Merge branch 'release/1.3'

CHANGELOG.md

@@ -9,4 +9,10 @@
 ## 1.2 (20th May 2015)
 
   - Bug fixes for LDAP plugin
-  - Improved UI
+  - Improved UI
+
+## 1.3 (6th July 2017)
+
+  - Add config to enable/disable strict password checking
+  - use encryptionstore to retrieve/store passwords
+  - move strict password checking to client side

LICENSE → LICENSE.md

@@ -1,5 +1,5 @@
 Zarafa Webapp Password Change Plugin
-Copyright (C) 2013  Saket Patel [email protected]
+Copyright (C) 2013 - 2017  Saket Patel <[email protected]>
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU Affero General Public License as published by

README.md

@@ -7,28 +7,46 @@ This plugin is largely based on the Passwd plugin by Andreas Brodowski.
 For his original work check this [link](https://community.zarafa.com/pg/plugins/project/157/developer/dw2412/passwd-plugin)
 
 ## How to install
-1. If you want to use this plugin with production / debug version of webapp then please download package from [community](https://community.zarafa.com/pg/plugins/project/23147/developer/silentsakky/webapp-password-change)
+1. If you want to use this plugin with production / debug version of webapp then please download package from [release page](https://github.com/silentsakky/zarafa-webapp-passwd/releases)
 2. If you want to use this plugin with source copy of webapp then you can just download this whole project
-3. Extract contents of this plugin to <webapp_path>/plugins directory
+3. Extract contents of this plugin to <webapp_path>/plugins directory, in Ubuntu 16 <webapp_path> refers to /usr/share/kopano-webapp
 4. Give read permissions to apache for <webapp_path>/plugins/passwd directory
 5. If you are using LDAP plugin then change PLUGIN_PASSWD_LDAP to true and also set proper values for PLUGIN_PASSWD_LDAP_BASEDN and PLUGIN_PASSWD_LDAP_URI configurations
 6. If you are using DB plugin then no need to change anything, default configurations should be fine
 5. Restart apache, reload webapp after clearing cache
 6. If you want to enable this plugin by default for all users then edit config.php file and change PLUGIN_PASSWD_USER_DEFAULT_ENABLE setting to true
 
+
 ## How to enable
 1. Go to settings section
 2. Go to Plugins tab
 3. Enable password change plugin and reload webapp
-4. Go to Change Password tab of settings section
-5. Provide current password and new password
-6. Click on apply
+
 
 ## How to disable
 1. Go to settings section
 2. Go to Plugins tab
 3. Disable password change plugin and reload webapp
 
+
+## How to use
+1. Go to Change Password tab of settings section
+2. Provide current password and new password
+3. Click on apply
+
+
 ## Notes
 - Feedback/Bug Reports are welcome
 - thanks to h44z for adding password meter and icon for the plugin
+
+
+## Dependencies:
+- php ldap extension is required if you are using LDAP plugin
+- if you have ubuntu 16 then follow below steps (this should ideally work with all distros)
+     1) sudo apt-get install php-ldap
+     2) sudo phpenmod ldap
+     3) check if ldap extension is enabled using below command
+        php -i "(command-line 'phpinfo()')" | grep ldap
+
+
+Initially releases of this plugin were maintained in [community](https://community.zarafa.com/pg/plugins/project/23147/developer/silentsakky/webapp-password-change), but now users can download latest builds from [github release page](https://github.com/silentsakky/zarafa-webapp-passwd/releases)

build.xml

@@ -233,5 +233,13 @@
 				<exclude name="**/LC_MESSAGES/*.po"/>
 			</fileset>
 		</copy>
+
+		<!-- Create zip file for release (ant -Drelease=true) -->
+		<if>
+			<isset property="release" />
+			<then>
+				<zip destfile="${target-folder}/${plugin}.zip" update="true" basedir="${target-folder}/${plugin}" />
+			</then>
+		</if>
 	</target>
 </project>

config.php

@@ -2,7 +2,10 @@
 /** Enable the passwd plugin for all clients **/
 define('PLUGIN_PASSWD_USER_DEFAULT_ENABLE', false);
 
-/** Define zarafa installtion uses LDAP **/
+/** Enable the passwd plugin for all clients **/
+define('PLUGIN_PASSWD_STRICT_CHECK_ENABLE', true);
+
+/** Define passwd plugin installation uses LDAP **/
 define('PLUGIN_PASSWD_LDAP', false);
 
