CB-4264 password policy configuration

config/sample-databases/DefaultConfiguration/cloudbeaver.conf

@@ -23,7 +23,13 @@
             enableBruteForceProtection: "${CLOUDBEAVER_BRUTE_FORCE_PROTECTION_ENABLED:true}",
             maxFailedLogin: "${CLOUDBEAVER_MAX_FAILED_LOGINS:10}",
             minimumLoginTimeout: "${CLOUDBEAVER_MINIMUM_LOGIN_TIMEOUT:1}",
-            blockLoginPeriod: "${CLOUDBEAVER_BLOCK_PERIOD:300}"
+            blockLoginPeriod: "${CLOUDBEAVER_BLOCK_PERIOD:300}",
+            passwordPolicy: {
+                minLength: "${CLOUDBEAVER_POLICY_MIN_LENGTH:8}",
+                requireMixedCase: "${CLOUDBEAVER_POLICY_REQUIRE_MIXED_CASE:true}",
+                minNumberCount: "${CLOUDBEAVER_POLICY_MIN_NUMBER_COUNT:1}",
+                minSymbolCount: "${CLOUDBEAVER_POLICY_MIN_SYMBOL_COUNT:0}"
+            }
         },
 
         database: {

config/sample-databases/SQLiteConfiguration/cloudbeaver.conf

@@ -27,6 +27,18 @@
                 maxConnections: 100,
                 validationQuery: "SELECT 1"
             }
+        },
+        sm: {
+            enableBruteForceProtection: "${CLOUDBEAVER_BRUTE_FORCE_PROTECTION_ENABLED:true}",
+            maxFailedLogin: "${CLOUDBEAVER_MAX_FAILED_LOGINS:10}",
+            minimumLoginTimeout: "${CLOUDBEAVER_MINIMUM_LOGIN_TIMEOUT:1}",
+            blockLoginPeriod: "${CLOUDBEAVER_BLOCK_PERIOD:300}",
+            passwordPolicy: {
+                minLength: "${CLOUDBEAVER_POLICY_MIN_LENGTH:8}",
+                requireMixedCase: "${CLOUDBEAVER_POLICY_REQUIRE_MIXED_CASE:true}",
+                minNumberCount: "${CLOUDBEAVER_POLICY_MIN_NUMBER_COUNT:1}",
+                minSymbolCount: "${CLOUDBEAVER_POLICY_MIN_SYMBOL_COUNT:0}"
+            }
         }
 
     },

server/bundles/io.cloudbeaver.server/schema/service.core.graphqls

@@ -99,6 +99,13 @@ type WebServiceConfig {
     bundleVersion: String!
 }
 
+type PasswordPolicyConfig @since(version: "23.3.3") {
+    minLength: Int!
+    minNumberCount: Int!
+    minSymbolCount: Int!
+    requireMixedCase: Boolean!
+}
+
 type ProductInfo {
     id: ID!
     version: String!
@@ -152,6 +159,7 @@ type ServerConfig {
     defaultNavigatorSettings: NavigatorSettings!
     disabledDrivers: [ID!]!
     resourceQuotas: Object!
+    passwordPolicyConfiguration: PasswordPolicyConfig! @since(version: "23.3.3")
 }
 
 type SessionInfo {

server/bundles/io.cloudbeaver.server/src/io/cloudbeaver/model/WebServerConfig.java

@@ -20,6 +20,7 @@
 import io.cloudbeaver.registry.WebServiceRegistry;
 import io.cloudbeaver.server.CBApplication;
 import io.cloudbeaver.server.CBPlatform;
+import io.cloudbeaver.service.security.PasswordPolicyConfiguration;
 import org.jkiss.dbeaver.model.meta.Property;
 import org.jkiss.dbeaver.model.navigator.DBNBrowseSettings;
 import org.jkiss.dbeaver.registry.language.PlatformLanguageDescriptor;
@@ -217,4 +218,9 @@ public String getDefaultAuthRole() {
     public String getDefaultUserTeam() {
         return application.getAppConfiguration().getDefaultUserTeam();
     }
+
+    @Property
+    public PasswordPolicyConfiguration getPasswordPolicyConfiguration() {
+        return application.getSecurityManagerConfiguration().getPasswordPolicyConfiguration();
+    }
 }

server/bundles/io.cloudbeaver.server/src/io/cloudbeaver/server/CBApplication.java

