/** * Checks the given token for validity and sets the token authentication status * accordingly (success, wrong credentials or no credentials given). * * @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated * @return void * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof UsernamePassword) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840); } /** @var $account \TYPO3\Flow\Security\Account */ $account = NULL; $credentials = $authenticationToken->getCredentials(); if (is_array($credentials) && isset($credentials['username'])) { $providerName = $this->name; $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) { $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName); }); } if (is_object($account)) { if ($this->hashService->validatePassword($credentials['password'], $account->getCredentialsSource())) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $authenticationToken->setAccount($account); } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } } elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); } }
/** * @test */ public function authenticationFailsWithWrongCredentialsInAnUsernamePasswordToken() { $this->mockHashService->expects($this->once())->method('validatePassword')->with('wrong password', '8bf0abbb93000e2e47f0e0a80721e834,80f117a78cff75f3f73793fd02aa9086')->will($this->returnValue(FALSE)); $this->mockAccount->expects($this->once())->method('getCredentialsSource')->will($this->returnValue('8bf0abbb93000e2e47f0e0a80721e834,80f117a78cff75f3f73793fd02aa9086')); $this->mockAccountRepository->expects($this->once())->method('findActiveByAccountIdentifierAndAuthenticationProviderName')->with('admin', 'myProvider')->will($this->returnValue($this->mockAccount)); $this->mockToken->expects($this->once())->method('getCredentials')->will($this->returnValue(array('username' => 'admin', 'password' => 'wrong password'))); $this->mockToken->expects($this->once())->method('setAuthenticationStatus')->with(\TYPO3\Flow\Security\Authentication\TokenInterface::WRONG_CREDENTIALS); $this->persistedUsernamePasswordProvider->authenticate($this->mockToken); }
/** * Renders hidden form fields for referrer information about * the current request. * * @return string Hidden fields with referrer information */ protected function renderHiddenReferrerFields() { $tagBuilder = new TagBuilder('input'); $tagBuilder->addAttribute('type', 'hidden'); $tagBuilder->addAttribute('name', $this->prefixFieldName('__state')); $serializedFormState = base64_encode(serialize($this->arguments['object']->getFormState())); $tagBuilder->addAttribute('value', $this->hashService->appendHmac($serializedFormState)); return $tagBuilder->render(); }
public function getEncryptedPasswordAndRemoveNonencryptedVersion() { if (!$this->arePasswordsEqual()) { throw new Exception('Passwords are not equal; so it is not allowed to call getEncryptedPassword().', 1464087097); } $encrypted = $this->hashService->hashPassword($this->password); $this->password = null; $this->passwordConfirmation = null; return $encrypted; }
/** * Extracts the WidgetContext from the given $httpRequest. * If the request contains an argument "__widgetId" the context is fetched from the session (AjaxWidgetContextHolder). * Otherwise the argument "__widgetContext" is expected to contain the serialized WidgetContext (protected by a HMAC suffix) * * @param Request $httpRequest * @return WidgetContext */ protected function extractWidgetContext(Request $httpRequest) { if ($httpRequest->hasArgument('__widgetId')) { return $this->ajaxWidgetContextHolder->get($httpRequest->getArgument('__widgetId')); } elseif ($httpRequest->hasArgument('__widgetContext')) { $serializedWidgetContextWithHmac = $httpRequest->getArgument('__widgetContext'); $serializedWidgetContext = $this->hashService->validateAndStripHmac($serializedWidgetContextWithHmac); return unserialize(base64_decode($serializedWidgetContext)); } return null; }
