send notification when passwords are about to expire

owncloud · Jul 10, 2018 · 6e90309 · 6e90309
1 parent ef0ce49
commit 6e90309
Show file tree

Hide file tree

Showing 13 changed files with 758 additions and 35 deletions.
diff --git a/appinfo/app.php b/appinfo/app.php
@@ -57,3 +57,6 @@
 	\OCP\IUser::class . '::firstLogin',
 	[$handler, 'checkForcePasswordChangeOnFirstLogin']
 );
+
+$app = new \OCA\PasswordPolicy\AppInfo\Application();
+$app->registerNotifier();
diff --git a/appinfo/info.xml b/appinfo/info.xml
@@ -9,7 +9,7 @@
 The Password Policy application enables ownCloud administrators to define password requirements like minimum characters, numbers, capital letters and more for all kinds of password endpoints like user passwords or public link sharing passwords. To add another layer of security, the administrator can enforce expiration dates for public link shares. As soon as the expiration date is reached the share will be removed automatically. Administrators find the configuration options in the 'Security' section of the ownCloud administration settings panel.
 
 The definition of certain password rules support administrators in the task of ensuring a minimum level of password security throughout the enterprise. It minimizes the risk of weak user passwords and therefore adds an additional security aspect to the ownCloud infrastructure. The expiration date for public link shares allows more control while e.g. working with external parties. Instead of having to manually remove a public link share when the work is done, the expiration date functionality will remove the link share after a defined period of time without further user interaction.</description>
-	<version>2.0.0</version>
+	<version>2.0.1</version>
 	<documentation>
 		<admin>https://doc.owncloud.com/server/10.0/admin_manual/configuration/server/security/password_policy.html</admin>
 	</documentation>
@@ -27,6 +27,9 @@ The definition of certain password rules support administrators in the task of e
 	<account-modules>
 		<module>OCA\PasswordPolicy\Authentication\AccountModule</module>
 	</account-modules>
+	<background-jobs>
+		<job>OCA\PasswordPolicy\Jobs\PasswordExpirationNotifierJob</job>
+	</background-jobs>
 
 	<screenshot>https://raw.githubusercontent.com/owncloud/screenshots/master/password_policy/owncloud-app-password_policy.jpg</screenshot>
 	<screenshot>https://raw.githubusercontent.com/owncloud/screenshots/master/password_policy/owncloud-app-password_policy2.jpg</screenshot>

diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
@@ -21,11 +21,24 @@
 namespace OCA\PasswordPolicy\AppInfo;
 
 use OCP\AppFramework\App;
+use OCP\Notification\Events\RegisterNotifierEvent;
+use OCA\PasswordPolicy\Notifier;
 
 class Application extends App {
 
 	public function __construct (array $urlParams = []) {
 		parent::__construct('password_policy', $urlParams);
 	}
 
+	/**
+	 * Registers the notifier
+	 */
+	public function registerNotifier() {
+		$container = $this->getContainer();
+		$dispatcher = $container->getServer()->getEventDispatcher();
+		$dispatcher->addListener(RegisterNotifierEvent::NAME, function (RegisterNotifierEvent $event) use ($container) {
+			$l10n = $container->getServer()->getL10N('password_policy');
+			$event->registerNotifier($container->query(Notifier::class), 'password_policy', $l10n->t('Password Policy'));
+		});
+	}
 }
diff --git a/lib/Controller/SettingsController.php b/lib/Controller/SettingsController.php
@@ -49,13 +49,26 @@ class SettingsController extends Controller implements ISettings {
 		'spv_password_history_value' => 3,
 		'spv_user_password_expiration_checked' => false,
 		'spv_user_password_expiration_value' => 90,
+		'spv_user_password_expiration_notification_checked' => false,
+		'spv_user_password_expiration_notification_value' => 30,
 		'spv_user_password_force_change_on_first_login_checked' => false,
 		'spv_expiration_password_checked' => false,
 		'spv_expiration_password_value' => 7,
 		'spv_expiration_nopassword_checked' => false,
 		'spv_expiration_nopassword_value' => 7,
 	];
 
