From 45b3311f54414f6c3e972e066f65531943aca42c Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Sat, 7 Oct 2023 22:44:29 +0100
Subject: [PATCH] Add function to reset all user/agent passwords in case of IR

---
 post/user.php                     | 44 +++++++++++++++++++++++++++++++
 user_all_reset_password_modal.php | 31 ++++++++++++++++++++++
 users.php                         |  5 ++++
 3 files changed, 80 insertions(+)
 create mode 100644 user_all_reset_password_modal.php

diff --git a/post/user.php b/post/user.php
index 363eb752e..fcbb9e158 100644
--- a/post/user.php
+++ b/post/user.php
@@ -280,3 +280,47 @@
     exit;
 
 }
+
+if (isset($_POST['ir_reset_user_password'])) {
+
+    // Incident response: allow mass reset of agent passwords
+
+    validateAdminRole();
+
+    validateCSRFToken($_POST['csrf_token']);
+
+    // Confirm logged-in user password, for security
+    $admin_password = $_POST['admin_password'];
+    $sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $session_user_id");
+    $userRow = mysqli_fetch_array($sql);
+    if (!password_verify($admin_password, $userRow['user_password'])) {
+        $_SESSION['alert_type'] = "error";
+        $_SESSION['alert_message'] = "Incorrect password.";
+        header("Location: " . $_SERVER["HTTP_REFERER"]);
+        exit;
+    }
+
+    // Get agents/users, other than the current user
+    $sql_users = mysqli_query($mysqli, "SELECT * FROM users WHERE (user_archived_at IS NULL AND user_id != $session_user_id)");
+
+    // Reset passwords
+    while ($row = mysqli_fetch_array($sql_users)) {
+        $user_id = intval($row['user_id']);
+        $user_email = sanitizeInput($row['user_email']);
+        $new_password = randomString();
+        $user_specific_encryption_ciphertext = encryptUserSpecificKey(trim($new_password));
+
+        echo $user_email . " -- " . $new_password; // Show
+        $new_password = password_hash($new_password, PASSWORD_DEFAULT);
+
+        mysqli_query($mysqli, "UPDATE users SET user_password = '$new_password', user_specific_encryption_ciphertext = '$user_specific_encryption_ciphertext' WHERE user_id = $user_id");
+
+        echo "<br><br>";
+    }
+
+    // Logging
+    mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name reset ALL user passwords', log_ip = '$session_ip', log_user_agent = '$session_user_agent',  log_user_id = $session_user_id");
+
+    exit; // Stay on the plain text password page
+
+}
diff --git a/user_all_reset_password_modal.php b/user_all_reset_password_modal.php
new file mode 100644
index 000000000..746bfaa13
--- /dev/null
+++ b/user_all_reset_password_modal.php
@@ -0,0 +1,31 @@
+<div class="modal" id="resetAllUserPassModal" tabindex="-1">
+    <div class="modal-dialog modal-lg">
+        <div class="modal-content">
+            <div class="modal-body">
+                <div class="mb-4" style="text-align: center;">
+                    <i class="far fas fa-10x fa-skull-crossbones text-danger mb-3 mt-3"></i>
+                    <h2>Incident Response: Agent Password Reset</h2>
+                    <br>
+                    <div class="alert alert-danger" role="alert">
+                        <b>This is a potentially destructive function.<br>It is intended to be used as part of a potential security incident.</b>
+                    </div>
+                    <h6 class="mb-4 text-secondary"><b>All ITFlow agent passwords will be reset and shown to you </b><i>(except yours - change yours first!)</i>.<br/><br/>You should communicate temporary passwords to agents out of band (e.g. via a phone call) and require they are changed ASAP.</h6>
+                    <form action="post.php" method="POST">
+                        <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
+                        <div class="row col-7 offset-4">
+                            <div class="input-group">
+                                <div class="input-group-prepend">
+                                    <input type="password" class="form-control" placeholder="Enter your account password to continue" name="admin_password" autocomplete="new-password" required>
+                                </div>
+                            </div>
+                        </div>
+                        <br>
+                        <button class="btn btn-danger" type="submit" name="ir_reset_user_password"><i class="fas fa-fw fa-key mr-2"></i>Reset passwords</button>
+                    </form>
+                </div>
+                <button type="button" class="btn btn-outline-secondary btn-lg px-5 mr-4" data-dismiss="modal">Cancel</button>
+
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/users.php b/users.php
index e7435a8d9..53c47673f 100644
--- a/users.php
+++ b/users.php
@@ -33,6 +33,10 @@
                 <button type="button" class="btn btn-primary dropdown-toggle dropdown-toggle-split" data-toggle="dropdown"></button>
                 <div class="dropdown-menu">
                     <!--<a class="dropdown-item text-dark" href="#" data-toggle="modal" data-target="#userInviteModal"><i class="fas fa-paper-plane mr-2"></i>Invite User</a>-->
+                    <?php if ($num_rows[0] > 1) { ?>
+                        <div class="dropdown-divider"></div>
+                        <a class="dropdown-item text-danger" href="#" data-toggle="modal" data-target="#resetAllUserPassModal"><i class="fas fa-skull-crossbones mr-2"></i>IR</a>
+                    <?php } ?>
                 </div>
             </div>
         </div>
@@ -197,4 +201,5 @@ function generatePassword() {
 require_once("user_add_modal.php");
 require_once("user_invite_modal.php");
 require_once("user_export_modal.php");
+require_once("user_all_reset_password_modal.php");
 require_once("footer.php");