@@ -22,6 +22,7 @@
 import io.cloudbeaver.WebServiceUtils;
 import io.cloudbeaver.auth.CBAuthConstants;
 import io.cloudbeaver.auth.NoAuthCredentialsProvider;
+import io.cloudbeaver.service.security.PasswordPolicyConfiguration;
 import io.cloudbeaver.model.app.BaseWebApplication;
 import io.cloudbeaver.model.app.WebAuthApplication;
 import io.cloudbeaver.model.app.WebAuthConfiguration;
@@ -231,6 +232,10 @@ public Map<String, Object> getProductConfiguration() {
         return productConfiguration;
     }
 
+    public SMControllerConfiguration getSecurityManagerConfiguration() {
+        return securityManagerConfiguration;
+    }
+
     public SMAdminController getSecurityController() {
         return securityController;
     }
@@ -592,7 +597,7 @@ protected void parseConfiguration(Map<String, Object> configProps) throws DBExce
                 enableSecurityManager);
             //SM config
             gson.fromJson(
-                gson.toJsonTree(JSONUtils.getObject(serverConfig, CBConstants.PARAM_SM_CONFIGURATION)),
+                gson.toJson(JSONUtils.getObject(serverConfig, CBConstants.PARAM_SM_CONFIGURATION)),
                 SMControllerConfiguration.class
             );
             // App config
@@ -772,11 +777,14 @@ protected GsonBuilder getGsonBuilder() {
         InstanceCreator<CBAppConfig> appConfigCreator = type -> appConfiguration;
         InstanceCreator<DataSourceNavigatorSettings> navSettingsCreator = type -> (DataSourceNavigatorSettings) appConfiguration.getDefaultNavigatorSettings();
         InstanceCreator<SMControllerConfiguration> smConfigCreator = type -> securityManagerConfiguration;
+        InstanceCreator<PasswordPolicyConfiguration> smPasswordPoliceConfigCreator =
+            type -> securityManagerConfiguration.getPasswordPolicyConfiguration();
         return new GsonBuilder()
             .setLenient()
             .registerTypeAdapter(CBAppConfig.class, appConfigCreator)
             .registerTypeAdapter(DataSourceNavigatorSettings.class, navSettingsCreator)
-            .registerTypeAdapter(SMControllerConfiguration.class, smConfigCreator);
+            .registerTypeAdapter(SMControllerConfiguration.class, smConfigCreator)
+            .registerTypeAdapter(PasswordPolicyConfiguration.class, smPasswordPoliceConfigCreator);
     }
 
     protected void readAdditionalConfiguration(Map<String, Object> rootConfig) throws DBException {
@@ -1042,6 +1050,7 @@ protected Map<String, Object> collectConfigurationProperties(
                 }
                 serverConfigProperties.put(CBConstants.PARAM_DB_CONFIGURATION, databaseConfigProperties);
             }
+            savePasswordPolicyConfig(originServerConfig, serverConfigProperties);
         }
         {
             var appConfigProperties = new LinkedHashMap<String, Object>();
@@ -1151,6 +1160,30 @@ protected Map<String, Object> collectConfigurationProperties(
         return rootConfig;
     }
 
+    private void savePasswordPolicyConfig(Map<String, Object> originServerConfig, LinkedHashMap<String, Object> serverConfigProperties) {
+        // save password policy configuration
+        var passwordPolicyProperties = new LinkedHashMap<String, Object>();
+
+        var oldRuntimePasswordPolicyConfig = JSONUtils.getObject(
+            JSONUtils.getObject(originServerConfig, CBConstants.PARAM_SM_CONFIGURATION),
+            CBConstants.PARAM_PASSWORD_POLICY_CONFIGURATION
+        );
+        Gson gson = getGson();
+        Map<String, Object> passwordPolicyConfig = gson.fromJson(
+            gson.toJsonTree(securityManagerConfiguration.getPasswordPolicyConfiguration()),
+            JSONUtils.MAP_TYPE_TOKEN
+        );
+        if (!CommonUtils.isEmpty(passwordPolicyConfig) && !isDistributed()) {
+            for (Map.Entry<String, Object> mp : passwordPolicyConfig.entrySet()) {
+                copyConfigValue(oldRuntimePasswordPolicyConfig, passwordPolicyProperties, mp.getKey(), mp.getValue());
+            }
+            serverConfigProperties.put(
+                CBConstants.PARAM_SM_CONFIGURATION,
+                Map.of(CBConstants.PARAM_PASSWORD_POLICY_CONFIGURATION, passwordPolicyProperties)
+            );
+        }
+    }
+
     ////////////////////////////////////////////////////////////////////////
     // License management
 

