fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TASK-228 Encrypt the password for authentication sources

Browse Source
This commit is contained in:
Brayan Pereyra
2025-09-19 02:54:53 +00:00
parent 4de1190e02
commit a777147d6f
4 changed files with 735 additions and 401 deletions
Download Patch File Download Diff File Expand all files Collapse all files

940
workflow/engine/classes/AuthSources.php
View File

File diff suppressed because it is too large Load Diff

80
workflow/engine/classes/LdapSource.php
View File

@@ -8,10 +8,6 @@ use ProcessMaker\BusinessModel\User;
use ProcessMaker\Model\Department;
use ProcessMaker\Model\Groupwf;
/**
* Class LdapAdvanced
*/
class LdapSource
{
public $authSourceUid;
@@ -31,19 +27,17 @@ class LdapSource
private $arrayAttributesForUser = ["dn", "uid", "samaccountname", "givenname", "sn", "cn", "mail", "userprincipalname", "useraccountcontrol", "accountexpires", "manager"];
public function ldapConnection($authSourceData) {
$pass = explode('_', $authSourceData['AUTH_SOURCE_PASSWORD']);
public function __destruct() {
if ($this->ldapcnn) {
@ldap_close($this->ldapcnn);
}
}
public function ldapConnection($authSourceData) {
// Removing sensitive data
$loggableAuthSource = $authSourceData;
unset($loggableAuthSource['AUTH_SOURCE_PASSWORD']);
foreach ($pass as $index => $value) {
if ($value == '2NnV3ujj3w') {
$authSourceData['AUTH_SOURCE_PASSWORD'] = G::decrypt($pass[0], $authSourceData['AUTH_SOURCE_SERVER_NAME']);
}
}
$ldapcnn = ldap_connect($authSourceData['AUTH_SOURCE_SERVER_NAME'], $authSourceData['AUTH_SOURCE_PORT']);
$this->stdLog($ldapcnn, 'ldap_connect', $loggableAuthSource);
@@ -74,7 +68,7 @@ class LdapSource
$message = 'Unable to bind to server: ' . $ldapServer . 'LDAP-Errno: ' . ldap_errno($ldapcnn) . ' : ' . ldap_error($ldapcnn) . " \n";
throw new Exception($message);
}
$this->ldapcnn = $ldapcnn;
return ['connection' =>$ldapcnn, 'startTLS' => $resultLDAPStartTLS];
}
@@ -82,22 +76,21 @@ class LdapSource
try {
$arrayGroup = [];
$rbac = RBAC::getSingleton();
if (is_null($rbac->authSourcesObj)) {
$rbac->authSourcesObj = new AuthenticationSource();
}
$arrayAuthenticationSourceData = $rbac->authSourcesObj->load($this->authSourceUid);
$filters = ['conditions' => ['AUTH_SOURCE_UID'=> $this->authSourceUid]];
$rbacAuthenticationSource = new RbacAuthenticationSource();
$authSourceReturn = $rbacAuthenticationSource->show($filters);
$authenticationSourceData = $authSourceReturn['data'][0];
$authenticationSourceData['AUTH_SOURCE_DATA'] = json_decode($authenticationSourceData['AUTH_SOURCE_DATA'], true);
$authenticationSourceData['AUTH_SOURCE_PASSWORD'] = G::decrypt($authenticationSourceData['AUTH_SOURCE_PASSWORD'], URL_KEY);
if (is_null($this->ldapcnn)) {
$ldapcnn = $this->ldapConnection($arrayAuthenticationSourceData);
$ldapcnn = $this->ldapConnection($authenticationSourceData);
$this->ldapcnn = $ldapcnn['connection'];
}
$ldapcnn = $this->ldapcnn;
// Get Groups
$limit = $this->getPageSizeLimitByData($arrayAuthenticationSourceData);
$limit = $this->getPageSizeLimitByData($authenticationSourceData);
$flagError = false;
$filter = '(' . $this->arrayObjectClassFilter['group'] . ')';
$this->log($ldapcnn, 'search groups with Filter: ' . $filter);
