Allowed all special chars and rule to disable local password policy (#2266)
parent
39ba25f91d
commit
0a4812203c
|
@ -224,14 +224,14 @@ sub defaultValues {
|
||||||
'pamAuthnLevel' => 2,
|
'pamAuthnLevel' => 2,
|
||||||
'pamService' => 'login',
|
'pamService' => 'login',
|
||||||
'passwordDB' => 'Demo',
|
'passwordDB' => 'Demo',
|
||||||
|
'passwordPolicy' => 1,
|
||||||
'passwordPolicyMinDigit' => 0,
|
'passwordPolicyMinDigit' => 0,
|
||||||
'passwordPolicyMinLower' => 0,
|
'passwordPolicyMinLower' => 0,
|
||||||
'passwordPolicyMinSize' => 0,
|
'passwordPolicyMinSize' => 0,
|
||||||
'passwordPolicyMinSpeChar' => 0,
|
'passwordPolicyMinSpeChar' => 0,
|
||||||
'passwordPolicyMinUpper' => 0,
|
'passwordPolicyMinUpper' => 0,
|
||||||
'passwordPolicySpecialChar' =>
|
'passwordPolicySpecialChar' => '__ALL__',
|
||||||
'! @ # $ % & * ( ) - = + [ ] { } ; : , . / ?',
|
'passwordResetAllowedRetries' => 3,
|
||||||
'passwordResetAllowedRetries' => 3,
|
|
||||||
'persistentSessionAttributes' =>
|
'persistentSessionAttributes' =>
|
||||||
'_loginHistory _2fDevices notification_',
|
'_loginHistory _2fDevices notification_',
|
||||||
'port' => -1,
|
'port' => -1,
|
||||||
|
|
|
@ -2483,6 +2483,13 @@ m[^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
||||||
],
|
],
|
||||||
'type' => 'select'
|
'type' => 'select'
|
||||||
},
|
},
|
||||||
|
'passwordPolicy' => {
|
||||||
|
'default' => 1,
|
||||||
|
'test' => sub {
|
||||||
|
return perlExpr(@_);
|
||||||
|
},
|
||||||
|
'type' => 'text'
|
||||||
|
},
|
||||||
'passwordPolicyMinDigit' => {
|
'passwordPolicyMinDigit' => {
|
||||||
'default' => 0,
|
'default' => 0,
|
||||||
'type' => 'int'
|
'type' => 'int'
|
||||||
|
@ -2504,8 +2511,8 @@ m[^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
||||||
'type' => 'int'
|
'type' => 'int'
|
||||||
},
|
},
|
||||||
'passwordPolicySpecialChar' => {
|
'passwordPolicySpecialChar' => {
|
||||||
'default' => '! @ # $ % & * ( ) - = + [ ] { } ; : , . / ?',
|
'default' => '__ALL__',
|
||||||
'test' => qr/^[\s\W_]*$/,
|
'test' => qr/^(?:__ALL__|[\S\W]*)$/,
|
||||||
'type' => 'text'
|
'type' => 'text'
|
||||||
},
|
},
|
||||||
'passwordResetAllowedRetries' => {
|
'passwordResetAllowedRetries' => {
|
||||||
|
|
|
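Review bot: The new validation pattern `qr/^(?:__ALL__|[\S\W]*)$/` accepts any string, because `[\S\W]` is the union of non-space and non-word characters and therefore matches every character, letters and digits included. An administrator can then list ordinary characters as "special", and the `s/[\Q$speChars\E]//g` count in checkPasswordQuality would let them satisfy `passwordPolicyMinSpeChar`. Keeping the previous class next to the sentinel, `'test' => qr/^(?:__ALL__|[\s\W_]*)$/,`, restores the restriction. The same pattern is added in the `sub attributes` hunk (`test => qr/^(?:__ALL__|[\S\W]*)$/,`); if this table is generated from that one, the fix belongs there.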
@ -1454,6 +1454,12 @@ sub attributes {
|
||||||
type => 'bool',
|
type => 'bool',
|
||||||
documentation => 'Hide old password in portal',
|
documentation => 'Hide old password in portal',
|
||||||
},
|
},
|
||||||
|
passwordPolicy => {
|
||||||
|
type => 'text',
|
||||||
|
test => sub { return perlExpr(@_) },
|
||||||
|
default => 1,
|
||||||
|
documentation => 'Enable password policy',
|
||||||
|
},
|
||||||
passwordPolicyMinSize => {
|
passwordPolicyMinSize => {
|
||||||
default => 0,
|
default => 0,
|
||||||
type => 'int',
|
type => 'int',
|
||||||
|
@ -1480,9 +1486,9 @@ sub attributes {
|
||||||
documentation => 'Password policy: minimal special characters',
|
documentation => 'Password policy: minimal special characters',
|
||||||
},
|
},
|
||||||
passwordPolicySpecialChar => {
|
passwordPolicySpecialChar => {
|
||||||
default => '! @ # $ % & * ( ) - = + [ ] { } ; : , . / ?',
|
default => '__ALL__',
|
||||||
type => 'text',
|
type => 'text',
|
||||||
test => qr/^[\s\W_]*$/,
|
test => qr/^(?:__ALL__|[\S\W]*)$/,
|
||||||
documentation => 'Password policy: allowed special characters',
|
documentation => 'Password policy: allowed special characters',
|
||||||
},
|
},
|
||||||
portalDisplayPasswordPolicy => {
|
portalDisplayPasswordPolicy => {
|
||||||
|
|
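Review bot: The new `passwordPolicy` entry is declared `type => 'text'` with `test => sub { return perlExpr(@_) }`, but its `documentation => 'Enable password policy'` reads like a boolean switch and does not say that a Perl expression is accepted. In the _modifyPassword hunk of this commit the value is only tested for truth (`$self->conf->{passwordPolicy} ? ... : PE_OK`), so unless the expression is compiled somewhere outside the visible lines, any non-empty string other than `0` keeps the policy enabled whatever the rule says. I would reword it to `documentation => 'Rule to enable the local password policy',` and add a comment stating which values disable the check. The enclosing `sub attributes` starts and ends outside the hunk.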
File diff suppressed because one or more lines are too long
|
@ -17,7 +17,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
||||||
|
|
||||||
extends 'Lemonldap::NG::Portal::Main::Plugin';
|
extends 'Lemonldap::NG::Portal::Main::Plugin';
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.10';
|
||||||
|
|
||||||
# INITIALIZATION
|
# INITIALIZATION
|
||||||
|
|
||||||
|
@ -65,7 +65,10 @@ sub _modifyPassword {
|
||||||
unless ( $self->confirm( $req, $req->data->{oldpassword} ) );
|
unless ( $self->confirm( $req, $req->data->{oldpassword} ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
my $cpq = $self->checkPasswordQuality( $req->data->{newpassword} );
|
my $cpq =
|
||||||
|
$self->conf->{passwordPolicy}
|
||||||
|
? $self->checkPasswordQuality( $req->data->{newpassword} )
|
||||||
|
: PE_OK;
|
||||||
return $cpq unless ( $cpq == PE_OK );
|
return $cpq unless ( $cpq == PE_OK );
|
||||||
|
|
||||||
# Call password package
|
# Call password package
|
||||||
|
@ -142,29 +145,38 @@ sub checkPasswordQuality {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
## Special characters policy
|
### Special characters policy
|
||||||
my $speChars = $self->conf->{passwordPolicySpecialChar};
|
my $speChars = $self->conf->{passwordPolicySpecialChar};
|
||||||
$speChars =~ s/\s+//g;
|
$speChars =~ s/\s+//g;
|
||||||
|
|
||||||
# Min special characters
|
## Min special characters
|
||||||
|
# Just number of special characters must be checked
|
||||||
|
if ( $self->conf->{passwordPolicyMinSpeChar} && $speChars eq '__ALL__' ) {
|
||||||
|
my $spe = $password =~ s/\w//g;
|
||||||
|
if ( $spe < $self->conf->{passwordPolicyMinSpeChar} ) {
|
||||||
|
$self->logger->error("Password has not enough special characters");
|
||||||
|
return PE_PP_INSUFFICIENT_PASSWORD_QUALITY;
|
||||||
|
}
|
||||||
|
return PE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Number of special characters must be checked
|
||||||
if ( $self->conf->{passwordPolicyMinSpeChar} && $speChars ) {
|
if ( $self->conf->{passwordPolicyMinSpeChar} && $speChars ) {
|
||||||
my $spe = 0;
|
|
||||||
my $test = $password;
|
my $test = $password;
|
||||||
$spe = $test =~ s/[\Q$speChars\E]//g;
|
my $spe = $test =~ s/[\Q$speChars\E]//g;
|
||||||
if ( $spe < $self->conf->{passwordPolicyMinSpeChar} ) {
|
if ( $spe < $self->conf->{passwordPolicyMinSpeChar} ) {
|
||||||
$self->logger->error("Password has not enough special characters");
|
$self->logger->error("Password has not enough special characters");
|
||||||
return PE_PP_INSUFFICIENT_PASSWORD_QUALITY;
|
return PE_PP_INSUFFICIENT_PASSWORD_QUALITY;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Fobidden special characters
|
## Fobidden special characters
|
||||||
$password =~ s/[\Q$speChars\E\w]//g;
|
$password =~ s/[\Q$speChars\E\w]//g;
|
||||||
if ($password) {
|
if ($password) {
|
||||||
$self->logger->error( 'Password contains '
|
$self->logger->error( 'Password contains '
|
||||||
. length($password)
|
. length($password)
|
||||||
. " forbidden character(s): $password" );
|
. " forbidden character(s): $password" );
|
||||||
return
|
return length($password) > 1
|
||||||
length($password) > 1
|
|
||||||
? PE_PP_NOT_ALLOWED_CHARACTERS
|
? PE_PP_NOT_ALLOWED_CHARACTERS
|
||||||
: PE_PP_NOT_ALLOWED_CHARACTER;
|
: PE_PP_NOT_ALLOWED_CHARACTER;
|
||||||
}
|
}
|
||||||
|
|
|
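Review bot: In the new `__ALL__` branch of checkPasswordQuality, `my $spe = $password =~ s/\w//g;` returns the number of word characters it removed, so `$spe` counts letters, digits and underscores rather than special characters: a password with no special character passes `passwordPolicyMinSpeChar` and one made only of special characters fails it. Counting without modifying the password, e.g. `my $spe = () = $password =~ /\W/g;`, matches the stated intent. The early `return PE_OK;` is reached only when `passwordPolicyMinSpeChar` is non-zero; with the new defaults (`__ALL__` and a minimum of 0) the code appears to fall through to the forbidden-characters check, where `[\Q$speChars\E\w]` reduces to `\w` and every special character is reported as forbidden, so that check needs a guard such as `unless ( $speChars eq '__ALL__' )`. checkPasswordQuality begins above this hunk and continues below it, so any later checks that the early return skips are not visible here.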
@ -13,14 +13,15 @@ my $res;
|
||||||
|
|
||||||
my $client = LLNG::Manager::Test->new( {
|
my $client = LLNG::Manager::Test->new( {
|
||||||
ini => {
|
ini => {
|
||||||
logLevel => 'error',
|
logLevel => 'error',
|
||||||
passwordDB => 'Demo',
|
passwordDB => 'Demo',
|
||||||
portalRequireOldPassword => 1,
|
passwordPolicy => 1,
|
||||||
passwordPolicyMinSize => 6,
|
portalRequireOldPassword => 1,
|
||||||
passwordPolicyMinLower => 3,
|
passwordPolicyMinSize => 6,
|
||||||
passwordPolicyMinUpper => 3,
|
passwordPolicyMinLower => 3,
|
||||||
passwordPolicyMinDigit => 1,
|
passwordPolicyMinUpper => 3,
|
||||||
passwordPolicyMinSpeChar => 2,
|
passwordPolicyMinDigit => 1,
|
||||||
|
passwordPolicyMinSpeChar => 2,
|
||||||
passwordPolicySpecialChar => ' [ } \ ',
|
passwordPolicySpecialChar => ' [ } \ ',
|
||||||
portalDisplayPasswordPolicy => 1
|
portalDisplayPasswordPolicy => 1
|
||||||
}
|
}
|
||||||
|
|
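Review bot: No test in this hunk reaches the code paths the commit adds: the configuration keeps `passwordPolicySpecialChar => ' [ } \ '` and sets `passwordPolicy => 1`, so the `__ALL__` branch of checkPasswordQuality and the `passwordPolicy => 0` bypass in _modifyPassword are not exercised here. A second client with `passwordPolicySpecialChar => '__ALL__',` and `passwordPolicyMinSpeChar => 2,`, asserting that a password without special characters is rejected, would pin the intended behaviour, as would a case with `passwordPolicy => 0,`. The test file continues outside the hunk, so such cases may exist in lines not shown.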