CB-4264 password policy configuration (#2301)
* CB-4491 password policy config api

* CB-4491 move policy config to sm

* CB-4491 cb config fix

* CB-4264 add password policy

* CB-4491 deserialization fix

* CB-4491 deserialization fix

* CB-4264 add title

* CB-4264 rename params

* CB-4264 fix naming

* CB-4264 accept any language

---------

Co-authored-by: naumov <[email protected]>
Co-authored-by: Daria Marutkina <[email protected]>
3 people authored Jan 17, 2024
1 parent 0544547 commit 8ba0eb6
Showing 31 changed files with 326 additions and 21 deletions.
Expand Up @@ -23,7 +23,13 @@
enableBruteForceProtection: "${CLOUDBEAVER_BRUTE_FORCE_PROTECTION_ENABLED:true}",
maxFailedLogin: "${CLOUDBEAVER_MAX_FAILED_LOGINS:10}",
minimumLoginTimeout: "${CLOUDBEAVER_MINIMUM_LOGIN_TIMEOUT:1}",
blockLoginPeriod: "${CLOUDBEAVER_BLOCK_PERIOD:300}"
blockLoginPeriod: "${CLOUDBEAVER_BLOCK_PERIOD:300}",
passwordPolicy: {
minLength: "${CLOUDBEAVER_POLICY_MIN_LENGTH:8}",
requireMixedCase: "${CLOUDBEAVER_POLICY_REQUIRE_MIXED_CASE:true}",
minNumberCount: "${CLOUDBEAVER_POLICY_MIN_NUMBER_COUNT:1}",
minSymbolCount: "${CLOUDBEAVER_POLICY_MIN_SYMBOL_COUNT:0}"
}
},

database: {
12 changes: 12 additions & 0 deletions config/sample-databases/SQLiteConfiguration/cloudbeaver.conf
Expand Up @@ -27,6 +27,18 @@
maxConnections: 100,
validationQuery: "SELECT 1"
}
},
sm: {
enableBruteForceProtection: "${CLOUDBEAVER_BRUTE_FORCE_PROTECTION_ENABLED:true}",
maxFailedLogin: "${CLOUDBEAVER_MAX_FAILED_LOGINS:10}",
minimumLoginTimeout: "${CLOUDBEAVER_MINIMUM_LOGIN_TIMEOUT:1}",
blockLoginPeriod: "${CLOUDBEAVER_BLOCK_PERIOD:300}",
passwordPolicy: {
minLength: "${CLOUDBEAVER_POLICY_MIN_LENGTH:8}",
requireMixedCase: "${CLOUDBEAVER_POLICY_REQUIRE_MIXED_CASE:true}",
minNumberCount: "${CLOUDBEAVER_POLICY_MIN_NUMBER_COUNT:1}",
minSymbolCount: "${CLOUDBEAVER_POLICY_MIN_SYMBOL_COUNT:0}"
}
}

},
Expand Up @@ -99,6 +99,13 @@ type WebServiceConfig {
bundleVersion: String!
}

type PasswordPolicyConfig @since(version: "23.3.3") {
minLength: Int!
minNumberCount: Int!
minSymbolCount: Int!
requireMixedCase: Boolean!
}

type ProductInfo {
id: ID!
version: String!
Expand Down Expand Up @@ -152,6 +159,7 @@ type ServerConfig {
defaultNavigatorSettings: NavigatorSettings!
disabledDrivers: [ID!]!
resourceQuotas: Object!
passwordPolicyConfiguration: PasswordPolicyConfig! @since(version: "23.3.3")
}

type SessionInfo {
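Review bot: The new `PasswordPolicyConfig` type and the `passwordPolicyConfiguration` field on `ServerConfig` carry no descriptions, so a client author cannot tell from the schema which characters count toward `minSymbolCount` or whether `minLength` is measured before or after trimming. GraphQL description strings above each field would settle that, e.g. `"Minimum password length, in characters"` on `minLength` and `"Minimum number of special characters required; see the type description for the character set"` on `minSymbolCount`, with the set named once on the type. The `@since(version: "23.3.3")` directives are already consistent between the type and the field, which is good.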
Expand Up @@ -20,6 +20,7 @@
import io.cloudbeaver.registry.WebServiceRegistry;
import io.cloudbeaver.server.CBApplication;
import io.cloudbeaver.server.CBPlatform;
import io.cloudbeaver.service.security.PasswordPolicyConfiguration;
import org.jkiss.dbeaver.model.meta.Property;
import org.jkiss.dbeaver.model.navigator.DBNBrowseSettings;
import org.jkiss.dbeaver.registry.language.PlatformLanguageDescriptor;
Expand Down Expand Up @@ -217,4 +218,9 @@ public String getDefaultAuthRole() {
public String getDefaultUserTeam() {
return application.getAppConfiguration().getDefaultUserTeam();
}

@Property
public PasswordPolicyConfiguration getPasswordPolicyConfiguration() {
return application.getSecurityManagerConfiguration().getPasswordPolicyConfiguration();
}
}
Expand Up @@ -22,6 +22,7 @@
import io.cloudbeaver.WebServiceUtils;
import io.cloudbeaver.auth.CBAuthConstants;
import io.cloudbeaver.auth.NoAuthCredentialsProvider;
import io.cloudbeaver.service.security.PasswordPolicyConfiguration;
import io.cloudbeaver.model.app.BaseWebApplication;
import io.cloudbeaver.model.app.WebAuthApplication;
import io.cloudbeaver.model.app.WebAuthConfiguration;
Expand Down Expand Up @@ -231,6 +232,10 @@ public Map<String, Object> getProductConfiguration() {
return productConfiguration;
}

public SMControllerConfiguration getSecurityManagerConfiguration() {
return securityManagerConfiguration;
}

public SMAdminController getSecurityController() {
return securityController;
}
Expand Down Expand Up @@ -592,7 +597,7 @@ protected void parseConfiguration(Map<String, Object> configProps) throws DBExce
enableSecurityManager);
//SM config
gson.fromJson(
gson.toJsonTree(JSONUtils.getObject(serverConfig, CBConstants.PARAM_SM_CONFIGURATION)),
gson.toJson(JSONUtils.getObject(serverConfig, CBConstants.PARAM_SM_CONFIGURATION)),
SMControllerConfiguration.class
);
// App config
Expand Down Expand Up @@ -772,11 +777,14 @@ protected GsonBuilder getGsonBuilder() {
InstanceCreator<CBAppConfig> appConfigCreator = type -> appConfiguration;
InstanceCreator<DataSourceNavigatorSettings> navSettingsCreator = type -> (DataSourceNavigatorSettings) appConfiguration.getDefaultNavigatorSettings();
InstanceCreator<SMControllerConfiguration> smConfigCreator = type -> securityManagerConfiguration;
InstanceCreator<PasswordPolicyConfiguration> smPasswordPoliceConfigCreator =
type -> securityManagerConfiguration.getPasswordPolicyConfiguration();
return new GsonBuilder()
.setLenient()
.registerTypeAdapter(CBAppConfig.class, appConfigCreator)
.registerTypeAdapter(DataSourceNavigatorSettings.class, navSettingsCreator)
.registerTypeAdapter(SMControllerConfiguration.class, smConfigCreator);
.registerTypeAdapter(SMControllerConfiguration.class, smConfigCreator)
.registerTypeAdapter(PasswordPolicyConfiguration.class, smPasswordPoliceConfigCreator);
}

protected void readAdditionalConfiguration(Map<String, Object> rootConfig) throws DBException {
Expand Down Expand Up @@ -1042,6 +1050,7 @@ protected Map<String, Object> collectConfigurationProperties(
}
serverConfigProperties.put(CBConstants.PARAM_DB_CONFIGURATION, databaseConfigProperties);
}
savePasswordPolicyConfig(originServerConfig, serverConfigProperties);
}
{
var appConfigProperties = new LinkedHashMap<String, Object>();
Expand Down Expand Up @@ -1151,6 +1160,30 @@ protected Map<String, Object> collectConfigurationProperties(
return rootConfig;
}

private void savePasswordPolicyConfig(Map<String, Object> originServerConfig, LinkedHashMap<String, Object> serverConfigProperties) {
// save password policy configuration
var passwordPolicyProperties = new LinkedHashMap<String, Object>();

var oldRuntimePasswordPolicyConfig = JSONUtils.getObject(
JSONUtils.getObject(originServerConfig, CBConstants.PARAM_SM_CONFIGURATION),
CBConstants.PARAM_PASSWORD_POLICY_CONFIGURATION
);
Gson gson = getGson();
Map<String, Object> passwordPolicyConfig = gson.fromJson(
gson.toJsonTree(securityManagerConfiguration.getPasswordPolicyConfiguration()),
JSONUtils.MAP_TYPE_TOKEN
);
if (!CommonUtils.isEmpty(passwordPolicyConfig) && !isDistributed()) {
for (Map.Entry<String, Object> mp : passwordPolicyConfig.entrySet()) {
copyConfigValue(oldRuntimePasswordPolicyConfig, passwordPolicyProperties, mp.getKey(), mp.getValue());
}
serverConfigProperties.put(
CBConstants.PARAM_SM_CONFIGURATION,
Map.of(CBConstants.PARAM_PASSWORD_POLICY_CONFIGURATION, passwordPolicyProperties)
);
}
}

////////////////////////////////////////////////////////////////////////
// License management

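Review bot: `savePasswordPolicyConfig` ends with `serverConfigProperties.put(CBConstants.PARAM_SM_CONFIGURATION, Map.of(...))`, which replaces whatever is already stored under the `sm` key with an immutable map holding only `passwordPolicy`; if the brute-force settings of the `sm` block (`enableBruteForceProtection`, `maxFailedLogin`, and so on, as shown in the sample configs of this commit) are collected into `serverConfigProperties` elsewhere in `collectConfigurationProperties` (outside this hunk), they are dropped on save, and any later `put` into that entry throws `UnsupportedOperationException`. Merging onto the existing entry avoids both: `var smProperties = new LinkedHashMap<String, Object>(JSONUtils.getObject(serverConfigProperties, CBConstants.PARAM_SM_CONFIGURATION));` then `smProperties.put(CBConstants.PARAM_PASSWORD_POLICY_CONFIGURATION, passwordPolicyProperties);` and `serverConfigProperties.put(CBConstants.PARAM_SM_CONFIGURATION, smProperties);`, assuming `JSONUtils.getObject` returns an empty map for a missing key, as the nested call on `originServerConfig` a few lines above relies on. The `// save password policy configuration` comment only restates the method name; the line worth explaining is the `!isDistributed()` guard, which silently skips persisting the policy in distributed mode, e.g. `// in distributed mode the policy is owned by the shared config, so it is not written to the local runtime file` if that is the reason.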
Expand Up @@ -50,6 +50,7 @@ public class CBConstants {
public static final String PARAM_DEVEL_MODE = "develMode";
public static final String PARAM_SECURITY_MANAGER = "enableSecurityManager";
public static final String PARAM_SM_CONFIGURATION = "sm";
public static final String PARAM_PASSWORD_POLICY_CONFIGURATION = "passwordPolicy";

public static final int DEFAULT_SERVER_PORT = 8080;
//public static final String DEFAULT_SERVER_NAME = "CloudBeaver Web Server";
@@ -0,0 +1,50 @@
/*
* DBeaver - Universal Database Manager
* Copyright (C) 2010-2024 DBeaver Corp and others
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.cloudbeaver.service.security;

import org.jkiss.dbeaver.model.meta.Property;

public class PasswordPolicyConfiguration {
private static final int DEFAULT_MIN_LENGTH = 8;
private static final int DEFAULT_MIN_DIGITS = 1;
private static final int DEFAULT_MIN_SPECIAL_CHARACTERS = 0;
private static final boolean DEFAULT_REQUIRES_UPPER_LOWER_CASE = true;
private int minLength = DEFAULT_MIN_LENGTH;
private int minNumberCount = DEFAULT_MIN_DIGITS;
private int minSymbolCount = DEFAULT_MIN_SPECIAL_CHARACTERS;
private boolean requireMixedCase = DEFAULT_REQUIRES_UPPER_LOWER_CASE;

@Property
public int getMinLength() {
return minLength;
}

@Property
public int getMinNumberCount() {
return minNumberCount;
}

@Property
public int getMinSymbolCount() {
return minSymbolCount;
}

@Property
public boolean isRequireMixedCase() {
return requireMixedCase;
}
}
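Review bot: `PasswordPolicyConfiguration` accepts any values from the `sm.passwordPolicy` block without validation, so a zero or negative `minLength` together with zero counts switches the policy off silently, and a negative `minNumberCount` or `minSymbolCount` is accepted without complaint. A check that rejects negative values and logs when every rule is effectively disabled would keep such a misconfiguration visible; since the class has no setters, the fields are presumably populated by Gson field reflection through the `InstanceCreator` registered in `CBApplication`, so that check would have to run after `parseConfiguration` rather than in setters. Among the server files in this commit nothing validates a submitted password against these rules; if enforcement is not done elsewhere on the user-creation and password-change paths, the policy is advisory only and a client that does not use the web form is not bound by it. The class also lacks a Javadoc; `/** Password complexity rules read from the "sm.passwordPolicy" block of the server configuration and published to clients through ServerConfig. */` would do.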
Expand Up @@ -36,6 +36,7 @@ public class SMControllerConfiguration {
private int maxFailedLogin = DEFAULT_MAX_FAILED_LOGIN;
private int minimumLoginTimeout = DEFAULT_MINIMUM_LOGIN_TIMEOUT;
private int blockLoginPeriod = DEFAULT_BLOCK_LOGIN_PERIOD;
private final PasswordPolicyConfiguration passwordPolicy = new PasswordPolicyConfiguration();

public int getAccessTokenTtl() {
return accessTokenTtl;
Expand Down Expand Up @@ -92,4 +93,8 @@ public void setMinimumLoginTimeout(int minimumTimeout) {
public void setBlockLoginPeriod(int blockPeriod) {
this.blockLoginPeriod = blockPeriod;
}

public PasswordPolicyConfiguration getPasswordPolicyConfiguration() {
return passwordPolicy;
}
}
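Review bot: The JSON key for the policy is the field name `passwordPolicy`, while the accessor is `getPasswordPolicyConfiguration()` and the same key is duplicated as `CBConstants.PARAM_PASSWORD_POLICY_CONFIGURATION = "passwordPolicy"`; renaming the field would silently break deserialization and the runtime-config save with no compiler error. A comment on the field, `// field name is the JSON key; keep in sync with CBConstants.PARAM_PASSWORD_POLICY_CONFIGURATION`, or a Gson `@SerializedName` annotation referencing that constant, would pin the coupling.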
75 changes: 75 additions & 0 deletions webapp/packages/core-authentication/src/PasswordPolicyService.ts
@@ -0,0 +1,75 @@
/*
* CloudBeaver - Cloud Database Manager
* Copyright (C) 2020-2024 DBeaver Corp and others
*
* Licensed under the Apache License, Version 2.0.
* you may not use this file except in compliance with the License.
*/
import { computed, makeObservable } from 'mobx';

import { injectable } from '@cloudbeaver/core-di';
import { LocalizationService } from '@cloudbeaver/core-localization';
import { ServerConfigResource } from '@cloudbeaver/core-root';
import type { PasswordPolicyConfig } from '@cloudbeaver/core-sdk';

const DEFAULT_PASSWORD_POLICY: PasswordPolicyConfig = {
minLength: 8,
minNumberCount: 0,
minSymbolCount: 0,
requireMixedCase: false,
};

type ValidationResult = { isValid: true; errorMessage: null } | { isValid: false; errorMessage: string };

@injectable()
export class PasswordPolicyService {
get config(): PasswordPolicyConfig {
return {
minLength: this.serverConfigResource.data?.passwordPolicyConfiguration?.minLength || DEFAULT_PASSWORD_POLICY.minLength,
minNumberCount: this.serverConfigResource.data?.passwordPolicyConfiguration?.minNumberCount || DEFAULT_PASSWORD_POLICY.minNumberCount,
minSymbolCount: this.serverConfigResource.data?.passwordPolicyConfiguration?.minSymbolCount || DEFAULT_PASSWORD_POLICY.minSymbolCount,
requireMixedCase: this.serverConfigResource.data?.passwordPolicyConfiguration?.requireMixedCase || DEFAULT_PASSWORD_POLICY.requireMixedCase,
};
}

constructor(private readonly serverConfigResource: ServerConfigResource, private readonly localizationService: LocalizationService) {
makeObservable(this, {
config: computed,
});
}

validatePassword(password: string): ValidationResult {
const trimmedPassword = password.trim();

if (trimmedPassword.length < this.config.minLength) {
return {
isValid: false,
errorMessage: this.localizationService.translate('core_authentication_password_policy_min_length', undefined, { min: this.config.minLength }),
};
}

if (this.config.requireMixedCase && !(/\p{Ll}/u.test(trimmedPassword) && /\p{Lu}/u.test(trimmedPassword))) {
return { isValid: false, errorMessage: this.localizationService.translate('core_authentication_password_policy_upper_lower_case') };
}

if ((trimmedPassword.match(/\d/g) || []).length < this.config.minNumberCount) {
return {
isValid: false,
errorMessage: this.localizationService.translate('core_authentication_password_policy_min_digits', undefined, {
min: this.config.minNumberCount,
}),
};
}

if ((trimmedPassword.match(/[!@#$%^&*(),.?":{}|<>]/g) || []).length < this.config.minSymbolCount) {
return {
isValid: false,
errorMessage: this.localizationService.translate('core_authentication_password_policy_min_special_characters', undefined, {
min: this.config.minSymbolCount,
}),
};
}

return { isValid: true, errorMessage: null };
}
}
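Review bot: The symbol check `trimmedPassword.match(/[!@#$%^&*(),.?":{}|<>]/g)` counts only a fixed ASCII set, so a password whose special characters are `-`, `_`, `+`, `=`, `[`, `]`, `~`, `'`, `;`, `/` or `\` is reported as having none, which is inconsistent with the Unicode-aware `\p{Ll}`/`\p{Lu}` tests two checks above; `(trimmedPassword.match(/[\p{P}\p{S}]/gu) || []).length` would count all punctuation and symbols, and `\d` could likewise become `\p{Nd}`. Whatever set is chosen must match the server's if the server enforces the policy, otherwise users get contradictory errors from the form and the API. `validatePassword` measures `password.trim()`, so if the form submits the untrimmed value the string accepted can differ from the one that was checked; validate the exact string that will be sent, or document the trimming in a comment. In the `config` getter `||` gives the right result only because the fallback values are `0`/`false`; `??` states the intent and survives a future non-zero default. Also read `this.config` once into a local at the top of `validatePassword` instead of re-evaluating the computed getter in every branch.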
2 changes: 2 additions & 0 deletions webapp/packages/core-authentication/src/index.ts
Expand Up @@ -20,3 +20,5 @@ export * from './UsersResource';
export * from './TeamMetaParametersResource';
export * from './EAdminPermission';
export * from './AUTH_SETTINGS_GROUP';
export * from './PasswordPolicyService';
export * from './usePasswordPolicy';
5 changes: 5 additions & 0 deletions webapp/packages/core-authentication/src/locales/en.ts
Expand Up @@ -2,4 +2,9 @@ export default [
['settings_authentication', 'Authentication'],
['settings_authentication_disable_anonymous_access_name', 'Disable anonymous access'],
['settings_authentication_disable_anonymous_access_description', 'Disable anonymous access function'],

['core_authentication_password_policy_min_length', 'Password must be at least {arg:min} characters long'],
['core_authentication_password_policy_upper_lower_case', 'Password must contain both upper and lower case letters'],
['core_authentication_password_policy_min_digits', 'Password must contain at least {arg:min} digits'],
['core_authentication_password_policy_min_special_characters', 'Password must contain at least {arg:min} special characters'],
];
5 changes: 5 additions & 0 deletions webapp/packages/core-authentication/src/locales/it.ts
Expand Up @@ -2,4 +2,9 @@ export default [
['settings_authentication', 'Authentication'],
['settings_authentication_disable_anonymous_access_name', 'Disable anonymous access'],
['settings_authentication_disable_anonymous_access_description', 'Disable anonymous access function'],

['core_authentication_password_policy_min_length', 'Password must be at least {arg:min} characters long'],
['core_authentication_password_policy_upper_lower_case', 'Password must contain both upper and lower case letters'],
['core_authentication_password_policy_min_digits', 'Password must contain at least {arg:min} digits'],
['core_authentication_password_policy_min_special_characters', 'Password must contain at least {arg:min} special characters'],
];
5 changes: 5 additions & 0 deletions webapp/packages/core-authentication/src/locales/ru.ts
Expand Up @@ -2,4 +2,9 @@ export default [
['settings_authentication', 'Аутентификация'],
['settings_authentication_disable_anonymous_access_name', 'Отключить анонимный доступ'],
['settings_authentication_disable_anonymous_access_description', 'Отключить функцию анонимного доступа'],

['core_authentication_password_policy_min_length', 'Пароль должен быть не менее {arg:min} символов'],
['core_authentication_password_policy_upper_lower_case', 'Пароль должен содержать как заглавные, так и строчные буквы'],
['core_authentication_password_policy_min_digits', 'Пароль должен содержать не менее {arg:min} цифр'],
['core_authentication_password_policy_min_special_characters', 'Пароль должен содержать не менее {arg:min} специальных символов'],
];
5 changes: 5 additions & 0 deletions webapp/packages/core-authentication/src/locales/zh.ts
Expand Up @@ -2,4 +2,9 @@ export default [
['settings_authentication', 'Authentication'],
['settings_authentication_disable_anonymous_access_name', 'Disable anonymous access'],
['settings_authentication_disable_anonymous_access_description', 'Disable anonymous access function'],

['core_authentication_password_policy_min_length', 'Password must be at least {arg:min} characters long'],
['core_authentication_password_policy_upper_lower_case', 'Password must contain both upper and lower case letters'],
['core_authentication_password_policy_min_digits', 'Password must contain at least {arg:min} digits'],
['core_authentication_password_policy_min_special_characters', 'Password must contain at least {arg:min} special characters'],
];
2 changes: 2 additions & 0 deletions webapp/packages/core-authentication/src/manifest.ts
Expand Up @@ -16,6 +16,7 @@ import { AuthProvidersResource } from './AuthProvidersResource';
import { AuthRolesResource } from './AuthRolesResource';
import { AuthSettingsService } from './AuthSettingsService';
import { LocaleService } from './LocaleService';
import { PasswordPolicyService } from './PasswordPolicyService';
import { TeamMetaParametersResource } from './TeamMetaParametersResource';
import { TeamsManagerService } from './TeamsManagerService';
import { TeamsResource } from './TeamsResource';
Expand Down Expand Up @@ -47,6 +48,7 @@ export const coreAuthenticationManifest: PluginManifest = {
UserConfigurationBootstrap,
AuthRolesResource,
TeamMetaParametersResource,
PasswordPolicyService,
LocaleService,
],
};
22 changes: 22 additions & 0 deletions webapp/packages/core-authentication/src/usePasswordPolicy.ts
@@ -0,0 +1,22 @@
/*
* CloudBeaver - Cloud Database Manager
* Copyright (C) 2020-2024 DBeaver Corp and others
*
* Licensed under the Apache License, Version 2.0.
* you may not use this file except in compliance with the License.
*/
import { useCustomInputValidation } from '@cloudbeaver/core-blocks';
import { useService } from '@cloudbeaver/core-di';

import { PasswordPolicyService } from './PasswordPolicyService';

export function usePasswordPolicy() {
const passwordPolicyService = useService(PasswordPolicyService);

const ref = useCustomInputValidation<string>(value => {
const validation = passwordPolicyService.validatePassword(value);
return validation.isValid ? null : validation.errorMessage;
});

return ref;
}
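Review bot: `usePasswordPolicy` has no doc comment and no explicit return type, so a caller has to open `useCustomInputValidation` to learn what the returned ref is for and that the check runs against the server-published policy. A TSDoc such as `/** Returns a ref for a password input whose value is validated by PasswordPolicyService; the validator yields null when the value passes and the localized error message otherwise. */` together with an explicit return type annotation would make that clear. The `ref` local adds nothing and the hook can return the `useCustomInputValidation` result directly.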