Add LSformRule_zxcvbn

This commit is contained in:
Benjamin Renard 2021-12-16 18:58:29 +01:00
parent dfe3f7d27a
commit db287937b7
6 changed files with 175 additions and 12 deletions

2
debian/control vendored
View file

@ -7,7 +7,7 @@ Maintainer: Benjamin Renard <brenard@easter-eggs.com>
Package: ldapsaisie Package: ldapsaisie
Architecture: all Architecture: all
Depends: apache2 | httpd, php-ldap | php5-ldap, php-fpm | libapache2-mod-php5 | libapache2-mod-php | php5-cli | php-cli, smarty | smarty3, php-net-ldap2, php-net-ftp, php-mail, php-mail-mime, php-console-table Depends: apache2 | httpd, php-ldap | php5-ldap, php-fpm | libapache2-mod-php5 | libapache2-mod-php | php5-cli | php-cli, smarty | smarty3, php-net-ldap2, php-net-ftp, php-mail, php-mail-mime, php-console-table
Recommends: php-mbstring, php-phpseclib, php-unidecode Recommends: php-mbstring, php-phpseclib, php-unidecode, php-zxcvbn
Description: web based interface for managing LDAP servers content Description: web based interface for managing LDAP servers content
LdapSaisie is a Web application developed to manage LDAP directory. LdapSaisie is a Web application developed to manage LDAP directory.
It has been written in PHP / JavaScript and is published under the It has been written in PHP / JavaScript and is published under the

View file

@ -69,5 +69,6 @@ règles.</para>
&conf-LSattribute-check-data-required; &conf-LSattribute-check-data-required;
&conf-LSattribute-check-data-ssh_pub_key; &conf-LSattribute-check-data-ssh_pub_key;
&conf-LSattribute-check-data-telephonenumber; &conf-LSattribute-check-data-telephonenumber;
&conf-LSattribute-check-data-zxcvbn;
</sect3> </sect3>

View file

@ -24,3 +24,4 @@
<!ENTITY conf-LSattribute-check-data-required SYSTEM "required.docbook"> <!ENTITY conf-LSattribute-check-data-required SYSTEM "required.docbook">
<!ENTITY conf-LSattribute-check-data-ssh_pub_key SYSTEM "ssh_pub_key.docbook"> <!ENTITY conf-LSattribute-check-data-ssh_pub_key SYSTEM "ssh_pub_key.docbook">
<!ENTITY conf-LSattribute-check-data-telephonenumber SYSTEM "telephonenumber.docbook"> <!ENTITY conf-LSattribute-check-data-telephonenumber SYSTEM "telephonenumber.docbook">
<!ENTITY conf-LSattribute-check-data-zxcvbn SYSTEM "zxcvbn.docbook">

View file

@ -0,0 +1,67 @@
<sect4 id="config-LSattribute-check-data-zxcvbn">
<title>zxcvbn</title>
<para>Cette règle vérifie la sécurité d'un mot de passe en utilisant la librairie
<ulink url='https://github.com/bjeavons/zxcvbn-php'>ZxcvbnPhp</ulink>. Cette
librairie s'appuie sur un ensemble de vérifications permettant de déterminer à
quel point le mot de passe choisi est commun, prévisible et plus globalement,
estime en combien de temps il pourra être cassé par une personne malveillante. Sur
la base de l'analyse du mot de passe saisi, des conseils seront donnés à
l'utilisateur pour le guider dans le choix d'un mot de passe sûre.</para>
<variablelist>
<title>Paramètres de configuration</title>
<varlistentry>
<term>minScore</term>
<listitem>
<simpara>Le score minimal pour que le mot de passe soit accepté. Il doit s'agir d'un
entier cimpris entre 0 (le plus faible) et 4 (le plus sécurisé). Paramètre facultatif
valant 4 par défaut.</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term>userDataAttrs</term>
<listitem>
<simpara>Liste d'attributs de l'objet dont les valeurs seront passées à la librairie
<literal>Zxcvbn</literal> qui les considérera comme associés à l'utilisateur. Ainsi,
par exemple, si l'utilisateur utilise son nom de famille ou encore son prénom dans
son mot de passe, la librairie pourra lui indiqué que cela ne le protège que peut
des attaques ciblées. Paramètre facultatif, mais il est fortement conseillé de
renseigner un maximum d'attributs contenant des informations personnelles relatives
à l'utilisteur.</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term>showWarning</term>
<listitem>
<simpara>Booléen définissant si les messages d'alertes retournés par la librairie
<literal>Zxcvbn</literal> doivent être affichés à l'utilisateur. Paramètre facultatif
et vrai par défaut.</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term>showSuggestions</term>
<listitem>
<simpara>Booléen définissant si les messages de suggestions retournés par la librairie
<literal>Zxcvbn</literal> doivent être affichés à l'utilisateur. Paramètre facultatif
et vrai par défaut.</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term>zxcvbn_autoload_path</term>
<listitem>
<simpara>Le chemin vers le fichier de chargement automatique des classes de la
librairie <emphasis>ZxcvbnPhp</emphasis>. Ce paramètre est facultatif et vaut
par défaut <literal>Zxcvbn/autoload.php</literal>, ce qui est adapté si vous
utiliser le paquet Debian <literal>php-zxcvbn</literal> disponible sur le dépôt
Debian du projet LdapSaisie.</simpara>
</listitem>
</varlistentry>
</variablelist>
</sect4>

