send notification when passwords are about to expire

appinfo/app.php

@@ -61,3 +61,16 @@
 	\OCP\IUser::class . '::firstLogin',
 	[$handler, 'checkForcePasswordChangeOnFirstLogin']
 );
+
+$app = new \OCA\PasswordPolicy\AppInfo\Application();
+$app->registerNotifier();
+
+// only load notification JS code in the logged in layout page (not public links not login page)
+$request = \OC::$server->getRequest();
+if (\OC::$server->getUserSession() !== null && \OC::$server->getUserSession()->getUser() !== null
+	&& substr($request->getScriptName(), 0 - strlen('/index.php')) === '/index.php'
+	&& substr($request->getPathInfo(), 0, strlen('/s/')) !== '/s/'
+	&& substr($request->getPathInfo(), 0, strlen('/login')) !== '/login') {
+
+	\OCP\Util::addScript('password_policy', 'notification');
+}

appinfo/info.xml

@@ -12,12 +12,12 @@ The definition of certain password rules support administrators in the task of e
 Password history and expiration policies are supplements that allow IT to establish a level of password security that can comply with corporate guidelines of all sorts. The provided tools enable administrators to granularly choose their desired security level. At this point it is important to keep in mind that high levels of security might sacrifice usability and come at the expense of user experience. For this reason it is highly recommended to check [best practices](https://pages.nist.gov/800-63-3/sp800-63b.html) and decide carefully on the hurdles that are put upon users in order to maintain and optimize user adoption and satisfaction.
 
 Administrators find the configuration options in the 'Security' section of the ownCloud administration settings panel. The respective policies are designed for local user accounts, not for user accounts imported from LDAP or other user backends as these provide their own mechanisms. For more information and recommendations when deploying policies in an existing ownCloud, please consult the [ownCloud Documentation](https://doc.owncloud.com/server/latest/admin_manual/configuration/server/security/password-policy.html).</description>
-	<version>2.0.0</version>
+	<version>2.0.1</version>
 	<documentation>
 		<admin>https://doc.owncloud.com/server/10.0/admin_manual/configuration/server/security/password_policy.html</admin>
 	</documentation>
 	<dependencies>
-		<owncloud min-version="10.0.5" max-version="10.1" />
+		<owncloud min-version="10.0.9" max-version="10.1" />
 	</dependencies>
 	<namespace>PasswordPolicy</namespace>
 	<settings>
@@ -30,6 +30,9 @@ Administrators find the configuration options in the 'Security' section of the o
 	<account-modules>
 		<module>OCA\PasswordPolicy\Authentication\AccountModule</module>
 	</account-modules>
+	<background-jobs>
+		<job>OCA\PasswordPolicy\Jobs\PasswordExpirationNotifierJob</job>
+	</background-jobs>
 
 	<screenshot>https://raw.githubusercontent.com/owncloud/screenshots/master/password_policy/owncloud-app-password_policy.jpg</screenshot>
 	<screenshot>https://raw.githubusercontent.com/owncloud/screenshots/master/password_policy/owncloud-app-password_policy2.jpg</screenshot>

js/notification.js

@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2018 Vincent Petry <pvince81@owncloud.com>
+ *
+ * This file is licensed under the Affero General Public License version 3
+ * or later.
+ *
+ * See the COPYING-README file.
+ *
+ */
+(function () {
+
+	$(document).ready(function() {
+		// convert action URL to redirect
+		$('body').on('OCA.Notification.Action', function(e) {
+			if (e.notification.app === 'password_policy'
+				&& (e.notification.object_type === 'about_to_expire' || e.notification.object_type === 'expired')
+				&& e.action.type === 'GET'
+			) {
+				OC.redirect(e.notification.link);
+				return false;
+			}
+		});
+	});
+})();
+

lib/AppInfo/Application.php

@@ -21,11 +21,24 @@
 namespace OCA\PasswordPolicy\AppInfo;
 
 use OCP\AppFramework\App;
+use OCP\Notification\Events\RegisterNotifierEvent;
+use OCA\PasswordPolicy\Notifier;
 
 class Application extends App {
 
 	public function __construct (array $urlParams = []) {
 		parent::__construct('password_policy', $urlParams);
 	}
 
+	/**
+	 * Registers the notifier
+	 */
+	public function registerNotifier() {
+		$container = $this->getContainer();
+		$dispatcher = $container->getServer()->getEventDispatcher();
+		$dispatcher->addListener(RegisterNotifierEvent::NAME, function (RegisterNotifierEvent $event) use ($container) {
+			$l10n = $container->getServer()->getL10N('password_policy');
+			$event->registerNotifier($container->query(Notifier::class), 'password_policy', $l10n->t('Password Policy'));
+		});
+	}
 }

lib/Controller/PasswordController.php

@@ -141,7 +141,7 @@ public function update($current_password, $new_password, $confirm_password, $red
 		if ($new_password !== $confirm_password) {
 			return $this->createPasswordTemplateResponse(
 				$redirect_url,
-				$this->l10n->t('New passwords are not the same.')
+				$this->l10n->t('Password confirmation does not match the password.')
 			);
 		}
 
