feature: ability to change custom password fields #751
Conversation
|
It would also be great to share what you think! In config.inc.local.php, the configuration could look like this: |
|
i think it is ready for testing, it would be great if someone could have a short look on my code and say if my code meets the expectations of this project. Thanks in advance! |
Default configuration for apppwds is the one set for the main password.
|
question: I have set the default configuration with for-loops in config.inc.php. Or should I move it to changeapppwd.php? Is there a reason why |
|
Hello @markus-96,
you should not put too much logic in config.inc.php, only configuration parameters.
This attributes are present in config.inc.php, the first is commented, but not the second |
Is one for loop ok for setting the defaults for each app password?
Oh, seams like I have overseen this.. Then I am curious why And what is it about the logic in line 229, where |
I think so.
It was a new attribute, so to avoid warnings if the attribute was not defined in previous config version, we set a default value in index.php. Maybe we should indeed initialize all parameters in config.inc.php, but this is out of scope of the current PR.
There is indeed no need for the test line 229, the code can be improved. |
markus-96
changed the title
|
Do I need to add translations to every single lang file? Or is it ok to add the english translation everywhere? |
Yes, just put english everywhere |
htdocs/index.php
Outdated
| @@ -18,6 +18,12 @@ | |||
| require_once("../lib/functions.inc.php"); | |||
| if ($use_captcha) { | |||
| require_once("../lib/captcha.inc.php"); | |||
| } else if ($change_apppwd != false) { | |||
| for ($i = 0; $i < count($change_apppwd); $i++) { | |||
| if (isset($change_apppwd['use_captcha']) && $change_apppwd['use_captcha']) { | |||
There was a problem hiding this comment.
of course it has to be
if (isset($change_apppwd[i]['use_captcha']) && $change_apppwd[i]['use_captcha']) {
will fix today...
|
Hi, I have marked this as ready for review more than one month ago. Will there be any update soon? As a background: This was my first real contact with PHP and this is also my first PR to an open source project. I am ready for any criticism since I want to get better. I am excited about what the community thinks about this PR and may also be a bit impatient, sorry for that.. |
|
Hello @markus-96 sorry for the delay, I don't have too much time, but the PR is targeted for the next version (1.6), no release date for the moment... |
make it clear that the requested application is not configured
|
Are the tests in the tests folder actually used? I am asking because it seems to me like they are incompatible since about 2017 with newer versions of phpunit greater than 5. I cant run tests with phpunit, version greater than 5, without changing that the test-classes do extend With phpunit version 5.7.25, I get the following: I am running php v8.0.25 right now.. |
They should but CI has been disabled since travis changed its community approach. |
|
@markus-96 Is it ready for review or do you plan to commit other modifications? |
some functions are not compatible with php7 (type declaration) , will change that. But that is the only thing that comes to my mind right now, will wait for your review! |
I have tried a bit with github workflows in this branch: https://github.com/markus-96/self-service-password/tree/phpunit-workflow |
Thanks, I'll try to work on it next month, the goal is to include your contribution in next release. |
Thanks, I'll have a look. |
There was a problem hiding this comment.
First, thanks for your contribution.
In my opinion, I think this feature is really not common. Anyway, it can be interesting to add it if we make it more generic. (See my comments in the code)
There is still work to do as you should refactor your code on top of "master" branch and not 1.5, and adapt to the evolution that appeared in the meantime.
Thanks for your work.
conf/config.inc.php
Outdated
| @@ -399,11 +399,56 @@ | |||
| # Smarty debug mode - will popup debug information on web interface | |||
| $smarty_debug = false; | |||
|
|
|||
| ## App Passwords | |||
| # Change App Passwords | |||
| $change_apppwd = false; | |||
There was a problem hiding this comment.
the false type here is not compatible with parsing the array.