@@ -106,7 +99,7 @@ class LdapSource
do {
$searchResult = @ldap_search(
$ldapcnn,
$arrayAuthenticationSourceData['AUTH_SOURCE_BASE_DN'],
$authenticationSourceData['AUTH_SOURCE_BASE_DN'],
$filter,
['dn', 'cn'],
0,
@@ -119,7 +112,7 @@ class LdapSource
$this->stdLog($ldapcnn, "ldap_search", ["filter" => $filter, "attributes" => ['dn', 'cn']]);
$context = [
"baseDN" => $arrayAuthenticationSourceData['AUTH_SOURCE_BASE_DN'],
"baseDN" => $authenticationSourceData['AUTH_SOURCE_BASE_DN'],
"filter" => $filter,
"attributes" => ['dn', 'cn']
];
@@ -172,7 +165,6 @@ class LdapSource
}
$this->log($ldapcnn, 'found ' . count($arrayGroup) . ' groups: ' . $str);
return $arrayGroup;
} catch (Exception $e) {
throw $e;
@@ -187,6 +179,8 @@ class LdapSource
$rbacAuthenticationSource = new RbacAuthenticationSource();
$authSourceReturn = $rbacAuthenticationSource->show($filters);
$authenticationSourceData = $authSourceReturn['data'][0];
$authenticationSourceData['AUTH_SOURCE_DATA'] = json_decode($authenticationSourceData['AUTH_SOURCE_DATA'], true);
$authenticationSourceData['AUTH_SOURCE_PASSWORD'] = G::decrypt($authenticationSourceData['AUTH_SOURCE_PASSWORD'], URL_KEY);
if (is_null($this->ldapcnn)) {
$ldapcnn = $this->ldapConnection($authenticationSourceData);
@@ -290,7 +284,6 @@ class LdapSource
}
$this->log($ldapcnn, 'found ' . count($arrayDepartment) . ' departments: ' . $str);
return $arrayDepartment;
} catch (Exception $e) {
throw $e;
@@ -459,6 +452,7 @@ class LdapSource
$authSourceReturn = $rbacAuthenticationSource->show($filters);
$arrayAuthenticationSourceData = $authSourceReturn['data'][0];
$arrayAuthenticationSourceData['AUTH_SOURCE_DATA'] = json_decode($arrayAuthenticationSourceData['AUTH_SOURCE_DATA'], true);
$arrayAuthenticationSourceData['AUTH_SOURCE_PASSWORD'] = G::decrypt($arrayAuthenticationSourceData['AUTH_SOURCE_PASSWORD'], URL_KEY);
$attributeUserSet = [];
$attributeSetAdd = [];
@@ -512,39 +506,6 @@ class LdapSource
if ((is_array($sUsername) && !empty($sUsername)) || trim($sUsername) != '') {
$countUser++;
/* Active Directory userAccountControl Values
Normal Day to Day Values:
512 - Enable Account
514 - Disable account
544 - Account Enabled - Require user to change password at first logon
4096 - Workstation/server
66048 - Enabled, password never expires
66050 - Disabled, password never expires
262656 - Smart Card Logon Required
532480 - Domain controller
1 - script
2 - accountdisable
8 - homedir_required
16 - lockout
32 - passwd_notreqd
64 - passwd_cant_change
128 - encrypted_text_pwd_allowed
256 - temp_duplicate_account
512 - normal_account
2048 - interdomain_trust_account
4096 - workstation_trust_account
8192 - server_trust_account
65536 - dont_expire_password
131072 - mns_logon_account
262144 - smartcard_required
524288 - trusted_for_delegation
1048576 - not_delegated
2097152 - use_des_key_only
4194304 - dont_req_preauth
8388608 - password_expired
16777216 - trusted_to_auth_for_delegation
*/
$userCountControl = '';
//Active Directory, openLdap
if (isset($aAttr['useraccountcontrol'])) {
@@ -598,7 +559,6 @@ class LdapSource
}
}
}
return ($paged) ? ['numRecTotal' => $totalUser, 'data' => $arrayUser] : $arrayUser;
}

