From a7ab192274690a3b146d2a0abdb1e2947d70cd54 Mon Sep 17 00:00:00 2001
From: Benjamin Renard <brenard@easter-eggs.com>
Date: Wed, 2 Dec 2020 18:12:00 +0100
Subject: [PATCH] Add LSldap_attr::pwdHistory

---
 doc/conf/LSattribute/LSattr_ldap.docbook      |   1 +
 .../LSattr_ldap/LSattr_ldap.entities.xml      |   1 +
 .../LSattr_ldap_pwdHistory.docbook            |  74 +++++++++++
 .../class/class.LSattr_ldap_pwdHistory.php    | 115 ++++++++++++++++++
 4 files changed, 191 insertions(+)
 create mode 100644 doc/conf/LSattribute/LSattr_ldap/LSattr_ldap_pwdHistory.docbook
 create mode 100644 src/includes/class/class.LSattr_ldap_pwdHistory.php

diff --git a/doc/conf/LSattribute/LSattr_ldap.docbook b/doc/conf/LSattribute/LSattr_ldap.docbook
index deeb97fb..56f82601 100644
--- a/doc/conf/LSattribute/LSattr_ldap.docbook
+++ b/doc/conf/LSattribute/LSattr_ldap.docbook
@@ -12,6 +12,7 @@
   &conf-LSattr_ldap_numeric;
   &conf-LSattr_ldap_password;
   &conf-LSattr_ldap_postaladdress;
+  &conf-LSattr_ldap_pwdHistory;
   &conf-LSattr_ldap_sambaAcctFlags;
   &conf-LSattr_ldap_shadowExpire;
 </sect3>
diff --git a/doc/conf/LSattribute/LSattr_ldap/LSattr_ldap.entities.xml b/doc/conf/LSattribute/LSattr_ldap/LSattr_ldap.entities.xml
index f8ea992e..d7b17854 100644
--- a/doc/conf/LSattribute/LSattr_ldap/LSattr_ldap.entities.xml
+++ b/doc/conf/LSattribute/LSattr_ldap/LSattr_ldap.entities.xml
@@ -8,6 +8,7 @@
 <!ENTITY conf-LSattr_ldap_numeric SYSTEM "LSattr_ldap_numeric.docbook">
 <!ENTITY conf-LSattr_ldap_password SYSTEM "LSattr_ldap_password.docbook">
 <!ENTITY conf-LSattr_ldap_postaladdress SYSTEM "LSattr_ldap_postaladdress.docbook">
+<!ENTITY conf-LSattr_ldap_pwdHistory SYSTEM "LSattr_ldap_pwdHistory.docbook">
 <!ENTITY conf-LSattr_ldap_sambaAcctFlags SYSTEM "LSattr_ldap_sambaAcctFlags.docbook">
 <!ENTITY conf-LSattr_ldap_shadowExpire SYSTEM "LSattr_ldap_shadowExpire.docbook">
 
diff --git a/doc/conf/LSattribute/LSattr_ldap/LSattr_ldap_pwdHistory.docbook b/doc/conf/LSattribute/LSattr_ldap/LSattr_ldap_pwdHistory.docbook
new file mode 100644
index 00000000..a3bbc5c0
--- /dev/null
+++ b/doc/conf/LSattribute/LSattr_ldap/LSattr_ldap_pwdHistory.docbook
@@ -0,0 +1,74 @@
+<sect4 id="config-LSattr_ldap_pwdHistory">
+  <title>LSattr_ldap_pwdHistory</title>
+  <para>Ce type est utilisé pour la gestion de l'attribut standard <emphasis>pwdHistory</emphasis>.
