mirror of
https://github.com/element-hq/synapse.git
synced 2024-12-15 17:51:10 +00:00
Allow server admins to define and enforce a password policy (MSC2000). (#7118)
This commit is contained in:
parent
1c1242acba
commit
e8e2ddb60a
11 changed files with 437 additions and 0 deletions
1
changelog.d/7118.feature
Normal file
1
changelog.d/7118.feature
Normal file
|
@ -0,0 +1 @@
|
|||
Allow server admins to define and enforce a password policy (MSC2000).
|
|
@ -1482,6 +1482,41 @@ password_config:
|
|||
#
|
||||
#pepper: "EVEN_MORE_SECRET"
|
||||
|
||||
# Define and enforce a password policy. Each parameter is optional.
|
||||
# This is an implementation of MSC2000.
|
||||
#
|
||||
policy:
|
||||
# Whether to enforce the password policy.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#enabled: true
|
||||
|
||||
# Minimum accepted length for a password.
|
||||
# Defaults to 0.
|
||||
#
|
||||
#minimum_length: 15
|
||||
|
||||
# Whether a password must contain at least one digit.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_digit: true
|
||||
|
||||
# Whether a password must contain at least one symbol.
|
||||
# A symbol is any character that's not a number or a letter.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_symbol: true
|
||||
|
||||
# Whether a password must contain at least one lowercase letter.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_lowercase: true
|
||||
|
||||
# Whether a password must contain at least one lowercase letter.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_uppercase: true
|
||||
|
||||
|
||||
# Configuration for sending emails from Synapse.
|
||||
#
|
||||
|
|
|
@ -64,6 +64,13 @@ class Codes(object):
|
|||
INCOMPATIBLE_ROOM_VERSION = "M_INCOMPATIBLE_ROOM_VERSION"
|
||||
WRONG_ROOM_KEYS_VERSION = "M_WRONG_ROOM_KEYS_VERSION"
|
||||
EXPIRED_ACCOUNT = "ORG_MATRIX_EXPIRED_ACCOUNT"
|
||||
PASSWORD_TOO_SHORT = "M_PASSWORD_TOO_SHORT"
|
||||
PASSWORD_NO_DIGIT = "M_PASSWORD_NO_DIGIT"
|
||||
PASSWORD_NO_UPPERCASE = "M_PASSWORD_NO_UPPERCASE"
|
||||
PASSWORD_NO_LOWERCASE = "M_PASSWORD_NO_LOWERCASE"
|
||||
PASSWORD_NO_SYMBOL = "M_PASSWORD_NO_SYMBOL"
|
||||
PASSWORD_IN_DICTIONARY = "M_PASSWORD_IN_DICTIONARY"
|
||||
WEAK_PASSWORD = "M_WEAK_PASSWORD"
|
||||
INVALID_SIGNATURE = "M_INVALID_SIGNATURE"
|
||||
USER_DEACTIVATED = "M_USER_DEACTIVATED"
|
||||
BAD_ALIAS = "M_BAD_ALIAS"
|
||||
|
@ -439,6 +446,20 @@ class IncompatibleRoomVersionError(SynapseError):
|
|||
return cs_error(self.msg, self.errcode, room_version=self._room_version)
|
||||
|
||||
|
||||
class PasswordRefusedError(SynapseError):
|
||||
"""A password has been refused, either during password reset/change or registration.
|
||||
"""
|
||||
|
||||
def __init__(
|
||||
self,
|
||||
msg="This password doesn't comply with the server's policy",
|
||||
errcode=Codes.WEAK_PASSWORD,
|
||||
):
|
||||
super(PasswordRefusedError, self).__init__(
|
||||
code=400, msg=msg, errcode=errcode,
|
||||
)
|
||||
|
||||
|
||||
class RequestSendFailed(RuntimeError):
|
||||
"""Sending a HTTP request over federation failed due to not being able to
|
||||
talk to the remote server for some reason.
