CDN Features for files uploaded to system #123

If the search_base is not defined or not correct for the user being authenticated and a search user and password is given and is correct, attempt to lookup the user's DN and authenticate as the found DN with the given password.

Add the "Telephone Number" field on the "General" tab of the Windows user manager dialog to the "Phone Number" field of the user-to-be-created when adding users from the LDAP directory into the system.

If the DNS servers were not considered, the empty string would be interpreted as a list of one DNS server with an empty IP address. Therefore, the name servers specified in the system DNS configuration would not be used. This patch corrects the issue by filtering empty DNS server specifications.

This is necessary so we can split Staff/User authentication.

(For when we get there)

Authentication Backends Revisited Reviewed-By: Jared Hancock <[email protected]>

Add plugin builder script to create PHAR files

Previously the DN length was capped at 80 chars. This patch allows specification of up to 120 chars.

ldap: Allow specification of extremely long DNs

ldap: AD: Add validation errors

Also search for inetOrgPerson objectClass objects for standard LDAP systems rather than assuming that all users have the posixAccount class as well.

display some more information to the admin user configuring the plugin

Use composer to download and manage dependencies

Attachment storage in Amazon S3 Reviewed-By: Peter Rotich <[email protected]>

AWS supports sending a Content-MD5 header along with the data. The AWS server will re-hash the data received, and if the server-generated hash does not match the received hash, the request will fail and the content will be discarded. This offers a significant performance boost over the previous version, as the content of the file only needs to be sent over the internet once per transaction.

Reviewed-By: Peter Rotich <[email protected]>

The attributes for first and last name were incorrect for Active Directory

supportedCapabilities is not included by default for the rootDse lookup funciton in the Net_LDAP2 library. Perhaps Windows Server 2003 level Active Directory always included it.

The user@domain syntax is not a correct distinguished name when querying Active Directory for user information. Instead, the search base should be queried for an object with (userPrinicipalName=user@domain)

The way registraiton lookup was corrected broke user lookups in the staff portal for Active Directory. This patch allows them to coexist by looking up the User's DN in the registration pipeline for Active Directory.

make: Don't attempt to add directories to PHARs Reviewed-By: Peter Rotich <[email protected]>

Implement client authentication via LDAP Reviewed-By: Peter Rotich <[email protected]>

oath: Introduce external authentication with Google+ Reviewed-By: Peter Rotich <[email protected]>

http: Implement pass-through auth for clients Reviewed-By: Peter Rotich <[email protected]>

Here is a request from a forum member which does not like to create a github account, so I created the pull request on behalf for him/her. http://osticket.com/forum/discussion/79234/auth-ldap-and-anonymous-bind

This significantly reduces the size of generated PHAR files which should directly influence osTicket request time using such PHAR files.

- Providing no CA file path implies no verification will be used - An absolute path to a CA cert can no be provided - Resolved a bug with case-sensitive loading from PHAR

ldap: Fix client login under some circumstances Reviewed-By: Jared Hancock <[email protected]>

Allow for longer folder names in the storage-fs plugin

Try anonymous bind Reviewed-By: Jared Hancock <[email protected]>

i18n: Translate the plugins!

ldap, pass thru: Fix login with osTicket v1.9-next (post v1.9.7) Reviewed-By: Peter Rotich <[email protected]>

Add support for CAS authentication Reviewed-By: Jared Hancock <[email protected]>

needed to download Net_LDAP2 properly - as in #38 Reviewed-By: Jared Hancock <[email protected]>

Change the composer pear repo to https from http. This is necessary for newer versions of composer that do not allow unrestricted connections unless secure-http is set to false, which is NOT recommended. Without this change, running hydrate or composer update will result in an error and fail. https://getcomposer.org/doc/06-config.md#secure-http

fix url to plugin translation site

Unsecured http connections are forbidden in configuration. make.php hydrate DOES NOT FUNCTION without https.

modified pear.php.net to https in composer setup

Update README.md

This plugin audits events in the help desk done by Agents and Users. It tracks activities like logging in and out, creating Tickets, creating Departments, changing Configurations, and many more. Audits can be viewed individually for Tickets, Agents, and Users. Additionally, there is a new tab, Audit Logs, on the Dashboard that allows Admins to narrow down audits they would like to see across the whole helpdesk by a date range or specific event. All audit reports can be exported as CSV.

