use local password policy feature from ltb-common (#119)

.gitignore

@@ -5,3 +5,6 @@ docs/_build
 /htdocs/vendor/bootstrap/
 composer.lock
 tests/.phpunit.result.cache
+htdocs/js/ppolicy.js
+htdocs/css/ppolicy.css
+templates/policy.tpl

composer.json

@@ -32,7 +32,11 @@
             "rm -rf htdocs/vendor/font-awesome/*",
             "cp -R vendor/fortawesome/font-awesome/css htdocs/vendor/font-awesome",
             "cp -R vendor/fortawesome/font-awesome/webfonts htdocs/vendor/font-awesome",
-            "rm -rf vendor/fortawesome/font-awesome"
+            "rm -rf vendor/fortawesome/font-awesome",
+
+            "cp -f vendor/ltb-project/ltb-common/src/ppolicy/html/policy.tpl templates/policy.tpl",
+            "cp -f vendor/ltb-project/ltb-common/src/ppolicy/js/ppolicy.js htdocs/js/ppolicy.js",
+            "cp -f vendor/ltb-project/ltb-common/src/ppolicy/css/ppolicy.css htdocs/css/ppolicy.css"
         ]
     },
     "require-dev": {

conf/config.inc.php

@@ -118,6 +118,53 @@
 $use_searchidle = true;
 $idledays = 60;
 
+
+# Local password policy
+# This is applied before directory password policy
+# Minimal length
+$pwd_min_length = 0;
+# Maximal length
+$pwd_max_length = 0;
+# Minimal lower characters
+$pwd_min_lower = 0;
+# Minimal upper characters
+$pwd_min_upper = 0;
+# Minimal digit characters
+$pwd_min_digit = 0;
+# Minimal special characters
+$pwd_min_special = 0;
+# Definition of special characters
+$pwd_special_chars = "^a-zA-Z0-9";
+# Forbidden characters
+#$pwd_forbidden_chars = "@%";
+# Check that password is different than login
+$pwd_diff_login = true;
+# Forbidden words which must not appear in the password
+$pwd_forbidden_words = array();
+# Forbidden ldap fields
+# Respective values of the user's entry must not appear in the password
+# example: $pwd_forbidden_ldap_fields = array('cn', 'givenName', 'sn', 'mail');
+$pwd_forbidden_ldap_fields = array();
+# Complexity: number of different class of character required
+$pwd_complexity = 0;
+# use pwnedpasswords api v2 to securely check if the password has been on a leak
+$use_pwnedpasswords = false;
+# show password entropy bar (require php zxcvbn module)
+$pwd_display_entropy = false;
+# enforce password entropy check
+$pwd_check_entropy = false;
+# minimum entropy level required (when $pwd_check_entropy enabled)
+$pwd_min_entropy = 3;
+# Show policy constraints message:
+# always
+# never
+# onerror
+$pwd_show_policy = "never";
+# Position of password policy constraints message:
+# above - the form
+# below - the form
+$pwd_show_policy_pos = "above";
+
 ## Mail
 # LDAP mail attribute
 $mail_attributes = array( "mail", "gosaMailAlternateAddress", "proxyAddresses" );

docs/index.rst

@@ -19,6 +19,7 @@ LDAP Tool Box Service Desk documentation
    configuration-nginx.rst
    general-parameters.rst
    ldap-parameters.rst
+   ppolicy.rst
    attributes.rst
    search-parameters.rst
    display-parameters.rst