You should set a default value equal to empty array
$change_apppwd = [];
There was a problem hiding this comment.
is adopted, default is an empty array. The check if this feature is enabled is now if (!empty($change_apppwd))
conf/config.inc.php
Outdated
| if (!isset($change_apppwd[$i]['shadow_options']['shadow_expire_days'])) { $change_apppwd[$i]['shadow_options']['shadow_expire_days'] = -1; } | ||
| } | ||
| unset($i); | ||
| } |
There was a problem hiding this comment.
You should not set these configuration parameters in config.inc.php, but rather in the code.
There was a problem hiding this comment.
I asked here: #751 (comment)
and got the answer one for-loop is ok, but of course, I can move it. But setting the label will have to be done on every request, so this has to be in index.php then.
There was a problem hiding this comment.
My answer was indeed to remove code from config, so it should be in your apppwd page code
There was a problem hiding this comment.
Is one for loop ok for setting the defaults for each app password?
I think so.
Misunderstood that, is moved now to apppwd.php, except for ['label'] and ['msg_changehelpextramessage'], this is moved to index.php.
docs/config_apppwd.rst
Outdated
| Background | ||
| ---------- | ||
|
|
||
| This Feature enables you to configure individiual Application Passwords that are |
There was a problem hiding this comment.
Some semantics here: why is this feature tagged as "application password".
If I understand the feature correctly, the goal is just to fill a custom password field.
I think we should make this feature more generic.
For example:
$change_apppwd = array(
array(
'attribute' => "customPasswordField",
'hash' => "MD5",
'label' => "Custom password"
)
)
There was a problem hiding this comment.
The feature should be this generic, as far as I can tell. If you are in need for a custom password field, the password is needed for some application, for example WLAN. You want to store the hash in the field "wlanPassword", with an NTLM hash. On the website, you want the menu to include a button "Change password for WLAN".
This results in:
$change_apppwd = array(
array(
'attribute' => "wlanPassword",
'hash' => "NTLM",
'label' => "WLAN"
)
)My PR does not provide an application called password. It is meant for changing passwords of certain applications.
There was a problem hiding this comment.
Actually, your PR allows to change a custom LDAP field of any object.
In your use case, you name the object an "application", but it could be any other object, including a user, an organization,...
Whether this field (which turns to be a password) is used by 0, 1, or more applications, SSP or LDAP should not be aware of. (moreover it can change with time)
There was a problem hiding this comment.
The object is defined by the login name, so it is bound to a user object.
The field can be any attribute, as long as the user object may include the attribute.
Of course, you can use it for changing any other attribute as well, especially when using 'hash' => 'clear'. But this is out of scope for this PR, as I said:
You can use it also for updating user information, but I do not think this would be very user friendly.
The main focus was on the case of needing hashes that are known to be insecure. It is rather odd that you are in need for them for two different use cases, but of course this can happen. But this can be clarified to the user with the label key.
If it is in general that you do not like the term "application" used in the documentation and in the coding, please tell me, I do not know what else I should call it... Maybe Custom Password Field? But how should the web form clarify for what?
These are my thinkings right now, maybe I come to a better solution.
There was a problem hiding this comment.
replaced apppwd with custompwdfield, in code and documentation.
These were some groundbreaking changes, please give me some time testing everything if everything is still working as expected.
docs/config_apppwd.rst
Outdated
| .. tip:: If you do not set an Arraykey in this configuration, the settings for the | ||
| main password will be applied! | ||
|
|
||
| For more information, follow the steps mentioned below. |
There was a problem hiding this comment.
please fix the README with more generic terms. (see comment above)
htdocs/changeapppwd.php
Outdated
| @@ -0,0 +1,225 @@ | |||
| <?php | |||
There was a problem hiding this comment.
Please refactor your PR on top of the master branch.
This requires some work.
Take care that there have been evolutions since then:
- externalize ldap function to
\Ltb\Ldaplibrary. see changes inchange.phpfile - adding translations to lang/ files
- adding some features (ppolicy criteria)
Also, there are a lot of code duplication here. Maybe we could factorize more things, but currently I don't know how.
There was a problem hiding this comment.
thanks, I know. My fork somehow has to get the code of master. It has been a long time since I was looking on this PR.
