FOUR-11415 Password Policy Configuration

ProcessMaker/Http/Controllers/Auth/LoginController.php

@@ -38,6 +38,8 @@ class LoginController extends Controller
      */
     protected $redirectTo = '/';
 
+    protected $maxAttempts;
+
     /**
      * Create a new controller instance.
      *
@@ -46,6 +48,7 @@ class LoginController extends Controller
     public function __construct()
     {
         $this->middleware('guest')->except(['logout', 'beforeLogout', 'keepAlive']);
+        $this->maxAttempts = (int) config('password-policies.login_attempts');
     }
 
     /**

ProcessMaker/Models/User.php

@@ -8,12 +8,12 @@
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;
 use Illuminate\Validation\Rule;
+use Illuminate\Validation\Rules\Password;
 use Laravel\Passport\HasApiTokens;
 use ProcessMaker\Models\EmptyModel;
 use ProcessMaker\Notifications\ResetPassword as ResetPasswordNotification;
 use ProcessMaker\Query\Traits\PMQL;
 use ProcessMaker\Rules\StringHasAtLeastOneUpperCaseCharacter;
-use ProcessMaker\Rules\StringHasNumberOrSpecialCharacter;
 use ProcessMaker\Traits\Exportable;
 use ProcessMaker\Traits\HasAuthorization;
 use ProcessMaker\Traits\HideSystemResources;
@@ -183,13 +183,28 @@ public static function rules(self $existing = null)
      */
     public static function passwordRules(self $existing = null)
     {
-        return array_filter([
+        // Mandatory policies
+        $passwordPolicies = [
             'required',
             $existing ? 'sometimes' : '',
-            'min:8',
-            new StringHasNumberOrSpecialCharacter(),
-            new StringHasAtLeastOneUpperCaseCharacter(),
-        ]);
+        ];
+        // Configurable policies
+        $passwordRules = Password::min(config('password-policies.minimum_length'));
+        if (config('password-policies.maximum_length')) {
+            $passwordPolicies[] = 'max:' . config('password-policies.maximum_length');
+        }
+        if (config('password-policies.numbers')) {
+            $passwordRules->numbers();
+        }
+        if (config('password-policies.uppercase')) {
+            $passwordPolicies[] = new StringHasAtLeastOneUpperCaseCharacter();
+        }
+        if (config('password-policies.special')) {
+            $passwordRules->symbols();
+        }
+        $passwordPolicies[] = $passwordRules;
+
+        return $passwordPolicies;
     }
 
     /**

config/password-policies.php

@@ -0,0 +1,11 @@
+<?php
+
+return [
+    'minimum_length' => env('PASSWORD_POLICY_MINIMUM_LENGTH', 8),
+    'maximum_length' => env('PASSWORD_POLICY_MAXIMUM_LENGTH', null),
+    'numbers' => env('PASSWORD_POLICY_NUMBERS', true),
+    'uppercase' => env('PASSWORD_POLICY_UPPERCASE', true),
+    'special' => env('PASSWORD_POLICY_SPECIAL', true),
+    //'expiration_days' => env('PASSWORD_POLICY_EXPIRATION_DAYS', 0), // 0 never expires
+    'login_attempts' => env('PASSWORD_POLICY_LOGIN_ATTEMPTS', 5),
+];

resources/views/admin/users/edit.blade.php

@@ -396,12 +396,6 @@
               delete this.formData.password;
               return true
             }
-            if (this.formData.password.trim().length > 0 && this.formData.password.trim().length < 8) {
-              this.errors.password = ['Password must be at least 8 characters']
-              this.password = ''
-              this.submitted = false
-              return false
-            }
             if (this.formData.password !== this.formData.confPassword) {
               this.errors.password = ['Passwords must match']
               this.password = ''

resources/views/auth/passwords/change.blade.php

@@ -45,7 +45,7 @@
                                     'v-bind:class' => '{\'form-control\':true, \'is-invalid\':errors.password}']) !!}
                                 </div>
                             </vue-password>
-                            <small v-if="errors && errors.password && errors.password.length" class="text-danger">@{{ errors.password[0] }}</small>
+                            <small v-for="(error, index) in errors.password" class="text-danger">@{{ error }}</small>
                         </div>
                         <div class="form-group">
                             {!!Form::label('confpassword', __('Confirm Password'))!!}<small class="ml-1">*</small>
@@ -94,11 +94,6 @@
                 });
             },
             validatePassword() {
-                if (this.$refs.passwordStrength.strength.score < 2) {
-                    this.errors.password = ['Password is too weak']
-                    return false
-                }
-
                 if (!this.formData.password && !this.formData.confpassword) {
                     return false;
                 }
@@ -107,12 +102,6 @@
                     return false
                 }
 
