[open-ils-commits] r16149 - in branches/rel_1_6/Open-ILS: examples/apache src/extras src/perlmods/OpenILS/Application src/perlmods/OpenILS/WWW src/templates/password-reset (dbs)

svn at svn.open-ils.org svn at svn.open-ils.org
Wed Apr 7 01:17:16 EDT 2010


Author: dbs
Date: 2010-04-07 01:17:13 -0400 (Wed, 07 Apr 2010)
New Revision: 16149

Modified:
   branches/rel_1_6/Open-ILS/examples/apache/eg_vhost.conf
   branches/rel_1_6/Open-ILS/src/extras/ils_events.xml
   branches/rel_1_6/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
   branches/rel_1_6/Open-ILS/src/perlmods/OpenILS/WWW/PasswordReset.pm
   branches/rel_1_6/Open-ILS/src/templates/password-reset/strings.en-US
Log:
Implement password complexity checking on self-serve password resets.
Add a new text code for weak passwords and a corresponding reset failure message.


Modified: branches/rel_1_6/Open-ILS/examples/apache/eg_vhost.conf
===================================================================
--- branches/rel_1_6/Open-ILS/examples/apache/eg_vhost.conf	2010-04-07 03:24:20 UTC (rev 16148)
+++ branches/rel_1_6/Open-ILS/examples/apache/eg_vhost.conf	2010-04-07 05:17:13 UTC (rev 16149)
@@ -176,7 +176,6 @@
     # Force clients to use HTTPS
     RewriteEngine On
     RewriteCond %{HTTPS} !=on [NC]
-    RewriteCond %{REQUEST_URI} ^/opac/password(/.*)?
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
 </Location>
 

Modified: branches/rel_1_6/Open-ILS/src/extras/ils_events.xml
===================================================================
--- branches/rel_1_6/Open-ILS/src/extras/ils_events.xml	2010-04-07 03:24:20 UTC (rev 16148)
+++ branches/rel_1_6/Open-ILS/src/extras/ils_events.xml	2010-04-07 05:17:13 UTC (rev 16149)
@@ -833,6 +833,9 @@
     <event code='7026' textcode='PATRON_NOT_AN_ACTIVE_PASSWORD_RESET_REQUEST'>
         <desc xml:lang='en-US'>The user attempted to update their password using a stale or inactive password reset request session.</desc>
     </event>
+    <event code='7027' textcode='PATRON_PASSWORD_WAS_NOT_STRONG'>
+        <desc xml:lang='en-US'>The user attempted to set their password to a weak value.</desc>
+    </event>
 
 
 	<!-- ================================================================ -->

Modified: branches/rel_1_6/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
===================================================================
--- branches/rel_1_6/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm	2010-04-07 03:24:20 UTC (rev 16148)
+++ branches/rel_1_6/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm	2010-04-07 05:17:13 UTC (rev 16149)
@@ -35,6 +35,7 @@
 use OpenILS::Utils::Penalty;
 
 use UUID::Tiny qw/:std/;
+use JavaScript::SpiderMonkey;
 
 sub initialize {
 	OpenILS::Application::Actor::Container->initialize();
@@ -3513,8 +3514,52 @@
         return OpenILS::Event->new('PATRON_NOT_AN_ACTIVE_PASSWORD_RESET_REQUEST');
     }
 
-    # TODO Check complexity of password against OU-defined regex
+    # Check complexity of password against OU-defined regex
+    my $pw_regex = $U->ou_ancestor_setting_value($user->home_ou, 'global.password_regex');
 
+    my $is_strong = 'false';
+    if (!$pw_regex) {
+        # Use the default set of checks
+        if ((length($password) < 7)
+                or ($password !~ m/.*\d+.*/)
+                or ($password !~ m/.*[A-Za-z]+.*/)) {
+            # Still false!
+        } else {
+            $is_strong = 'true';
+        }
+    } else {
+        # The password regex is for JavaScript, so we have to use SpiderMonkey to eval it
+        my $js = JavaScript::SpiderMonkey->new();
+        $js->init();
+        $js->property_by_path('pw.is_strong', 'false');
+        $js->property_by_path('pw.password', $password);
+        $js->property_by_path('pw.regex', $pw_regex || 'blank');
+
+        my $pw_script = << 'PWCHECK';
+            if (pw.regex != 'blank') {
+                if (pw.password.match(new RegExp(pwregex))) {
+                    pw.is_strong = 'true';
+                }
+            } else {
+                } while(0);
+            }
+PWCHECK
+
+        my $rc = $js->eval($pw_script);
+        if (!$rc) {
+            $logger->error("Error interpreting JavaScript while checking password strength: %s", $@);
+        }
+
+        # Get the value of a property set in JS
+        $is_strong = $js->property_get('pw.is_strong');
+        $js->destroy();
+    }
+
+    if ($is_strong eq 'false') {
+        $e->die_event;
+        return OpenILS::Event->new('PATRON_PASSWORD_WAS_NOT_STRONG');
+    }
+
     # All is well; update the password
     $user->passwd($password);
     $e->update_actor_user($user);
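Review bot: The JavaScript handed to SpiderMonkey in the new block cannot run: `new RegExp(pwregex)` refers to an undefined name (the property was registered as `pw.regex`), and the `} else { } while(0); }` construct is not valid JavaScript, so `$js->eval` fails and `pw.is_strong` stays `'false'` — every reset in an org unit that sets `global.password_regex` is rejected as weak (fail-closed, but the setting is unusable). The `'blank'` branch is also unreachable, because an empty setting already takes the Perl default branch above it, so the script can be reduced to `if (pw.password.match(new RegExp(pw.regex))) { pw.is_strong = 'true'; }`. The failure log line formats `$@`, which is only populated by Perl's own eval and is probably empty here, and the `%s` is logged literally if `$logger->error` does not take printf-style arguments; log the org unit and whatever failure reason the module exposes (never the password) so operators can see which regex is broken. The enclosing sub starts outside the hunk.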

Modified: branches/rel_1_6/Open-ILS/src/perlmods/OpenILS/WWW/PasswordReset.pm
===================================================================
--- branches/rel_1_6/Open-ILS/src/perlmods/OpenILS/WWW/PasswordReset.pm	2010-04-07 03:24:20 UTC (rev 16148)
+++ branches/rel_1_6/Open-ILS/src/perlmods/OpenILS/WWW/PasswordReset.pm	2010-04-07 05:17:13 UTC (rev 16149)
@@ -119,15 +119,23 @@
 
     if ($password_1 and $password_2 and ($password_1 eq $password_2)) {
         my $response = $actor->request('open-ils.actor.patron.password_reset.commit', $uuid, $password_1)->gather();
-        if (ref($response) && 
-                $response->{'textcode'} && 
-                $response->{'textcode'} eq 'PATRON_NOT_AN_ACTIVE_PASSWORD_RESET_REQUEST') {
+        if (ref($response) && $response->{'textcode'}) {
             $apache->status(Apache2::Const::DECLINED);
-            $ctx->{'status'} = { 
-                style => 'error',
-                msg => $ctx->{'i18n'}{'NOT_ACTIVE'}
 
-            };
+            if ($response->{'textcode'} eq 'PATRON_NOT_AN_ACTIVE_PASSWORD_RESET_REQUEST') {
+                $ctx->{'status'} = { 
+                    style => 'error',
+                    msg => $ctx->{'i18n'}{'NOT_ACTIVE'}
+
+                };
+            }
+            if ($response->{'textcode'} eq 'PATRON_PASSWORD_WAS_NOT_STRONG') {
+                $ctx->{'status'} = { 
+                    style => 'error',
+                    msg => $ctx->{'i18n'}{'NOT_STRONG'}
+
+                };
+            }
             $tt->process('password-reset/reset-form.tt2', $ctx)
                 || die $tt->error();
             return Apache2::Const::OK;
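Review bot: The widened `ref($response) && $response->{'textcode'}` test now catches every event the commit call returns, but only the two named textcodes set `$ctx->{'status'}`, so any other event (a permission or database error, for example) re-renders the form with no message and the user cannot tell that the password was not changed. Turn the two checks into an `if`/`elsif` chain with a final `else` that logs the unexpected textcode and sets a generic error status, e.g. `$ctx->{'status'} = { style => 'error', msg => $ctx->{'i18n'}{'NOT_ACTIVE'} };` until a dedicated string exists. It also looks like `$apache->status(Apache2::Const::DECLINED)` stores a handler return code rather than an HTTP status; verify that is intended. The enclosing handler starts and ends outside the hunk.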

Modified: branches/rel_1_6/Open-ILS/src/templates/password-reset/strings.en-US
===================================================================
--- branches/rel_1_6/Open-ILS/src/templates/password-reset/strings.en-US	2010-04-07 03:24:20 UTC (rev 16148)
+++ branches/rel_1_6/Open-ILS/src/templates/password-reset/strings.en-US	2010-04-07 05:17:13 UTC (rev 16149)
@@ -7,6 +7,7 @@
 NO_SESSION=Could not find the requested password reset session.
 NO_MATCH=Passwords did not match. Please try again
 NOT_ACTIVE=This was not an active password reset request. Your password has not been reset.
+NOT_STRONG=The password you chose was not considered complex enough to protect your account. Your password has not been reset.
 SUCCESS=Password has been reset.
 TITLE=Library system password reset
 PASSWORD_PROMPT=New password: 


