Add LSformRule_zxcvbn
This commit is contained in:
parent
dfe3f7d27a
commit
db287937b7
6 changed files with 175 additions and 12 deletions
2
debian/control
vendored
|
@ -7,7 +7,7 @@ Maintainer: Benjamin Renard <brenard@easter-eggs.com>
|
|||
Package: ldapsaisie
|
||||
Architecture: all
|
||||
Depends: apache2 | httpd, php-ldap | php5-ldap, php-fpm | libapache2-mod-php5 | libapache2-mod-php | php5-cli | php-cli, smarty | smarty3, php-net-ldap2, php-net-ftp, php-mail, php-mail-mime, php-console-table
|
||||
Recommends: php-mbstring, php-phpseclib, php-unidecode
|
||||
Recommends: php-mbstring, php-phpseclib, php-unidecode, php-zxcvbn
|
||||
Description: web based interface for managing LDAP servers content
|
||||
LdapSaisie is a Web application developed to manage LDAP directory.
|
||||
It has been written in PHP / JavaScript and is published under the
|
||||
|
|
|
@ -69,5 +69,6 @@ règles.</para>
|
|||
&conf-LSattribute-check-data-required;
|
||||
&conf-LSattribute-check-data-ssh_pub_key;
|
||||
&conf-LSattribute-check-data-telephonenumber;
|
||||
&conf-LSattribute-check-data-zxcvbn;
|
||||
|
||||
</sect3>
|
||||
|
|
|
@ -24,3 +24,4 @@
|
|||
<!ENTITY conf-LSattribute-check-data-required SYSTEM "required.docbook">
|
||||
<!ENTITY conf-LSattribute-check-data-ssh_pub_key SYSTEM "ssh_pub_key.docbook">
|
||||
<!ENTITY conf-LSattribute-check-data-telephonenumber SYSTEM "telephonenumber.docbook">
|
||||
<!ENTITY conf-LSattribute-check-data-zxcvbn SYSTEM "zxcvbn.docbook">
|
||||
|
|
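--- a/doc/conf/LSattribute/check_data/zxcvbn.docbook
+++ b/doc/conf/LSattribute/check_data/zxcvbn.docbook
@@ -0,0 +1,67 @@
+<sect4 id="config-LSattribute-check-data-zxcvbn">
+<title>zxcvbn</title>
+<para>Cette règle vérifie la sécurité d'un mot de passe en utilisant la librairie
+<ulink url='https://github.com/bjeavons/zxcvbn-php'>ZxcvbnPhp</ulink>. Cette
+librairie s'appuie sur un ensemble de vérifications permettant de déterminer à
+quel point le mot de passe choisi est commun, prévisible et plus globalement,
+estime en combien de temps il pourra être cassé par une personne malveillante. Sur
+la base de l'analyse du mot de passe saisi, des conseils seront donnés à
+l'utilisateur pour le guider dans le choix d'un mot de passe sûre.</para>
+
+<variablelist>
+<title>Paramètres de configuration</title>
+
+<varlistentry>
+<term>minScore</term>
+<listitem>
+<simpara>Le score minimal pour que le mot de passe soit accepté. Il doit s'agir d'un
+entier cimpris entre 0 (le plus faible) et 4 (le plus sécurisé). Paramètre facultatif
+valant 4 par défaut.</simpara>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term>userDataAttrs</term>
+<listitem>
+<simpara>Liste d'attributs de l'objet dont les valeurs seront passées à la librairie
+<literal>Zxcvbn</literal> qui les considérera comme associés à l'utilisateur. Ainsi,
+par exemple, si l'utilisateur utilise son nom de famille ou encore son prénom dans
+son mot de passe, la librairie pourra lui indiqué que cela ne le protège que peut
+des attaques ciblées. Paramètre facultatif, mais il est fortement conseillé de
+renseigner un maximum d'attributs contenant des informations personnelles relatives
+à l'utilisteur.</simpara>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term>showWarning</term>
+<listitem>
+<simpara>Booléen définissant si les messages d'alertes retournés par la librairie
+<literal>Zxcvbn</literal> doivent être affichés à l'utilisateur. Paramètre facultatif
+et vrai par défaut.</simpara>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term>showSuggestions</term>
+<listitem>
+<simpara>Booléen définissant si les messages de suggestions retournés par la librairie
+<literal>Zxcvbn</literal> doivent être affichés à l'utilisateur. Paramètre facultatif
+et vrai par défaut.</simpara>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term>zxcvbn_autoload_path</term>
+<listitem>
+<simpara>Le chemin vers le fichier de chargement automatique des classes de la
+librairie <emphasis>ZxcvbnPhp</emphasis>. Ce paramètre est facultatif et vaut
+par défaut <literal>Zxcvbn/autoload.php</literal>, ce qui est adapté si vous
+utiliser le paquet Debian <literal>php-zxcvbn</literal> disponible sur le dépôt
+Debian du projet LdapSaisie.</simpara>
+</listitem>
+</varlistentry>
+
+</variablelist>
+
+</sect4>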
|
@ -553,18 +553,10 @@ $GLOBALS['LSobjects']['LSpeople'] = array (
|
|||
'confirmChangeQuestion' => "Do you confirm change of this user's password?",
|
||||
),
|
||||
'check_data' => array(
|
||||
'password' => array(
|
||||
'msg' => 'Your password must contain from 8 to 10 characters and contains at least one caracter that match with 3 of this types :<ul><li>Uppercase unaccent character</li><li>Lowercase unaccent character</li><li>Digit</li><li>Anything that is not a letter or a digit</li></ul>',
|
||||
'zxcvbn' => array(
|
||||
'params' => array(
|
||||
'minLength' => 8,
|
||||
'maxLength' => 10,
|
||||
'regex' => array (
|
||||
'/[A-Z]/',
|
||||
'/[a-z]/',
|
||||
'/[0-9]/',
|
||||
'/[^A-Za-z0-9]/',
|
||||
),
|
||||
'minValidRegex' => 3,
|
||||
'minScore' => 4,
|
||||
'userDataAttrs' => array('sn', 'givenName', 'mail'),
|
||||
),
|
||||
),
|
||||
),
|
||||
|
|
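--- a/src/includes/class/class.LSformRule_zxcvbn.php
+++ b/src/includes/class/class.LSformRule_zxcvbn.php
@@ -0,0 +1,102 @@
+<?php
+/*******************************************************************************
+* Copyright (C) 2007 Easter-eggs
+* https://ldapsaisie.org
+*
+* Author: See AUTHORS file in top-level directory.
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU General Public License version 2
+* as published by the Free Software Foundation.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+******************************************************************************/
+
+use ZxcvbnPhp\Zxcvbn;
+LSsession :: includeFile(
+LSconfig :: get(
+'params.zxcvbn_autoload_path', 'Zxcvbn/autoload.php',
+'string', $options
+), true
+);
+
+/**
+* Rule to validate password using ZXCVBN-PHP lib
+*
+* @author Benjamin Renard <brenard@easter-eggs.com>
+*/
+class LSformRule_zxcvbn extends LSformRule {
+
+// CLI parameters autocompleters
+protected static $cli_params_autocompleters = array(
+'minScore' => array('LScli', 'autocomplete_int'),
+'userDataAttrs' => null,
+'showWarning' => array('LScli', 'autocomplete_bool'),
+'showSuggestions' => array('LScli', 'autocomplete_bool'),
+'zxcvbn_autoload_path' => null,
+);
+
+/**
+* Validate form element values with specified rule
+*
+* @param mixed $rule_name The LSformRule name
+* @param mixed $value The values to validate
+* @param array $options Validation options
+* @param object $formElement The attached LSformElement object
+*
+* @return boolean True if value is valid, False otherwise
+*/
+public static function validate($value, $options=array(), &$formElement) {
+$zxcvbn = new Zxcvbn();
+$userData = array();
+$userDataAttrs = LSconfig :: get('params.userDataAttrs', array(), 'array', $options);
+if ($userDataAttrs) {
+foreach ($userDataAttrs as $attr) {
+$attr_values = $formElement -> attr_html -> attribute -> ldapObject -> getValue($attr, false, array());
+if (is_empty($attr_values)) continue;
+foreach($attr_values as $attr_value)
+if (!in_array($attr_value, $userData))
+$userData[] = $attr_value;
+}
+}
+self :: log_trace("User data: ".varDump($userData));
+$result = $zxcvbn->passwordStrength($value, $userData);
+self :: log_trace("Zxcvbn result: ".varDump($result));
+self :: log_debug("Zxcvbn score: ".$result['score']);
+
+$minScore = LSconfig :: get('params.minScore', 4, 'int', $options);
+if($result['score'] >= $minScore) {
+return True;
+}
+
+$errors = array();
+if (
+$result['feedback']['warning'] &&
+LSconfig :: get('params.showWarning', true, 'bool', $options)
+) {
+$errors[] = $result['feedback']['warning'];
+}
+if (!$errors)
+$errors[] = _('The security of this password is too weak.');
+
+if (
+is_array($result['feedback']['suggestions']) &&
+LSconfig :: get('params.showSuggestions', true, 'bool', $options)
+) {
+foreach($result['feedback']['suggestions'] as $msg)
+if ($msg)
+$errors[] = $msg;
+}
+
+throw new LSformRuleException($errors);
+}
+
+}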
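Review bot: The trace logging inside validate() writes the candidate password to the log: `self :: log_trace("Zxcvbn result: ".varDump($result));` dumps the whole array returned by passwordStrength(), which, if I read the upstream ZxcvbnPhp result structure right, carries the analysed password itself under `password` and the matched substrings under `sequence`, and the preceding `self :: log_trace("User data: ".varDump($userData));` records the personal attribute values listed in userDataAttrs. Even at trace level that lands in files which are rarely protected like credentials, so I would log only what is needed for debugging, e.g. `self :: log_trace("Zxcvbn feedback: ".varDump($result['feedback']));`, and drop the user-data dump or reduce it to `count($userData)`. Two smaller points: the top-level `LSsession :: includeFile(LSconfig :: get('params.zxcvbn_autoload_path', 'Zxcvbn/autoload.php', 'string', $options), true);` reads `$options` at file-inclusion time, where it is presumably not the per-rule options array that validate() receives, so the configured path may be ignored once the class file has been loaded and the default used instead; and `in_array($attr_value, $userData)` should pass `true` as third argument so LDAP values are compared strictly rather than loosely.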