security.php 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506
  1. <?php
  2. /* Copyright (C) 2004-2009 Laurent Destailleur <eldy@users.sourceforge.net>
  3. * Copyright (C) 2005-2007 Regis Houssin <regis.houssin@inodbox.com>
  4. * Copyright (C) 2013-2015 Juanjo Menent <jmenent@2byte.es>
  5. *
  6. * This program is free software; you can redistribute it and/or modify
  7. * it under the terms of the GNU General Public License as published by
  8. * the Free Software Foundation; either version 3 of the License, or
  9. * (at your option) any later version.
  10. *
  11. * This program is distributed in the hope that it will be useful,
  12. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. * GNU General Public License for more details.
  15. *
  16. * You should have received a copy of the GNU General Public License
  17. * along with this program. If not, see <https://www.gnu.org/licenses/>.
  18. */
  19. /**
  20. * \file htdocs/admin/security.php
  21. * \ingroup setup
  22. * \brief Page de configuration du module securite
  23. */
  24. require '../main.inc.php';
  25. require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
  26. require_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
  27. $action = GETPOST('action', 'aZ09');
  28. // Load translation files required by the page
  29. $langs->loadLangs(array("users", "admin", "other"));
  30. if (!$user->admin) {
  31. accessforbidden();
  32. }
  33. // Allow/Disallow change to clear passwords once passwords are crypted
  34. $allow_disable_encryption = true;
  35. /*
  36. * Actions
  37. */
  38. if ($action == 'setgeneraterule') {
  39. if (!dolibarr_set_const($db, 'USER_PASSWORD_GENERATED', GETPOST("value", "alphanohtml"), 'chaine', 0, '', $conf->entity)) {
  40. dol_print_error($db);
  41. } else {
  42. header("Location: ".$_SERVER["PHP_SELF"]);
  43. exit;
  44. }
  45. }
  46. if ($action == 'activate_encrypt') {
  47. $error = 0;
  48. $db->begin();
  49. // On old version a bug created the constant into user entity, so we delete it to be sure, such entry won't exists. We want it in entity 0 or nowhere.
  50. dolibarr_del_const($db, "DATABASE_PWD_ENCRYPTED", "1", 'chaine', 0, '', $conf->entity);
  51. // We set entity=0 (all) because DATABASE_PWD_ENCRYPTED is a setup into conf file, so always shared for everybody
  52. $entityforall = 0;
  53. dolibarr_set_const($db, "DATABASE_PWD_ENCRYPTED", "1", 'chaine', 0, '', $entityforall);
  54. $sql = "SELECT u.rowid, u.pass, u.pass_crypted";
  55. $sql .= " FROM ".MAIN_DB_PREFIX."user as u";
  56. $sql .= " WHERE u.pass IS NOT NULL AND LENGTH(u.pass) < 32"; // Not a MD5 value
  57. $resql = $db->query($sql);
  58. if ($resql) {
  59. $numrows = $db->num_rows($resql);
  60. $i = 0;
  61. while ($i < $numrows) {
  62. $obj = $db->fetch_object($resql);
  63. if (dol_hash($obj->pass)) {
  64. $sql = "UPDATE ".MAIN_DB_PREFIX."user";
  65. $sql .= " SET pass_crypted = '".dol_hash($obj->pass)."', pass = NULL";
  66. $sql .= " WHERE rowid=".((int) $obj->rowid);
  67. //print $sql;
  68. $resql2 = $db->query($sql);
  69. if (!$resql2) {
  70. dol_print_error($db);
  71. $error++;
  72. break;
  73. }
  74. $i++;
  75. }
  76. }
  77. } else {
  78. dol_print_error($db);
  79. }
  80. //print $error." ".$sql;
  81. //exit;
  82. if (!$error) {
  83. $db->commit();
  84. header("Location: security.php");
  85. exit;
  86. } else {
  87. $db->rollback();
  88. dol_print_error($db, '');
  89. }
  90. } elseif ($action == 'disable_encrypt') {
  91. //On n'autorise pas l'annulation de l'encryption car les mots de passe ne peuvent pas etre decodes
  92. //Do not allow "disable encryption" as passwords cannot be decrypted
  93. if ($allow_disable_encryption) {
  94. dolibarr_del_const($db, "DATABASE_PWD_ENCRYPTED", $conf->entity);
  95. }
  96. header("Location: security.php");
  97. exit;
  98. }
  99. if ($action == 'activate_encryptdbpassconf') {
  100. $result = encodedecode_dbpassconf(1);
  101. if ($result > 0) {
  102. sleep(3); // Don't know why but we need to wait file is completely saved before making the reload. Even with flush and clearstatcache, we need to wait.
