From b3b69581c460fa574b96218c10b901c16c0ccddf Mon Sep 17 00:00:00 2001 From: Roman Perekhod Date: Mon, 8 Jan 2024 16:55:51 +0100 Subject: [PATCH] rework disabling the password policy --- .../disabled-password-policy-rework.md | 7 +++ services/frontend/README.md | 2 + services/frontend/pkg/revaconfig/config.go | 50 +++++++++++------- services/sharing/pkg/revaconfig/config.go | 52 ++++++++++++------- 4 files changed, 74 insertions(+), 37 deletions(-) create mode 100644 changelog/unreleased/disabled-password-policy-rework.md diff --git a/changelog/unreleased/disabled-password-policy-rework.md b/changelog/unreleased/disabled-password-policy-rework.md new file mode 100644 index 0000000000..b5e85b38a8 --- /dev/null +++ b/changelog/unreleased/disabled-password-policy-rework.md @@ -0,0 +1,7 @@ +Enhancement: Disable the password policy + +We reworked and moved disabling the password policy logic from the reva to the ocis. + +https://github.com/owncloud/ocis/pull/8152 +https://github.com/cs3org/reva/pull/4453 +https://github.com/owncloud/ocis/issues/7916 diff --git a/services/frontend/README.md b/services/frontend/README.md index 11db15e717..83b395348b 100644 --- a/services/frontend/README.md +++ b/services/frontend/README.md 
@@ -75,6 +75,8 @@ When setting the `FRONTEND_AUTO_ACCEPT_SHARES` to `true`, all incoming shares wi Note that the password policy currently impacts only **public link password validation**. +In Infinite Scale, the password policy is always enabled because the max-length restriction is always applying and should be taken into account by the clients. + With the password policy, mandatory criteria for the password can be defined via the environment variables listed below. Generally, a password can contain any UTF-8 characters, however some characters are regarded as special since they are not used in ordinary texts. Which characters should be treated as special is defined by "The OWASP® Foundation" [password-special-characters](https://owasp.org/www-community/password-special-characters) (between double quotes): " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~" diff --git a/services/frontend/pkg/revaconfig/config.go b/services/frontend/pkg/revaconfig/config.go index 0dfdcbc370..51c4138560 100644 --- a/services/frontend/pkg/revaconfig/config.go +++ b/services/frontend/pkg/revaconfig/config.go @@ -25,14 +25,10 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string webURL.Path = path.Join(webURL.Path, "external") webOpenInAppURL := webURL.String() - var bannedPasswordsList map[string]struct{} - if cfg.PasswordPolicy.BannedPasswordsList != "" { - bannedPasswordsList, err = readMultilineFile(cfg.PasswordPolicy.BannedPasswordsList) - if err != nil { - err = fmt.Errorf("failed to load the banned passwords from a file %s: %w", cfg.PasswordPolicy.BannedPasswordsList, err) - logger.Err(err).Send() - return nil, err - } + passwordPolicyCfg, err := passwordPolicyConfig(cfg) + if err != nil { + logger.Err(err).Send() + return nil, err } archivers := []map[string]interface{}{ 
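Review bot: Switching the policy off via `cfg.PasswordPolicy.Disabled` leaves no trace in the frontend log: the new `passwordPolicyCfg, err := passwordPolicyConfig(cfg)` call only logs on error, so an operator or incident responder cannot tell from startup output that public-link passwords are being accepted with nothing but the length cap. Because this is a security control being turned off, I would announce it right next to the error handling, e.g. `if cfg.PasswordPolicy.Disabled { logger.Warn().Msg("password policy is disabled; only the maximum length is enforced for public link passwords") }` (assuming the zerolog-style API that `logger.Err(err).Send()` suggests). The README hunk above says the max-length cap still applies, so the message should not claim that validation is fully off. FrontendConfigFromStruct starts and ends outside this hunk.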
@@ -327,16 +323,7 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string]
 },
 },
 },
- "password_policy": map[string]interface{}{
- "max_characters": 72,
- "disabled": cfg.PasswordPolicy.Disabled,
- "min_characters": cfg.PasswordPolicy.MinCharacters,
- "min_lowercase_characters": cfg.PasswordPolicy.MinLowerCaseCharacters,
- "min_uppercase_characters": cfg.PasswordPolicy.MinUpperCaseCharacters,
- "min_digits": cfg.PasswordPolicy.MinDigits,
- "min_special_characters": cfg.PasswordPolicy.MinSpecialCharacters,
- "banned_passwords_list": bannedPasswordsList,
- },
+ "password_policy": passwordPolicyCfg,
 "notifications": map[string]interface{}{
 "endpoints": []string{"list", "get", "delete"},
 },
@@ -385,3 +372,30 @@ func fileExists(path string) bool {
 }
 return !info.IsDir()
 }
+
+func passwordPolicyConfig(cfg *config.Config) (map[string]interface{}, error) {
+ _maxCharacters := 72
+ if cfg.PasswordPolicy.Disabled {
+ return map[string]interface{}{
+ "max_characters": _maxCharacters,
+ "banned_passwords_list": nil,
+ }, nil
+ }
+ var bannedPasswordsList map[string]struct{}
+ var err error
+ if cfg.PasswordPolicy.BannedPasswordsList != "" {
+ bannedPasswordsList, err = readMultilineFile(cfg.PasswordPolicy.BannedPasswordsList)
+ if err != nil {
+ return nil, fmt.Errorf("failed to load the banned passwords from a file %s: %w", cfg.PasswordPolicy.BannedPasswordsList, err)
+ }
+ }
+ return map[string]interface{}{
+ "max_characters": _maxCharacters,
+ "min_digits": cfg.PasswordPolicy.MinDigits,
+ "min_characters": cfg.PasswordPolicy.MinCharacters,
+ "min_lowercase_characters": cfg.PasswordPolicy.MinLowerCaseCharacters,
+ "min_uppercase_characters": cfg.PasswordPolicy.MinUpperCaseCharacters,
+ "min_special_characters": cfg.PasswordPolicy.MinSpecialCharacters,
+ "banned_passwords_list": bannedPasswordsList,
+ }, nil
+}
diff --git a/services/sharing/pkg/revaconfig/config.go b/services/sharing/pkg/revaconfig/config.go
index 3854d9b5bc..b1f7e0d46a 100644
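Review bot: `_maxCharacters := 72` in the new passwordPolicyConfig is an unexplained magic number behind a non-idiomatic underscore-prefixed local, and the same literal is repeated in the sharing service's copy of this function in the same patch, so the two limits can drift apart without anyone noticing. I would hoist it to a documented package-level constant, `// maxPasswordCharacters caps public link passwords; it is enforced even when the rest of the policy is disabled (see the frontend README).` followed by `const maxPasswordCharacters = 72`, and give passwordPolicyConfig a doc comment saying that with `Disabled` set it emits only `max_characters` and a nil banned list, leaving the `min_*` criteria to whatever reva uses when the keys are absent — that last part is inferred from the changelog's reva reference and should be confirmed. If 72 exists because of a byte-oriented limit in the hash used on the reva side, a limit counted in characters can still admit more than 72 bytes for the multi-byte UTF-8 passwords the README says are allowed; worth confirming how reva counts it before relying on the cap.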
--- a/services/sharing/pkg/revaconfig/config.go +++ b/services/sharing/pkg/revaconfig/config.go @@ -14,15 +14,10 @@ import ( // SharingConfigFromStruct will adapt an oCIS config struct into a reva mapstructure to start a reva service. func SharingConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string]interface{}, error) { - var bannedPasswordsList map[string]struct{} - var err error - if cfg.PasswordPolicy.BannedPasswordsList != "" { - bannedPasswordsList, err = readMultilineFile(cfg.PasswordPolicy.BannedPasswordsList) - if err != nil { - err = fmt.Errorf("failed to load the banned passwords from a file %s: %w", cfg.PasswordPolicy.BannedPasswordsList, err) - logger.Err(err).Send() - return nil, err - } + passwordPolicyCfg, err := passwordPolicyConfig(cfg) + if err != nil { + logger.Err(err).Send() + return nil, err } rcfg := map[string]interface{}{ "shared": map[string]interface{}{ @@ -94,16 +89,8 @@ func SharingConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string] "gateway_addr": cfg.Reva.Address, "writeable_share_must_have_password": cfg.WriteableShareMustHavePassword, "public_share_must_have_password": cfg.PublicShareMustHavePassword, - "password_policy": map[string]interface{}{ - "disabled": cfg.PasswordPolicy.Disabled, - "min_digits": cfg.PasswordPolicy.MinDigits, - "min_characters": cfg.PasswordPolicy.MinCharacters, - "min_lowercase_characters": cfg.PasswordPolicy.MinLowerCaseCharacters, - "min_uppercase_characters": cfg.PasswordPolicy.MinUpperCaseCharacters, - "min_special_characters": cfg.PasswordPolicy.MinSpecialCharacters, - "banned_passwords_list": bannedPasswordsList, - }, - "driver": cfg.PublicSharingDriver, + "password_policy": passwordPolicyCfg, + "driver": cfg.PublicSharingDriver, "drivers": map[string]interface{}{ "json": map[string]interface{}{ "file": cfg.PublicSharingDrivers.JSON.File, 
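Review bot: In SharingConfigFromStruct the new `passwordPolicyCfg, err := passwordPolicyConfig(cfg)` call only logs on error, so a sharing service started with the policy disabled gives no indication of that in its log, even though public-share password checks are being relaxed. I would add a startup warning beside the error handling, `if cfg.PasswordPolicy.Disabled { logger.Warn().Msg("password policy is disabled; only the maximum length is enforced for public share passwords") }`, assuming the zerolog-style API that `logger.Err(err).Send()` suggests. The function ends outside this hunk.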
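Review bot: The removed lines show the sharing service never sent a `max_characters` key before, while `passwordPolicyCfg` now always carries one (72, per the function added later in the patch), so this hunk tightens sharing-side validation rather than only moving the disable logic. Whether that is a visible change depends on what reva did with the missing key before, which this diff does not show; if it was unlimited, the changelog entry should call out the new cap so operators with clients that generate long link passwords are not surprised. A one-line comment above `"password_policy": passwordPolicyCfg,` such as `// always includes max_characters, even when the policy is disabled` would also make the new invariant visible at the call site.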
@@ -185,3 +172,30 @@ func fileExists(path string) bool {
 }
 return !info.IsDir()
 }
+
+func passwordPolicyConfig(cfg *config.Config) (map[string]interface{}, error) {
+ _maxCharacters := 72
+ if cfg.PasswordPolicy.Disabled {
+ return map[string]interface{}{
+ "max_characters": _maxCharacters,
+ "banned_passwords_list": nil,
+ }, nil
+ }
+ var bannedPasswordsList map[string]struct{}
+ var err error
+ if cfg.PasswordPolicy.BannedPasswordsList != "" {
+ bannedPasswordsList, err = readMultilineFile(cfg.PasswordPolicy.BannedPasswordsList)
+ if err != nil {
+ return nil, fmt.Errorf("failed to load the banned passwords from a file %s: %w", cfg.PasswordPolicy.BannedPasswordsList, err)
+ }
+ }
+ return map[string]interface{}{
+ "max_characters": _maxCharacters,
+ "min_digits": cfg.PasswordPolicy.MinDigits,
+ "min_characters": cfg.PasswordPolicy.MinCharacters,
+ "min_lowercase_characters": cfg.PasswordPolicy.MinLowerCaseCharacters,
+ "min_uppercase_characters": cfg.PasswordPolicy.MinUpperCaseCharacters,
+ "min_special_characters": cfg.PasswordPolicy.MinSpecialCharacters,
+ "banned_passwords_list": bannedPasswordsList,
+ }, nil
+}
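Review bot: This passwordPolicyConfig is a line-for-line copy of the one added to services/frontend/pkg/revaconfig/config.go in the same patch, down to the `_maxCharacters := 72` literal, so every future change to the policy shape has to be made twice and can be missed once. Unless the two services are meant to diverge, I would move the function and a named constant for the limit into one shared package that both revaconfig files import (the repository layout will dictate which), leaving a thin call in each. Within the body, the disabled branch returns an untyped `nil` for `banned_passwords_list` while the enabled branch returns a typed nil `map[string]struct{}` when no file is configured; both presumably decode the same way downstream, but returning the same `bannedPasswordsList` variable from both branches would remove the question. The function also has no doc comment; one sentence stating that `Disabled` drops every `min_*` key and the banned list but keeps `max_characters` would spare readers the diff archaeology.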