2012-05-17 Vanessa Gil <vanessa.gil@artica.es>

* pandoradb.sql
	  pandoradb.postgreSQL.sql
	  pandoradb.oracle.sql
	  pandoradb_data.sql
	  pandoradb.data.oracle.sql
	  pandoradb.data.postgreSQL.sql
	  extras/pandoradb_migrate_4.0.x_to_4.1.mysql.sql
	  extras/pandoradb_migrate_4.0.x_to_4.1.oracle.sql
	  extras/pandoradb_migrate_4.0.x_to_4.1.postgreSQL.sql
	  index.php
	  godmode/users/configure_user.php
	  include/functions_config.php
	  include/javascript/jquery.pandora.js: Added password policy.


git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@6312 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f

pandora_console/ChangeLog

@@ -1,3 +1,19 @@
+2012-05-17  Vanessa Gil <vanessa.gil@artica.es>
+
+	* pandoradb.sql
+	  pandoradb.postgreSQL.sql
+	  pandoradb.oracle.sql
+	  pandoradb_data.sql
+	  pandoradb.data.oracle.sql
+	  pandoradb.data.postgreSQL.sql
+	  extras/pandoradb_migrate_4.0.x_to_4.1.mysql.sql
+	  extras/pandoradb_migrate_4.0.x_to_4.1.oracle.sql
+	  extras/pandoradb_migrate_4.0.x_to_4.1.postgreSQL.sql
+	  index.php
+	  godmode/users/configure_user.php
+	  include/functions_config.php
+	  include/javascript/jquery.pandora.js: Added password policy.
+
 2012-05-17  Kikuchi Koichiro  <koichiro@rworks.jp>
 
 	* extensions/update_manager/settings.php,

pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.mysql.sql

@@ -215,3 +215,12 @@ CREATE TABLE IF NOT EXISTS `ttimezone` (
   `timezone` varchar(60) NOT NULL,
 PRIMARY KEY  (`id_tz`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- -----------------------------------------------------
+-- Table `tusuario`
+-- -----------------------------------------------------
+
+ALTER TABLE `tusuario` ADD COLUMN `force_change_pass` tinyint(1) DEFAULT 0;
+ALTER TABLE `tusuario` ADD COLUMN `last_pass_change` DATETIME  NOT NULL DEFAULT 0;
+ALTER TABLE `tusuario` ADD COLUMN `last_failed_login` DATETIME  NOT NULL DEFAULT 0;
+ALTER TABLE `tusuario` ADD COLUMN `failed_attempt` int(4) NOT NULL DEFAULT 0;

pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.oracle.sql

@@ -218,3 +218,12 @@ CREATE OR REPLACE TRIGGER ttimezone_inc BEFORE INSERT ON ttimezone REFERENCING N
 -- -----------------------------------------------------
 
 ALTER TABLE tnetwork_component ADD COLUMN unit CLOB default '';
+
+-- -----------------------------------------------------
+-- Table `tusuario`
+-- -----------------------------------------------------
+
+alter table tusuario add (force_change_pass NUMBER(5,0) default 0 NOT NULL);
+alter table tusuario add (last_pass_change TIMESTAMP default 0);
+alter table tusuario add (last_failed_login TIMESTAMP default 0);
+alter table tusuario add (failed_attempt NUMBER(5,0) default 0 NOT NULL);

pandora_console/extras/pandoradb_migrate_4.0.x_to_4.1.postgreSQL.sql

@@ -208,3 +208,11 @@ CREATE TABLE "ttimezone" (
 
 ALTER TABLE "tnetwork_component" ADD COLUMN "unit" text default '';
 
