MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity
MISP/app/Model/User.php

1597 lines
57 KiB
PHP
Raw Blame History

<?php
App::uses('AppModel', 'Model');
App::uses('AuthComponent', 'Controller/Component');
App::uses('RandomTool', 'Tools');
App::uses('GpgTool', 'Tools');
App::uses('SendEmail', 'Tools');
App::uses('SendEmailTemplate', 'Tools');
App::uses('BlowfishConstantPasswordHasher', 'Controller/Component/Auth');
/**
* @property Log $Log
* @property Organisation $Organisation
* @property Role $Role
* @property UserSetting $UserSetting
* @property Event $Event
* @property AuthKey $AuthKey
* @property Server $Server
*/
class User extends AppModel
{
public $displayField = 'email';
public $validate = array(
'role_id' => array(
'numeric' => array(
'rule' => array('numeric'),
//'message' => 'Your custom message here',
//'allowEmpty' => false,
//'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'password' => array(
'minlength' => array(
'rule' => array('passwordLength'),
'message' => 'Password length requirement not met.',
//'allowEmpty' => false,
'required' => true,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
'complexity' => array(
'rule' => array('complexPassword'),
'message' => 'Password complexity requirement not met.',
//'allowEmpty' => false,
//'required' => true,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
'identical' => array(
'rule' => array('identicalFieldValues', 'confirm_password'),
'message' => 'Please re-enter your password twice so that the values match.',
//'allowEmpty' => false,
//'required' => true,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'org_id' => array(
'valueNotEmpty' => array(
'rule' => array('valueNotEmpty'),
),
'numeric' => array(
'rule' => array('numeric'),
'message' => 'The organisation ID has to be a numeric value.',
),
),
'email' => array(
'emailValidation' => array(
'rule' => array('validateEmail'),
'message' => 'Please enter a valid email address.',
'required' => true,
),
'unique' => array(
'rule' => 'isUnique',
'message' => 'An account with this email address already exists.'
),
),
'autoalert' => array(
'boolean' => array(
'rule' => array('boolean'),
//'message' => 'Your custom message here',
//'allowEmpty' => false,
'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'contactalert' => array(
'boolean' => array(
'rule' => array('boolean'),
//'message' => 'Your custom message here',
//'allowEmpty' => false,
'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'authkey' => array(
'minlength' => array(
'rule' => array('minlength', 40),
'message' => 'A authkey of a minimum length of 40 is required.',
'required' => true,
),
'valueNotEmpty' => array(
'rule' => array('valueNotEmpty'),
),
),
'invited_by' => array(
'numeric' => array(
'rule' => array('numeric'),
//'message' => 'Your custom message here',
//'allowEmpty' => false,
//'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'change_pw' => array(
'boolean' => array(
'rule' => array('boolean'),
//'message' => 'Your custom message here',
'allowEmpty' => true,
'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'gpgkey' => array(
'gpgvalidation' => array(
'rule' => array('validateGpgkey'),
'message' => 'GnuPG key not valid, please enter a valid key.',
),
),
'certif_public' => array(
'notempty' => array(
'rule' => array('validateCertificate'),
'message' => 'Certificate not valid, please enter a valid certificate (x509).',
//'allowEmpty' => false,
//'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'nids_sid' => array(
'numeric' => array(
'rule' => array('numeric'),
'message' => 'A SID should be an integer.',
'allowEmpty' => false,
'required' => true,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'termsaccepted' => array(
'boolean' => array(
'rule' => array('boolean'),
//'message' => 'Your custom message here',
//'allowEmpty' => false,
//'required' => false,
//'last' => false, // Stop validation after this rule
//'on' => 'create', // Limit validation to 'create' or 'update' operations
),
),
'newsread' => array(
'numeric' => array(
'rule' => array('numeric')
),
),
);
// The Associations below have been created with all possible keys, those that are not needed can be removed
public $belongsTo = array(
'Role' => array(
'className' => 'Role',
'foreignKey' => 'role_id',
'conditions' => '',
'fields' => '',
'order' => ''
),
'Organisation' => array(
'className' => 'Organisation',
'foreignKey' => 'org_id',
'conditions' => '',
'fields' => '',
'order' => ''
),
'Server' => array(
'className' => 'Server',
'foreignKey' => 'server_id',
'conditions' => '',
'fields' => array('Server.id', 'Server.url', 'Server.push_rules'),
'order' => ''
)
);
public $hasMany = array(
'Event' => array(
'className' => 'Event',
'foreignKey' => 'user_id',
'dependent' => false,
'conditions' => '',
'fields' => '',
'order' => '',
'limit' => '',
'offset' => '',
'exclusive' => '',
'finderQuery' => '',
'counterQuery' => ''
),
'Post',
'UserSetting',
// 'AuthKey' - readd once the initial update storm is over
);
public $actsAs = array(
'AuditLog',
'SysLogLogable.SysLogLogable' => array(
'userModel' => 'User',
'userKey' => 'user_id',
