Merge pull request #104 from YunoHost/enh-pwd-validate

[enh] Validate password strength
This commit is contained in:
Alexandre Aubin 2018-11-04 15:59:39 +01:00 committed by GitHub
commit 99c108f362
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 63 additions and 17 deletions

View file

@ -597,6 +597,29 @@ function ensure_user_password_uses_strong_hash(ldap, user, password)
end end
end end
-- Read result of a command after given it securely the password
function secure_cmd_password(cmd, password, start)
-- Check password validity
math.randomseed( os.time() )
local tmp_file = "/tmp/ssowat_"..math.random()
local w_pwd = io.popen("("..cmd..") | tee -a "..tmp_file, 'w')
w_pwd:write(password)
-- This second write is just to validate the password question
-- Do not remove
w_pwd:write("")
w_pwd:close()
local r_pwd = io.open(tmp_file, 'r')
text = r_pwd:read "*a"
-- Remove the extra end line
if text:sub(-1, -1) == "\n" then
text = text:sub(1, -2)
end
r_pwd:close()
os.remove(tmp_file)
return text
end
-- Compute the user modification POST request -- Compute the user modification POST request
-- It has to update cached information and edit the LDAP user entry -- It has to update cached information and edit the LDAP user entry
-- according to the changes detected. -- according to the changes detected.
@ -626,6 +649,14 @@ function edit_user()
then then
-- and the new password against the confirmation field's content -- and the new password against the confirmation field's content
if args.newpassword == args.confirm then if args.newpassword == args.confirm then
-- Check password validity
local result_msg = secure_cmd_password("python /usr/lib/moulinette/yunohost/utils/password.py", args.newpassword)
validation_error = true
if result_msg == nil or result_msg == "" then
validation_error = nil
end
if validation_error == nil then
local dn = conf["ldap_identifier"].."="..user..","..conf["ldap_group"] local dn = conf["ldap_identifier"].."="..user..","..conf["ldap_group"]
-- Open the LDAP connection -- Open the LDAP connection
@ -635,7 +666,11 @@ function edit_user()
-- Modify the LDAP information -- Modify the LDAP information
if ldap:modify(dn, {'=', userPassword = password }) then if ldap:modify(dn, {'=', userPassword = password }) then
if validation == nil then
flash("win", t("password_changed")) flash("win", t("password_changed"))
else
flash("win", t(result_msg))
end
-- Reset the password cache -- Reset the password cache
cache:set(user.."-password", args.newpassword, conf["session_timeout"]) cache:set(user.."-password", args.newpassword, conf["session_timeout"])
@ -643,6 +678,9 @@ function edit_user()
else else
flash("fail", t("password_changed_error")) flash("fail", t("password_changed_error"))
end end
else
flash("fail", t(result_msg))
end
else else
flash("fail", t("password_not_match")) flash("fail", t("password_not_match"))
end end
@ -835,11 +873,8 @@ end
-- hash the user password using sha-512 and using {CRYPT} to uses linux auth system -- hash the user password using sha-512 and using {CRYPT} to uses linux auth system
-- because ldap doesn't support anything stronger than sha1 -- because ldap doesn't support anything stronger than sha1
function hash_password(password) function hash_password(password)
-- TODO is the password checked by regex? we don't want to local hashed_password = secure_cmd_password("mkpasswd --method=sha-512", password)
-- allow shell injection hashed_password = "{CRYPT}"..hashed_password
local mkpasswd = io.popen("mkpasswd --method=sha-512 '" ..password:gsub("'", "'\\''").."'")
local hashed_password = "{CRYPT}"..mkpasswd:read()
mkpasswd:close()
return hashed_password return hashed_password
end end

View file

@ -22,6 +22,12 @@
"password_changed": "Password successfully changed", "password_changed": "Password successfully changed",
"password_changed_error": "An error occurred on password changing", "password_changed_error": "An error occurred on password changing",
"password_not_match": "New passwords don't match", "password_not_match": "New passwords don't match",
"password_listed": "This password is among the most used password in the world. Please choose something a bit more unique.",
"password_too_simple_1": "Password needs to be at least 8 characters long",
"password_too_simple_2": "Password needs to be at least 8 characters long and contains digit, upper and lower characters",
"password_too_simple_3": "Password needs to be at least 8 characters long and contains digit, upper, lower and special characters",
"password_too_simple_4": "Password needs to be at least 12 characters long and contains digit, upper, lower and special characters",
"good_practices_about_user_password": "You are now about to define a new user password. The password should be at least 8 characters - though it is good practice to use longer password (i.e. a passphrase) and/or to use various kind of characters (uppercase, lowercase, digits and special characters).",
"wrong_current_password": "Current password is wrong", "wrong_current_password": "Current password is wrong",
"invalid_mail": "Invalid mail address", "invalid_mail": "Invalid mail address",
"invalid_domain": "Invalid domain in", "invalid_domain": "Invalid domain in",

View file

@ -10,6 +10,11 @@
</div> </div>
<div class="ynh-wrapper password"> <div class="ynh-wrapper password">
<div class="messages warning">
{{t_good_practices_about_user_password}}
</div>
<form class="form-password" role="form" method="POST" action="password.html"> <form class="form-password" role="form" method="POST" action="password.html">
<div class="form-section"> <div class="form-section">