+	/**
+	 * functions to convert values between what is shown and what is stored
+	 * these functions must be defined in this class, they're per config key
+	 */
+	const CONVERSIONS = [
+		'spv_user_password_expiration_notification_value' => [
+			'in' => 'daysToSeconds',
+			'out' => 'secondsToDays',
+		],
+	];
+
 	public function __construct($appName,
 								IRequest $request,
 								IConfig $config) {
@@ -71,6 +84,10 @@ public function updatePolicy() {
 			if ($this->request->getParam($key) !== null) {
 				if ($key !== 'spv_def_special_chars_value' && \substr($key, -6) === '_value') {
 					$value = \min(\max(0, (int)$this->request->getParam($key)), 255);
+					if (isset(self::CONVERSIONS[$key]['in'])) {
+						$convertFuncName = self::CONVERSIONS[$key]['in'];
+						$value = $this->$convertFuncName($value);
+					}
 					$this->config->setAppValue('password_policy', $key, $value);
 				} else {
 					$this->config->setAppValue('password_policy', $key, \strip_tags($this->request->getParam($key)));
@@ -92,9 +109,33 @@ public function getPriority() {
 	public function getPanel() {
 		$template = new Template('password_policy', 'admin');
 		foreach(self::DEFAULTS as $key => $default) {
-			$template->assign($key, $this->config->getAppValue('password_policy', $key, $default));
+			$value = $this->config->getAppValue('password_policy', $key, $default);
+			if (isset(self::CONVERSIONS[$key]['out'])) {
+				$convertFuncName = self::CONVERSIONS[$key]['out'];
+				$value = $this->$convertFuncName($value);
+			}
+			$template->assign($key, $value);
 		}
 		return $template;
 	}
 
+	/**
+	 * Convert the days to seconds
+	 * @param int $days
+	 * @return int the number of seconds
+	 */
+	private function daysToSeconds($days) {
+		return $days * 24 * 60 * 60;
+	}
+
+	/**
+	 * Convert seconds to days. The value will always be rounded up,
+	 * so 1 second will be converted to 1 day
+	 * @param int $seconds the number of seconds to be converted
+	 * @return int the number of days in those seconds, rounded up
+	 */
+	private function secondsToDays($seconds) {
+		$floatDays = $seconds / (24 * 60 * 60);
+		return \intval(\ceil($floatDays));
+	}
 }
diff --git a/lib/Db/OldPasswordMapper.php b/lib/Db/OldPasswordMapper.php
@@ -63,4 +63,39 @@ public function getLatestPassword($uid) {
 		}
 		return $passwords[0];
 	}
+
+	/**
+	 * Get the passwords that are about to expired or already expired.
+	 * Last passwords which has been changed before the timestamp are the ones
+	 * selectable. Previous stored passwords won't be included
+	 * In addition, passwords from multiple users are expected
+	 * @param int $maxTimestamp timestamp marker, last passwords changed before
+	 * the timestamp will be selected
+	 * @return OldPassword[] the selected passwords
+	 */
+	public function getPasswordsAboutToExpire($maxTimestamp) {
+		$oldPasswords = [];
+
+		$query = "select `f`.`*` from (";
+		$query .= "select `uid`, max(`change_time`) as `maxtime` from `*PREFIX*user_password_history` group by `uid`";
+		$query .= ") as `x` inner join `*PREFIX*user_password_history` as `f` on `f`.`uid` = `x`.`uid` and `f`.`change_time` = `x`.`maxtime`";
+		$query .= " where `f`.`change_time` < ?";
+
+		$stmt = $this->db->prepare($query);
+		$stmt->bindValue(1, $maxTimestamp);
+		$result = $stmt->execute();
+
+		if ($result === false) {
+			$info = \json_encode($stmt->erroInfo());
+			$message = "Cannot get the password that are going to be expired: error: {$info}";
+			\OCP\Util::writeLog('password_policy', $message, \OCP\Util::ERROR);
+			return false;
+		}
+
+		while ($row = $stmt->fetch()) {
+			$oldPasswords[] = OldPassword::fromRow($row);
+		}
+		$stmt->closeCursor();
+		return $oldPasswords;
+	}
 }
diff --git a/lib/HooksHandler.php b/lib/HooksHandler.php
@@ -26,6 +26,7 @@
 use OCA\PasswordPolicy\Db\OldPasswordMapper;
 use OCA\PasswordPolicy\Rules\PasswordExpired;
 use OCA\PasswordPolicy\Rules\PolicyException;
+use OCA\PasswordPolicy\UserNotificationConfigHandler;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\IConfig;
 use OCP\IL10N;
@@ -60,6 +61,9 @@ class HooksHandler {
 	/** @var ISession */
 	private $session;
 
