2024-03-22 14:54:28 +11:00
package SrvMngr::Controller::Userpassword;
# heading : Current User
# description : Change password
# navigation : 1000 250
# menu : U
# routes : end
use strict;
use warnings;
use Mojo::Base 'Mojolicious::Controller';
use esmith::util;
use esmith::ConfigDB;
use esmith::AccountsDB;
use Locale::gettext;
use SrvMngr::I18N;
use SrvMngr qw( theme_list init_session is_normal_password );
our $cdb = esmith::ConfigDB->open_ro || die "Couldn't open configuration db";
sub main {
2025-01-14 12:49:31 +00:00
my $c = shift;
2024-03-22 14:54:28 +11:00
my %pwd_datas = ();
2025-01-14 12:49:31 +00:00
if ($c->is_logged_in) {
$pwd_datas{Account} = $c->session->{username};
$pwd_datas{trt} = 'NORM';
2024-03-22 14:54:28 +11:00
} else {
2025-01-14 12:49:31 +00:00
my $rt = $c->current_route;
my $mess = '';
my $jwt = $c->param('jwt') || '';
my $name = $c->jwt->decode($jwt)->{username} || '';
$mess = 'Invalid state' unless ($jwt and $name and $rt eq 'upwdreset');
2024-03-22 14:54:28 +11:00
# request already treated or outdated
2025-01-14 12:49:31 +00:00
if ($c->pwdrst->{$name}{confirmed} != 1 or $c->pwdrst->{$name}{date} < time()) {
$mess = $c->l('use_INVALID_REQUEST') . ' -step 1-';
2024-03-22 14:54:28 +11:00
2025-01-14 12:49:31 +00:00
if ($mess) {
$c->stash(error => $mess);
return $c->redirect_to($c->home_page);
2024-03-22 14:54:28 +11:00
2025-01-14 12:49:31 +00:00
# ok for reset password for this account - step 2
$c->pwdrst->{$name}{confirmed} = 2;
$pwd_datas{Account} = $name;
$pwd_datas{trt} = 'RESET';
$pwd_datas{jwt} = $jwt;
$c->flash(success => $c->l('use_OK_FOR_RESET'));
} ## end else [ if ($c->is_logged_in) ]
$c->stash(pwd_datas => \%pwd_datas);
} ## end sub main
2024-03-22 14:54:28 +11:00
sub change_password {
my $c = shift;
my $result;
my $res;
2025-01-14 12:49:31 +00:00
my %pwd_datas = ();
my $trt = $c->param('Trt');
my $acctName = $c->param('User');
my $oldPass = $c->param('Oldpass') || '';
my $pass = $c->param('Pass');
2024-03-22 14:54:28 +11:00
my $passVerify = $c->param('Passverify');
2025-01-14 12:49:31 +00:00
my $jwt = $c->param('jwt') || '';
my $rt = $c->current_route;
my $mess = '';
my $name = '';
2024-03-22 14:54:28 +11:00
$name = $c->jwt->decode($jwt)->{username} if $jwt;
2025-01-14 12:49:31 +00:00
if ($trt eq 'RESET') {
$mess = 'Invalid state' unless ($jwt and $name and ($rt eq 'upwdreset2'));
# request already treated or outdated
if ($c->pwdrst->{$name}{confirmed} != 2 or $c->pwdrst->{$name}{date} < time()) {
$mess = $c->l('use_INVALID_REQUEST') . ' -step 2-';
if (!$name or $c->is_logged_in or $name ne $acctName) {
$mess = 'Invalid reset state';
2024-03-22 14:54:28 +11:00
} else {
2025-01-14 12:49:31 +00:00
if ($name or $jwt or !$c->is_logged_in) {
$mess = 'Invalid update state';
} ## end else [ if ($trt eq 'RESET') ]
2024-03-22 14:54:28 +11:00
2025-01-14 12:49:31 +00:00
if ($mess) {
$c->stash(error => $mess);
return $c->redirect_to($c->home_page);
2024-03-22 14:54:28 +11:00
$pwd_datas{Account} = $acctName;
2025-01-14 12:49:31 +00:00
$pwd_datas{trt} = $trt;
2024-03-22 14:54:28 +11:00
# common controls
2025-01-14 12:49:31 +00:00
if ($acctName eq 'admin') {
2024-03-22 14:54:28 +11:00
$result .= "Admin password should not be reset here !";
} else {
2025-01-14 12:49:31 +00:00
unless ($pass && $passVerify) {
$result .= $c->l('pwd_FIELDS_REQUIRED') . "<br>";
2024-03-22 14:54:28 +11:00
} else {
2025-01-14 12:49:31 +00:00
$result .= $c->l('pwd_PASSWORD_INVALID_CHARS') . "<br>" unless (($pass) = ($pass =~ /^([ -~]+)$/));
$result .= $c->l('pwd_PASSWORD_VERIFY_ERROR') . "<br>" unless ($pass eq $passVerify);
2024-03-22 14:54:28 +11:00
2025-01-14 12:49:31 +00:00
} ## end else [ if ($acctName eq 'admin')]
2024-03-22 14:54:28 +11:00
2025-01-14 12:49:31 +00:00
if ($result ne '') {
$c->stash(error => $result, pwd_datas => \%pwd_datas);
return $c->render('userpassword');
2024-03-22 14:54:28 +11:00
# validate new password
2025-01-14 12:49:31 +00:00
$res = $c->check_password($pass);
$result .= $res . "<br>" unless ($res eq 'OK');
2024-03-22 14:54:28 +11:00
# controls old password
2025-01-14 12:49:31 +00:00
if ($trt ne 'RESET') {
