Mercurial > prosody-modules

annotate mod_password_policy/mod_password_policy.lua @ 4829:caf7e88dc9e5

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_password_policy: Add check that password doesn't contain username
author Matthew Wild <mwild1@gmail.com>
date Wed, 22 Dec 2021 14:03:25 +0000
parents 56eba4bca28f
children af6143cf7d22
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
1 -- Password policy enforcement for Prosody
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
2 --
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
3 -- Copyright (C) 2012 Waqas Hussain
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
4 --
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
5 --
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
6 -- Configuration:
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
7 -- password_policy = {
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
8 -- length = 8;
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
9 -- }
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
10
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
11
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
12 local options = module:get_option("password_policy");
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
13
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
14 options = options or {};
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
15 options.length = options.length or 8;
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
16 if options.exclude_username == nil then
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
17 options.exclude_username = true;
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
18 end
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
19
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
20 local st = require "util.stanza";
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
21
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
22 function check_password(password, additional_info)
3350
cb26d04b391c mod_password_policy: Return error as second result explaining failure reason
Matthew Wild <mwild1@gmail.com>
parents: 845
diff changeset
23 if #password < options.length then
4828
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
24 return nil, ("Password is too short (minimum %d characters)"):format(options.length), "length";
3350
cb26d04b391c mod_password_policy: Return error as second result explaining failure reason
Matthew Wild <mwild1@gmail.com>
parents: 845
diff changeset
25 end
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
26
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
27 if additional_info then
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
28 local username = additional_info.username;
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
29 if username and password:lower():find(username:lower(), 1, true) then
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
30 return nil, "Password must not include your username", "username";
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
31 end
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
32 end
3350
cb26d04b391c mod_password_policy: Return error as second result explaining failure reason
Matthew Wild <mwild1@gmail.com>
parents: 845
diff changeset
33 return true;
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
34 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
35
3351
662f2722f745 mod_password_policy: Export function to get policy in use by the module
Matthew Wild <mwild1@gmail.com>
parents: 3350
diff changeset
36 function get_policy()
662f2722f745 mod_password_policy: Export function to get policy in use by the module
Matthew Wild <mwild1@gmail.com>
parents: 3350
diff changeset
37 return options;
662f2722f745 mod_password_policy: Export function to get policy in use by the module
Matthew Wild <mwild1@gmail.com>
parents: 3350
diff changeset
38 end
662f2722f745 mod_password_policy: Export function to get policy in use by the module
Matthew Wild <mwild1@gmail.com>
parents: 3350
diff changeset
39
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
40 function handler(event)
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
41 local origin, stanza = event.origin, event.stanza;
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
42
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
43 if stanza.attr.type == "set" then
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
44 local query = stanza.tags[1];
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
45
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
46 local passwords = {};
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
47
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
48 local dataform = query:get_child("x", "jabber:x:data");
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
49 if dataform then
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
50 for _,tag in ipairs(dataform.tags) do
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
51 if tag.attr.var == "password" then
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
52 table.insert(passwords, tag:get_child_text("value"));
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
53 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
54 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
55 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
56
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
57 table.insert(passwords, query:get_child_text("password"));
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
58
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
59 local additional_info = {
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
60 username = origin.username;
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
61 };
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
62
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
63 for _,password in ipairs(passwords) do
4828
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
64 if password then
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
65 local pw_ok, pw_err, pw_failed_policy = check_password(password, additional_info);
4828
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
66 if not pw_ok then
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
67 module:log("debug", "Password failed check against '%s' policy", pw_failed_policy);
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
68 origin.send(st.error_reply(stanza, "cancel", "not-acceptable", pw_err));
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
69 return true;
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
70 end
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
71 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
72 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
73 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
74 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
75
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
76 module:hook("iq/self/jabber:iq:register:query", handler, 10);
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
77 module:hook("iq/host/jabber:iq:register:query", handler, 10);
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
78 module:hook("stanza/iq/jabber:iq:register:query", handler, 10);