/** * Creates a new account and sets the given password and roles * * @param string $identifier Identifier of the account, must be unique * @param string $password The clear text password * @param array $roleIdentifiers Optionally an array of role identifiers to assign to the new account * @param string $authenticationProviderName Optional name of the authentication provider the account is affiliated with * @param string $passwordHashingStrategy Optional password hashing strategy to use for the password * @return \TYPO3\Flow\Security\Account A new account, not yet added to the account repository */ public function createAccountWithPassword($identifier, $password, $roleIdentifiers = array(), $authenticationProviderName = 'DefaultProvider', $passwordHashingStrategy = 'default') { $account = new \TYPO3\Flow\Security\Account(); $account->setAccountIdentifier($identifier); $account->setCredentialsSource($this->hashService->hashPassword($password, $passwordHashingStrategy)); $account->setAuthenticationProviderName($authenticationProviderName); $roles = array(); foreach ($roleIdentifiers as $roleIdentifier) { $roles[] = $this->policyService->getRole($roleIdentifier); } $account->setRoles($roles); return $account; }
/** * @test */ public function validateAndStripHmacReturnsTheStringWithoutHmac() { $string = ' Some arbitrary string with special characters: öäüß!"§$ '; $hashedString = $this->hashService->appendHmac($string); $actualResult = $this->hashService->validateAndStripHmac($hashedString); $this->assertSame($string, $actualResult); }
/** * @param string $emailAddress * @param string $requirement * * @throws \Exception * * @return string */ public function resetPasswordAction($emailAddress, $requirement = '') { if ($requirement !== '') { throw new \Exception('Bot detection', 12393182738); } $locale = new Locale('nl'); $account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($emailAddress, 'DefaultProvider'); if ($account instanceof Account) { try { /** @var Person $profile */ $profile = $this->profileService->getProfileNodeOfAccount($account); $password = $this->randomPassword(); $hashedPassword = $this->hashService->hashPassword($password, 'default'); $this->mailerService->sendEmail(array('email' => $emailAddress, 'name' => $profile->getDisplayName()), 'Nieuw wachtwoord', 'Packages/Application/BuJitsuDo.Authentication/Resources/Private/Templates/Email/PasswordReset.html', array('password' => $password, 'profile' => $profile)); $account->setCredentialsSource($hashedPassword); $this->accountRepository->update($account); $this->persistenceManager->persistAll(); } catch (\Exception $exception) { return $exception->getMessage(); } } else { $this->response->setHeader('Notification', $this->translator->translateById('profile.reset.password.response.failure', [], NULL, $locale, 'Main', 'BuJitsuDo.Authentication')); $this->response->setHeader('NotificationType', 'alert'); return ''; } $this->response->setHeader('Notification', $this->translator->translateById('profile.reset.password.response.success', [], NULL, $locale, 'Main', 'BuJitsuDo.Authentication')); $this->response->setHeader('NotificationType', 'success'); return ''; }
/** * @return string * @throws \TYPO3\Flow\Security\Exception\InvalidArgumentForHashGenerationException */ public function getJWTToken() { /** @var \TYPO3\Flow\Security\Account $account */ $account = $this->securityContext->getAccount(); $this->apiToken = $this->securityContext->getAuthenticationTokensOfType('RFY\\JWT\\Security\\Authentication\\Token\\JwtToken')[0]; if ($account->getAuthenticationProviderName() !== $this->apiToken->getAuthenticationProviderName()) { // TODO: Currently you can get only 1 tokenAccount because of the duplication restraint based on accountIdentifier & AuthenticationProviderName $account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($account->getAccountIdentifier(), $this->apiToken->getAuthenticationProviderName()); if ($account === NULL) { $account = $this->generateTokenAccount(); } } $payload = array(); $payload['identifier'] = $account->getAccountIdentifier(); $payload['partyIdentifier'] = $this->persistenceManager->getIdentifierByObject($account->getParty()); $payload['user_agent'] = $this->request->getHeader('User-Agent'); $payload['ip_address'] = $this->request->getClientIpAddress(); if ($account->getCreationDate() instanceof \DateTime) { $payload['creationDate'] = $account->getCreationDate()->getTimestamp(); } if ($account->getExpirationDate() instanceof \DateTime) { $payload['expirationDate'] = $account->getExpirationDate()->getTimestamp(); } // Add hmac $hmac = $this->hashService->generateHmac($this->signature); return JWT::encode($payload, $hmac); }
