mod_password_policy/mod_password_policy.lua @ 4831:5a42cb84c8ee
mod_password_policy: Silence luacheck warning for intentional global
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Wed, 22 Dec 2021 14:43:53 +0000 |
| parent | 4830:af6143cf7d22 |
| child | 4832:bfd4af4caddc |
1 -- Password policy enforcement for Prosody |
2 -- |
3 -- Copyright (C) 2012 Waqas Hussain |
4 -- |
5 -- |
6 -- Configuration: |
7 -- password_policy = { |
8 -- length = 8; |
9 -- } |
10 |
11 |
-- Policy configuration: the `password_policy` option, with defaults filled in
-- for anything the operator left unset.
local DEFAULT_MIN_LENGTH = 8;

local options = module:get_option("password_policy") or {};
options.length = options.length or DEFAULT_MIN_LENGTH;
-- An explicit `exclude_username = false` must survive, which an `or` default
-- would clobber (false is falsy); only replace nil.
if options.exclude_username == nil then
	options.exclude_username = true;
end

local st = require "util.stanza";

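--- Check a candidate password against the configured policy.
-- Defined as a global (exported from the module environment) rather than a
-- local.
-- @tparam string|nil password the candidate password, as supplied by the client
-- @tparam table|nil additional_info optional context; `.username` is the
--   account name the password belongs to
-- @treturn boolean|nil true when the password is acceptable, nil on failure
-- @treturn string|nil human-readable reason, on failure only
-- @treturn string|nil identifier of the policy that failed, on failure only:
--   "no-password", "length" or "username"
function check_password(password, additional_info)
	if not password or password == "" then
		return nil, "No password provided", "no-password";
	end

	-- `#password` is a byte count; a multi-byte UTF-8 password would look
	-- longer than it is and slip past the minimum. Count code points when the
	-- utf8 library (Lua 5.3+) is available and the input is valid UTF-8,
	-- otherwise fall back to bytes.
	local length = #password;
	if utf8 and utf8.len then
		local char_count = utf8.len(password);
		if char_count then
			length = char_count;
		end
	end
	if length < options.length then
		return nil, ("Password is too short (minimum %d characters)"):format(options.length), "length";
	end

	-- Honour exclude_username (defaults to true) so operators can turn this
	-- check off; without the gate the option had no effect here.
	if options.exclude_username and additional_info then
		local username = additional_info.username;
		-- An empty username would match every password (find("") succeeds),
		-- so it is treated as "no username known".
		if username and username ~= "" and password:lower():find(username:lower(), 1, true) then
			return nil, "Password must not include your username", "username";
		end
	end

	return true;
end
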
--- Return the policy table in effect for this module.
-- Exported as a global so other modules can see the rules in force. This is
-- the live table, not a copy: a caller that mutates it changes what
-- check_password() enforces. Populated at load with at least `length`
-- and `exclude_username`.
-- @treturn table the policy options
function get_policy() --luacheck: ignore 131/get_policy
	local policy = options;
	return policy;
end

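--- Collect the credentials carried by a jabber:iq:register request.
-- Both the legacy <password/> child and any data-form field with
-- var="password" are gathered, since a client may submit either form.
-- @tparam stanza query the <query xmlns="jabber:iq:register"/> element
-- @treturn table sequence of candidate password strings (missing values skipped)
-- @treturn string|nil the username named in the request, if any
local function extract_credentials(query)
	local passwords = {};
	local username = query:get_child_text("username");

	local dataform = query:get_child("x", "jabber:x:data");
	if dataform then
		for _, field in ipairs(dataform.tags) do
			local var = field.attr.var;
			if var == "password" then
				local value = field:get_child_text("value");
				if value then
					passwords[#passwords + 1] = value;
				end
			elseif var == "username" and not username then
				username = field:get_child_text("value");
			end
		end
	end

	local plain_password = query:get_child_text("password");
	if plain_password then
		passwords[#passwords + 1] = plain_password;
	end

	return passwords, username;
end

--- Enforce the password policy on jabber:iq:register "set" requests.
-- Hooked at priority 10 so it runs before the registration handlers and a
-- non-compliant password is rejected before an account is created or changed.
-- @tparam table event Prosody event with `.origin` (session) and `.stanza` (iq)
-- @treturn boolean|nil true when the request was rejected (an error reply has
--   been sent, later handlers do not see it); nothing otherwise
function handler(event)
	local origin, stanza = event.origin, event.stanza;

	if stanza.attr.type ~= "set" then
		return;
	end

	local query = stanza.tags[1];
	local passwords, requested_username = extract_credentials(query);

	-- origin.username is only set on authenticated sessions (password change);
	-- for a new registration the username to exclude is the one in the request.
	local additional_info = {
		username = origin.username or requested_username;
	};

	for _, password in ipairs(passwords) do
		local pw_ok, pw_err, pw_failed_policy = check_password(password, additional_info);
		if not pw_ok then
			module:log("debug", "Password failed check against '%s' policy", pw_failed_policy);
			origin.send(st.error_reply(stanza, "cancel", "not-acceptable", pw_err));
			return true;
		end
	end
end
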
-- Every route a jabber:iq:register query can arrive on; hooked at priority 10
-- so the policy check runs ahead of lower-priority registration handlers.
local REGISTER_QUERY_EVENTS = {
	"iq/self/jabber:iq:register:query";
	"iq/host/jabber:iq:register:query";
	"stanza/iq/jabber:iq:register:query";
};
for _, event_name in ipairs(REGISTER_QUERY_EVENTS) do
	module:hook(event_name, handler, 10);
end