policies/password: merge hibp add zxcvbn (#4001)

* initial zxcvbn Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add api and port tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * more tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add ui Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add api diff Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-11-14 14:42:43 +01:00
parent 40844c975f
commit 88594075b2
14 changed files with 1310 additions and 150 deletions
--- a/website/docs/releases/v2022.11.md
+++ b/website/docs/releases/v2022.11.md
@ -5,13 +5,702 @@ slug: "2022.11"

 ## Breaking changes

-   authentik now runs on Python 3.11
+-   Have I Been Pwned policy is deprecated
+
+    The policy has been merged with the password policy which provides the same functionality. Existing Have I Been Pwned policies will automatically be migrated.

 ## New features

+-   authentik now runs on Python 3.11
+-   Expanded password policy
+
+    The "Have I been Pwned" policy has been merged into the password policy, and additionally passwords can be checked using [zxcvbn](https://github.com/dropbox/zxcvbn) to provider concise feedback.
+
 ## API Changes

-_Insert output of `make gen-diff` here_
+#### What's Changed
+
+---
+
+##### `GET` /policies/password/{policy_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Added property `check_static_rules` (boolean)
+
+    -   Added property `check_have_i_been_pwned` (boolean)
+
+    -   Added property `check_zxcvbn` (boolean)
+
+    -   Added property `hibp_allowed_count` (integer)
+
+        > How many times the password hash is allowed to be on haveibeenpwned
+
+    -   Added property `zxcvbn_score_threshold` (integer)
+        > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+##### `PUT` /policies/password/{policy_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+-   Added property `check_static_rules` (boolean)
+
+-   Added property `check_have_i_been_pwned` (boolean)
+
+-   Added property `check_zxcvbn` (boolean)
+
+-   Added property `hibp_allowed_count` (integer)
+
+    > How many times the password hash is allowed to be on haveibeenpwned
+
+-   Added property `zxcvbn_score_threshold` (integer)
+    > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Added property `check_static_rules` (boolean)
+
+    -   Added property `check_have_i_been_pwned` (boolean)
+
+    -   Added property `check_zxcvbn` (boolean)
+
+    -   Added property `hibp_allowed_count` (integer)
+
+        > How many times the password hash is allowed to be on haveibeenpwned
+
+    -   Added property `zxcvbn_score_threshold` (integer)
+        > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+##### `PATCH` /policies/password/{policy_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+-   Added property `check_static_rules` (boolean)
+
+-   Added property `check_have_i_been_pwned` (boolean)
+
+-   Added property `check_zxcvbn` (boolean)
+
+-   Added property `hibp_allowed_count` (integer)
+
+    > How many times the password hash is allowed to be on haveibeenpwned
+
+-   Added property `zxcvbn_score_threshold` (integer)
+    > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Added property `check_static_rules` (boolean)
+
+    -   Added property `check_have_i_been_pwned` (boolean)
+
+    -   Added property `check_zxcvbn` (boolean)
+
+    -   Added property `hibp_allowed_count` (integer)
+
+        > How many times the password hash is allowed to be on haveibeenpwned
+
+    -   Added property `zxcvbn_score_threshold` (integer)
+        > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+##### `GET` /core/tokens/{identifier}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `PUT` /core/tokens/{identifier}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `PATCH` /core/tokens/{identifier}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `GET` /core/users/{id}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `groups_obj` (array)
+
+        Changed items (object): > Simplified Group Serializer for user's groups
+
+        New optional properties:
+
+        -   `users_obj`
+
+        *   Deleted property `users` (array)
+
+        *   Deleted property `users_obj` (array)
+
+##### `PUT` /core/users/{id}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `groups_obj` (array)
+
+        Changed items (object): > Simplified Group Serializer for user's groups
+
+        New optional properties:
+
+        -   `users_obj`
+
+        *   Deleted property `users` (array)
+
+        *   Deleted property `users_obj` (array)
+
+##### `PATCH` /core/users/{id}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `groups_obj` (array)
+
+        Changed items (object): > Simplified Group Serializer for user's groups
+
+        New optional properties:
+
+        -   `users_obj`
+
+        *   Deleted property `users` (array)
+
+        *   Deleted property `users_obj` (array)
+
+##### `GET` /policies/bindings/{policy_binding_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `PUT` /policies/bindings/{policy_binding_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `PATCH` /policies/bindings/{policy_binding_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `POST` /policies/password/
+
+###### Request:
+
+Changed content type : `application/json`
+
+-   Added property `check_static_rules` (boolean)
+
+-   Added property `check_have_i_been_pwned` (boolean)
+
+-   Added property `check_zxcvbn` (boolean)
+
+-   Added property `hibp_allowed_count` (integer)
+