|
||||
|
|
|
@ -31,6 +31,10 @@ class PasswordConfig(Config):
|
|||
self.password_localdb_enabled = password_config.get("localdb_enabled", True)
|
||||
self.password_pepper = password_config.get("pepper", "")
|
||||
|
||||
# Password policy
|
||||
self.password_policy = password_config.get("policy") or {}
|
||||
self.password_policy_enabled = self.password_policy.get("enabled", False)
|
||||
|
||||
def generate_config_section(self, config_dir_path, server_name, **kwargs):
|
||||
return """\
|
||||
password_config:
|
||||
|
@ -48,4 +52,39 @@ class PasswordConfig(Config):
|
|||
# DO NOT CHANGE THIS AFTER INITIAL SETUP!
|
||||
#
|
||||
#pepper: "EVEN_MORE_SECRET"
|
||||
|
||||
# Define and enforce a password policy. Each parameter is optional.
|
||||
# This is an implementation of MSC2000.
|
||||
#
|
||||
policy:
|
||||
# Whether to enforce the password policy.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#enabled: true
|
||||
|
||||
# Minimum accepted length for a password.
|
||||
# Defaults to 0.
|
||||
#
|
||||
#minimum_length: 15
|
||||
|
||||
# Whether a password must contain at least one digit.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_digit: true
|
||||
|
||||
# Whether a password must contain at least one symbol.
|
||||
# A symbol is any character that's not a number or a letter.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_symbol: true
|
||||
|
||||
# Whether a password must contain at least one lowercase letter.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_lowercase: true
|
||||
|
||||
# Whether a password must contain at least one lowercase letter.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_uppercase: true
|
||||
"""
|
||||
|
|
93
synapse/handlers/password_policy.py
Normal file
93
synapse/handlers/password_policy.py
Normal file
|
@ -0,0 +1,93 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
# Copyright 2019 New Vector Ltd
|
||||
# Copyright 2019 The Matrix.org Foundation C.I.C.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import logging
|
||||
import re
|
||||
|
||||
from synapse.api.errors import Codes, PasswordRefusedError
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class PasswordPolicyHandler(object):
|
||||
def __init__(self, hs):
|
||||
self.policy = hs.config.password_policy
|
||||
self.enabled = hs.config.password_policy_enabled
|
||||
|
||||
# Regexps for the spec'd policy parameters.
|
||||
self.regexp_digit = re.compile("[0-9]")
|
||||
self.regexp_symbol = re.compile("[^a-zA-Z0-9]")
|
||||
self.regexp_uppercase = re.compile("[A-Z]")
|
||||
self.regexp_lowercase = re.compile("[a-z]")
|
||||
|
||||
def validate_password(self, password):
|
||||
"""Checks whether a given password complies with the server's policy.
|
||||
|
||||
Args:
|
||||
password (str): The password to check against the server's policy.
|
||||
|
||||
Raises:
|
||||
PasswordRefusedError: The password doesn't comply with the server's policy.
|
||||
"""
|
||||
|
||||
if not self.enabled:
|
||||
return
|
||||
|
||||
minimum_accepted_length = self.policy.get("minimum_length", 0)
|
||||
if len(password) < minimum_accepted_length:
|
||||
raise PasswordRefusedError(
|
||||
msg=(
|
||||
"The password must be at least %d characters long"
|
||||
% minimum_accepted_length
|
||||
),
|
||||
errcode=Codes.PASSWORD_TOO_SHORT,
|
||||
)
|
||||
|
||||
if (
|
||||
self.policy.get("require_digit", False)
|
||||
and self.regexp_digit.search(password) is None
|
||||
):
|
||||
raise PasswordRefusedError(
|
||||
msg="The password must include at least one digit",
|
||||
errcode=Codes.PASSWORD_NO_DIGIT,
|
||||
)
|
||||
|
||||
if (
|
||||
self.policy.get("require_symbol", False)
|
||||
and self.regexp_symbol.search(password) is None
|
||||
):
|
||||
raise PasswordRefusedError(
|
||||