/** * Returns an ActionRequest which referred to this request, if any. * * The referring request is not set or determined automatically but must be * explicitly set through the corresponding internal argument "__referrer". * This mechanism is used by Flow's form and validation mechanisms. * * @return ActionRequest the referring request, or NULL if no referrer found */ public function getReferringRequest() { if ($this->referringRequest !== null) { return $this->referringRequest; } if (!isset($this->internalArguments['__referrer'])) { return null; } if (is_array($this->internalArguments['__referrer'])) { $referrerArray = $this->internalArguments['__referrer']; $referringRequest = new ActionRequest($this->getHttpRequest()); $arguments = array(); if (isset($referrerArray['arguments'])) { $serializedArgumentsWithHmac = $referrerArray['arguments']; $serializedArguments = $this->hashService->validateAndStripHmac($serializedArgumentsWithHmac); $arguments = unserialize(base64_decode($serializedArguments)); unset($referrerArray['arguments']); } $referringRequest->setArguments(Arrays::arrayMergeRecursiveOverrule($arguments, $referrerArray)); return $referringRequest; } else { $this->referringRequest = $this->internalArguments['__referrer']; } return $this->referringRequest; }
public function setUp() { $this->mockRole = $this->getMockBuilder('TYPO3\\Flow\\Security\\Policy\\Role')->disableOriginalConstructor()->getMock(); $this->mockRole->expects($this->any())->method('getIdentifier')->will($this->returnValue('TYPO3.Flow:TestRoleIdentifier')); $this->mockPolicyService = $this->getMockBuilder('TYPO3\\Flow\\Security\\Policy\\PolicyService')->disableOriginalConstructor()->getMock(); $this->mockPolicyService->expects($this->any())->method('getRole')->with('TYPO3.Flow:TestRoleIdentifier')->will($this->returnValue($this->mockRole)); $this->mockHashService = $this->getMockBuilder('TYPO3\\Flow\\Security\\Cryptography\\HashService')->disableOriginalConstructor()->getMock(); $expectedPassword = $this->testKeyClearText; $expectedHashedPasswordAndSalt = $this->testKeyHashed; $this->mockHashService->expects($this->any())->method('validatePassword')->will($this->returnCallback(function ($password, $hashedPasswordAndSalt) use($expectedPassword, $expectedHashedPasswordAndSalt) { return $hashedPasswordAndSalt === $expectedHashedPasswordAndSalt && $password === $expectedPassword; })); $this->mockFileBasedSimpleKeyService = $this->getMockBuilder('TYPO3\\Flow\\Security\\Cryptography\\FileBasedSimpleKeyService')->disableOriginalConstructor()->getMock(); $this->mockFileBasedSimpleKeyService->expects($this->any())->method('getKey')->with('testKey')->will($this->returnValue($this->testKeyHashed)); $this->mockToken = $this->getMockBuilder('TYPO3\\Flow\\Security\\Authentication\\Token\\PasswordToken')->disableOriginalConstructor()->getMock(); }
/** * Renders hidden form fields for referrer information about * the current controller and action. * * @return string Hidden fields with referrer information * @todo filter out referrer information that is equal to the target (e.g. same packageKey) */ protected function renderHiddenReferrerFields() { $result = chr(10); $request = $this->controllerContext->getRequest(); $argumentNamespace = NULL; if (!$request->isMainRequest()) { $argumentNamespace = $request->getArgumentNamespace(); $referrer = array('@package' => $request->getControllerPackageKey(), '@subpackage' => $request->getControllerSubpackageKey(), '@controller' => $request->getControllerName(), '@action' => $request->getControllerActionName(), 'arguments' => $this->hashService->appendHmac(base64_encode(serialize($request->getArguments())))); foreach ($referrer as $referrerKey => $referrerValue) { $referrerValue = \htmlspecialchars($referrerValue); $result .= '<input type="hidden" name="' . $argumentNamespace . '[__referrer][' . $referrerKey . ']" value="' . $referrerValue . '" />' . chr(10); } $request = $request->getParentRequest(); } $arguments = $request->getArguments(); if ($argumentNamespace !