server/bundles/io.cloudbeaver.server/src/io/cloudbeaver/server/CBConstants.java

@@ -50,6 +50,7 @@ public class CBConstants {
     public static final String PARAM_DEVEL_MODE = "develMode";
     public static final String PARAM_SECURITY_MANAGER = "enableSecurityManager";
     public static final String PARAM_SM_CONFIGURATION = "sm";
+    public static final String PARAM_PASSWORD_POLICY_CONFIGURATION = "passwordPolicy";
 
     public static final int DEFAULT_SERVER_PORT = 8080;
     //public static final String DEFAULT_SERVER_NAME = "CloudBeaver Web Server";

server/bundles/io.cloudbeaver.service.security/src/io/cloudbeaver/service/security/PasswordPolicyConfiguration.java

@@ -0,0 +1,50 @@
+/*
+ * DBeaver - Universal Database Manager
+ * Copyright (C) 2010-2024 DBeaver Corp and others
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.cloudbeaver.service.security;
+
+import org.jkiss.dbeaver.model.meta.Property;
+
+public class PasswordPolicyConfiguration {
+    private static final int DEFAULT_MIN_LENGTH = 8;
+    private static final int DEFAULT_MIN_DIGITS = 1;
+    private static final int DEFAULT_MIN_SPECIAL_CHARACTERS = 0;
+    private static final boolean DEFAULT_REQUIRES_UPPER_LOWER_CASE = true;
+    private int minLength = DEFAULT_MIN_LENGTH;
+    private int minNumberCount = DEFAULT_MIN_DIGITS;
+    private int minSymbolCount = DEFAULT_MIN_SPECIAL_CHARACTERS;
+    private boolean requireMixedCase = DEFAULT_REQUIRES_UPPER_LOWER_CASE;
+
+    @Property
+    public int getMinLength() {
+        return minLength;
+    }
+
+    @Property
+    public int getMinNumberCount() {
+        return minNumberCount;
+    }
+
+    @Property
+    public int getMinSymbolCount() {
+        return minSymbolCount;
+    }
+
+    @Property
+    public boolean isRequireMixedCase() {
+        return requireMixedCase;
+    }
+}

server/bundles/io.cloudbeaver.service.security/src/io/cloudbeaver/service/security/SMControllerConfiguration.java

@@ -36,6 +36,7 @@ public class SMControllerConfiguration {
     private int maxFailedLogin = DEFAULT_MAX_FAILED_LOGIN;
     private int minimumLoginTimeout = DEFAULT_MINIMUM_LOGIN_TIMEOUT;
     private int blockLoginPeriod = DEFAULT_BLOCK_LOGIN_PERIOD;
+    private final PasswordPolicyConfiguration passwordPolicy = new PasswordPolicyConfiguration();
 
     public int getAccessTokenTtl() {
         return accessTokenTtl;
@@ -92,4 +93,8 @@ public void setMinimumLoginTimeout(int minimumTimeout) {
     public void setBlockLoginPeriod(int blockPeriod) {
         this.blockLoginPeriod = blockPeriod;
     }
+
+    public PasswordPolicyConfiguration getPasswordPolicyConfiguration() {
+        return passwordPolicy;
+    }
 }