There was a problem hiding this comment.
created a local branch from ltb-project:master and merged it locally to markus-96:1.5, then resolved the conflicts.
I have to delete my fork so that I can fork from master directly, hopefully this PR is closed as soon as possible.
There was a problem hiding this comment.
* adding some features (ppolicy criteria)
For entropy checks:
This can not be done between "app"-passwords and the user-password, because on the app-password side you need to know the old password, which you do not. So: While changing the "app"-password, you can check the entropy between "app"-password and user-password, but if you change the user-password, you can not check the entropy to the already set "app"-password. So this check is useless in this aspect.
I will try to adopt the added .js-functionality
There was a problem hiding this comment.
should be resolved now
There was a problem hiding this comment.
Hello,
Thanks for the taking into consideration my remarks. Globally, it is much better.
Your branch 1.5 and origin/master are in conflict, and furthermore you rebase in the wrong direction. This makes the rebase very complicated, so I preferred to do a global patch from your branch, and apply it to the master branch.
See this issue for referencing the feature: #864
And this new MR for continuing the work: #865
There was a problem hiding this comment.
Hello,
Thanks for creating the new branch. But I have some problem:
I can not push to change-custom-password-fields, how should I continue working on this? Should I create a new fork and create PRs for every commit to change-custom-password-fields?
There was a problem hiding this comment.
Hello,
Thanks for creating the new branch. But I have some problem:
I can not push to change-custom-password-fields, how should I continue working on this? Should I create a new fork and create PRs for every commit to change-custom-password-fields?
You could clone again or synchronize your personal repository, work on your local change-custom-password-fields branch, and propose a PR to self-service-password change-custom-password-fields branch
| $change_apppwd_labels[$i] = array(); | ||
| $change_apppwd_labels[$i]['label'] = $change_apppwd[$i]['label']; | ||
| $change_apppwd_labels[$i]['msg_changehelpextramessage'] = $change_apppwd[$i]['msg_changehelpextramessage']; | ||
| } |
There was a problem hiding this comment.
The password-app button is not displayed like the others, and seems ugly. (see capture)
There was a problem hiding this comment.
Is this with the new version of bootstrap? It is not included in my PR yet, it was working with bootstrap v3.4.1, this seams to be bootstrap 5.3.1. Am I right?
Here, it looks like the following:
There was a problem hiding this comment.
should be resolved now
| * @param array $hash_options additional options to be used by the hashing algorithm | ||
| * @return string | ||
| */ | ||
| function make_password($password, $hash, $hash_options): string { |
There was a problem hiding this comment.
Typically, I think that these functions should go into https://github.com/ltb-project/ltb-ldap
@coudot what is your opinion on this?
There was a problem hiding this comment.
| } | ||
| } | ||
| } | ||
| $hash = get_hash_type($ldap, $dn, $pwd_attribute); |
There was a problem hiding this comment.
Same comment as above: I think these functions should go into https://github.com/ltb-project/ltb-ldap
There was a problem hiding this comment.
as above: see ltb-project/ltb-common#7
| ><i class="fa fa-fw fa-terminal"></i> {$msg_menuapppwd|cat:$app.label} </a> | ||
| </li> | ||
| {/foreach} | ||
| {/if} |
There was a problem hiding this comment.
Same comment as above: the password-app button is not displayed like the others, and seems ugly. (see capture)
There was a problem hiding this comment.
Same as above, I did not yet adopt it to bootstrap 5.3.1
There was a problem hiding this comment.
should be resolved now
This reverts commit 109b926.
in the form, I had to use the same ids as in change.tpl for the ppolicy js to work. Also, I have to reuse the policy config variables.
markus-96
changed the title
|
I have reworked this PR in #865 See this PR for next discussions and comments. |
I think I have written everything needed for this feature. Only the messages shown on the page have to be changed, and also the translations. I will try my best here. I will remove [in progress] when everything is finished and after some additional testing.
You will be able to:
You can use it also for updating user information, but I do not think this would be very user friendly.
Also, take care about the discussion regarding this feature: #745