== NULL && isset($arguments[$argumentNamespace])) { // A sub request was there; thus we can unset the sub requests arguments, // as they are transferred separately via the code block shown above. unset($arguments[$argumentNamespace]); } $referrer = array('@package' => $request->getControllerPackageKey(), '@subpackage' => $request->getControllerSubpackageKey(), '@controller' => $request->getControllerName(), '@action' => $request->getControllerActionName(), 'arguments' => $this->hashService->appendHmac(base64_encode(serialize($arguments)))); foreach ($referrer as $referrerKey => $referrerValue) { $result .= '<input type="hidden" name="__referrer[' . $referrerKey . ']' . '" value="' . htmlspecialchars($referrerValue) . '" />' . chr(10); } return $result; }
/** * Checks the given token for validity and sets the token authentication status * accordingly (success, wrong credentials or no credentials given). * * @param TokenInterface $authenticationToken The token to be authenticated * @return void * @throws UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof JwtToken) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1417040168); } /** @var $account Account */ $account = NULL; $credentials = $authenticationToken->getCredentials(); if (!is_array($credentials) || !isset($credentials['token'])) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); return; } $hmac = $this->hashService->generateHmac($this->signature); $payload = NULL; try { $payload = (array) JWT::decode($credentials['token'], $hmac, array('HS256')); } catch (\Exception $exception) { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } if (isset($credentials['username'])) { $providerName = $this->name; $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) { $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName); }); if ($this->hashService->validatePassword($credentials['password'], $account->getCredentialsSource())) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $authenticationToken->setAccount($account); return; } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); return; } } if ($credentials['user_agent'] === $payload['user_agent'] && $credentials['ip_address'] === $payload['ip_address']) { $this->securityContext->withoutAuthorizationChecks(function () use($payload, &$account) { $account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($payload['identifier'], $this->name); }); } if (is_object($account)) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $authenticationToken->setAccount($account); return; } $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); return; }
/** * Sets a new password for the given user * * @param User $user The user to set the password for * @param string $password A new password * @return void */ public function setUserPassword(User $user, $password) { foreach ($user->getAccounts() as $account) { /** @var Account $account */ $account->setCredentialsSource($this->hashService->hashPassword($password, 'default')); $this->accountRepository->update($account); } }
/** * An advice which intercepts the original route() method if a widget AJAX request * was identified. * * If the HTTP request contains an argument hinting on an AJAX request directed * to a widget, this method will create a matching ActionRequest rather than * invoking the whole routing mechanism. * * @Flow\Around("method(TYPO3\Flow\Mvc\Routing\Router->route())") * @param \TYPO3\Flow\Aop\JoinPointInterface $joinPoint * @return \TYPO3\Flow\Mvc\ActionRequest */ public function routeAjaxWidgetRequestAdvice(JoinPointInterface $joinPoint) { $httpRequest = $joinPoint->getMethodArgument('httpRequest'); if ($httpRequest->hasArgument('__widgetId') || $httpRequest->hasArgument('__widgetContext')) { $actionRequest = $httpRequest->createActionRequest(); $widgetId = $actionRequest->getInternalArgument('__widgetId'); if ($widgetId !== NULL) { $widgetContext = $this->ajaxWidgetContextHolder->get($widgetId); } else { $serializedWidgetContextWithHmac = $actionRequest->getInternalArgument('__widgetContext'); $serializedWidgetContext = $this->hashService->validateAndStripHmac($serializedWidgetContextWithHmac); $widgetContext = unserialize($serializedWidgetContext); } $actionRequest->setArgument('__widgetContext', $widgetContext); $actionRequest->setControllerObjectName($widgetContext->getControllerObjectName()); return $actionRequest; } else { return $joinPoint->getAdviceChain()->proceed($joinPoint); } }
