Merge pull request #104 from YunoHost/enh-pwd-validate
[enh] Validate password strength
commit
99c108f362
3 changed files with 63 additions and 17 deletions
69
helpers.lua
69
helpers.lua
|
@ -597,6 +597,29 @@ function ensure_user_password_uses_strong_hash(ldap, user, password)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
-- Read result of a command after given it securely the password
|
||||||
|
function secure_cmd_password(cmd, password, start)
|
||||||
|
-- Check password validity
|
||||||
|
math.randomseed( os.time() )
|
||||||
|
local tmp_file = "/tmp/ssowat_"..math.random()
|
||||||
|
local w_pwd = io.popen("("..cmd..") | tee -a "..tmp_file, 'w')
|
||||||
|
w_pwd:write(password)
|
||||||
|
-- This second write is just to validate the password question
|
||||||
|
-- Do not remove
|
||||||
|
w_pwd:write("")
|
||||||
|
w_pwd:close()
|
||||||
|
local r_pwd = io.open(tmp_file, 'r')
|
||||||
|
text = r_pwd:read "*a"
|
||||||
|
|
||||||
|
-- Remove the extra end line
|
||||||
|
if text:sub(-1, -1) == "\n" then
|
||||||
|
text = text:sub(1, -2)
|
||||||
|
end
|
||||||
|
r_pwd:close()
|
||||||
|
os.remove(tmp_file)
|
||||||
|
return text
|
||||||
|
end
|
||||||
|
|
||||||
-- Compute the user modification POST request
|
-- Compute the user modification POST request
|
||||||
-- It has to update cached information and edit the LDAP user entry
|
-- It has to update cached information and edit the LDAP user entry
|
||||||
-- according to the changes detected.
|
-- according to the changes detected.
|
||||||
|
@ -626,22 +649,37 @@ function edit_user()
|
||||||
then
|
then
|
||||||
-- and the new password against the confirmation field's content
|
-- and the new password against the confirmation field's content
|
||||||
if args.newpassword == args.confirm then
|
if args.newpassword == args.confirm then
|
||||||
local dn = conf["ldap_identifier"].."="..user..","..conf["ldap_group"]
|
-- Check password validity
|
||||||
|
local result_msg = secure_cmd_password("python /usr/lib/moulinette/yunohost/utils/password.py", args.newpassword)
|
||||||
|
validation_error = true
|
||||||
|
if result_msg == nil or result_msg == "" then
|
||||||
|
validation_error = nil
|
||||||
|
end
|
||||||
|
if validation_error == nil then
|
||||||
|
|
||||||
-- Open the LDAP connection
|
local dn = conf["ldap_identifier"].."="..user..","..conf["ldap_group"]
|
||||||
local ldap = lualdap.open_simple(conf["ldap_host"], dn, args.currentpassword)
|
|
||||||
|
|
||||||
local password = hash_password(args.newpassword)
|
-- Open the LDAP connection
|
||||||
|
local ldap = lualdap.open_simple(conf["ldap_host"], dn, args.currentpassword)
|
||||||
|
|
||||||
|
local password = hash_password(args.newpassword)
|
||||||
|
|
||||||
-- Modify the LDAP information
|
-- Modify the LDAP information
|
||||||
if ldap:modify(dn, {'=', userPassword = password }) then
|
if ldap:modify(dn, {'=', userPassword = password }) then
|
||||||
flash("win", t("password_changed"))
|
if validation == nil then
|
||||||
|
flash("win", t("password_changed"))
|
||||||
|
else
|
||||||
|
flash("win", t(result_msg))
|
||||||
|
end
|
||||||
|
|
||||||
-- Reset the password cache
|
-- Reset the password cache
|
||||||
cache:set(user.."-password", args.newpassword, conf["session_timeout"])
|
cache:set(user.."-password", args.newpassword, conf["session_timeout"])
|
||||||
return redirect(conf.portal_url.."info.html")
|
return redirect(conf.portal_url.."info.html")
|
||||||
|
else
|
||||||
|
flash("fail", t("password_changed_error"))
|
||||||
|
end
|
||||||
else
|
else
|
||||||
flash("fail", t("password_changed_error"))
|
flash("fail", t(result_msg))
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
flash("fail", t("password_not_match"))
|
flash("fail", t("password_not_match"))
|
||||||
|
@ -835,11 +873,8 @@ end
|
||||||
-- hash the user password using sha-512 and using {CRYPT} to uses linux auth system
|
-- hash the user password using sha-512 and using {CRYPT} to uses linux auth system
|
||||||
-- because ldap doesn't support anything stronger than sha1
|
-- because ldap doesn't support anything stronger than sha1
|
||||||
function hash_password(password)
|
function hash_password(password)
|
||||||
-- TODO is the password checked by regex? we don't want to
|
local hashed_password = secure_cmd_password("mkpasswd --method=sha-512", password)
|
||||||
-- allow shell injection
|
hashed_password = "{CRYPT}"..hashed_password
|
||||||
local mkpasswd = io.popen("mkpasswd --method=sha-512 '" ..password:gsub("'", "'\\''").."'")
|
|
||||||
local hashed_password = "{CRYPT}"..mkpasswd:read()
|
|
||||||
mkpasswd:close()
|
|
||||||
return hashed_password
|
return hashed_password
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -853,7 +888,7 @@ function login()
|
||||||
local uri_args = ngx.req.get_uri_args()
|
local uri_args = ngx.req.get_uri_args()
|
||||||
|
|
||||||
args.user = string.lower(args.user)
|
args.user = string.lower(args.user)
|
||||||
|
|
||||||
local user = authenticate(args.user, args.password)
|
local user = authenticate(args.user, args.password)
|
||||||
if user then
|
if user then
|
||||||
ngx.status = ngx.HTTP_CREATED
|
ngx.status = ngx.HTTP_CREATED
|
||||||
|
|
|
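Review bot: The new secure_cmd_password drops the child's exit status (the result of `w_pwd:close()` is unused) and returns `""` when the command wrote nothing, and both callers in this section treat that as success: edit_user clears `validation_error` on an empty result, so a missing or crashing password.py accepts any password, and hash_password would store `"{CRYPT}"` with an empty hash. Returning the close status as a second value (`return text, ok`) keeps the interface compatible and lets edit_user require `ok` before clearing `validation_error` and hash_password raise instead of storing an empty hash (plain Lua 5.1 only reports a pclose failure there; LuaJIT and 5.2+ report the exit code). The temp file name is `math.random()` seeded with `os.time()`, the file is created by `tee -a` under the default umask in /tmp and reopened without checking `io.open`; because of `-a`, anything already present at that path is read back as the command's output, and for hash_password the file briefly holds the password hash, so `os.tmpname()` with plain `tee` and a nil check on `r_pwd` would be safer. Also `text` and `validation_error` are assigned without `local` and so become globals shared across requests, and `if validation == nil then` in edit_user tests a name that is never assigned, leaving the `flash("win", t(result_msg))` branch dead; edit_user's body starts before its hunk.
```lua
function secure_cmd_password(cmd, password, start)
    -- os.tmpname() creates the file itself on LuaJIT/POSIX builds (mkstemp, mode 0600):
    -- no predictable name and no window where another process can pre-create it
    local tmp_file = os.tmpname()
    -- plain tee: never append to (or read back) whatever is already at tmp_file
    local w_pwd = io.popen("("..cmd..") | tee "..tmp_file, 'w')
    w_pwd:write(password)
    -- This second write is just to validate the password question
    -- Do not remove
    w_pwd:write("")
    -- first return of close is falsy on a non-zero exit (LuaJIT / Lua 5.2+)
    local ok = w_pwd:close()
    local r_pwd = io.open(tmp_file, 'r')
    if not r_pwd then
        os.remove(tmp_file)
        return nil, ok
    end
    local text = r_pwd:read "*a"
    -- … unchanged: strip trailing newline, close r_pwd, remove tmp_file …
    return text, ok
end

-- in edit_user (function body starts before the hunk):
local result_msg, ok = secure_cmd_password("python /usr/lib/moulinette/yunohost/utils/password.py", args.newpassword)
local validation_error = true
-- fail closed: only an exit status of 0 with no message counts as "valid"
if ok and (result_msg == nil or result_msg == "") then
    validation_error = nil
end

-- in hash_password:
local hashed_password, ok = secure_cmd_password("mkpasswd --method=sha-512", password)
if not ok or hashed_password == nil or hashed_password == "" then
    error("mkpasswd failed, refusing to store an empty password hash")
end
hashed_password = "{CRYPT}"..hashed_password
```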
@ -22,6 +22,12 @@
|
||||||
"password_changed": "Password successfully changed",
|
"password_changed": "Password successfully changed",
|
||||||
"password_changed_error": "An error occurred on password changing",
|
"password_changed_error": "An error occurred on password changing",
|
||||||
"password_not_match": "New passwords don't match",
|
"password_not_match": "New passwords don't match",
|
||||||
|
"password_listed": "This password is among the most used password in the world. Please choose something a bit more unique.",
|
||||||
|
"password_too_simple_1": "Password needs to be at least 8 characters long",
|
||||||
|
"password_too_simple_2": "Password needs to be at least 8 characters long and contains digit, upper and lower characters",
|
||||||
|
"password_too_simple_3": "Password needs to be at least 8 characters long and contains digit, upper, lower and special characters",
|
||||||
|
"password_too_simple_4": "Password needs to be at least 12 characters long and contains digit, upper, lower and special characters",
|
||||||
|
"good_practices_about_user_password": "You are now about to define a new user password. The password should be at least 8 characters - though it is good practice to use longer password (i.e. a passphrase) and/or to use various kind of characters (uppercase, lowercase, digits and special characters).",
|
||||||
"wrong_current_password": "Current password is wrong",
|
"wrong_current_password": "Current password is wrong",
|
||||||
"invalid_mail": "Invalid mail address",
|
"invalid_mail": "Invalid mail address",
|
||||||
"invalid_domain": "Invalid domain in",
|
"invalid_domain": "Invalid domain in",
|
||||||
|
|
|
@ -10,6 +10,11 @@
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="ynh-wrapper password">
|
<div class="ynh-wrapper password">
|
||||||
|
|
||||||
|
<div class="messages warning">
|
||||||
|
{{t_good_practices_about_user_password}}
|
||||||
|
</div>
|
||||||
|
|
||||||
<form class="form-password" role="form" method="POST" action="password.html">
|
<form class="form-password" role="form" method="POST" action="password.html">
|
||||||
|
|
||||||
<div class="form-section">
|
<div class="form-section">
|
||||||
|
|