From 77d040df63e48e426eaa65137940abd47b01c5f1 Mon Sep 17 00:00:00 2001
From: vgilc
Date: Thu, 17 May 2012 11:08:11 +0000
Subject: [PATCH] 2012-05-17 Vanessa Gil * pandoradb.sql pandoradb.postgreSQL.sql pandoradb.oracle.sql pandoradb_data.sql pandoradb.data.oracle.sql pandoradb.data.postgreSQL.sql extras/pandoradb_migrate_4.0.x_to_4.1.mysql.sql extras/pandoradb_migrate_4.0.x_to_4.1.oracle.sql extras/pandoradb_migrate_4.0.x_to_4.1.postgreSQL.sql index.php godmode/users/configure_user.php include/functions_config.php include/javascript/jquery.pandora.js: Added password policy.
git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@6312 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
---
 pandora_console/ChangeLog | 16 ++++
 .../pandoradb_migrate_4.0.x_to_4.1.mysql.sql | 9 +++
 .../pandoradb_migrate_4.0.x_to_4.1.oracle.sql | 9 +++
 ...doradb_migrate_4.0.x_to_4.1.postgreSQL.sql | 8 ++
 .../godmode/users/configure_user.php | 5 ++
 pandora_console/include/functions_config.php | 12 +++
 .../include/javascript/jquery.pandora.js | 27 +++++++
 pandora_console/index.php | 81 ++++++++++++++++---
 pandora_console/pandoradb.data.oracle.sql | 8 ++
 pandora_console/pandoradb.data.postgreSQL.sql | 9 +++
 pandora_console/pandoradb.oracle.sql | 6 +-
 pandora_console/pandoradb.postgreSQL.sql | 6 +-
 pandora_console/pandoradb.sql | 4 +
 pandora_console/pandoradb_data.sql | 10 ++-
 14 files changed, 198 insertions(+), 12 deletions(-)
diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog
index f568504bc4..42bdabb8f6 100644
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@@ -1,3 +1,19 @@
+2012-05-17 Vanessa Gil
+
+ * pandoradb.sql
+ pandoradb.postgreSQL.sql
+ pandoradb.oracle.sql
+ pandoradb_data.sql
+ pandoradb.data.oracle.sql
+ pandoradb.data.postgreSQL.sql
+ extras/pandoradb_migrate_4.0.x_to_4.1.mysql.sql
+ extras/pandoradb_migrate_4.0.x_to_4.1.oracle.sql
+ extras/pandoradb_migrate_4.0.x_to_4.1.postgreSQL.sql
+ index.php
+ godmode/users/configure_user.php
+ include/functions_config.php
+ include/javascript/jquery.pandora.js: Added password policy.
+
 2012-05-17 Kikuchi Koichiro
 
 * extensions/update_manager/settings.php,
diff --git a/pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.mysql.sql b/pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.mysql.sql
index 4c4ba5cfa8..88c53f60e0 100644
--- a/pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.mysql.sql
+++ b/pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.mysql.sql
@@ -215,3 +215,12 @@ CREATE TABLE IF NOT EXISTS `ttimezone` (
 `timezone` varchar(60) NOT NULL,
 PRIMARY KEY (`id_tz`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- -----------------------------------------------------
+-- Table `tusuario`
+-- -----------------------------------------------------
+
+ALTER TABLE `tusuario` ADD COLUMN `force_change_pass` tinyint(1) DEFAULT 0;
+ALTER TABLE `tusuario` ADD COLUMN `last_pass_change` DATETIME NOT NULL DEFAULT 0;
+ALTER TABLE `tusuario` ADD COLUMN `last_failed_login` DATETIME NOT NULL DEFAULT 0;
+ALTER TABLE `tusuario` ADD COLUMN `failed_attempt` int(4) NOT NULL DEFAULT 0;
diff --git a/pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.oracle.sql b/pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.oracle.sql
index 7e9791ea42..c5ec580eed 100644
--- a/pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.oracle.sql
+++ b/pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.oracle.sql
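Review bot: The migration declares `force_change_pass` as `tinyint(1) DEFAULT 0`, nullable and signed, while pandoradb.sql in this same commit declares it `tinyint(1) unsigned NOT NULL default 0`, so upgraded and fresh installs end up with different column definitions; use `ALTER TABLE tusuario ADD COLUMN force_change_pass tinyint(1) unsigned NOT NULL DEFAULT 0;` here. The two `DATETIME NOT NULL DEFAULT 0` columns rely on zero-date support, which a server running in strict mode with NO_ZERO_DATE rejects; a NULL default, or an explicit epoch sentinel that the policy code checks, is more portable. pandoradb.sql carries the same DATETIME definitions.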
@@ -218,3 +218,12 @@ CREATE OR REPLACE TRIGGER ttimezone_inc BEFORE INSERT ON ttimezone REFERENCING N
 -- -----------------------------------------------------
 ALTER TABLE tnetwork_component ADD COLUMN unit CLOB default '';
+
+-- -----------------------------------------------------
+-- Table `tusuario`
+-- -----------------------------------------------------
+
+alter table tusuario add (force_change_pass NUMBER(5,0) default 0 NOT NULL);
+alter table tusuario add (last_pass_change TIMESTAMP default 0);
+alter table tusuario add (last_failed_login TIMESTAMP default 0);
+alter table tusuario add (failed_attempt NUMBER(5,0) default 0 NOT NULL);
diff --git a/pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.postgreSQL.sql b/pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.postgreSQL.sql
index 992bd9457b..c92f5e187d 100644
--- a/pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.postgreSQL.sql
+++ b/pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.postgreSQL.sql
@@ -208,3 +208,11 @@ CREATE TABLE "ttimezone" (
 ALTER TABLE "tnetwork_component" ADD COLUMN "unit" text default '';
+-- -----------------------------------------------------
+-- Table `tusuario`
+-- -----------------------------------------------------
+
+ALTER TABLE "tusuario" ADD COLUMN "force_change_pass" SMALLINT NOT NULL default 0;
+ALTER TABLE "tusuario" ADD COLUMN "last_pass_change" BIGINT NOT NULL default 0;
+ALTER TABLE "tusuario" ADD COLUMN "last_failed_login" BIGINT NOT NULL default 0;
+ALTER TABLE "tusuario" ADD COLUMN "failed_attempt" INTEGER NOT NULL DEFAULT 0;
diff --git a/pandora_console/godmode/users/configure_user.php b/pandora_console/godmode/users/configure_user.php
index 9006dbef5e..1978f91c43 100644
--- a/pandora_console/godmode/users/configure_user.php
+++ b/pandora_console/godmode/users/configure_user.php
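Review bot: `TIMESTAMP default 0` on the `last_pass_change` and `last_failed_login` lines gives a numeric default to a TIMESTAMP column; I expect Oracle to reject that with a datatype mismatch rather than convert 0, which would stop the migration at the second ALTER — confirm on a test instance. pandoradb.oracle.sql declares the same two columns the same way. A timestamp literal such as `TO_TIMESTAMP('1970-01-01', 'YYYY-MM-DD')`, or simply allowing NULL, expresses the "never" value without relying on a conversion.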
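Review bot: `last_pass_change` and `last_failed_login` are added as `BIGINT`, but configure_user.php in this commit writes `date ("Y/m/d H:i:s", get_system_time())` into `last_pass_change`, a string PostgreSQL will not accept in a BIGINT column, so user creation fails on this backend; either declare them `TIMESTAMP` to match the MySQL `DATETIME`, or write an epoch integer from PHP. pandoradb.postgreSQL.sql declares the same columns the same way. Whichever type is chosen, the enterprise helpers that compare these fields (not in this diff) need the same representation on all three backends.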
@@ -131,6 +131,11 @@ if ($create_user) {
 $values['block_size'] = (int) get_parameter ('block_size', $config["block_size"]);
 $values['flash_chart'] = (int) get_parameter ('flash_charts', $config["flash_charts"]);
+ if (defined('PANDORA_ENTERPRISE')) {
+ $values['force_change_pass'] = 1;
+ $values['last_pass_change'] = date ("Y/m/d H:i:s", get_system_time());
+ }
+
 if ($id == '') {
 ui_print_error_message (__('User ID cannot be empty'));
 $user_info = $values;
diff --git a/pandora_console/include/functions_config.php b/pandora_console/include/functions_config.php
index 59e569c80a..2cd1d758de 100644
--- a/pandora_console/include/functions_config.php
+++ b/pandora_console/include/functions_config.php
@@ -215,6 +215,18 @@ function config_update_config () {
 $config['relative_path'] = get_parameter('relative_path', $config['relative_path']);
 }
+ $enterprise = enterprise_include_once ('godmode/setup/setup.php');
+ if ($enterprise !== ENTERPRISE_NOT_HOOK) {
+ $config['enable_pass_policy'] = get_parameter('enable_pass_policy', $config['enable_pass_policy']);
+ $config['pass_size'] = get_parameter('pass_size', $config['pass_size']);
+ $config['pass_expire'] = get_parameter('pass_expire', $config['pass_expire']);
+ $config['first_login'] = get_parameter('first_login', $config['first_login']);
+ $config['mins_fail_pass'] = get_parameter('mins_fail_pass', $config['mins_fail_pass']);
+ $config['number_attempts'] = get_parameter('number_attempts', $config['number_attempts']);
+ $config['pass_needs_numbers'] = get_parameter('pass_needs_numbers', $config['pass_needs_numbers']);
+ $config['pass_needs_symbols'] = get_parameter('pass_needs_symbols', $config['pass_needs_symbols']);
+ }
+
 # Update of Pandora FMS license
 $update_manager_installed = db_get_value('value', 'tconfig', 'token', 'update_manager_installed');
diff --git a/pandora_console/include/javascript/jquery.pandora.js b/pandora_console/include/javascript/jquery.pandora.js
index 783b5a5e74..c02eab43ac 100644
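Review bot: `$values['force_change_pass'] = 1;` is set for every newly created user whenever the enterprise tree is present, without consulting `$config['enable_pass_policy']` or the `first_login` setting this commit adds in functions_config.php; if `first_login` is the switch for forcing a change on first use (its consumer is not in this diff), the condition should be `if (defined('PANDORA_ENTERPRISE') && $config['enable_pass_policy'] && $config['first_login']) {`. Only the `$create_user` path is touched; if the update path of this file, which lies outside the hunk, does not also refresh `last_pass_change` when an administrator sets a new password, the expiry clock for that user never restarts. A one-line comment on the block would help the next reader: `// Password policy: new accounts must change their password at first login.`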
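Review bot: The numeric policy settings `pass_size`, `pass_expire`, `mins_fail_pass` and `number_attempts` are stored straight from `get_parameter` with no cast or range check, unlike the `(int) get_parameter (...)` pattern configure_user.php uses for `block_size`; cast them, e.g. `$config['pass_size'] = (int) get_parameter('pass_size', $config['pass_size']);`, so a non-numeric or negative value cannot become the lockout threshold. Using the current value as the default also means an unchecked checkbox, which the browser does not submit, keeps the old value, so `enable_pass_policy`, `pass_needs_numbers` and `pass_needs_symbols` may be impossible to switch off from the form — worth confirming against the enterprise setup page, which is not in this diff. config_update_config continues outside the hunk.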
--- a/pandora_console/include/javascript/jquery.pandora.js
+++ b/pandora_console/include/javascript/jquery.pandora.js
@@ -132,5 +132,32 @@ $(document).ready (function () {
 );
 return false;
 });
+
+ $( "#msg_change_password" ).dialog({
+ resizable: true,
+ draggable: true,
+ modal: true,
+ height: 280,
+ width: 600,
+ overlay: {
+ opacity: 0.5,
+ background: "black"
+ },
+ bgiframe: jQuery.browser.msie
+ });
+
+ $( "#login_blocked" ).dialog({
+ resizable: true,
+ draggable: true,
+ modal: true,
+ height: 140,
+ width: 300,
+ overlay: {
+ opacity: 0.5,
+ background: "black"
+ },
+ bgiframe: jQuery.browser.msie
+ });
+
 });
diff --git a/pandora_console/index.php b/pandora_console/index.php
index 92839f85cf..308c287e98 100644
--- a/pandora_console/index.php
+++ b/pandora_console/index.php
@@ -62,11 +62,16 @@ if ((! file_exists ("include/config.php")) || (! is_readable ("include/config.ph
 session_start ();
 require_once ("include/config.php");
+$fails = get_parameter('fails', 0);
+
 /* Enterprise support */
 if (file_exists (ENTERPRISE_DIR."/load_enterprise.php")) {
 include_once (ENTERPRISE_DIR."/load_enterprise.php");
 }
+if (file_exists (ENTERPRISE_DIR."/include/functions_login.php")) {
+ include_once (ENTERPRISE_DIR."/include/functions_login.php");
+}
 if (!empty ($config["https"]) && empty ($_SERVER['HTTPS'])) {
 $query = '';
@@ -127,6 +132,18 @@ $sec = safe_url_extraclean ($sec);
 $process_login = false;
+// Update user password
+$change_pass = get_parameter('renew_password', 0);
+
+if ($change_pass == 1) {
+ $password_new = (string) get_parameter ('new_password', '');
+ $password_confirm = (string) get_parameter ('confirm_new_password', '');
+ $id = (string) get_parameter ('login', '');
+ $changed_pass = login_update_password_check ($password_new, $password_confirm, $id);
+}
+
 $searchPage = false;
 $search = get_parameter_get("head_search_keywords");
 if (strlen($search) > 0) {
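Review bot: The two `.dialog({...})` calls differ only in selector, `height` and `width`; a small helper taking those three values would remove the duplicated option block and keep the overlay settings in one place. `jQuery.browser.msie` is deprecated from jQuery 1.3 and removed in 1.9, so `bgiframe: jQuery.browser.msie` throws on a newer bundled jQuery — which version the console ships is not visible here, so worth checking. The enclosing `$(document).ready` handler starts outside the hunk.
```javascript
	// Shared options for the password-policy dialogs; only the target and size vary.
	function policyDialog (selector, height, width) {
		$(selector).dialog({
			resizable: true,
			draggable: true,
			modal: true,
			height: height,
			width: width,
			overlay: { opacity: 0.5, background: "black" },
			bgiframe: jQuery.browser.msie
		});
	}
	policyDialog("#msg_change_password", 280, 600);
	policyDialog("#login_blocked", 140, 300);
	// … unchanged: end of the $(document).ready handler …
```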
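Review bot: `$fails = get_parameter('fails', 0);` takes a failed-attempt count from the request; nothing in this diff consumes it, but if the login page or the enterprise helpers use it for anything beyond displaying a message, the value is caller-controlled and must instead come from the `failed_attempt` column this commit adds. The include of `functions_login.php` is guarded by `file_exists`, yet `login_update_password_check` (next hunk) and `login_check_blocked`/`login_check_failed` (last hunk of this file) are called without a matching guard, so an install without the enterprise tree hits an undefined-function fatal on those paths. Wrap those calls in `if (function_exists('login_check_blocked'))` or the `defined('PANDORA_ENTERPRISE')` test the third hunk already uses.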
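Review bot: The account whose password is renewed comes from the `login` request parameter (`$id = (string) get_parameter ('login', '')`) before any login has been processed in this request, and nothing in this hunk ties the renewal to a prior successful authentication, for example a session flag set in the expired-password branch of the next hunk; unless `login_update_password_check` itself verifies the current password, that check is missing here — confirm what the enterprise helper does, it is not in this diff. `$changed_pass` is assigned and never read in the visible code, so unless the login page picks it up a failed renewal gives the user no feedback; pass it to the login page or drop the assignment. `$change_pass == 1` is a loose comparison; `(int) get_parameter('renew_password', 0) === 1` is the stricter form.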
@@ -169,7 +186,39 @@ elseif (! isset ($config['id_user']) && isset ($_GET["login"])) {
 // process_user_login should return false in case of errors or invalid login, the nickname if correct
 $nick_in_db = process_user_login ($nick, $pass);
- if ($nick_in_db !== false) {
+ $expired_pass = false;
+
+ if (($nick_in_db != false)&&(!is_user_admin($nick)) && (defined('PANDORA_ENTERPRISE')) && ($config['enable_pass_policy'])) {
+ include_once(ENTERPRISE_DIR."/include/auth/mysql.php");
+
+ $blocked = login_check_blocked($nick);
+
+ if ($blocked) {
+ require_once ('general/login_page.php');
+ db_pandora_audit("Password expired", "Password expired: ".$nick, $nick);
+ while (@ob_end_flush ());
+ exit ("");
+ }
+
+ //Checks if password has expired
+ $check_status = check_pass_status($nick, $pass);
+
+ switch ($check_status) {
+ case 1: //first change
+ case 2: //pass expired
+ $expired_pass = true;
+ login_change_password($nick);
+ break;
+ }
+
+ }
+
+ if (($nick_in_db !== false) && $expired_pass) { //login ok and password has expired
+ require_once ('general/login_page.php');
+ db_pandora_audit("Password expired", "Password expired: ".$nick, $nick);
+ while (@ob_end_flush ());
+ exit ("");
+ } else if (($nick_in_db !== false) && (!$expired_pass)) { //login ok and password has not expired
 $process_login = true;
 unset ($_GET["sec2"]);
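Review bot: The blocked-account branch (`if ($blocked)`) records `db_pandora_audit("Password expired", ...)`, so a lockout is audited as a password expiry and is invisible to anyone watching the audit log for lockouts; use a distinct entry such as `db_pandora_audit("Logon Failed", "Account blocked: ".$nick, $nick);`. `include_once(ENTERPRISE_DIR."/include/auth/mysql.php")` hard-codes the MySQL auth backend even though this commit adds the same columns for Oracle and PostgreSQL. `($nick_in_db != false)` is a loose comparison while the following checks use `!== false`, so a nickname of `"0"` would fail the loose test and skip the policy entirely. The four-line "show login page, audit, flush, exit" sequence appears twice here and twice more in the next hunk; a small helper would keep the audit wording consistent. The enclosing `elseif` block starts before and ends after this hunk.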
@@ -234,18 +283,32 @@ elseif (! isset ($config['id_user']) && isset ($_GET["login"])) {
 $l10n->load_tables();
 }
 }
- else {
- // User not known
- $login_failed = true;
- require_once ('general/login_page.php');
- db_pandora_audit("Logon Failed", "Invalid login: ".$nick, $nick);
- while (@ob_end_flush ());
- exit ("");
+ else { //login wrong
+ $blocked = false;
+
+ if (!is_user_admin($nick)) {
+ $blocked = login_check_blocked($nick);
+ }
+
+ if (!$blocked) {
+ login_check_failed($nick); //Checks failed attempts
+ $login_failed = true;
+ require_once ('general/login_page.php');
+ db_pandora_audit("Logon Failed", "Invalid login: ".$nick, $nick);
+ while (@ob_end_flush ());
+ exit ("");
+ } else {
+ require_once ('general/login_page.php');
+ db_pandora_audit("Logon Failed", "Invalid login: ".$nick, $nick);
+ while (@ob_end_flush ());
+ exit ("");
+ }
+ }
 }
 elseif (! isset ($config['id_user'])) {
+ // There is no user connected
- require_once ('general/login_page.php');
 while (@ob_end_flush ());
 exit ("");
diff --git a/pandora_console/pandoradb.data.oracle.sql b/pandora_console/pandoradb.data.oracle.sql
index 81775394e7..54a41c7967 100644
--- a/pandora_console/pandoradb.data.oracle.sql
+++ b/pandora_console/pandoradb.data.oracle.sql
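Review bot: `require_once ('general/login_page.php');` is removed from the `elseif (! isset ($config['id_user']))` branch and nothing else in the new code renders the form there, so a visitor with no session appears to get an empty response instead of the login page; this looks unintentional, and if so the line should be restored. In the failed-login branch the `if (!$blocked)` and `else` arms execute the same four lines, differing only in `login_check_failed($nick)` and `$login_failed = true`, and both audit as "Invalid login", so a lockout cannot be told apart from a wrong password in the audit trail — `db_pandora_audit("Logon Failed", "Account blocked: ".$nick, $nick);` in the else arm would fix that, and `$login_failed` should probably be set there too so the page reports the failure. Admin accounts bypass `login_check_blocked` and `login_check_failed` entirely via `!is_user_admin($nick)`, so the lockout never applies to the most privileged accounts; if that exemption is deliberate it deserves a comment saying why. The enclosing `elseif` block starts before this hunk.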
@@ -90,6 +90,14 @@ INSERT INTO tconfig (token, value) VALUES ('netflow_interval', '300');
 INSERT INTO tconfig (token, value) VALUES ('netflow_daemon', '/usr/bin/nfcapd');
 INSERT INTO tconfig (token, value) VALUES ('event_fields', 'evento,id_agente,estado,timestamp');
 INSERT INTO tconfig (token, value) VALUES ('list_ACL_IPs_for_API_0', '127.0.0.1');
+INSERT INTO tconfig (token, value) VALUES ('enable_pass_policy', 0);
+INSERT INTO tconfig (token, value) VALUES ('pass_size', 4);
+INSERT INTO tconfig (token, value) VALUES ('pass_needs_numbers', 0);
+INSERT INTO tconfig (token, value) VALUES ('pass_needs_simbols', 0);
+INSERT INTO tconfig (token, value) VALUES ('pass_expire', 0);
+INSERT INTO tconfig (token, value) VALUES ('first_login', 0);
+INSERT INTO tconfig (token, value) VALUES ('mins_fail_pass', 5);
+INSERT INTO tconfig (token, value) VALUES ('number_attempts', 5);
 COMMIT;
 END;;
diff --git a/pandora_console/pandoradb.data.postgreSQL.sql b/pandora_console/pandoradb.data.postgreSQL.sql
index 8611e6a789..5540c37ec2 100644
--- a/pandora_console/pandoradb.data.postgreSQL.sql
+++ b/pandora_console/pandoradb.data.postgreSQL.sql
@@ -87,6 +87,15 @@ INSERT INTO "tconfig" ("token", "value") VALUES
 ('netflow_daemon', '/usr/bin/nfcapd'),
 ('event_fields', 'evento,id_agente,estado,timestamp'),
 ('list_ACL_IPs_for_API_0', '127.0.0.1');
+('enable_pass_policy', 0);
+('pass_size', 4);
+('pass_needs_numbers', 0);
+('pass_needs_simbols', 0);
+('pass_expire', 0);
+('first_login', 0);
+('mins_fail_pass', 5);
+('number_attempts', 5);
+
 COMMIT WORK;
diff --git a/pandora_console/pandoradb.oracle.sql b/pandora_console/pandoradb.oracle.sql
index f33f16030c..6a5f78092b 100644
--- a/pandora_console/pandoradb.oracle.sql
+++ b/pandora_console/pandoradb.oracle.sql
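Review bot: The token is seeded as `pass_needs_simbols` here and in pandoradb.data.postgreSQL.sql, but functions_config.php reads and writes `pass_needs_symbols` and pandoradb_data.sql seeds `pass_needs_symbols`, so on Oracle and PostgreSQL the row the UI updates never matches the seeded one; change it to `INSERT INTO tconfig (token, value) VALUES ('pass_needs_symbols', 0);`. The new rows also pass unquoted numbers where every neighbouring row quotes its value (`'300'`, `'127.0.0.1'`); Oracle will convert them, but quoting keeps the file consistent with itself.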
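Review bot: The eight added tuples follow `('list_ACL_IPs_for_API_0', '127.0.0.1');`, which already terminates the multi-row INSERT, and each is itself terminated with `;`, so they are free-standing `(...)` fragments and the script fails to load on PostgreSQL. Change the terminator of the `list_ACL_IPs_for_API_0` row to a comma, separate the new rows with commas and end only `('number_attempts', 5)` with `;`, as pandoradb_data.sql does in this same commit. The one-statement-per-row style with `;` is correct in the Oracle data file because each line there is a full INSERT, which is not the case here.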
@@ -873,7 +873,11 @@ CREATE TABLE tusuario (
 shortcut NUMBER(5, 0) DEFAULT 0,
 shortcut_data CLOB default '',
 section VARCHAR2(255) NOT NULL,
- data_section VARCHAR2(255) NOT NULL
+ data_section VARCHAR2(255) NOT NULL,
+ force_change_pass NUMBER(5,0) default 0 NOT NULL,
+ last_pass_change TIMESTAMP default 0,
+ last_failed_login TIMESTAMP default 0,
+ failed_attempt NUMBER(5,0) default 0 NOT NULL
 );
 CREATE TABLE tusuario_perfil (
diff --git a/pandora_console/pandoradb.postgreSQL.sql b/pandora_console/pandoradb.postgreSQL.sql
index 664a42f94d..33cdde5084 100644
--- a/pandora_console/pandoradb.postgreSQL.sql
+++ b/pandora_console/pandoradb.postgreSQL.sql
@@ -703,7 +703,11 @@ CREATE TABLE "tusuario" (
 "shortcut" SMALLINT DEFAULT 0,
 "shortcut_data" text default '',
 "section" varchar(255) NOT NULL DEFAULT '',
- "data_section" varchar(255) NOT NULL DEFAULT ''
+ "data_section" varchar(255) NOT NULL DEFAULT '',
+ "force_change_pass" SMALLINT NOT NULL default 0,
+ "last_pass_change" BIGINT NOT NULL default 0,
+ "last_failed_login" BIGINT NOT NULL default 0,
+ "failed_attempt" INTEGER NOT NULL DEFAULT 0
 );
 CREATE TABLE "tusuario_perfil" (
diff --git a/pandora_console/pandoradb.sql b/pandora_console/pandoradb.sql
index cc3e90c513..82c73243dc 100644
--- a/pandora_console/pandoradb.sql
+++ b/pandora_console/pandoradb.sql
@@ -779,6 +779,10 @@ CREATE TABLE IF NOT EXISTS `tusuario` (
 `shortcut_data` text,
 `section` TEXT NOT NULL,
 `data_section` TEXT NOT NULL,
+ `force_change_pass` tinyint(1) unsigned NOT NULL default 0,
+ `last_pass_change` DATETIME NOT NULL DEFAULT 0,
+ `last_failed_login` DATETIME NOT NULL DEFAULT 0,
+ `failed_attempt` int(4) NOT NULL DEFAULT 0,
 UNIQUE KEY `id_user` (`id_user`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
diff --git a/pandora_console/pandoradb_data.sql b/pandora_console/pandoradb_data.sql
index 1d7d944e9a..70e5a665ff 100644
--- a/pandora_console/pandoradb_data.sql
+++ b/pandora_console/pandoradb_data.sql
@@ -85,7 +85,15 @@ INSERT INTO `tconfig` (`token`, `value`) VALUES ('netflow_interval', '300'),
 ('netflow_daemon', '/usr/bin/nfcapd'),
 ('event_fields', 'evento,id_agente,estado,timestamp'),
-('list_ACL_IPs_for_API_0', '127.0.0.1');
+('list_ACL_IPs_for_API_0', '127.0.0.1'),
+('enable_pass_policy', 0),
+('pass_size', 4),
+('pass_needs_numbers', 0),
+('pass_needs_symbols', 0),
+('pass_expire', 0),
+('first_login', 0),
+('mins_fail_pass', 5),
+('number_attempts', 5);
 UNLOCK TABLES;
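Review bot: `pass_size` is seeded as 4, so an operator who switches `enable_pass_policy` on gets a four-character minimum unless they also remember to raise it; a default of at least 8 is the usual baseline and costs nothing here: `('pass_size', 8),`. The new rows use unquoted numbers where every neighbouring row quotes its value; MySQL coerces them, but `('pass_size', '8'),` matches the file's own style and the `value` column the other rows assume. The token names here do agree with functions_config.php, including `pass_needs_symbols`.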