start integration of local ppolicy in sd (#119)

ltb-project · Sep 9, 2024 · 92798ed · 92798ed
1 parent 3ee36eb
commit 92798ed
Show file tree

Hide file tree

Showing 8 changed files with 146 additions and 8 deletions.
diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,5 @@ docs/_build
 /htdocs/vendor/bootstrap/
 composer.lock
 tests/.phpunit.result.cache
+htdocs/js/ppolicy.js
+templates/policy.tpl
diff --git a/composer.json b/composer.json
@@ -4,7 +4,7 @@
         "datatables.net/datatables.net-bs5": "2.0.8",
         "datatables.net/datatables.net-buttons-bs5": "3.0.2",
         "fortawesome/font-awesome": "v6.5.2",
-        "ltb-project/ltb-common": "dev-main",
+        "ltb-project/ltb-common": "dev-36-add-password-policy",
         "twbs/bootstrap": "v5.3.2"
     },
     "scripts": {
@@ -32,7 +32,10 @@
             "rm -rf htdocs/vendor/font-awesome/*",
             "cp -R vendor/fortawesome/font-awesome/css htdocs/vendor/font-awesome",
             "cp -R vendor/fortawesome/font-awesome/webfonts htdocs/vendor/font-awesome",
-            "rm -rf vendor/fortawesome/font-awesome"
+            "rm -rf vendor/fortawesome/font-awesome",
+
+            "cp -f vendor/ltb-project/ltb-common/src/ppolicy/html/policy.tpl templates/policy.tpl",
+            "cp -f vendor/ltb-project/ltb-common/src/ppolicy/js/ppolicy.js htdocs/js/ppolicy.js"
         ]
     },
     "require-dev": {

diff --git a/conf/config.inc.php b/conf/config.inc.php
@@ -118,6 +118,57 @@
 $use_searchidle = true;
 $idledays = 60;
 
+
+# Local password policy
+# This is applied before directory password policy
+# Minimal length
+$pwd_min_length = 0;
+# Maximal length
+$pwd_max_length = 0;
+# Minimal lower characters
+$pwd_min_lower = 0;
+# Minimal upper characters
+$pwd_min_upper = 0;
+# Minimal digit characters
+$pwd_min_digit = 0;
+# Minimal special characters
+$pwd_min_special = 0;
+# Definition of special characters
+$pwd_special_chars = "^a-zA-Z0-9";
+# Forbidden characters
+#$pwd_forbidden_chars = "@%";
+# Don't reuse the same password as currently
+$pwd_no_reuse = true;
+# Check that password is different than login
+$pwd_diff_login = true;
+# Check new passwords differs from old one - minimum characters count
+$pwd_diff_last_min_chars = 0;
+# Forbidden words which must not appear in the password
+$pwd_forbidden_words = array();
+# Forbidden ldap fields
+# Respective values of the user's entry must not appear in the password
+# example: $pwd_forbidden_ldap_fields = array('cn', 'givenName', 'sn', 'mail');
+$pwd_forbidden_ldap_fields = array();
+# Complexity: number of different class of character required
+$pwd_complexity = 0;
+# use pwnedpasswords api v2 to securely check if the password has been on a leak
+$use_pwnedpasswords = false;
+# show password entropy bar (require php zxcvbn module)
+$pwd_display_entropy = false;
+# enforce password entropy check
+$pwd_check_entropy = false;
+# minimum entropy level required (when $pwd_check_entropy enabled)
+$pwd_min_entropy = 3;
+# Show policy constraints message:
+# always
+# never
+# onerror
+$pwd_show_policy = "never";
+# Position of password policy constraints message:
+# above - the form
+# below - the form
+$pwd_show_policy_pos = "above";
+
 ## Mail
 # LDAP mail attribute
 $mail_attributes = array( "mail", "gosaMailAlternateAddress", "proxyAddresses" );

diff --git a/htdocs/checkentropy.php b/htdocs/checkentropy.php
@@ -0,0 +1,16 @@
+<?php
+
+require_once '../vendor/autoload.php';
+
+// new password sent in the url, base64 encoded
+$newpass = htmlspecialchars($_POST["password"]);
+$entropy_response = \Ltb\Ppolicy::checkEntropyJSON($newpass);
+if ($debug) {
+    error_log("checkEntropy: ".$entropy_response);
+}
+
+print $entropy_response;
+exit(0);
+
+?>
+
diff --git a/htdocs/display.php b/htdocs/display.php
@@ -126,9 +126,26 @@
             }
 
             # Lock
-            $pwdLockout = strtolower($ppolicy_entry[0]['pwdlockout'][0]) == "true" ? true : false;
-            $pwdLockoutDuration = $ppolicy_entry[0]['pwdlockoutduration'][0];
-            $pwdAccountLockedTime = $entry[0]['pwdaccountlockedtime'][0];
+            if(isset($ppolicy_entry[0]['pwdlockout'][0]))
+            {
+                $pwdLockout = strtolower($ppolicy_entry[0]['pwdlockout'][0]) == "true" ? true : false;
+            }
+            else
+            {
+                $pwdLockout = false;
+            }
+            if(isset($ppolicy_entry[0]['pwdlockoutduration'][0]))
+            {
+                $pwdLockoutDuration = $ppolicy_entry[0]['pwdlockoutduration'][0];
+            }
+            if(isset($entry[0]['pwdaccountlockedtime'][0]))
+            {
+                $pwdAccountLockedTime = $entry[0]['pwdaccountlockedtime'][0];
+            }
+            else
+            {
+                $pwdAccountLockedTime = null;
+            }
 
             if ( $pwdAccountLockedTime === "000001010000Z" ) {
                 $isLocked = true;
@@ -146,8 +163,14 @@
             }
 
