WIP hook for unlock event

conf/config.inc.php

@@ -258,13 +258,18 @@
 # Debug mode
 $debug = false;
 
-## Pre Hook
-# Launch a prehook script before changing password.
-# Script should return with 0, to allow password change.
-# Any other exit code would abort password modification
-#$prehook = "/usr/share/service-desk/prehook.sh";
+### Prehooks
+
+# Launch a prehook script before an action.
+# Script should return with 0, else action will be aborted, unless error is ignored
+
 # LDAP attribute used as login in posthook script
-#$prehook_login = "uid";
+$prehook_login = "uid";
+
+## Password reset
+
+#$prehook = "/usr/share/service-desk/prehook.sh";
+
 # Display prehook error
 #$display_prehook_error = true;
 # Encode passwords sent to prehook script as base64. This will prevent alteration of the passwords if set to true.
@@ -273,17 +278,34 @@
 # Ignore prehook error. This will allow to change password even if prehook script fails.
 #$ignore_prehook_error = true;
 
-## Post Hook
-# Launch a posthook script after successful password change
-#$posthook = "/usr/share/service-desk/posthook.sh";
+## Unlock
+
+#$prehook_unlock = "/usr/share/service-desk/prehook_unlock.sh";
+#$display_prehook_unlock_error = true;
+#$ignore_prehook_unlock_error = true;
+
+### Posthooks
+
+# The posthook is only launched if the action was successful
+
 # LDAP attribute used as login in posthook script
-#$posthook_login = "uid";
+$posthook_login = "uid";
+
+## Password reset
+
+#$posthook = "/usr/share/service-desk/posthook.sh";
+
 # Display posthook error
 #$display_posthook_error = true;
 # Encode passwords sent to posthook script as base64. This will prevent alteration of the passwords if set to true.
 # To read the actual password in the posthook script, use a base64_decode function/tool
 #$posthook_password_encodebase64 = false;
 
+## Unlock
+
+#$posthook_unlock = "/usr/share/service-desk/posthook_unlock.sh";
+#$display_posthook_unlock_error = true;
+
 # The name of an HTTP Header that may hold a reference to an extra config file to include.
 #$header_name_extra_config="SSP-Extra-Config";
 

htdocs/unlockaccount.php

@@ -7,6 +7,12 @@
 $dn = "";
 $comment = "";
 $returnto = "display";
+$prehook_login_value = "";
+$prehook_message = "";
+$prehook_return = 0;
+$posthook_login_value = "";
+$posthook_message = "";
+$posthook_return = 0;
 
 if (isset($_POST["dn"]) and $_POST["dn"]) {
     $dn = $_POST["dn"];
@@ -28,6 +34,7 @@
 
     require_once("../conf/config.inc.php");
     require __DIR__ . '/../vendor/autoload.php';
+    require_once("../lib/hook.inc.php");
 
     # Connect to LDAP
     $ldap_connection = $ldapInstance->connect();
@@ -36,10 +43,48 @@
     $result = $ldap_connection[1];
 
     if ($ldap) {
-        if ( $directory->unlockAccount($ldap, $dn) ) {
-            $result = "accountunlocked";
+
+        if ( isset($prehook_unlock) || isset($posthook_unlock) ) {
+            if ( isset($prehook_login) ) {
+                $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login);
+            }
+            if ( isset($posthook_login) ) {
+                $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login);
+            }
+        }
+
+        if ( isset($prehook_unlock) ) {
+
+            if ( !isset($prehook_login_value) ) {
+                $prehook_return = 255;
+                $prehook_message = "No login found, cannot execute prehook script";
+            } else {
+                $command = hook_command($prehook_unlock, $prehook_login_value);
+                exec($command, $prehook_output, $prehook_return);
+                $prehook_message = $prehook_output[0];
+            }
+        }
+
+        if ( $prehook_return > 0 and !$ignore_prehook_unlock_return) {
+            $result = "hookerror";
         } else {
-            $result = "ldaperror";
+            if ( $directory->unlockAccount($ldap, $dn) ) {
+                $result = "accountunlocked";
+            } else {
+                $result = "ldaperror";
+            }
+        }
+
+        if ( $result === "accountunlocked" && isset($posthook_unlock) ) {
+
+            if ( !isset($posthook_login_value) ) {
+                $posthook_return = 255;
+                $posthook_message = "No login found, cannot execute posthook script";
+            } else {
+                $command = hook_command($posthook_unlock, $posthook_login_value);
+                exec($command, $posthook_output, $posthook_return);
+                $posthook_message = $posthook_output[0];
+            }
         }
     }
 }
@@ -48,4 +93,11 @@
     auditlog($audit_log_file, $dn, $audit_admin, "unlockaccount", $result, $comment);
 }
 
-header('Location: index.php?page='.$returnto.'&dn='.$dn.'&unlockaccountresult='.$result);
+$location = 'index.php?page='.$returnto.'&dn='.$dn.'&unlockaccountresult='.$result;
+if ( isset($prehook_return) and $display_prehook_unlock_error and $prehook_return > 0 ) {
+    $location .= '&prehookunlockresult='.$prehook_message;
+}
+if ( isset($posthook_return) and $display_posthook_unlock_error and $posthook_return > 0 ) {
+    $location .= '&posthookunlockresult='.$posthook_message;
+}
+header('Location: '.$location);

templates/display.tpl

@@ -224,6 +224,12 @@
         {/if}
 
         {if $show_lockstatus}
+        {if $prehookunlockresult}
+        <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$prehookunlockresult}</div>
+        {/if}
+        {if $posthookunlockresult}
+        <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$posthookunlockresult}</div>
+        {/if}
         {if $isLocked}
         <div class="card mb-3 shadow border-danger">
             <div class="card-header text-bg-danger text-center">