Hooks for other actions than password modification (#175)

* Hook command is specific for password reset * WIP hook for unlock event * Unlock prehook and posthook * Doc for unlock hooks * Add hooks for lock password * Prehook and Posthook for enable account * Prehook and Posthook for disable account * Doc for hooks account enable/disable * Prehook and Posthook for update validity dates * Doc for hook update validity dates
ltb-project · Nov 29, 2024 · f29ec27 · f29ec27
1 parent ebc2a13
commit f29ec27
Show file tree

Hide file tree

Showing 13 changed files with 691 additions and 86 deletions.
diff --git a/conf/config.inc.php b/conf/config.inc.php
@@ -276,13 +276,18 @@
 # Debug mode
 $debug = false;
 
-## Pre Hook
-# Launch a prehook script before changing password.
-# Script should return with 0, to allow password change.
-# Any other exit code would abort password modification
-#$prehook = "/usr/share/service-desk/prehook.sh";
+### Prehooks
+
+# Launch a prehook script before an action.
+# Script should return with 0, else action will be aborted, unless error is ignored
+
 # LDAP attribute used as login in posthook script
-#$prehook_login = "uid";
+$prehook_login = "uid";
+
+## Password reset
+
+#$prehook = "/usr/share/service-desk/prehook.sh";
+
 # Display prehook error
 #$display_prehook_error = true;
 # Encode passwords sent to prehook script as base64. This will prevent alteration of the passwords if set to true.
@@ -291,17 +296,78 @@
 # Ignore prehook error. This will allow to change password even if prehook script fails.
 #$ignore_prehook_error = true;
 
-## Post Hook
-# Launch a posthook script after successful password change
-#$posthook = "/usr/share/service-desk/posthook.sh";
+## Lock
+
+#$prehook_lock = "/usr/share/service-desk/prehook_lock.sh";
+#$display_prehook_lock_error = true;
+#$ignore_prehook_lock_error = true;
+
+## Unlock
+
+#$prehook_unlock = "/usr/share/service-desk/prehook_unlock.sh";
+#$display_prehook_unlock_error = true;
+#$ignore_prehook_unlock_error = true;
+
+## Enable
+
+#$prehook_enable = "/usr/share/service-desk/prehook_enable.sh";
+#$display_prehook_enable_error = true;
+#$ignore_prehook_enable_error = true;
+
+## Disable
+
+#$prehook_disable = "/usr/share/service-desk/prehook_disable.sh";
+#$display_prehook_disable_error = true;
+#$ignore_prehook_disable_error = true;
+
+## Update validity
+
+#$prehook_updatevalidity = "/usr/share/service-desk/prehook_updatevalidity.sh";
+#$display_prehook_updatevalidity_error = true;
+#$ignore_prehook_updatevalidity_error = true;
+
+### Posthooks
+
+# The posthook is only launched if the action was successful
+
 # LDAP attribute used as login in posthook script
-#$posthook_login = "uid";
+$posthook_login = "uid";
+
+## Password reset
+
+#$posthook = "/usr/share/service-desk/posthook.sh";
+
 # Display posthook error
 #$display_posthook_error = true;
 # Encode passwords sent to posthook script as base64. This will prevent alteration of the passwords if set to true.
 # To read the actual password in the posthook script, use a base64_decode function/tool
 #$posthook_password_encodebase64 = false;
 
+## Lock
+
+#$posthook_lock = "/usr/share/service-desk/posthook_lock.sh";
+#$display_posthook_lock_error = true;
+
+## Unlock
+
+#$posthook_unlock = "/usr/share/service-desk/posthook_unlock.sh";
+#$display_posthook_unlock_error = true;
+
+## Enable
+
+#$posthook_enable = "/usr/share/service-desk/posthook_enable.sh";
+#$display_posthook_enable_error = true;
+
+## Disable
+
+#$posthook_disable = "/usr/share/service-desk/posthook_disable.sh";
+#$display_posthook_disable_error = true;
+
+## Update validity
+
+#$posthook_updatevalidity = "/usr/share/service-desk/posthook_updatevalidity.sh";
+#$display_posthook_updatevalidity_error = true;
+
 # The name of an HTTP Header that may hold a reference to an extra config file to include.
 #$header_name_extra_config="SSP-Extra-Config";
 

diff --git a/docs/hook.rst b/docs/hook.rst
@@ -1,26 +1,38 @@
 Hook
 ====
 
-Hook feature allows to run a script before or after the password modification.
+Hook feature allows to run a script before or after an action:
+* Password reset
+* Password lock
+* Password unlock
+* Account enable
+* Account disable
+* Update validity dates
 
