Skip to content

Implement password policy with hook#5419

Open
JolienTrog wants to merge 50 commits intomainfrom
password-policy
Open

Implement password policy with hook#5419
JolienTrog wants to merge 50 commits intomainfrom
password-policy

Conversation

@JolienTrog
Copy link
Contributor

@JolienTrog JolienTrog commented Aug 26, 2025

Ref #4401

@JolienTrog JolienTrog requested a review from Al2Klimov August 26, 2025 09:22
@cla-bot cla-bot bot added the cla/signed label Aug 26, 2025
Al2Klimov
Al2Klimov requested changes Aug 26, 2025
View reviewed changes
Copy link
Member

@Al2Klimov Al2Klimov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix your code style as told by the failing Github actions.

Al2Klimov
Al2Klimov reviewed Aug 26, 2025
View reviewed changes
Copy link
Member

@Al2Klimov Al2Klimov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please push without -f for now. This eases it for me to keep track of your changes.

@JolienTrog JolienTrog requested a review from Al2Klimov August 26, 2025 15:21
Al2Klimov
Al2Klimov reviewed Aug 26, 2025
View reviewed changes
@JolienTrog JolienTrog requested a review from Al2Klimov August 27, 2025 07:53
Al2Klimov
Al2Klimov reviewed Aug 27, 2025
View reviewed changes
Al2Klimov
Al2Klimov reviewed Aug 27, 2025
View reviewed changes
Al2Klimov
Al2Klimov reviewed Aug 27, 2025
View reviewed changes
Al2Klimov
Al2Klimov reviewed Aug 27, 2025
View reviewed changes
@JolienTrog JolienTrog requested a review from Al2Klimov August 28, 2025 08:35
Al2Klimov
Al2Klimov reviewed Aug 28, 2025
View reviewed changes
@JolienTrog JolienTrog requested a review from Al2Klimov August 28, 2025 11:05
Al2Klimov
Al2Klimov reviewed Aug 28, 2025
View reviewed changes
@JolienTrog JolienTrog requested a review from Al2Klimov August 28, 2025 13:15
Al2Klimov
Al2Klimov reviewed Aug 28, 2025
View reviewed changes
@JolienTrog JolienTrog requested a review from Al2Klimov August 28, 2025 14:05
Al2Klimov
Al2Klimov reviewed Aug 28, 2025
View reviewed changes
@JolienTrog JolienTrog requested a review from Al2Klimov August 28, 2025 15:26
Al2Klimov
Al2Klimov reviewed Aug 28, 2025
View reviewed changes
Copy link
Member

@Al2Klimov Al2Klimov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

During setup, the wizard prompts me for a username and password "to configure your first administrative account". This should enforce the chosen password policy.

@JolienTrog JolienTrog force-pushed the password-policy branch 2 times, most recently from 97e07ad to 39bbc53 Compare September 2, 2025 10:24
sukhwinder33445
sukhwinder33445 requested changes Sep 2, 2025
View reviewed changes
sukhwinder33445
sukhwinder33445 reviewed Sep 2, 2025
View reviewed changes
sukhwinder33445
sukhwinder33445 reviewed Sep 2, 2025
View reviewed changes
@lippserd
Copy link
Member

lippserd commented Dec 3, 2025

💡

@lippserd What do you think about this:

ChangePasswordForm already has the old and new password. So PasswordPolicy can take both.

It would cost us nothing, but admins could implement #5417 by themselves. They could also use e.g Levenshtein distance and/or A.I to prevent the "smartest" users from using passwords similar to their current ones.

That's a good idea! @JolienTrog Could you please adjust the implementation so that the validation function accepts both $newPassword and $oldPassword, where the latter may be null?

@jrauh01 jrauh01 mentioned this pull request Dec 11, 2025
Open
@Al2Klimov Al2Klimov removed their request for review December 17, 2025 15:30
Al2Klimov
Al2Klimov reviewed Jan 26, 2026
View reviewed changes
library/Icinga/Authentication/PasswordPolicyHelper.php Outdated
Comment on lines +45 to +47
// if($oldPassword !== null) {
$form->getElement($oldPassword);
// }
Copy link
Member

@Al2Klimov Al2Klimov Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does this code even do?

Copy link
Contributor Author

@JolienTrog JolienTrog Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I forgot to delete this part.

Copy link
Member

@lippserd lippserd Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is indeed necessary to do something with the element for the old password, as your introduced validator expects the old password element to be named old_password, which may not be the case. This shows that it also makes sense to introduce test cases for an actual form that implements password elements, a policy, and the validator.

lippserd
lippserd requested changes Jan 27, 2026
View reviewed changes
Copy link
Member

@lippserd lippserd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In addition to the changes requested, please revert anything related to 81e6859. This does not look like a necessary change.

doc/05-Authentication.md Outdated
Comment on lines +166 to +167
By default, no password policy is enforced ('Any').
Icinga Web provides a built-in policy called 'Common' with the following requirements:
Copy link
Member

@lippserd lippserd Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please annotate Any and Common as code.

library/Icinga/Application/Hook/PasswordPolicyHook.php Outdated
use Icinga\Authentication\PasswordPolicy;