'change' => 'full',
'ignore' => array('password')
),
'Trim',
'Containable'
);
public function __construct($id = false, $table = null, $ds = null)
{
parent::__construct($id, $table, $ds);
// bind AuthKey just when authkey table already exists. This is important for updating from old versions
if (in_array('auth_keys', $this->getDataSource()->listSources(), true)) {
$this->bindModel([
'hasMany' => ['AuthKey']
], false);
}
}
/** @var CryptGpgExtended|null|false */
private $gpg;
public function beforeValidate($options = array())
{
if (!isset($this->data['User']['id'])) {
if ((isset($this->data['User']['enable_password']) && (!$this->data['User']['enable_password'])) || (empty($this->data['User']['password']) && empty($this->data['User']['confirm_password']))) {
$this->data['User']['password'] = $this->generateRandomPassword();
$this->data['User']['confirm_password'] = $this->data['User']['password'];
}
}
if (!isset($this->data['User']['certif_public']) || empty($this->data['User']['certif_public'])) {
$this->data['User']['certif_public'] = '';
}
if (!isset($this->data['User']['authkey']) || empty($this->data['User']['authkey'])) {
$this->data['User']['authkey'] = $this->generateAuthKey();
}
if (!isset($this->data['User']['nids_sid']) || empty($this->data['User']['nids_sid'])) {
$this->data['User']['nids_sid'] = mt_rand(1000000, 9999999);
}
if (isset($this->data['User']['newsread']) && $this->data['User']['newsread'] === null) {
$this->data['User']['newsread'] = 0;
}
return true;
}
public function beforeSave($options = array())
{
$this->data[$this->alias]['date_modified'] = time();
if (isset($this->data[$this->alias]['password'])) {
$passwordHasher = new BlowfishConstantPasswordHasher();
$this->data[$this->alias]['password'] = $passwordHasher->hash($this->data[$this->alias]['password']);
}
return true;
}
public function afterSave($created, $options = array())
{
$pubToZmq = $this->pubToZmq('user');
$kafkaTopic = $this->kafkaTopic('user');
if ($pubToZmq || $kafkaTopic) {
if (!empty($this->data)) {
$user = $this->data;
if (!isset($user['User'])) {
$user['User'] = $user;
}
$action = $created ? 'edit' : 'add';
if (isset($user['User']['action'])) {
$action = $user['User']['action'];
}
if (isset($user['User']['id'])) {
$user = $this->find('first', array(
'recursive' => -1,
'conditions' => array('User.id' => $user['User']['id']),
'fields' => array('id', 'email', 'last_login', 'org_id', 'termsaccepted', 'autoalert', 'newsread', 'disabled'),
'contain' => array(
'Organisation' => array(
'fields' => array('Organisation.id', 'Organisation.name', 'Organisation.description', 'Organisation.uuid', 'Organisation.nationality', 'Organisation.sector', 'Organisation.type', 'Organisation.local')
)
)
));
}
if (isset($user['User']['password'])) {
unset($user['User']['password']);
unset($user['User']['confirm_password']);
}
if ($pubToZmq) {
$pubSubTool = $this->getPubSubTool();
$pubSubTool->modified($user, 'user', $action);
}
if ($kafkaTopic) {
$kafkaPubTool = $this->getKafkaPubTool();
$kafkaPubTool->publishJson($kafkaTopic, $user, $action);
}
}
}
return true;
}
/**
* Checks if the GnuPG key is a valid key.
* @param array $check
* @return bool
*/
public function validateGpgkey($check)
{
// LATER first remove the old gpgkey from the keychain
// empty value
if (empty($check['gpgkey'])) {
return true;
}
// we have a clean, hopefully public, key here
$gpg = $this->initializeGpg();
if (!$gpg) {
return true;
}
try {
$gpgTool = new GpgTool($gpg);
$gpgTool->validateGpgKey($check['gpgkey']);
return true;
} catch (Exception $e) {
$this->logException("Exception during validating GPG key", $e, LOG_NOTICE);
return false;
}
}
// Checks if the certificate is a valid x509 certificate, but also import it in the keychain.
// this will NOT fail on keys that can only be used for signing but not encryption!
// the method in verifyUsers will fail in that case.
public function validateCertificate($check)
{
// LATER first remove the old certif_public from the keychain
// empty value
if (empty($check['certif_public'])) {
return true;
}
// certif_public is entered
// Check if $check is a x509 certificate
if (openssl_x509_read($check['certif_public'])) {
return $this->testSmimeCertificate($check['certif_public']);
} else {
return false;
}
}
public function passwordLength($check)
{
$length = Configure::read('Security.password_policy_length');
if (empty($length) || $length < 0) {
$length = 12;
}
$value = array_values($check);
$value = $value[0];
if (strlen($value) < $length) {
return false;
}
return true;
}
public function validateEmail($check)
{
$localPartReg = '[\p{L}0-9!#$%&\'*+\/=?^_`{|}~-]+(?:\.[\p{L}0-9!#$%&\'*+\/=?^_`{|}~-]+)*@';
$domainReg = '[a-z0-9_\-\.]+';
$fullReg = sprintf('/^%s%s$/ui', $localPartReg, $domainReg);
$check = array_values($check);
$check = $check[0];
return preg_match($fullReg, $check, $matches) ? true : false;
}
/*
default password:
6 characters minimum
1 or more upper-case letters
1 or more lower-case letters
1 or more digits or special characters
example: "EasyPeasy34"
If Security.password_policy_complexity is set and valid, use the regex provided.
