Merge pull request #7897 from owncloud/change-deployments-docs

[docs-only] feat: use global variables for password policy
2026-01-01 18:01:28 -06:00 · 2023-12-06 15:23:28 +01:00
parent 1aa6112d1e ca6d87103e
commit 52bb1a1ffb
7 changed files with 15 additions and 13 deletions
--- a/deployments/examples/oc10_ocis_parallel/docker-compose.yml
+++ b/deployments/examples/oc10_ocis_parallel/docker-compose.yml
@@ -125,7 +125,7 @@ services:
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
      # password policies
-      FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+      OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
    volumes:
      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
      - ./config/ocis/proxy.yaml:/etc/ocis/proxy.yaml
--- a/deployments/examples/ocis_hello/docker-compose.yml
+++ b/deployments/examples/ocis_hello/docker-compose.yml
@@ -72,7 +72,7 @@ services:
      # demo users
      IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
      # password policies
-      FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+      OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
    volumes:
      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
      - ./config/ocis/proxy.yaml:/etc/ocis/proxy.yaml
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -78,7 +78,7 @@ services:
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
      GRAPH_USERNAME_MATCH: "none"
      # password policies
-      FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+      OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
    volumes:
      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
      - ocis-config:/etc/ocis
--- a/deployments/examples/ocis_ldap/docker-compose.yml
+++ b/deployments/examples/ocis_ldap/docker-compose.yml
@@ -89,7 +89,7 @@ services:
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
      # password policies
-      FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+      OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
    volumes:
      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
      - ocis-config:/etc/ocis
--- a/deployments/examples/ocis_s3/docker-compose.yml
+++ b/deployments/examples/ocis_s3/docker-compose.yml
@@ -79,7 +79,7 @@ services:
      # demo users
      IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
      # password policies
-      FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+      OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
    volumes:
      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
      - ocis-config:/etc/ocis
--- a/deployments/examples/ocis_traefik/docker-compose.yml
+++ b/deployments/examples/ocis_traefik/docker-compose.yml
@@ -75,7 +75,7 @@ services:
      NOTIFICATIONS_SMTP_USERNAME: notifications@${OCIS_DOMAIN:-ocis.owncloud.test}
      NOTIFICATIONS_SMTP_INSECURE: "true" # the mail catcher uses self signed certificates
      # password policies
-      FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+      OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
    volumes:
      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
      - ocis-config:/etc/ocis
--- a/services/frontend/README.md
+++ b/services/frontend/README.md
@@ -72,23 +72,25 @@ With the password policy, mandatory criteria for the password can be defined via

 Generally, a password can contain any UTF-8 characters, however some characters are regarded as special since they are not used in ordinary texts. Which characters should be treated as special is defined by "The OWASP® Foundation" [password-special-characters](https://owasp.org/www-community/password-special-characters) (between double quotes): " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"

-The validation against the banned passwords list can be configured via a text file with words separated by new lines. If a user tries to set a password listed in the banned passwords list, the password can not be used (is invalid) even if the other mandatory criteria are passed. The admin can define the path of the banned passwords list file. If the file doesn't exist in a location, Infinite Scale tries to load a file from the `OCIS_CONFIG_DIR/FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`. An option will be enabled when the file has been loaded successfully.
+The validation against the banned passwords list can be configured via a text file with words separated by new lines. If a user tries to set a password listed in the banned passwords list, the password can not be used (is invalid) even if the other mandatory criteria are passed. The admin can define the path of the banned passwords list file. If the file doesn't exist in a location, Infinite Scale tries to load a file from the `OCIS_CONFIG_DIR/OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`. An option will be enabled when the file has been loaded successfully.

 Following environment variables can be set to define the password policy behaviour:

-   `FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS`
+-   `OCIS_PASSWORD_POLICY_MIN_CHARACTERS`
 Define the minimum password length.
-   `FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`
+-   `OCIS_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`
 Define the minimum number of uppercase letters.
-   `FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`
+-   `OCIS_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`
 Define the minimum number of lowercase letters.
-   `FRONTEND_PASSWORD_POLICY_MIN_DIGITS`
+-   `OCIS_PASSWORD_POLICY_MIN_DIGITS`
 Define the minimum number of digits.
-   `FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`
+-   `OCIS_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`
 Define the minimum number of special characters.
-   `FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`
+-   `OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`
 Path to the 'banned passwords list' file.

+These variables are global ocis variables because they are used not only in the frontend service, but also in the sharing service.
+
 Note that a password can have a maximum length of **72 bytes**. Depending on the alphabet used, a character is encoded by 1 to 4 bytes, defining the maximum length of a password indirectly. While US-ASCII will only need one byte, Latin alphabets and also Greek or Cyrillic ones need two bytes. Three bytes are needed for characters in Chinese, Japanese and Korean etc.

 ### The password policy capability