 /** Base DN to access LDAP users **/
@@ -23,4 +26,4 @@
 /** Set to true if you login with username@tenantname **/
 define('PLUGIN_PASSWD_LOGIN_WITH_TENANT', false);
 
-?>
+?>

js/ABOUT.js

@@ -6,7 +6,7 @@ Ext.namespace('Zarafa.plugins.passwd');
  * The copyright string holding the copyright notice for the Zarafa passwd Plugin.
  */
 Zarafa.plugins.passwd.ABOUT = ""
-	+ "<p>Copyright (C) 2013  Saket Patel &lt;[email protected]&gt;</p>"
+	+ "<p>Copyright (C) 2013 - 2017  Saket Patel &lt;[email protected]&gt;</p>"
 
 	+ "<p>This program is free software: you can redistribute it and/or modify "
 	+ "it under the terms of the GNU Affero General Public License as "

js/external/PasswordMeter.js

@@ -62,7 +62,8 @@ Ext.ux.form.field.PasswordMeter = Ext.extend(Ext.form.TextField, {
 
 
 		var width = this.getEl().getWidth();
-		this.strengthMeterID = newID = Ext.id();
+		var newID = Ext.id();
+		this.strengthMeterID = newID;
 		this.scoreBarID = Ext.id();
 		var objMeter = Ext.DomHelper.insertAfter(this.getEl(), {
 			tag: "div",

js/settings/SettingsPasswdWidget.js

@@ -72,14 +72,15 @@ Zarafa.plugins.passwd.settings.SettingsPasswdWidget = Ext.extend(Zarafa.settings
 		} else if(!this.passwdPanel.getForm().isValid()) {
 			Ext.MessageBox.alert(dgettext("plugin_passwd", 'Error'), dgettext("plugin_passwd", 'One or more fields does contain errors.'));
 			return false;
-		} else {
+		} else if (container.getSettingsModel().get("zarafa/v1/plugins/passwd/enable_strict_check")) {
 			// do a quick score check:
 			if(this.passwdPanel.new_password.getScore() < 70) {
 				Ext.MessageBox.alert(dgettext("plugin_passwd", 'Error'), dgettext("plugin_passwd", 'Password is weak. Password should contain capital, non-capital letters and numbers. Password should have 8 to 20 characters.'));
 				return false;
 			}
-			return true;
 		}
+
+		return true;
 	},
 
 	/**

manifest.xml

@@ -2,12 +2,12 @@
 <!DOCTYPE plugin SYSTEM "manifest.dtd">
 <plugin version="2">
 	<info>
-		<version>1.2</version>
+		<version>1.3</version>
 		<name>Passwd</name>
 		<title>Password Change Plugin</title>
 		<author>Saket Patel</author>
 		<authorURL>https://github.com/silentsakky</authorURL>
-		<description>Change your password from zarafa webapp</description>
+		<description>Change your password from webapp</description>
 	</info>
 	<config>
 		<configfile>config.php</configfile>
@@ -16,7 +16,6 @@
 		<translationsdir>language</translationsdir>
 	</translations>
 
-
 	<components>
 		<component>
 			<files>

php/class.passwdmodule.php

@@ -83,6 +83,9 @@ public function save($data)
 	public function saveInLDAP($data)
 	{
 		$errorMessage = '';
+		$userName = $data['username'];
+		$newPassword = $data['new_password'];
+		$sessionPass = '';
 
 		// connect to LDAP server
 		$ldapconn = ldap_connect(PLUGIN_PASSWD_LDAP_URI);
@@ -91,10 +94,10 @@ public function saveInLDAP($data)
 		if(ldap_errno($ldapconn) === 0) {
 			// get the users uid, if we have a multi tenant installation then remove company name from user name
 			if (PLUGIN_PASSWD_LOGIN_WITH_TENANT){
-				$parts = explode('@', $data['username']);
+				$parts = explode('@', $userName);
 				$uid = $parts[0];
 			} else {
-				$uid = $data['username'];
+				$uid = $userName;
 			}
 