/** * Persists a key to the file system * * @param string $name * @param string $password * @return void * @throws \TYPO3\Flow\Security\Exception */ protected function persistKey($name, $password) { $hashedPassword = $this->hashService->hashPassword($password, $this->passwordHashingStrategy); $keyPathAndFilename = $this->getKeyPathAndFilename($name); if (!is_dir($this->getPath())) { Files::createDirectoryRecursively($this->getPath()); } $result = file_put_contents($keyPathAndFilename, $hashedPassword); if ($result === false) { throw new \TYPO3\Flow\Security\Exception(sprintf('The key could not be stored ("%s").', $keyPathAndFilename), 1305812921); } }
/** * Sets isAuthenticated to TRUE for all tokens. * * @param TokenInterface $authenticationToken The token to be authenticated * @return void * @throws UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof PasswordToken) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840); } $credentials = $authenticationToken->getCredentials(); if (is_array($credentials) && isset($credentials['password'])) { if ($this->hashService->validatePassword($credentials['password'], $this->fileBasedSimpleKeyService->getKey($this->options['keyName']))) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $account = new Account(); $roles = array(); foreach ($this->options['authenticateRoles'] as $roleIdentifier) { $roles[] = $this->policyService->getRole($roleIdentifier); } $account->setRoles($roles); $authenticationToken->setAccount($account); } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } } elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); } }
/** * Returns the web accessible URI pointing to the specified persistent resource * * @param Resource $resource Resource object * @return string The URI * @throws Exception */ public function getPublicPersistentResourceUri(Resource $resource) { $resourceData = array('resourceIdentifier' => $resource->getSha1()); if ($this->shouldIncludeSecurityContext()) { $resourceData['securityContextHash'] = $this->securityContext->getContextHash(); } elseif (!empty($this->options['tokenLifetime'])) { $expirationDateTime = clone $this->now; $expirationDateTime = $expirationDateTime->modify(sprintf('+%d seconds', $this->options['tokenLifetime'])); $resourceData['expirationDateTime'] = $expirationDateTime->format(\DateTime::ISO8601); } $encodedResourceData = base64_encode(json_encode($resourceData)); $signedResourceData = $this->hashService->appendHmac($encodedResourceData); return $this->detectResourcesBaseUri() . '?__protectedResource=' . $signedResourceData; }
/** * @test */ public function extractWidgetContextDecodesSerializedWidgetContextIfPresent() { $ajaxWidgetComponent = $this->getAccessibleMock(\TYPO3\Fluid\Core\Widget\AjaxWidgetComponent::class, array('dummy')); $this->inject($ajaxWidgetComponent, 'hashService', $this->mockHashService); $mockWidgetContext = 'SomeWidgetContext'; $mockSerializedWidgetContext = base64_encode(serialize($mockWidgetContext)); $mockSerializedWidgetContextWithHmac = $mockSerializedWidgetContext . 'HMAC'; $this->mockHttpRequest->expects($this->at(0))->method('hasArgument')->with('__widgetId')->will($this->returnValue(false)); $this->mockHttpRequest->expects($this->at(1))->method('hasArgument')->with('__widgetContext')->will($this->returnValue(true)); $this->mockHttpRequest->expects($this->atLeastOnce())->method('getArgument')->with('__widgetContext')->will($this->returnValue($mockSerializedWidgetContextWithHmac)); $this->mockHashService->expects($this->atLeastOnce())->method('validateAndStripHmac')->with($mockSerializedWidgetContextWithHmac)->will($this->returnValue($mockSerializedWidgetContext)); $actualResult = $ajaxWidgetComponent->_call('extractWidgetContext', $this->mockHttpRequest); $this->assertEquals($mockWidgetContext, $actualResult); }
