Merge branch 'feature/modern-password-1' into develop

Author: helje5

Logic/LSAccount/LSChangePasswordCommand.m

@@ -296,6 +296,19 @@ - (void)_executeInContext:(id)_context {
     [self _writePasswordToLdap:_context writeOnly:NO];
   else {
     [super _executeInContext:_context];
+
+    // 2025-04-25: See LSLoginAccountCommand for details!
+    extern NSString *GetSHA512PasswordUpdate(NSString *, NSString *);
+    id obj = [self object];
+
+    NSString *sql = GetSHA512PasswordUpdate(
+      self->newPlainTextPassword, [[obj valueForKey:@"companyId"] stringValue]);
+    
+    EOAdaptorChannel *adChannel = [[self databaseChannel] adaptorChannel];
+    id error;
+    if ((error = [adChannel evaluateExpressionX:sql]) != nil) {
+      [self errorWithFormat:@"Couldn't write modern_password: %@", error];
+    }
 
     if (WritePasswordToLDAP)
       [self _writePasswordToLdap:_context writeOnly:YES];

Logic/LSAccount/LSLoginAccountCommand.m

@@ -20,6 +20,7 @@
 */
 
 #include "LSGetAccountCommand.h"
+#import <openssl/sha.h> // hh(2025-04-25) will this build?
 
 @class NSString, NSNumber;
 
@@ -56,6 +57,54 @@ - (id)initWithUserDefaults:(NSUserDefaults *)_ud
   andContext:(LSCommandContext *)_tx;
 @end
 
+NSString *GetSHA512PasswordUpdate(NSString *plainPassword, NSString *companyId) 
+{
+  const char *cstr = [plainPassword UTF8String];
+  unsigned char hash[SHA512_DIGEST_LENGTH];
+  SHA512((const unsigned char*)cstr, strlen(cstr), hash);
+  
+  NSMutableString *sha512 = 
+    [NSMutableString stringWithCapacity:SHA512_DIGEST_LENGTH * 2 + 8];
+  [sha512 appendString:@"{SHA512}"];
+  
+  int i;
+  for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
+    [sha512 appendFormat:@"%02x", hash[i]];
+  }
+  
+  /* What we do here should be pretty safe wrt SQL injection given the
+   * nature of the values. Would be better to do with the entity/adaptor
+   * anyways */
+  NSMutableString *sql = [NSMutableString stringWithCapacity:256];
+  /*
+  DO $$
+  BEGIN
+    BEGIN
+      EXECUTE 'UPDATE my_table SET missing_column = 42';
+    EXCEPTION
+      WHEN undefined_column THEN
+        RAISE NOTICE 'Column does not exist, update skipped.';
+    END;
+  END;
+  $$;*/
+  [sql appendString:@"DO $$ BEGIN BEGIN EXECUTE '"];
+  
+  [sql appendString:@"UPDATE person SET modern_password = ''"];
+  [sql appendString:sha512];
+  [sql appendString:@"'' WHERE company_id = "];
+  [sql appendString:companyId];
+  [sql appendString:@" AND (modern_password != ''"];
+  [sql appendString:sha512];
+  [sql appendString:@"'' OR modern_password IS NULL)"];
+
+  [sql appendString:@"'; "];
+
+  [sql appendString:@"EXCEPTION WHEN undefined_column THEN "];
+  [sql appendString:@"RAISE NOTICE 'Column does not exist, update skipped.'; "];
+  [sql appendString:@"END; END; $$;"];
+  return sql;
+}
+
 @implementation LSLoginAccountCommand
 
 - (id)initForOperation:(NSString *)_operation inDomain:(NSString *)_domain {
@@ -120,7 +169,7 @@ - (void)_executeInContext:(id)_context {
                                        qualifierFormat:
                                           @"login='%@' AND isAccount=1 AND "
                                           @"(NOT login='template') AND "
-                                          @"(isLocked=0 OR isLocked is null)",
+                                          @"(isLocked=0 OR isLocked IS NULL)",
                                           userName];
   isArchivedQualifier =
     [[EOSQLQualifier alloc] initWithEntity:[self entity]
@@ -186,14 +235,14 @@ - (void)_executeInContext:(id)_context {
       }
     }
     else { /* use table for authorization */
-      NSString *cryptedPwd = nil;
-      id       accountPassword;
-      
-      accountPassword =  [account valueForKey:@"password"];
-    
+
+      // This is the hashed password in the account.
+      id accountPassword = [account valueForKey:@"password"];
       if (accountPassword == nil)
         accountPassword = @"";
-      
+
+      // The crypted version of the password.
+      NSString *cryptedPwd = nil;
       if (![self->crypted boolValue] && [[self password] isNotEmpty]) {
         id cmd = LSLookupCommandV(@"system", @"crypt",
                                   @"password", [self password],
@@ -232,6 +281,25 @@ - (void)_executeInContext:(id)_context {
   if (account) {
     NSUserDefaults *defs;
 
