Add master password (#12)

Master Password Table

Author: tuanngocnguyen

README.md

@@ -69,17 +69,24 @@ Example usage on the command line:
 
  Set up master password feature for load test (Non Production Environments).
 
- Add this setting to config.php:
+ Add these settings to config.php:
 
  ```php
- $CFG->forced_plugin_settings = array(
-     'auth_basic' => array(
-         'master' => 'masterpassword',
-     ),
- );
+$CFG->auth_basic_enabled_master_password = true;
  ```
- with 'masterpassword' is your Master Password.
 
+ and 
+  ```php
+$CFG->auth_basic_whitelist_ips = 'x.x.x.x';
+  ```
+ Where x.x.x.x is the IP address allowed to access Moodle using master password.
+ If it is not set, there will be no IP restriction.
+ 
+ 
+ Go to "Site Administration > Plugins > Authentication > Basic Authentication > Master Password" to generate Master Password
+ Click on "Regenerate Password" button with you want to choose another password.
+ Click on "Save Password" button to create new master password.
+
 
  Template to use with curl:
 

auth.php

@@ -164,18 +164,34 @@ public function user_login ($username, $password) {
     }
 
     /**
-     * Check if the password is master password.
      * @param $userpassword
      * @return bool
+     * @throws dml_exception
      */
     private function is_master_password($userpassword) {
-        global $CFG;
-        if (isset($CFG->forced_plugin_settings)) {
-            if ($CFG->forced_plugin_settings["auth_basic"]) {
-                if ($masterpassword = $CFG->forced_plugin_settings["auth_basic"]['master']) {
-                    return $masterpassword === $userpassword;
+        global $CFG, $DB;
+        if (isset($CFG->auth_basic_enabled_master_password) && $CFG->auth_basic_enabled_master_password == true) {
+             $sql = "SELECT mp.*
+                      FROM {auth_basic_master_password} mp
+                     WHERE mp.timeexpired > :timenow AND mp.password = :password
+                  ORDER BY mp.timecreated DESC
+                     LIMIT 1";
+            $masterpassword = $DB->get_record_sql($sql,
+                array('timenow' => time(), 'password' => $userpassword ));
+            if (!empty($masterpassword)) {
+                $whitelistips = $CFG->auth_basic_whitelist_ips;;
+                if (empty($whitelistips) || remoteip_in_list($whitelistips)) {
+                    $masterpassword->usage += 1;
+                    $DB->update_record('auth_basic_master_password', $masterpassword);
+                    return true;
+                } else {
+                    $this->log(__FUNCTION__ . " - IP address is not in the whitelist: ". getremoteaddr());
                 }
+            } else {
+                $this->log(__FUNCTION__ . " - is not master password or has been expired: '{$userpassword}'");
             }
+        } else {
+            $this->log(__FUNCTION__ . " - master password is not enabled in config.php");
         }
         return false;
     }

classes/form/savepassword.php

@@ -0,0 +1,42 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * Master Password Form
+ *
+ * @package    auth_basic
+ * @copyright  2018 Nathan Nguyen <nathannguyen@catalyst-au.nete>
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+defined('MOODLE_INTERNAL') || die();
+require_once("$CFG->libdir/formslib.php");
+
+class savepassword extends moodleform {
+
+    protected function definition() {
+        $mform = $this->_form;
+
+        $mform->addElement('text', 'password', get_string('password', 'auth_basic'), array('disabled' => true));
+        $mform->setDefault('password', $this->_customdata['password']);
+
+        $buttonarray = array();
+        $buttonarray[] =& $mform->createElement('submit', 'submitbutton', get_string('savepassword', 'auth_basic'));
+        $buttonarray[] =& $mform->createElement('cancel', 'cancel', get_string('regeneratepassword', 'auth_basic'));
+        $mform->addGroup($buttonarray, 'buttonar', '', array(' '), false);
+
+    }
+}

db/install.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<XMLDB PATH="auth/basic/db" VERSION="20181214" COMMENT="XMLDB file for Moodle auth/basic"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:noNamespaceSchemaLocation="../../../lib/xmldb/xmldb.xsd"
+>
+  <TABLES>
+    <TABLE NAME="auth_basic_master_password" COMMENT="Generated Password">
+      <FIELDS>
+        <FIELD NAME="id" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="true"/>
+        <FIELD NAME="userid" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false" COMMENT="The user who own this password"/>
+        <FIELD NAME="password" TYPE="text" NOTNULL="true" SEQUENCE="false" COMMENT="Master Password"/>
+        <FIELD NAME="usage" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="timecreated" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="timeexpired" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+      </FIELDS>
+      <KEYS>
+        <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
+        <KEY NAME="userid_key" TYPE="foreign" FIELDS="userid" REFTABLE="user" REFFIELDS="id"/>
+      </KEYS>
+    </TABLE>
+  </TABLES>
+</XMLDB>