+  Cet attribut, accessible en lecture uniquement, stocke dans un format prédéfini l'historique des
+  mots de passe d'une utilisateur avec pour chaque entrée :
+  <itemizedlist>
+    <listitem><simpara>la date et heure de l'ajout du mot de passe dans l'historique</simpara></listitem>
+    <listitem><simpara>l'OID de la syntaxe du mot de passe</simpara></listitem>
+    <listitem><simpara>la longueur du mot de passe</simpara></listitem>
+    <listitem><simpara>le mot de passe (hâché)</simpara></listitem>
+  </itemizedlist>
+  </para>
+  <para>Ce type d'attribut LDAP permettra de convertir la valeur en son équivalent <literal>JSON</literal>
+  pour pouvoir être traité à l'aide du type d'attribut HTML &LSattr_html_jsonCompositeAttribute;.</para>
+  <programlisting linenumbering="unnumbered">
+<citetitle>Exemple de valeur de l'attribut pwdHistory</citetitle>
+<![CDATA[20201202144718Z#1.3.6.1.4.1.1466.115.121.1.40#105#{SSHA512}XDSiR6Sh6W7gyVIk6Rr2OUv8rNPr+0rHF99d9lcirE/TnnEdkjkncIi5iPubErL5lpfgh8gXLgSfmqvmFcMqXLToC25xIqyk]]>
+</programlisting>
+<programlisting linenumbering="unnumbered">
+<citetitle>Exemple de valeur tranformée</citetitle>
+<![CDATA[{"time":1606920438,"syntaxOID":"1.3.6.1.4.1.1466.115.121.1.40","length":105,"hashed_password":"{SSHA512}XDSiR6Sh6W7gyVIk6Rr2OUv8rNPr+0rHF99d9lcirE/TnnEdkjkncIi5iPubErL5lpfgh8gXLgSfmqvmFcMqXLToC25xIqyk"}]]>
+</programlisting>
+<programlisting linenumbering="unnumbered">
+<citetitle>Exemple de configuration complète de l'attribut</citetitle>
+<![CDATA['pwdHistory' => array (
+    'label' => 'Passwords in history',
+    'ldap_type' => 'pwdHistory',
+    'html_type' => 'jsonCompositeAttribute',
+    'html_options' => array (
+      'components' => array (
+        'time' => array (
+          'label' => 'Date added to history',
+          'type' => 'text',
+          'required' => true,
+          'multiple' => false,
+        ),
+        'syntaxOID' => array (
+          'label' => 'Syntax OID',
+          'type' => 'text',
+          'required' => true,
+          'multiple' => false,
+        ),
+        'length' => array (
+          'label' => 'Length',
+          'type' => 'text',
+          'required' => true,
+          'multiple' => false,
+        ),
+        'hashed_password' => array (
+          'label' => 'Hashed password',
+          'type' => 'text',
+          'required' => true,
+          'multiple' => false,
+        ),
+      ),
+    ),
+    'no_value_label' => 'History is empty.',
+    'multiple' => 1,
+    'rights' => array(
+      'admin' => 'r',
+    ),
+    'view' => 1,
+),]]>
+</programlisting>
+  <para>La date et heure de l'ajout du mot de passe dans l'historique est convertie dans un format lisible.