-The script is called with two parameters: login and new password.
+The script must return 0 if no error occured. Any text printed on STDOUT
+will be displayed as an error message (see options).
 
-Parameters
-----------
+Login
+-----
 
-Define prehook or posthook script (and enable the feature):
+Define which attribute will be used as login in prehook and posthook scripts:
 
 .. code-block:: php
 
-    $prehook = "/usr/share/service-desk/prehook.sh";
-    $posthook = "/usr/share/service-desk/posthook.sh";
+    $prehook_login = "uid";
+    $posthook_login = "uid";
 
-Define which attribute will be used as login:
+Password reset
+--------------
+
+The script is called with two parameters: login and new password.
+
+Define prehook or posthook script (and enable the feature):
 
 .. code-block:: php
 
-    $prehook_login = "uid";
-    $posthook_login = "uid";
+    $prehook = "/usr/share/service-desk/prehook.sh";
+    $posthook = "/usr/share/service-desk/posthook.sh";
 
 You can choose to display an error if the script return code is greater
 than 0:
@@ -48,3 +60,128 @@ if it fails, but still try to update password in the directory.
 .. code-block:: php
 
     $ignore_prehook_error = true;
+
+Password lock
+-------------
+
+The script is called with one parameter: login.
+
+Define prehook or posthook script (and enable the feature):
+
+.. code-block:: php
+
+    $prehook_lock = "/usr/share/service-desk/prehook_lock.sh";
+    $posthook_lock = "/usr/share/service-desk/posthook_lock.sh";
+
+To display hook error:
+
+.. code-block:: php
+
+   $display_prehook_lock_error = true;
+   $display_posthook_lock_error = true;
+
+To ignore prehook error:
+
+.. code-block:: php
+
+    $ignore_prehook_lock_error = true;
+
+Password unlock
+---------------
+
+The script is called with one parameter: login.
+
+Define prehook or posthook script (and enable the feature):
+
+.. code-block:: php
+
+    $prehook_unlock = "/usr/share/service-desk/prehook_unlock.sh";
+    $posthook_unlock = "/usr/share/service-desk/posthook_unlock.sh";
+
+To display hook error:
+
+.. code-block:: php
+
+   $display_prehook_unlock_error = true;
+   $display_posthook_unlock_error = true;
+
+To ignore prehook error:
+
+.. code-block:: php
+
+    $ignore_prehook_unlock_error = true;
+
+Account enable
+--------------
+
+The script is called with one parameter: login.
+
+Define prehook or posthook script (and enable the feature):
+
+.. code-block:: php
+
+    $prehook_enable = "/usr/share/service-desk/prehook_enable.sh";
+    $posthook_enable = "/usr/share/service-desk/posthook_enable.sh";
+
+To display hook error:
+
+.. code-block:: php
+
+   $display_prehook_enable_error = true;
+   $display_posthook_enable_error = true;
+
+To ignore prehook error:
+
+.. code-block:: php
+
+    $ignore_prehook_enable_error = true;
+
+Account disable
+---------------
+
+The script is called with one parameter: login.
+
+Define prehook or posthook script (and disable the feature):
+
+.. code-block:: php
+
+    $prehook_disable = "/usr/share/service-desk/prehook_disable.sh";
+    $posthook_disable = "/usr/share/service-desk/posthook_disable.sh";
+
+To display hook error:
+
+.. code-block:: php
+
+   $display_prehook_disable_error = true;
+   $display_posthook_disable_error = true;
+
+To ignore prehook error:
+
+.. code-block:: php
+
+    $ignore_prehook_disable_error = true;
+
+Update validity dates
+---------------------
+
+The script is called with one parameter: login.
+
+Define prehook or posthook script (and updatevalidity the feature):
+
+.. code-block:: php
+
+    $prehook_updatevalidity = "/usr/share/service-desk/prehook_updatevalidity.sh";
+    $posthook_updatevalidity = "/usr/share/service-desk/posthook_updatevalidity.sh";
+
+To display hook error:
+
+.. code-block:: php
+
+   $display_prehook_updatevalidity_error = true;
+   $display_posthook_updatevalidity_error = true;
+
+To ignore prehook error:
+
+.. code-block:: php
+
+    $ignore_prehook_updatevalidity_error = true;
diff --git a/htdocs/disableaccount.php b/htdocs/disableaccount.php
@@ -8,6 +8,12 @@
 $password = "";
 $comment = "";
 $returnto = "display";
+$prehook_login_value = "";
+$prehook_message = "";
+$prehook_return = 0;
+$posthook_login_value = "";
+$posthook_message = ""; 
+$posthook_return = 0;
 