Make sure the overlay only stays showing for the ticket audit pagination. If you navigate to another page, it should go away as usual.

- Minor wording changes - Check if thisstaff and thisclient is_null rather than !$thisstaff or !$thisclient - Audit agent responses - Remove unused methods - Account for object coming in as an array

This commit allows us to email audit exports to an Agent if we reach the max execution limit.

Make the audit export work with the new implementation of csv exports.

This addresses 160 where setting `host:port` for the "LDAP Servers" option does not work when using PHP 7.2+. In PHP 7.2+ the `host:port` string will be used as the full hostname and since we are not passing a port the system assumes `389`. The end result of this is `host:port:389` which is not valid and fails every time. This adds a regex check for the port number in the string and if exists we add the port number to the `port` option in the `$info` array for `Net_LDAP2::bind()`. The end result of this is `host:port` which is valid and will connect successfully every time. If no port is passed the system assumes the port is the default (`389`) and the end result will be `host:389`.

- Modify code for lint fixes made in osTicket - Do audit HTML in signal within the plugin - Add missing configuration - Change audit table data field to text type field - Make sure we display text appropriately (translations/htmlchars)

This addresses an issue where attempting to use a password that starts with any of these characters (`= - + @`) fails with `Content cannot start with the following characters: = - + @` validation error. This adds a new validator to the Password Field called `noop` that skips validation. LDAP passwords do not need to be validated or checked against any local password policies as we are using an externally created password, not creating a new one inside the software.

This addresses issue reported at osTicket/osTicket/issues/5315 where the Audit Log plugin uses the REMOTE_ADDR header for the IP Address for some log entries which can be incorrect in some cases. A good case would be a reverse proxy, the `REMOTE_ADDR` header will be the IP Address of the Proxy and not the original Client’s IP. In order to get the actual Client IP Address from a proxied request you need to scan the request for the `X-Forwarded-For` header. osTicket already has function to accomplish this called `get_client_ip()`. This updates `audit/class.audit.php` to use `get_client_ip()` instead of the `REMOTE_ADDR` header which should return the actual Client IP Address.

ldap: PHP 7.2+ Host:Port Conflict

issue: Password Validation

This addresses an issue where having the Audit Log plugin Enabled and creating a new Agent throws a DB Error 1064. This error is due to an incomplete Staff object (as it's being created) which causes issues in later methods. This adds a check for a Staff ID and if none we avoid running the Audit queries.

Audit Plugin

This coommit fixes an issue we had with including the audit templates.

- Ticket Audit timestamp sort fix - User Audit description formatting fix

Fix #173

This commit allows us to use the object.deleted signal when deleting help topics, categories, and pages which will prevent us from calling the AuditEntry class from the main osTicket codebase.

audit: New Agent DB Error

Feature/audit plugin

Issue: Class AuditEntry Not Found

Reviewed-By: Peter Rotich <[email protected]>

This commit fixes an issue with the last commit where the timestamp sort was being added twice which threw off the pagination for the ticket audit modal.

Reviewed By: aydreeihn <[email protected]>

This commit fixes an issue where the pagination links were not being correctly formatted in the ticket audit modal.

Audit Issue

Reviewed-By: JediKev <[email protected]>

This commit extends and generalizes PR made by Jared. Notabled changes include; * Make plugin generic password policy plugin as opposed to just password complexity plugin * Support both class of characters AND password strength checking * Support checking policy on login.

Password Policy Plugin

This commit fixes an issue where we would always try to add events to the event table when installing the plugin when it was possible that they already existed. Now, we'll check to make sure those events don't exist before creating them, and if they do exist, log a warning (if warnings are being logged for the helpdesk).

Issue: Audit Events

Modified make.php Currently it's getting composer-stable, which happens to be composer 2. It seems that the installation is not compatible with composer 2.