+	/** @var UserNotificationConfigHandler */
+	private $userNotificationConfigHandler;
+
 	public function __construct(
 		IConfig $config = null,
 		Engine $engine = null,
@@ -68,7 +72,8 @@ public function __construct(
 		IL10N $l10n = null,
 		PasswordExpired $passwordExpiredRule = null,
 		OldPasswordMapper $oldPasswordMapper = null,
-		ISession $session = null
+		ISession $session = null,
+		UserNotificationConfigHandler $userNotificationConfigHandler = null
 	) {
 		$this->config = $config;
 		$this->engine = $engine;
@@ -78,6 +83,7 @@ public function __construct(
 		$this->passwordExpiredRule = $passwordExpiredRule;
 		$this->oldPasswordMapper = $oldPasswordMapper;
 		$this->session = $session;
+		$this->userNotificationConfigHandler = $userNotificationConfigHandler;
 	}
 
 	private function fixDI() {
@@ -103,6 +109,7 @@ private function fixDI() {
 				$this->hasher
 			);
 			$this->session = \OC::$server->getSession();
+			$this->userNotificationConfigHandler = new UserNotificationConfigHandler($this->config);
 		}
 	}
 
@@ -185,6 +192,7 @@ public function saveOldPassword(GenericEvent $event) {
 		$oldPassword->setPassword($this->hasher->hash($password));
 		$oldPassword->setChangeTime($this->timeFactory->getTime());
 		$this->oldPasswordMapper->insert($oldPassword);
+		$this->userNotificationConfigHandler->resetExpirationMarks($user->getUID());
 	}
 
