lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-15 17:14:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

User management: add button to request a new TOTP seed on system_usermanager_passwordmg.php for https://github.com/opnsense/core/issues/4474

Browse Source
This commit is contained in:
Ad Schellevis 2020-11-24 14:18:09 +01:00
parent 8fb1a11e33
commit e162f07797
1 changed files with 130 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

172
src/www/system_usermanager_passwordmg.php
View File

@ -30,6 +30,7 @@
require_once("guiconfig.inc");
require_once("system.inc");
require_once("base32/Base32.php");
$username = $_SESSION['Username'];
@ -42,6 +43,18 @@ foreach ($config['system']['user'] as $user) {
}
}
/* determine if the user is allowed to request a new OTP seed */
$user_allow_gen_token = false;
if (isset($config['system']['user_allow_gen_token'])) {
$usergroups = getUserGroups($username);
foreach(explode(",", $config['system']['user_allow_gen_token']) as $groupname) {
if (in_array($groupname, $usergroups)) {
$user_allow_gen_token = true;
break;
}
}
}
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig = array();
@ -56,49 +69,68 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$input_errors = array();
$pconfig = $_POST;
/* we can continue without a password if nothing was provided */
if ($pconfig['passwordfld1'] !== '' || $pconfig['passwordfld2'] !== '') {
if ($pconfig['passwordfld1'] != $pconfig['passwordfld2'] ||
!password_verify($pconfig['passwordfld0'], $config['system']['user'][$userindex[$username]]['password'])) {
$input_errors[] = gettext("The passwords do not match.");
if (!empty($pconfig['request_otp_seed'])) {
if ($user_allow_gen_token && $userFound) {
$new_seed = Base32\Base32::encode(openssl_random_pseudo_bytes(20));
$config['system']['user'][$userindex[$username]]['otp_seed'] = $new_seed;
write_config();
$otp_url = "otpauth://totp/";
$otp_url .= $username."@".htmlspecialchars($config['system']['hostname'])."?secret=";
$otp_url .= $new_seed;
echo json_encode([
"otp_seed" => $new_seed ,
"otp_seed_url" => $otp_url,
"status" => "ok"
]);
} else {
echo json_encode(["status" => "failed"]);
}
if (!$userFound) {
$input_errors[] = gettext("Sorry, you cannot change settings for a non-local user.");
} elseif (count($input_errors) == 0) {
$authenticator = get_authenticator();
$input_errors = $authenticator->checkPolicy($username, $pconfig['passwordfld0'], $pconfig['passwordfld1']);
}
}
if (count($input_errors) == 0) {
if (!empty($pconfig['language'])) {
$config['system']['user'][$userindex[$username]]['language'] = $pconfig['language'];
} elseif (isset($config['system']['user'][$userindex[$username]]['language'])) {
unset($config['system']['user'][$userindex[$username]]['language']);
}
// only update password change date if there is a policy constraint
if (!empty($config['system']['webgui']['enable_password_policy_constraints']) &&
!empty($config['system']['webgui']['password_policy_length'])
) {
$config['system']['user'][$userindex[$username]]['pwd_changed_at'] = microtime(true);
}
if (!empty($_SESSION['user_shouldChangePassword'])) {
session_start();
unset($_SESSION['user_shouldChangePassword']);
session_write_close();
}
if ($pconfig['passwordfld1'] !== '' || $pconfig['passwordfld2'] !== '') {
local_user_set_password($config['system']['user'][$userindex[$username]], $pconfig['passwordfld1']);
local_user_set($config['system']['user'][$userindex[$username]]);
}
write_config();
$unused_but_needed_for_translation = gettext('Saved settings for user "%s"');
header(url_safe('Location: /system_usermanager_passwordmg.php?savemsg=%s', array('Saved settings for user "%s"')));
exit;
} else {
/* we can continue without a password if nothing was provided */
if ($pconfig['passwordfld1'] !== '' || $pconfig['passwordfld2'] !== '') {