This commit adds a new field to the plugin configuration that allows the Admin to put in an S3 Folder Path if they want to upload files to a specific S3 folder. If no folder is provided, the file will be uploaded directly to the S3 Bucket. If a folder is specified and it does not currently exist in S3, the folder will be created.

Needs to be lowercase. See https://stackoverflow.com/questions/63223402/composer-json-validation-error-for-regex-pattern-a-z0-9-a-z0-9-a/63225886#63225886 for more info.

> [RuntimeException] > require.pear-pear.php.net/Net_LDAP2 is invalid, it should not contain uppercase characters. Please use pear-pear.php.net/net_ldap2 instead.

This addresses an issue introduced with 162 where the port number is extracted from the Servers textbox but it is a string value instead of an int value. The `Net_LDAP2::__construct()` function expects the port number to be an integer so this casts the port number to an int.

Fix "name : Does not match the regex pattern"

Fix "pear-pear.php.net/Net_LDAP2 is invalid"

issue: Host/Port Int Vals

This commit adds extra functionality needed to ensure that using folders in S3 will still work with helpdesks using the existing plugin without folders as well as working if the name of the S3 folder is changed. We will now store the S3 bucket and folder name in the attrs of the file record so that we know where to retrieve the file from. If no attrs exist and you are downloading a file, we will download from the bucket configured in the plugin

This commit adds the Authenticator Plugin to the osTicket Plugins repo. The wording of the Plugin has been changed to specify that it works with other Authenticator apps, and when a QR code is scanned, the title shown in the app is the Helpdesk title.

Reviewed-By: Peter Rotich <[email protected]>

This commit makes sure we're using the defined static $id for the database key of the plugin.

Reviewed-By: Peter Rotich <[email protected]>

This commit fixes an issue in the Audit Plugin in a scenario that if we could not retrieve the staff or user during checks, the default else statement was $object->getUserId(). In the event that the object did not have that method, it resulted in a fatal error.

This commit fixes an issue we had with the audit plugin assuming that any time the config table is being updated, it is by a signed in Agent.

This commit adds an option for an Admin to add a custom Issuer name in the Config for the 2FA plugin. The issueer is the title shown i n an Authenticator app after the QR code is scanned. If no configuration is set up, we use 'osTicket' as the issuer name.. It also fixes an issue where some authenticators cannot handle spaces or special characters in the URL. It strips out spaces and special characters when generating the URL for the QR code.

This addresses issue 215 where the permissions for `mkdir()` need to be octal numbers. This updates the permissions from `751` to `0751`.

Reviewed-By: JediKev <[email protected]>, aydreeihn <[email protected]>, protich <[email protected]>

This addresses the `Non-static method XXX cannot be called statically` errors.

This updates the static calls that need to be non-static.

This addresses the `Declaration of Methods should be Compatible with Parent Methods` errors.

This removes the Pear Dependency for composer and includes it in lib until we completely rewrite the plugin.

This adds functionality to map custom decencies on hydrate. A custom dependency is a decency that is not managed through Composer (like auth-ldap is now). This means any decency that is included in lib/ and is configured to be mapped (via plugin config) will be mapped as normal Composer dependencies.

This updates the code to use Composer 2 on hydrate so we can utilize latest standards/dependencies.

This updates the storage-s3 plugin to utilize latest aws-sdk-php.

This commit fixes a PHP warning with the make.php file while trying to hydrate the plugins.

@aydreeihn

This addresses an issue found by @aydreeihn where the `$options` argument was missing from `mapDependencies()`. This adds the parameter so that it can be used.

This addresses some lingering errors with the auth-ldap plugin. This includes `calling a non-static method statically` and `expects two arguments but received three` errors.

Reviewed-By: JediKev <[email protected]>, aydreeihn <[email protected]>, protich <[email protected]>

This addresses an issue where `LDAPAuthentication::autodiscover()` is not static but is being called statically. This changes the method to static and updates the subsequent calls to static calls.