*/
public function complexPassword($check)
{
$regex = Configure::read('Security.password_policy_complexity');
if (empty($regex) || @preg_match($regex, 'test') === false) {
$regex = '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/';
}
$value = array_values($check);
$value = $value[0];
return preg_match($regex, $value);
}
public function identicalFieldValues($field = array(), $compareField = null)
{
foreach ($field as $key => $value) {
$v1 = $value;
$v2 = $this->data[$this->name][$compareField];
if ($v1 !== $v2) {
return false;
} else {
continue;
}
}
return true;
}
public function generateAuthKey()
{
return (new RandomTool())->random_str(true, 40);
}
/**
* Generates a cryptographically secure password
*
* @param int $passwordLength
* @return string
*/
public function generateRandomPassword($passwordLength = 40)
{
// makes sure, the password policy isn't undermined by setting a manual passwordLength
$policyPasswordLength = Configure::read('Security.password_policy_length') ? Configure::read('Security.password_policy_length') : false;
if (is_int($policyPasswordLength) && $policyPasswordLength > $passwordLength) {
$passwordLength = $policyPasswordLength;
}
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-+=!@#$%^&*()<>/?';
return (new RandomTool())->random_str(true, $passwordLength, $characters);
}
public function checkAndCorrectPgps()
{
$fails = array();
$users = $this->find('all', array('recursive' => 0));
foreach ($users as $user) {
if (strlen($user['User']['gpgkey']) && strpos($user['User']['gpgkey'], "\n")) {
$fails[] = $user['User']['id'] . ':' . $user['User']['id'];
}
}
return $fails;
}
public function getOrgs()
{
$orgs = $this->Organisation->find('list', array(
'recursive' => -1,
'fields' => array('name'),
));
return $orgs;
}
public function getOrgMemberCount($org)
{
return $this->find('count', array(
'conditions' => array(
'org =' => $org,
)));
}
/**
* 0 - true if key is valid
* 1 - User e-mail
* 2 - Error message
* 3 - Not used
* 4 - Key fingerprint
* 5 - Key fingerprint
* @param array $user
* @return array
*/
public function verifySingleGPG(array $user)
{
$result = [0 => false, 1 => $user['User']['email']];
$gpg = $this->initializeGpg();
if (!$gpg) {
$result[2] = 'GnuPG is not configured on this system.';
return $result;
}
try {
$currentTimestamp = time();
$keys = $gpg->keyInfo($user['User']['gpgkey']);
if (count($keys) !== 1) {
$result[2] = 'Multiple or no key found';
return $result;
}
$key = $keys[0];
$result[4] = $key->getPrimaryKey()->getFingerprint();
$result[5] = $result[4];
$sortedKeys = ['valid' => 0, 'expired' => 0, 'noEncrypt' => 0];
foreach ($key->getSubKeys() as $subKey) {
$expiration = $subKey->getExpirationDate();
if ($expiration != 0 && $currentTimestamp > $expiration) {
$sortedKeys['expired']++;
continue;
}
if (!$subKey->canEncrypt()) {
$sortedKeys['noEncrypt']++;
continue;
}
$sortedKeys['valid']++;
}
if (!$sortedKeys['valid']) {
$result[2] = 'The user\'s PGP key does not include a valid subkey that could be used for encryption.';
if ($sortedKeys['expired']) {
$result[2] .= ' ' . __n('Found %s subkey that have expired.', 'Found %s subkeys that have expired.', $sortedKeys['expired'], $sortedKeys['expired']);
}
if ($sortedKeys['noEncrypt']) {
$result[2] .= ' ' . __n('Found %s subkey that is sign only.', 'Found %s subkeys that are sign only.', $sortedKeys['noEncrypt'], $sortedKeys['noEncrypt']);
}
} else {
$result[0] = true;
}
} catch (Exception $e) {
$result[2] = $e->getMessage();
}
return $result;
}
public function verifyGPG($id = false)
{
$this->Behaviors->detach('Trim');
$conditions = array('not' => array('gpgkey' => ''));
if ($id !== false) {
$conditions['User.id'] = $id;
}
$users = $this->find('all', array(
'conditions' => $conditions,
'fields' => ['id', 'email', 'gpgkey'],
'recursive' => -1,
));
if (empty($users)) {
return [];
}
$gpg = $this->initializeGpg();
if (!$gpg) {
return [];
}
$results = [];
foreach ($users as $user) {
$results[$user['User']['id']] = $this->verifySingleGPG($user);
}
return $results;
}
private function testSmimeCertificate($certif_public)
{
$sendEmail = new SendEmail();
try {
$sendEmail->testSmimeCertificate($certif_public);
return true;
} catch (Exception $e) {
if ($e->getPrevious()) {
return $e->getMessage() . ": " . $e->getPrevious()->getMessage();
}
return $e->getMessage();
}
}
public function verifyCertificate()
{
$this->Behaviors->detach('Trim');
$results = array();
$users = $this->find('all', array(
'conditions' => array('not' => array('certif_public' => '')),
'recursive' => -1,
));
foreach ($users as $k => $user) {
$result = $this->testSmimeCertificate($user['User']['certif_public']);
if ($result !== true) {
$results[$user['User']['id']] = array(0 => true, 1 => $user['User']['email']);
}
}
return $results;
}
/**
* If you want to check if user has GPG or X.509 or send encrypted emails to that user, you need user keys. But by
* default, keys are part of default user model. This method add that keys to user model.
*
* @param array $user
* @return array
* @throws Exception
*/
public function fillKeysToUser(array $user)
{
if (empty($user['id'])) {
throw new InvalidArgumentException("Invalid user model provided, not ID found.");
}
$result = $this->find('first', array(
'recursive' => -1,
'fields' => array('certif_public', 'gpgkey'),
'conditions' => array('id' => $user['id']),
));
if (!$result) {
throw new Exception("User with ID {$user['id']} not found.");
}
$user['gpgkey'] = $result['User']['gpgkey'];
$user['certif_public'] = $result['User']['certif_public'];
return $user;
}
/**
* @param int $id
* @return array|null
*/
public function getUserById($id)
{
if (empty($id)) {
throw new NotFoundException('Invalid user ID.');
}
return $this->find(
'first',
array(
'conditions' => array('User.id' => $id),
'recursive' => -1,
'contain' => array(
'Organisation',
'Role',
'Server',
'UserSetting',
)
)
);
}
/**
* Get the current user and rearrange it to be in the same format as in the auth component.
* @param int $id
* @param bool $full
* @return array|null
*/
public function getAuthUser($id, $full = false)
{
if (empty($id)) {
throw new InvalidArgumentException('Invalid user ID.');
}
$conditions = ['User.id' => $id];
return $this->getAuthUserByConditions($conditions, $full);
}
/**
* Get the current user and rearrange it to be in the same format as in the auth component.
