TASK-228 Encrypt the password for authentication sources
This commit is contained in:
Brayan Pereyra
@@ -8,10 +8,6 @@ use ProcessMaker\BusinessModel\User;
|
||||
use ProcessMaker\Model\Department;
|
||||
use ProcessMaker\Model\Groupwf;
|
||||
|
||||
|
||||
/**
|
||||
* Class LdapAdvanced
|
||||
*/
|
||||
class LdapSource
|
||||
{
|
||||
public $authSourceUid;
|
||||
@@ -31,19 +27,17 @@ class LdapSource
|
||||
|
||||
private $arrayAttributesForUser = ["dn", "uid", "samaccountname", "givenname", "sn", "cn", "mail", "userprincipalname", "useraccountcontrol", "accountexpires", "manager"];
|
||||
|
||||
public function ldapConnection($authSourceData) {
|
||||
$pass = explode('_', $authSourceData['AUTH_SOURCE_PASSWORD']);
|
||||
public function __destruct() {
|
||||
if ($this->ldapcnn) {
|
||||
@ldap_close($this->ldapcnn);
|
||||
}
|
||||
}
|
||||
|
||||
public function ldapConnection($authSourceData) {
|
||||
// Removing sensitive data
|
||||
$loggableAuthSource = $authSourceData;
|
||||
unset($loggableAuthSource['AUTH_SOURCE_PASSWORD']);
|
||||
|
||||
foreach ($pass as $index => $value) {
|
||||
if ($value == '2NnV3ujj3w') {
|
||||
$authSourceData['AUTH_SOURCE_PASSWORD'] = G::decrypt($pass[0], $authSourceData['AUTH_SOURCE_SERVER_NAME']);
|
||||
}
|
||||
}
|
||||
|
||||
$ldapcnn = ldap_connect($authSourceData['AUTH_SOURCE_SERVER_NAME'], $authSourceData['AUTH_SOURCE_PORT']);
|
||||
$this->stdLog($ldapcnn, 'ldap_connect', $loggableAuthSource);
|
||||
|
||||
@@ -74,7 +68,7 @@ class LdapSource
|
||||
$message = 'Unable to bind to server: ' . $ldapServer . 'LDAP-Errno: ' . ldap_errno($ldapcnn) . ' : ' . ldap_error($ldapcnn) . " \n";
|
||||
throw new Exception($message);
|
||||
}
|
||||
|
||||
$this->ldapcnn = $ldapcnn;
|
||||
return ['connection' =>$ldapcnn, 'startTLS' => $resultLDAPStartTLS];
|
||||
}
|
||||
|
||||
@@ -82,22 +76,21 @@ class LdapSource
|
||||
try {
|
||||
$arrayGroup = [];
|
||||
|
||||
$rbac = RBAC::getSingleton();
|
||||
|
||||
if (is_null($rbac->authSourcesObj)) {
|
||||
$rbac->authSourcesObj = new AuthenticationSource();
|
||||
}
|
||||
|
||||
$arrayAuthenticationSourceData = $rbac->authSourcesObj->load($this->authSourceUid);
|
||||
$filters = ['conditions' => ['AUTH_SOURCE_UID'=> $this->authSourceUid]];
|
||||
$rbacAuthenticationSource = new RbacAuthenticationSource();
|
||||
$authSourceReturn = $rbacAuthenticationSource->show($filters);
|
||||
$authenticationSourceData = $authSourceReturn['data'][0];
|
||||
$authenticationSourceData['AUTH_SOURCE_DATA'] = json_decode($authenticationSourceData['AUTH_SOURCE_DATA'], true);
|
||||
$authenticationSourceData['AUTH_SOURCE_PASSWORD'] = G::decrypt($authenticationSourceData['AUTH_SOURCE_PASSWORD'], URL_KEY);
|
||||
|
||||
if (is_null($this->ldapcnn)) {
|
||||
$ldapcnn = $this->ldapConnection($arrayAuthenticationSourceData);
|
||||
$ldapcnn = $this->ldapConnection($authenticationSourceData);
|
||||
$this->ldapcnn = $ldapcnn['connection'];
|
||||
}
|
||||
|
||||
$ldapcnn = $this->ldapcnn;
|
||||
// Get Groups
|
||||
$limit = $this->getPageSizeLimitByData($arrayAuthenticationSourceData);
|
||||
$limit = $this->getPageSizeLimitByData($authenticationSourceData);
|
||||
$flagError = false;
|
||||
$filter = '(' . $this->arrayObjectClassFilter['group'] . ')';
|
||||
$this->log($ldapcnn, 'search groups with Filter: ' . $filter);
|
||||
@@ -106,7 +99,7 @@ class LdapSource
|
||||
do {
|
||||
$searchResult = @ldap_search(
|
||||
$ldapcnn,
|
||||
$arrayAuthenticationSourceData['AUTH_SOURCE_BASE_DN'],
|
||||
$authenticationSourceData['AUTH_SOURCE_BASE_DN'],
|
||||
$filter,
|
||||
['dn', 'cn'],
|
||||
0,
|
||||