+    // 2025-04-25:
+    // HH: Persist a better hash.
+    // We could also upgrade from crypt to SHA512, but for that we would need
+    // to support this everywhere, doesn't seem worthwile, just yet? Move Auth
+    // out of OGo itself into Apache instead?
+    // TODO: protect by default
+    if (![self->crypted boolValue]) {
+      NSString *sql = GetSHA512PasswordUpdate(
+        [self password], [[account valueForKey:@"companyId"] stringValue]);
+            
+      EOAdaptorChannel *adChannel = [[self databaseChannel] adaptorChannel];
+      id error;
+      if ((error = [adChannel evaluateExpressionX:sql]) != nil) {
+        [self errorWithFormat:@"Couldn't write modern_password: %@", error];
+      }
+    }
+    
+    
+    
     /* load defaults */
 
     Class defaultsClass = NGClassFromString(@"LSUserDefaults");

Logic/LSFoundation/OGoContextManager.m

@@ -503,7 +503,7 @@ - (BOOL)isLoginAuthorized:(NSString *)_login password:(NSString *)_pwd
     return NO;
   }
 
-  if (_crypted) {
+  if (_crypted && [LSCommandContext useLDAPAuthorization]) {
     [self errorWithFormat:
 	    @"%s: cannot not perform LDAP-Login with crypted password",
 	    __PRETTY_FUNCTION__];

WebUI/Common/OGoUIElements/SkyCalendarPopUp.m

@@ -140,9 +140,11 @@ - (NSString *)popupScript {
 
   return [NSString stringWithFormat:
                    @"<!--\n"
-                   @" var calendar_%@ = new skycalendar(%@);\n"
-                   @" calendar_%@.setCalendarPage('%@');\n"
-                   @" calendar_%@.setDateFormat('%@');\n"
+                   @"  setTimeout(function() {\n"
+                   @"    window.calendar_%@ = new skycalendar(%@);\n"
+                   @"    window.calendar_%@.setCalendarPage('%@');\n"
+                   @"    window.calendar_%@.setDateFormat('%@');\n"
+                   @"  }, 50);\n"
                    @"// -->",
                    self->elementName, fullName,
                    self->elementName, [self calendarPageURL],

WebUI/Templates/LSWProject/LSWProjectEditor.wod

@@ -30,6 +30,7 @@ ProjectEditor: LSWObjectEditor {
     { key = "name"; },
     { key = "number"; label = "code"; },
     { key = "startDate"; calendarFormat = "%Y-%m-%d"; time = "00:00:00"; },
+    { key = "endDate";   calendarFormat = "%Y-%m-%d"; time = "23:59:59"; }
   );
 }
 

WebUI/Templates/LSWProject/SkyProjectInlineViewer.html

@@ -15,7 +15,13 @@
   <tr>
     <#SubAttributeCell><#Font><#StartDateLabel/>:</#Font></#SubAttributeCell>
     <#SubValueCell><#Font>
-      <#ProjectStartDate/> <!-- - <#ProjectEndDate/> -->
+      <#ProjectStartDate/>
+    </#Font></#SubValueCell>
+  </tr>
+  <tr>
+    <#SubAttributeCell><#Font><#EndDateLabel/>:</#Font></#SubAttributeCell>
+    <#SubValueCell><#Font>
+      <#ProjectEndDate/>
     </#Font></#SubValueCell>
   </tr>
 

WebUI/Templates/LSWProject/SkyProjectInlineViewer.wod

@@ -25,6 +25,7 @@ Buttons: SkyButtonRow {
 NameLabel:      WOString { value = labels.name;      }
 NumberLabel:    WOString { value = labels.number;    }
 StartDateLabel: WOString { value = labels.startDate; }
+EndDateLabel:   WOString { value = labels.endDate;   }
 
 ProjectName:   WOString { value = project.name;   }
 ProjectNumber: WOString { value = project.number; }