annotate mod_password_policy/mod_password_policy.lua @ 5424:b45d9a81b3da

mod_http_oauth2: Revert role selector, going to try something else Back out f2c7bb3af600 Allowing only a single role to be encoded into the grant takes away the possibility of having multiple roles in the grant, one of which is selected when issuing an access token. It also takes away the ability to have zero roles granted, which could be useful e.g. when you only need OIDC scopes.
author Kim Alvefur <zash@zash.se>
date Sun, 07 May 2023 19:40:57 +0200
parents bfd4af4caddc
children d3b69859553a
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
1 -- Password policy enforcement for Prosody
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
2 --
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
3 -- Copyright (C) 2012 Waqas Hussain
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
4 --
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
5 --
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
6 -- Configuration:
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
7 -- password_policy = {
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
8 -- length = 8;
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
9 -- }
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
10
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
11
4832
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
12 local it = require "util.iterators";
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
13 local set = require "util.set";
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
14 local st = require "util.stanza";
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
15
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
16 local options = module:get_option("password_policy");
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
17
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
18 options = options or {};
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
19 options.length = options.length or 8;
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
20 if options.exclude_username == nil then
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
21 options.exclude_username = true;
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
22 end
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
23
4832
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
24 local builtin_policies = set.new({ "length", "exclude_username" });
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
25 local extra_policies = set.new(it.to_array(it.keys(options))) - builtin_policies;
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
26
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
27 local extra_policy_handlers = {};
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
28
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
29 module:handle_items("password-policy-provider", function (event)
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
30 -- Password policy handler added
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
31 local item = event.item;
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
32 module:log("error", "Adding password policy handler '%s'", item.name);
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
33 extra_policy_handlers[item.name] = item.check_password;
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
34 end, function (event)
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
35 -- Password policy handler removed
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
36 local item = event.item;
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
37 extra_policy_handlers[item.name] = nil;
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
38 end);
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
39
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
40 function check_password(password, additional_info)
4830
af6143cf7d22 mod_password_policy: Hard failure on missing/empty passwords
Matthew Wild <mwild1@gmail.com>
parents: 4829
diff changeset
41 if not password or password == "" then
af6143cf7d22 mod_password_policy: Hard failure on missing/empty passwords
Matthew Wild <mwild1@gmail.com>
parents: 4829
diff changeset
42 return nil, "No password provided", "no-password";
af6143cf7d22 mod_password_policy: Hard failure on missing/empty passwords
Matthew Wild <mwild1@gmail.com>
parents: 4829
diff changeset
43 end
af6143cf7d22 mod_password_policy: Hard failure on missing/empty passwords
Matthew Wild <mwild1@gmail.com>
parents: 4829
diff changeset
44
3350
cb26d04b391c mod_password_policy: Return error as second result explaining failure reason
Matthew Wild <mwild1@gmail.com>
parents: 845
diff changeset
45 if #password < options.length then
4828
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
46 return nil, ("Password is too short (minimum %d characters)"):format(options.length), "length";
3350
cb26d04b391c mod_password_policy: Return error as second result explaining failure reason
Matthew Wild <mwild1@gmail.com>
parents: 845
diff changeset
47 end
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
48
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
49 if additional_info then
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
50 local username = additional_info.username;
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
51 if username and password:lower():find(username:lower(), 1, true) then
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
52 return nil, "Password must not include your username", "username";
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
53 end
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
54 end
4832
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
55
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
56 for policy in extra_policies do
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
57 local handler = extra_policy_handlers[policy];
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
58 if not handler then
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
59 module:log("error", "No policy handler found for '%s' (typo, or module not loaded?)", policy);
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
60 return nil, "Internal error while verifying password", "internal";
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
61 end
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
62 local ok, reason_text, reason_name = handler(password, options[policy], additional_info);
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
63 if ok ~= true then
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
64 return nil, reason_text or ("Password failed %s check"):format(policy), reason_name or policy;
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
65 end
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
66 end
bfd4af4caddc mod_password_policy: Support for additional policies provided by other modules
Matthew Wild <mwild1@gmail.com>
parents: 4831
diff changeset
67
3350
cb26d04b391c mod_password_policy: Return error as second result explaining failure reason
Matthew Wild <mwild1@gmail.com>
parents: 845
diff changeset
68 return true;
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
69 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
70
4831
5a42cb84c8ee mod_password_policy: Silence luacheck warning for intentional global
Matthew Wild <mwild1@gmail.com>
parents: 4830
diff changeset
71 function get_policy() --luacheck: ignore 131/get_policy
3351
662f2722f745 mod_password_policy: Export function to get policy in use by the module
Matthew Wild <mwild1@gmail.com>
parents: 3350
diff changeset
72 return options;
662f2722f745 mod_password_policy: Export function to get policy in use by the module
Matthew Wild <mwild1@gmail.com>
parents: 3350
diff changeset
73 end
662f2722f745 mod_password_policy: Export function to get policy in use by the module
Matthew Wild <mwild1@gmail.com>
parents: 3350
diff changeset
74
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
75 function handler(event)
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
76 local origin, stanza = event.origin, event.stanza;
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
77
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
78 if stanza.attr.type == "set" then
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
79 local query = stanza.tags[1];
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
80
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
81 local passwords = {};
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
82
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
83 local dataform = query:get_child("x", "jabber:x:data");
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
84 if dataform then
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
85 for _,tag in ipairs(dataform.tags) do
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
86 if tag.attr.var == "password" then
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
87 table.insert(passwords, tag:get_child_text("value"));
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
88 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
89 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
90 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
91
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
92 table.insert(passwords, query:get_child_text("password"));
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
93
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
94 local additional_info = {
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
95 username = origin.username;
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
96 };
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
97
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
98 for _,password in ipairs(passwords) do
4828
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
99 if password then
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
100 local pw_ok, pw_err, pw_failed_policy = check_password(password, additional_info);
4828
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
101 if not pw_ok then
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
102 module:log("debug", "Password failed check against '%s' policy", pw_failed_policy);
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
103 origin.send(st.error_reply(stanza, "cancel", "not-acceptable", pw_err));
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
104 return true;
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
105 end
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
106 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
107 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
108 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
109 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
110
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
111 module:hook("iq/self/jabber:iq:register:query", handler, 10);
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
112 module:hook("iq/host/jabber:iq:register:query", handler, 10);
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
113 module:hook("stanza/iq/jabber:iq:register:query", handler, 10);