 if (isset($_POST["returnto"]) and $_POST["returnto"]) {
     $returnto = $_POST["returnto"];
@@ -32,6 +38,7 @@
 
     require_once("../conf/config.inc.php");
     require __DIR__ . '/../vendor/autoload.php';
+    require_once("../lib/hook.inc.php");
 
     # Connect to LDAP
     $ldap_connection = $ldapInstance->connect();
@@ -44,16 +51,60 @@
         $result = "noentriesfound";
         error_log("LDAP - $dn not found using the configured search settings, reject request");
     } else {
-        if ( $directory->disableAccount($ldap, $dn) ) {
-            $result = "accountdisabled";
+
+        if ( isset($prehook_disable) || isset($posthook_disable) ) {
+            if ( isset($prehook_login) ) {
+                $prehook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $prehook_login);
+            }
+            if ( isset($posthook_login) ) {
+                $posthook_login_value = $ldapInstance->get_first_value($dn, "base", '(objectClass=*)', $posthook_login);
+            }
+        }
+        if ( isset($prehook_disable) ) {
+
+            if ( !isset($prehook_login_value) ) {
+                $prehook_return = 255;
+                $prehook_message = "No login found, cannot execute prehook script";
+            } else {
+                $command = hook_command($prehook_disable, $prehook_login_value);
+                exec($command, $prehook_output, $prehook_return);
+                $prehook_message = $prehook_output[0];
+            }
+        }
+
+        if ( $prehook_return > 0 and !$ignore_prehook_disable_error) {
+            $result = "hookerror";
         } else {
-            $result = "ldaperror";
+            if ( $directory->disableAccount($ldap, $dn) ) {
+                $result = "accountdisabled";
+            } else {
+                $result = "ldaperror";
+            }
         }
+        if ( $result === "accountdisabled" && isset($posthook_disable) ) {
+
+            if ( !isset($posthook_login_value) ) {
+                $posthook_return = 255;
+                $posthook_message = "No login found, cannot execute posthook script";
+            } else {
+                $command = hook_command($posthook_disable, $posthook_login_value);
+                exec($command, $posthook_output, $posthook_return);
+                $posthook_message = $posthook_output[0];
+            }
+        }
+
     }
 }
 
 if ($audit_log_file) {
     auditlog($audit_log_file, $dn, $audit_admin, "disableaccount", $result, $comment);
 }
 
-header('Location: index.php?page='.$returnto.'&dn='.$dn.'&disableaccountresult='.$result);
+$location = 'index.php?page='.$returnto.'&dn='.$dn.'&disableaccountresult='.$result;
+if ( isset($prehook_return) and $display_prehook_disable_error and $prehook_return > 0 ) {
+    $location .= '&prehookdisableresult='.$prehook_message;
+}
+if ( isset($posthook_return) and $display_posthook_disable_error and $posthook_return > 0 ) {
+    $location .= '&posthookdisableresult='.$posthook_message;
+}
+header('Location: '.$location);