mirror of
https://github.com/inverse-inc/sogo.git
synced 2026-07-03 15:54:18 +00:00
feat(core): Check password strength on login (SQL Source). Closes #6025.
This commit is contained in:
@@ -2471,4 +2471,4 @@ _makeLDAPChanges (NGLdapConnection *ldapConnection,
|
||||
return rc;
|
||||
}
|
||||
|
||||
@end
|
||||
@end
|
||||
@@ -65,7 +65,8 @@
|
||||
domain: &domain
|
||||
perr: &perr
|
||||
expire: &expire
|
||||
grace: &grace]
|
||||
grace: &grace
|
||||
additionalInfo: nil]
|
||||
&& perr == PolicyNoError);
|
||||
|
||||
if (!rc)
|
||||
|
||||
@@ -502,6 +502,7 @@ static const NSString *kObfuscatedSecondaryEmailKey = @"obfuscatedSecondaryEmail
|
||||
perr: (SOGoPasswordPolicyError *) perr
|
||||
expire: (int *) expire
|
||||
grace: (int *) grace
|
||||
additionalInfo: (NSMutableDictionary **)_additionalInfo
|
||||
{
|
||||
NSObject <SOGoSource> *sogoSource;
|
||||
NSEnumerator *authIDs;
|
||||
@@ -520,8 +521,11 @@ static const NSString *kObfuscatedSecondaryEmailKey = @"obfuscatedSecondaryEmail
|
||||
perr: perr
|
||||
expire: expire
|
||||
grace: grace];
|
||||
if (_additionalInfo && *_additionalInfo && [sogoSource userPasswordPolicy] && [[sogoSource userPasswordPolicy] count] > 0) {
|
||||
[*_additionalInfo setObject:[sogoSource userPasswordPolicy] forKey:@"userPolicies"];
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (checkOK && *domain == nil)
|
||||
{
|
||||
SOGoSystemDefaults *sd = [SOGoSystemDefaults sharedSystemDefaults];
|
||||
@@ -554,6 +558,7 @@ static const NSString *kObfuscatedSecondaryEmailKey = @"obfuscatedSecondaryEmail
|
||||
perr: (SOGoPasswordPolicyError *) _perr
|
||||
expire: (int *) _expire
|
||||
grace: (int *) _grace
|
||||
additionalInfo:(NSMutableDictionary **)_additionalInfo
|
||||
{
|
||||
return [self checkLogin: _login
|
||||
password: _pwd
|
||||
@@ -561,6 +566,7 @@ static const NSString *kObfuscatedSecondaryEmailKey = @"obfuscatedSecondaryEmail
|
||||
perr: _perr
|
||||
expire: _expire
|
||||
grace: _grace
|
||||
additionalInfo: _additionalInfo
|
||||
useCache: YES];
|
||||
}
|
||||
|
||||
@@ -573,6 +579,7 @@ static const NSString *kObfuscatedSecondaryEmailKey = @"obfuscatedSecondaryEmail
|
||||
perr: (SOGoPasswordPolicyError *) _perr
|
||||
expire: (int *) _expire
|
||||
grace: (int *) _grace
|
||||
additionalInfo: (NSMutableDictionary **)_additionalInfo
|
||||
useCache: (BOOL) useCache
|
||||
{
|
||||
NSString *dictPassword, *username, *jsonUser;
|
||||
@@ -726,7 +733,8 @@ static const NSString *kObfuscatedSecondaryEmailKey = @"obfuscatedSecondaryEmail
|
||||
domain: _domain
|
||||
perr: _perr
|
||||
expire: _expire
|
||||
grace: _grace])
|
||||
grace: _grace
|
||||
additionalInfo: _additionalInfo])
|
||||
{
|
||||
checkOK = YES;
|
||||
if (!currentUser)
|
||||
|
||||
@@ -37,20 +37,22 @@
|
||||
|
||||
+ (id) sharedSOGoWebAuthenticator;
|
||||
|
||||
- (BOOL) checkLogin: (NSString *) _login
|
||||
password: (NSString *) _pwd
|
||||
domain: (NSString **) _domain
|
||||
perr: (SOGoPasswordPolicyError *) _perr
|
||||
expire: (int *) _expire
|
||||
grace: (int *) _grace;
|
||||
- (BOOL)checkLogin:(NSString *)_login
|
||||
password:(NSString *)_pwd
|
||||
domain:(NSString **)_domain
|
||||
perr:(SOGoPasswordPolicyError *)_perr
|
||||
expire:(int *)_expire
|
||||
grace:(int *)_grace
|
||||
additionalInfo:(NSMutableDictionary **)_additionalInfo;
|
||||
|
||||
- (BOOL) checkLogin: (NSString *) _login
|
||||
