n°524 - password policy

datamodels/2.x/authent-local/datamodel.authent-local.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<itop_design xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.7">
+
+    <module_parameters>
+        <parameters id="authent-local" _delta="define">
+            <password_validation.pattern>^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\da-zA-Z]).{8,15}$</password_validation.pattern>
+            <password_validation.classes></password_validation.classes>
+        </parameters>
+    </module_parameters>
+</itop_design>

datamodels/2.x/authent-local/en.dict.authent-local.php

@@ -40,4 +40,6 @@ Dict::Add('EN US', 'English', 'English', array(
 	'Class:UserLocal+' => 'User authentified by iTop',
 	'Class:UserLocal/Attribute:password' => 'Password',
 	'Class:UserLocal/Attribute:password+' => 'user authentication string',
+
+	'Error:UserLocalPasswordValidator:UserPasswordPolicyRegex/validation_failed' => 'The password does not respect the policy',
 ));

datamodels/2.x/authent-local/fr.dict.authent-local.php

@@ -24,4 +24,6 @@ Dict::Add('FR FR', 'French', 'Français', array(
 	'Class:UserLocal+' => 'Utilisateur authentifié par iTop',
 	'Class:UserLocal/Attribute:password' => 'Mot de passe',
 	'Class:UserLocal/Attribute:password+' => '',
+
+	'Error:UserLocalPasswordValidator:UserPasswordPolicyRegex/validation_failed' => 'Le mot de passe ne respecte pas la politique de mot de passe.',
 ));

datamodels/2.x/authent-local/model.authent-local.php

@@ -26,8 +26,48 @@
  */
 
 
+class UserLocalPasswordValidity
+{
+	/** @var bool */
+	protected $m_bPasswordValidity;
+	/** @var string|null */
+	protected $m_sPasswordValidityMessage;
+
+	/**
+	 * UserLocalPasswordValidity constructor.
+	 *
+	 * @param bool $m_bPasswordValidity
+	 * @param string $m_sPasswordValidityMessage
+	 */
+	public function __construct($m_bPasswordValidity, $m_sPasswordValidityMessage = null)
+	{
+		$this->m_bPasswordValidity = $m_bPasswordValidity;
+		$this->m_sPasswordValidityMessage = $m_sPasswordValidityMessage;
+	}
+
+	/**
+	 * @return bool
+	 */
+	public function isPasswordValid()
+	{
+		return $this->m_bPasswordValidity;
+	}
+
+
+	/**
+	 * @return string
+	 */
+	public function getPasswordValidityMessage()
+	{
+		return $this->m_sPasswordValidityMessage;
+	}
+}
+
 class UserLocal extends UserInternal
 {
+	/** @var UserLocalPasswordValidity|null */
+	protected $m_oPasswordValidity = null;
+
 	public static function Init()
 	{
 		$aParams = array
@@ -82,13 +122,14 @@ class UserLocal extends UserInternal
 
 	public function ChangePassword($sOldPassword, $sNewPassword)
 	{
-		$oPassword = $this->Get('password'); // ormPassword object
+		/** @var \ormPassword $oPassword */
+		$oPassword = $this->Get('password');
 		// Cannot compare directly the values since they are hashed, so
 		// Let's ask the password to compare the hashed values
 		if ($oPassword->CheckPassword($sOldPassword))
 		{
 			$this->SetPassword($sNewPassword);
-			return true;
+			return $this->IsPasswordValid();
 		}
 		return false;
 	}
@@ -102,6 +143,92 @@ class UserLocal extends UserInternal
 		$this->DBUpdate();
 	}
 