View file

@ -553,18 +553,10 @@ $GLOBALS['LSobjects']['LSpeople'] = array (
'confirmChangeQuestion' => "Do you confirm change of this user's password?", 'confirmChangeQuestion' => "Do you confirm change of this user's password?",
), ),
'check_data' => array( 'check_data' => array(
'password' => array( 'zxcvbn' => array(
'msg' => 'Your password must contain from 8 to 10 characters and contains at least one caracter that match with 3 of this types :<ul><li>Uppercase unaccent character</li><li>Lowercase unaccent character</li><li>Digit</li><li>Anything that is not a letter or a digit</li></ul>',
'params' => array( 'params' => array(
'minLength' => 8, 'minScore' => 4,
'maxLength' => 10, 'userDataAttrs' => array('sn', 'givenName', 'mail'),
'regex' => array (
'/[A-Z]/',
'/[a-z]/',
'/[0-9]/',
'/[^A-Za-z0-9]/',
),
'minValidRegex' => 3,
), ),
), ),
), ),

View file

@ -0,0 +1,102 @@
<?php
/*******************************************************************************
* Copyright (C) 2007 Easter-eggs
* https://ldapsaisie.org
*
* Author: See AUTHORS file in top-level directory.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
******************************************************************************/
use ZxcvbnPhp\Zxcvbn;
LSsession :: includeFile(
LSconfig :: get(
'params.zxcvbn_autoload_path', 'Zxcvbn/autoload.php',
'string', $options
), true
);
/**
* Rule to validate password using ZXCVBN-PHP lib
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*/
class LSformRule_zxcvbn extends LSformRule {
// CLI parameters autocompleters
protected static $cli_params_autocompleters = array(
'minScore' => array('LScli', 'autocomplete_int'),
'userDataAttrs' => null,
'showWarning' => array('LScli', 'autocomplete_bool'),
'showSuggestions' => array('LScli', 'autocomplete_bool'),
'zxcvbn_autoload_path' => null,
);
/**
* Validate form element values with specified rule
*
* @param mixed $rule_name The LSformRule name
* @param mixed $value The values to validate
* @param array $options Validation options
* @param object $formElement The attached LSformElement object
*
* @return boolean True if value is valid, False otherwise
*/
public static function validate($value, $options=array(), &$formElement) {
$zxcvbn = new Zxcvbn();
$userData = array();
$userDataAttrs = LSconfig :: get('params.userDataAttrs', array(), 'array', $options);
if ($userDataAttrs) {
foreach ($userDataAttrs as $attr) {
$attr_values = $formElement -> attr_html -> attribute -> ldapObject -> getValue($attr, false, array());
if (is_empty($attr_values)) continue;
foreach($attr_values as $attr_value)
if (!in_array($attr_value, $userData))
$userData[] = $attr_value;
}
}
self :: log_trace("User data: ".varDump($userData));
$result = $zxcvbn->passwordStrength($value, $userData);
self :: log_trace("Zxcvbn result: ".varDump($result));
self :: log_debug("Zxcvbn score: ".$result['score']);
$minScore = LSconfig :: get('params.minScore', 4, 'int', $options);
if($result['score'] >= $minScore) {
return True;
}
$errors = array();
if (
$result['feedback']['warning'] &&
LSconfig :: get('params.showWarning', true, 'bool', $options)
) {
$errors[] = $result['feedback']['warning'];
}
if (!$errors)
$errors[] = _('The security of this password is too weak.');
if (
is_array($result['feedback']['suggestions']) &&
LSconfig :: get('params.showSuggestions', true, 'bool', $options)
) {
foreach($result['feedback']['suggestions'] as $msg)
if ($msg)
$errors[] = $msg;
}
throw new LSformRuleException($errors);
}
}