Implement password policy with hook #5419
Conversation
Al2Klimov
left a comment
Al2Klimov
left a comment
There was a problem hiding this comment.
Fix your code style as told by the failing Github actions.
Al2Klimov
left a comment
Al2Klimov
left a comment
There was a problem hiding this comment.
Please push without -f for now. This eases it for me to keep track of your changes.
library/Icinga/Application/ProvidedHook/DefaultPasswordPolicy.php
Outdated
Show resolved
Hide resolved
library/Icinga/Application/ProvidedHook/DefaultPasswordPolicy.php
Outdated
Show resolved
Hide resolved
library/Icinga/Application/ProvidedHook/DefaultPasswordPolicy.php
Outdated
Show resolved
Hide resolved
library/Icinga/Application/ProvidedHook/DefaultPasswordPolicy.php
Outdated
Show resolved
Hide resolved
library/Icinga/Application/ProvidedHook/DefaultPasswordPolicy.php
Outdated
Show resolved
Hide resolved
library/Icinga/Application/ProvidedHook/DefaultPasswordPolicy.php
Outdated
Show resolved
Hide resolved
library/Icinga/Application/ProvidedHook/DefaultPasswordPolicy.php
Outdated
Show resolved
Hide resolved
library/Icinga/Application/ProvidedHook/DefaultPasswordPolicy.php
Outdated
Show resolved
Hide resolved
library/Icinga/Application/ProvidedHook/DefaultPasswordPolicy.php
Outdated
Show resolved
Hide resolved
library/Icinga/Application/ProvidedHook/DefaultPasswordPolicy.php
Outdated
Show resolved
Hide resolved
Al2Klimov
left a comment
Al2Klimov
left a comment
There was a problem hiding this comment.
During setup, the wizard prompts me for a username and password "to configure your first administrative account". This should enforce the chosen password policy.
JolienTrog
force-pushed
the
password-policy
branch
2 times, most recently
from
97e07ad to
39bbc53
Compare
test/php/library/Icinga/Application/CommonPasswordPolicyTest.php
Outdated
Show resolved
Hide resolved
test/php/library/Icinga/Application/CommonPasswordPolicyTest.php
Outdated
Show resolved
Hide resolved
test/php/library/Icinga/Application/CommonPasswordPolicyTest.php
Outdated
Show resolved
Hide resolved
test/php/library/Icinga/Application/CommonPasswordPolicyTest.php
Outdated
Show resolved
Hide resolved
library/Icinga/Application/ProvidedHook/CommonPasswordPolicy.php
Outdated
Show resolved
Hide resolved
test/php/library/Icinga/Application/CommonPasswordPolicyTest.php
Outdated
Show resolved
Hide resolved
test/php/library/Icinga/Application/CommonPasswordPolicyTest.php
Outdated
Show resolved
Hide resolved
JolienTrog
force-pushed
the
password-policy
branch
from
59ff429 to
71090ae
Compare
Al2Klimov
left a comment
Al2Klimov
left a comment
There was a problem hiding this comment.
Not done yet:
Also, regarding #5419 (review): Situations where you push -f anyway, such as #5419 (comment), are good opportunities to squash at least commits which address only reviews and/or GitHub action failures.
| $instance = new $passwordPolicyClass; | ||
|
|
||
| if (class_exists($passwordPolicyClass) && ($instance instanceof PasswordPolicyHook)) { | ||
| $this->passwordPolicy = new $passwordPolicyClass(); |
There was a problem hiding this comment.
So if $instance instanceof PasswordPolicyHook is false, will $this->passwordPolicy stay empty? What about the other methods in this class relying on that property being set?
|
|
||
| namespace Icinga\Application\Hook; | ||
|
|
||
| interface PasswordPolicyHook |
There was a problem hiding this comment.
Given PHP has no multiple inheritance, I wanted to preventively avoid unnecessary base classes and instructed you to make an interface.