Reviewed-By: JediKev <[email protected]>, aydreeihn <[email protected]>

This mitigates a vulnerability discovered by the AppSec Research Team at Checkmarx where it's possible to perform injection via Audit Log plugin. This is due to passing the `order` URL param directly to the select query. This refactors the `getOrder()` method to only return predefined sort orders to prevent using user-input.

This mitigates a vulnerability discovered by the AppSec Research Team at Checkmarx where it's possible to perform XSS via the Audit Log plugin. This is due to not properly escaping the `state` and `type` URL params. This adds `Format::htmlchars()` to both params to ensure they are properly escaped.

This helps mitigate a vulnerability discovered by the AppSec Research Team at Checkmarx where it's possible to list the contents of the attachment directory if one setup the directory in the site root without proper permissions, access, etc. This updates the `pre_save()` method so that upon saving the Plugin configuration we create an `.htaccess` file with `Options -Indexes` content so that directory listing is disabled.

…-05-2022 Reviewed-By: JediKev <[email protected]>, aydreeihn <[email protected]>

The plugin provides OAuth2 Authentication and Authorization backends

Plugin replaced by auth-oauth2

Make sure OAuth2 Plugin is active when triggering email authorization.

Password Field supports auto encrypt/decrypt

Make sure authorized email matches local email address.

This commit addresses scopes related issues

This commit changes Outlook office scopes separator to space. It also sets separator to comma when scopes are command separated as entered.

This commit changes the plugin version to 0.2 due to recent changes since 0.1 release

This commit exposes email address atrribute setting when configuring an instance via email interface.

Add ERR_EMAIL_ATTR error to help hint that the attribute is wrong.

This commits moves scopes up the list of inputs when configuring an instance via basic/email interface.

This commits removes maxlength restriction on config fields since the url used can be terrifically long depending on the provider.

Use Mail.ReadWrite by default instead of individual scopes. Change the email default atrribute from mail to EmailAddress.

Stash authorization result (errors or msg) via email onject before redirecting

This is necessay so we can override the default Config class.

- Restructure fields and add visibility options - Add pre_save to reject Authorization updates via plugin interface

This Commit adds default endpoints and Username attribute for Azure common tenant app. It was not preciously added because endpoints can point to directory specific application. It also adds the posibility to backfill email with principal name if it's an email address.

This commit adds support for expanded matching when hydrating libraries. This allows us to only pick part of the library or sdk we need to make the plugin functional without any extra packages. PS: GLOB_BRACE flag used for expanded search is not available on some non GNU systems, like Solaris or Alpine Linux.

Reviewed-By: osTicket Team <[email protected]>

Reviewed-By: aydreeihn <[email protected]>, JediKev <[email protected]>

Microsoft OAuth2 endpoints are smart enough that we don't need to tell it to issue a consent prompt. In a number of cases (I tested this with two separate differently configured differently-secured tenants on MS365 today), defining `'prompt' => 'consent'` as one of the url options will force **admin consent** (this is translated to `admin_consent` on the MS365 backend - figured out after a 3 hour power session with MS365 admins and support who discovered this). When you send the OAuth request to MS365, the system is smart enough to determine if you need consent or not, and you do **NOT** need to tell MS365 that a consent window is required. That may be a requisite for other providers, but not MS365 based on the testing I've done.

This commit disables strict email match when doing email authorization (getting token). While strict by default was noble, checking for a match is troublesome when a global admin can authorize for an email account or/and its aliases. A strict placeholder flag is set to false default for now with the intention of making it configurable in the future.

This commit reduces the size of the S3 plugin by only pulling services related to S3 from the AWS SDK. This is done by following the steps outlined here: https://github.com/stobrien89/aws-sdk-php/tree/remove-unused-services/src/Script/Composer

Reviewed-By: JediKev <[email protected]>, aydreeihn <[email protected]>

Reviewed-By: Peter Rotich <[email protected]>

When authorizing an email account to obtain a token - some providers, like Office365, allow for global admins to authorize on behalf of the accounts they manage. This is possible when OAuth2 plugin is NOT in strict mode (default: false) - however , on-authorization, the returned resource owner email is set to the authorizing admin email / account which in turn causes account / resource mismatch when the token is used onbehalf of resource owner. This commit changes the plugin so that on mismatch and with strict mode set to false - the email address being authorized is set as the resource owner.

