send notification when passwords are about to expire

appinfo/app.php

@@ -57,3 +57,6 @@
 	\OCP\IUser::class . '::firstLogin',
 	[$handler, 'checkForcePasswordChangeOnFirstLogin']
 );
+
+$app = new \OCA\PasswordPolicy\AppInfo\Application();
+$app->registerNotifier();

appinfo/info.xml

@@ -9,7 +9,7 @@
 The Password Policy application enables ownCloud administrators to define password requirements like minimum characters, numbers, capital letters and more for all kinds of password endpoints like user passwords or public link sharing passwords. To add another layer of security, the administrator can enforce expiration dates for public link shares. As soon as the expiration date is reached the share will be removed automatically. Administrators find the configuration options in the 'Security' section of the ownCloud administration settings panel.
 
 The definition of certain password rules support administrators in the task of ensuring a minimum level of password security throughout the enterprise. It minimizes the risk of weak user passwords and therefore adds an additional security aspect to the ownCloud infrastructure. The expiration date for public link shares allows more control while e.g. working with external parties. Instead of having to manually remove a public link share when the work is done, the expiration date functionality will remove the link share after a defined period of time without further user interaction.</description>
-	<version>2.0.0</version>
+	<version>2.0.1</version>
 	<documentation>
 		<admin>https://doc.owncloud.com/server/10.0/admin_manual/configuration/server/security/password_policy.html</admin>
 	</documentation>
@@ -27,6 +27,9 @@ The definition of certain password rules support administrators in the task of e
 	<account-modules>
 		<module>OCA\PasswordPolicy\Authentication\AccountModule</module>
 	</account-modules>
+	<background-jobs>
+		<job>OCA\PasswordPolicy\Jobs\PasswordExpirationNotifierJob</job>
+	</background-jobs>
 
 	<screenshot>https://raw.githubusercontent.com/owncloud/screenshots/master/password_policy/owncloud-app-password_policy.jpg</screenshot>
 	<screenshot>https://raw.githubusercontent.com/owncloud/screenshots/master/password_policy/owncloud-app-password_policy2.jpg</screenshot>

lib/AppInfo/Application.php

@@ -21,11 +21,24 @@
 namespace OCA\PasswordPolicy\AppInfo;
 
 use OCP\AppFramework\App;
+use OCP\Notification\Events\RegisterNotifierEvent;
+use OCA\PasswordPolicy\Notifier;
 
 class Application extends App {
 
 	public function __construct (array $urlParams = []) {
 		parent::__construct('password_policy', $urlParams);
 	}
 
+	/**
+	 * Registers the notifier
+	 */
+	public function registerNotifier() {
+		$container = $this->getContainer();
+		$dispatcher = $container->getServer()->getEventDispatcher();
+		$dispatcher->addListener(RegisterNotifierEvent::NAME, function (RegisterNotifierEvent $event) use ($container) {
+			$l10n = $container->getServer()->getL10N('password_policy');
+			$event->registerNotifier($container->query(Notifier::class), 'password_policy', $l10n->t('Password Policy'));
+		});
+	}
 }

lib/Controller/SettingsController.php

@@ -49,13 +49,22 @@ class SettingsController extends Controller implements ISettings {
 		'spv_password_history_value' => 3,
 		'spv_user_password_expiration_checked' => false,
 		'spv_user_password_expiration_value' => 90,
+		'spv_user_password_expiration_notification_checked' => false,
+		'spv_user_password_expiration_notification_value' => 30,
 		'spv_user_password_force_change_on_first_login_checked' => false,
 		'spv_expiration_password_checked' => false,
 		'spv_expiration_password_value' => 7,
 		'spv_expiration_nopassword_checked' => false,
 		'spv_expiration_nopassword_value' => 7,
 	];
 
+	const CONVERSIONS = [
+		'spv_user_password_expiration_notification_value' => [
+			'in' => 'daysToSeconds',
+			'out' => 'secondsToDays',
+		],
+	];
+
 	public function __construct($appName,
 								IRequest $request,
 								IConfig $config) {
@@ -71,6 +80,10 @@ public function updatePolicy() {
 			if ($this->request->getParam($key) !== null) {
 				if ($key !== 'spv_def_special_chars_value' && \substr($key, -6) === '_value') {
 					$value = \min(\max(0, (int)$this->request->getParam($key)), 255);
+					if (isset(self::CONVERSIONS[$key]['in'])) {
+						$convertFuncName = self::CONVERSIONS[$key]['in'];
+						$value = $this->$convertFuncName($value);
+					}
 					$this->config->setAppValue('password_policy', $key, $value);
 				} else {
 					$this->config->setAppValue('password_policy', $key, \strip_tags($this->request->getParam($key)));
@@ -92,9 +105,22 @@ public function getPriority() {
 	public function getPanel() {
 		$template = new Template('password_policy', 'admin');
 		foreach(self::DEFAULTS as $key => $default) {
-			$template->assign($key, $this->config->getAppValue('password_policy', $key, $default));
+			$value = $this->config->getAppValue('password_policy', $key, $default);
+			if (isset(self::CONVERSIONS[$key]['out'])) {
+				$convertFuncName = self::CONVERSIONS[$key]['out'];
+				$value = $this->$convertFuncName($value);
+			}
+			$template->assign($key, $value);
 		}
 		return $template;
 	}
 