@@ -119,7 +112,7 @@ class LdapSource
|
||||
$this->stdLog($ldapcnn, "ldap_search", ["filter" => $filter, "attributes" => ['dn', 'cn']]);
|
||||
|
||||
$context = [
|
||||
"baseDN" => $arrayAuthenticationSourceData['AUTH_SOURCE_BASE_DN'],
|
||||
"baseDN" => $authenticationSourceData['AUTH_SOURCE_BASE_DN'],
|
||||
"filter" => $filter,
|
||||
"attributes" => ['dn', 'cn']
|
||||
];
|
||||
@@ -172,7 +165,6 @@ class LdapSource
|
||||
}
|
||||
|
||||
$this->log($ldapcnn, 'found ' . count($arrayGroup) . ' groups: ' . $str);
|
||||
|
||||
return $arrayGroup;
|
||||
} catch (Exception $e) {
|
||||
throw $e;
|
||||
@@ -187,6 +179,8 @@ class LdapSource
|
||||
$rbacAuthenticationSource = new RbacAuthenticationSource();
|
||||
$authSourceReturn = $rbacAuthenticationSource->show($filters);
|
||||
$authenticationSourceData = $authSourceReturn['data'][0];
|
||||
$authenticationSourceData['AUTH_SOURCE_DATA'] = json_decode($authenticationSourceData['AUTH_SOURCE_DATA'], true);
|
||||
$authenticationSourceData['AUTH_SOURCE_PASSWORD'] = G::decrypt($authenticationSourceData['AUTH_SOURCE_PASSWORD'], URL_KEY);
|
||||
|
||||
if (is_null($this->ldapcnn)) {
|
||||
$ldapcnn = $this->ldapConnection($authenticationSourceData);
|
||||
@@ -290,7 +284,6 @@ class LdapSource
|
||||
}
|
||||
|
||||
$this->log($ldapcnn, 'found ' . count($arrayDepartment) . ' departments: ' . $str);
|
||||
|
||||
return $arrayDepartment;
|
||||
} catch (Exception $e) {
|
||||
throw $e;
|
||||
@@ -459,6 +452,7 @@ class LdapSource
|
||||
$authSourceReturn = $rbacAuthenticationSource->show($filters);
|
||||
$arrayAuthenticationSourceData = $authSourceReturn['data'][0];
|
||||
$arrayAuthenticationSourceData['AUTH_SOURCE_DATA'] = json_decode($arrayAuthenticationSourceData['AUTH_SOURCE_DATA'], true);
|
||||
$arrayAuthenticationSourceData['AUTH_SOURCE_PASSWORD'] = G::decrypt($arrayAuthenticationSourceData['AUTH_SOURCE_PASSWORD'], URL_KEY);
|
||||
|
||||
$attributeUserSet = [];
|
||||
$attributeSetAdd = [];
|
||||
@@ -512,39 +506,6 @@ class LdapSource
|
||||
|
||||
if ((is_array($sUsername) && !empty($sUsername)) || trim($sUsername) != '') {
|
||||
$countUser++;
|
||||
|
||||
/* Active Directory userAccountControl Values
|
||||
Normal Day to Day Values:
|
||||
512 - Enable Account
|
||||
514 - Disable account
|
||||
544 - Account Enabled - Require user to change password at first logon
|
||||
4096 - Workstation/server
|
||||
66048 - Enabled, password never expires
|
||||
66050 - Disabled, password never expires
|
||||
262656 - Smart Card Logon Required
|
||||
532480 - Domain controller
|
||||
1 - script
|
||||
2 - accountdisable
|
||||
8 - homedir_required
|
||||
16 - lockout
|
||||
32 - passwd_notreqd
|
||||
64 - passwd_cant_change
|
||||
128 - encrypted_text_pwd_allowed
|
||||
256 - temp_duplicate_account
|
||||
512 - normal_account
|
||||
2048 - interdomain_trust_account
|
||||
4096 - workstation_trust_account
|
||||
8192 - server_trust_account
|
||||
65536 - dont_expire_password
|
||||
131072 - mns_logon_account
|
||||
262144 - smartcard_required
|
||||
524288 - trusted_for_delegation
|
||||
1048576 - not_delegated
|
||||
2097152 - use_des_key_only
|
||||
4194304 - dont_req_preauth
|
||||
8388608 - password_expired
|
||||
16777216 - trusted_to_auth_for_delegation
|
||||
*/
|
||||
$userCountControl = '';
|
||||
//Active Directory, openLdap
|
||||
if (isset($aAttr['useraccountcontrol'])) {
|
||||
@@ -598,7 +559,6 @@ class LdapSource
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return ($paged) ? ['numRecTotal' => $totalUser, 'data' => $arrayUser] : $arrayUser;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user