This addresses an issue where we are still using the static ID instead of using the Backend ID causing Agent lookups and searches to fail. This updates both places we use the static ID to `getBkId()` instead. This will retrieve the proper Backend ID and will allow Agent lookups and searches to function successfully.

This addresses an issue reported on the Forum where you click a direct link from an email or something, you hit the login page, you login via OAuth2 SSO, and when you are redirected back you are not presented with the original URL. This is due to not accounting for the destination URL in the `onSignIn()` methods for the OAuth2 User/Agent backends. This adds a ternary statement that uses the dest URL from the session, otherwise it defaults to the base URL.

This addresses an issue where `msad` schemas can return `false` when calling `current()` on an LDAP search result. We do not check if `current()` is false before attempting to call `dn()` on it so this adds a check to see if `current()` returns a value before using it.

…protich/osTicket-plugins into develop

This commit addresses an issue where Refersh Token expires after 90 days for users using Office 365 as the provider. It turns out Microsoft (Office 365) issues a new Refresh Token everytime Access Token is refreshed, otherwise the original Refresh Token expires after 90 days from the time it was issued. This commit adds the logic to update Refresh Token while refreshing Access Token, **if reissued**.

This issue has been discussed in the following forum post https://forum.osticket.com/d/101462-oauth2-shared-mailboxes/34 This push fixes and resolves the issue so that the **`resource_owner_email`** is set correctly as the **Shared Mailbox** email on the **_Remote Mailbox_** tab and the **User Mailbox / Global Admin** is set on the **_Outgoing (SMTP)_** tab. The logic for this is - To pickup emails you need to use the email address of the account that emails were sent to, this can either be a **User Mailbox** or a **Shared Mailbox**. - To send emails a **_Licenced Microsoft 365 User Mailbox_** must be used, so the emails are sent from the **User Mailbox** account that is used to authenticate the **Shared Mailbox** or the actual **User Mailbox** on the Microsoft 365 OAuth2 challenge. If using Shared Mailboxes, the User Mailbox account that is used to send emails is often referred to as a **Service Account** or a **Global Admin** account. This account needs to have permissions to be able to access and send emails on behalf of the Shared Mailbox(es) that you configure on your osTicket configuration.

This commit simply cleans up the logic in commit `231acddb1` to make sure it only targets Office 365 Accounts as intended.

This is a temp hack to delegate strict matching mode checking to provider.

This commit reverses changes added in 512d93d to remove Application logic from plugin level. Core osTicket will handle Shared Mailbox logic going forward.

Reviewed-By: protich <[email protected]>, JediKev <[email protected]>

This resolves and issue where when hydrating the S3 plugin it's still including uneeded dependencies even though the plugin info includes the script and extra tags. This is due to `make.php` not taking those into account when resolving the dependencies. This updates the `resolveDependencies` method to account for the scripts and extra tags and will include them if found. This also addresses an small issue where the extra value needs to be an array otherwise it causes fatal error.

…s-and-extra Reviewed-By: Peter Rotich <[email protected]>

This adds the OAuth2 Authentication defaults for Okta provider. This will make Okta setup a little easier.

This is the second part to the main core pull that fixes an issue where using any other language than English and attempting to export `All` events for a specific object fails. This removes the translation method from the instances that do not need it and cause issues.

This addresses PHP 8.1 compatibilty issues with the LDAP plugin. Since the LDAP resources were converted to LDAP\Connection, LDAP\Result, and LDAP\ResultEntry objects respectively, the previous `is_resource()` checks fail. This updates all relevant cases of `is_resource()` to `!== false` checks to make LDAP plugin compatible with PHP 8.1.

This addresses an error reported in 270 where we are attempting to call `dn()` on `$r->current()` but `current()` can sometimes return `false`. This adds a check for `!$r->current()` before continuing to `dn()`. See similar issue here: 260

Reviewed-By: JediKev <[email protected]>

This is a commit that goes along with a core commit for password length. We should limit passwords to minimum of 1 and maximum of 128.