webapp/packages/core-authentication/src/PasswordPolicyService.ts

@@ -0,0 +1,75 @@
+/*
+ * CloudBeaver - Cloud Database Manager
+ * Copyright (C) 2020-2024 DBeaver Corp and others
+ *
+ * Licensed under the Apache License, Version 2.0.
+ * you may not use this file except in compliance with the License.
+ */
+import { computed, makeObservable } from 'mobx';
+
+import { injectable } from '@cloudbeaver/core-di';
+import { LocalizationService } from '@cloudbeaver/core-localization';
+import { ServerConfigResource } from '@cloudbeaver/core-root';
+import type { PasswordPolicyConfig } from '@cloudbeaver/core-sdk';
+
+const DEFAULT_PASSWORD_POLICY: PasswordPolicyConfig = {
+  minLength: 8,
+  minNumberCount: 0,
+  minSymbolCount: 0,
+  requireMixedCase: false,
+};
+
+type ValidationResult = { isValid: true; errorMessage: null } | { isValid: false; errorMessage: string };
+
+@injectable()
+export class PasswordPolicyService {
+  get config(): PasswordPolicyConfig {
+    return {
+      minLength: this.serverConfigResource.data?.passwordPolicyConfiguration?.minLength || DEFAULT_PASSWORD_POLICY.minLength,
+      minNumberCount: this.serverConfigResource.data?.passwordPolicyConfiguration?.minNumberCount || DEFAULT_PASSWORD_POLICY.minNumberCount,
+      minSymbolCount: this.serverConfigResource.data?.passwordPolicyConfiguration?.minSymbolCount || DEFAULT_PASSWORD_POLICY.minSymbolCount,
+      requireMixedCase: this.serverConfigResource.data?.passwordPolicyConfiguration?.requireMixedCase || DEFAULT_PASSWORD_POLICY.requireMixedCase,
+    };
+  }
+
+  constructor(private readonly serverConfigResource: ServerConfigResource, private readonly localizationService: LocalizationService) {
+    makeObservable(this, {
+      config: computed,
+    });
+  }
+
+  validatePassword(password: string): ValidationResult {
+    const trimmedPassword = password.trim();
+
+    if (trimmedPassword.length < this.config.minLength) {
+      return {
+        isValid: false,
+        errorMessage: this.localizationService.translate('core_authentication_password_policy_min_length', undefined, { min: this.config.minLength }),
+      };
+    }
+
+    if (this.config.requireMixedCase && !(/\p{Ll}/u.test(trimmedPassword) && /\p{Lu}/u.test(trimmedPassword))) {
+      return { isValid: false, errorMessage: this.localizationService.translate('core_authentication_password_policy_upper_lower_case') };
+    }
+
+    if ((trimmedPassword.match(/\d/g) || []).length < this.config.minNumberCount) {
+      return {
+        isValid: false,
+        errorMessage: this.localizationService.translate('core_authentication_password_policy_min_digits', undefined, {
+          min: this.config.minNumberCount,
+        }),
+      };
+    }
+
+    if ((trimmedPassword.match(/[!@#$%^&*(),.?":{}|<>]/g) || []).length < this.config.minSymbolCount) {
+      return {
+        isValid: false,
+        errorMessage: this.localizationService.translate('core_authentication_password_policy_min_special_characters', undefined, {
+          min: this.config.minSymbolCount,
+        }),
+      };
+    }
+
+    return { isValid: true, errorMessage: null };
+  }
+}

webapp/packages/core-authentication/src/index.ts

@@ -20,3 +20,5 @@ export * from './UsersResource';
 export * from './TeamMetaParametersResource';
 export * from './EAdminPermission';
 export * from './AUTH_SETTINGS_GROUP';
+export * from './PasswordPolicyService';
+export * from './usePasswordPolicy';

webapp/packages/core-authentication/src/locales/en.ts

@@ -2,4 +2,9 @@ export default [
   ['settings_authentication', 'Authentication'],
   ['settings_authentication_disable_anonymous_access_name', 'Disable anonymous access'],
   ['settings_authentication_disable_anonymous_access_description', 'Disable anonymous access function'],
+
+  ['core_authentication_password_policy_min_length', 'Password must be at least {arg:min} characters long'],
+  ['core_authentication_password_policy_upper_lower_case', 'Password must contain both upper and lower case letters'],
+  ['core_authentication_password_policy_min_digits', 'Password must contain at least {arg:min} digits'],
+  ['core_authentication_password_policy_min_special_characters', 'Password must contain at least {arg:min} special characters'],
 ];

