Add hooks for lock password

ltb-project · Oct 30, 2024 · 30b8f45 · 30b8f45
1 parent 9e92a0a
commit 30b8f45
Show file tree

Hide file tree

Showing 5 changed files with 127 additions and 14 deletions.
diff --git a/conf/config.inc.php b/conf/config.inc.php
@@ -278,6 +278,12 @@
 # Ignore prehook error. This will allow to change password even if prehook script fails.
 #$ignore_prehook_error = true;
 
+## Lock
+
+#$prehook_lock = "/usr/share/service-desk/prehook_lock.sh";
+#$display_prehook_lock_error = true;
+#$ignore_prehook_lock_error = true;
+
 ## Unlock
 
 #$prehook_unlock = "/usr/share/service-desk/prehook_unlock.sh";
@@ -301,6 +307,11 @@
 # To read the actual password in the posthook script, use a base64_decode function/tool
 #$posthook_password_encodebase64 = false;
 
+## Lock
+
+#$posthook_lock = "/usr/share/service-desk/posthook_lock.sh";
+#$display_posthook_lock_error = true;
+
 ## Unlock
 
 #$posthook_unlock = "/usr/share/service-desk/posthook_unlock.sh";

diff --git a/docs/hook.rst b/docs/hook.rst
@@ -3,6 +3,7 @@ Hook
 
 Hook feature allows to run a script before or after an action:
 * Password reset
+* Password lock
 * Password unlock
 
 The script must return 0 if no error occured. Any text printed on STDOUT
@@ -57,6 +58,31 @@ if it fails, but still try to update password in the directory.
 
     $ignore_prehook_error = true;
 
+Password lock
+-------------
+
+The script is called with one parameter: login.
+
+Define prehook or posthook script (and enable the feature):
+
+.. code-block:: php
+
+    $prehook_lock = "/usr/share/service-desk/prehook_lock.sh";
+    $posthook_lock = "/usr/share/service-desk/posthook_lock.sh";
+
+To display hook error:
+
+.. code-block:: php
+
+   $display_prehook_lock_error = true;
+   $display_posthook_lock_error = true;
+
+To ignore prehook error:
+
+.. code-block:: php
+
+    $ignore_prehook_lock_error = true;
+
 Password unlock
 ---------------
 

diff --git a/htdocs/display.php b/htdocs/display.php
@@ -13,6 +13,8 @@
 $accountlockresult= "";
 $prehookresult= "";
 $posthookresult= "";
+$prehooklockresult= "";
+$posthooklockresult= "";
 $prehookunlockresult= "";
 $posthookunlockresult= "";
 $ldapExpirationDate="";
@@ -52,6 +54,14 @@
     $posthookresult = $_GET["posthookresult"];
 }
 
+if (isset($_GET["prehooklockresult"]) and $_GET["prehooklockresult"]) {
+    $prehooklockresult = $_GET["prehooklockresult"];
+}
+
+if (isset($_GET["posthooklockresult"]) and $_GET["posthooklockresult"]) {
+    $posthooklockresult = $_GET["posthooklockresult"];
+}
+
 if (isset($_GET["prehookunlockresult"]) and $_GET["prehookunlockresult"]) {
     $prehookunlockresult = $_GET["prehookunlockresult"];
 }
@@ -154,6 +164,8 @@
 $smarty->assign("accountlockresult", $accountlockresult);
 $smarty->assign("prehookresult", $prehookresult);
 $smarty->assign("posthookresult", $posthookresult);
+$smarty->assign("prehooklockresult", $prehooklockresult);
+$smarty->assign("posthooklockresult", $posthooklockresult);
 $smarty->assign("prehookunlockresult", $prehookunlockresult);
 $smarty->assign("posthookunlockresult", $posthookunlockresult);
 if ($canLockAccount == false) { $smarty->assign("use_lockaccount", $canLockAccount); }

diff --git a/htdocs/lockaccount.php b/htdocs/lockaccount.php
@@ -6,6 +6,12 @@
 $result = "";
 $dn = "";
 $comment = "";
+$prehook_login_value = "";
+$prehook_message = "";
+$prehook_return = 0;
+$posthook_login_value = "";
+$posthook_message = "";
+$posthook_return = 0;
 
 if (isset($_POST["dn"]) and $_POST["dn"]) {
     $dn = $_POST["dn"];
@@ -21,33 +27,79 @@
 
     require_once("../conf/config.inc.php");
     require __DIR__ . '/../vendor/autoload.php';
+    require_once("../lib/hook.inc.php");
 
