policies/password: merge hibp add zxcvbn (#4001)

* initial zxcvbn

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add api and port tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* more tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add ui

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add api diff

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens L
2022-11-14 14:42:43 +01:00
committed by GitHub
parent 40844c975f
commit 88594075b2
14 changed files with 1310 additions and 150 deletions

View File

@ -7,17 +7,33 @@ import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
import { t } from "@lingui/macro";
import { TemplateResult, html } from "lit";
import { customElement } from "lit/decorators.js";
import { customElement, state } from "lit/decorators.js";
import { ifDefined } from "lit/directives/if-defined.js";
import { PasswordPolicy, PoliciesApi } from "@goauthentik/api";
@customElement("ak-policy-password-form")
export class PasswordPolicyForm extends ModelForm<PasswordPolicy, string> {
@state()
showStatic = true;
@state()
showHIBP = false;
@state()
showZxcvbn = false;
loadInstance(pk: string): Promise<PasswordPolicy> {
return new PoliciesApi(DEFAULT_CONFIG).policiesPasswordRetrieve({
policyUuid: pk,
});
return new PoliciesApi(DEFAULT_CONFIG)
.policiesPasswordRetrieve({
policyUuid: pk,
})
.then((policy) => {
this.showStatic = policy.checkStaticRules || false;
this.showHIBP = policy.checkHaveIBeenPwned || false;
this.showZxcvbn = policy.checkZxcvbn || false;
return policy;
});
}
getSuccessMessage(): string {
@ -41,6 +57,168 @@ export class PasswordPolicyForm extends ModelForm<PasswordPolicy, string> {
}
};
renderStaticRules(): TemplateResult {
return html` <ak-form-group>
<span slot="header"> ${t`Static rules`} </span>
<div slot="body" class="pf-c-form">
<ak-form-element-horizontal
label=${t`Minimum length`}
?required=${true}
name="lengthMin"
>
<input
type="number"
value="${first(this.instance?.lengthMin, 10)}"
class="pf-c-form-control"
required
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Minimum amount of Uppercase Characters`}
?required=${true}
name="amountUppercase"
>
<input
type="number"
value="${first(this.instance?.amountUppercase, 2)}"
class="pf-c-form-control"
required
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Minimum amount of Lowercase Characters`}
?required=${true}
name="amountLowercase"
>
<input
type="number"
value="${first(this.instance?.amountLowercase, 2)}"
class="pf-c-form-control"
required
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Minimum amount of Digits`}
?required=${true}
name="amountDigits"
>
<input
type="number"
value="${first(this.instance?.amountDigits, 2)}"
class="pf-c-form-control"
required
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Minimum amount of Symbols Characters`}
?required=${true}
name="amountSymbols"
>
<input
type="number"
value="${first(this.instance?.amountSymbols, 2)}"
class="pf-c-form-control"
required
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Error message`}
?required=${true}
name="errorMessage"
>
<input
type="text"
value="${ifDefined(this.instance?.errorMessage)}"
class="pf-c-form-control"
required
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Symbol charset`}
?required=${true}
name="symbolCharset"
>
<input
type="text"
value="${ifDefined(
this.instance?.symbolCharset || "!\\\"#$%&'()*+,-./:;<=>?@[]^_`{|}~ ",
)}"
class="pf-c-form-control"
required
/>
<p class="pf-c-form__helper-text">
${t`Characters which are considered as symbols.`}
</p>
</ak-form-element-horizontal>
</div>
</ak-form-group>`;
}
renderHIBP(): TemplateResult {
return html`
<ak-form-group .expanded=${true}>
<span slot="header"> ${t`HaveIBeenPwned settings`} </span>
<div slot="body" class="pf-c-form">
<ak-form-element-horizontal
label=${t`Allowed count`}
?required=${true}
name="hibpAllowedCount"
>
<input
type="number"
value="${first(this.instance?.hibpAllowedCount, 0)}"
class="pf-c-form-control"
required
/>
<p class="pf-c-form__helper-text">
${t`Allow up to N occurrences in the HIBP database.`}
</p>
</ak-form-element-horizontal>
</div>
</ak-form-group>
`;
}
renderZxcvbn(): TemplateResult {
return html`
<ak-form-group .expanded=${true}>
<span slot="header"> ${t`zxcvbn settings`} </span>
<div slot="body" class="pf-c-form">
<ak-form-element-horizontal
label=${t`Score threshold`}
?required=${true}
name="zxcvbnScoreThreshold"
>
<input
type="number"
value="${first(this.instance?.zxcvbnScoreThreshold, 0)}"
class="pf-c-form-control"
required
/>
<p class="pf-c-form__helper-text">
${t`If the password's score is less than or equal this value, the policy will fail.`}
</p>
<p class="pf-c-form__helper-text">
${t`0: Too guessable: risky password. (guesses < 10^3)`}
</p>
<p class="pf-c-form__helper-text">
${t`1: Very guessable: protection from throttled online attacks. (guesses < 10^6)`}
</p>
<p class="pf-c-form__helper-text">
${t`2: Somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)`}
</p>
<p class="pf-c-form__helper-text">
${t`3: Safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)`}
</p>
<p class="pf-c-form__helper-text">
${t`4: Very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)`}
</p>
</ak-form-element-horizontal>
</div>
</ak-form-group>
`;
}
renderForm(): TemplateResult {
return html`<form class="pf-c-form pf-m-horizontal">
<div class="form-help-text">
@ -67,122 +245,77 @@ export class PasswordPolicyForm extends ModelForm<PasswordPolicy, string> {
${t`When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged.`}
</p>
