MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity
MISP/app/Model/User.php

433 lines
12 KiB
PHP
Raw Normal View History

Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
<?php
App::uses('AppModel', 'Model');
App::uses('AuthComponent', 'Controller/Component');
/**
* User Model
*
* @property Role $Role
* @property Event $Event
*/
class User extends AppModel {
/**
* Display field
*
* @var string
*/
public $displayField = 'email';
public $orgField = 'org'; // TODO Audit, LogableBehaviour + org
Upgrade script for 2.1.8 - we have introduced the "locked" flag for events to protect events of the original creator from being edited by a sync user - IMPORTANT: before running the script below, make sure to create the locked field for the event table (see INSTALL/LOCKED.sql) - This script (generateLocked found in the Administrative tools menu) will attempt to set the locked value for existing events to ease the transition - The default value for locked is 0, and all events created on the instance should be set to this value - events that were synced from another instance should have their locked value set to 1 - this script checks for local organisations and sets the locked field to 1 for all events not created by them - a local organisation, as defined for the scope of this scrips is: an organisation with at least 2 members or an organisation with a single member that is not a sync user. - The script is only accessible by site admins and will return a notification about the number of events altered.
2013-08-21 11:33:30 +02:00
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
/**
* Validation rules
*
* @var array
*/
public $validate = array(
'role_id' => array(
'numeric' => array(
'rule' => array('numeric'),
//'message' => 'Your custom message here',
//'allowEmpty' => false,
//'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'password' => array(
'minlength' => array(
Password complexity definable by admin - administrators can use a regex and a length setting to define password requirements - old behavior used if left untouched
2015-01-27 10:41:43 +01:00
'rule' => array('passwordLength'),
'message' => 'Password length requirement not met.',
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
//'allowEmpty' => false,
'required' => true,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
'complexity' => array(
'rule' => array('complexPassword'),
Password complexity definable by admin - administrators can use a regex and a length setting to define password requirements - old behavior used if left untouched
2015-01-27 10:41:43 +01:00
'message' => 'Password complexity requirement not met.',
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
//'allowEmpty' => false,
//'required' => true,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
'identical' => array(
'rule' => array('identicalFieldValues', 'confirm_password'),
'message' => 'Please re-enter your password twice so that the values match.',
//'allowEmpty' => false,
//'required' => true,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'org' => array(
'notempty' => array(
'rule' => array('notempty'),
'message' => 'Please specify the organisation where you are working.',
//'allowEmpty' => false,
//'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'org_id' => array(
'notempty' => array(
'rule' => array('notempty'),
Removal of more remnants of the old ACL and tightening of the filename checks - actAs acl removed from role and user models together with some extra code related to the ACL - Fix of the filename regex as pointed out by cvandeplas.
2013-04-29 10:52:07 +02:00
'message' => 'Please specify the organisation ID where you are working.',
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
//'allowEmpty' => false,
//'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'email' => array(
'email' => array(
'rule' => array('email'),
'message' => 'Please enter a valid email address.',
//'allowEmpty' => false,
'required' => true,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
'unique' => array(
'rule' => 'isUnique',
'message' => 'An account with this email address already exists.'
),
),
'autoalert' => array(
'boolean' => array(
'rule' => array('boolean'),
//'message' => 'Your custom message here',
'allowEmpty' => true,
'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'contactalert' => array(
'boolean' => array(
'rule' => array('boolean'),
//'message' => 'Your custom message here',
'allowEmpty' => true,
'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'authkey' => array(
'minlength' => array(
'rule' => array('minlength', 40),
'message' => 'A authkey of a minimum length of 40 is required.',
'required' => true,
),
'notempty' => array(
'rule' => array('notempty'),
//'message' => 'Your custom message here',
//'allowEmpty' => false,
//'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'invited_by' => array(
'numeric' => array(
'rule' => array('numeric'),
//'message' => 'Your custom message here',
//'allowEmpty' => false,
//'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'change_pw' => array(
'numeric' => array(
'rule' => array('numeric'),
//'message' => 'Your custom message here',
'allowEmpty' => true,
'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'gpgkey' => array(
'notempty' => array(
'rule' => array('validateGpgkey'),
'message' => 'GPG key not valid, please enter a valid key.',
//'allowEmpty' => false,
//'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'nids_sid' => array(
'numeric' => array(
'rule' => array('numeric'),
'message' => 'A SID should be an integer.',
'allowEmpty' => false,
'required' => true,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'termsaccepted' => array(
'boolean' => array(
'rule' => array('boolean'),
//'message' => 'Your custom message here',
//'allowEmpty' => false,
//'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'newsread' => array(
'date' => array(
'rule' => array('date'),
//'message' => 'Your custom message here',
//'allowEmpty' => false,
