENT_QUOTES); ?>"/>
					</form>

<?php
if ($PW_EXPIRED) {
?>
					<form id="umcNewPasswordForm" name="umcLoginForm" action="?" method="post" class="umcLoginForm" autocomplete="off" style="display: block;">
						<input name="username" type="hidden" value="<?php echo htmlspecialchars($this->data['username'], ENT_QUOTES); ?>" />
						<input name="password" type="hidden" value="<?php echo htmlspecialchars($_REQUEST['password'], ENT_QUOTES); /* TODO: store instead in the session? */ ?>" />
						<label for="umcLoginNewPassword">
							<input id="umcLoginNewPassword" name="new_password" type="password" autocomplete="new-password" placeholder="<?php echo htmlspecialchars($this->t('{login:new_password}'), ENT_QUOTES); ?>">
						</label>
						<label for="umcLoginNewPasswordRetype">
							<input id="umcLoginNewPasswordRetype" type="password" autocomplete="new-password" placeholder="<?php echo htmlspecialchars($this->t('{login:new_password_retype}'), ENT_QUOTES); ?>">
						</label>
						<input id="umcNewPasswordSubmit" type="submit" name="submit" value="<?php echo htmlspecialchars($this->t('{login:change_password}'), ENT_QUOTES); ?>">
<?php
foreach ($this->data['stateparams'] as $name => $value) {
	echo '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES) . '" value="' . htmlspecialchars($value, ENT_QUOTES) . '" />';
}
?>
					</form>
<?php
}
?>

				</div>
			</div>
			<div id="umcLoginLinks"></div>

Return to bug 51492