msg="The password must include at least one symbol",
|
||||
errcode=Codes.PASSWORD_NO_SYMBOL,
|
||||
)
|
||||
|
||||
if (
|
||||
self.policy.get("require_uppercase", False)
|
||||
and self.regexp_uppercase.search(password) is None
|
||||
):
|
||||
raise PasswordRefusedError(
|
||||
msg="The password must include at least one uppercase letter",
|
||||
errcode=Codes.PASSWORD_NO_UPPERCASE,
|
||||
)
|
||||
|
||||
if (
|
||||
self.policy.get("require_lowercase", False)
|
||||
and self.regexp_lowercase.search(password) is None
|
||||
):
|
||||
raise PasswordRefusedError(
|
||||
msg="The password must include at least one lowercase letter",
|
||||
errcode=Codes.PASSWORD_NO_LOWERCASE,
|
||||
)
|
|
@ -32,6 +32,7 @@ class SetPasswordHandler(BaseHandler):
|
|||
super(SetPasswordHandler, self).__init__(hs)
|
||||
self._auth_handler = hs.get_auth_handler()
|
||||
self._device_handler = hs.get_device_handler()
|
||||
self._password_policy_handler = hs.get_password_policy_handler()
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def set_password(
|
||||
|
@ -44,6 +45,7 @@ class SetPasswordHandler(BaseHandler):
|
|||
if not self.hs.config.password_localdb_enabled:
|
||||
raise SynapseError(403, "Password change disabled", errcode=Codes.FORBIDDEN)
|
||||
|
||||
self._password_policy_handler.validate_password(new_password)
|
||||
password_hash = yield self._auth_handler.hash(new_password)
|
||||
|
||||
try:
|
||||
|
|
|
@ -41,6 +41,7 @@ from synapse.rest.client.v2_alpha import (
|
|||
keys,
|
||||
notifications,
|
||||
openid,
|
||||
password_policy,
|
||||
read_marker,
|
||||
receipts,
|
||||
register,
|
||||
|
@ -118,6 +119,7 @@ class ClientRestResource(JsonResource):
|
|||
capabilities.register_servlets(hs, client_resource)
|
||||
account_validity.register_servlets(hs, client_resource)
|
||||
relations.register_servlets(hs, client_resource)
|
||||
password_policy.register_servlets(hs, client_resource)
|
||||
|
||||
# moving to /_synapse/admin
|
||||
synapse.rest.admin.register_servlets_for_client_rest_resource(
|
||||
|
|
58
synapse/rest/client/v2_alpha/password_policy.py
Normal file
58
synapse/rest/client/v2_alpha/password_policy.py
Normal file
|
@ -0,0 +1,58 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
# Copyright 2019 The Matrix.org Foundation C.I.C.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import logging
|
||||
|
||||
from synapse.http.servlet import RestServlet
|
||||
|
||||
from ._base import client_patterns
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class PasswordPolicyServlet(RestServlet):
|
||||
PATTERNS = client_patterns("/password_policy$")
|
||||
|
||||
def __init__(self, hs):
|
||||
"""
|
||||
Args:
|
||||
hs (synapse.server.HomeServer): server
|
||||
"""
|
||||
super(PasswordPolicyServlet, self).__init__()
|
||||
|
||||
self.policy = hs.config.password_policy
|
||||
self.enabled = hs.config.password_policy_enabled
|
||||
|
||||
def on_GET(self, request):
|
||||
if not self.enabled or not self.policy:
|
||||
return (200, {})
|
||||
|
||||
policy = {}
|
||||
|
||||
for param in [
|
||||
"minimum_length",
|
||||
"require_digit",
|
||||
"require_symbol",
|
||||
"require_lowercase",
|
||||
"require_uppercase",
|
||||
]:
|
||||
if param in self.policy:
|
||||
policy["m.%s" % param] = self.policy[param]
|
||||
|
||||
return (200, policy)
|
||||
|
||||
|
||||
def register_servlets(hs, http_server):
|
||||
PasswordPolicyServlet(hs).register(http_server)
|
|
@ -373,6 +373,7 @@ class RegisterRestServlet(RestServlet):
|
|||
self.room_member_handler = hs.get_room_member_handler()
|
||||
self.macaroon_gen = hs.get_macaroon_generator()
|
||||
self.ratelimiter = hs.get_registration_ratelimiter()
|
||||
self.password_policy_handler = hs.get_password_policy_handler()
|
||||
self.clock = hs.get_clock()
|
||||
|
||||