-                if (this.formData.password.trim().length > 0 && this.formData.password.trim().length < 8) {
-                    this.errors.password = ['Password must be at least 8 characters']
-                    this.formData.password = ''
-                    return false
-                }
-
                 if (this.formData.password !== this.formData.confpassword) {
                     this.errors.password = ['Passwords must match']
                     return false

resources/views/profile/edit.blade.php

@@ -151,12 +151,6 @@
                         delete this.formData.password;
                         return true
                     }
-					if (this.formData.password.trim().length > 0 && this.formData.password.trim().length < 8) {
-						this.errors.password = ['Password must be at least 8 characters']
-                        this.password = ''
-                        this.submitted = false
-                        return false
-					}
                     if (this.formData.password !== this.formData.confPassword) {
                         this.errors.password = ['Passwords must match']
                         this.password = ''

resources/views/shared/users/sidebar.blade.php

@@ -22,8 +22,8 @@
         </div>
     </div>
     <div class="card card-body mt-3">
-        <fieldset :disabled="{{ \Auth::user()->hasPermission('edit-user-and-password') || \Auth::user()->is_administrator ? 'false' : 'true' }}">  
-            <legend> 
+        <fieldset :disabled="{{ \Auth::user()->hasPermission('edit-user-and-password') || \Auth::user()->is_administrator ? 'false' : 'true' }}">
+            <legend>
                 <h5 class="mb-3 font-weight-bold">{{__('Login Information')}}</h5>
             </legend>
             <div class="form-group">
@@ -54,7 +54,8 @@
                 {!! Form::label('confPassword', __('Confirm Password')) !!}
                 {!! Form::password('confPassword', ['id' => 'confPassword', 'rows' => 4, 'class'=> 'form-control', 'v-model'
                 => 'formData.confPassword', 'autocomplete' => 'new-password', 'v-bind:class' => '{\'form-control\':true, \'is-invalid\':errors.password}']) !!}
-                <div class="invalid-feedback" :style="{display: (errors.password) ? 'block' : 'none' }" role="alert" v-if="errors.password">@{{errors.password[0]}}</div>
+                <div class="invalid-feedback" :style="{display: (errors.password) ? 'block' : 'none' }" role="alert"
+                     v-for="(error, index) in errors.password">@{{error}}</div>
             </div>
             @cannot('edit-user-and-password')
                 <div class="form-group">

tests/Feature/Api/ChangePasswordTest.php

@@ -45,8 +45,9 @@ public function testUserPasswordChangeWithInvalidPassword()
             'confpassword' => 'ProcessMaker',
         ]);
 
-        $response->assertStatus(422)
-                 ->assertSeeText('The password must contain either a number or a special character');
+        $response->assertStatus(422);
+        $json = $response->json();
+        $this->assertTrue(in_array('The Password field must contain at least one symbol.', $json['errors']['password']));
 
         // Validate updated user password changed
         $updatedUser = User::where('id', $user->id)->first();
@@ -72,8 +73,8 @@ public function testUserChangePasswordMustSetFlagToFalse()
 
         // Post data with new password
         $response = $this->apiCall('PUT', self::API_TEST_URL, [
-            'password' => 'ProcessMaker1',
-            'confpassword' => 'ProcessMaker1',
+            'password' => 'ProcessMaker1_',
+            'confpassword' => 'ProcessMaker1_',
         ]);
 
         // Validate the header status code

tests/Feature/Api/UsersTest.php

@@ -61,7 +61,7 @@ public function getUpdatedData()
             'timezone' => $faker->timezone(),
             'status' => $faker->randomElement(['ACTIVE', 'INACTIVE']),
             'birthdate' => $faker->dateTimeThisCentury()->format('Y-m-d'),
-            'password' => $faker->sentence(10),
+            'password' => $faker->sentence(8) . 'A_' . '1',
         ];
     }
 
@@ -100,7 +100,7 @@ public function testCreateUser()
             'lastname' => 'name',
             'email' => $faker->email(),
             'status' => $faker->randomElement(['ACTIVE', 'INACTIVE']),
-            'password' => $faker->sentence(10),
+            'password' => $faker->password(8) . 'A_' . '1',
         ]);
 
         // Validate the header status code
@@ -602,9 +602,9 @@ public function testCreateWithoutPassword()
         $response = $this->apiCall('POST', self::API_TEST_URL, $payload);
         $response->assertStatus(422);
         $json = $response->json();
-        $this->assertEquals('The Password field must be at least 8 characters.', $json['errors']['password'][0]);
+        $this->assertTrue(in_array('The Password field must be at least 8 characters.', $json['errors']['password']));
 
-        $payload['password'] = 'Abc12345';
+        $payload['password'] = 'Abc12345_';
         $response = $this->apiCall('POST', self::API_TEST_URL, $payload);
         $response->assertStatus(201);
         $json = $response->json();
@@ -616,9 +616,9 @@ public function testCreateWithoutPassword()
         $response = $this->apiCall('PUT', route('api.users.update', $userId), $payload);
         $response->assertStatus(422);
         $json = $response->json();
-        $this->assertEquals('The Password field must be at least 8 characters.', $json['errors']['password'][0]);
+        $this->assertTrue(in_array('The Password field must be at least 8 characters.', $json['errors']['password']));
 
-        $payload['password'] = 'Abc12345';
+        $payload['password'] = 'Abc12345_';
         $response = $this->apiCall('PUT', route('api.users.update', $userId), $payload);
         $response->assertStatus(204);
 
@@ -673,7 +673,7 @@ public function testCreateUserValidateUsername()
                 'lastname' => $faker->lastName(),
                 'email' => $faker->email(),
                 'status' => $faker->randomElement(['ACTIVE', 'INACTIVE']),
-                'password' => $faker->sentence(10),
+                'password' => $faker->sentence(8) . 'A_' . '1',
             ]);
             // Validate the header status code
             $response->assertStatus(201);