From ca6d87103e69b5d824fcf5b84e55bd2d9a18f5ba Mon Sep 17 00:00:00 2001
From: Michael Barz
Date: Wed, 6 Dec 2023 14:30:54 +0100
Subject: [PATCH] feat: use global variables for password policy

---
 .../oc10_ocis_parallel/docker-compose.yml | 2 +-
 .../examples/ocis_hello/docker-compose.yml | 2 +-
 .../examples/ocis_keycloak/docker-compose.yml | 2 +-
 .../examples/ocis_ldap/docker-compose.yml | 2 +-
 deployments/examples/ocis_s3/docker-compose.yml | 2 +-
 .../examples/ocis_traefik/docker-compose.yml | 2 +-
 services/frontend/README.md | 16 +++++++++-------
 7 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/deployments/examples/oc10_ocis_parallel/docker-compose.yml b/deployments/examples/oc10_ocis_parallel/docker-compose.yml
index b677db97a..8ddcc380c 100644
--- a/deployments/examples/oc10_ocis_parallel/docker-compose.yml
+++ b/deployments/examples/oc10_ocis_parallel/docker-compose.yml
@@ -125,7 +125,7 @@ services:
 # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
 PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
 # password policies
- FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+ OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
 volumes:
 - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
 - ./config/ocis/proxy.yaml:/etc/ocis/proxy.yaml
diff --git a/deployments/examples/ocis_hello/docker-compose.yml b/deployments/examples/ocis_hello/docker-compose.yml
index 724c99676..587b48fed 100644
--- a/deployments/examples/ocis_hello/docker-compose.yml
+++ b/deployments/examples/ocis_hello/docker-compose.yml
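Review bot: Nothing in this patch shows the frontend service reading `OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`, so the renamed line in this compose file (and the matching line in the ocis_hello, ocis_keycloak, ocis_ldap, ocis_s3 and ocis_traefik hunks) appears to leave the banned-password check silently off if the service still reads `FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`; the README in this same patch says the option is only enabled once the file has been loaded, so a stale variable name fails quietly rather than loudly. Confirm the service-side rename has landed, and consider keeping the `FRONTEND_*` name as a deprecated alias or at least adding a changelog entry, so existing deployments that still set the old name are not downgraded on upgrade. The README hunk also carries a pre-existing mix-up on the new side: `OCIS_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` is described as 'Define the minimum number of uppercase letters.' and `OCIS_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` as lowercase; the two descriptions should be swapped.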
@@ -72,7 +72,7 @@ services:
 # demo users
 IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
 # password policies
- FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+ OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
 volumes:
 - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
 - ./config/ocis/proxy.yaml:/etc/ocis/proxy.yaml
diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml
index 0b1969770..fe4e94546 100644
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -78,7 +78,7 @@ services:
 GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
 GRAPH_USERNAME_MATCH: "none"
 # password policies
- FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+ OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
 volumes:
 - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
 - ocis-config:/etc/ocis
diff --git a/deployments/examples/ocis_ldap/docker-compose.yml b/deployments/examples/ocis_ldap/docker-compose.yml
index 7e51575f5..ad54fa23f 100644
--- a/deployments/examples/ocis_ldap/docker-compose.yml
+++ b/deployments/examples/ocis_ldap/docker-compose.yml
@@ -89,7 +89,7 @@ services:
 # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
 PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
 # password policies
- FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+ OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
 volumes:
 - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
 - ocis-config:/etc/ocis
diff --git a/deployments/examples/ocis_s3/docker-compose.yml b/deployments/examples/ocis_s3/docker-compose.yml
index a02bdc8ee..a8d187b5b 100644
--- a/deployments/examples/ocis_s3/docker-compose.yml
+++ b/deployments/examples/ocis_s3/docker-compose.yml
@@ -79,7 +79,7 @@ services:
 # demo users
 IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
 # password policies
- FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+ OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
 volumes:
 - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
 - ocis-config:/etc/ocis
diff --git a/deployments/examples/ocis_traefik/docker-compose.yml b/deployments/examples/ocis_traefik/docker-compose.yml
index 8ee9c1b5c..10ef85702 100644
--- a/deployments/examples/ocis_traefik/docker-compose.yml
+++ b/deployments/examples/ocis_traefik/docker-compose.yml
@@ -75,7 +75,7 @@ services:
 NOTIFICATIONS_SMTP_USERNAME: notifications@${OCIS_DOMAIN:-ocis.owncloud.test}
 NOTIFICATIONS_SMTP_INSECURE: "true" # the mail catcher uses self signed certificates
 # password policies
- FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+ OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
 volumes:
 - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
 - ocis-config:/etc/ocis
diff --git a/services/frontend/README.md b/services/frontend/README.md
index 424bcb33d..82f1efa27 100644
--- a/services/frontend/README.md
+++ b/services/frontend/README.md
@@ -72,23 +72,25 @@ With the password policy, mandatory criteria for the password can be defined via Generally, a password can contain any UTF-8 characters, however some characters are regarded as special since they are not used in ordinary texts. Which characters should be treated as special is defined by "The OWASP® Foundation" [password-special-characters](https://owasp.org/www-community/password-special-characters) (between double quotes): " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~" -The validation against the banned passwords list can be configured via a text file with words separated by new lines. If a user tries to set a password listed in the banned passwords list, the password can not be used (is invalid) even if the other mandatory criteria are passed. The admin can define the path of the banned passwords list file. If the file doesn't exist in a location, Infinite Scale tries to load a file from the `OCIS_CONFIG_DIR/FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`. An option will be enabled when the file has been loaded successfully. +The validation against the banned passwords list can be configured via a text file with words separated by new lines. If a user tries to set a password listed in the banned passwords list, the password can not be used (is invalid) even if the other mandatory criteria are passed. The admin can define the path of the banned passwords list file. If the file doesn't exist in a location, Infinite Scale tries to load a file from the `OCIS_CONFIG_DIR/OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`. An option will be enabled when the file has been loaded successfully. Following environment variables can be set to define the password policy behaviour: -- `FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS` +- `OCIS_PASSWORD_POLICY_MIN_CHARACTERS` Define the minimum password length. -- `FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` +- `OCIS_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` Define the minimum number of uppercase letters. 
-- `FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` +- `OCIS_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` Define the minimum number of lowercase letters. -- `FRONTEND_PASSWORD_POLICY_MIN_DIGITS` +- `OCIS_PASSWORD_POLICY_MIN_DIGITS` Define the minimum number of digits. -- `FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS` +- `OCIS_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS` Define the minimum number of special characters. -- `FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` +- `OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` Path to the 'banned passwords list' file. +These variables are global ocis variables because they are used not only in the frontend service, but also in the sharing service. + Note that a password can have a maximum length of **72 bytes**. Depending on the alphabet used, a character is encoded by 1 to 4 bytes, defining the maximum length of a password indirectly. While US-ASCII will only need one byte, Latin alphabets and also Greek or Cyrillic ones need two bytes. Three bytes are needed for characters in Chinese, Japanese and Korean etc. ### The password policy capability