* @param string $authkey
* @return array|null
*/
public function getAuthUserByAuthkey($authkey)
{
if (empty($authkey)) {
throw new InvalidArgumentException('Invalid user auth key.');
}
$conditions = array('User.authkey' => $authkey);
return $this->getAuthUserByConditions($conditions);
}
/**
* @param string $auth_key
* @return array|null
*/
public function getAuthUserByExternalAuth($auth_key)
{
if (empty($auth_key)) {
throw new InvalidArgumentException('Invalid user external auth key.');
}
$conditions = array(
'User.external_auth_key' => $auth_key,
'User.external_auth_required' => true
);
return $this->getAuthUserByConditions($conditions);
}
/**
* Get user model with Role, Organisation and Server, but without PGP and S/MIME keys
* @param array $conditions
* @param bool $full When true, fetch all user fields.
* @return array|null
*/
private function getAuthUserByConditions(array $conditions, $full = false)
{
$user = $this->find('first', [
'conditions' => $conditions,
'fields' => $full ? [] : $this->describeAuthFields(),
'recursive' => -1,
'contain' => [
'Organisation',
'Role',
'Server',
],
]);
if (empty($user)) {
return $user;
}
return $this->rearrangeToAuthForm($user);
}
/**
* User model is a mess. Sometimes it is necessary to convert User model to form that is created during the login
* process. This method do that work for you.
*
* @param array $user
* @return array
*/
public function rearrangeToAuthForm(array $user)
{
if (!isset($user['User'])) {
throw new InvalidArgumentException('Invalid user model provided.');
}
$user['User']['Role'] = $user['Role'];
$user['User']['Organisation'] = $user['Organisation'];
$user['User']['Server'] = $user['Server'];
if (isset($user['UserSetting'])) {
$user['User']['UserSetting'] = $user['UserSetting'];
}
return $user['User'];
}
// Fetch all users that have access to an event / discussion for e-mailing (or maybe something else in the future.
// parameters are an array of org IDs that are owners (for an event this would be orgc and org)
public function getUsersWithAccess($owners = array(), $distribution, $sharing_group_id = 0, $userConditions = array())
{
$conditions = array();
$validOrgs = array();
$all = true;
// add owners to the conditions
if ($distribution == 0 || $distribution == 4) {
$all = false;
$validOrgs = $owners;
}
// add all orgs to the conditions that can see the SG
if ($distribution == 4) {
$sgModel = ClassRegistry::init('SharingGroup');
$sgOrgs = $sgModel->getOrgsWithAccess($sharing_group_id);
if ($sgOrgs === true) {
$all = true;
} else {
$validOrgs = array_merge($validOrgs, $sgOrgs);
}
}
$validOrgs = array_unique($validOrgs);
$conditions['AND'][] = array('disabled' => 0);
if (!$all) {
$conditions['AND']['OR'][] = array('org_id' => $validOrgs);
// Add the site-admins to the list
$roles = $this->Role->find('all', array(
'conditions' => array('perm_site_admin' => 1),
'fields' => array('id')
));
$roleIDs = array();
foreach ($roles as $role) {
$roleIDs[] = $role['Role']['id'];
}
$conditions['AND']['OR'][] = array('role_id' => $roleIDs);
}
$conditions['AND'][] = $userConditions;
$users = $this->find('all', array(
'conditions' => $conditions,
'recursive' => -1,
'fields' => array('id', 'email', 'gpgkey', 'certif_public', 'org_id', 'disabled'),
'contain' => ['Role' => ['fields' => ['perm_site_admin', 'perm_audit']], 'Organisation' => ['fields' => ['id', 'name']]],
));
foreach ($users as $k => $user) {
$user = $user['User'];
unset($users[$k]['User']);
$users[$k] = array_merge($user, $users[$k]);
}
return $users;
}
/**
* @param array $params
* @return array|bool
* @throws Crypt_GPG_Exception
* @throws SendEmailException
*/
public function sendEmailExternal(array $params)
{
$gpg = $this->initializeGpg();
$sendEmail = new SendEmail($gpg);
return $sendEmail->sendExternal($params);
}
/**
* All e-mail sending is now handled by this method
* Just pass the user array that is the target of the e-mail along with the message body and the alternate message body if the message cannot be encrypted
* the remaining two parameters are the e-mail subject and a secondary user object which will be used as the replyto address if set. If it is set and an encryption key for the replyTo user exists, then his/her public key will also be attached
*
* @param array $user
* @param SendEmailTemplate|string $body
* @param string|false $bodyNoEnc
* @param string $subject
* @param array|false $replyToUser
* @return bool
* @throws Crypt_GPG_BadPassphraseException
* @throws Crypt_GPG_Exception
*/
public function sendEmail(array $user, $body, $bodyNoEnc = false, $subject, $replyToUser = false)
{
if ($user['User']['disabled'] || !$this->checkIfUserIsValid($user['User'])) {
return true;
}
$this->loadLog();
$replyToLog = $replyToUser ? ' from ' . $replyToUser['User']['email'] : '';
$gpg = $this->initializeGpg();
$sendEmail = new SendEmail($gpg);
$result = $sendEmail->sendToUser($user, $subject, $body, $bodyNoEnc,$replyToUser ?: []);
try {
$result = $sendEmail->sendToUser($user, $subject, $body, $bodyNoEnc,$replyToUser ?: []);
} catch (SendEmailException $e) {
$this->logException("Exception during sending e-mail", $e);
$this->Log->create();
$this->Log->save(array(
'org' => 'SYSTEM',
'model' => 'User',
'model_id' => $user['User']['id'],
'email' => $user['User']['email'],
'action' => 'email',
'title' => 'Email' . $replyToLog . ' to ' . $user['User']['email'] . ', titled "' . $subject . '" failed. Reason: ' . $e->getMessage(),
'change' => null,
));
return false;
}
$logTitle = $result['encrypted'] ? 'Encrypted email' : 'Email';
// Intentional two spaces to pass test :)
$logTitle .= $replyToLog . ' to ' . $user['User']['email'] . ' sent, titled "' . $result['subject'] . '".';
$this->Log->create();
$this->Log->save(array(
'org' => 'SYSTEM',
'model' => 'User',
'model_id' => $user['User']['id'],
'email' => $user['User']['email'],
'action' => 'email',
'title' => $logTitle,
'change' => null,
));
return true;
}
/**
* @param string $email
* @return array
* @throws Exception
*/
public function searchGpgKey($email)
{
$gpgTool = new GpgTool(null);
return $gpgTool->searchGpgKey($email);
}
/**
* @param string $fingerprint
* @return string|null
* @throws Exception
*/
public function fetchGpgKey($fingerprint)
{
$gpgTool = new GpgTool($this->initializeGpg());
return $gpgTool->fetchGpgKey($fingerprint);
}
/**
* Returns fields that should be fetched from database.