See how tables have turned: #5442 (comment) 🙈
There was a problem hiding this comment.
This comment from Alex doesn't read like an instruction, so here's the explanation:
We use arbitrary strings such as PasswordPolicy to register and load hooks, which makes it difficult to actually find hook usages. I would suggest making PasswordPolicyHook an abstract class that also provides the methods all() and register() so that the string PasswordPolicy only appears in the hook itself. Please then also adjust the documentation.
There was a problem hiding this comment.
I think I would also do the following to make it clean:
- Rename
PasswordPolicyHooktoPasswordPolicy(and move it to theAuthenticationnamespace). - Use the
PasswordPolicyinterface everywhere in the code where typing is required. This is better than using the hook as a type, since the hook is used to load the functionality. - Have the new abstract
PasswordPolicyHookimplementPasswordPolicy.
- Fix validator handeling - Adjust hook registration name
| $helper = new PasswordPolicyHelper(); | ||
| $validators[] = $helper->getPasswordValidator(); | ||
| $helper->addPasswordPolicyDescription($this); | ||
| } catch (\Throwable $e) { |
| $validators[] = $helper->getPasswordValidator(); | ||
| $helper->addPasswordPolicyDescription($this); | ||
| } catch (\Throwable $e) { | ||
| Logger::error($e); |
There was a problem hiding this comment.
I would adjust the log message so that it includes the topic, e.g., 'The configured password policy could not be loaded: %s', $e
| $helper->addPasswordPolicyDescription($this); | ||
| } catch (\Throwable $e) { | ||
| Logger::error($e); | ||
| Notification::error("The configured password policy could not be loaded."); |
There was a problem hiding this comment.
I want this information to be displayed permanently, so Notification should be avoided. If styling is required, there is a form element called Note that can be used instead. You can search for 'note' in the Icinga web codebase to find examples of how it is used. addDescription() can also be used. The message could then be changed to something like this: There was a problem loading the configured password policy. Please contact your administrator.
| @@ -0,0 +1,51 @@ | |||
| <?php | |||
| Please read [this chapter](20-Advanced-Topics.md#advanced-topics-authentication-tips-manual-user-database-auth) | ||
| in order to manually create users directly inside the database. | ||
|
|
||
| ### Password Policy <a id="authentication-password-policy"></a> |
There was a problem hiding this comment.
Please add newlines after headings and speak of Icinga Web not Icinga Web 2.
| { | ||
| $message = $this->passwordPolicyObject->validatePassword($value); | ||
|
|
||
| if (!empty($message)) { |
| use Icinga\Application\Hook\PasswordPolicyHook; | ||
| use Zend_Validate_Abstract; | ||
|
|
||
| class PasswordValidator extends Zend_Validate_Abstract |
There was a problem hiding this comment.
I would rename the class to PasswordPolicyValidator.
| * @return string[] Returns an empty array if the password is valid, | ||
| * otherwise returns error messages describing the violations | ||
| */ | ||
| public function validatePassword(string $password): array; |
|
|
||
| namespace Icinga\Application\Hook; | ||
|
|
||
| interface PasswordPolicyHook |
There was a problem hiding this comment.
I think I would also do the following to make it clean:
- Rename
PasswordPolicyHooktoPasswordPolicy(and move it to theAuthenticationnamespace). - Use the
PasswordPolicyinterface everywhere in the code where typing is required. This is better than using the hook as a type, since the hook is used to load the functionality. - Have the new abstract
PasswordPolicyHookimplementPasswordPolicy.
|
|
||
| public function testValidatePasswordTooShort(): void | ||
| { | ||
| $expectedResults = ['Password must be at least 12 characters long']; |
There was a problem hiding this comment.
Do we really need those variables? The signature of assert*() is $expected, $actual, so having the following is perfectly fine:
$this->assertSame(
expected,
actual
);And if you really need such variables, please use $expected and $actual.
Ref #4401