policies/password: merge hibp add zxcvbn (#4001)

* initial zxcvbn Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add api and port tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * more tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add ui Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add api diff Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-11-14 14:42:43 +01:00
parent 40844c975f
commit 88594075b2
14 changed files with 1310 additions and 150 deletions
--- a/website/docs/policies/index.md
+++ b/website/docs/policies/index.md
@ -12,6 +12,9 @@ See [Expression Policy](expression.mdx).

 ## Have I Been Pwned Policy

+:::info
+This policy is deprecated since authentik 2022.11.0, as this can be done with the password policy now.
+:::
 This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within authentik.

 ## Password-Expiry Policy
@ -29,6 +32,11 @@ The following rules can be set:
 -   Minimum length.
 -   Symbol charset (define which characters are counted as symbols).

+Starting with authentik 2022.11.0, the following checks can also be done with this policy:
+
+-   Check the password hash against the database of [Have I Been Pwned](https://haveibeenpwned.com/). Only the first 5 characters of the hashed password are transmitted, the rest is compared in authentik
+-   Check the password against the password complexity checker [zxcvbn](https://github.com/dropbox/zxcvbn), which detects weak password on various metrics.
+
 ## Reputation Policy

 authentik keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one).
--- a/website/docs/releases/v2022.11.md
+++ b/website/docs/releases/v2022.11.md
@ -5,13 +5,702 @@ slug: "2022.11"

 ## Breaking changes

-   authentik now runs on Python 3.11
+-   Have I Been Pwned policy is deprecated
+
+    The policy has been merged with the password policy which provides the same functionality. Existing Have I Been Pwned policies will automatically be migrated.

 ## New features

+-   authentik now runs on Python 3.11
+-   Expanded password policy
+
+    The "Have I been Pwned" policy has been merged into the password policy, and additionally passwords can be checked using [zxcvbn](https://github.com/dropbox/zxcvbn) to provider concise feedback.
+
 ## API Changes

