From f8666adf0f0fc51d13072c8954d044ae99bcc148 Mon Sep 17 00:00:00 2001 From: marcos Date: Wed, 30 Sep 2020 14:20:57 +0200 Subject: [PATCH 01/11] F2 feature --- pandora_console/godmode/setup/setup_auth.php | 31 ++++++++++++++++++++ pandora_console/include/functions_config.php | 4 +++ 2 files changed, 35 insertions(+) diff --git a/pandora_console/godmode/setup/setup_auth.php b/pandora_console/godmode/setup/setup_auth.php index db436224c3..9ba6c00c4f 100644 --- a/pandora_console/godmode/setup/setup_auth.php +++ b/pandora_console/godmode/setup/setup_auth.php @@ -221,6 +221,20 @@ if (is_ajax()) { ); $table->data['double_auth_enabled'] = $row; + // Enable 2FA for all users. + // Set default value. + set_unless_defined($config['2FA_all_users'], false); + $row = []; + $row['name'] = __('Force 2FA for all users is enabled'); + $row['control'] .= html_print_checkbox_switch( + ' + ', + 1, + $config['2FA_all_users'], + true + ); + $table->data['2FA_all_users'] = $row; + // Session timeout. // Default session timeout. set_when_empty($config['session_timeout'], 90); @@ -313,6 +327,23 @@ echo ''; ?> + '; +} + $newsletter = null; ?> diff --git a/pandora_console/godmode/setup/setup_auth.php b/pandora_console/godmode/setup/setup_auth.php index acd4e99833..273fa17de5 100644 --- a/pandora_console/godmode/setup/setup_auth.php +++ b/pandora_console/godmode/setup/setup_auth.php 
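Review bot: `$row['control'] .= html_print_checkbox_switch(` in the setup_auth.php hunk at -221 appends to a key that does not exist yet, because `$row = [];` is assigned two lines above it. That raises an undefined-index notice on every render of the authentication setup page. Plain assignment, `$row['control'] = html_print_checkbox_switch(`, is what the surrounding pattern calls for.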
@@ -329,12 +329,20 @@ echo ''; $( document ).ready(function() { //For change autocreate remote users + console.log($('input[type=checkbox][id=checkbox-double_auth_enabled]:checked').val()); + if ($('input[type=checkbox][name=double_auth_enabled]:checked').val() == 1) { + $('#table1-2FA_all_users').show(); + } + else { + $('#table1-2FA_all_users').hide(); + } $('input[type=checkbox][name=double_auth_enabled]').change(function () { if ($('input[type=checkbox][name=double_auth_enabled]:checked').val() == 1) { $('#table1-2FA_all_users').show(); } else { $('#table1-2FA_all_users').hide(); + $('input[type=checkbox][name=2FA_all_users][value=0]').prop('checked', false); } }).change(); }); diff --git a/pandora_console/godmode/users/configure_user.php b/pandora_console/godmode/users/configure_user.php index b98d35e003..daac4addeb 100644 --- a/pandora_console/godmode/users/configure_user.php +++ b/pandora_console/godmode/users/configure_user.php @@ -1128,6 +1128,28 @@ if ($config['ehorus_user_level_conf']) { $ehorus .= ''; } +$double_auth_enabled = (bool) db_get_value('id', 'tuser_double_auth', 'id_user', $id); + +if ($config['double_auth_enabled'] && check_acl($config['id_user'], 0, 'PM')) { + $double_authentication = '

'.__('Double authentication').'

'; + if (($config['2FA_all_users'] == '' && !$double_auth_enabled) + || ($config['double_auth_enabled'] == '' && $double_auth_enabled) + || check_acl($config['id_user'], 0, 'PM') + ) { + $double_authentication .= html_print_checkbox_switch('double_auth', 1, $double_auth_enabled, true); + } + + // Dialog. + $double_authentication .= ''; +} + +if ($double_auth_enabled && $config['double_auth_enabled'] && $config['2FA_all_users'] != '') { + $double_authentication .= html_print_button(__('Show information'), 'show_info', false, 'javascript:show_double_auth_info();', '', true); +} + +if (isset($double_authentication)) { + $double_authentication .= '
'; +} if ($meta) { enterprise_include_once('include/functions_metaconsole.php'); @@ -1179,7 +1201,7 @@ echo '

Extra info

'.$email.$phone.$not_login.$session_time.'
-
'.$language.$access_or_pagination.$skin.$home_screen.$default_event_filter.$newsletter.'
+
'.$language.$access_or_pagination.$skin.$home_screen.$default_event_filter.$newsletter.$double_authentication.'
'.$timezone; if (!is_metaconsole()) { @@ -1278,6 +1300,15 @@ if (!is_metaconsole()) { var json_profile = $('#hidden-json_profile'); /* '; + + var $loadingSpinner = $("/images/spinner.gif\" />"); + var $dialogContainer = $("div#dialog-double_auth-container"); + + $dialogContainer.html($loadingSpinner); +console.log(userID); + // Load the info page + var request = $.ajax({ + url: "", + type: 'POST', + dataType: 'html', + data: { + page: 'include/ajax/double_auth.ajax', + id_user: userID, + get_double_auth_data_page: 1, + FA_forced: 1, + containerID: $dialogContainer.prop('id') + }, + complete: function(xhr, textStatus) { + + }, + success: function(data, textStatus, xhr) { + // isNaN = is not a number + if (isNaN(data)) { + $dialogContainer.html(data); + } + // data is a number, convert it to integer to do the compare + else if (Number(data) === -1) { + $dialogContainer.html("
'.__('Authentication error').'
'; ?>"); + } + else { + $dialogContainer.html("
'.__('Error').'
'; ?>"); + } + }, + error: function(xhr, textStatus, errorThrown) { + $dialogContainer.html("
'.__('There was an error loading the data').'
'; ?>"); + } + }); + + $("div#dialog-double_auth") + .css('display','block') + .append($dialogContainer) + .dialog({ + resizable: true, + draggable: true, + modal: true, + title: "", + overlay: { + opacity: 0.5, + background: "black" + }, + width: 400, + height: 375, + close: function(event, ui) { + // Abort the ajax request + if (typeof request != 'undefined') + request.abort(); + // Remove the contained html + $dialogContainer.empty(); + } + }) + .show(); + +} + +function show_double_auth_activation () { + var userID = ''; + + var $loadingSpinner = $("/images/spinner.gif\" />"); + var $dialogContainer = $("div#dialog-double_auth-container"); + + $dialogContainer.html($loadingSpinner); + + // Load the info page + var request = $.ajax({ + url: "", + type: 'POST', + dataType: 'html', + data: { + page: 'include/ajax/double_auth.ajax', + id_user: userID, + FA_forced: 1, + get_double_auth_info_page: 1, + containerID: $dialogContainer.prop('id') + }, + complete: function(xhr, textStatus) { + + }, + success: function(data, textStatus, xhr) { + // isNaN = is not a number + if (isNaN(data)) { + $dialogContainer.html(data); + } + // data is a number, convert it to integer to do the compare + else if (Number(data) === -1) { + $dialogContainer.html("
'.__('Authentication error').'
'; ?>"); + } + else { + $dialogContainer.html("
'.__('Error').'
'; ?>"); + } + }, + error: function(xhr, textStatus, errorThrown) { + $dialogContainer.html("
'.__('There was an error loading the data').'
'; ?>"); + } + }); + + $("div#dialog-double_auth").dialog({ + resizable: true, + draggable: true, + modal: true, + title: "", + overlay: { + opacity: 0.5, + background: "black" + }, + width: 500, + height: 400, + close: function(event, ui) { + // Abort the ajax request + if (typeof request != 'undefined') + request.abort(); + // Remove the contained html + $dialogContainer.empty(); + + document.location.reload(); + } + }) + .show(); +} + +function show_double_auth_deactivation () { + var userID = ''; + console.log(userID); + var $loadingSpinner = $("/images/spinner.gif\" />"); + var $dialogContainer = $("div#dialog-double_auth-container"); + + var message = "

'.__('The double authentication will be deactivated'); ?>

"; + var $button = $("\" />"); + + $dialogContainer + .empty() + .append(message) + .append($button); + + var request; + + $button.click(function(e) { + e.preventDefault(); + + $dialogContainer.html($loadingSpinner); + + // Deactivate the double auth + request = $.ajax({ + url: "", + type: 'POST', + dataType: 'json', + data: { + page: 'include/ajax/double_auth.ajax', + id_user: userID, + FA_forced: 1, + deactivate_double_auth: 1 + }, + complete: function(xhr, textStatus) { + + }, + success: function(data, textStatus, xhr) { + console.log(data); + if (data === -1) { + $dialogContainer.html("
'.__('Authentication error').'
'; ?>"); + } + else if (data) { + $dialogContainer.html("
'.__('The double autentication was deactivated successfully').'
'; ?>"); + } + else { + $dialogContainer.html("
'.__('There was an error deactivating the double autentication').'
'; ?>"); + } + }, + error: function(xhr, textStatus, errorThrown) { + $dialogContainer.html("
'.__('There was an error deactivating the double autentication').'
'; ?>"); + } + }); + }); + + + $("div#dialog-double_auth").dialog({ + resizable: true, + draggable: true, + modal: true, + title: "", + overlay: { + opacity: 0.5, + background: "black" + }, + width: 300, + height: 150, + close: function(event, ui) { + // Abort the ajax request + if (typeof request != 'undefined') + request.abort(); + // Remove the contained html + $dialogContainer.empty(); + + document.location.reload(); + } + }) + .show(); +} + + /* ]]> */ diff --git a/pandora_console/include/ajax/double_auth.ajax.php b/pandora_console/include/ajax/double_auth.ajax.php index 7633a28979..2f2970ee23 100644 --- a/pandora_console/include/ajax/double_auth.ajax.php +++ b/pandora_console/include/ajax/double_auth.ajax.php @@ -17,7 +17,9 @@ check_login(); // Security check $id_user = (string) get_parameter('id_user'); -if ($id_user !== $config['id_user']) { +$FA_forced = (int) get_parameter('FA_forced'); + +if ($id_user !== $config['id_user'] && $FA_forced != 1) { db_pandora_audit( 'ACL Violation', 'Trying to access Double Authentication' diff --git a/pandora_console/include/functions_config.php b/pandora_console/include/functions_config.php index f4c48ec0bb..d65720b44f 100644 --- a/pandora_console/include/functions_config.php +++ b/pandora_console/include/functions_config.php @@ -1990,6 +1990,10 @@ function config_process_config() config_update_value('welcome_state', WELCOME_STARTED); } + if (!isset($config['2Fa_auth'])) { + config_update_value('2Fa_auth', ''); + } + /* * Parse the ACL IP list for access API */ diff --git a/pandora_console/index.php b/pandora_console/index.php index af8671ded7..289a91b3f1 100755 --- a/pandora_console/index.php +++ b/pandora_console/index.php 
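Review bot: `console.log(userID);` in `show_double_auth_info` and `show_double_auth_deactivation`, and `console.log(data);` in the deactivation `success` handler, are debug output left in the configure_user.php script hunk at -1278. They print the edited user's id and the raw endpoint response to the browser console and should be removed before merge. The three functions also differ only in the request flag and the dialog size, so one helper taking those two values would keep them from drifting apart.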
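Review bot: The new guard `if ($id_user !== $config['id_user'] && $FA_forced != 1)` in double_auth.ajax.php lets the caller switch off the ownership check, because `$FA_forced` comes straight from the request through `get_parameter('FA_forced')`. Any logged-in session that sends that flag passes the check with an `id_user` that is not its own, and the configure_user.php script in this series sends exactly that together with `deactivate_double_auth` and `get_double_auth_data_page`. The decision has to be made from server-side state, for example `if ($id_user !== $config['id_user'] && !check_acl($config['id_user'], 0, 'PM')) {`, with the `$FA_forced` parameter dropped. The handlers that act on `$id_user` are outside this hunk, so confirm that each of them is reached only after this check.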
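Review bot: The default added in the functions_config.php hunk at -1990 initialises `2Fa_auth`, but the key the rest of the series reads is `2FA_all_users`, which gets a default only inside setup_auth.php through `set_unless_defined`. On an install where the authentication setup page has never been saved, `$config['2FA_all_users'] != ''` in user_edit.php, configure_user.php and register.php would then read an undefined index. If that is the case, add `if (!isset($config['2FA_all_users'])) { config_update_value('2FA_all_users', ''); }` next to this block. A short comment saying what `2Fa_auth` holds would also help, since the two names are easy to confuse.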
@@ -389,6 +389,7 @@ if (! isset($config['id_user'])) { } $login_button_saml = get_parameter('login_button_saml', false); + config_update_value('2Fa_auth', ''); if (isset($double_auth_success) && $double_auth_success) { // This values are true cause there are checked before complete // the 2nd auth step. @@ -709,6 +710,8 @@ if (! isset($config['id_user'])) { $redirect_url .= '&'.safe_url_extraclean($key).'='.safe_url_extraclean($value); } + $double_auth_enabled = (bool) db_get_value('id', 'tuser_double_auth', 'id_user', $config['id_user']); + header('Location: '.ui_get_full_url('index.php'.$redirect_url)); exit; // Always exit after sending location headers. diff --git a/pandora_console/operation/users/user_edit.php b/pandora_console/operation/users/user_edit.php index 1e04ad89e0..b55a0952e4 100644 --- a/pandora_console/operation/users/user_edit.php +++ b/pandora_console/operation/users/user_edit.php @@ -393,11 +393,13 @@ $timezone .= html_print_timezone_select('timezone', $user_info['timezone']).''; - if ($config['double_auth_enabled']) { - $double_authentication .= html_print_checkbox_switch('double_auth', 1, 1, true); - } else { + if (($config['2FA_all_users'] == '' && !$double_auth_enabled) + || ($config['2FA_all_users'] != '' && !$double_auth_enabled) + || ($config['double_auth_enabled'] == '' && $double_auth_enabled) + || check_acl($config['id_user'], 0, 'PM') + ) { $double_authentication .= html_print_checkbox_switch('double_auth', 1, $double_auth_enabled, true); } @@ -405,7 +407,7 @@ if ($config['double_auth_enabled']) { $double_authentication .= ''; } -if ($double_auth_enabled) { +if ($double_auth_enabled && $config['double_auth_enabled'] && $config['2FA_all_users'] != '') { $double_authentication .= html_print_button(__('Show information'), 'show_info', false, 'javascript:show_double_auth_info();', '', true); } 
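Review bot: `config_update_value('2Fa_auth', '');` in the index.php hunk at -389 sits inside `if (! isset($config['id_user']))`, so it runs for every request that arrives without a session. That turns each anonymous page load into a write of a console-wide setting. If `2Fa_auth` is meant to track the state of one login attempt, a single global key is also shared by all users logging in at the same time. Keeping that state in `$_SESSION`, or writing the config value only when it actually changes, would avoid both problems. What the key is used for is not visible in this hunk.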
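Review bot: The `$double_auth_enabled = (bool) db_get_value('id', 'tuser_double_auth', 'id_user', $config['id_user']);` added in the index.php hunk at -709 is never read in the visible lines, because `header('Location: ...)` and `exit;` follow it immediately. As written it costs one query per login redirect and has no effect. Either remove it, or, if the intent was to send users without an enrolled second factor to the enrolment step when `2FA_all_users` is set, make that decision here before the redirect.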
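Review bot: The new condition in the user_edit.php hunk at -393 only decides whether the switch is drawn, so "force 2FA for all users" is enforced in the page and not in the request that turns 2FA off. The `deactivate_double_auth` handler in double_auth.ajax.php should itself refuse when `$config['2FA_all_users']` is set and the caller lacks `PM`; that handler is outside this diff, so please confirm. The first two clauses also differ only in the `2FA_all_users` test and reduce to `!$double_auth_enabled`, so the whole expression can be written `if (!$double_auth_enabled || check_acl($config['id_user'], 0, 'PM'))`. The copy of this condition in configure_user.php at -1128 is always true, because its enclosing `if` already requires `check_acl(..., 'PM')`. The later `$double_authentication .=` there can run with the variable undefined when that enclosing `if` is skipped.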
@@ -883,17 +885,14 @@ $(document).ready (function () { $("#text-block_size").removeAttr('disabled'); } } - var fa_enable = $("input#checkbox-double_auth").change(function (e) { e.preventDefault(); - if(fa_enable != 1){ if (this.checked) { show_double_auth_activation(); } else { show_double_auth_deactivation(); } - } }); From 53362f64244aa0fb1e48a673a9bbdc46676b3354 Mon Sep 17 00:00:00 2001 From: marcos Date: Tue, 13 Oct 2020 15:04:33 +0200 Subject: [PATCH 04/11] update branch --- pandora_console/godmode/setup/setup_auth.php | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/pandora_console/godmode/setup/setup_auth.php b/pandora_console/godmode/setup/setup_auth.php index 273fa17de5..9b39734b57 100644 --- a/pandora_console/godmode/setup/setup_auth.php +++ b/pandora_console/godmode/setup/setup_auth.php @@ -329,13 +329,7 @@ echo ''; $( document ).ready(function() { //For change autocreate remote users - console.log($('input[type=checkbox][id=checkbox-double_auth_enabled]:checked').val()); - if ($('input[type=checkbox][name=double_auth_enabled]:checked').val() == 1) { - $('#table1-2FA_all_users').show(); - } - else { - $('#table1-2FA_all_users').hide(); - } + $('input[type=checkbox][name=double_auth_enabled]').change(function () { if ($('input[type=checkbox][name=double_auth_enabled]:checked').val() == 1) { $('#table1-2FA_all_users').show(); From 96387a874f1b81e0ff4474f7a52bb4aaba04a454 Mon Sep 17 00:00:00 2001 From: marcos Date: Wed, 18 Nov 2020 10:38:49 +0100 Subject: [PATCH 05/11] remove console log --- pandora_console/general/register.php | 1 - 1 file changed, 1 deletion(-) diff --git a/pandora_console/general/register.php b/pandora_console/general/register.php index 12196fab08..07b63421a5 100644 --- a/pandora_console/general/register.php +++ b/pandora_console/general/register.php @@ -193,7 +193,6 @@ if (!$double_auth_enabled && $config['2FA_all_users'] != '' ?>