     # Connect to LDAP
     $ldap_connection = $ldapInstance->connect();
 
     $ldap = $ldap_connection[0];
     $result = $ldap_connection[1];
 
-    if ($ldap)
-    {
-        # Get password policy configuration
-        $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
-        if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
-        if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
-
-        # Apply the modification only the password can be locked
-        if ($pwdPolicyConfiguration["lockout_enabled"]) {
-            if ( $directory->lockAccount($ldap, $dn) ) {
-                $result = "accountlocked";
+    if ($ldap) {
+
+        if ( isset($prehook_lock) || isset($posthook_lock) ) {
+            if ( isset($prehook_login) ) {
+                $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login);
+            }
+            if ( isset($posthook_login) ) {
+                $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login);
+            }
+        }
+
+        if ( isset($prehook_lock) ) {
+
+            if ( !isset($prehook_login_value) ) {
+                $prehook_return = 255;
+                $prehook_message = "No login found, cannot execute prehook script";
+            } else {
+                $command = hook_command($prehook_lock, $prehook_login_value);
+                exec($command, $prehook_output, $prehook_return);
+                $prehook_message = $prehook_output[0];
+            }
+        }
+
+        if ( $prehook_return > 0 and !$ignore_prehook_lock_error) {
+            $result = "hookerror";
+        } else {
+            # Get password policy configuration
+            $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
+            if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
+            if ($ldap_password_max_age) { $pwdPolicyConfiguration['password_max_age'] = $ldap_password_max_age; }
+
+            # Apply the modification only if the password can be locked
+            if ($pwdPolicyConfiguration["lockout_enabled"]) {
+                if ( $directory->lockAccount($ldap, $dn) ) {
+                    $result = "accountlocked";
+                } else {
+                    $result = "ldaperror";
+                }
+            }
+        }
+
+        if ( $result === "accountlocked" && isset($posthook_lock) ) {
+
+            if ( !isset($posthook_login_value) ) {
+                $posthook_return = 255;
+                $posthook_message = "No login found, cannot execute posthook script";
             } else {
-                $result = "ldaperror";
+                $command = hook_command($posthook_lock, $posthook_login_value);
+                exec($command, $posthook_output, $posthook_return);
+                $posthook_message = $posthook_output[0];
             }
         }
+
     }
 }
 
 if ($audit_log_file) {
     auditlog($audit_log_file, $dn, $audit_admin, "lockaccount", $result, $comment);
 }
 
-header('Location: index.php?page=display&dn='.$dn.'&lockaccountresult='.$result);
+$location = 'index.php?page=display&dn='.$dn.'&lockaccountresult='.$result;
+if ( isset($prehook_return) and $display_prehook_lock_error and $prehook_return > 0 ) {
+    $location .= '&prehooklockresult='.$prehook_message;
+}
+if ( isset($posthook_return) and $display_posthook_lock_error and $posthook_return > 0 ) {
+    $location .= '&posthooklockresult='.$posthook_message;
+}
+header('Location: '.$location);
diff --git a/templates/display.tpl b/templates/display.tpl
@@ -234,6 +234,12 @@
             </div>
 
              <div class="card-body">
+                {if $prehooklockresult}
+                <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$prehooklockresult}</div>
+                {/if}
+                {if $posthooklockresult}
+                <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$posthooklockresult}</div>
+                {/if}
                 {if $prehookunlockresult}
                 <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$prehookunlockresult}</div>
                 {/if}
@@ -277,8 +283,14 @@
                 </p>
             </div>
 
-            {if $use_lockaccount || $prehookunlockresult || $posthookunlockresult}
+            {if $use_lockaccount || $prehooklockresult || $posthooklockresult || $prehookunlockresult || $posthookunlockresult}
             <div class="card-body">
+                {if $prehooklockresult}
+                <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$prehooklockresult}</div>
+                {/if}
+                {if $posthooklockresult}
+                <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$posthooklockresult}</div>
+                {/if}
                 {if $prehookunlockresult}
                 <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$prehookunlockresult}</div>
                 {/if}