@@ -150,7 +150,7 @@ public function update($current_password, $new_password, $confirm_password, $red
 		if(!$this->userManager->checkPassword($user->getUID(), $current_password)) {
 			return $this->createPasswordTemplateResponse(
 				$redirect_url,
-				$this->l10n->t('Incorrect current password supplied.')
+				$this->l10n->t('The current password is incorrect.')
 			);
 		}
 

lib/Controller/SettingsController.php

@@ -26,6 +26,7 @@
 use OCP\IRequest;
 use OCP\Settings\ISettings;
 use OCP\Template;
+use OCA\PasswordPolicy\UserNotificationConfigHandler;
 
 class SettingsController extends Controller implements ISettings {
 
@@ -49,13 +50,26 @@ class SettingsController extends Controller implements ISettings {
 		'spv_password_history_value' => 3,
 		'spv_user_password_expiration_checked' => false,
 		'spv_user_password_expiration_value' => 90,
+		'spv_user_password_expiration_notification_checked' => false,
+		'spv_user_password_expiration_notification_value' => UserNotificationConfigHandler::DEFAULT_EXPIRATION_FOR_NORMAL_NOTIFICATION,
 		'spv_user_password_force_change_on_first_login_checked' => false,
 		'spv_expiration_password_checked' => false,
 		'spv_expiration_password_value' => 7,
 		'spv_expiration_nopassword_checked' => false,
 		'spv_expiration_nopassword_value' => 7,
 	];
 
+	/**
+	 * functions to convert values between what is shown and what is stored
+	 * these functions must be defined in this class, they're per config key
+	 */
+	const CONVERSIONS = [
+		'spv_user_password_expiration_notification_value' => [
+			'in' => 'daysToSeconds',
+			'out' => 'secondsToDays',
+		],
+	];
+
 	public function __construct($appName,
 								IRequest $request,
 								IConfig $config) {
@@ -71,6 +85,10 @@ public function updatePolicy() {
 			if ($this->request->getParam($key) !== null) {
 				if ($key !== 'spv_def_special_chars_value' && \substr($key, -6) === '_value') {
 					$value = \min(\max(0, (int)$this->request->getParam($key)), 255);
+					if (isset(self::CONVERSIONS[$key]['in'])) {
+						$convertFuncName = self::CONVERSIONS[$key]['in'];
+						$value = $this->$convertFuncName($value);
+					}
 					$this->config->setAppValue('password_policy', $key, $value);
 				} else {
 					$this->config->setAppValue('password_policy', $key, \strip_tags($this->request->getParam($key)));
@@ -92,9 +110,33 @@ public function getPriority() {
 	public function getPanel() {
 		$template = new Template('password_policy', 'admin');
 		foreach(self::DEFAULTS as $key => $default) {
-			$template->assign($key, $this->config->getAppValue('password_policy', $key, $default));
+			$value = $this->config->getAppValue('password_policy', $key, $default);
+			if (isset(self::CONVERSIONS[$key]['out'])) {
+				$convertFuncName = self::CONVERSIONS[$key]['out'];
+				$value = $this->$convertFuncName($value);
+			}
+			$template->assign($key, $value);
 		}
 		return $template;
 	}
 
+	/**
+	 * Convert the days to seconds
+	 * @param int $days
+	 * @return int the number of seconds
+	 */
+	private function daysToSeconds($days) {
+		return $days * 24 * 60 * 60;
+	}
+
+	/**
+	 * Convert seconds to days. The value will always be rounded up,
+	 * so 1 second will be converted to 1 day
+	 * @param int $seconds the number of seconds to be converted
+	 * @return int the number of days in those seconds, rounded up
+	 */
+	private function secondsToDays($seconds) {
+		$floatDays = $seconds / (24 * 60 * 60);
+		return \intval(\ceil($floatDays));
+	}
 }

lib/Db/OldPasswordMapper.php

@@ -63,4 +63,39 @@ public function getLatestPassword($uid) {
 		}
 		return $passwords[0];
 	}
-}
+
+	/**
+	 * Get the passwords that are about to expire or already expired.
+	 * Last passwords which have been changed before the timestamp are the ones
+	 * selectable. Previous stored passwords won't be included
+	 * In addition, passwords from multiple users are expected
+	 * @param int $maxTimestamp timestamp marker, last passwords changed before
+	 * the timestamp will be selected
+	 * @return OldPassword[] the selected passwords
+	 */
+	public function getPasswordsAboutToExpire($maxTimestamp) {
+		$oldPasswords = [];
+
+		$query = "SELECT `f`.`id`, `f`.`uid`, `f`.`password`, `f`.`change_time` FROM (";
+		$query .= "SELECT `uid`, max(`change_time`) AS `maxtime` FROM `*PREFIX*user_password_history` GROUP BY `uid`";
+		$query .= ") AS `x` INNER JOIN `*PREFIX*user_password_history` AS `f` ON `f`.`uid` = `x`.`uid` AND `f`.`change_time` = `x`.`maxtime`";
+		$query .= " WHERE `f`.`change_time` < ?";
+
+		$stmt = $this->db->prepare($query);
+		$stmt->bindValue(1, $maxTimestamp);
+		$result = $stmt->execute();
+
+		if ($result === false) {
+			$info = \json_encode($stmt->erroInfo());
+			$message = "Cannot get the passwords that are about to expire. Error: {$info}";
+			\OCP\Util::writeLog('password_policy', $message, \OCP\Util::ERROR);
+			return false;
+		}
+
+		while ($row = $stmt->fetch()) {
+			$oldPasswords[] = OldPassword::fromRow($row);
+		}
+		$stmt->closeCursor();
+		return $oldPasswords;
+	}
+}