  103. // database value not required
  104. //dolibarr_set_const($db, "MAIN_DATABASE_PWD_CONFIG_ENCRYPTED", "1");
  105. header("Location: security.php");
  106. exit;
  107. } else {
  108. setEventMessages($langs->trans('InstrucToEncodePass', dol_encode($dolibarr_main_db_pass)), null, 'warnings');
  109. }
  110. } elseif ($action == 'disable_encryptdbpassconf') {
  111. $result = encodedecode_dbpassconf(0);
  112. if ($result > 0) {
  113. sleep(3); // Don't know why but we need to wait file is completely saved before making the reload. Even with flush and clearstatcache, we need to wait.
  114. // database value not required
  115. //dolibarr_del_const($db, "MAIN_DATABASE_PWD_CONFIG_ENCRYPTED",$conf->entity);
  116. header("Location: security.php");
  117. exit;
  118. } else {
  119. setEventMessages($langs->trans('InstrucToClearPass', $dolibarr_main_db_pass), null, 'warnings');
  120. }
  121. }
  122. if ($action == 'activate_MAIN_SECURITY_DISABLEFORGETPASSLINK') {
  123. dolibarr_set_const($db, "MAIN_SECURITY_DISABLEFORGETPASSLINK", '1', 'chaine', 0, '', $conf->entity);
  124. header("Location: security.php");
  125. exit;
  126. } elseif ($action == 'disable_MAIN_SECURITY_DISABLEFORGETPASSLINK') {
  127. dolibarr_del_const($db, "MAIN_SECURITY_DISABLEFORGETPASSLINK", $conf->entity);
  128. header("Location: security.php");
  129. exit;
  130. }
  131. if ($action == 'updatepattern') {
  132. $pattern = GETPOST("pattern", "alpha");
  133. $explodePattern = explode(';', $pattern);
  134. $patternInError = false;
  135. if ($explodePattern[0] < 1 || $explodePattern[4] < 0) {
  136. $patternInError = true;
  137. }
  138. if ($explodePattern[0] < $explodePattern[1] + $explodePattern[2] + $explodePattern[3]) {
  139. $patternInError = true;
  140. }
  141. if (!$patternInError) {
  142. dolibarr_set_const($db, "USER_PASSWORD_PATTERN", $pattern, 'chaine', 0, '', $conf->entity);
  143. setEventMessages($langs->trans("SetupSaved"), null, 'mesgs');
  144. header("Location: security.php");
  145. exit;
  146. }
  147. }
  148. /*
  149. * View
  150. */
  151. $form = new Form($db);
  152. $wikihelp = 'EN:Setup_Security|FR:Paramétrage_Sécurité|ES:Configuración_Seguridad';
  153. llxHeader('', $langs->trans("Passwords"), $wikihelp);
  154. print load_fiche_titre($langs->trans("SecuritySetup"), '', 'title_setup');
  155. print '<span class="opacitymedium">'.$langs->trans("GeneratedPasswordDesc")."</span><br>\n";
  156. print "<br>\n";
  157. $head = security_prepare_head();
  158. print dol_get_fiche_head($head, 'passwords', '', -1);
  159. print '<br>';
  160. // Select manager to generate passwords
  161. print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
  162. print '<input type="hidden" name="token" value="'.newToken().'">';
  163. print '<input type="hidden" name="action" value="update">';
  164. print '<input type="hidden" name="constname" value="USER_PASSWORD_GENERATED">';
  165. print '<input type="hidden" name="consttype" value="yesno">';
  166. // Charge tableau des modules generation
  167. $dir = "../core/modules/security/generate";
  168. clearstatcache();
  169. $handle = opendir($dir);
  170. $i = 1;
  171. if (is_resource($handle)) {
  172. while (($file = readdir($handle)) !== false) {
  173. if (preg_match('/(modGeneratePass[a-z]+)\.class\.php$/i', $file, $reg)) {
  174. // Charging the numbering class
  175. $classname = $reg[1];
  176. require_once $dir.'/'.$file;
  177. $obj = new $classname($db, $conf, $langs, $user);
  178. $arrayhandler[$obj->id] = $obj;
  179. $i++;
  180. }
  181. }
  182. closedir($handle);
  183. }
  184. asort($arrayhandler);
  185. print '<div class="div-table-responsive-no-min">';
  186. print '<table class="noborder centpercent">';
  187. print '<tr class="liste_titre">';