 	/**

diff --git a/lib/Jobs/PasswordExpirationNotifierJob.php b/lib/Jobs/PasswordExpirationNotifierJob.php
@@ -0,0 +1,158 @@
+<?php
+/**
+ *
+ * @author Juan Pablo Villafáñez <[email protected]>
+ * @copyright Copyright (c) 2018, ownCloud GmbH
+ * @license GPL-2.0
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\PasswordPolicy\Jobs;
+
+use OC\BackgroundJob\TimedJob;
+use OCP\Notification\IManager;
+use OCP\IURLGenerator;
+use OCP\ILogger;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCA\PasswordPolicy\Db\OldPasswordMapper;
+use OCA\PasswordPolicy\Db\OldPassword;
+use OCA\PasswordPolicy\UserNotificationConfigHandler;
+
+class PasswordExpirationNotifierJob extends TimedJob {
+	/** @var OldPasswordMapper */
+	private $mapper;
+
+	/** @var $manager */
+	private $manager;
+
+	/** @var UserNotificationConfigHandler */
+	private $unConfigHandler;
+
+	/** @var ITimeFactory */
+	private $timeFactory;
+
+	/** @var IURLGenerator */
+	private $urlGenerator;
+
+	/** @var ILogger */
+	private $logger;
+
+	public function __construct(
+		OldPasswordMapper $mapper,
+		IManager $manager,
+		UserNotificationConfigHandler $unConfigHandler,
+		ITimeFactory $timeFactory,
+		IURLGenerator $urlGenerator,
+		ILogger $logger
+	) {
+		$this->mapper = $mapper;
+		$this->manager = $manager;
+		$this->unConfigHandler = $unConfigHandler;
+		$this->timeFactory = $timeFactory;
+		$this->urlGenerator = $urlGenerator;
+		$this->logger = $logger;
+
+		$this->setInterval(12 * 60 * 60);
+	}
+
+	protected function run($arguments) {
+		$expirationTime = $this->unConfigHandler->getExpirationTime();
+		if ($expirationTime === null) {
+			return;  // expiration not configured
+		}
+
+		$expirationTime = $expirationTime * 24 * 60 * 60;  // convert days to seconds
+		$expirationTimeNotification = $this->unConfigHandler->getExpirationTimeForNormalNotification();
+		if ($expirationTimeNotification === null) {
+			$expirationTimeNotification = 0;
+		}
+
+		// ensure ranges are correct
+		if ($expirationTime <= $expirationTimeNotification) {
+			$message = "wrong expiration range: normal ($expirationTimeNotification) < expired ($expirationTime)";
+			$this->logger->warning($message, ['app' => 'password_policy']);
+			return;
+		}
+
+		$notifyAfter = $expirationTime - $expirationTimeNotification;
+
+		$currentTime = $this->timeFactory->getTime();
+
+		$maxTimestamp = $currentTime - $notifyAfter;
+		// passwords changed before $maxTimestamp are expired or about to be expired
+		// according to the expiration time range
+
+		$oldPasswordsAboutToExpire = $this->mapper->getPasswordsAboutToExpire($maxTimestamp);
+		foreach ($oldPasswordsAboutToExpire as $passInfo) {
+			$elapsedTime = $currentTime - $passInfo->getChangeTime();
+			if ($elapsedTime >= $expirationTime) {
+				$this->logger->debug("password timestamp for {$passInfo->getUid()}: {$passInfo->getChangeTime()}; elapsed time: {$elapsedTime} -> EXPIRED", ['app' => 'password_policy']);
+				$this->sendPassExpiredNotification($passInfo, $expirationTime);
+			} elseif ($elapsedTime >= $notifyAfter) {
+				$this->logger->debug("password timestamp for {$passInfo->getUid()}: {$passInfo->getChangeTime()}; elapsed time: {$elapsedTime} -> NOTIFY", ['app' => 'password_policy']);
+				$this->sendAboutToExpireNotification($passInfo, $expirationTime);
+			}
+		}
+	}
+
+	private function sendAboutToExpireNotification(OldPassword $passInfo, $expirationTime) {
+		if ($this->unConfigHandler->isSentAboutToExpireNotification($passInfo)) {
+			return;  // notification already sent
+		}
+
+		$notificationTimestamp = $this->timeFactory->getTime();
+
+		$notification = $this->manager->createNotification();
+		$notification->setApp('password_policy')
+			->setUser($passInfo->getUid())
+			->setDateTime(new \DateTime("@{$notificationTimestamp}"))
+			->setObject('about_to_expire', $passInfo->getId())
+			->setSubject('about_to_expire', [$passInfo->getChangeTime(), $expirationTime])
+			->setMessage('about_to_expire', [$passInfo->getChangeTime(), $expirationTime])
+			->setLink($this->getNotificationLink());
+		$this->manager->notify($notification);
+
+		$this->unConfigHandler->markAboutToExpireNotificationSentFor($passInfo);
+	}
+
+	private function sendPassExpiredNotification(OldPassword $passInfo, $expirationTime) {
+		if ($this->unConfigHandler->isSentExpiredNotification($passInfo)) {
+			return;  // notification already sent
+		}
+
+		$notificationTimestamp = $this->timeFactory->getTime();
+
+		$notification = $this->manager->createNotification();
+		$notification->setApp('password_policy')
+			->setUser($passInfo->getUid())
+			->setDateTime(new \DateTime("@{$notificationTimestamp}"))
+			->setObject('expired', $passInfo->getId())
+			->setSubject('expired', [$passInfo->getChangeTime(), $expirationTime])
+			->setMessage('expired', [$passInfo->getChangeTime(), $expirationTime])
+			->setLink($this->getNotificationLink());
+		$this->manager->notify($notification);
+
+		$this->unConfigHandler->markExpiredNotificationSentFor($passInfo);
+	}
+
+	private function getNotificationLink() {
+		$link = $this->urlGenerator->linkToRouteAbsolute(
+			'password_policy.password.show',
+			['redirect_url' => '']
+		);
+		return $link;
+	}
+}