//'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
);
//The Associations below have been created with all possible keys, those that are not needed can be removed
/**
* belongsTo associations
*
* @var array
*/
public $belongsTo = array(
'Role' => array(
'className' => 'Role',
'foreignKey' => 'role_id',
'conditions' => '',
'fields' => '',
'order' => ''
Initial commit
2015-02-23 11:33:38 +01:00
),
'Organisation' => array(
'className' => 'Organisation',
'foreignKey' => 'organisation_id',
'conditions' => '',
'fields' => '',
'order' => ''
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
)
);
/**
* hasMany associations
*
* @var array
*/
public $hasMany = array(
'Event' => array(
'className' => 'Event',
'foreignKey' => 'user_id',
'dependent' => false,
'conditions' => '',
'fields' => '',
'order' => '',
'limit' => '',
'offset' => '',
'exclusive' => '',
'finderQuery' => '',
'counterQuery' => ''
Discussion boards - First fully working version - Create threads or create a thread attached to an event - Add posts to threads / edit them / delete them
2013-08-14 17:46:57 +02:00
),
'Post' => array(
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
)
);
public $actsAs = array(
'SysLogLogable.SysLogLogable' => array( // TODO Audit, logable
'userModel' => 'User',
'userKey' => 'user_id',
'change' => 'full'
),
'Trim',
Upgrade script for 2.1.8 - we have introduced the "locked" flag for events to protect events of the original creator from being edited by a sync user - IMPORTANT: before running the script below, make sure to create the locked field for the event table (see INSTALL/LOCKED.sql) - This script (generateLocked found in the Administrative tools menu) will attempt to set the locked value for existing events to ease the transition - The default value for locked is 0, and all events created on the instance should be set to this value - events that were synced from another instance should have their locked value set to 1 - this script checks for local organisations and sets the locked field to 1 for all events not created by them - a local organisation, as defined for the scope of this scrips is: an organisation with at least 2 members or an organisation with a single member that is not a sync user. - The script is only accessible by site admins and will return a notification about the number of events altered.
2013-08-21 11:33:30 +02:00
'Containable'
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
//'RemoveNewline' => array('fields' => array('gpgkey')),
);
Strict messages fixes #99 and user edit requiring to change password fixes #67 - Plugins and the user model were throwing strict messages in php 5.4+ or with E_STRICT on php 5.3 and lower. Should be fixed. - New cakePHP added automatic HTML5 validation to form fields, which breaks fields that can alternatively be left empty to not be edited (such as the password field in user edits) - removed the html5 form validation from user edits.
2013-05-13 14:27:40 +02:00
public function beforeSave($options = array()) {
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
if (isset($this->data[$this->alias]['password'])) {
$this->data[$this->alias]['password'] = AuthComponent::password($this->data[$this->alias]['password']);
}
return true;
// only accept add and edit in own org
//if ($this->data[$this->alias]['org'] != "TEST") {
// return false;
//}
//return true;
}
/**
* Checks if the GPG key is a valid key
* But also import it in the keychain.
*/
Changes to the admin methods - cleaned up the methods, they all now return results without debug mode enabled - Added a verification method for all user GPG keys (as an expired key for example would send out empty messages)
2014-01-21 11:28:18 +01:00
// TODO: this will NOT fail on keys that can only be used for signing but not encryption!
// the method in verifyUsers will fail in that case.
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
public function validateGpgkey($check) {
// LATER first remove the old gpgkey from the keychain
// empty value
if (empty($check['gpgkey'])) {
return true;
}
// we have a clean, hopefull public, key here
// key is entered
require_once 'Crypt/GPG.php';
try {
$gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir')));
try {
$keyImportOutput = $gpg->importKey($check['gpgkey']);
if (!empty($keyImportOutput['fingerprint'])) {
return true;
}
} catch (Exception $e) {
//debug($e);
more logging with PGP errors
2013-07-17 12:54:55 +02:00
$this->log($e->getMessage());
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
return false;
}
} catch (Exception $e) {
//debug($e);
more logging with PGP errors
2013-07-17 12:54:55 +02:00
$this->log($e->getMessage());
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
return true; // TODO was false
}
}
Password complexity definable by admin - administrators can use a regex and a length setting to define password requirements - old behavior used if left untouched
2015-01-27 10:41:43 +01:00
public function passwordLength($check) {
$length = Configure::read('Security.password_policy_length');
if (empty($length) || $length < 0) $length = 6;
$value = array_values($check);
$value = $value[0];
if (strlen($value) < $length) return false;
return true;
}
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
public function complexPassword($check) {
/*
Password complexity definable by admin - administrators can use a regex and a length setting to define password requirements - old behavior used if left untouched
2015-01-27 10:41:43 +01:00
default password:
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
6 characters minimum
1 or more upper-case letters
1 or more lower-case letters
1 or more digits or special characters
example: "EasyPeasy34"
Password complexity definable by admin - administrators can use a regex and a length setting to define password requirements - old behavior used if left untouched
2015-01-27 10:41:43 +01:00
If Security.password_policy_complexity is set and valid, use the regex provided.