+	private function daysToSeconds($days) {
+		return $days * 24 * 60 * 60;
+	}
+
+	private function secondsToDays($seconds) {
+		$floatDays = $seconds / (24 * 60 * 60);
+		return \intval(\ceil($floatDays));
+	}
 }

lib/Db/OldPasswordMapper.php

@@ -63,4 +63,30 @@ public function getLatestPassword($uid) {
 		}
 		return $passwords[0];
 	}
+
+	public function getPasswordsAboutToExpire($maxTimestamp) {
+		$oldPasswords = [];
+
+		$query = "select `f`.`*` from (";
+		$query .= "select `uid`, max(`change_time`) as `maxtime` from `*PREFIX*user_password_history` group by `uid`";
+		$query .= ") as `x` inner join `*PREFIX*user_password_history` as `f` on `f`.`uid` = `x`.`uid` and `f`.`change_time` = `x`.`maxtime`";
+		$query .= " where `f`.`change_time` < ?";
+
+		$stmt = $this->db->prepare($query);
+		$stmt->bindValue(1, $maxTimestamp);
+		$result = $stmt->execute();
+
+		if ($result === false) {
+			$info = \json_encode($stmt->erroInfo());
+			$message = "Cannot get the password that are going to be expired: error: {$info}";
+			\OCP\Util::writeLog('password_policy', $message, \OCP\Util::ERROR);
+			return false;
+		}
+
+		while ($row = $stmt->fetch()) {
+			$oldPasswords[] = OldPassword::fromRow($row);
+		}
+		$stmt->closeCursor();
+		return $oldPasswords;
+	}
 }

lib/HooksHandler.php

@@ -26,6 +26,7 @@
 use OCA\PasswordPolicy\Db\OldPasswordMapper;
 use OCA\PasswordPolicy\Rules\PasswordExpired;
 use OCA\PasswordPolicy\Rules\PolicyException;
+use OCA\PasswordPolicy\UserNotificationConfigHandler;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\IConfig;
 use OCP\IL10N;
@@ -60,6 +61,9 @@ class HooksHandler {
 	/** @var ISession */
 	private $session;
 
+	/** @var UserNotificationConfigHandler */
+	private $userNotificationConfigHandler;
+
 	public function __construct(
 		IConfig $config = null,
 		Engine $engine = null,
@@ -68,7 +72,8 @@ public function __construct(
 		IL10N $l10n = null,
 		PasswordExpired $passwordExpiredRule = null,
 		OldPasswordMapper $oldPasswordMapper = null,
-		ISession $session = null
+		ISession $session = null,
+		UserNotificationConfigHandler $userNotificationConfigHandler = null
 	) {
 		$this->config = $config;
 		$this->engine = $engine;
@@ -78,6 +83,7 @@ public function __construct(
 		$this->passwordExpiredRule = $passwordExpiredRule;
 		$this->oldPasswordMapper = $oldPasswordMapper;
 		$this->session = $session;
+		$this->userNotificationConfigHandler = $userNotificationConfigHandler;
 	}
 
 	private function fixDI() {
@@ -103,6 +109,7 @@ private function fixDI() {
 				$this->hasher
 			);
 			$this->session = \OC::$server->getSession();
+			$this->userNotificationConfigHandler = new UserNotificationConfigHandler($this->config);
 		}
 	}
 
@@ -185,6 +192,7 @@ public function saveOldPassword(GenericEvent $event) {
 		$oldPassword->setPassword($this->hasher->hash($password));
 		$oldPassword->setChangeTime($this->timeFactory->getTime());
 		$this->oldPasswordMapper->insert($oldPassword);
+		$this->userNotificationConfigHandler->resetExpirationMarks($user->getUID());
 	}
 