self._registration_flows = _calculate_registration_flows(
|
||||
|
@ -420,6 +421,7 @@ class RegisterRestServlet(RestServlet):
|
|||
or len(body["password"]) > 512
|
||||
):
|
||||
raise SynapseError(400, "Invalid password")
|
||||
self.password_policy_handler.validate_password(body["password"])
|
||||
|
||||
desired_username = None
|
||||
if "username" in body:
|
||||
|
|
|
@ -66,6 +66,7 @@ from synapse.handlers.groups_local import GroupsLocalHandler, GroupsLocalWorkerH
|
|||
from synapse.handlers.initial_sync import InitialSyncHandler
|
||||
from synapse.handlers.message import EventCreationHandler, MessageHandler
|
||||
from synapse.handlers.pagination import PaginationHandler
|
||||
from synapse.handlers.password_policy import PasswordPolicyHandler
|
||||
from synapse.handlers.presence import PresenceHandler
|
||||
from synapse.handlers.profile import BaseProfileHandler, MasterProfileHandler
|
||||
from synapse.handlers.read_marker import ReadMarkerHandler
|
||||
|
@ -199,6 +200,7 @@ class HomeServer(object):
|
|||
"account_validity_handler",
|
||||
"saml_handler",
|
||||
"event_client_serializer",
|
||||
"password_policy_handler",
|
||||
"storage",
|
||||
"replication_streamer",
|
||||
]
|
||||
|
@ -535,6 +537,9 @@ class HomeServer(object):
|
|||
def build_event_client_serializer(self):
|
||||
return EventClientSerializer(self)
|
||||
|
||||
def build_password_policy_handler(self):
|
||||
return PasswordPolicyHandler(self)
|
||||
|
||||
def build_storage(self) -> Storage:
|
||||
return Storage(self, self.datastores)
|
||||
|
||||
|
|
179
tests/rest/client/v2_alpha/test_password_policy.py
Normal file
179
tests/rest/client/v2_alpha/test_password_policy.py
Normal file
|
@ -0,0 +1,179 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
# Copyright 2019 The Matrix.org Foundation C.I.C.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import json
|
||||
|
||||
from synapse.api.constants import LoginType
|
||||
from synapse.api.errors import Codes
|
||||
from synapse.rest import admin
|
||||
from synapse.rest.client.v1 import login
|
||||
from synapse.rest.client.v2_alpha import account, password_policy, register
|
||||
|
||||
from tests import unittest
|
||||
|
||||
|
||||
class PasswordPolicyTestCase(unittest.HomeserverTestCase):
|
||||
"""Tests the password policy feature and its compliance with MSC2000.
|
||||
|
||||
When validating a password, Synapse does the necessary checks in this order:
|
||||
|
||||
1. Password is long enough
|
||||
2. Password contains digit(s)
|
||||
3. Password contains symbol(s)
|
||||
4. Password contains uppercase letter(s)
|
||||
5. Password contains lowercase letter(s)
|
||||
|
||||
For each test below that checks whether a password triggers the right error code,
|
||||
that test provides a password good enough to pass the previous tests, but not the
|
||||
one it is currently testing (nor any test that comes afterward).
|
||||
"""
|
||||
|
||||
servlets = [
|
||||
admin.register_servlets_for_client_rest_resource,
|
||||
login.register_servlets,
|
||||
register.register_servlets,
|
||||
password_policy.register_servlets,
|
||||
account.register_servlets,
|
||||
]
|
||||
|
||||
def make_homeserver(self, reactor, clock):
|
||||
self.register_url = "/_matrix/client/r0/register"
|
||||
self.policy = {
|
||||
"enabled": True,
|
||||
"minimum_length": 10,
|
||||
"require_digit": True,
|
||||
"require_symbol": True,
|
||||
"require_lowercase": True,
|
||||
"require_uppercase": True,
|
||||
}
|
||||
|
||||
config = self.default_config()
|
||||
config["password_config"] = {
|
||||
"policy": self.policy,
|
||||
}
|
||||
|
||||
hs = self.setup_test_homeserver(config=config)
|
||||
return hs
|
||||
|
||||
def test_get_policy(self):
|
||||
"""Tests if the /password_policy endpoint returns the configured policy."""
