Univention Bugzilla – Attachment 10421 Details for
Bug 51492
Change the password via SAML login
[patch]
patch (git:fbest/51492-saml-password-change)
51492.patch (text/plain), 11.54 KB, created by
Florian Best
on 2020-07-09 09:12 CEST
Description:
patch (git:fbest/51492-saml-password-change)
Filename:
MIME Type:
Creator:
Florian Best
Created:
2020-07-09 09:12 CEST
Size:
11.54 KB
patch
obsolete
>commit 915733b8d6696997988e1b8b08a8334a18eeea7d
>Author: Florian Best <best@univention.de>
>Date: Thu Jul 9 08:04:55 2020 +0200
>
> Bug #51492: add change password dialog to SAML login
>
>diff --git saml/univention-saml/debian/changelog saml/univention-saml/debian/changelog
>index 1dc16b2664..4957b85dd2 100644
>--- saml/univention-saml/debian/changelog
>+++ saml/univention-saml/debian/changelog
>@@ -1,3 +1,9 @@
>+univention-saml (6.0.3-1) unstable; urgency=medium
>+
>+ * Bug #51492: add change password dialog to SAML login
>+
>+ -- Florian Best <best@univention.de> Thu, 09 Jul 2020 08:04:51 +0200
>+
> univention-saml (6.0.2-45) unstable; urgency=medium
>
> * Bug #47567: Add saml serviceproviders to groups
>diff --git saml/univention-saml/debian/control saml/univention-saml/debian/control
>index 5ca6234abf..2ef4e9055a 100644
>--- saml/univention-saml/debian/control
>+++ saml/univention-saml/debian/control
>@@ -20,6 +20,7 @@ Depends:
> memcached,
> openssl,
> php-cgi,
>+ php-curl,
> php-krb5,
> php-ldap,
> php-mcrypt,
>diff --git saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php
>index f9939fcf30..0535e880db 100644
>--- saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php
>+++ saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php
>@@ -53,6 +53,8 @@ class sspmod_uldap_Auth_Source_uLDAP extends sspmod_core_Auth_UserPassBase {
> assert('is_string($username)');
> assert('is_string($password)');
>
>+ $password = $this->checkPasswordChange($username, $password);
>+
> try {
> $attributes = $this->ldapConfig->login($username, $password, $sasl_args);
> } catch (SimpleSAML_Error_Error $e) {
>@@ -69,6 +71,43 @@ class sspmod_uldap_Auth_Source_uLDAP extends sspmod_core_Auth_UserPassBase {
>
> }
>
>+ private function checkPasswordChange($username, $password) {
>+ if (!isset($_POST['new_password'])) {
>+ return $password;
>+ }
>+ $new_password = $_POST['new_password'];
>+ assert('is_string($new_password)');
>+
>+ $config = SimpleSAML_Configuration::getInstance();
>+ $language = new \SimpleSAML\Locale\Language($config);
>+ $url = 'https://' . $config->getValue('hostfqdn') . '/univention/auth';
>+ $data = json_encode(array("options" => array("username" => $username, "password" => $password, "new_password" => $new_password)));
>+ $ch = curl_init();
>+ curl_setopt($ch, CURLOPT_URL, $url);
>+ curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json', sprintf('Accept-Language: %s; q=1, en; q=0.5', $language->getLanguage())));
>+ curl_setopt($ch, CURLOPT_USERAGENT, 'simplesamlphp');
>+ curl_setopt($ch, CURLOPT_REFERER, 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
>+ curl_setopt($ch, CURLOPT_POST, TRUE);
>+ curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
>+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
>+ $response = curl_exec($ch);
>+ if ($response === FALSE) {
>+ SimpleSAML\Logger::debug('Error: ' . curl_error($ch));
>+ }
>+ $httpcode = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
>+ SimpleSAML\Logger::debug('Password changing response: ' . var_export(array($httpcode, $response), true));
>+ if (FALSE !== $response && strpos(curl_getinfo($ch, CURLINFO_CONTENT_TYPE), 'application/json') >= 0) {
>+ $response = json_decode($response, TRUE);
>+ } else {
>+ $response = array('message' => $response);
>+ }
>+ if ($httpcode !== 200) {
>+ throw new SimpleSAML_Error_Error(array('PW_CHANGE_FAILED', '%s' => $response['message']));
>+ }
>+ curl_close($ch);
>+ return $new_password;
>+ }
>+
>
> /**
> * Investigate login failure
>diff --git saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.definition.json saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.definition.json
>index b336079dfd..1ea4ea2450 100644
>--- saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.definition.json
>+++ saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.definition.json
>@@ -5,6 +5,12 @@
> "descr_WRONGUSERPASS": {
> "en": "Either no user with the given username could be found, or the password you gave was wrong. Please check the username and try again."
> },
>+ "title_PW_CHANGE_FAILED": {
>+ "en": "Changing password failed"
>+ },
>+ "descr_PW_CHANGE_FAILED": {
>+ "en": "%s"
>+ },
> "title_LDAP_ACCDISABLED": {
> "en": "Account disabled"
> },
>diff --git saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.translation.json saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.translation.json
>index 2a38490408..999eaf0454 100644
>--- saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.translation.json
>+++ saml/univention-saml/simplesamlphp/modules/univentiontheme/dictionaries/errors_static.translation.json
>@@ -5,6 +5,12 @@
> "descr_WRONGUSERPASS": {
> "de": "Entweder es konnte kein Nutzer mit dem angegebenen Nutzernamen gefunden werden oder das Passwort ist falsch. \u00dcberpr\u00fcfen Sie die Zugangsdaten und probieren Sie es nochmal"
> },
>+ "title_PW_CHANGE_FAILED": {
>+ "de": "Passwort ändern fehlgeschlagen"
>+ },
>+ "descr_PW_CHANGE_FAILED": {
>+ "de": "%s"
>+ },
> "title_LDAP_ACCDISABLED": {
> "de": "Account deaktiviert"
> },
>diff --git saml/univention-saml/simplesamlphp/modules/univentiontheme/themes/univention/core/loginuserpass.php saml/univention-saml/simplesamlphp/modules/univentiontheme/themes/univention/core/loginuserpass.php
>index 014e6eca77..550d2b6011 100644
>--- saml/univention-saml/simplesamlphp/modules/univentiontheme/themes/univention/core/loginuserpass.php
>+++ saml/univention-saml/simplesamlphp/modules/univentiontheme/themes/univention/core/loginuserpass.php
>@@ -2,9 +2,12 @@
> $this->includeAtTemplateBase('includes/header.php');
>
> $this->data['header'] = $this->t('{login:user_pass_header}');
>+
>+$PW_EXPIRED = $this->data['errorcode'] !== NULL && in_array($this->data['errorcode'], array('LDAP_PWCHANGE', 'KRB_PWCHANGE', 'SAMBA_PWCHANGE'));
>+// echo '<pre>'; var_dump($this->data); echo '</pre>';
> ?>
> <div id="umcLoginWrapper">
>- <h1 style="text-align: center;"><?php echo htmlspecialchars(sprintf($this->t('{univentiontheme:login:loginat}'), $this->configuration->getValue('domainname', ''))); ?></h1>
>+ <h1 style="text-align: center;"><?php echo htmlspecialchars($this->t('{univentiontheme:login:loginat}', array('%s' => $this->configuration->getValue('domainname', '')))); ?></h1>
> <?php
> if (isset($this->data['SPMetadata']['privacypolicy'])) {
> printf('<h3 style="text-align: center;"><a href="%s">%s</a></h3>', htmlspecialchars($this->data['SPMetadata']['privacypolicy'], ENT_QUOTES), htmlspecialchars($this->t('{consent:consent:consent_privacypolicy}')));
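Review bot: The new call `$password = $this->checkPasswordChange($username, $password);` runs before the try block and, on success, swaps the new password in for the LDAP bind that follows; if that bind then fails (for example because the directory the IdP binds to has not yet caught up with a change performed through the UMC endpoint), the user is shown WRONGUSERPASS even though the password was already changed, with no hint to retry with the new one. Consider tracking that a change succeeded and reporting a bind failure after it distinctly, or at least make the ordering explicit with a comment such as `// a successful change replaces $password; the bind below must use the new one`. The enclosing login() method continues outside the hunk.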
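Review bot: The content-type guard `strpos(curl_getinfo($ch, CURLINFO_CONTENT_TYPE), 'application/json') >= 0` is always true, because strpos() returns FALSE when the needle is absent and `FALSE >= 0` holds in PHP, so a non-JSON error body is handed to json_decode(), comes back NULL, and the user is shown an empty PW_CHANGE_FAILED message. Write it as `strpos(...) !== FALSE` and fall back to the raw body when `$response['message']` is not set, e.g. `$message = isset($response['message']) ? $response['message'] : (string) $raw;`. `$_POST['new_password']` is only validated with assert(), which is normally disabled in production, so an array value (`new_password[]=x`) would be json-encoded and forwarded to the backend; reject it explicitly with `is_string()` and return `$password` otherwise. Two smaller things in the same function: `curl_close($ch)` is skipped on the throw path, and the Referer sent to the backend is built from the client-controlled `$_SERVER['HTTP_HOST']`, so prefer the configured hostfqdn already used for `$url`.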
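Review bot: The commented-out debug line `// echo '<pre>'; var_dump($this->data); echo '</pre>';` should not be merged into the login template: it is dead code, and if it is ever re-enabled it dumps the full template state, including the posted username and error parameters, into the page served to the user. Drop the line. The new `in_array()` on the line above compares string error codes without the strict flag; pass `true` as the third argument so the check stays exact.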
>@@ -17,29 +20,14 @@ if (isset($this->data['SPMetadata']['privacypolicy'])) {
> <img id="umcLoginLogo" src="/univention/js/dijit/themes/umc/images/login_logo.svg"/>
> </div>
> <div class="umcLoginFormWrapper">
>- <div id="umcLoginNotices" class="umcLoginNotices" style="display: none;"></div>
>- <form id="umcLoginForm" name="umcLoginForm" action="?" method="post" class="umcLoginForm" autocomplete="on">
>- <label for="umcLoginUsername">
>- <input placeholder="<?php echo htmlspecialchars($this->t('{login:username}'), ENT_QUOTES); ?>" id="umcLoginUsername" name="username" type="text" autocomplete="username" tabindex="1" value="<?php echo htmlspecialchars($this->data['username'], ENT_QUOTES); ?>" <?php echo $this->data['forceUsername'] ? 'readonly' : ''; ?>/>
>- </label>
>- <label for="umcLoginPassword">
>- <input placeholder="<?php echo htmlspecialchars($this->t('{login:password}'), ENT_QUOTES); ?>" id="umcLoginPassword" name="password" type="password" tabindex="2" autocomplete="current-password"/>
>- </label>
>- <div id="umcLoginWarnings" class="umcLoginWarnings">
>+ <div id="umcLoginNotices" class="umcLoginNotices" style="display: <?php echo $this->data['errorcode'] !== NULL ? 'block' : 'none'; ?>;">
> <?php
>-/*
>-if ($this->data['errorcode'] !== NULL) {
>- echo('<span class="logintitle">' . $this->t('{login:help_header}') . '</span>');
>- echo('<span class="logintext">' . $this->t('{login:help_text}') . '</span>');
>-}
>-*/
>-
> if ($this->data['errorcode'] !== NULL) {
> ?>
> <p class="umcLoginWarning" >
> <b><?php echo htmlspecialchars($this->t('{univentiontheme:errors:title_' . $this->data['errorcode'] . '}', $this->data['errorparams'])); ?>.</b><br>
> <?php
>-if (in_array($this->data['errorcode'], array('LDAP_PWCHANGE', 'KRB_PWCHANGE', 'SAMBA_PWCHANGE'))) {
>+if ($PW_EXPIRED) {
> $password_change_url = $this->configuration->getValue('password_change_url', '');
> $password_change_url = $password_change_url ? 
$password_change_url : str_replace('/univention/saml/metadata', '/univention/login/', $this->data['SPMetadata']['entityid']);
> echo '<span style="color: black;">';
>@@ -55,6 +43,15 @@ if (in_array($this->data['errorcode'], array('LDAP_PWCHANGE', 'KRB_PWCHANGE', 'S
> <?php
> }
> ?>
>+ </div>
>+ <form id="umcLoginForm" name="umcLoginForm" action="?" method="post" class="umcLoginForm" autocomplete="on" <?php if ($PW_EXPIRED) { echo 'style="display: none; "'; } ?>>
>+ <label for="umcLoginUsername">
>+ <input placeholder="<?php echo htmlspecialchars($this->t('{login:username}'), ENT_QUOTES); ?>" id="umcLoginUsername" name="username" type="text" autocomplete="username" tabindex="1" value="<?php echo htmlspecialchars($this->data['username'], ENT_QUOTES); ?>" <?php echo $this->data['forceUsername'] ? 'readonly' : ''; ?>/>
>+ </label>
>+ <label for="umcLoginPassword">
>+ <input placeholder="<?php echo htmlspecialchars($this->t('{login:password}'), ENT_QUOTES); ?>" id="umcLoginPassword" name="password" type="password" tabindex="2" autocomplete="current-password"/>
>+ </label>
>+ <div id="umcLoginWarnings" class="umcLoginWarnings">
> </div>
> <?php
> foreach ($this->data['stateparams'] as $name => $value) {
>@@ -90,8 +87,32 @@ foreach ($this->data['organizations'] as $orgId => $orgDesc) {
> <?php
> }
> ?>
>- <input id="umcLoginSubmit" type="submit" name="submit" value="Login"/>
>+ <input id="umcLoginSubmit" type="submit" name="submit" value="<?php echo htmlspecialchars($this->t('{login:login}'), ENT_QUOTES); ?>"/>
>+ </form>
>+
>+<?php
>+if ($PW_EXPIRED) {
>+?>
>+ <form id="umcNewPasswordForm" name="umcLoginForm" action="?" method="post" class="umcLoginForm" autocomplete="off" style="display: block;">
>+ <input name="username" type="hidden" value="<?php echo htmlspecialchars($this->data['username'], ENT_QUOTES); ?>" />
>+ <input name="password" type="hidden" value="<?php echo htmlspecialchars($_REQUEST['password'], ENT_QUOTES); /* TODO: store instead in the session? */ ?>" />
>+ <label for="umcLoginNewPassword">
>+ <input id="umcLoginNewPassword" name="new_password" type="password" autocomplete="new-password" placeholder="<?php echo htmlspecialchars($this->t('{login:new_password}'), ENT_QUOTES); ?>">
>+ </label>
>+ <label for="umcLoginNewPasswordRetype">
>+ <input id="umcLoginNewPasswordRetype" type="password" autocomplete="new-password" placeholder="<?php echo htmlspecialchars($this->t('{login:new_password_retype}'), ENT_QUOTES); ?>">
>+ </label>
>+ <input id="umcNewPasswordSubmit" type="submit" name="submit" value="<?php echo htmlspecialchars($this->t('{login:change_password}'), ENT_QUOTES); ?>">
>+<?php
>+foreach ($this->data['stateparams'] as $name => $value) {
>+ echo '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES) . '" value="' . htmlspecialchars($value, ENT_QUOTES) . '" />';
>+}
>+?>
> </form>
>+<?php
>+}
>+?>
>+
> </div>
> </div>
> <div id="umcLoginLinks"></div>
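Review bot: The hidden field `<input name="password" type="hidden" value="<?php echo htmlspecialchars($_REQUEST['password'], ENT_QUOTES); ... ?>" />` writes the user's current cleartext password into the HTML of the login page, where it ends up in the browser's page cache and DOM, in devtools, and in anything that logs response bodies, and `$_REQUEST` additionally accepts the value from the query string or a cookie rather than only from the POST body; the TODO on that line already names the right direction. Keep the just-verified old password server-side in the SimpleSAMLphp auth state that the `AuthState` stateparam (already round-tripped by the hidden inputs below) refers to, and have the auth source read it from there instead of re-posting it; as a minimum, read `$_POST['password']` rather than `$_REQUEST['password']`. The retype field `umcLoginNewPasswordRetype` has no `name` and nothing in this template compares it with `new_password`, so the mismatch check presumably lives in JavaScript elsewhere — confirm it exists, and consider a server-side comparison, since a mismatch here silently sets the password to a value the user may not have intended.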