</ak-form-element-horizontal>
<ak-form-group .expanded=${true}>
<span slot="header"> ${t`Policy-specific settings`} </span>
<div slot="body" class="pf-c-form">
<ak-form-element-horizontal
label=${t`Password field`}
?required=${true}
name="passwordField"
>
<input
type="text"
value="${ifDefined(this.instance?.passwordField || "password")}"
class="pf-c-form-control"
required
/>
<p class="pf-c-form__helper-text">
${t`Field key to check, field keys defined in Prompt stages are available.`}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Password field`}
?required=${true}
name="passwordField"
>
<input
type="text"
value="${ifDefined(this.instance?.passwordField || "password")}"
class="pf-c-form-control"
required
/>
<p class="pf-c-form__helper-text">
${t`Field key to check, field keys defined in Prompt stages are available.`}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Minimum length`}
?required=${true}
name="lengthMin"
>
<input
type="number"
value="${first(this.instance?.lengthMin, 10)}"
class="pf-c-form-control"
required
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Minimum amount of Uppercase Characters`}
?required=${true}
name="amountUppercase"
>
<input
type="number"
value="${first(this.instance?.amountUppercase, 2)}"
class="pf-c-form-control"
required
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Minimum amount of Lowercase Characters`}
?required=${true}
name="amountLowercase"
>
<input
type="number"
value="${first(this.instance?.amountLowercase, 2)}"
class="pf-c-form-control"
required
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Minimum amount of Digits`}
?required=${true}
name="amountDigits"
>
<input
type="number"
value="${first(this.instance?.amountDigits, 2)}"
class="pf-c-form-control"
required
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Minimum amount of Symbols Characters`}
?required=${true}
name="amountSymbols"
>
<input
type="number"
value="${first(this.instance?.amountSymbols, 2)}"
class="pf-c-form-control"
required
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Error message`}
?required=${true}
name="errorMessage"
>
<input
type="text"
value="${ifDefined(this.instance?.errorMessage)}"
class="pf-c-form-control"
required
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="checkStaticRules">
<div class="pf-c-check">
<input
type="checkbox"
class="pf-c-check__input"
?checked=${first(this.instance?.checkStaticRules, true)}
@change=${(ev: Event) => {
const el = ev.target as HTMLInputElement;
this.showStatic = el.checked;
}}
/>
<label class="pf-c-check__label"> ${t`Check static rules`} </label>
</div>
</ak-form-group>
<ak-form-group>
<span slot="header"> ${t`Advanced settings`} </span>
<div slot="body" class="pf-c-form">
<ak-form-element-horizontal
label=${t`Symbol charset`}
?required=${true}
name="symbolCharset"
>
<input
type="text"
value="${ifDefined(
this.instance?.symbolCharset ||
"!\\\"#$%&'()*+,-./:;<=>?@[]^_`{|}~ ",
)}"
class="pf-c-form-control"
required
/>
<p class="pf-c-form__helper-text">
${t`Characters which are considered as symbols.`}
</p>
</ak-form-element-horizontal>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="checkHaveIBeenPwned">
<div class="pf-c-check">
<input
type="checkbox"
class="pf-c-check__input"
?checked=${first(this.instance?.checkHaveIBeenPwned, true)}
@change=${(ev: Event) => {
const el = ev.target as HTMLInputElement;
this.showHIBP = el.checked;
}}
/>
<label class="pf-c-check__label"> ${t`Check haveibeenpwned.com`} </label>
</div>
</ak-form-group>
<p class="pf-c-form__helper-text">
${t`For more info see:`}
<a href="https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange"
>haveibeenpwned.com</a
>
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="checkZxcvbn">
<div class="pf-c-check">
<input
type="checkbox"
class="pf-c-check__input"
?checked=${first(this.instance?.checkZxcvbn, true)}
@change=${(ev: Event) => {
const el = ev.target as HTMLInputElement;
this.showZxcvbn = el.checked;
}}
/>
<label class="pf-c-check__label"> ${t`Check zxcvbn`} </label>
</div>
<p class="pf-c-form__helper-text">
${t`Password strength estimator created by Dropbox, see:`}
<a href="https://github.com/dropbox/zxcvbn#readme">dropbox/zxcvbn</a>
</p>
</ak-form-element-horizontal>
${this.showStatic ? this.renderStaticRules() : html``}
${this.showHIBP ? this.renderHIBP() : html``}
${this.showZxcvbn ? this.renderZxcvbn() : html``}
</form>`;
}
}

View File

@ -9,7 +9,7 @@ import { t } from "@lingui/macro";
import { CSSResult, css } from "lit";
import { TemplateResult, html } from "lit";
import { customElement, property } from "lit/decorators.js";
import { customElement, state } from "lit/decorators.js";
import { ifDefined } from "lit/directives/if-defined.js";
import { until } from "lit/directives/until.js";
@ -56,10 +56,10 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
});
}
@property({ type: Boolean })
@state()
showHttpBasic = true;
@property({ attribute: false })
@state()
mode: ProxyMode = ProxyMode.Proxy;
getSuccessMessage(): string {
@ -85,9 +85,6 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
};
renderHttpBasic(): TemplateResult {
if (!this.showHttpBasic) {
return html``;
}
return html`<ak-form-element-horizontal
label=${t`HTTP-Basic Username Key`}
name="basicAuthUserAttribute"
@ -442,7 +439,7 @@ ${this.instance?.skipPathRegex}</textarea
${t`Set a custom HTTP-Basic Authentication header based on values from authentik.`}
</p>
</ak-form-element-horizontal>
${this.renderHttpBasic()}
${this.showHttpBasic ? this.renderHttpBasic() : html``}
</div>
</ak-form-group>
</form>`;