* @return array
*/
public function describeAuthFields()
{
$fields = $this->schema();
// Do not include keys, because they are big and usually not necessary
unset($fields['gpgkey']);
unset($fields['certif_public']);
// Do not fetch password from db, it is automatically fetched by BaseAuthenticate::_findUser
unset($fields['password']);
// Do not fetch authkey from db, it is sensitive and not need
unset($fields['authkey']);
$fields = array_keys($fields);
foreach ($this->belongsTo as $relatedModel => $foo) {
$fields[] = $relatedModel . '.*';
}
return $fields;
}
public function findAdminsResponsibleForUser($user)
{
$admin = $this->find('first', array(
'recursive' => -1,
'conditions' => array(
'Role.perm_admin' => 1,
'User.disabled' => 0,
'User.org_id' => $user['org_id']
),
'contain' => array(
'Role' => array('fields' => array('perm_admin'))
),
'fields' => array('User.id', 'User.email', 'User.org_id')
));
if (count($admin) == 0) {
$admin = $this->find('first', array(
'recursive' => -1,
'conditions' => array(
'Role.perm_site_admin' => 1,
'User.disabled' => 0,
),
'contain' => array(
'Role' => array('fields' => array('perm_site_admin'))
),
'fields' => array('User.id', 'User.email', 'User.org_id')
));
}
return $admin['User'];
}
public function initiatePasswordReset($user, $firstTime = false, $simpleReturn = false, $fixedPassword = false)
{
$org = Configure::read('MISP.org');
$subjects = array('[' . $org . ' MISP] New user registration', '[' . $org . ' MISP] Password reset');
$subject = $subjects[($firstTime ? 0 : 1)];
$this->Server = ClassRegistry::init('Server');
if ($fixedPassword) {
$password = $fixedPassword;
} else {
$password = $this->generateRandomPassword();
}
$body = $this->preparePasswordResetEmail($user, $password, $firstTime, $subject);
$result = $this->sendEmail($user, $body, false, $subject);
if ($result) {
$this->id = $user['User']['id'];
$this->saveField('password', $password);
$this->updateField($user['User'], 'change_pw', 1);
if ($simpleReturn) {
return true;
} else {
return array('body'=> json_encode(array('saved' => true, 'success' => 'New credentials sent.')),'status'=>200);
}
}
if ($simpleReturn) {
return false;
} else {
return array('body'=> json_encode(array('saved' => false, 'errors' => 'There was an error notifying the user. His/her credentials were not altered.')),'status'=>200);
}
}
private function preparePasswordResetEmail($user, $password, $firstTime, $subject)
{
$textToFetch = $firstTime ? 'newUserText': 'passwordResetText';
$this->Server = ClassRegistry::init('Server');
$bodyTemplate = Configure::read('MISP.' . $textToFetch);
if (!$bodyTemplate) {
$bodyTemplate = $this->Server->serverSettings['MISP'][$textToFetch]['value'];
}
$template = new SendEmailTemplate('password_reset');
$template->set('body', $bodyTemplate);
$template->set('user', $user);
$template->set('password', $password);
$template->subject($subject);
return $template;
}
public function getOrgAdminsForOrg($org_id, $excludeUserId = false)
{
$adminRoles = $this->Role->find('column', array(
'conditions' => array('perm_admin' => 1),
'fields' => array('Role.id')
));
$conditions = array(
'User.org_id' => $org_id,
'User.disabled' => 0,
'User.role_id' => $adminRoles
);
if ($excludeUserId) {
$conditions['User.id !='] = $excludeUserId;
}
return $this->find('list', array(
'recursive' => -1,
'conditions' => $conditions,
'fields' => array(
'User.id', 'User.email'
)
));
}
public function verifyPassword($user_id, $password)
{
$currentUser = $this->find('first', array(
'conditions' => array('User.id' => $user_id),
'recursive' => -1,
'fields' => array('User.password')
));
if (empty($currentUser)) {
return false;
}
if (strlen($currentUser['User']['password']) == 40) {
App::uses('SimplePasswordHasher', 'Controller/Component/Auth');
$passwordHasher = new SimplePasswordHasher();
} else {
$passwordHasher = new BlowfishConstantPasswordHasher();
}
$hashed = $passwordHasher->check($password, $currentUser['User']['password']);
return $hashed;
}
public function createInitialUser($org_id)
{
$authKey = $this->generateAuthKey();
$admin = array('User' => array(
'id' => 1,
'email' => 'admin@admin.test',
'org_id' => $org_id,
'password' => 'admin',
'confirm_password' => 'admin',
'authkey' => $authKey,
'nids_sid' => 4000000,
'newsread' => 0,
'role_id' => 1,
'change_pw' => 1
));
$this->validator()->remove('password'); // password is too simple, remove validation
$this->save($admin);
if (!empty(Configure::read("Security.advanced_authkeys"))) {
$this->AuthKey = ClassRegistry::init('AuthKey');
$newKey = [
'authkey' => $authKey,
'user_id' => 1,
'comment' => 'Initial auto-generated key',
'allowed_ips' => null,
];
$this->AuthKey->create();
$this->AuthKey->save($newKey);
}
return $authKey;
}
public function resetAllSyncAuthKeysRouter($user, $jobId = false)
{
if (Configure::read('MISP.background_jobs')) {
/** @var Job $job */
$job = ClassRegistry::init('Job');
$jobId = $job->createJob(
$user,
Job::WORKER_PRIO,
'reset_all_sync_api_keys',
__('Reseting all API keys'),
'Issuing new API keys to all sync users.'