unless ($oldPass) {
$result .= $c->l('pwd_FIELDS_REQUIRED') . "<br>" unless $trt eq 'RESET';
2024-03-22 14:54:28 +11:00
} else {
2025-01-14 12:49:31 +00:00
$result .= $c->l('pwd_PASSWORD_OLD_INVALID_CHARS') . "<br>" unless (($oldPass) = ($oldPass =~ /^(\S+)$/));
2024-03-22 14:54:28 +11:00
2025-01-14 12:49:31 +00:00
if ($result ne '') {
$c->stash(error => $result, pwd_datas => \%pwd_datas);
return $c->render('userpassword');
2024-03-22 14:54:28 +11:00
# verify old password
2025-01-14 12:49:31 +00:00
if ($trt ne 'RESET') {
$result .= $c->l('pwd_ERROR_PASSWORD_CHANGE') . "<br>"
unless (SrvMngr::Model::Main->check_credentials($acctName, $oldPass));
} ## end if ($trt ne 'RESET')
2024-03-22 14:54:28 +11:00
# $result .= 'Blocked for test (prevents updates)<br>';
2025-01-14 12:49:31 +00:00
if (!$result) {
my $res = $c->reset_password($trt, $acctName, $pass, $oldPass);
2024-03-22 14:54:28 +11:00
$result .= $res unless $res eq 'OK';
2025-01-14 12:49:31 +00:00
if ($result) {
record_password_change_attempt($c, 'FAILED');
$c->stash(error => $result, pwd_datas => \%pwd_datas);
return $c->render('userpassword');
} ## end if ($result)
2024-03-22 14:54:28 +11:00
$c->pwdrst->{$name}{confirmed} = 9 if $trt eq 'RESET';
record_password_change_attempt($c, 'SUCCESS');
$result .= $c->l('pwd_PASSWORD_CHANGE_SUCCESS');
2025-01-14 12:49:31 +00:00
$c->flash(success => $result);
} ## end sub change_password
2024-03-22 14:54:28 +11:00
sub reset_password {
my ($c, $trt, $user, $password, $oldpassword) = @_;
my $ret;
return $c->l('usr_TAINTED_USER') unless (($user) = ($user =~ /^(\w[\-\w_\.]*)$/));
$user = $1;
2025-01-14 12:49:31 +00:00
my $adb = esmith::AccountsDB->open();
2024-03-22 14:54:28 +11:00
my $acct = $adb->get($user);
2025-01-14 12:49:31 +00:00
return $c->l('NO_SUCH_USER', $user) unless ($acct->prop('type') eq 'user');
$ret = esmith::util::setUserPasswordRequirePrevious($user, $oldpassword, $password) if $trt ne 'RESET';
$ret = esmith::util::setUserPassword($user, $password) if $trt eq 'RESET';
return $c->l('pwd_ERROR_PASSWORD_CHANGE') . ' ' . $trt unless $ret;
2024-03-22 14:54:28 +11:00
$acct->set_prop("PasswordSet", "yes");
undef $adb;
if (system("/sbin/e-smith/signal-event", "password-modify", $user)) {
$adb = esmith::AccountsDB->open();
$adb = esmith::AccountsDB->open();
return 'OK';
2025-01-14 12:49:31 +00:00
} ## end sub reset_password
2024-03-22 14:54:28 +11:00
sub record_password_change_attempt {
2025-01-14 12:49:31 +00:00
my ($c, $result) = @_;
my $user = $c->param('User');
my $ip_address = $c->tx->remote_address;
2024-03-22 14:54:28 +11:00
2025-01-14 12:49:31 +00:00
if ($result eq 'SUCCESS') {
$c->app->log->info(join "\t", "Password change succeeded: $user", $ip_address);
} else {
$c->app->log->info(join "\t", "Password change FAILED: $user", $ip_address);
} ## end sub record_password_change_attempt
2024-03-22 14:54:28 +11:00
sub check_password {
2025-01-14 12:49:31 +00:00
my $c = shift;
my $password = shift;
my $strength;
my $rec = $cdb->get('passwordstrength');
$strength = ($rec ? ($rec->prop('Users') || 'none') : 'none');
return validate_password($c, $strength, $password);
} ## end sub check_password
2024-03-22 14:54:28 +11:00
sub validate_password {
my ($c, $strength, $pass) = @_;
use Crypt::Cracklib;
if ($strength eq "none") {
2025-01-14 12:49:31 +00:00
return $c->l("Passwords must be at least 7 characters long") unless (length($pass) > 6);
2024-03-22 14:54:28 +11:00
return "OK";
my $reason = is_normal_password($c, $pass, undef);
return $reason unless ($reason eq "OK");
return "OK" unless ($strength eq "strong");
2025-01-14 12:49:31 +00:00
if (-f '/usr/lib64/cracklib_dict.pwd') {
2024-03-22 14:54:28 +11:00
$reason = fascist_check($pass, '/usr/lib64/cracklib_dict');
} else {
$reason = fascist_check($pass, '/usr/lib/cracklib_dict');
$reason ||= "Software error: password check failed";
return "OK" if ($reason eq "ok");
2025-01-14 12:49:31 +00:00
$c->l("Bad Password Choice") . ": "
. $c->l("The password you have chosen is not a good choice, because") . " "
. $c->($reason) . ".";
} ## end sub validate_password
2024-03-22 14:54:28 +11:00