password: (NSString *) _pwd
|
||||
domain: (NSString **) _domain
|
||||
perr: (SOGoPasswordPolicyError *) _perr
|
||||
expire: (int *) _expire
|
||||
grace: (int *) _grace
|
||||
useCache: (BOOL) useCache;
|
||||
- (BOOL)checkLogin:(NSString *)_login
|
||||
password:(NSString *)_pwd
|
||||
domain:(NSString **)_domain
|
||||
perr:(SOGoPasswordPolicyError *)_perr
|
||||
expire:(int *)_expire
|
||||
grace:(int *)_grace
|
||||
additionalInfo:(NSMutableDictionary **)_additionalInfo
|
||||
useCache:(BOOL)useCache;
|
||||
|
||||
- (WOCookie *) cookieWithUsername: (NSString *) username
|
||||
andPassword: (NSString *) password
|
||||
|
||||
@@ -102,7 +102,8 @@
|
||||
domain: &domain
|
||||
perr: &perr
|
||||
expire: &expire
|
||||
grace: &grace];
|
||||
grace: &grace
|
||||
additionalInfo: nil];
|
||||
}
|
||||
|
||||
- (BOOL) checkLogin: (NSString *) _login
|
||||
@@ -111,6 +112,7 @@
|
||||
perr: (SOGoPasswordPolicyError *) _perr
|
||||
expire: (int *) _expire
|
||||
grace: (int *) _grace
|
||||
additionalInfo: (NSMutableDictionary **)_additionalInfo
|
||||
{
|
||||
return [self checkLogin: _login
|
||||
password: _pwd
|
||||
@@ -118,6 +120,7 @@
|
||||
perr: _perr
|
||||
expire: _expire
|
||||
grace: _grace
|
||||
additionalInfo: _additionalInfo
|
||||
useCache: YES];
|
||||
}
|
||||
|
||||
@@ -127,6 +130,7 @@
|
||||
perr: (SOGoPasswordPolicyError *) _perr
|
||||
expire: (int *) _expire
|
||||
grace: (int *) _grace
|
||||
additionalInfo: (NSMutableDictionary **)_additionalInfo
|
||||
useCache: (BOOL) _useCache
|
||||
{
|
||||
SOGoCASSession *session;
|
||||
@@ -164,6 +168,7 @@
|
||||
perr: _perr
|
||||
expire: _expire
|
||||
grace: _grace
|
||||
additionalInfo: _additionalInfo
|
||||
useCache: _useCache];
|
||||
|
||||
//[self logWithFormat: @"Checked login with ppolicy enabled: %d %d %d", *_perr, *_expire, *_grace];
|
||||
@@ -250,7 +255,8 @@
|
||||
domain: &domain
|
||||
perr: &perr
|
||||
expire: &expire
|
||||
grace: &grace])
|
||||
grace: &grace
|
||||
additionalInfo: nil])
|
||||
return nil;
|
||||
|
||||
if (domain && [login rangeOfString: @"@"].location == NSNotFound)
|
||||
|
||||
+77
-25
@@ -245,6 +245,20 @@
|
||||
return result;
|
||||
}
|
||||
|
||||
- (BOOL) checkLogin: (NSString *) _login
|
||||
password: (NSString *) _pwd
|
||||
perr: (SOGoPasswordPolicyError *) _perr
|
||||
expire: (int *) _expire
|
||||
grace: (int *) _grace
|
||||
{
|
||||
return [self checkLogin: _login
|
||||
password: _pwd
|
||||
perr: _perr
|
||||
expire: _perr
|
||||
grace: _grace
|
||||
disablepasswordPolicyCheck: NO];
|
||||
}
|
||||
|
||||
//
|
||||
// SQL sources don't support right now all the password policy
|
||||
// stuff supported by OpenLDAP (and others). If we want to support
|
||||
@@ -256,6 +270,7 @@
|
||||
perr: (SOGoPasswordPolicyError *) _perr
|
||||
expire: (int *) _expire
|
||||
grace: (int *) _grace
|
||||
disablepasswordPolicyCheck: (BOOL) _disablepasswordPolicyCheck
|
||||
{
|
||||
EOAdaptorChannel *channel;
|
||||
EOQualifier *qualifier;
|
||||
@@ -335,10 +350,69 @@
|
||||
else
|
||||
[self errorWithFormat:@"failed to acquire channel for URL: %@",
|
||||
[_viewURL absoluteString]];
|
||||
|
||||
if (YES == rc && !_disablepasswordPolicyCheck) {
|
||||
[self checkPasswordPolicyWithPassword:_pwd perr: _perr];
|
||||
}
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates a given password against the configured user password policies.