webapp/packages/core-authentication/src/locales/it.ts

@@ -2,4 +2,9 @@ export default [
   ['settings_authentication', 'Authentication'],
   ['settings_authentication_disable_anonymous_access_name', 'Disable anonymous access'],
   ['settings_authentication_disable_anonymous_access_description', 'Disable anonymous access function'],
+
+  ['core_authentication_password_policy_min_length', 'Password must be at least {arg:min} characters long'],
+  ['core_authentication_password_policy_upper_lower_case', 'Password must contain both upper and lower case letters'],
+  ['core_authentication_password_policy_min_digits', 'Password must contain at least {arg:min} digits'],
+  ['core_authentication_password_policy_min_special_characters', 'Password must contain at least {arg:min} special characters'],
 ];

webapp/packages/core-authentication/src/locales/ru.ts

@@ -2,4 +2,9 @@ export default [
   ['settings_authentication', 'Аутентификация'],
   ['settings_authentication_disable_anonymous_access_name', 'Отключить анонимный доступ'],
   ['settings_authentication_disable_anonymous_access_description', 'Отключить функцию анонимного доступа'],
+
+  ['core_authentication_password_policy_min_length', 'Пароль должен быть не менее {arg:min} символов'],
+  ['core_authentication_password_policy_upper_lower_case', 'Пароль должен содержать как заглавные, так и строчные буквы'],
+  ['core_authentication_password_policy_min_digits', 'Пароль должен содержать не менее {arg:min} цифр'],
+  ['core_authentication_password_policy_min_special_characters', 'Пароль должен содержать не менее {arg:min} специальных символов'],
 ];

webapp/packages/core-authentication/src/locales/zh.ts

@@ -2,4 +2,9 @@ export default [
   ['settings_authentication', 'Authentication'],
   ['settings_authentication_disable_anonymous_access_name', 'Disable anonymous access'],
   ['settings_authentication_disable_anonymous_access_description', 'Disable anonymous access function'],
+
+  ['core_authentication_password_policy_min_length', 'Password must be at least {arg:min} characters long'],
+  ['core_authentication_password_policy_upper_lower_case', 'Password must contain both upper and lower case letters'],
+  ['core_authentication_password_policy_min_digits', 'Password must contain at least {arg:min} digits'],
+  ['core_authentication_password_policy_min_special_characters', 'Password must contain at least {arg:min} special characters'],
 ];

webapp/packages/core-authentication/src/manifest.ts

@@ -16,6 +16,7 @@ import { AuthProvidersResource } from './AuthProvidersResource';
 import { AuthRolesResource } from './AuthRolesResource';
 import { AuthSettingsService } from './AuthSettingsService';
 import { LocaleService } from './LocaleService';
+import { PasswordPolicyService } from './PasswordPolicyService';
 import { TeamMetaParametersResource } from './TeamMetaParametersResource';
 import { TeamsManagerService } from './TeamsManagerService';
 import { TeamsResource } from './TeamsResource';
@@ -47,6 +48,7 @@ export const coreAuthenticationManifest: PluginManifest = {
     UserConfigurationBootstrap,
     AuthRolesResource,
     TeamMetaParametersResource,
+    PasswordPolicyService,
     LocaleService,
   ],
 };

webapp/packages/core-authentication/src/usePasswordPolicy.ts

@@ -0,0 +1,22 @@
+/*
+ * CloudBeaver - Cloud Database Manager
+ * Copyright (C) 2020-2024 DBeaver Corp and others
+ *
+ * Licensed under the Apache License, Version 2.0.
+ * you may not use this file except in compliance with the License.
+ */
+import { useCustomInputValidation } from '@cloudbeaver/core-blocks';
+import { useService } from '@cloudbeaver/core-di';
+
+import { PasswordPolicyService } from './PasswordPolicyService';
+
+export function usePasswordPolicy() {
+  const passwordPolicyService = useService(PasswordPolicyService);
+
+  const ref = useCustomInputValidation<string>(value => {
+    const validation = passwordPolicyService.validatePassword(value);
+    return validation.isValid ? null : validation.errorMessage;
+  });
+
+  return ref;
+}