);
$this->getBackgroundJobsTool()->enqueue(
BackgroundJobsTool::PRIO_QUEUE,
BackgroundJobsTool::CMD_ADMIN,
[
'resetSyncAuthkeys',
$user['id'],
$jobId
],
true,
$jobId
);
return true;
} else {
return $this->resetAllSyncAuthKeys($user);
}
}
public function resetAllSyncAuthKeys($user, $jobId = false)
{
$affected_users = $this->find('all', array(
'recursive' => -1,
'contain' => array('Role'),
'conditions' => array(
'OR' => array(
'Role.perm_sync' => 1,
'Role.perm_admin' => 1
),
'Role.perm_site_admin' => 0
)
));
$results = array('success' => 0, 'fails' => 0);
$user_count = count($affected_users);
if ($jobId) {
$job = ClassRegistry::init('Job');
$existingJob = $job->find('first', array(
'conditions' => array('Job.id' => $jobId),
'recursive' => -1
));
if (empty($existingJob)) {
$jobId = false;
}
}
foreach ($affected_users as $k => $affected_user) {
try {
$reset_result = $this->resetauthkey($user, $affected_user['User']['id'], true);
if ($reset_result) {
$results['success'] += 1;
} else {
$results['fails'] += 1;
}
} catch (Exception $e) {
$results['fails'] += 1;
}
if ($jobId) {
if ($k % 100 == 0) {
$job->id = $jobId;
$job->saveField('progress', 100 * (($k + 1) / $user_count));
$job->saveField('message', __('Reset in progress - %s/%s.', $k, $user_count));
}
}
}
if ($jobId) {
$message = __('%s authkeys reset, %s could not be reset', $results['success'], $results['fails']);
$job->saveField('progress', 100);
$job->saveField('message', $message);
$job->saveField('status', 4);
}
return $results;
}
public function resetauthkey($user, $id, $alert = false, $keyId = null)
{
$this->id = $id;
if (!$id || !$this->exists($id)) {
return false;
}
$updatedUser = $this->read();
if (empty($user['Role']['perm_site_admin']) && !($user['Role']['perm_admin'] && $user['org_id'] == $updatedUser['User']['org_id']) && ($user['id'] != $id)) {
return false;
}
if (empty(Configure::read('Security.advanced_authkeys'))) {
$oldKey = $this->data['User']['authkey'];
$newkey = $this->generateAuthKey();
$this->updateField($updatedUser['User'], 'authkey', $newkey);
$this->extralog(
$user,
'reset_auth_key',
__('Authentication key for user %s (%s) updated.',
$updatedUser['User']['id'],
$updatedUser['User']['email']
),
$fieldsResult = ['authkey' => [$oldKey, $newkey]],
$updatedUser
);
} else {
$this->AuthKey = ClassRegistry::init('AuthKey');
$newkey = $this->AuthKey->resetAuthKey($id, $keyId);
}
if ($alert) {
$baseurl = Configure::read('MISP.external_baseurl');
if (empty($baseurl)) {
$baseurl = Configure::read('MISP.baseurl');
}
$body = __(
"Dear user,\n\nan API key reset has been triggered by an administrator for your user account on %s.\n\nYour new API key is: %s\n\nPlease update your server's sync setup to reflect this change.\n\nWe apologise for the inconvenience.",
$baseurl,
$newkey
);
$bodyNoEnc = __(
"Dear user,\n\nan API key reset has been triggered by an administrator for your user account on %s.\n\nYour new API key can be retrieved by logging in using this sync user's account.\n\nPlease update your server's sync setup to reflect this change.\n\nWe apologise for the inconvenience.",
$baseurl,
$newkey
);
$this->sendEmail(
$updatedUser,
$body,
$bodyNoEnc,
__('API key reset by administrator')
);
}
return $newkey;
}
public function extralog($user, $action = null, $description = null, $fieldsResult = null, $modifiedUser = null)
{
// new data
$model = 'User';
$modelId = $user['id'];
if (!empty($modifiedUser)) {
$modelId = $modifiedUser['User']['id'];
}
if ($action == 'login') {
$description = "User (" . $user['id'] . "): " . $user['email'];
} elseif ($action == 'logout') {
$description = "User (" . $user['id'] . "): " . $user['email'];
} elseif ($action == 'edit') {
$description = "User (" . $modifiedUser['User']['id'] . "): " . $modifiedUser['User']['email'];
} elseif ($action == 'change_pw') {
$description = "User (" . $modifiedUser['User']['id'] . "): " . $modifiedUser['User']['email'];
$fieldsResult = "Password changed.";
}
// query
$this->Log = ClassRegistry::init('Log');
$result = $this->Log->createLogEntry($user, $action, $model, $modelId, $description, $fieldsResult);
// write to syslogd as well
App::import('Lib', 'SysLog.SysLog');
$syslog = new SysLog();
$syslog->write('notice', "$description -- $action" . (empty($fieldsResult) ? '' : ' -- ' . $result['Log']['change']));
}
/**
* @return array|null
* @throws Exception
*/
public function getGpgPublicKey()
{
$email = Configure::read('GnuPG.email');
if (!$email) {
throw new Exception("Configuration option 'GnuPG.email' is not set, public key cannot be exported.");
}
$cryptGpg = $this->initializeGpg();
$fingerprint = $cryptGpg->getFingerprint($email);