 	/**

lib/Jobs/PasswordExpirationNotifierJob.php

@@ -0,0 +1,165 @@
+<?php
+/**
+ *
+ * @author Juan Pablo Villafáñez <[email protected]>
+ * @copyright Copyright (c) 2018, ownCloud GmbH
+ * @license GPL-2.0
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\PasswordPolicy\Jobs;
+
+use OC\BackgroundJob\TimedJob;
+use OCP\Notification\IManager;
+use OCP\IUserManager;
+use OCP\IConfig;
+use OCP\IURLGenerator;
+use OCP\ILogger;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCA\PasswordPolicy\Db\OldPasswordMapper;
+use OCA\PasswordPolicy\Db\OldPassword;
+use OCA\PasswordPolicy\UserNotificationConfigHandler;
+
+class PasswordExpirationNotifierJob extends TimedJob {
+	/** @var OldPasswordMapper */
+	private $mapper;
+
+	/** @var $manager */
+	private $manager;
+
+	/** @var IUserManager */
+	private $userManager;
+
+	/** @var UserNotificationConfigHandler */
+	private $unConfigHandler;
+
+	/** @var ITimeFactory */
+	private $timeFactory;
+
+	/** @var IURLGenerator */
+	private $urlGenerator;
+
+	/** @var ILogger */
+	private $logger;
+
+	public function __construct(
+		OldPasswordMapper $mapper,
+		IManager $manager,
+		IUserManager $userManager,
+		UserNotificationConfigHandler $unConfigHandler,
+		ITimeFactory $timeFactory,
+		IURLGenerator $urlGenerator,
+		ILogger $logger
+	) {
+		$this->mapper = $mapper;
+		$this->manager = $manager;
+		$this->userManager = $userManager;
+		$this->unConfigHandler = $unConfigHandler;
+		$this->timeFactory = $timeFactory;
+		$this->urlGenerator = $urlGenerator;
+		$this->logger = $logger;
+
+		$this->setInterval(12 * 60 * 60);
+	}
+
+	protected function run($arguments) {
+		$expirationTime = $this->unConfigHandler->getExpirationTime();
+		if ($expirationTime === null) {
+			return;  // expiration not configured
+		}
+
+		$expirationTime = $expirationTime * 24 * 60 * 60;  // convert days to seconds
+		$expirationTimeNotification = $this->unConfigHandler->getExpirationTimeForNormalNotification();
+		if ($expirationTimeNotification === null) {
+			$expirationTimeNotification = 0;
+		}
+
+		// ensure ranges are correct
+		if ($expirationTime <= $expirationTimeNotification) {
+			$message = "wrong expiration range: normal ($expirationTimeNotification) < expired ($expirationTime)";
+			$this->logger->warning($message, ['app' => 'password_policy']);
+			return;
+		}
+
+		$notifyAfter = $expirationTime - $expirationTimeNotification;
+
+		$currentTime = $this->timeFactory->getTime();
+
+		$maxTimestamp = $currentTime - $notifyAfter;
+		// passwords changed before $maxTimestamp are expired or about to be expired
+		// according to the expiration time range
+
+		$oldPasswordsAboutToExpire = $this->mapper->getPasswordsAboutToExpire($maxTimestamp);
+		foreach ($oldPasswordsAboutToExpire as $passInfo) {
+			$elapsedTime = $currentTime - $passInfo->getChangeTime();
+			if ($elapsedTime >= $expirationTime) {
+				$this->logger->debug("password timestamp for {$passInfo->getUid()}: {$passInfo->getChangeTime()}; elapsed time: {$elapsedTime} -> EXPIRED", ['app' => 'password_policy']);
+				$this->sendPassExpiredNotification($passInfo, $expirationTime);
+			} elseif ($elapsedTime >= $notifyAfter) {
+				$this->logger->debug("password timestamp for {$passInfo->getUid()}: {$passInfo->getChangeTime()}; elapsed time: {$elapsedTime} -> NOTIFY", ['app' => 'password_policy']);
+				$this->sendAboutToExpireNotification($passInfo, $expirationTime);
+			}
+		}
+	}
+
+	private function sendAboutToExpireNotification(OldPassword $passInfo, $expirationTime) {
+		if ($this->unConfigHandler->isSentAboutToExpireNotification($passInfo)) {
+			return;  // notification already sent
+		}
+
+		$notificationTimestamp = $this->timeFactory->getTime();
+
+		$notification = $this->manager->createNotification();
+		$notification->setApp('password_policy')
+			->setUser($passInfo->getUid())
+			->setDateTime(new \DateTime("@{$notificationTimestamp}"))
+			->setObject('about_to_expire', $passInfo->getId())
+			->setSubject('about_to_expire', [$passInfo->getChangeTime(), $expirationTime])
+			->setMessage('about_to_expire', [$passInfo->getChangeTime(), $expirationTime])
+			->setLink($this->getNotificationLink());
+		$this->manager->notify($notification);
+
+		$this->unConfigHandler->markAboutToExpireNotificationSentFor($passInfo);
+	}
+
+	private function sendPassExpiredNotification(OldPassword $passInfo, $expirationTime) {
+		if ($this->unConfigHandler->isSentExpiredNotification($passInfo)) {
+			return;  // notification already sent
+		}
+
+		$notificationTimestamp = $this->timeFactory->getTime();
+
+		$notification = $this->manager->createNotification();
+		$notification->setApp('password_policy')
+			->setUser($passInfo->getUid())
+			->setDateTime(new \DateTime("@{$notificationTimestamp}"))
+			->setObject('expired', $passInfo->getId())
+			->setSubject('expired', [$passInfo->getChangeTime(), $expirationTime])
+			->setMessage('expired', [$passInfo->getChangeTime(), $expirationTime])
+			->setLink($this->getNotificationLink());
+		$this->manager->notify($notification);
+
+		$this->unConfigHandler->markExpiredNotificationSentFor($passInfo);
+	}
+
+	private function getNotificationLink() {
+		$link = $this->urlGenerator->linkToRouteAbsolute(
+			'password_policy.password.show',
+			['redirect_url' => '']
+		);
+		return $link;
+	}
+}