98
workflow/engine/methods/authSources/authSourcesProxy.php
View File

@@ -1,19 +1,41 @@
<?php
/**
* Authentication Sources Proxy
*
* This script serves as a proxy handler for authentication source operations.
* It processes various AJAX requests related to LDAP/Active Directory authentication
* sources management including listing, creating, updating, deleting, testing
* connections, and importing users/groups/departments.
*
* @author Lurana System
* @version 1.0
* @package Workflow Engine
* @subpackage Authentication Sources
*/
try {
// Validate that an action parameter was provided in the request
if (isset($_REQUEST['action']) === false) {
throw new Exception('No action was sent');
}
// Ensure user is authenticated before processing any requests
if (isset($_SESSION['USER_LOGGED']) === false) {
throw new Exception('There is no logged in user');
}
// Extract request parameters and initialize response structure
$action = $_REQUEST['action'];
$userUid = $_SESSION['USER_LOGGED'];
$responseProxy = ['success' => true];
// Process the requested action using a switch statement
switch ($action) {
/**
* Retrieve a paginated list of authentication sources
* Parameters: start, limit, textFilter, orderBy, ascending
*/
case 'authSourcesList':
$start = $_REQUEST['start'] ?? 0;
$limit = $_REQUEST['limit'] ?? 25;
@@ -24,6 +46,10 @@ try {
$authSources = new AuthSources();
$responseProxy = $authSources->getListAuthSources($userUid, $start, $limit, $orderBy, $ascending, $filter);
break;
/**
* Delete an authentication source by its UID
* Required parameter: auth_uid
*/
case 'authSourcesDelete':
if (!isset($_REQUEST['auth_uid'])) {
throw new Exception('No auth source UID was sent');
@@ -32,16 +58,30 @@ try {
$authSources = new AuthSources();
$responseProxy = $authSources->removeAuthSource($authSourceUid);
break;
/**
* Verify if an authentication source name is unique/available
* Required parameter: AUTH_SOURCE_NAME
*/
case 'authSourcesVerifyName':
if (empty($_REQUEST['AUTH_SOURCE_NAME'])) {
throw new Exception('No auth source UID was sent');
throw new Exception('No auth source name was sent');
}
$authSourceName = $_REQUEST['AUTH_SOURCE_NAME'];
$authSources = new AuthSources();
$responseProxy = $authSources->verifyAuthSourceName($authSourceName);
break;
/**
* Test connection to an authentication source (LDAP/AD)
* Required parameter: AUTH_ANONYMOUS
* If anonymous auth is enabled, clears username and password
*/
case 'authSourcesTestConnection':
if (isset($_REQUEST['AUTH_ANONYMOUS']) === false) {
throw new Exception('No auth anonymous was sent');
}
// Clear credentials if anonymous authentication is enabled
if ($_REQUEST['AUTH_ANONYMOUS'] == '1') {
$_REQUEST['AUTH_SOURCE_SEARCH_USER'] = '';
$_REQUEST['AUTH_SOURCE_PASSWORD'] = '';
@@ -53,12 +93,19 @@ try {
$authSources = new AuthSources();
$responseProxy = $authSources->testConnection($authSourceData);
break;
/**
* Save (create or update) an authentication source configuration
* Processes form data, separates common fields from extra data,
* and handles grid attributes if enabled
*/
case 'authSourcesSave':
$temporalData = $_REQUEST;
// Process grid attributes if the show grid checkbox is enabled
if (isset($temporalData['AUTH_SOURCE_SHOWGRID-checkbox'])) {
if ($temporalData['AUTH_SOURCE_SHOWGRID-checkbox'] == 'on') {
$temporalData['AUTH_SOURCE_SHOWGRID'] = 'on';
// Parse JSON grid attributes and convert to array format
$attributes = G::json_decode($temporalData['AUTH_SOURCE_GRID_TEXT']);
$con = 1;
foreach ($attributes as $value) {
@@ -69,20 +116,19 @@ try {
unset($temporalData['AUTH_SOURCE_SHOWGRID-checkbox']);
}
// Clear credentials for anonymous authentication
if ($temporalData['AUTH_ANONYMOUS'] == '1') {
$temporalData['AUTH_SOURCE_SEARCH_USER'] = '';
$temporalData['AUTH_SOURCE_PASSWORD'] = '';
}
unset($temporalData['AUTH_SOURCE_GRID_TEXT']);
unset($temporalData['DELETE1']);
unset($temporalData['DELETE2']);
unset($temporalData['AUTH_SOURCE_ATTRIBUTE_IDS']);
unset($temporalData['AUTH_SOURCE_SHOWGRID_FLAG']);
unset($temporalData['AUTH_SOURCE_GRID_TEXT']);
// Define core authentication source fields
$commonFields = array('AUTH_SOURCE_UID', 'AUTH_SOURCE_NAME', 'AUTH_SOURCE_PROVIDER', 'AUTH_SOURCE_SERVER_NAME', 'AUTH_SOURCE_PORT', 'AUTH_SOURCE_ENABLED_TLS', 'AUTH_ANONYMOUS', 'AUTH_SOURCE_SEARCH_USER', 'AUTH_SOURCE_PASSWORD', 'AUTH_SOURCE_VERSION', 'AUTH_SOURCE_BASE_DN', 'AUTH_SOURCE_OBJECT_CLASSES', 'AUTH_SOURCE_ATTRIBUTES');
// Separate common fields from extra configuration data
$authSourceData = $authSourceExtraData = array();
foreach ($temporalData as $sField => $sValue) {
if (in_array($sField, $commonFields)) {
@@ -92,6 +138,7 @@ try {