 			// check if we should use tls!
@@ -126,48 +129,35 @@ public function saveInLDAP($data)
 				ldap_bind($ldapconn, $userdn, $data['current_password']);
 
 				if(ldap_errno($ldapconn) === 0) {
+					$password_hash = $this->sshaEncode($newPassword);
+					$entry = array('userPassword' => $password_hash);
 
-					$passwd = $data['new_password'];
-
-					if ($this->checkPasswordStrenth($passwd)) {
-						$password_hash = $this->sshaEncode($passwd);
-						$entry = array('userPassword' => $password_hash);
-						if (in_array('sambaSamAccount', $entries[0]['objectclass'])) {
-							$nthash = strtoupper(bin2hex(mhash(MHASH_MD4, iconv("UTF-8","UTF-16LE", $passwd))));
-							$entry['sambaNTPassword'] = $nthash;
-							$entry['sambaPwdLastSet'] = strval(time());
-						}
-						ldap_modify($ldapconn, $userdn, $entry);
-						if (ldap_errno($ldapconn) === 0) {
-							// password changed successfully
-
-							// write new password to session because we don't want user to re-authenticate
-							session_start();
-							// if user has openssl module installed
-							if(function_exists("openssl_encrypt")) {
-								// In PHP 5.3.3 the iv parameter was added
-								if(version_compare(phpversion(), "5.3.3", "<")) {
-									$_SESSION['password'] = openssl_encrypt($passwd,"des-ede3-cbc",PASSWORD_KEY,0);
-								} else {
-									$_SESSION['password'] = openssl_encrypt($passwd,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-								}
-							}
-							else {
-								$_SESSION['password'] = $passwd;
-							}
-							session_write_close();
-
-							// send feedback to client
-							$this->sendFeedback(true, array(
-								'info' => array(
-									'display_message' => dgettext("plugin_passwd", 'Password is changed successfully.')
-								)
-							));
-						} else {
-							$errorMessage = dgettext("plugin_passwd", 'Password is not changed.');
-						}
+					if (in_array('sambaSamAccount', $entries[0]['objectclass'])) {
+						$nthash = strtoupper(bin2hex(mhash(MHASH_MD4, iconv("UTF-8", "UTF-16LE", $newPassword))));
+						$entry['sambaNTPassword'] = $nthash;
+						$entry['sambaPwdLastSet'] = strval(time());
+					}
+
+					ldap_modify($ldapconn, $userdn, $entry);
+					if (ldap_errno($ldapconn) === 0) {
+						// password changed successfully
+
+						// send feedback to client
+						$this->sendFeedback(true, array(
+							'info' => array(
+								'display_message' => dgettext("plugin_passwd", 'Password is changed successfully.')
+							)
+						));
+
+						// write new password to session because we don't want user to re-authenticate
+						session_start();
+						$encryptionStore = EncryptionStore::getInstance();
+						$encryptionStore->add('password', $newPassword);
+						session_write_close();
+
+						return true;
 					} else {
-						$errorMessage = dgettext("plugin_passwd", 'Password is weak. Password should contain capital, non-capital letters and numbers. Password should have 8 to 20 characters.');
+						$errorMessage = dgettext("plugin_passwd", 'Password is not changed.');
 					}
 				} else {
 					$errorMessage = dgettext("plugin_passwd", 'Current password does not match.');
@@ -197,10 +187,11 @@ public function saveInLDAP($data)
 	public function saveInDB($data)
 	{
 		$errorMessage = '';
-		$passwd = $data['new_password'];
+		$userName = $data['username'];
+		$newPassword = $data['new_password'];
+		$sessionPass = '';
 
 		// get current session password
-		$sessionPass = $_SESSION['password'];
 		// if this plugin is used on a webapp version with EncryptionStore,
 		// $_SESSION['password'] is no longer available. User EncryptionStore
 		// in this case.
@@ -212,54 +203,31 @@ public function saveInDB($data)
 			$encryptionStore = EncryptionStore::getInstance();
 			$sessionPass = $encryptionStore->get("password");
 		}
-		// if user has openssl module installed
-		else if (function_exists("openssl_decrypt")) {
-			if (version_compare(phpversion(), "5.3.3", "<")) {
-				$sessionPass = openssl_decrypt($sessionPass, "des-ede3-cbc", PASSWORD_KEY, 0);
-			} else {
-				$sessionPass = openssl_decrypt($sessionPass, "des-ede3-cbc", PASSWORD_KEY, 0, PASSWORD_IV);
-			}
-
-			if (!$sessionPass) {
-				$sessionPass = $_SESSION['password'];
-			}
-		}
 