+	public function Set($sAttCode, $value)
+	{
+		$result = parent::Set($sAttCode, $value);
+
+		if ('password' == $sAttCode)
+		{
+			$this->ValidatePassword($value);
+		}
+
+		return $result;
+	}
+
+	public function IsPasswordValid()
+	{
+		return (isset($this->m_oPasswordValidity)) && ($this->m_oPasswordValidity->isPasswordValid());
+	}
+
+	/**
+	 * set the $m_oPasswordValidity
+	 *
+	 * @param string $proposedValue
+	 * @param \Config|null $config
+	 *
+	 * @return void
+	 */
+	public function ValidatePassword($proposedValue, $config = null)
+	{
+		if (null == $config)
+		{
+			$config =  MetaModel::GetConfig();
+		}
+
+		$aPasswordValidationClasses = $config->GetModuleSetting('authent-local', 'password_validation.classes');
+		if (empty($aPasswordValidationClasses))
+		{
+			$aPasswordValidationClasses = array();
+		}
+
+		$sUserPasswordPolicyRegexPattern = $config->GetModuleSetting('authent-local', 'password_validation.pattern');
+		if ($sUserPasswordPolicyRegexPattern)
+		{
+			if (array_key_exists('UserPasswordPolicyRegex', $aPasswordValidationClasses))
+			{
+				$this->m_oPasswordValidity = new UserLocalPasswordValidity(
+					false,
+					"Invalid configuration: 'UserPasswordPolicyRegex' was defined twice (once into UserLocal.password_validation_advanced, once into UserLocal.password_validation)."
+				);
+				return;
+			}
+
+			$aPasswordValidationClasses['UserPasswordPolicyRegex'] = array('pattern' => $sUserPasswordPolicyRegexPattern);
+		}
+
+		foreach ($aPasswordValidationClasses as $sClass => $aOptions)
+		{
+			if (!is_subclass_of($sClass, 'UserLocalPasswordValidator'))
+			{
+				$this->m_oPasswordValidity = new UserLocalPasswordValidity(
+					false,
+					"Invalid configuration: '{$sClass}' must implements ".UserLocalPasswordValidator::class
+				);
+				return;
+			}
+
+			/** @var \UserLocalPasswordValidator */
+			$oInstance = new $sClass();
+
+			$this->m_oPasswordValidity = $oInstance->ValidatePassword($proposedValue, $aOptions, $this);
+
+			if (!$this->m_oPasswordValidity->isPasswordValid())
+			{
+				return;
+			}
+		}
+	}
+
+	public function DoCheckToWrite()
+	{
+		if (! $this->IsPasswordValid())
+		{
+			$this->m_aCheckIssues[] = $this->m_oPasswordValidity->getPasswordValidityMessage();
+		}
+
+		parent::DoCheckToWrite();
+	}
+
 	/**
 	 * Returns the set of flags (OPT_ATT_HIDDEN, OPT_ATT_READONLY, OPT_ATT_MANDATORY...)
 	 * for the given attribute in the current state of the object
@@ -129,3 +256,72 @@ class UserLocal extends UserInternal
 	}
 }
 
+
+
+interface UserLocalPasswordValidator
+{
+	public function __construct();
+
+	/**
+	 * @param string $proposedValue
+	 * @param array $aOptions
+	 * @param UserLocal $oUserLocal
+	 *
+	 * @return UserLocalPasswordValidity
+	 */
+	public function ValidatePassword($proposedValue, $aOptions, UserLocal $oUserLocal);
+}
+
+class UserPasswordPolicyRegex implements UserLocalPasswordValidator
+{
+	public function __construct()
+	{
+	}
+
+	/**
+	 * @param string $proposedValue
+	 * @param array $aOptions
+	 * @param UserLocal $oUserLocal
+	 *
+	 * @return UserLocalPasswordValidity
+	 */
+	public function ValidatePassword($proposedValue, $aOptions, UserLocal $oUserLocal)
+	{
+
+		if (! array_key_exists('pattern', $aOptions) )
+		{
+			return new UserLocalPasswordValidity(
+				false,
+				"Invalid configuration: key 'pattern' is mandatory"
+			);
+		}
+
+		$sPattern = $aOptions['pattern'];
+		if ('' == $sPattern)
+		{
+			return new UserLocalPasswordValidity(true);
+		}
+
+		$isMatched = preg_match("/{$sPattern}/", $proposedValue);
+		if ($isMatched === false)
+		{
+			return new UserLocalPasswordValidity(
+				false,
+				'Unknown error : Failed to check the password, please verify the password\'s Data Model.'
+			);
+		}
+
+		if ($isMatched === 1)
+		{
+			return new UserLocalPasswordValidity(true);
+		}
+
+		$sMessage = Dict::S('Error:UserLocalPasswordValidator:UserPasswordPolicyRegex/validation_failed');
+
+		return new UserLocalPasswordValidity(
+			false,
+			$sMessage
+		);
+	}
+}
+

datamodels/2.x/authent-local/module.authent-local.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'authent-local/2.6.2',
+	'authent-local/2.7.0',
 	array(
 		// Identification
 		//
@@ -36,7 +36,9 @@ SetupWebPage::AddModule(
 
 		// Default settings
 		//
+
 		'settings' => array(
+			// see the './datamodel.authent-local.xml' for the default settings!
 		),
 	)
 );