/** * @param ComponentContext $componentContext * @return void * @throws FileNotFoundException|AccessDeniedException|FlowException */ public function handle(ComponentContext $componentContext) { $httpRequest = $componentContext->getHttpRequest(); if (!$httpRequest->hasArgument('__protectedResource')) { return; } try { $encodedResourceData = $this->hashService->validateAndStripHmac($httpRequest->getArgument('__protectedResource')); } catch (InvalidHashException $exception) { throw new AccessDeniedException('Invalid HMAC!', 1421241393, $exception); } $tokenData = json_decode(base64_decode($encodedResourceData), TRUE); $this->verifyExpiration($tokenData); $this->verifySecurityContextHash($tokenData, $httpRequest); $resource = $this->resourceManager->getResourceBySha1($tokenData['resourceIdentifier']); if ($resource === NULL) { throw new FileNotFoundException(sprintf('Unknown resource!%sCould not find resource with identifier "%s"', chr(10), $tokenData['resourceIdentifier']), 1429621743); } // TODO there should be a better way to determine the absolute path of the resource? Resource::createTemporaryLocalCopy() is too expensive $resourcePathAndFilename = Files::concatenatePaths(array($this->options['basePath'], $tokenData['resourceIdentifier'][0], $tokenData['resourceIdentifier'][1], $tokenData['resourceIdentifier'][2], $tokenData['resourceIdentifier'][3], $tokenData['resourceIdentifier'])); if (!is_file($resourcePathAndFilename)) { throw new FileNotFoundException(sprintf('File not found!%sThe file "%s" does not exist', chr(10), $resourcePathAndFilename), 1429702284); } if (!isset($this->options['serveStrategy'])) { throw new FlowException('No "serveStrategy" configured!', 1429704107); } $fileServeStrategy = $this->objectManager->get($this->options['serveStrategy']); if (!$fileServeStrategy instanceof FileServeStrategyInterface) { throw new FlowException(sprintf('The class "%s" does not implement the FileServeStrategyInterface', get_class($fileServeStrategy)), 1429704284); } $httpResponse = $componentContext->getHttpResponse(); $httpResponse->setHeader('Content-Type', $resource->getMediaType()); $this->emitResourceServed($resource, $httpRequest); $fileServeStrategy->serve($resourcePathAndFilename, $httpResponse); $componentContext->setParameter('TYPO3\\Flow\\Http\\Component\\ComponentChain', 'cancel', TRUE); }
/** * @param \DLigo\Animaltool\Domain\Model\User $user * @param array $username * @Flow\Validate(argumentName="$username", type="notEmpty") * @param array $password * @param string $role * @Flow\Validate(argumentName="$password", type="\DLigo\Animaltool\Validation\Validator\PasswordValidator", options={"allowEmpty"=true}) * @Flow\Validate(argumentName="$username", type="\DLigo\Animaltool\Validation\Validator\AccountExistsValidator") * @return void */ public function updateAction(User $user, $username, $password = null, $role = null) { if ($role) { $roleObj = $this->policyService->getRole($role); foreach ($user->getAccounts() as $account) { $account->setRoles(array($role => $roleObj)); $account->setAccountIdentifier($username['new']); $account->setCredentialsSource($this->hashService->hashPassword($password[0], 'default')); $this->accountRepository->update($account); } } $this->userRepository->update($user); $this->addFlashMessage('Updated the user.', '', \TYPO3\Flow\Error\Message::SEVERITY_OK, array(), 'flash.user.update'); $this->redirect('index'); }
/** * Initialize the property mapping configuration in $controllerArguments if * the trusted properties are set inside the request. * * @param \TYPO3\Flow\Mvc\ActionRequest $request * @param \TYPO3\Flow\Mvc\Controller\Arguments $controllerArguments * @return void */ public function initializePropertyMappingConfigurationFromRequest(\TYPO3\Flow\Mvc\ActionRequest $request, \TYPO3\Flow\Mvc\Controller\Arguments $controllerArguments) { $trustedPropertiesToken = $request->getInternalArgument('__trustedProperties'); if (!is_string($trustedPropertiesToken)) { return; } $serializedTrustedProperties = $this->hashService->validateAndStripHmac($trustedPropertiesToken); $trustedProperties = unserialize($serializedTrustedProperties); foreach ($trustedProperties as $propertyName => $propertyConfiguration) { if (!$controllerArguments->hasArgument($propertyName)) { continue; } $propertyMappingConfiguration = $controllerArguments->getArgument($propertyName)->getPropertyMappingConfiguration(); $this->modifyPropertyMappingConfiguration($propertyConfiguration, $propertyMappingConfiguration); } }