}
}
// Remove grid attributes if grid display is disabled
if (!isset($authSourceExtraData['AUTH_SOURCE_SHOWGRID']) || $authSourceExtraData['AUTH_SOURCE_SHOWGRID'] == 'off') {
unset($authSourceExtraData['AUTH_SOURCE_GRID_ATTRIBUTE']);
unset($authSourceExtraData['AUTH_SOURCE_SHOWGRID']);
@@ -102,12 +149,18 @@ try {
$authSources = new AuthSources();
$responseProxy = $authSources->saveAuthSource($authSourceData);
break;
/**
* Search for users in an authentication source for import
* Required parameter: sUID (auth source UID)
* Optional parameters: start, limit/pageSize, sKeyword
*/
case 'authSourcesImportSearchUsers':
if (!isset($_REQUEST['sUID'])) {
if (!isset($_POST['sUID'])) {
throw new Exception('No auth source UID was sent');
}
$authSourceUid = $_POST['sUID'];
// Set up search filters with default values
$filters = [
'start'=> $_POST['start'] ?? 0,
'limit'=> $_POST['limit'] ?? ($_POST['pageSize'] ?? 10),
@@ -117,6 +170,10 @@ try {
$authSources = new AuthSources();
$responseProxy = $authSources->searchUsers($authSourceUid, $filters);
break;
/**
* Import selected users from an authentication source
* Required parameters: UsersImport (JSON), AUTH_SOURCE_UID
*/
case 'authSourcesImportUsers':
if (!isset($_REQUEST['UsersImport'])) {
throw new Exception('There are no users to import');
@@ -128,11 +185,16 @@ try {
$authSourceUid = $_REQUEST['AUTH_SOURCE_UID'];
$usersImport = $_REQUEST['UsersImport'];
// Decode JSON list of users to import
$usersImport = json_decode($usersImport, true);
$authSources = new AuthSources();
$responseProxy = $authSources->importUsers($authSourceUid, $usersImport);
break;
/**
* Load/search departments from an authentication source
* Required parameter: authUid (auth source UID)
*/
case 'authSourcesImportLoadDepartment':
if (!isset($_REQUEST['authUid'])) {
throw new Exception('No auth source UID was sent');
@@ -140,14 +202,22 @@ try {
$authSourceUid = $_REQUEST['authUid'];
$authSources = new AuthSources();
$responseProxy = $authSources->searchDepartaments($authSourceUid);
$responseProxy = $authSources->searchDepartments($authSourceUid);
break;
/**
* Save/import selected departments from an authentication source
* Required parameters: departmentsDN, authUid
*/
case 'authSourcesImportSaveDepartment':
$authSources = new AuthSources();
$departmentsDN = $_REQUEST['departmentsDN'];
$authSourceUid = $_REQUEST['authUid'];
$responseProxy = $authSources->saveDepartments($departmentsDN, $authSourceUid);
break;
/**
* Load/search groups from an authentication source
* Required parameter: authUid (auth source UID)
*/
case 'authSourcesImportLoadGroup':
if (!isset($_REQUEST['authUid'])) {
throw new Exception('No auth source UID was sent');
@@ -157,23 +227,31 @@ try {
$authSources = new AuthSources();
$responseProxy = $authSources->searchGroups($authSourceUid);
break;
/**
* Save/import selected groups from an authentication source
* Required parameters: groupsDN, authUid
*/
case 'authSourcesImportSaveGroup':
$authSources = new AuthSources();
$groupsDN = $_REQUEST['groupsDN'];
$authSourceUid = $_REQUEST['authUid'];
$responseProxy = $authSources->saveGroups($groupsDN, $authSourceUid);
break;
/**
* Handle invalid/unknown actions
*/
default:
throw new Exception('The action "' . $action . '" is not allowed');
break;
}
// Return successful response as JSON
header('Content-Type: application/json');
echo json_encode($responseProxy, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
} catch (Exception $exception) {
// Handle any exceptions and return error response
$responseProxy['success'] = false;
$responseProxy['message'] = htmlentities($exception->getMessage(), ENT_QUOTES, 'UTF-8');
$responseProxy['message'] = 'An error occurred while processing your request: ';
$responseProxy['message'] .= htmlentities($exception->getMessage(), ENT_QUOTES, 'UTF-8');
header('Content-Type: application/json');
echo json_encode($responseProxy, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
}

14
workflow/engine/src/ProcessMaker/Model/RbacUsers.php
View File

@@ -6,6 +6,7 @@ use App\Factories\HasFactory;
use Exception;
use Illuminate\Database\Eloquent\Model;
use ProcessMaker\Model\RbacUsersRoles;
use Illuminate\Support\Facades\DB;
class RbacUsers extends Model
{
@@ -94,4 +95,17 @@ class RbacUsers extends Model
];
return $result;
}
public static function getAllUsersByAuthSource()
{
$query = static::query();
$query->select('UID_AUTH_SOURCE', DB::raw('COUNT(*) AS CNT'));
$query->where('USR_STATUS', '!=', 'CLOSED');
$query->where('USR_USERNAME', '!=', '');
$query->groupBy('UID_AUTH_SOURCE');
$data =$query->get()->toArray();
$result = ['data' => $data];
return $result;
}
}