             # Expiration
-            $pwdMaxAge = $ppolicy_entry[0]['pwdmaxage'][0];
-            $pwdChangedTime = $entry[0]['pwdchangedtime'][0];
+            if(isset($ppolicy_entry[0]['pwdmaxage'][0]))
+            {
+                $pwdMaxAge = $ppolicy_entry[0]['pwdmaxage'][0];
+            }
+            if(isset($entry[0]['pwdchangedtime'][0]))
+            {
+                $pwdChangedTime = $entry[0]['pwdchangedtime'][0];
+            }
 
             if (isset($pwdChangedTime) and isset($pwdMaxAge) and ($pwdMaxAge > 0)) {
                 $changedDate = ldapDate2phpDate($pwdChangedTime);

diff --git a/htdocs/index.php b/htdocs/index.php
@@ -63,10 +63,41 @@
                                  isset($ldap_bindpw) ? $ldap_bindpw : null,
                                  isset($ldap_network_timeout) ? $ldap_network_timeout : null,
                                  $ldap_user_base,
-                                 null,
+                                 isset($ldap_size_limit) ? $ldap_size_limit : 0,
                                  isset($ldap_krb5ccname) ? $ldap_krb5ccname : null
                              );
 
+#==============================================================================
+# Other default values
+#==============================================================================
+if (!isset($pwd_forbidden_chars)) { $pwd_forbidden_chars = ""; }
+
+# Password policy array
+$pwd_policy_config = array(
+    "pwd_show_policy"           => $pwd_show_policy,
+    "pwd_min_length"            => $pwd_min_length,
+    "pwd_max_length"            => $pwd_max_length,
+    "pwd_min_lower"             => $pwd_min_lower,
+    "pwd_min_upper"             => $pwd_min_upper,
+    "pwd_min_digit"             => $pwd_min_digit,
+    "pwd_min_special"           => $pwd_min_special,
+    "pwd_special_chars"         => $pwd_special_chars,
+    "pwd_forbidden_chars"       => $pwd_forbidden_chars,
+    "pwd_no_reuse"              => $pwd_no_reuse,
+    "pwd_diff_last_min_chars"   => $pwd_diff_last_min_chars,
+    "pwd_diff_login"            => $pwd_diff_login,
+    "pwd_complexity"            => $pwd_complexity,
+    "use_pwnedpasswords"        => $use_pwnedpasswords,
+    "pwd_no_special_at_ends"    => $pwd_no_special_at_ends,
+    "pwd_forbidden_words"       => $pwd_forbidden_words,
+    "pwd_forbidden_ldap_fields" => $pwd_forbidden_ldap_fields,
+    "pwd_display_entropy"       => $pwd_display_entropy,
+    "pwd_check_entropy"         => $pwd_check_entropy,
+    "pwd_min_entropy"           => $pwd_min_entropy
+);
+
+if (!isset($pwd_show_policy_pos)) { $pwd_show_policy_pos = "above"; }
+
 #==============================================================================
 # Smarty
 #==============================================================================
@@ -134,6 +165,7 @@
 $smarty->assign('use_showauditlog',$use_showauditlog);
 $smarty->assign('fake_password_inputs',$fake_password_inputs);
 
+
 # Assign messages
 $smarty->assign('lang',$lang);
 foreach ($messages as $key => $message) {
@@ -193,6 +225,8 @@
 if ( file_exists($page.".php") ) { require_once($page.".php"); }
 $smarty->assign('page',$page);
 
+\Ltb\Ppolicy::smarty_assign_ppolicy($smarty, $pwd_show_policy_pos, $pwd_show_policy, $result, $pwd_policy_config);
+
 if ($result) {
     $smarty->assign('error',$messages[$result]);
 } else {

diff --git a/templates/display.tpl b/templates/display.tpl
@@ -164,6 +164,9 @@
                      {if $posthookresult}
                      <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$posthookresult}</div>
                      {/if}
+                     {if $pwd_show_policy !== "never" and $pwd_show_policy_pos === 'above'}
+                        {include file="policy.tpl"}
+                     {/if}
                      <input type="hidden" name="dn" value="{$dn}" />
                      <div class="input-group mb-3">
                         <span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span>
@@ -188,6 +191,9 @@
                      <button type="submit" class="btn btn-success">
                         <i class="fa fa-fw fa-check-square-o"></i> {$msg_submit}
                      </button>
+                     {if $pwd_show_policy !== "never" and $pwd_show_policy_pos === 'below'}
+                        {include file="policy.tpl"}
+                     {/if}
                 </form>
             </div>
         </div>

diff --git a/templates/footer.tpl b/templates/footer.tpl
@@ -4,13 +4,16 @@
 <div id="footer">LDAP Tool Box Service Desk - version {$version}</div>
 {/if}
 
+<div id="ltb-component" hidden>sd</div>
+
 <script src="vendor/jquery/js/jquery.min.js"></script>
 <script src="vendor/bootstrap/js/bootstrap.bundle.min.js"></script>
 <script src="vendor/datatables/dataTables.min.js"></script>
 <script src="vendor/datatables/dataTables.bootstrap5.min.js"></script>
 <script src="vendor/datatables/dataTables.buttons.min.js"></script>
 <script src="vendor/datatables/buttons.bootstrap5.min.js"></script>
 <script src="js/service-desk.js"></script>
+<script src="js/ppolicy.js"></script>
 
 {literal}
     <script type="text/javascript">