
2.1.25
- #1149 log failed user authentication
- #1160 hiding user password change option if DUOSecurity
- add new item from API (for teampass-connect) (not yet tested)
- code source cosmetic changes
nilsteampassnet committed Jan 19, 2016
1 parent e1724c3 commit ae1eb8e
Showing 8 changed files with 312 additions and 156 deletions.
154 changes: 141 additions & 13 deletions api/functions.php
Expand Up @@ -251,7 +251,7 @@ function rest_get () {
}
$GLOBALS['request'] = explode('/',$matches[2]);
}
if(apikey_checker($GLOBALS['apikey'])) {
global $server, $user, $pass, $database, $pre, $link;
teampass_connect();
Expand Down Expand Up @@ -629,7 +629,7 @@ function rest_get () {
$email
);
// update LOG
logEvents('user_mngt', 'at_user_added', 'api - '.$GLOBALS['apikey'], $new_user_id);
logEvents('user_mngt', 'at_user_added', 'api - '.$GLOBALS['apikey'], $new_user_id);
echo '{"status":"user added"}';
} catch(PDOException $ex) {
echo '<br />' . $ex->getMessage();
Expand Down Expand Up @@ -665,15 +665,15 @@ function rest_get () {
"SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM ".$pre."users WHERE login = %s",
$GLOBALS['request'][3]
);
// load passwordLib library
$_SESSION['settings']['cpassman_dir'] = "..";
require_once '../sources/SplClassLoader.php';
$pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
$pwdlib->register();
$pwdlib = new PasswordLib\PasswordLib();
if ($pwdlib->verifyPasswordHash($GLOBALS['request'][4], $user['pw']) === true) {
// load passwordLib library
$_SESSION['settings']['cpassman_dir'] = "..";
require_once '../sources/SplClassLoader.php';
$pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
$pwdlib->register();
$pwdlib = new PasswordLib\PasswordLib();
if ($pwdlib->verifyPasswordHash($GLOBALS['request'][4], $user['pw']) === true) {
// define the restriction of "id_tree" of this user
$userDef = DB::queryOneColumn('folder_id',
"SELECT DISTINCT folder_id
Expand Down Expand Up @@ -707,11 +707,11 @@ function rest_get () {
if (
empty($data['restricted_to']) ||
($data['restricted_to'] != "" && in_array($user['id'], explode(";", $data['restricted_to'])))
) {
) {
// prepare export
$json[$data['id']]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$data['id']]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$json[$data['id']]['pw'] = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
$json[$data['id']]['pw'] = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
}
}
// prepare answer. If no access then inform
Expand All @@ -732,6 +732,127 @@ function rest_get () {
} else {
rest_error ('AUTH_NO_IDENTIFIER');
}
} elseif ($GLOBALS['request'][0] == "set") {
/*
* Expected call format: .../api/index.php/set/<login_to_save>/<password_to_save>/<url>/<user_login>/<user_password>?apikey=<VALID API KEY>
* Example: https://127.0.0.1/teampass/api/index.php/auth/myLogin/myPassword/USER1/test/76?apikey=chahthait5Aidood6johh6Avufieb6ohpaixain
*
* NEW ITEM WILL BE STORED IN SPECIFIC FOLDER
*/
// get user credentials
if(isset($GLOBALS['request'][4]) && isset($GLOBALS['request'][5])) {
// get url
if (isset($GLOBALS['request'][1]) && isset($GLOBALS['request'][2]) && isset($GLOBALS['request'][3])) {
// is user granted?
$user = DB::queryFirstRow(
"SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM " . $pre . "users WHERE login = %s",
$GLOBALS['request'][4]
);

// load passwordLib library
$_SESSION['settings']['cpassman_dir'] = "..";
require_once '../sources/SplClassLoader.php';
$pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
$pwdlib->register();
$pwdlib = new PasswordLib\PasswordLib();

// is user identified?
if ($pwdlib->verifyPasswordHash($GLOBALS['request'][5], $user['pw']) === true) {
// does the personal folder of this user exists?
DB::queryFirstRow(
"SELECT `id`
FROM " . $pre . "nested_tree
WHERE title = %s AND personal_folder = 1",
$user['id']
);
if (DB::count() > 0) {
// check if "teampass-connect" folder exists
// if not create it
$folder = DB::queryFirstRow(
"SELECT `id`
FROM " . $pre . "nested_tree
WHERE title = %s",
"teampass-connect"
);
if (DB::count() == 0) {
DB::insert(
prefix_table("nested_tree"),
array(
'parent_id' => '0',
'title' => "teampass-connect"
)
);
$tpc_folder_id = DB::insertId();

//Add complexity
DB::insert(
prefix_table("misc"),
array(
'type' => 'complex',
'intitule' => $tpc_folder_id,
'valeur' => '0'
)
);

// rebuild tree
$tree = new Tree\NestedTree\NestedTree(prefix_table("nested_tree"), 'id', 'parent_id', 'title');
$tree->rebuild();
} else {
$tpc_folder_id = $folder['id'];
}

// encrypt password
$encrypt = cryption($GLOBALS['request'][2], SALT, "", "encrypt");

// add new item
DB::insert(
prefix_table("items"),
array(
'label' => "Credentials for ".urldecode($GLOBALS['request'][3].'%'),
'description' => "Imported with Teampass-Connect",
'pw' => $encrypt['string'],
'pw_iv' => $encrypt['iv'],
'email' => "",
'url' => urldecode($GLOBALS['request'][3].'%'),
'id_tree' => $tpc_folder_id,
'login' => $GLOBALS['request'][1],
'inactif' => '0',
'restricted_to' => $user['id'],
'perso' => '0',
'anyone_can_modify' => '0',
'complexity_level' => '0'
)
);
$newID = DB::insertId();

// log
logItems(
$newID,
"Credentials for ".urldecode($GLOBALS['request'][3].'%'),
$user['id'],
'at_creation',
$GLOBALS['request'][1]
);

$json['status'] = "ok";
// prepare answer. If no access then inform
if (empty($json)) {
rest_error ('AUTH_NO_DATA');
} else {
echo json_encode($json);
}
} else {
rest_error ('NO_PF_EXIST_FOR_USER');
}
} else {
rest_error ('AUTH_NOT_GRANTED');
}
} else {
rest_error ('SET_NO_DATA');
}
} else {
rest_error ('AUTH_NO_IDENTIFIER');
}
} else {
rest_error ('METHOD');
}
Expand All @@ -750,6 +871,7 @@ function rest_put() {
if(apikey_checker($GLOBALS['apikey'])) {
global $server, $user, $pass, $database, $pre, $link;
teampass_connect();

}
}

Expand Down Expand Up @@ -830,6 +952,12 @@ function rest_error ($type,$detail = 'N/A') {
case 'ITEMMISSINGDATA':
$message = Array('err' => 'Label or Password or Folder ID is missing');
break;
case 'SET_NO_DATA':
$message = Array('err' => 'No data to be stored');
break;
case 'NO_PF_EXIST_FOR_USER':
$message = Array('err' => 'No Personal Folder exists for this user');
break;
default:
$message = Array('err' => 'Something happen ... but what ?');
header('HTTP/1.1 500 Internal Server Error');
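Review bot: The new `set` branch's failed-verification path (`rest_error ('AUTH_NOT_GRANTED')` after the `verifyPasswordHash` check in the @@ -732 hunk) records nothing, although this same commit adds failed-login logging to identifyUser in sources/identify.php; add `logEvents('user_connection', 'user_password_not_correct', 'api - '.$GLOBALS['apikey'], $GLOBALS['request'][4]);` before that rest_error call so credential failures against the API appear in the same audit log as interactive ones. The `$user = DB::queryFirstRow(...)` lookup is also used without checking that a row came back, so an unknown login reaches `$user['pw']` in the verification line; test for an empty `$user` first and treat it as the same AUTH_NOT_GRANTED case (the pre-existing `auth` branch in the hunk above has the same shape and would benefit from the same log line). The header comment's example URL (`.../api/index.php/auth/myLogin/myPassword/USER1/test/76?...`) does not match the documented `set/<login_to_save>/<password_to_save>/<url>/<user_login>/<user_password>` format and should be rewritten to match it. `urldecode($GLOBALS['request'][3].'%')` keeps the appended `%` as a literal trailing character in the stored label and url, since urldecode leaves a malformed escape untouched — presumably `urldecode($GLOBALS['request'][3])` was intended. rest_get starts and ends outside these hunks.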
4 changes: 2 additions & 2 deletions api/index.php
Expand Up @@ -19,8 +19,8 @@
header('Content-Type: application/json');

if (teampass_api_enabled() != "1") {
echo '{"err":"API access not allowed."}';
exit;
echo '{"err":"API access not allowed."}';
exit;
}

teampass_whitelist();
21 changes: 10 additions & 11 deletions profile.php
Expand Up @@ -88,8 +88,10 @@
<ul class="menu" style="">
<li class="menu_150" style="padding:4px; text-align:left;"><i class="fa fa-bars fa-fw"></i>&nbsp;'.$LANG['admin_actions_title'].'
<ul class="menu_250" style="text-align:left;">
<li id="but_pickfiles_photo"><i class="fa fa-camera fa-fw"></i> &nbsp;'.$LANG['upload_new_avatar'].'</li>
<li id="but_change_password"><i class="fa fa-key fa-fw"></i> &nbsp;'.$LANG['index_change_pw'].'</li>
<li id="but_pickfiles_photo"><i class="fa fa-camera fa-fw"></i> &nbsp;'.$LANG['upload_new_avatar'].'</li>';
if (!isset($_SESSION['settings']['duo']) || $_SESSION['settings']['duo'] == 0) echo '
<li id="but_change_password"><i class="fa fa-key fa-fw"></i> &nbsp;'.$LANG['index_change_pw'].'</li>';
echo '
<li id="but_change_psk"><i class="fa fa-lock fa-fw"></i> &nbsp;'.$LANG['menu_title_new_personal_saltkey'].'</li>
<li id="but_reset_psk"><i class="fa fa-eraser fa-fw"></i> &nbsp;'.$LANG['personal_saltkey_lost'].'</li>
</ul>
Expand All @@ -100,8 +102,11 @@
<div style="text-align:center;margin:5px;padding:3px;display:none;" id="profile_info_box" class="ui-widget ui-state-highlight ui-corner-all"></div>
<div style="height:20px;text-align:center;margin:2px;" id="change_pwd_error" class=""></div>
<div id="upload_container_photo" style="display:none;"></div>
<div id="filelist_photo" style="display:none;"></div>
<div id="filelist_photo" style="display:none;"></div>';

// if DUOSecurity enabled then changing PWD is not allowed
if (!isset($_SESSION['settings']['duo']) || $_SESSION['settings']['duo'] == 0)
echo '
<div id="div_change_password" style="display:none;">
<div style="text-align:center;margin:5px;padding:3px;" id="change_pwd_complexPw" class="ui-widget ui-state-active ui-corner-all"></div>
<label for="new_pw" class="form_label">'.$LANG['index_new_pw'].' :</label>
Expand All @@ -110,15 +115,9 @@
<label for="new_pw2" class="form_label">'.$LANG['index_change_pw_confirmation'].' :</label>
<input type="password" size="15" name="new_pw2" id="new_pw2" />
<div id="pw_strength" style="margin:10px 0 10px 120px;text-align:center;"></div>
<input type="hidden" id="pw_strength_value" />';

// if DUOSecurity enabled then changing PWD is not allowed
if (!isset($_SESSION['settings']['duo']) || $_SESSION['settings']['duo'] == 0)
echo '
<input type="hidden" id="pw_strength_value" />
<span class="button" id="button_change_pw">'.$LANG['index_change_pw_button'].'</span>&nbsp;
<span id="password_change_wait" style="display:none;"><i class="fa fa-cog fa-spin"></i>&nbsp;'.$LANG['please_wait'].'</span>';

echo '
<span id="password_change_wait" style="display:none;"><i class="fa fa-cog fa-spin"></i>&nbsp;'.$LANG['please_wait'].'</span>
</div>';

//change the saltkey dialogbox
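Review bot: Hiding the `but_change_password` menu entry and the `div_change_password` form when `$_SESSION['settings']['duo']` is set is a presentation-only measure; the request handler that actually changes the password is not among the files in this commit, so confirm it applies the same duo check server-side, otherwise the form can still be submitted without the UI. The two brace-less `if (...) echo '` guards spliced into the middle of a multi-line echo are easy to misread and are already written twice; wrapping each in `{ ... }` and computing the condition once, e.g. `$duoEnabled = isset($_SESSION['settings']['duo']) && $_SESSION['settings']['duo'] != 0;`, keeps both checks in sync if the setting's representation changes.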
30 changes: 15 additions & 15 deletions sources/datatable/datatable.users.php
Expand Up @@ -76,15 +76,15 @@
.mysqli_escape_string($link, $_GET['order'][0]['column']) .", ";
}
/*
for ($i=0; $i<intval($_GET['order[0][column]']); $i++) {
if (
$_GET[ 'bSortable_'.filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT)] == "true" &&
preg_match("#^(asc|desc)\$#i", $_GET['sSortDir_'.$i])
) {
$sOrder .= "".$aColumns[ filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT) ]." "
.mysqli_escape_string($link, $_GET['sSortDir_'.$i]) .", ";
}
}
for ($i=0; $i<intval($_GET['order[0][column]']); $i++) {
if (
$_GET[ 'bSortable_'.filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT)] == "true" &&
preg_match("#^(asc|desc)\$#i", $_GET['sSortDir_'.$i])
) {
$sOrder .= "".$aColumns[ filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT) ]." "
.mysqli_escape_string($link, $_GET['sSortDir_'.$i]) .", ";
}
}
*/

$sOrder = substr_replace($sOrder, "", -2);
Expand Down Expand Up @@ -115,9 +115,9 @@

// enlarge the query in case of Manager
if (!$_SESSION['is_admin']) {
if (empty($sWhere)) $sWhere = " WHERE ";
else $sWhere .= " AND ";
$sWhere .= "isAdministratedByRole IN (".implode(",", $_SESSION['user_roles']).")";
if (empty($sWhere)) $sWhere = " WHERE ";
else $sWhere .= " AND ";
$sWhere .= "isAdministratedByRole IN (".implode(",", $_SESSION['user_roles']).")";
}

DB::query("SELECT * FROM ".$pre."users");
Expand All @@ -138,7 +138,7 @@
if (DB::count() > 0) {
$sOutput = '[';
} else {
$sOutput = '';
$sOutput = '';
}

foreach ($rows as $record) {
Expand Down Expand Up @@ -288,8 +288,8 @@

//Finish the line
$sOutput .= '],';
$iFilteredTotal ++;
$iFilteredTotal ++;
}
}

6 changes: 3 additions & 3 deletions sources/folders.queries.php
Expand Up @@ -386,9 +386,9 @@

// add new folder id in SESSION
array_push($_SESSION['groupes_visibles'], $newId);
if ($isPersonal == 1) {
array_push($_SESSION['personal_folders'], $newId);
}
if ($isPersonal == 1) {
array_push($_SESSION['personal_folders'], $newId);
}

// rebuild tree
$tree = new Tree\NestedTree\NestedTree(prefix_table("nested_tree"), 'id', 'parent_id', 'title');
4 changes: 2 additions & 2 deletions sources/identify.php
Expand Up @@ -398,7 +398,7 @@ function identifyUser($sentData)
);
$counter = DB::count();
if ($counter == 0) {
logEvents('user_not_exists', 'connection', "", stripslashes($username));
logEvents('user_connection', 'user_not_exists', "", stripslashes($username));
echo '[{"value" : "user_not_exists", "text":""}]';
exit;
}
Expand Down Expand Up @@ -474,7 +474,7 @@ function identifyUser($sentData)
$userPasswordVerified = true;
} else {
$userPasswordVerified = false;
logEvents('user_password_not_correct', 'connection', "", stripslashes($username));
logEvents('user_connection', 'user_password_not_correct', "", stripslashes($username));
}

if ($debugDuo == 1) {
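Review bot: Both new logEvents calls write the caller-supplied login (`stripslashes($username)`) straight into the event record, and logEvents itself is not visible here; confirm that it uses a parameterized insert and that whatever renders the log escapes the field, otherwise the failed-login entries this commit introduces become a channel for unescaped content to reach the audit trail. The `user_password_not_correct` call passes `""` as the third argument even though it runs after the account lookup succeeded, so if the user's id is available at that point it should be passed there, matching `logEvents('user_mngt', 'at_user_added', 'api - '.$GLOBALS['apikey'], $new_user_id)` in api/functions.php from the same commit. identifyUser starts before and continues after both hunks.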