/**
* This class connects with the PasswordPolicy interface to use it as hook
Copy link
Member

@lippserd lippserd Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* This class connects with the PasswordPolicy interface to use it as hook
* Base class for hookable password policies

library/Icinga/Application/Hook/PasswordPolicyHook.php Outdated
abstract class PasswordPolicyHook implements PasswordPolicy
{
/**
* Registers Hook as Password Policy
Copy link
Member

@lippserd lippserd Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Registers Hook as Password Policy
* Register password policy

library/Icinga/Application/Hook/PasswordPolicyHook.php Outdated
*/
public static function register(): void
{
Hook::register('PasswordPolicy', static::class, static::class);
Copy link
Member

@lippserd lippserd Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PasswordPolicy could be a protected const, e.g., HOOK_NAME.

library/Icinga/Application/Hook/PasswordPolicyHook.php Outdated
}

/**
* Returns all registered password policies sorted by
Copy link
Member

@lippserd lippserd Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Returns all registered password policies sorted by
* Return all registered password policies sorted by name

test/php/library/Icinga/Application/AnyPasswordPolicyTest.php Outdated

class AnyPasswordPolicyTest extends TestCase
{
private PasswordPolicy $instance;
Copy link
Member

@lippserd lippserd Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please rename to passwordPolicy, as everywhere else in the code.

test/php/library/Icinga/Application/CommonPasswordPolicyTest.php Outdated

class CommonPasswordPolicyTest extends TestCase
{
protected PasswordPolicy $instance;
Copy link
Member

@lippserd lippserd Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please rename to passwordPolicy, as everywhere else in the code.

test/php/library/Icinga/Application/CommonPasswordPolicyTest.php Outdated
);
}

public function testMethodValidatePasswordAlwaysReturnAnEmptyArray(): void
Copy link
Member

@lippserd lippserd Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
public function testMethodValidatePasswordAlwaysReturnAnEmptyArray(): void
public function testValidatePasswordValid(): void

test/php/library/Icinga/Application/CommonPasswordPolicyTest.php Outdated
Comment on lines +90 to +95

public function testValidatePasswordWithManyCharacters(): void
{
$longPassword = str_repeat('a', 1000);
$this->assertCount(3, $this->instance->validate($longPassword, 'null'));
}
Copy link
Member

@lippserd lippserd Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test is not very useful.

Suggested change
public function testValidatePasswordWithManyCharacters(): void
{
$longPassword = str_repeat('a', 1000);
$this->assertCount(3, $this->instance->validate($longPassword, 'null'));
}

@JolienTrog JolienTrog requested a review from lippserd January 30, 2026 08:43
Al2Klimov
Al2Klimov requested changes Feb 16, 2026
View reviewed changes
@Al2Klimov Al2Klimov mentioned this pull request Mar 4, 2026
Open
@Al2Klimov Al2Klimov mentioned this pull request Mar 19, 2026
Open
lippserd
lippserd requested changes Mar 20, 2026
View reviewed changes
doc/05-Authentication.md Outdated

class PasswordPolicy extends PasswordPolicyHook
{
use Translation;
Copy link
Member

@lippserd lippserd Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You use the Translation trait only but never call $this->translate() on any of the strings.

library/Icinga/Authentication/PasswordPolicyHelper.php
return $passwordPolicy;
}

public static function addPasswordPolicyDescription(Form $form, PasswordPolicy $passwordPolicy): void
Copy link
Member

@lippserd lippserd Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PHPDoc missing.

JolienTrog and others added 17 commits March 20, 2026 11:42
@JolienTrog @lippserd
Update application/forms/Config/General/PasswordPolicyConfigForm.php
4dabe41 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Update doc/05-Authentication.md
c29a90a 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Update test/php/library/Icinga/Application/AnyPasswordPolicyTest.php
74e549d 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Update library/Icinga/Authentication/PasswordPolicyValidator.php
ca5f843 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Update library/Icinga/Authentication/PasswordPolicyValidator.php
812646e 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Update library/Icinga/Authentication/PasswordPolicyValidator.php
315570f 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Update doc/05-Authentication.md
b022b18 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Update doc/05-Authentication.md
408f1e5 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Update doc/05-Authentication.md
1380632 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Update library/Icinga/Application/ProvidedHook/AnyPasswordPolicy.php
37e7ed6 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Update library/Icinga/Application/ProvidedHook/CommonPasswordPolicy.php
5f229e1 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Update library/Icinga/Authentication/PasswordPolicy.php
a71c4d8 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Update library/Icinga/Authentication/PasswordPolicyHelper.php
2c197eb 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog @lippserd
Apply suggestions from code review
abef7e6 
Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@JolienTrog
Update ChangePasswordForm.php
d063739
@JolienTrog
Update UserForm.php
5ed97f1
@JolienTrog
Update 05-Authentication.md
42abffc
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lippserd lippserd lippserd requested changes

@Al2Klimov Al2Klimov Al2Klimov requested changes

@sukhwinder33445 sukhwinder33445 sukhwinder33445 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

cla/signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@JolienTrog @lippserd @Al2Klimov @sukhwinder33445