+-- -----------------------------------------------------
+-- Table `tusuario`
+-- -----------------------------------------------------
+
+ALTER TABLE "tusuario" ADD COLUMN "force_change_pass" SMALLINT NOT NULL default 0;
+ALTER TABLE "tusuario" ADD COLUMN "last_pass_change" BIGINT NOT NULL default 0;
+ALTER TABLE "tusuario" ADD COLUMN "last_failed_login" BIGINT NOT NULL default 0;
+ALTER TABLE "tusuario" ADD COLUMN "failed_attempt" INTEGER NOT NULL DEFAULT 0;

pandora_console/godmode/users/configure_user.php

@@ -131,6 +131,11 @@ if ($create_user) {
 	$values['block_size'] = (int) get_parameter ('block_size', $config["block_size"]);
 	$values['flash_chart'] = (int) get_parameter ('flash_charts', $config["flash_charts"]);
 	
+	if (defined('PANDORA_ENTERPRISE')) {
+		$values['force_change_pass'] = 1;
+		$values['last_pass_change'] = date ("Y/m/d H:i:s", get_system_time());
+	}
+	
 	if ($id == '') {
 		ui_print_error_message (__('User ID cannot be empty'));
 		$user_info = $values;

pandora_console/include/functions_config.php

@@ -215,6 +215,18 @@ function config_update_config () {
 		$config['relative_path'] = get_parameter('relative_path', $config['relative_path']);
 	}
 	
+	$enterprise = enterprise_include_once ('godmode/setup/setup.php');
+	if ($enterprise !== ENTERPRISE_NOT_HOOK) {
+		$config['enable_pass_policy'] = get_parameter('enable_pass_policy', $config['enable_pass_policy']);
+		$config['pass_size'] = get_parameter('pass_size', $config['pass_size']);
+		$config['pass_expire'] = get_parameter('pass_expire', $config['pass_expire']);
+		$config['first_login'] = get_parameter('first_login', $config['first_login']);
+		$config['mins_fail_pass'] = get_parameter('mins_fail_pass', $config['mins_fail_pass']);
+		$config['number_attempts'] = get_parameter('number_attempts', $config['number_attempts']);
+		$config['pass_needs_numbers'] = get_parameter('pass_needs_numbers', $config['pass_needs_numbers']);
+		$config['pass_needs_symbols'] = get_parameter('pass_needs_symbols', $config['pass_needs_symbols']);
+	}
+	
 	# Update of Pandora FMS license 
 	$update_manager_installed = db_get_value('value', 'tconfig', 'token', 'update_manager_installed');
 

pandora_console/include/javascript/jquery.pandora.js

@@ -132,5 +132,32 @@ $(document).ready (function () {
 		);	
 		return false;
 	});
+	
+	$( "#msg_change_password" ).dialog({
+				resizable: true,
+				draggable: true,
+				modal: true,
+				height: 280,
+				width: 600,
+				overlay: {
+							opacity: 0.5,
+							background: "black"
+						},
+				bgiframe: jQuery.browser.msie
+	});
+	
+	$( "#login_blocked" ).dialog({
+				resizable: true,
+				draggable: true,
+				modal: true,
+				height: 140,
+				width: 300,
+				overlay: {
+							opacity: 0.5,
+							background: "black"
+						},
+				bgiframe: jQuery.browser.msie
+	});
+	
 
 });

pandora_console/index.php

@@ -62,11 +62,16 @@ if ((! file_exists ("include/config.php")) || (! is_readable ("include/config.ph
 session_start ();
 require_once ("include/config.php");
 
+$fails = get_parameter('fails', 0);
+
 /* Enterprise support */
 if (file_exists (ENTERPRISE_DIR."/load_enterprise.php")) {
 	include_once (ENTERPRISE_DIR."/load_enterprise.php");
 }
 
+if (file_exists (ENTERPRISE_DIR."/include/functions_login.php")) {
+	include_once (ENTERPRISE_DIR."/include/functions_login.php");
+}
 
 if (!empty ($config["https"]) && empty ($_SERVER['HTTPS'])) {
 	$query = '';
@@ -127,6 +132,18 @@ $sec = safe_url_extraclean ($sec);
 
 $process_login = false;
 