+  Par défaut, ce format est <literal>AAAA/MM/JJ HH:MM:SS</literal>, mais il peut aussi est personnalisé via
+  le paramètre <literal>date_format</literal>. Ce format est composé à partir des motifs clés gérés par la
+  fonction <function>date()</function> de &php;. Pour plus d'information, consulter
+  <ulink url='http://www.php.net/date'>la documentation officielle</ulink>.</para>
+  <note><simpara>La valeur par défaut est <emphasis>YmdHisO</emphasis>, correspondant à la syntaxe
+  <literal>Generalized Time</literal> telle que définie dans la <ulink url='https://tools.ietf.org/html/rfc4517'>RFC4517
+  </ulink> et prévu par le <ulink url='http://tools.ietf.org/id/draft-behera-ldap-password-policy-10.txt'>
+  Draft-behera-ldap-password-policy</ulink> spécifiant cet attribut standard.</simpara></note>
+</sect4>
diff --git a/src/includes/class/class.LSattr_ldap_pwdHistory.php b/src/includes/class/class.LSattr_ldap_pwdHistory.php
new file mode 100644
index 00000000..b71f5217
--- /dev/null
+++ b/src/includes/class/class.LSattr_ldap_pwdHistory.php
@@ -0,0 +1,115 @@
+<?php
+/*******************************************************************************
+ * Copyright (C) 2007 Easter-eggs
+ * http://ldapsaisie.labs.libre-entreprise.org
+ *
+ * Author: See AUTHORS file in top-level directory.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+
+******************************************************************************/
+
+/**
+ * Ldap attribute type for stanard pwdHistory attribute (see draft-behera-ldap-password-policy-10)
+ *
+ * Convert pwdHistory attribute value :
+ * From : 
+ *   
+ *   20201202144718Z#1.3.6.1.4.1.1466.115.121.1.40#105#{SSHA512}XDSiR6Sh6W7gyVIk6Rr2OUv8rNPr+0rHF99d9lcirE/TnnEdkjkncIi5iPubErL5lpfgh8gXLgSfmqvmFcMqXLToC25xIqyk
+ * To:
+ *
+ *   {"time":1606920438,"syntaxOID":"1.3.6.1.4.1.1466.115.121.1.40","length":105,"hashed_password":"{SSHA512}XDSiR6Sh6W7gyVIk6Rr2OUv8rNPr+0rHF99d9lcirE/TnnEdkjkncIi5iPubErL5lpfgh8gXLgSfmqvmFcMqXLToC25xIqyk"}
+ */
+class LSattr_ldap_pwdHistory extends LSattr_ldap {
+
+  /**
+   * Return the values as JSON encoded string
+   *
+   * @param[in] $data mixed LDAP attribute value
+   *
+   * @retval mixed Array of JSON encoded string
+   */
+  public function getDisplayValue($data) {
+    $ret = array();
+    foreach(ensureIsArray($data) as $key => $val)
+      $ret[$key] = json_encode($this -> parseValue($val));
+    return $ret;
+  }
+
+  /**
+   * Return the values for saving
+   *
+   * @param[in] $data mixed Array of timestamp
+   *
+   * @retval mixed LDAP attribute values
+   */
+  public function getUpdateData($data) {
+    $ret = array();
+    foreach(ensureIsArray($data) as $key => $val)
+      $ret[$key] = $this -> encodeValue(json_decode($val, true));
+    return $ret;
+  }
+
+  public function parseValue($value) {
+    $parts = explode('#', $value);
+    if (!is_array($parts) || count($parts) != 4) {
+      self :: log_warning($this."->parseValue($value): Invalid value (parts count != 4).");
+      return;
+    }
+    $datetime = date_create_from_format('YmdHisO', $parts[0]);
+    if ($datetime instanceof DateTime) {
+      $time = $datetime -> format($this -> getFormat());
+    }
+    else {
+      self :: log_warning($this."->parseValue($value): Fail to parse time '".$parts[0]."'.");
+      $time = getFData(_('Unknown (%{raw_value})'), $parts[0]);
+    }
+    return array(
+      "time" => $time,
+      "syntaxOID" => $parts[1],
+      "length" => intval($parts[2]),
+      "hashed_password" => $parts[3],
+    );
+  }
+
+  public function encodeValue($value) {
+    if (!is_array($value)) {
+      self :: log_warning($this."->encodeValue($value): Provided value is not an array.");
+      return;
+    }
+    $datetime = date_create_from_format('YmdHisO', $value['time']);
+    $datetime -> setTimezone('UTC');
+    $datetime_string = $datetime -> format('YmdHisO');
+    $datetime_string = preg_replace('/[\+\-]0000$/', 'Z', $datetime_string);
+    return implode(
+      "#",
+      array (
+        $datetime_string,
+        $value['syntaxOID'],
+        $value['length'],
+        $value['hashed_password'],
+      )
+    );
+  }
+
+ /**
+  * Return date format
+  *
+  * @retval string The date format (as accept by Datetime :: format() and date_create_from_format())
+  **/
+  public function getFormat() {
+    return $this -> getConfig('ldap_options.date_format', 'Y/m/d H:i:s');
+  }
+
+}