Annotate

mod_password_policy/mod_password_policy.lua @ 4831:5a42cb84c8ee

mod_password_policy: Silence luacheck warning for intentional global
author Matthew Wild <mwild1@gmail.com>
date Wed, 22 Dec 2021 14:43:53 +0000
parent 4830:af6143cf7d22
child 4832:bfd4af4caddc
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
1 -- Password policy enforcement for Prosody
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
2 --
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
3 -- Copyright (C) 2012 Waqas Hussain
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
4 --
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
5 --
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
6 -- Configuration:
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
7 -- password_policy = {
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
8 -- length = 8;
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
9 -- }
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
10
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
11
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
12 local options = module:get_option("password_policy");
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
13
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
14 options = options or {};
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
15 options.length = options.length or 8;
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
16 if options.exclude_username == nil then
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
17 options.exclude_username = true;
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
18 end
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
19
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
20 local st = require "util.stanza";
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
21
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
22 function check_password(password, additional_info)
4830
af6143cf7d22 mod_password_policy: Hard failure on missing/empty passwords
Matthew Wild <mwild1@gmail.com>
parents: 4829
diff changeset
23 if not password or password == "" then
af6143cf7d22 mod_password_policy: Hard failure on missing/empty passwords
Matthew Wild <mwild1@gmail.com>
parents: 4829
diff changeset
24 return nil, "No password provided", "no-password";
af6143cf7d22 mod_password_policy: Hard failure on missing/empty passwords
Matthew Wild <mwild1@gmail.com>
parents: 4829
diff changeset
25 end
af6143cf7d22 mod_password_policy: Hard failure on missing/empty passwords
Matthew Wild <mwild1@gmail.com>
parents: 4829
diff changeset
26
3350
cb26d04b391c mod_password_policy: Return error as second result explaining failure reason
Matthew Wild <mwild1@gmail.com>
parents: 845
diff changeset
27 if #password < options.length then
4828
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
28 return nil, ("Password is too short (minimum %d characters)"):format(options.length), "length";
3350
cb26d04b391c mod_password_policy: Return error as second result explaining failure reason
Matthew Wild <mwild1@gmail.com>
parents: 845
diff changeset
29 end
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
30
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
31 if additional_info then
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
32 local username = additional_info.username;
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
33 if username and password:lower():find(username:lower(), 1, true) then
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
34 return nil, "Password must not include your username", "username";
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
35 end
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
36 end
3350
cb26d04b391c mod_password_policy: Return error as second result explaining failure reason
Matthew Wild <mwild1@gmail.com>
parents: 845
diff changeset
37 return true;
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
38 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
39
4831
5a42cb84c8ee mod_password_policy: Silence luacheck warning for intentional global
Matthew Wild <mwild1@gmail.com>
parents: 4830
diff changeset
40 function get_policy() --luacheck: ignore 131/get_policy
3351
662f2722f745 mod_password_policy: Export function to get policy in use by the module
Matthew Wild <mwild1@gmail.com>
parents: 3350
diff changeset
41 return options;
662f2722f745 mod_password_policy: Export function to get policy in use by the module
Matthew Wild <mwild1@gmail.com>
parents: 3350
diff changeset
42 end
662f2722f745 mod_password_policy: Export function to get policy in use by the module
Matthew Wild <mwild1@gmail.com>
parents: 3350
diff changeset
43
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
44 function handler(event)
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
45 local origin, stanza = event.origin, event.stanza;
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
46
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
47 if stanza.attr.type == "set" then
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
48 local query = stanza.tags[1];
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
49
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
50 local passwords = {};
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
51
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
52 local dataform = query:get_child("x", "jabber:x:data");
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
53 if dataform then
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
54 for _,tag in ipairs(dataform.tags) do
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
55 if tag.attr.var == "password" then
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
56 table.insert(passwords, tag:get_child_text("value"));
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
57 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
58 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
59 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
60
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
61 table.insert(passwords, query:get_child_text("password"));
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
62
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
63 local additional_info = {
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
64 username = origin.username;
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
65 };
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
66
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
67 for _,password in ipairs(passwords) do
4828
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
68 if password then
4829
caf7e88dc9e5 mod_password_policy: Add check that password doesn't contain username
Matthew Wild <mwild1@gmail.com>
parents: 4828
diff changeset
69 local pw_ok, pw_err, pw_failed_policy = check_password(password, additional_info);
4828
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
70 if not pw_ok then
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
71 module:log("debug", "Password failed check against '%s' policy", pw_failed_policy);
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
72 origin.send(st.error_reply(stanza, "cancel", "not-acceptable", pw_err));
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
73 return true;
56eba4bca28f mod_password_policy: Allow check_password() to indicate the policy that failed
Matthew Wild <mwild1@gmail.com>
parents: 3351
diff changeset
74 end
841
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
75 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
76 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
77 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
78 end
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
79
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
80 module:hook("iq/self/jabber:iq:register:query", handler, 10);
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
81 module:hook("iq/host/jabber:iq:register:query", handler, 10);
0649883de4d3 mod_password_policy: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
82 module:hook("stanza/iq/jabber:iq:register:query", handler, 10);