if ($pconfig['passwordfld1'] != $pconfig['passwordfld2'] ||
!password_verify($pconfig['passwordfld0'], $config['system']['user'][$userindex[$username]]['password'])) {
$input_errors[] = gettext("The passwords do not match.");
}
if (!$userFound) {
$input_errors[] = gettext("Sorry, you cannot change settings for a non-local user.");
} elseif (count($input_errors) == 0) {
$authenticator = get_authenticator();
$input_errors = $authenticator->checkPolicy($username, $pconfig['passwordfld0'], $pconfig['passwordfld1']);
}
}
if (count($input_errors) == 0) {
if (!empty($pconfig['language'])) {
$config['system']['user'][$userindex[$username]]['language'] = $pconfig['language'];
} elseif (isset($config['system']['user'][$userindex[$username]]['language'])) {
unset($config['system']['user'][$userindex[$username]]['language']);
}
// only update password change date if there is a policy constraint
if (!empty($config['system']['webgui']['enable_password_policy_constraints']) &&
!empty($config['system']['webgui']['password_policy_length'])
) {
$config['system']['user'][$userindex[$username]]['pwd_changed_at'] = microtime(true);
}
if (!empty($_SESSION['user_shouldChangePassword'])) {
session_start();
unset($_SESSION['user_shouldChangePassword']);
session_write_close();
}
if ($pconfig['passwordfld1'] !== '' || $pconfig['passwordfld2'] !== '') {
local_user_set_password($config['system']['user'][$userindex[$username]], $pconfig['passwordfld1']);
local_user_set($config['system']['user'][$userindex[$username]]);
}
write_config();
$unused_but_needed_for_translation = gettext('Saved settings for user "%s"');
header(url_safe('Location: /system_usermanager_passwordmg.php?savemsg=%s', array('Saved settings for user "%s"')));
exit;
}
}
}
@ -107,6 +139,43 @@ legacy_html_escape_form_data($pconfig);
include("head.inc");
?>
<script>
$( document ).ready(function() {
$("#btn_new_otp_seed").click(function(){
BootstrapDialog.show({
type:BootstrapDialog.TYPE_DANGER,
title: "<?= gettext("OTP");?>",
message: "<?= gettext("Are you sure you want to request a new OTP token? The previous token will not be valid after this action.");?>",
buttons: [{
label: "<?= gettext("No");?>",
action: function(dialogRef) {
dialogRef.close();
}}, {
label: "<?= gettext("Yes");?>",
action: function(dialogRef) {
$.post(window.location, {request_otp_seed: '1'}, function(data) {
if (data.status && data.status === "ok") {
$('#otp_qrcode').qrcode(data.otp_seed_url);
} else {
$('#otp_qrcode').append(
$("<i/>").addClass("fa fa-4x fa-close")
);
}
$("#btn_new_otp_seed").hide();
$('#otp_qrcode').show();
}, "json");
dialogRef.close();
}
}]
});
});
});
</script>
<script src="<?= cache_safe('/ui/js/jquery.qrcode.js') ?>"></script>
<script src="<?= cache_safe('/ui/js/qrcode.js') ?>"></script>
<body>
<?php include("fbegin.inc"); ?>
<section class="page-content-main">
@ -121,7 +190,7 @@ include("head.inc");
}
?>
<section class="col-xs-12">
<div class="content-box">
<div class="tab-content content-box col-xs-12 __mb">
<form method="post" name="iform" id="iform">
<div class="table-responsive">
<table class="table table-striped">
@ -174,6 +243,25 @@ include("head.inc");
</div>
</form>
</div>
<?php if ($user_allow_gen_token):?>
<div class="tab-content content-box col-xs-12 __mb">
<div class="table-responsive">
<table class="table table-striped">
<tr>
<td style="width:22%"><strong><?= gettext('OTP') ?></strong></td>
<td style="width:78%; text-align:right">
</tr>
<tr>
<td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Request new OTP seed");?></td>
<td>
<button class="btn btn-primary" id="btn_new_otp_seed"><i class="fa fa-ticket fa-fw"></i></button>
<div style="display:none;" id="otp_qrcode"></div>
</td>
</tr>
</table>
</div>
</div>
<?php endif; ?>
</section>
</div>
</div>