docs/ppolicy.rst

@@ -0,0 +1,139 @@
+Password policy
+===============
+
+Size
+----
+
+Set minimal and maximal length in ``$pwd_min_length`` and
+``$pwd_max_length``:
+
+.. code-block:: php
+
+   $pwd_min_length = 4;
+   $pwd_max_length = 8;
+
+.. tip:: Set ``0`` in ``$pwd_max_length`` to disable maximal length
+  checking.
+
+Characters
+----------
+
+You can set the minimal number of lower, upper, digit and special
+characters:
+
+.. code-block:: php
+
+   $pwd_min_lower = 3;
+   $pwd_min_upper = 1;
+   $pwd_min_digit = 1;
+   $pwd_min_special = 1;
+
+Special characters are defined with a regular expression, by default:
+
+.. code-block:: php
+
+   $pwd_special_chars = "^a-zA-Z0-9";
+
+This means special characters are all characters except alphabetical
+letters and digits.
+
+You can check that these special characters are not at beginning or end
+of the password:
+
+.. code-block:: php
+
+   $pwd_no_special_at_ends = true;
+
+You can also disallow characters from being in password, with
+``$pwd_forbidden_chars``:
+
+.. code-block:: php
+
+   $pwd_forbidden_chars = "@%";
+
+This means that ``@`` and ``%`` could not be present in a password.
+
+You can define how many different class of characters (lower, upper,
+digit, special) are needed in the password:
+
+.. code-block:: php
+
+   $pwd_complexity = 2;
+
+Pwned Passwords
+---------------
+
+Allows to check if the password was already compromised, using
+https://haveibeenpwned.com/ database:
+
+.. code-block:: php
+
+   $use_pwnedpasswords = true;
+
+Forbidden words
+---------------
+
+Give a list of forbidden words that the password should not contain:
+
+.. code-block:: php
+
+   $pwd_forbidden_words = array("azerty", "qwerty", "password");
+
+Forbidden LDAP fields
+---------------------
+
+Give a list of LDAP fields which values should not be present in the password:
+
+.. code-block:: php
+
+   $pwd_forbidden_ldap_fields = array('cn', 'givenName', 'sn', 'mail');
+
+Show policy
+-----------
+
+Password policy can be displayed to user by configuring
+``$pwd_show_policy``. Three values are accepted:
+
+-  ``always``: policy is always displayed
+-  ``never``: policy is never displayed
+-  ``onerror``: policy is only displayed if password is rejected because
+   of it, and the user provided his old password correctly.
+
+.. code-block:: php
+
+   $pwd_show_policy = "never";
+
+You can also configure if the policy will be displayed above or below
+the form:
+
+.. code-block:: php
+
+   $pwd_show_policy_pos = "above";
+
+Entropy
+-------
+
+When the user is typing his new password, you can enable an entropy bar,
+showing the strength of the password.
+
+.. code-block:: php
+
+    $pwd_display_entropy = true;
+
+You can also require the entropy bar to hit a minimum level for the
+password to be accepted:
+
+.. code-block:: php
+
+    # enforce password entropy check
+    $pwd_check_entropy = true;
+
+    # minimum entropy level required (when $pwd_check_entropy enabled)
+    $pwd_min_entropy = 3;
+
+``$pwd_min_entropy`` must be an integer between 0 (very risky) and 4 (very strong).
+
+.. tip:: The entropy check is computed by the
+         `zxcvbn library <https://github.com/dropbox/zxcvbn>`_
+
+

docs/upgrade.rst

@@ -29,6 +29,20 @@ Please take in consideration that ``config.inc.php`` is now replaced systematica
 
 Avoid as much as possible editing the ``/etc/service-desk/config.inc.php`` file. Prefer modifying the ``/etc/service-desk/config.inc.local.php``.
 