-_Insert output of `make gen-diff` here_
+#### What's Changed
+
+---
+
+##### `GET` /policies/password/{policy_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Added property `check_static_rules` (boolean)
+
+    -   Added property `check_have_i_been_pwned` (boolean)
+
+    -   Added property `check_zxcvbn` (boolean)
+
+    -   Added property `hibp_allowed_count` (integer)
+
+        > How many times the password hash is allowed to be on haveibeenpwned
+
+    -   Added property `zxcvbn_score_threshold` (integer)
+        > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+##### `PUT` /policies/password/{policy_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+-   Added property `check_static_rules` (boolean)
+
+-   Added property `check_have_i_been_pwned` (boolean)
+
+-   Added property `check_zxcvbn` (boolean)
+
+-   Added property `hibp_allowed_count` (integer)
+
+    > How many times the password hash is allowed to be on haveibeenpwned
+
+-   Added property `zxcvbn_score_threshold` (integer)
+    > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Added property `check_static_rules` (boolean)
+
+    -   Added property `check_have_i_been_pwned` (boolean)
+
+    -   Added property `check_zxcvbn` (boolean)
+
+    -   Added property `hibp_allowed_count` (integer)
+
+        > How many times the password hash is allowed to be on haveibeenpwned
+
+    -   Added property `zxcvbn_score_threshold` (integer)
+        > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+##### `PATCH` /policies/password/{policy_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+-   Added property `check_static_rules` (boolean)
+
+-   Added property `check_have_i_been_pwned` (boolean)
+
+-   Added property `check_zxcvbn` (boolean)
+
+-   Added property `hibp_allowed_count` (integer)
+
+    > How many times the password hash is allowed to be on haveibeenpwned
+
+-   Added property `zxcvbn_score_threshold` (integer)
+    > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Added property `check_static_rules` (boolean)
+
+    -   Added property `check_have_i_been_pwned` (boolean)
+
+    -   Added property `check_zxcvbn` (boolean)
+
+    -   Added property `hibp_allowed_count` (integer)
+
+        > How many times the password hash is allowed to be on haveibeenpwned
+
+    -   Added property `zxcvbn_score_threshold` (integer)
+        > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+##### `GET` /core/tokens/{identifier}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `PUT` /core/tokens/{identifier}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `PATCH` /core/tokens/{identifier}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `GET` /core/users/{id}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `groups_obj` (array)
+
+        Changed items (object): > Simplified Group Serializer for user's groups
+
+        New optional properties:
+
+        -   `users_obj`
+
+        *   Deleted property `users` (array)
+
+        *   Deleted property `users_obj` (array)
+
+##### `PUT` /core/users/{id}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `groups_obj` (array)
+
+        Changed items (object): > Simplified Group Serializer for user's groups
+
+        New optional properties:
+
+        -   `users_obj`
+
+        *   Deleted property `users` (array)
+
+        *   Deleted property `users_obj` (array)
+
+##### `PATCH` /core/users/{id}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `groups_obj` (array)
+
+        Changed items (object): > Simplified Group Serializer for user's groups
+
+        New optional properties:
+
+        -   `users_obj`
+
+        *   Deleted property `users` (array)
+
+        *   Deleted property `users_obj` (array)
+
+##### `GET` /policies/bindings/{policy_binding_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `PUT` /policies/bindings/{policy_binding_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `PATCH` /policies/bindings/{policy_binding_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `POST` /policies/password/
+
+###### Request:
+
+Changed content type : `application/json`
+
+-   Added property `check_static_rules` (boolean)
+
+-   Added property `check_have_i_been_pwned` (boolean)
+
+-   Added property `check_zxcvbn` (boolean)
+
+-   Added property `hibp_allowed_count` (integer)
+
+    > How many times the password hash is allowed to be on haveibeenpwned
+
+-   Added property `zxcvbn_score_threshold` (integer)
+    > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+-   Changed content type : `application/json`
+
+    -   Added property `check_static_rules` (boolean)
+
+    -   Added property `check_have_i_been_pwned` (boolean)
+
+    -   Added property `check_zxcvbn` (boolean)
+
+    -   Added property `hibp_allowed_count` (integer)
+
+        > How many times the password hash is allowed to be on haveibeenpwned
+
+    -   Added property `zxcvbn_score_threshold` (integer)
+        > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+##### `GET` /policies/password/
+
+###### Parameters:
+
+Added: `check_have_i_been_pwned` in `query`
+
+Added: `check_static_rules` in `query`
+
+Added: `check_zxcvbn` in `query`
+
+Added: `hibp_allowed_count` in `query`
+
+Added: `zxcvbn_score_threshold` in `query`
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > Password Policy Serializer
+
+        -   Added property `check_static_rules` (boolean)
+
+        -   Added property `check_have_i_been_pwned` (boolean)
+
+        -   Added property `check_zxcvbn` (boolean)
+
+        -   Added property `hibp_allowed_count` (integer)
+
+            > How many times the password hash is allowed to be on haveibeenpwned
+
+        -   Added property `zxcvbn_score_threshold` (integer)
+            > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+##### `POST` /core/tokens/
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `GET` /core/tokens/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > Token Serializer
+
+        -   Changed property `user_obj` (object)
+
+            > User Serializer
+
+            -   Changed property `groups_obj` (array)
+
+                Changed items (object): > Simplified Group Serializer for user's groups
+
+                New optional properties:
+
+                -   `users_obj`
+
+                *   Deleted property `users` (array)
+
+                *   Deleted property `users_obj` (array)
+
+##### `GET` /core/user_consent/{id}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `POST` /core/users/
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `groups_obj` (array)
+
+        Changed items (object): > Simplified Group Serializer for user's groups
+
+        New optional properties:
+
+        -   `users_obj`
+
+        *   Deleted property `users` (array)
+
+        *   Deleted property `users_obj` (array)
+
+##### `GET` /core/users/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `GET` /oauth2/authorization_codes/{id}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `GET` /oauth2/refresh_tokens/{id}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `POST` /policies/bindings/
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `GET` /policies/bindings/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > PolicyBinding Serializer
+
+        -   Changed property `user_obj` (object)
+
+            > User Serializer
+
+            -   Changed property `groups_obj` (array)
+
+                Changed items (object): > Simplified Group Serializer for user's groups
+
+                New optional properties:
+
+                -   `users_obj`
+
+                *   Deleted property `users` (array)
+
+                *   Deleted property `users_obj` (array)
+
+##### `GET` /core/user_consent/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > UserConsent Serializer
+
+        -   Changed property `user` (object)
+
+            > User Serializer
+
+            -   Changed property `groups_obj` (array)
+
+                Changed items (object): > Simplified Group Serializer for user's groups
+
+                New optional properties:
+
+                -   `users_obj`
+
+                *   Deleted property `users` (array)
+
+                *   Deleted property `users_obj` (array)
+
+##### `GET` /oauth2/authorization_codes/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant
+
+        -   Changed property `user` (object)
+
+            > User Serializer
+
+            -   Changed property `groups_obj` (array)
+
+                Changed items (object): > Simplified Group Serializer for user's groups
+
+                New optional properties:
+
+                -   `users_obj`
+
+                *   Deleted property `users` (array)
+
+                *   Deleted property `users_obj` (array)
+
+##### `GET` /oauth2/refresh_tokens/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > Serializer for BaseGrantModel and RefreshToken
+
+        -   Changed property `user` (object)
+
+            > User Serializer
+
+            -   Changed property `groups_obj` (array)
+
+                Changed items (object): > Simplified Group Serializer for user's groups
+
+                New optional properties:
+
+                -   `users_obj`
+
+                *   Deleted property `users` (array)
+
+                *   Deleted property `users_obj` (array)

 ## Minor changes/fixes