|
||||
*
|
||||
* This method checks if the provided password complies with all defined
|
||||
* password policies for the user. Each policy is expected to include
|
||||
* a regular expression (`regex`) that the password must match.
|
||||
*
|
||||
* If the password violates any policy, the method sets an appropriate error
|
||||
* in the `perr` parameter and stops further validation.
|
||||
*
|
||||
* @param password the password to validate.
|
||||
* @param perr will be set to indicate a policy violation, if the password
|
||||
* does not meet the required standards. Possible values include:
|
||||
* `PolicyInsufficientPasswordQuality` for insufficient complexity.
|
||||
* @return YES if the password satisfies all policies, NO otherwise.
|
||||
*
|
||||
* @note This method assumes that `_userPasswordPolicy` is an array of dictionaries,
|
||||
* where each dictionary represents a password policy with at least a "regex" key.
|
||||
* @warning If a policy does not include a "regex" key, an error will be logged, and
|
||||
* the method will continue to the next policy.
|
||||
*/
|
||||
- (BOOL) checkPasswordPolicyWithPassword: (NSString *)password perr: (SOGoPasswordPolicyError *)perr
|
||||
{
|
||||
BOOL isPolicyOk;
|
||||
NSDictionary *policy;
|
||||
NSEnumerator *policies;
|
||||
NSRange match;
|
||||
NSString *regex;
|
||||
|
||||
isPolicyOk = YES;
|
||||
|
||||
if ([_userPasswordPolicy count])
|
||||
{
|
||||
policies = [_userPasswordPolicy objectEnumerator];
|
||||
while (isPolicyOk && (policy = [policies nextObject]))
|
||||
{
|
||||
regex = [policy objectForKey: @"regex"];
|
||||
if (regex)
|
||||
{
|
||||
match = [password rangeOfString: regex options: NSRegularExpressionSearch];
|
||||
isPolicyOk = isPolicyOk && match.length > 0;
|
||||
if (match.length == 0)
|
||||
{
|
||||
// [self errorWithFormat: @"Password not conform to policy %@ (%@)", regex, [policy objectForKey: @"label"]];
|
||||
*perr = PolicyInsufficientPasswordQuality;
|
||||
}
|
||||
}
|
||||
else
|
||||
[self errorWithFormat: @"Invalid password policy (missing regex): %@", policy];
|
||||
}
|
||||
}
|
||||
|
||||
return isPolicyOk;
|
||||
}
|
||||
|
||||
/**
|
||||
* Change a user's password.
|
||||
* @param login the user's login name.
|
||||
@@ -357,11 +431,8 @@
|
||||
BOOL didChange, isOldPwdOk, isPolicyOk;
|
||||
EOAdaptorChannel *channel;
|
||||
GCSChannelManager *cm;
|
||||
NSDictionary *policy;
|
||||
NSEnumerator *policies;
|
||||
NSException *ex;
|
||||
NSRange match;
|
||||
NSString *sqlstr, *regex;
|
||||
NSString *sqlstr;
|
||||
|
||||
*perr = -1;
|
||||
isOldPwdOk = NO;
|
||||
@@ -369,30 +440,11 @@
|
||||
didChange = NO;
|
||||
|
||||
// Verify current password
|
||||
isOldPwdOk = [self checkLogin:login password:oldPassword perr:perr expire:0 grace:0];
|
||||
isOldPwdOk = [self checkLogin:login password:oldPassword perr:perr expire:0 grace:0 disablepasswordPolicyCheck: YES];
|
||||
|
||||
if (isOldPwdOk || passwordRecovery)
|
||||
{
|
||||
if ([_userPasswordPolicy count])
|
||||
{
|
||||
policies = [_userPasswordPolicy objectEnumerator];
|
||||
while (isPolicyOk && (policy = [policies nextObject]))
|
||||
{
|
||||
regex = [policy objectForKey: @"regex"];
|
||||
if (regex)
|
||||
{
|
||||
match = [newPassword rangeOfString: regex options: NSRegularExpressionSearch];
|
||||
isPolicyOk = isPolicyOk && match.length > 0;
|
||||
if (match.length == 0)
|
||||
{
|
||||
// [self errorWithFormat: @"Password not conform to policy %@ (%@)", regex, [policy objectForKey: @"label"]];
|
||||
*perr = PolicyInsufficientPasswordQuality;
|
||||
}
|
||||
}
|
||||
else
|
||||
[self errorWithFormat: @"Invalid password policy (missing regex): %@", policy];
|
||||
}
|
||||
}
|
||||
isPolicyOk = [self checkPasswordPolicyWithPassword:newPassword perr: perr];
|
||||
}
|
||||
|
||||
if ((isOldPwdOk || passwordRecovery) && isPolicyOk)
|
||||
|
||||
Reference in New Issue
Block a user