Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wiki.techinc.nl/includes/password/PasswordPolicyChecks.php

164 lines
5.3 KiB
PHP
Raw Normal View History

Password validity by policy per group Make password policies defined in a configurable policy, which is defined by group. A user's password policy will be the maximum of each group policy that the user belongs to. Bug: T94774 Change-Id: Iad8e49ffcffed38df6293db0ef31a227d3962003
2015-04-23 01:48:48 +00:00
<?php
/**
* Password policy checks
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*
* @file
*/
Add support for blacklisting common passwords This changes the default config to not allow the top 25 passwords to be used by Sysop/Crats. This should almost certainly be set to a higher number, but I think its best to wait until after this is comitted to argue over what the best value is. I would expect that once this is comitted, there would be a config change for wmf wikis, so that there is no change until this has been discussed with the community. The included common password file was generated from the first 10000 entries of https://github.com/danielmiessler/SecLists/blob/master/Passwords/rockyou.txt?raw=true 10,000 was chosen based on csteipp's suggestion. Change-Id: I26a9e8f2318a1eed33d7638b125695e8de3a9796
2015-11-22 07:45:02 +00:00
use \Cdb\Reader as CdbReader;
Password validity by policy per group Make password policies defined in a configurable policy, which is defined by group. A user's password policy will be the maximum of each group policy that the user belongs to. Bug: T94774 Change-Id: Iad8e49ffcffed38df6293db0ef31a227d3962003
2015-04-23 01:48:48 +00:00
/**
* Functions to check passwords against a policy requirement
* @since 1.26
*/
class PasswordPolicyChecks {
/**
* Check password is longer than minimum, not fatal
* @param int $policyVal minimal length
* @param User $user
* @param string $password
* @return Status error if $password is shorter than $policyVal
*/
public static function checkMinimalPasswordLength( $policyVal, User $user, $password ) {
$status = Status::newGood();
if ( $policyVal > strlen( $password ) ) {
$status->error( 'passwordtooshort', $policyVal );
}
return $status;
}
/**
* Check password is longer than minimum, fatal
* @param int $policyVal minimal length
* @param User $user
* @param string $password
* @return Status fatal if $password is shorter than $policyVal
*/
public static function checkMinimumPasswordLengthToLogin( $policyVal, User $user, $password ) {
$status = Status::newGood();
if ( $policyVal > strlen( $password ) ) {
$status->fatal( 'passwordtooshort', $policyVal );
}
return $status;
}
/**
* Check password is shorter than maximum, fatal
* @param int $policyVal maximum length
* @param User $user
* @param string $password
* @return Status fatal if $password is shorter than $policyVal
*/
public static function checkMaximalPasswordLength( $policyVal, User $user, $password ) {
$status = Status::newGood();
if ( $policyVal < strlen( $password ) ) {
$status->fatal( 'passwordtoolong', $policyVal );
}
return $status;
}
/**
* Check if username and password match
* @param bool $policyVal true to force compliance.
* @param User $user
* @param string $password
* @return Status error if username and password match, and policy is true
*/
public static function checkPasswordCannotMatchUsername( $policyVal, User $user, $password ) {
global $wgContLang;
$status = Status::newGood();
$username = $user->getName();
if ( $policyVal && $wgContLang->lc( $password ) === $wgContLang->lc( $username ) ) {
$status->error( 'password-name-match' );
}
return $status;
}
/**
* Check if username and password are on a blacklist
* @param bool $policyVal true to force compliance.
* @param User $user
* @param string $password
* @return Status error if username and password match, and policy is true
*/
public static function checkPasswordCannotMatchBlacklist( $policyVal, User $user, $password ) {
static $blockedLogins = array(
'Useruser' => 'Passpass', 'Useruser1' => 'Passpass1', # r75589
'Apitestsysop' => 'testpass', 'Apitestuser' => 'testpass' # r75605
);
$status = Status::newGood();
$username = $user->getName();
if ( $policyVal
&& isset( $blockedLogins[$username] )
&& $password == $blockedLogins[$username]
) {
$status->error( 'password-login-forbidden' );
}
return $status;
}
Add support for blacklisting common passwords This changes the default config to not allow the top 25 passwords to be used by Sysop/Crats. This should almost certainly be set to a higher number, but I think its best to wait until after this is comitted to argue over what the best value is. I would expect that once this is comitted, there would be a config change for wmf wikis, so that there is no change until this has been discussed with the community. The included common password file was generated from the first 10000 entries of https://github.com/danielmiessler/SecLists/blob/master/Passwords/rockyou.txt?raw=true 10,000 was chosen based on csteipp's suggestion. Change-Id: I26a9e8f2318a1eed33d7638b125695e8de3a9796
2015-11-22 07:45:02 +00:00
/**
* Ensure that password isn't in top X most popular passwords
*
* @param $policyVal int Cut off to use. Will automatically shrink to the max
* supported for error messages if set to more than max number of passwords on file,
* so you can use the PHP_INT_MAX constant here safely.
* @param $user User
* @param $password String
* @since 1.27
* @return Status
*/
public static function checkPopularPasswordBlacklist( $policyVal, User $user, $password ) {
global $wgPopularPasswordFile, $wgSitename;
$status = Status::newGood();
if ( $policyVal > 0 ) {
$langEn = Language::factory( 'en' );
$passwordKey = $langEn->lc( trim( $password ) );
// People often use the name of the current site, which won't be
// in the common password file. Also check '' for people who use
// just whitespace.
$sitename = $langEn->lc( trim( $wgSitename ) );
$hardcodedCommonPasswords = array( '', 'wiki', 'mediawiki', $sitename );
if ( in_array( $passwordKey, $hardcodedCommonPasswords ) ) {
$status->error( 'passwordtoopopular' );
return $status;
}
// This could throw an exception, but there's not a good way
// of failing gracefully, if say the file is missing, so just
// let the exception fall through.
// Format of cdb file is mapping password => popularity rank.
// See maintenance/createCommonPasswordCdb.php
$db = CdbReader::open( $wgPopularPasswordFile );
$res = $db->get( $passwordKey );
if ( $res && (int)$res <= $policyVal ) {
// Note: If you want to find the true number of common
// passwords stored (for reporting the error), you have to take
// the max of the policyVal and $db->get( '_TOTALENTRIES' ).
$status->error( 'passwordtoopopular' );
}
}
return $status;
}
Password validity by policy per group Make password policies defined in a configurable policy, which is defined by group. A user's password policy will be the maximum of each group policy that the user belongs to. Bug: T94774 Change-Id: Iad8e49ffcffed38df6293db0ef31a227d3962003
2015-04-23 01:48:48 +00:00
}
Reference in a new issue Copy permalink