Reviewed-By: JediKev <[email protected]>

This addresses an issue where `ldap://` and `ldaps://` gets stripped from the hostname by weak REGEX. This updates the REGEX to make it account for `ldap://` and `ldaps://` so that it remains as part of the hostname. This will allow people to typehint LDAPS connections.

Reviewed-By: Peter Rotich <[email protected]>

…nt-selection-prompt Reviewed-By: Peter Rotich <[email protected]>

Commits on Apr 18, 2014

Bump version code for AWS S3 storage

Jared Hancock committed Apr 18, 2014

Configuration menu

View commit details

Copy full SHA for a7e3a08

Browse repository at this point

Copy the full SHA

a7e3a08 View commit details

Browse the repository at this point in the history

Commits on Jun 4, 2015

Add i18n support

kevinoconnor7 committed Jun 4, 2015

Configuration menu

View commit details

Copy full SHA for f70b28f

Browse repository at this point

Copy the full SHA

f70b28f View commit details

Browse the repository at this point in the history

Commits on Jul 13, 2022

auth-oauth2: Add GuzzleHttp/{Psr7,Promise}

protich committed Jul 13, 2022

Configuration menu

View commit details

Copy full SHA for c91489f

Browse repository at this point

Copy the full SHA

c91489f View commit details

Browse the repository at this point in the history

CDN Features for files uploaded to system #123

Are you sure you want to change the base?

CDN Features for files uploaded to system #123

Commits on Dec 13, 2013

Commits on Dec 18, 2013

Commits on Dec 23, 2013

Commits on Jan 1, 2014

Commits on Jan 17, 2014

Commits on Jan 20, 2014

Commits on Jan 21, 2014

Commits on Jan 31, 2014

Commits on Feb 3, 2014

Commits on Feb 19, 2014

Commits on Mar 3, 2014

Commits on Mar 18, 2014

Commits on Mar 20, 2014

Commits on Mar 21, 2014

Commits on Mar 25, 2014

Commits on Mar 26, 2014

Commits on Apr 7, 2014

Commits on Apr 14, 2014

Commits on Apr 18, 2014

Commits on Apr 29, 2014

Commits on May 4, 2014

Commits on May 5, 2014

Commits on May 19, 2014

Commits on May 20, 2014

Commits on May 30, 2014

Commits on Sep 17, 2014

Commits on Dec 31, 2014

Commits on Mar 26, 2015

Commits on Mar 29, 2015

Commits on Apr 2, 2015

Commits on Apr 9, 2015

Commits on Apr 10, 2015

Commits on Apr 30, 2015

Commits on Jun 4, 2015

Commits on Jul 30, 2015

Commits on Aug 31, 2015

Commits on Dec 28, 2015

Commits on Jun 21, 2016

Commits on Sep 21, 2016

Commits on Sep 22, 2016

Commits on Nov 2, 2016

Commits on Jul 11, 2019

Commits on Jul 15, 2019

Commits on Aug 1, 2019

Commits on Aug 13, 2019

Commits on Sep 17, 2019

Commits on Jan 7, 2020

Commits on Mar 6, 2020

Commits on Mar 10, 2020

Commits on Mar 24, 2020

Commits on Mar 25, 2020

Commits on Apr 15, 2020

Commits on Apr 23, 2020

Commits on Apr 27, 2020

Commits on Apr 30, 2020

Commits on May 1, 2020

Commits on May 6, 2020

Commits on May 30, 2020

Commits on Jun 10, 2020

Commits on Oct 14, 2020

Commits on Nov 30, 2020

Commits on Jan 15, 2021

Commits on Feb 2, 2021

Commits on Feb 12, 2021

Commits on Apr 12, 2021

Commits on Apr 13, 2021

Commits on May 3, 2021

Commits on May 5, 2021

Commits on May 13, 2021

Commits on Jul 28, 2021

Commits on Oct 29, 2021

Commits on Nov 1, 2021

Commits on Nov 2, 2021

Commits on Feb 1, 2022

Commits on Feb 2, 2022

Commits on Feb 8, 2022

Commits on Feb 15, 2022