 		if($data['current_password'] === $sessionPass) {
-			if ($this->checkPasswordStrenth($passwd)) {
-				// all information correct, change password
-				$store = $GLOBALS['mapisession']->getDefaultMessageStore();
-				$userinfo = mapi_zarafa_getuser_by_name($store, $data['username']);
-
-				if (mapi_zarafa_setuser($store, $userinfo['userid'], $data['username'], $userinfo['fullname'], $userinfo['emailaddress'], $passwd, 0, $userinfo['admin'])) {
-					// password changed successfully
-
-					// write new password to session because we don't want user to re-authenticate
-					session_start();
-					// if user has openssl module installed
-					if (function_exists("openssl_encrypt")) {
-						// In PHP 5.3.3 the iv parameter was added
-						if (version_compare(phpversion(), "5.3.3", "<")) {
-							$_SESSION['password'] = openssl_encrypt($passwd, "des-ede3-cbc", PASSWORD_KEY, 0);
-						} else {
-							$_SESSION['password'] = openssl_encrypt($passwd, "des-ede3-cbc", PASSWORD_KEY, 0, PASSWORD_IV);
-						}
-					} else {
-						$_SESSION['password'] = $passwd;
-					}
-					session_write_close();
-
-					// send feedback to client
-					$this->sendFeedback(true, array(
-						'info' => array(
-							'display_message' => dgettext("plugin_passwd", 'Password is changed successfully.')
-						)
-					));
-				} else {
-					$errorMessage = dgettext("plugin_passwd", 'Password is not changed.');
-				}
+			// all information correct, change password
+			$store = $GLOBALS['mapisession']->getDefaultMessageStore();
+			$userinfo = mapi_zarafa_getuser_by_name($store, $userName);
+
+			if (mapi_zarafa_setuser($store, $userinfo['userid'], $userName, $userinfo['fullname'], $userinfo['emailaddress'], $newPassword, 0, $userinfo['admin'])) {
+				// password changed successfully
+
+				// send feedback to client
+				$this->sendFeedback(true, array(
+					'info' => array(
+						'display_message' => dgettext("plugin_passwd", 'Password is changed successfully.')
+					)
+				));
+
+				// write new password to session because we don't want user to re-authenticate
+				session_start();
+				$encryptionStore = EncryptionStore::getInstance();
+				$encryptionStore->add('password', $newPassword);
+				session_write_close();
+
+				return true;
 			} else {
-				$errorMessage = dgettext("plugin_passwd", 'Password is weak. Password should contain capital, non-capital letters and numbers. Password should have 8 to 20 characters.');
+				$errorMessage = dgettext("plugin_passwd", 'Password is not changed.');
 			}
 		} else {
 			$errorMessage = dgettext("plugin_passwd", 'Current password does not match.');
@@ -275,25 +243,6 @@ public function saveInDB($data)
 		}
 	}
 
-	/**
-	 * Function will check strength of the password and if it does not meet minimum requirements then
-	 * will return false.
-	 * Password should meet the following criteria:
-	 * - min. 8 chars, max. 20
-	 * - contain caps and noncaps characters
-	 * - contain numbers
-	 * @param {String} $password password which should be checked.
-	 * @return {Boolean} true if password passes the minimum requirement else false.
-	 */
-	public function checkPasswordStrenth($password)
-	{
-		if (preg_match("#.*^(?=.{8,20})(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).*$#", $password)) {
-			return true;
-		} else {
-			return false;
-		}
-	}
-
 	/**
 	 * Function will generate SSHA hash to use to store user's password in LDAP.
 	 * @param {String} $text text based on which hash will be generated.

php/plugin.passwd.php

@@ -43,9 +43,9 @@ function injectPluginSettings(&$data) {
 				'v1' => Array(
 					'plugins' => Array(
 						'passwd' => Array(
-							'enable'            => PLUGIN_PASSWD_USER_DEFAULT_ENABLE,
+							'enable'                 => PLUGIN_PASSWD_USER_DEFAULT_ENABLE,
+							'enable_strict_check'    => PLUGIN_PASSWD_STRICT_CHECK_ENABLE,
 						)
-
 					)
 				)
 			)