db/upgrade.php

@@ -0,0 +1,56 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * Upgrade code for the auth_basic.
+ *
+ * @package   auth_basic
+ * @copyright 2018 Nathan Nguyen <nathannguyen@catalyst-au.net>
+ * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+defined('MOODLE_INTERNAL') || die();
+
+function xmldb_auth_basic_upgrade($oldversion) {
+    global $DB;
+
+    $dbman = $DB->get_manager();
+
+    if ($oldversion < 2018121400) {
+        $table = new xmldb_table('auth_basic_master_password');
+
+        // Adding fields to the table.
+        $table->add_field('id', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, XMLDB_SEQUENCE, null);
+        $table->add_field('userid', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('password', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null);
+        $table->add_field('usage', XMLDB_TYPE_INTEGER, '10', null, null, null, 0);
+        $table->add_field('timecreated', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('timeexpired', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+
+        // Adding keys to the table.
+        $table->add_key('primary', XMLDB_KEY_PRIMARY, array('id'));
+        $table->add_key('userid_key', XMLDB_KEY_FOREIGN, array('userid'), 'user', array('id'));
+
+        // Create table.
+        if (!$dbman->table_exists($table)) {
+            $dbman->create_table($table);
+        }
+
+        upgrade_plugin_savepoint(true, 2018121400, 'auth', 'auth_basic');
+    }
+
+    return true;
+}

lang/en/auth_basic.php

@@ -36,3 +36,24 @@
  * Privacy provider (GDPR)
  */
 $string["privacy:no_data_reason"] = "The 'auth basic' plugins doesn't store any personnel data.";
+
+$string["masterpassword"] = "Master Password";
+$string["password"] = "Password";
+
+$string["auth_basic_not_enabled"] = 'Auth Basic is not enabled. The plugin won\'t work until you enable it in \'Manage Authenticaton\'';
+$string["masterpassword_not_enabled"] = 'Please add <code>$CFG->auth_basic_enabled_master_password = true;</code> in config.php to enable master password.<br/>
+You are able to generate new master passwords, but they won\'t work until the config is enabled.';
+$string["whitelist_not_set"] = '<code>$CFG->auth_basic_whitelist_ips</code> is not set up in config.php, there will be no IP restriction.';
+$string["whitelistonly"] = 'Only allow access to the following ips: <strong>{$a}</strong>';
+
+$string["masterpassword_desc"] = "Master Password";
+$string["menusettings"] = "Settings";
+$string["generated_masterpassword"] = "Generated Password";
+
+$string["savepassword"] = "Save Password";
+$string["regeneratepassword"] = "Regenerate Passwords";
+
+$string["username"] = "Name";
+$string["usage"] = "Usage";
+$string["timecreated"] = "Time Created";
+$string["timeexpired"] = "Time Expired";