+// Update user password
+$change_pass = get_parameter('renew_password', 0);
+	
+if ($change_pass == 1) {
+	
+	$password_new = (string) get_parameter ('new_password', '');
+	$password_confirm = (string) get_parameter ('confirm_new_password', '');
+	$id = (string) get_parameter ('login', '');
+
+	$changed_pass = login_update_password_check ($password_new, $password_confirm, $id);
+}
+
 $searchPage = false;
 $search = get_parameter_get("head_search_keywords");
 if (strlen($search) > 0) {
@@ -169,7 +186,39 @@ elseif (! isset ($config['id_user']) && isset ($_GET["login"])) {
 	// process_user_login should return false in case of errors or invalid login, the nickname if correct
 	$nick_in_db = process_user_login ($nick, $pass);
 	
-	if ($nick_in_db !== false) {
+	$expired_pass = false;
+	
+	if (($nick_in_db != false)&&(!is_user_admin($nick)) && (defined('PANDORA_ENTERPRISE')) && ($config['enable_pass_policy'])) {
+		include_once(ENTERPRISE_DIR."/include/auth/mysql.php");
+	
+		$blocked = login_check_blocked($nick);
+		
+		if ($blocked) {
+			require_once ('general/login_page.php');
+			db_pandora_audit("Password expired", "Password expired: ".$nick, $nick);
+			while (@ob_end_flush ());
+			exit ("</html>");
+		}
+		
+		//Checks if password has expired
+		$check_status = check_pass_status($nick, $pass);
+		
+		switch ($check_status) {
+			case 1: //first change
+			case 2: //pass expired
+				$expired_pass = true;
+				login_change_password($nick);
+				break;
+		}
+	
+	}
+		
+	if (($nick_in_db !== false) && $expired_pass) { //login ok and password has expired
+		require_once ('general/login_page.php');
+		db_pandora_audit("Password expired", "Password expired: ".$nick, $nick);
+		while (@ob_end_flush ());
+		exit ("</html>");
+	} else	if (($nick_in_db !== false) && (!$expired_pass)) { //login ok and password has not expired
 		$process_login = true;
 		
 		unset ($_GET["sec2"]);
@@ -234,18 +283,32 @@ elseif (! isset ($config['id_user']) && isset ($_GET["login"])) {
 			$l10n->load_tables();
 		}
 	}
-	else {
+	else { //login wrong
-		// User not known
+		$blocked = false;
-		$login_failed = true;
+		
-		require_once ('general/login_page.php');
+		if (!is_user_admin($nick)) {
-		db_pandora_audit("Logon Failed", "Invalid login: ".$nick, $nick);
+			$blocked = login_check_blocked($nick);
-		while (@ob_end_flush ());
+		}
-		exit ("</html>");
+		
+		if (!$blocked) {
+			login_check_failed($nick); //Checks failed attempts
+			$login_failed = true;
+			require_once ('general/login_page.php');
+			db_pandora_audit("Logon Failed", "Invalid login: ".$nick, $nick);
+			while (@ob_end_flush ());
+			exit ("</html>");
+		} else {
+			require_once ('general/login_page.php');
+			db_pandora_audit("Logon Failed", "Invalid login: ".$nick, $nick);
+			while (@ob_end_flush ());
+			exit ("</html>");
+		}
+
 	}
 }
 elseif (! isset ($config['id_user'])) {
+
 	// There is no user connected
-	
 	require_once ('general/login_page.php');
 	while (@ob_end_flush ());
 	exit ("</html>");

pandora_console/pandoradb.data.oracle.sql

@@ -90,6 +90,14 @@ INSERT INTO tconfig (token, value) VALUES ('netflow_interval', '300');
 INSERT INTO tconfig (token, value) VALUES ('netflow_daemon', '/usr/bin/nfcapd');
 INSERT INTO tconfig (token, value) VALUES ('event_fields', 'evento,id_agente,estado,timestamp');
 INSERT INTO tconfig (token, value) VALUES ('list_ACL_IPs_for_API_0', '127.0.0.1');
+INSERT INTO tconfig (token, value) VALUES ('enable_pass_policy', 0);
+INSERT INTO tconfig (token, value) VALUES ('pass_size', 4);
+INSERT INTO tconfig (token, value) VALUES ('pass_needs_numbers', 0);
+INSERT INTO tconfig (token, value) VALUES ('pass_needs_simbols', 0);
+INSERT INTO tconfig (token, value) VALUES ('pass_expire', 0);
+INSERT INTO tconfig (token, value) VALUES ('first_login', 0);
+INSERT INTO tconfig (token, value) VALUES ('mins_fail_pass', 5);
+INSERT INTO tconfig (token, value) VALUES ('number_attempts', 5);
 COMMIT;
 END;;
 