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
*/
Password complexity definable by admin - administrators can use a regex and a length setting to define password requirements - old behavior used if left untouched
2015-01-27 10:41:43 +01:00
$regex = Configure::read('Security.password_policy_complexity');
if (empty($regex) || @preg_match($regex, 'test') === false) $regex = '/((?=.*\d)|(?=.*\W+))(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$/';
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
$value = array_values($check);
$value = $value[0];
Password complexity definable by admin - administrators can use a regex and a length setting to define password requirements - old behavior used if left untouched
2015-01-27 10:41:43 +01:00
return preg_match($regex, $value);
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
}
public function identicalFieldValues($field=array(), $compareField=null) {
foreach ($field as $key => $value) {
$v1 = $value;
$v2 = $this->data[$this->name][$compareField];
if ($v1 !== $v2) {
return false;
} else {
continue;
}
}
return true;
}
/**
* Generates an authentication key for each user
*/
public function generateAuthKey() {
$length = 40;
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$charLen = strlen($characters) - 1;
$key = '';
for ($p = 0; $p < $length; $p++) {
$key .= $characters[rand(0, $charLen)];
}
improved password generation algorithm in reset password
2013-07-11 14:26:28 +02:00
return $key;
}
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
must be sleepy...holliday effect?
2013-07-11 14:30:56 +02:00
public function generateRandomPassword() {
improved password generation algorithm in reset password
2013-07-11 14:26:28 +02:00
$length = 12;
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-+=!@#$%&*()<>/?';
$charLen = strlen($characters) - 1;
$key = '';
for ($p = 0; $p < $length; $p++) {
$key .= $characters[rand(0, $charLen)];
}
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
return $key;
}
improved password generation algorithm in reset password
2013-07-11 14:26:28 +02:00
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
public function checkAndCorrectPgps() {
$fails = array();
$users = $this->find('all', array('recursive' => 0));
foreach ($users as $user) {
if (strlen($user['User']['gpgkey']) && strpos($user['User']['gpgkey'], "\n")) {
$fails[] = $user['User']['id'] . ':' . $user['User']['id'];
//$check['gpgkey'] = trim(preg_replace('/\n', '', $check['gpgkey']));
}
}
return $fails;
}
More work on the background jobs - added scheduler to the export caching - site admins can set up the intervals of the automated caches, and the exact times at which they should be executed.
2014-01-03 15:26:35 +01:00
public function getOrgs() {
$this->recursive = -1;
$orgs = $this->find('all', array(
'fields' => array('DISTINCT (User.org) AS org'),
));
$orgNames = array();
foreach ($orgs as $org) {
$orgNames[] = $org['User']['org'];
}
return $orgNames;
}
Changes to the admin methods - cleaned up the methods, they all now return results without debug mode enabled - Added a verification method for all user GPG keys (as an expired key for example would send out empty messages)
2014-01-21 11:28:18 +01:00
public function getOrgMemberCount($org) {
return $this->find('count', array(
'conditions' => array(
'org =' => $org,
)));
}
public function verifyGPG() {
require_once 'Crypt/GPG.php';
$this->Behaviors->detach('Trim');
$results = array();
$users = $this->find('all', array(
'conditions' => array('not' => array('gpgkey' => '')),
//'fields' => array('id', 'email', 'gpgkey'),
'recursive' => -1,
));
foreach ($users as $k => $user) {
Small fix to avoid repeated incorrect invalid messages after the first failed check
2014-09-08 13:34:14 +02:00
$gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir')));
Changes to the admin methods - cleaned up the methods, they all now return results without debug mode enabled - Added a verification method for all user GPG keys (as an expired key for example would send out empty messages)
2014-01-21 11:28:18 +01:00
$key = $gpg->importKey($user['User']['gpgkey']);
$gpg->addEncryptKey($key['fingerprint']); // use the key that was given in the import
try {
$enc = $gpg->encrypt('test', true);
} catch (Exception $e){
$results[$user['User']['id']][0] = true;
}
$results[$user['User']['id']][1] = $user['User']['email'];
}
return $results;
}
Very large PGP keys would prevent users from logging in - fixes #142 - removed the PGP key from the Auth user - PGP key of currently logged in user is looked up on demand and not stored in the session
2014-04-01 16:20:47 +02:00
public function getPGP($id) {
$result = $this->find('first', array(
'recursive' => -1,
'fields' => array('id', 'gpgkey'),
Fixed an incorrect check for the no PGP key warning condition partially responsible for #271
2014-08-21 15:27:25 +02:00
'conditions' => array('id' => $id),
Very large PGP keys would prevent users from logging in - fixes #142 - removed the PGP key from the Auth user - PGP key of currently logged in user is looked up on demand and not stored in the session
2014-04-01 16:20:47 +02:00
));
return $result['User']['gpgkey'];
}
Subscription to alerts from contact reporter - Users can now choose to subscribe to receive e-mails from the "Contact Reporter" feature.
2013-03-06 11:34:22 +01:00
}