/** * Set a new password for the given user * * @param string $username user to modify * @param string $password new password * @param string $authenticationProvider Name of the authentication provider to use for finding the user. Default: "Sandstorm.UserManagement:Login". * @return void */ public function setPasswordCommand($username, $password, $authenticationProvider = 'Sandstorm.UserManagement:Login') { // If we're in Neos context, we simply forward the command to the Neos command controller. if ($this->shouldUseNeosService()) { $cliRequest = new Request($this->request); $cliRequest->setControllerObjectName(UserCommandController::class); $cliRequest->setControllerCommandName('setPassword'); $cliRequest->setArguments(['username' => $username, 'password' => $password, 'authenticationProvider' => $authenticationProvider]); $cliResponse = new Response($this->response); $this->dispatcher->dispatch($cliRequest, $cliResponse); $this->quit(0); } // Otherwise, we use our own logic. $account = $this->accountRepository->findByAccountIdentifierAndAuthenticationProviderName($username, $authenticationProvider); if ($account === null) { $this->outputLine('The user <b>' . $username . '</b> could not be found with auth provider <b>' . $authenticationProvider . '</b>.'); $this->quit(1); } $encrypted = $this->hashService->hashPassword($password); $account->setCredentialsSource($encrypted); $this->accountRepository->update($account); $this->outputLine('Password for user <b>' . $username . '</b> changed.'); }
/** * @param string $password, * @param string $passwordconfirm * @param string $code * @return string|void */ public function changePasswordAction($password = NULL, $passwordconfirm = NULL, $code = NULL) { if ($code !== NULL) { $cryptJson = $code; $cryptKey = md5($this->providerName); $uncryptJson = base64_decode($cryptJson); $uncryptJson = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $cryptKey, $uncryptJson, MCRYPT_MODE_CBC, md5($cryptKey)); $uncryptJson = rtrim($uncryptJson, ""); $json = json_decode($uncryptJson); } else { $json = NULL; } $this->view->assign('code', $code); // @TODO Check if User has random number if ($json != NULL) { if ($this->time->getTimestamp() - $json->date > 86400) { $this->flashMessageContainer->addMessage(new \TYPO3\Flow\Error\Error($this->translator->translateById('login.messages.registration.not_valid', array(), NULL, NULL, 'Main', 'Incvisio.LostFound'))); $this->redirect('index', 'Standard', NULL, array()); } else { $account = $this->accountRepository->findByAccountIdentifierAndAuthenticationProviderName($json->username, $this->providerName); if ($password == $passwordconfirm && $password !== NULL) { $account->setExpirationDate(NULL); $account->setCredentialsSource($this->hashService->hashPassword($password, 'default')); $this->accountRepository->update($account); $this->flashMessageContainer->addMessage(new Message($this->translator->translateById('login.login.update', array(), NULL, NULL, 'Main', 'Incvisio.LostFound'))); $this->redirect('index', 'Standard', NULL, array()); } else { if ($password !== NULL) { $this->flashMessageContainer->addMessage(new \TYPO3\Flow\Error\Error("Sorry")); } } } } else { $this->flashMessageContainer->addMessage(new \TYPO3\Flow\Error\Error($this->translator->translateById('login.messages.registration.not_valid', array(), NULL, NULL, 'Main', 'Incvisio.LostFound'))); $this->redirect('index', 'Standard', NULL, array()); } }