+    > How many times the password hash is allowed to be on haveibeenpwned
+
+-   Added property `zxcvbn_score_threshold` (integer)
+    > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+-   Changed content type : `application/json`
+
+    -   Added property `check_static_rules` (boolean)
+
+    -   Added property `check_have_i_been_pwned` (boolean)
+
+    -   Added property `check_zxcvbn` (boolean)
+
+    -   Added property `hibp_allowed_count` (integer)
+
+        > How many times the password hash is allowed to be on haveibeenpwned
+
+    -   Added property `zxcvbn_score_threshold` (integer)
+        > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+##### `GET` /policies/password/
+
+###### Parameters:
+
+Added: `check_have_i_been_pwned` in `query`
+
+Added: `check_static_rules` in `query`
+
+Added: `check_zxcvbn` in `query`
+
+Added: `hibp_allowed_count` in `query`
+
+Added: `zxcvbn_score_threshold` in `query`
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > Password Policy Serializer
+
+        -   Added property `check_static_rules` (boolean)
+
+        -   Added property `check_have_i_been_pwned` (boolean)
+
+        -   Added property `check_zxcvbn` (boolean)
+
+        -   Added property `hibp_allowed_count` (integer)
+
+            > How many times the password hash is allowed to be on haveibeenpwned
+
+        -   Added property `zxcvbn_score_threshold` (integer)
+            > If the zxcvbn score is equal or less than this value, the policy will fail.
+
+##### `POST` /core/tokens/
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `GET` /core/tokens/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > Token Serializer
+
+        -   Changed property `user_obj` (object)
+
+            > User Serializer
+
+            -   Changed property `groups_obj` (array)
+
+                Changed items (object): > Simplified Group Serializer for user's groups
+
+                New optional properties:
+
+                -   `users_obj`
+
+                *   Deleted property `users` (array)
+
+                *   Deleted property `users_obj` (array)
+
+##### `GET` /core/user_consent/{id}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `POST` /core/users/
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `groups_obj` (array)
+
+        Changed items (object): > Simplified Group Serializer for user's groups
+
+        New optional properties:
+
+        -   `users_obj`
+
+        *   Deleted property `users` (array)
+
+        *   Deleted property `users_obj` (array)
+
+##### `GET` /core/users/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `GET` /oauth2/authorization_codes/{id}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `GET` /oauth2/refresh_tokens/{id}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `POST` /policies/bindings/
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `user_obj` (object)
+
+        > User Serializer
+
+        -   Changed property `groups_obj` (array)
+
+            Changed items (object): > Simplified Group Serializer for user's groups
+
+            New optional properties:
+
+            -   `users_obj`
+
+            *   Deleted property `users` (array)
+
+            *   Deleted property `users_obj` (array)
+
+##### `GET` /policies/bindings/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > PolicyBinding Serializer
+
+        -   Changed property `user_obj` (object)
+
+            > User Serializer
+
+            -   Changed property `groups_obj` (array)
+
+                Changed items (object): > Simplified Group Serializer for user's groups
+
+                New optional properties:
+
+                -   `users_obj`
+
+                *   Deleted property `users` (array)
+
+                *   Deleted property `users_obj` (array)
+
+##### `GET` /core/user_consent/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > UserConsent Serializer
+
+        -   Changed property `user` (object)
+
+            > User Serializer
+
+            -   Changed property `groups_obj` (array)
+
+                Changed items (object): > Simplified Group Serializer for user's groups
+
+                New optional properties:
+
+                -   `users_obj`
+
+                *   Deleted property `users` (array)
+
+                *   Deleted property `users_obj` (array)
+
+##### `GET` /oauth2/authorization_codes/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant
+
+        -   Changed property `user` (object)
+
+            > User Serializer
+
+            -   Changed property `groups_obj` (array)
+
+                Changed items (object): > Simplified Group Serializer for user's groups
+
+                New optional properties:
+
+                -   `users_obj`
+
+                *   Deleted property `users` (array)
+
+                *   Deleted property `users_obj` (array)
+
+##### `GET` /oauth2/refresh_tokens/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+-   Changed content type : `application/json`
+
+    -   Changed property `results` (array)
+
+        Changed items (object): > Serializer for BaseGrantModel and RefreshToken
+
+        -   Changed property `user` (object)
+
+            > User Serializer
+
+            -   Changed property `groups_obj` (array)
+
+                Changed items (object): > Simplified Group Serializer for user's groups
+
+                New optional properties:
+
+                -   `users_obj`
+
+                *   Deleted property `users` (array)
+
+                *   Deleted property `users_obj` (array)

 ## Minor changes/fixes