lib/HooksHandler.php

@@ -26,12 +26,14 @@
 use OCA\PasswordPolicy\Db\OldPasswordMapper;
 use OCA\PasswordPolicy\Rules\PasswordExpired;
 use OCA\PasswordPolicy\Rules\PolicyException;
+use OCA\PasswordPolicy\UserNotificationConfigHandler;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\IConfig;
 use OCP\IL10N;
 use OCP\ISession;
 use OCP\IUser;
 use OCP\Security\IHasher;
+use OCP\Notification\IManager;
 use Symfony\Component\EventDispatcher\GenericEvent;
 
 class HooksHandler {
@@ -60,6 +62,12 @@ class HooksHandler {
 	/** @var ISession */
 	private $session;
 
+	/** @var IManager */
+	private $notificationManager;
+
+	/** @var UserNotificationConfigHandler */
+	private $userNotificationConfigHandler;
+
 	public function __construct(
 		IConfig $config = null,
 		Engine $engine = null,
@@ -68,7 +76,9 @@ public function __construct(
 		IL10N $l10n = null,
 		PasswordExpired $passwordExpiredRule = null,
 		OldPasswordMapper $oldPasswordMapper = null,
-		ISession $session = null
+		ISession $session = null,
+		IManager $notificationManager = null,
+		UserNotificationConfigHandler $userNotificationConfigHandler = null
 	) {
 		$this->config = $config;
 		$this->engine = $engine;
@@ -78,6 +88,8 @@ public function __construct(
 		$this->passwordExpiredRule = $passwordExpiredRule;
 		$this->oldPasswordMapper = $oldPasswordMapper;
 		$this->session = $session;
+		$this->notificationManager = $notificationManager;
+		$this->userNotificationConfigHandler = $userNotificationConfigHandler;
 	}
 
 	private function fixDI() {
@@ -103,6 +115,8 @@ private function fixDI() {
 				$this->hasher
 			);
 			$this->session = \OC::$server->getSession();
+			$this->notificationManager = \OC::$server->getNotificationManager();
+			$this->userNotificationConfigHandler = new UserNotificationConfigHandler($this->config);
 		}
 	}
 
@@ -196,11 +210,34 @@ public function saveOldPassword(GenericEvent $event) {
 		$user = $this->getUser($event);
 		$password = $event->getArgument('password');
 
+		$userId = $user->getUID();
+
 		$oldPassword = new OldPassword();
-		$oldPassword->setUid($user->getUID());
+		$oldPassword->setUid($userId);
 		$oldPassword->setPassword($this->hasher->hash($password));
 		$oldPassword->setChangeTime($this->timeFactory->getTime());
 		$this->oldPasswordMapper->insert($oldPassword);
+
+		// get previous marks
+		$aboutToExpireMark = $this->userNotificationConfigHandler->getMarkAboutToExpireNotificationSentFor($userId);
+		$expiredMark = $this->userNotificationConfigHandler->getMarkExpiredNotificationSentFor($userId);
+
+		$this->userNotificationConfigHandler->resetExpirationMarks($userId);
+
+		if ($aboutToExpireMark !== null) {
+			$notification = $this->notificationManager->createNotification();
+			$notification->setApp('password_policy')
+				->setUser($userId)
+				->setObject('about_to_expire', $aboutToExpireMark);
+			$this->notificationManager->markProcessed($notification);
+		}
+		if ($expiredMark !== null) {
+			$notification = $this->notificationManager->createNotification();
+			$notification->setApp('password_policy')
+				->setUser($userId)
+				->setObject('expired', $expiredMark);
+			$this->notificationManager->markProcessed($notification);
+		}
 	}
 
 	public function savePasswordForCreatedUser(GenericEvent $event) {
@@ -214,6 +251,7 @@ public function savePasswordForCreatedUser(GenericEvent $event) {
 		$oldPassword->setPassword($this->hasher->hash($password));
 		$oldPassword->setChangeTime($this->timeFactory->getTime());
 		$this->oldPasswordMapper->insert($oldPassword);
+		$this->userNotificationConfigHandler->resetExpirationMarks($userid);
 	}
 
 	/**