/** * Sends an email to a user with the new password * * @param \TYPO3\Flow\Security\Account $account * @param array $settings * @param string $newEnteredPassword * @return boolean $success */ public function sendMail(Account $account, $settings, $newEnteredPassword = NULL) { if ($newEnteredPassword !== NULL) { $newPassword = $newEnteredPassword; } else { $newPassword = $this->algorithms->generateRandomString(10); $account->setCredentialsSource($this->hashService->hashPassword($newPassword, 'default')); $this->accountRepository->update($account); } // @TODO: Localize the email format $mailBody[] = 'Dear %1$s'; $mailBody[] = ''; $mailBody[] = 'Your password for First Visit.'; $mailBody[] = 'The password is %2$s'; $mailBody[] = ''; $mailBody[] = 'If you haven\'t requested this information, please change your password at once'; $mailBody[] = 'as others might be able to access your account'; $success = FALSE; $message = new SwiftMessage(); if ($message->setTo(array($account->getAccountIdentifier() => $account->getParty()->getName()))->setFrom(array($settings['PasswordRecovery']['Sender']['Email'] => $settings['PasswordRecovery']['Sender']['Name']))->setSubject($settings['PasswordRecovery']['Subject'])->setBody(vsprintf(implode(PHP_EOL, $mailBody), array($account->getParty()->getName(), $newPassword)))->send()) { $success = TRUE; } return $success; }
/** * Get the URI for an AJAX Request. * * @return string the AJAX URI * @throws WidgetContextNotFoundException */ protected function getAjaxUri() { $action = $this->arguments['action']; $arguments = $this->arguments['arguments']; if ($action === NULL) { $action = $this->controllerContext->getRequest()->getControllerActionName(); } $arguments['@action'] = $action; if (strlen($this->arguments['format']) > 0) { $arguments['@format'] = $this->arguments['format']; } /** @var $widgetContext WidgetContext */ $widgetContext = $this->controllerContext->getRequest()->getInternalArgument('__widgetContext'); if ($widgetContext === NULL) { throw new WidgetContextNotFoundException('Widget context not found in <f:widget.uri>', 1307450639); } if ($this->arguments['includeWidgetContext'] === TRUE) { $serializedWidgetContext = base64_encode(serialize($widgetContext)); $arguments['__widgetContext'] = $this->hashService->appendHmac($serializedWidgetContext); } else { $arguments['__widgetId'] = $widgetContext->getAjaxWidgetIdentifier(); } return '?' . http_build_query($arguments, NULL, '&'); }
/** * Set a new password for the given account * * This allows for setting a new password for an existing user account. * * @param Account $account * @param $password * @param string $passwordHashingStrategy * * @return boolean */ public function resetPassword(Account $account, $password, $passwordHashingStrategy = 'default') { $account->setCredentialsSource($this->hashService->hashPassword($password, $passwordHashingStrategy)); $this->accountRepository->update($account); return TRUE; }
/** * Sets a new password for the given user * * This method will iterate over all accounts owned by the given user and, if the account uses a UsernamePasswordToken, * sets a new password accordingly. * * @param User $user The user to set the password for * @param string $password A new password * @return void * @api */ public function setUserPassword(User $user, $password) { $tokens = $this->authenticationManager->getTokens(); $indexedTokens = array(); foreach ($tokens as $token) { /** @var TokenInterface $token */ $indexedTokens[$token->getAuthenticationProviderName()] = $token; } foreach ($user->getAccounts() as $account) { /** @var Account $account */ $authenticationProviderName = $account->getAuthenticationProviderName(); if (isset($indexedTokens[$authenticationProviderName]) && $indexedTokens[$authenticationProviderName] instanceof UsernamePassword) { $account->setCredentialsSource($this->hashService->hashPassword($password)); $this->accountRepository->update($account); } } }
/** * @param string $phrase * @return string */ protected function hashPhrase($phrase) { $phraseBuilder = new \Gregwar\Captcha\PhraseBuilder(); return $this->hashService->generateHmac($this->salt . "::" . $phraseBuilder->niceize($phrase)); }
/** * @param string $newPassword * @param \TYPO3\Flow\Security\Cryptography\HashService $hashService * @throws \InvalidArgumentException */ public function changePassword($newPassword, $hashService) { $newPassword = trim($newPassword); if (empty($newPassword)) { throw new \InvalidArgumentException('Password must be set.'); } $this->edits++; $this->login->setCredentialsSource($hashService->hashPassword($newPassword, 'default')); }