if (!$fingerprint) {
return null;
}
$publicKey = $cryptGpg->exportPublicKey($fingerprint);
return array($fingerprint, $publicKey);
}
public function getOrgActivity($orgId, $params=array())
{
$conditions = array();
$options = array();
foreach($params as $paramName => $value) {
$options['filter'] = $paramName;
$filterParam[$paramName] = $value;
$conditions = $this->Event->set_filter_timestamp($filterParam, $conditions, $options);
}
$conditions['Event.orgc_id'] = $orgId;
$events = $this->Event->find('all', array(
'recursive' => -1,
'fields' => array('Event.orgc_id', 'Event.timestamp', 'Event.attribute_count'),
'conditions' => $conditions,
'order' => 'Event.timestamp'
));
$sparklineData = array();
foreach ($events as $event) {
$date = date("Y-m-d", $event['Event']['timestamp']);
if (!isset($sparklineData[$event['Event']['attribute_count']][$date])) {
$sparklineData[$date] = $event['Event']['attribute_count'];
} else {
$sparklineData[$date] += $event['Event']['attribute_count'];
}
}
// get first and last timestamp
if (isset($params['from'])) {
$startDate = $params['from'];
} else {
$startDate = $this->resolveTimeDelta($params['event_timestamp']);
}
if (isset($params['to'])) {
$endDate = $params['to'];
} else {
$endDate = time();
}
$dates = array();
for ($d=$startDate; $d < $endDate; $d=$d+3600*24) {
$dates[] = date('Y-m-d', $d);
}
$csv = 'Date,Close\n';
foreach ($dates as $date) {
$csv .= sprintf('%s,%s\n', $date, isset($sparklineData[$date]) ? $sparklineData[$date] : 0);
}
$data = array(
'csv' => $csv,
'data' => $sparklineData,
'orgId' => $orgId
);
return $data;
}
public function registerUser($added_by, $registration, $org_id, $role_id) {
$user = array(
'email' => $registration['data']['email'],
'gpgkey' => empty($registration['data']['pgp']) ? '' : $registration['data']['pgp'],
'disabled' => 0,
'newsread' => 0,
'change_pw' => 1,
'authkey' => $this->generateAuthKey(),
'termsaccepted' => 0,
'org_id' => $org_id,
'role_id' => $role_id,
'invited_by' => $added_by['id'],
'contactalert' => 1,
'autoalert' => Configure::check('MISP.default_publish_alert') ? Configure::read('MISP.default_publish_alert') : 1
);
$this->create();
$this->Log = ClassRegistry::init('Log');
$result = $this->save(array('User' => $user));
$currentOrg = $this->Organisation->find('first', array(
'recursive' => -1,
'conditions' => array('Organisation.id' => $org_id)
));
if (!empty($currentOrg) && empty($currentOrg['Organisation']['local'])) {
$currentOrg['Organisation']['local'] = 1;
$this->Organisation->save($currentOrg);
}
if (empty($result)) {
$error = array();
foreach ($this->validationErrors as $key => $errors) {
$error[$key] = $key . ': ' . implode(', ', $errors);
}
$error = implode(PHP_EOL, $error);
$this->Log->save(array(
'org' => 'SYSTEM',
'model' => 'User',
'model_id' => $added_by['id'],
'email' => $added_by['email'],
'action' => 'registration_error',
'title' => 'User registration failed for ' . $user['email'] . '. Reason(s): ' . $error,
'change' => null,
));
return false;
} else {
$user = $this->find('first', array(
'recursive' => -1,
'conditions' => array('id' => $this->id)
));
$this->Log->save(array(
'org' => 'SYSTEM',
'model' => 'User',
'model_id' => $added_by['id'],
'email' => $added_by['email'],
'action' => 'registration',
'title' => sprintf('User registration success for %s (id=%s)', $user['User']['email'], $user['User']['id']),
'change' => null,
));
$this->initiatePasswordReset($user, true, true, false);
$this->Inbox = ClassRegistry::init('Inbox');
$this->Inbox->delete($registration['id']);
return true;
}
}
/**
* Updates `current_login` and `last_login` time in database.
*
* @param array $user
* @return array|bool
* @throws Exception
*/
public function updateLoginTimes(array $user)
{
if (!isset($user['id'])) {
throw new InvalidArgumentException("Invalid user object provided.");
}
$user['action'] = 'login'; // for afterSave callbacks
$user['last_login'] = $user['current_login'];
$user['current_login'] = time();
return $this->save($user, true, array('id', 'last_login', 'current_login'));
}
/**
* Update field in user model and also set `date_modified`
*
* @param array $user
* @param string $name
* @param mixed $value
* @throws Exception
*/
public function updateField(array $user, $name, $value)
{
if (!isset($user['id'])) {
throw new InvalidArgumentException("Invalid user object provided.");
}
$success = $this->save([
'id' => $user['id'],
$name => $value,
], true, ['id', $name, 'date_modified']);
if (!$success) {
throw new RuntimeException("Could not save setting $name for user {$user['id']}.");
}
}
/**
* Check if user still valid at identity provider.