  188. print '<td colspan="2">'.$langs->trans("RuleForGeneratedPasswords").'</td>';
  189. print '<td>'.$langs->trans("Example").'</td>';
  190. print '<td class="center">'.$langs->trans("Activated").'</td>';
  191. print '</tr>';
  192. foreach ($arrayhandler as $key => $module) {
  193. // Show modules according to features level
  194. if (!empty($module->version) && $module->version == 'development' && $conf->global->MAIN_FEATURES_LEVEL < 2) {
  195. continue;
  196. }
  197. if (!empty($module->version) && $module->version == 'experimental' && $conf->global->MAIN_FEATURES_LEVEL < 1) {
  198. continue;
  199. }
  200. if ($module->isEnabled()) {
  201. print '<tr class="oddeven"><td width="100">';
  202. print ucfirst($key);
  203. print "</td><td>\n";
  204. print $module->getDescription().'<br>';
  205. print $langs->trans("MinLength").': '.$module->length;
  206. print '</td>';
  207. // Show example of numbering module
  208. print '<td class="nowrap">';
  209. $tmp = $module->getExample();
  210. if (preg_match('/^Error/', $tmp)) {
  211. $langs->load("errors");
  212. print '<div class="error">'.$langs->trans($tmp).'</div>';
  213. } elseif ($tmp == 'NotConfigured') {
  214. print '<span class="opacitymedium">'.$langs->trans($tmp).'</span>';
  215. } else {
  216. print '<span class="opacitymedium">'.$tmp.'</span>';
  217. }
  218. print '</td>'."\n";
  219. print '<td width="100" align="center">';
  220. if ($conf->global->USER_PASSWORD_GENERATED == $key) {
  221. //print img_picto('', 'tick');
  222. print img_picto($langs->trans("Enabled"), 'switch_on');
  223. } else {
  224. print '<a href="'.$_SERVER['PHP_SELF'].'?action=setgeneraterule&token='.newToken().'&value='.$key.'">';
  225. //print $langs->trans("Activate");
  226. print img_picto($langs->trans("Disabled"), 'switch_off');
  227. print '</a>';
  228. }
  229. print "</td></tr>\n";
  230. }
  231. }
  232. print '</table>';
  233. print '</div>';
  234. print '</form>';
  235. //if($conf->global->MAIN_SECURITY_DISABLEFORGETPASSLINK == 1)
  236. // Patter for Password Perso
  237. if ($conf->global->USER_PASSWORD_GENERATED == "Perso") {
  238. $tabConf = explode(";", $conf->global->USER_PASSWORD_PATTERN);
  239. print '<br>';
  240. print '<div class="div-table-responsive-no-min">';
  241. print '<table class="noborder centpercent">';
  242. print '<tr class="liste_titre">';
  243. print '<td colspan="2"> '.$langs->trans("PasswordPatternDesc").'</td>';
  244. print '</tr>';
  245. print '<tr class="oddeven">';
  246. print '<td>'.$langs->trans("MinLength")."</td>";
  247. print '<td><input type="number" value="'.$tabConf[0].'" id="minlenght" min="1"></td>';
  248. print '</tr>';
  249. print '<tr class="oddeven">';
  250. print '<td>'.$langs->trans("NbMajMin")."</td>";
  251. print '<td><input type="number" value="'.$tabConf[1].'" id="NbMajMin" min="0"></td>';
  252. print '</tr>';
  253. print '<tr class="oddeven">';
  254. print '<td>'.$langs->trans("NbNumMin")."</td>";
  255. print '<td><input type="number" value="'.$tabConf[2].'" id="NbNumMin" min="0"></td>';
  256. print '</tr>';
  257. print '<tr class="oddeven">';
  258. print '<td>'.$langs->trans("NbSpeMin")."</td>";
  259. print '<td><input type="number" value="'.$tabConf[3].'" id="NbSpeMin" min="0"></td>';
  260. print '</tr>';
  261. print '<tr class="oddeven">';
  262. print '<td>'.$langs->trans("NbIteConsecutive")."</td>";
  263. print '<td><input type="number" value="'.$tabConf[4].'" id="NbIteConsecutive" min="0"></td>';
  264. print '</tr>';
  265. print '<tr class="oddeven">';
  266. print '<td>'.$langs->trans("NoAmbiCaracAutoGeneration")."</td>";
  267. print '<td><input type="checkbox" id="NoAmbiCaracAutoGeneration" '.($tabConf[5] ? "checked" : "").' min="0"> <label for="NoAmbiCaracAutoGeneration" id="textcheckbox">'.($tabConf[5] ? $langs->trans("Activated") : $langs->trans("Disabled")).'</label></td>';