pandora_console/pandoradb.data.postgreSQL.sql

@@ -87,6 +87,15 @@ INSERT INTO "tconfig" ("token", "value") VALUES
 ('netflow_daemon', '/usr/bin/nfcapd'),
 ('event_fields', 'evento,id_agente,estado,timestamp'),
 ('list_ACL_IPs_for_API_0', '127.0.0.1');
+('enable_pass_policy', 0);
+('pass_size', 4);
+('pass_needs_numbers', 0);
+('pass_needs_simbols', 0);
+('pass_expire', 0);
+('first_login', 0);
+('mins_fail_pass', 5);
+('number_attempts', 5);
+
 COMMIT WORK;
 
 

pandora_console/pandoradb.oracle.sql

@@ -873,7 +873,11 @@ CREATE TABLE tusuario (
 	shortcut NUMBER(5, 0) DEFAULT 0,
 	shortcut_data CLOB default '',
 	section VARCHAR2(255) NOT NULL,
-	data_section VARCHAR2(255) NOT NULL
+	data_section VARCHAR2(255) NOT NULL,
+	force_change_pass NUMBER(5,0) default 0 NOT NULL,
+	last_pass_change TIMESTAMP default 0,
+	last_failed_login TIMESTAMP default 0,
+	failed_attempt NUMBER(5,0) default 0 NOT NULL
 );
 
 CREATE TABLE tusuario_perfil (

pandora_console/pandoradb.postgreSQL.sql

@@ -703,7 +703,11 @@ CREATE TABLE "tusuario" (
 	"shortcut" SMALLINT DEFAULT 0,
 	"shortcut_data" text default '',
 	"section" varchar(255) NOT NULL DEFAULT '',
-	"data_section" varchar(255) NOT NULL DEFAULT ''
+	"data_section" varchar(255) NOT NULL DEFAULT '',
+	"force_change_pass" SMALLINT NOT NULL default 0,
+	"last_pass_change" BIGINT NOT NULL default 0,
+	"last_failed_login" BIGINT NOT NULL default 0,
+	"failed_attempt" INTEGER NOT NULL DEFAULT 0
 );
 
 CREATE TABLE "tusuario_perfil" (

pandora_console/pandoradb.sql

@@ -779,6 +779,10 @@ CREATE TABLE IF NOT EXISTS `tusuario` (
   `shortcut_data` text,
   `section` TEXT NOT NULL,
   `data_section` TEXT NOT NULL,
+  `force_change_pass` tinyint(1) unsigned NOT NULL default 0,
+  `last_pass_change` DATETIME  NOT NULL DEFAULT 0,
+  `last_failed_login` DATETIME  NOT NULL DEFAULT 0,
+  `failed_attempt` int(4) NOT NULL DEFAULT 0,
   UNIQUE KEY `id_user` (`id_user`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 

pandora_console/pandoradb_data.sql

@@ -85,7 +85,15 @@ INSERT INTO `tconfig` (`token`, `value`) VALUES
 ('netflow_interval', '300'),
 ('netflow_daemon', '/usr/bin/nfcapd'),
 ('event_fields', 'evento,id_agente,estado,timestamp'),
-('list_ACL_IPs_for_API_0', '127.0.0.1');
+('list_ACL_IPs_for_API_0', '127.0.0.1'),
+('enable_pass_policy', 0),
+('pass_size', 4),
+('pass_needs_numbers', 0),
+('pass_needs_symbols', 0),
+('pass_expire', 0),
+('first_login', 0),
+('mins_fail_pass', 5),
+('number_attempts', 5);
 
 UNLOCK TABLES;