* @param array $user
* @return bool
* @throws Exception
*/
public function checkIfUserIsValid(array $user)
{
$auth = Configure::read('Security.auth');
if (!$auth) {
return true;
}
if (!is_array($auth)) {
throw new Exception("`Security.auth` config value must be array.");
}
if (!in_array('OidcAuth.Oidc', $auth, true)) {
return true; // this method currently makes sense just for OIDC auth provider
}
App::uses('Oidc', 'OidcAuth.Lib');
$oidc = new Oidc($this);
return $oidc->isUserValid($user);
}
/**
* Initialize GPG. Returns `null` if initialization failed.
*
* @return null|CryptGpgExtended
*/
private function initializeGpg()
{
if ($this->gpg !== null) {
if ($this->gpg === false) { // initialization failed
return null;
}
return $this->gpg;
}
try {
$this->gpg = GpgTool::initializeGpg();
return $this->gpg;
} catch (Exception $e) {
$this->logException("GPG couldn't be initialized, GPG encryption and signing will be not available.", $e, LOG_NOTICE);
$this->gpg = false;
return null;
}
}
public function updateToAdvancedAuthKeys()
{
$users = $this->find('all', [
'recursive' => -1,
'contain' => ['AuthKey'],
'fields' => ['id', 'authkey']
]);
$updated = 0;
foreach ($users as $user) {
if (!empty($user['AuthKey'])) {
$currentKeyStart = substr($user['User']['authkey'], 0, 4);
$currentKeyEnd = substr($user['User']['authkey'], -4);
foreach ($user['AuthKey'] as $authkey) {
if ($authkey['authkey_start'] === $currentKeyStart && $authkey['authkey_end'] === $currentKeyEnd) {
continue 2;
}
}
}
$this->AuthKey->create();
$this->AuthKey->save([
'authkey' => $user['User']['authkey'],
'expiration' => 0,
'user_id' => $user['User']['id']
]);
$updated += 1;
}
return $updated;
}
public function checkNotificationBanStatus(array $user)
{
$banStatus = [
'error' => false,
'active' => false,
'message' => __('User is not banned to sent email notification')
];
if (!empty($user['Role']['perm_site_admin'])) {
return $banStatus;
}
if (Configure::read('MISP.user_email_notification_ban')) {
$banThresholdAmount = intval(Configure::read('MISP.user_email_notification_ban_amount_threshold'));
$banThresholdMinutes = intval(Configure::read('MISP.user_email_notification_ban_time_threshold'));
$banThresholdSeconds = 60 * $banThresholdMinutes;
$redis = $this->setupRedis();
if ($redis === false) {
$banStatus['error'] = true;
$banStatus['active'] = true;
$banStatus['message'] = __('Reason: Could not reach redis to check user email notification ban status.');
return $banStatus;
}
$redisKeyAmountThreshold = "misp:user_email_notification_ban_amount:{$user['id']}";
$notificationAmount = $redis->get($redisKeyAmountThreshold);
if (!empty($notificationAmount)) {
$remainingAttempt = $banThresholdAmount - intval($notificationAmount);
if ($remainingAttempt <= 0) {
$ttl = $redis->ttl($redisKeyAmountThreshold);
$remainingMinutes = intval($ttl) / 60;
$banStatus['active'] = true;
$banStatus['message'] = __('Reason: User is banned from sending out emails (%s notification tried to be sent). Ban will be lifted in %smin %ssec.', $notificationAmount, floor($remainingMinutes), intval($ttl) % 60);
}
}
$pipe = $redis->multi(Redis::PIPELINE)
->incr($redisKeyAmountThreshold);
if (!$banStatus['active']) { // no need to refresh the ttl if the ban is active
$pipe->expire($redisKeyAmountThreshold, $banThresholdSeconds);
}
$pipe->exec();
return $banStatus;
}
$banStatus['message'] = __('User email notification ban setting is not enabled');
return $banStatus;
}
/**
* @param array $user
* @return bool
*/
public function hasNotifications(array $user)
{
$hasProposal = $this->Event->ShadowAttribute->hasAny([
'ShadowAttribute.event_org_id' => $user['org_id'],
'ShadowAttribute.deleted' => 0,
]);
if ($hasProposal) {
return true;
}
if (Configure::read('MISP.delegation') && $this->_getDelegationCount($user)) {
return true;
}
return false;
}
/**
* @param array $user
* @return array
*/
public function populateNotifications(array $user)
{
$notifications = array();
list($notifications['proposalCount'], $notifications['proposalEventCount']) = $this->_getProposalCount($user);
$notifications['total'] = $notifications['proposalCount'];
if (Configure::read('MISP.delegation')) {
$notifications['delegationCount'] = $this->_getDelegationCount($user);
$notifications['total'] += $notifications['delegationCount'];
}
return $notifications;
}
// if not using $mode === 'full', simply check if an entry exists. We really don't care about the real count for the top menu.
private function _getProposalCount($user, $mode = 'full')
{
$results[0] = $this->Event->ShadowAttribute->find('count', [
'conditions' => array(
'ShadowAttribute.event_org_id' => $user['org_id'],
'ShadowAttribute.deleted' => 0,
)
]);
$results[1] = $this->Event->ShadowAttribute->find('count', [
'conditions' => array(
'ShadowAttribute.event_org_id' => $user['org_id'],
'ShadowAttribute.deleted' => 0,
),
'fields' => 'distinct event_id'
]);
return $results;
}
private function _getDelegationCount($user)
{
$this->EventDelegation = ClassRegistry::init('EventDelegation');
return $this->EventDelegation->find('count', array(
'recursive' => -1,
'conditions' => array('EventDelegation.org_id' => $user['org_id'])
));
}
}
Reference in New Issue View Git Blame Copy Permalink