+password policy
+~~~~~~~~~~~~~~~
+
+When you change the password for a user, you can now configure a local password policy for ensuring the password strength is sufficient.
+
+Most of the criteria are checked dynamically, while the password is being typed, and they are also enforced at server side.
+
+You can give a look to the :doc:`password policy documentation <ppolicy>` for more information.
+
+.. tip::
+
+   The local password policy is now defined in a library: `ltb-common <https://github.com/ltb-project/ltb-common>`_.
+
+
 cache cleaning
 ~~~~~~~~~~~~~~
 
@@ -62,6 +76,28 @@ Bundled dependencies:
 * fontawesome-fonts has been updated from version 4.7.0 to version 6.5.2
 * php-ltb-project-ltb-common has been updated from version 0.1 to version 0.3.0
 * php-phpmailer has been updated from version 6.8.0 to version v6.9.1
+* php-bjeavons-zxcvbn-php version 1.3.1 has been added
+* php-guzzlehttp-guzzle version 7.8.1 has been added
+* php-guzzlehttp-promises version 2.0.2 has been added
+* php-guzzlehttp-psr7 version 2.6.2 has been added
+* php-mxrxdxn-pwned-passwords version 2.1.0 has been added
+* php-phpmailer version 6.9.1 has been added
+* php-psr-http-client version 1.0.3 has been added
+* php-psr-http-factory version 1.0.2 has been added
+* php-psr-http-message version 2.0 has been added
+* php-ralouphie-getallheaders version 3.0.3 has been added
+* php-symfony-deprecation-contracts version 2.5.1 has been added
+* php-symfony-finder version 7.0.0 has been added
+* php-symfony-polyfill version v1.31.0 has been added
+* php-symfony-deprecation-contracts version v2.5.3 has been added
+* php-symfony-var-exporter version v5.4.40 has been added
+* php-psr-container version 1.1.2 has been added
+* php-symfony-service-contracts version v2.5.3 has been added
+* php-psr-cache version 1.0.1 has been added
+* php-symfony-cache-contracts version v2.5.3 has been added
+* php-psr-log version 1.1.4 has been added
+* php-symfony-cache version v5.4.42 has been added
+* php-predis-predis version v2.2.2 has been added
 
 Removed bundled dependencies:
 

htdocs/checkentropy.php

@@ -0,0 +1,16 @@
+<?php
+
+require_once '../vendor/autoload.php';
+
+// new password sent in the url, base64 encoded
+$newpass = htmlspecialchars($_POST["password"]);
+$entropy_response = \Ltb\Ppolicy::checkEntropyJSON($newpass);
+if ($debug) {
+    error_log("checkEntropy: ".$entropy_response);
+}
+
+print $entropy_response;
+exit(0);
+
+?>
+

htdocs/display.php

@@ -126,9 +126,26 @@
             }
 
             # Lock
-            $pwdLockout = strtolower($ppolicy_entry[0]['pwdlockout'][0]) == "true" ? true : false;
-            $pwdLockoutDuration = $ppolicy_entry[0]['pwdlockoutduration'][0];
-            $pwdAccountLockedTime = $entry[0]['pwdaccountlockedtime'][0];
+            if(isset($ppolicy_entry[0]['pwdlockout'][0]))
+            {
+                $pwdLockout = strtolower($ppolicy_entry[0]['pwdlockout'][0]) == "true" ? true : false;
+            }
+            else
+            {
+                $pwdLockout = false;
+            }
+            if(isset($ppolicy_entry[0]['pwdlockoutduration'][0]))
+            {
+                $pwdLockoutDuration = $ppolicy_entry[0]['pwdlockoutduration'][0];
+            }
+            if(isset($entry[0]['pwdaccountlockedtime'][0]))
+            {
+                $pwdAccountLockedTime = $entry[0]['pwdaccountlockedtime'][0];
+            }
+            else
+            {
+                $pwdAccountLockedTime = null;
+            }
 
             if ( $pwdAccountLockedTime === "000001010000Z" ) {
                 $isLocked = true;
@@ -146,8 +163,14 @@
             }
 
             # Expiration
-            $pwdMaxAge = $ppolicy_entry[0]['pwdmaxage'][0];
-            $pwdChangedTime = $entry[0]['pwdchangedtime'][0];
+            if(isset($ppolicy_entry[0]['pwdmaxage'][0]))
+            {
+                $pwdMaxAge = $ppolicy_entry[0]['pwdmaxage'][0];
+            }
+            if(isset($entry[0]['pwdchangedtime'][0]))
+            {
+                $pwdChangedTime = $entry[0]['pwdchangedtime'][0];
+            }
 
             if (isset($pwdChangedTime) and isset($pwdMaxAge) and ($pwdMaxAge > 0)) {
                 $changedDate = ldapDate2phpDate($pwdChangedTime);
@@ -186,4 +209,12 @@
 $smarty->assign("prehookresult", $prehookresult);
 $smarty->assign("posthookresult", $posthookresult);
 if ($pwdLockout == false) $smarty->assign("use_lockaccount", $pwdLockout);
+if(isset($messages[$resetpasswordresult]))
+{
+    $smarty->assign('msg_resetpasswordresult',$messages[$resetpasswordresult]);
+}
+else
+{
+    $smarty->assign('msg_resetpasswordresult','');
+}
 ?>