|
||||
|
||||
request, channel = self.make_request(
|
||||
"GET", "/_matrix/client/r0/password_policy"
|
||||
)
|
||||
self.render(request)
|
||||
|
||||
self.assertEqual(channel.code, 200, channel.result)
|
||||
self.assertEqual(
|
||||
channel.json_body,
|
||||
{
|
||||
"m.minimum_length": 10,
|
||||
"m.require_digit": True,
|
||||
"m.require_symbol": True,
|
||||
"m.require_lowercase": True,
|
||||
"m.require_uppercase": True,
|
||||
},
|
||||
channel.result,
|
||||
)
|
||||
|
||||
def test_password_too_short(self):
|
||||
request_data = json.dumps({"username": "kermit", "password": "shorty"})
|
||||
request, channel = self.make_request("POST", self.register_url, request_data)
|
||||
self.render(request)
|
||||
|
||||
self.assertEqual(channel.code, 400, channel.result)
|
||||
self.assertEqual(
|
||||
channel.json_body["errcode"], Codes.PASSWORD_TOO_SHORT, channel.result,
|
||||
)
|
||||
|
||||
def test_password_no_digit(self):
|
||||
request_data = json.dumps({"username": "kermit", "password": "longerpassword"})
|
||||
request, channel = self.make_request("POST", self.register_url, request_data)
|
||||
self.render(request)
|
||||
|
||||
self.assertEqual(channel.code, 400, channel.result)
|
||||
self.assertEqual(
|
||||
channel.json_body["errcode"], Codes.PASSWORD_NO_DIGIT, channel.result,
|
||||
)
|
||||
|
||||
def test_password_no_symbol(self):
|
||||
request_data = json.dumps({"username": "kermit", "password": "l0ngerpassword"})
|
||||
request, channel = self.make_request("POST", self.register_url, request_data)
|
||||
self.render(request)
|
||||
|
||||
self.assertEqual(channel.code, 400, channel.result)
|
||||
self.assertEqual(
|
||||
channel.json_body["errcode"], Codes.PASSWORD_NO_SYMBOL, channel.result,
|
||||
)
|
||||
|
||||
def test_password_no_uppercase(self):
|
||||
request_data = json.dumps({"username": "kermit", "password": "l0ngerpassword!"})
|
||||
request, channel = self.make_request("POST", self.register_url, request_data)
|
||||
self.render(request)
|
||||
|
||||
self.assertEqual(channel.code, 400, channel.result)
|
||||
self.assertEqual(
|
||||
channel.json_body["errcode"], Codes.PASSWORD_NO_UPPERCASE, channel.result,
|
||||
)
|
||||
|
||||
def test_password_no_lowercase(self):
|
||||
request_data = json.dumps({"username": "kermit", "password": "L0NGERPASSWORD!"})
|
||||
request, channel = self.make_request("POST", self.register_url, request_data)
|
||||
self.render(request)
|
||||
|
||||
self.assertEqual(channel.code, 400, channel.result)
|
||||
self.assertEqual(
|
||||
channel.json_body["errcode"], Codes.PASSWORD_NO_LOWERCASE, channel.result,
|
||||
)
|
||||
|
||||
def test_password_compliant(self):
|
||||
request_data = json.dumps({"username": "kermit", "password": "L0ngerpassword!"})
|
||||
request, channel = self.make_request("POST", self.register_url, request_data)
|
||||
self.render(request)
|
||||
|
||||
# Getting a 401 here means the password has passed validation and the server has
|
||||
# responded with a list of registration flows.
|
||||
self.assertEqual(channel.code, 401, channel.result)
|
||||
|
||||
def test_password_change(self):
|
||||
"""This doesn't test every possible use case, only that hitting /account/password
|
||||
triggers the password validation code.
|
||||
"""
|
||||
compliant_password = "C0mpl!antpassword"
|
||||
not_compliant_password = "notcompliantpassword"
|
||||
|
||||
user_id = self.register_user("kermit", compliant_password)
|
||||
tok = self.login("kermit", compliant_password)
|
||||
|
||||
request_data = json.dumps(
|
||||
{
|
||||
"new_password": not_compliant_password,
|
||||
"auth": {
|
||||
"password": compliant_password,
|
||||
"type": LoginType.PASSWORD,
|
||||
"user": user_id,
|
||||
},
|
||||
}
|
||||
)
|
||||
request, channel = self.make_request(
|
||||
"POST",
|
||||
"/_matrix/client/r0/account/password",
|
||||
request_data,
|
||||
access_token=tok,
|
||||
)
|
||||
self.render(request)
|
||||
|
||||
self.assertEqual(channel.code, 400, channel.result)
|
||||
self.assertEqual(channel.json_body["errcode"], Codes.PASSWORD_NO_DIGIT)
|
Loading…
Reference in a new issue