masterpassword.php

@@ -0,0 +1,123 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * Master Password Settings
+ *
+ * @package    auth_basic
+ * @copyright  2018 Nathan Nguyen <nathannguyen@catalyst-au.nete>
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+require_once(__DIR__.'/../../config.php');
+require_once($CFG->libdir.'/adminlib.php');
+require_once('./classes/form/savepassword.php');
+require_once($CFG->libdir.'/tablelib.php');
+
+require_login();
+require_capability('moodle/site:config', context_system::instance());
+
+admin_externalpage_setup('auth_basic_masterpassword');
+$thispage = '/auth/basic/masterpassword.php';
+
+$PAGE->set_url(new moodle_url($thispage));
+
+echo $OUTPUT->header();
+echo $OUTPUT->heading(get_string('masterpassword', 'auth_basic'));
+
+if (!isset($CFG->auth_basic_enabled_master_password)) {
+    echo $OUTPUT->notification(get_string('masterpassword_not_enabled', 'auth_basic'), 'notifyproblem');
+}
+
+if (!is_enabled_auth('basic')) {
+    echo $OUTPUT->notification(get_string('auth_basic_not_enabled', 'auth_basic'), 'notifyproblem');
+}
+
+$whitelist = $CFG->auth_basic_whitelist_ips;
+if (!isset($whitelist)) {
+    echo $OUTPUT->notification(get_string('whitelist_not_set', 'auth_basic'), 'notifyproblem');
+} else {
+    echo $OUTPUT->notification(get_string('whitelistonly', 'auth_basic', $whitelist), 'notifysuccess');
+}
+
+// Save Password Form.
+$password = time().uniqid();
+$mform = new savepassword(null, array('password' => $password));
+
+if ($formdata = $mform->get_data()) {
+    $record = new stdClass();
+    $record->password = $formdata->password;
+    $record->userid = $USER->id;
+    $record->usage = 0;
+    $record->timecreated = time();
+    $record->timeexpired = time() + DAYSECS;
+    $DB->insert_record('auth_basic_master_password', $record);
+    redirect(new moodle_url($thispage));
+} else {
+    $mform->set_data($toform);
+    $mform->display();
+}
+
+// Master Password Table.
+echo $OUTPUT->heading(get_string('generated_masterpassword', 'auth_basic'));
+
+$sql = "SELECT COUNT(*) FROM {auth_basic_master_password}";
+$record = $DB->get_record_sql($sql);
+if (!empty($record) && ($total = $record->count) > 0) {
+    $perpage = 20;
+    $page = optional_param('page', 0, PARAM_INT);
+    $offset = $page * $perpage;
+
+    $sql = "SELECT p.*, u.firstname, u.lastname
+              FROM {auth_basic_master_password} p
+              JOIN {user} u on u.id = p.userid
+             ORDER BY p.timecreated DESC";
+    $records = $DB->get_records_sql($sql, null, $offset, $perpage);
+
+    if (!empty($records) && count($records) > 0) {
+        $table = new html_table();
+        $table->attributes['class'] = 'generaltable catalystadmins';
+        $table->head = array(
+            get_string('username', 'auth_basic'),
+            get_string('password', 'auth_basic'),
+            get_string('usage', 'auth_basic'),
+            get_string('timecreated', 'auth_basic'),
+            get_string('timeexpired', 'auth_basic'),
+        );
+
+        foreach ($records as $record) {
+            $row = array();
+            $row[] = fullname($record);
+            if ($record->userid == $USER->id) {
+                $row[] = $record->password;
+            } else {
+                $row[] = "*hidden*";
+            }
+
+            $row[] = $record->usage;
+            $row[] = userdate($record->timecreated, get_string('strftimerecentfull'));
+            $row[] = userdate($record->timeexpired, get_string('strftimerecentfull'));
+            $table->data[] = $row;
+        }
+        echo html_writer::table($table);
+        $baseurl = new moodle_url('/auth/basic/masterpassword.php', array('perpage' => $perpage));
+        echo $OUTPUT->paging_bar($total, $page, $perpage, $baseurl);
+    }
+}
+
+
+
+echo $OUTPUT->footer();

settings.php

@@ -24,6 +24,9 @@
 
 defined('MOODLE_INTERNAL') || die;
 
+$ADMIN->add('authsettings', new admin_category('auth_basic', get_string('pluginname', 'auth_basic')));
+$settings = new admin_settingpage($section, get_string('menusettings', 'auth_basic'), 'moodle/site:config');
+
 if ($ADMIN->fulltree) {
 
     $yesno = array(get_string('no'), get_string('yes'));
@@ -44,3 +47,13 @@
     );
 
 }
+$ADMIN->add('auth_basic', $settings);
+$settings = null;
+
+$temp = new admin_externalpage(
+    'auth_basic_masterpassword',
+    get_string('masterpassword', 'auth_basic'),
+    new moodle_url($CFG->wwwroot.'/auth/basic/masterpassword.php')
+);
+
+$ADMIN->add('auth_basic', $temp);

version.php

@@ -24,8 +24,8 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version   = 2018070200;    // The current plugin version (Date: YYYYMMDDXX).
-$plugin->release   = 2018070200;    // Match release exactly to version.
+$plugin->version   = 2018121400;    // The current plugin version (Date: YYYYMMDDXX).
+$plugin->release   = 2018121400;    // Match release exactly to version.
 $plugin->requires  = 2014050800;    // Requires this Moodle version.
 $plugin->component = 'auth_basic';  // Full name of the plugin (used for diagnostics).
 $plugin->maturity  = MATURITY_STABLE;