  268. print '</tr>';
  269. print '</table>';
  270. print '<br>';
  271. print '<div class="center">';
  272. print '<a class="button button-save" id="linkChangePattern">'.$langs->trans("Save").'</a>';
  273. print '</div>';
  274. print '<br><br>';
  275. print '<script type="text/javascript">';
  276. print ' function getStringArg(){';
  277. print ' var pattern = "";';
  278. print ' pattern += $("#minlenght").val() + ";";';
  279. print ' pattern += $("#NbMajMin").val() + ";";';
  280. print ' pattern += $("#NbNumMin").val() + ";";';
  281. print ' pattern += $("#NbSpeMin").val() + ";";';
  282. print ' pattern += $("#NbIteConsecutive").val() + ";";';
  283. print ' pattern += $("#NoAmbiCaracAutoGeneration")[0].checked ? "1" : "0";';
  284. print ' return pattern;';
  285. print ' }';
  286. print ' function valuePossible(){';
  287. print ' var fields = ["#minlenght", "#NbMajMin", "#NbNumMin", "#NbSpeMin", "#NbIteConsecutive"];';
  288. print ' for(var i = 0 ; i < fields.length ; i++){';
  289. print ' if($(fields[i]).val() < $(fields[i]).attr("min")){';
  290. print ' return false;';
  291. print ' }';
  292. print ' }';
  293. print ' ';
  294. print ' var length = parseInt($("#minlenght").val());';
  295. print ' var length_mini = parseInt($("#NbMajMin").val()) + parseInt($("#NbNumMin").val()) + parseInt($("#NbSpeMin").val());';
  296. print ' return length >= length_mini;';
  297. print ' }';
  298. print ' function generatelink(){';
  299. print ' return "security.php?action=updatepattern&token='.newToken().'&pattern="+getStringArg();';
  300. print ' }';
  301. print ' function valuePatternChange(){';
  302. print ' console.log("valuePatternChange");';
  303. print ' var lang_save = "'.$langs->trans("Save").'";';
  304. print ' var lang_error = "'.$langs->trans("Error").'";';
  305. print ' var lang_Disabled = "'.$langs->trans("Disabled").'";';
  306. print ' var lang_Activated = "'.$langs->trans("Activated").'";';
  307. print ' $("#textcheckbox").html($("#NoAmbiCaracAutoGeneration")[0].checked ? unescape(lang_Activated) : unescape(lang_Disabled));';
  308. print ' if(valuePossible()){';
  309. print ' $("#linkChangePattern").attr("href",generatelink()).text(lang_save);';
  310. print ' }';
  311. print ' else{';
  312. print ' $("#linkChangePattern").attr("href", null).text(lang_error);';
  313. print ' }';
  314. print ' }';
  315. print ' $("#minlenght").change(function(){valuePatternChange();});';
  316. print ' $("#NbMajMin").change(function(){valuePatternChange();});';
  317. print ' $("#NbNumMin").change(function(){valuePatternChange();});';
  318. print ' $("#NbSpeMin").change(function(){valuePatternChange();});';
  319. print ' $("#NbIteConsecutive").change(function(){valuePatternChange();});';
  320. print ' $("#NoAmbiCaracAutoGeneration").change(function(){valuePatternChange();});';
  321. print '</script>';
  322. }
  323. // Crypt passwords in database
  324. print '<br>';
  325. print "<form method=\"post\" action=\"".$_SERVER["PHP_SELF"]."\">";
  326. print '<input type="hidden" name="token" value="'.newToken().'">';
  327. print "<input type=\"hidden\" name=\"action\" value=\"encrypt\">";
  328. print '<table class="noborder centpercent">';
  329. print '<tr class="liste_titre">';
  330. print '<td colspan="3">'.$langs->trans("Parameters").'</td>';
  331. print '<td class="center">'.$langs->trans("Activated").'</td>';
  332. print '<td class="center">'.$langs->trans("Action").'</td>';
  333. print '</tr>';
  334. // Disable clear password in database
  335. print '<tr class="oddeven">';
  336. print '<td colspan="3">'.$langs->trans("DoNotStoreClearPassword").'</td>';
  337. print '<td class="center" width="60">';
  338. if (getDolGlobalString('DATABASE_PWD_ENCRYPTED')) {
  339. print img_picto($langs->trans("Active"), 'tick');
  340. }
  341. print '</td>';
  342. if (!getDolGlobalString('DATABASE_PWD_ENCRYPTED')) {
  343. print '<td class="center" width="100">';
  344. print '<a href="security.php?action=activate_encrypt">'.$langs->trans("Activate").'</a>';
  345. print "</td>";
  346. }
  347. // Database conf file encryption
  348. if (getDolGlobalString('DATABASE_PWD_ENCRYPTED')) {
  349. print '<td class="center" width="100">';
  350. if ($allow_disable_encryption) {
  351. //On n'autorise pas l'annulation de l'encryption car les mots de passe ne peuvent pas etre decodes
  352. //Do not allow "disable encryption" as passwords cannot be decrypted
  353. print '<a href="'.$_SERVER["PHP_SELF"].'?action=disable_encrypt&token='.newToken().'">'.$langs->trans("Disable").'</a>';
  354. } else {
  355. print '-';
  356. }
  357. print "</td>";
  358. }
  359. print "</td>";
  360. print '</tr>';
  361. // Crypt password into config file conf.php
  362. print '<tr class="oddeven">';
  363. print '<td colspan="3">'.$langs->trans("MainDbPasswordFileConfEncrypted").'</td>';
  364. print '<td align="center" width="60">';
  365. if (preg_match('/crypted:/i', $dolibarr_main_db_pass) || !empty($dolibarr_main_db_encrypted_pass)) {
  366. print img_picto($langs->trans("Active"), 'tick');
  367. }
  368. print '</td>';
  369. print '<td class="center" width="100">';
  370. if (empty($dolibarr_main_db_pass) && empty($dolibarr_main_db_encrypted_pass)) {
  371. $langs->load("errors");
  372. print img_warning($langs->trans("WarningPassIsEmpty"));
  373. } else {
  374. if (empty($dolibarr_main_db_encrypted_pass)) {
  375. print '<a href="'.$_SERVER["PHP_SELF"].'?action=activate_encryptdbpassconf&token='.newToken().'">'.$langs->trans("Activate").'</a>';
  376. }
  377. if (!empty($dolibarr_main_db_encrypted_pass)) {
  378. print '<a href="'.$_SERVER["PHP_SELF"].'?action=disable_encryptdbpassconf&token='.newToken().'">'.$langs->trans("Disable").'</a>';
  379. }
  380. }
  381. print "</td>";
  382. print "</td>";
  383. print '</tr>';
  384. // Disable link "Forget password" on logon
  385. print '<tr class="oddeven">';
  386. print '<td colspan="3">'.$langs->trans("DisableForgetPasswordLinkOnLogonPage").'</td>';
  387. print '<td class="center" width="60">';
  388. if (getDolGlobalString('MAIN_SECURITY_DISABLEFORGETPASSLINK')) {
  389. print img_picto($langs->trans("Active"), 'tick');
  390. }
  391. print '</td>';
  392. if (!getDolGlobalString('MAIN_SECURITY_DISABLEFORGETPASSLINK')) {
  393. print '<td class="center" width="100">';
  394. print '<a href="'.$_SERVER["PHP_SELF"].'?action=activate_MAIN_SECURITY_DISABLEFORGETPASSLINK&token='.newToken().'">'.$langs->trans("Activate").'</a>';
  395. print "</td>";
  396. }
  397. if (getDolGlobalString('MAIN_SECURITY_DISABLEFORGETPASSLINK')) {
  398. print '<td class="center" width="100">';
  399. print '<a href="'.$_SERVER["PHP_SELF"].'?action=disable_MAIN_SECURITY_DISABLEFORGETPASSLINK&token='.newToken().'">'.$langs->trans("Disable").'</a>';
  400. print "</td>";
  401. }
  402. print "</td>";
  403. print '</tr>';
  404. print '</table>';
  405. print '</form>';
  406. print '<br>';
  407. if (GETPOST('info', 'int') > 0) {
  408. if (function_exists('password_hash')) {
  409. print $langs->trans("Note: The function password_hash exists on your PHP")."<br>\n";
  410. } else {
  411. print $langs->trans("Note: The function password_hash does not exists on your PHP")."<br>\n";
  412. }
  413. print 'MAIN_SECURITY_HASH_ALGO = '.getDolGlobalString('MAIN_SECURITY_HASH_ALGO')."<br>\n";
  414. print 'MAIN_SECURITY_SALT = '.getDolGlobalString('MAIN_SECURITY_SALT')."<br>\n";
  415. }
  416. print '</div>';
  417. // End of page
  418. llxFooter();
  419. $db->close();