[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Tomás Cohen Arazi  changed:

   What|Removed |Added

 Status|Signed Off  |Passed QA

--- Comment #66 from Tomás Cohen Arazi  ---
Great job Jonathan!

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Tomás Cohen Arazi  changed:

   What|Removed |Added

  Attachment #68097 is obsolete|0   |1

--- Comment #63 from Tomás Cohen Arazi  ---
Created attachment 68104
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68104&action=edit
Bug 18298: minPasswordLength should not be used as the default password length

The length of the passwords generated for a patron should not be as long
as the value of minPasswordLength.
It is the minimum required size of a password, not the maximum!
So let's fix it to 8 if minPasswordLength is < 8; that sounds
reasonable and less risky for patrons.

Signed-off-by: Marc Véron 
Signed-off-by: Tomas Cohen Arazi 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Tomás Cohen Arazi  changed:

   What|Removed |Added

  Attachment #68098 is obsolete|0   |1

--- Comment #64 from Tomás Cohen Arazi  ---
Created attachment 68105
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68105&action=edit
Bug 18298: Add server-side checks and refactor stuff

Now that we have a client-side check, nothing prevents a smart guy from
bypassing it and forcing an invalid password.
This patch adds two new subroutines to Koha::AuthUtils to check the
validity of passwords and generate a password server-side. It is used
only once (self-registration) but could be useful later.

Moreover the 3 different cases of password rejection (too weak, too
short, contains leading or trailing whitespaces) were not tested
everywhere. Now they are!

This patch makes things consistent everywhere and cleans up some code.

Signed-off-by: Marc Véron 
Signed-off-by: Tomas Cohen Arazi 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #65 from Tomás Cohen Arazi  ---
Created attachment 68106
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68106&action=edit
Bug 18298: (QA followup) Use Koha.Preference on the template

Signed-off-by: Tomas Cohen Arazi 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Tomás Cohen Arazi  changed:

   What|Removed |Added

  Attachment #66623 is obsolete|0   |1

--- Comment #61 from Tomás Cohen Arazi  ---
Created attachment 68102
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68102&action=edit
Bug 18298: Move password generation to template side

This patch removes a really ugly way to generate a password: the whole
template was sent and parsed to retrieve the "#defaultnewpassfield" node.
To avoid the password being sent in plain text it is certainly better to
generate it client-side.
The same kind of passwords will be generated: 0-9a-zA-Z
The while loop prevents getting an invalid generated password.

Signed-off-by: Marc Véron 
Signed-off-by: Tomas Cohen Arazi 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Tomás Cohen Arazi  changed:

   What|Removed |Added

  Attachment #68096 is obsolete|0   |1

--- Comment #62 from Tomás Cohen Arazi  ---
Created attachment 68103
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68103&action=edit
Bug 18298: minPasswordLength should not be < 3

Indeed if RequireStrongPassword is set we need at least 3 characters to
match 1 upper, 1 lower and 1 digit.
We could make things more complicated to allow minPasswordLength < 3
but, really, 3 is already too low...

Signed-off-by: Marc Véron 
Signed-off-by: Tomas Cohen Arazi 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Tomás Cohen Arazi  changed:

   What|Removed |Added

  Attachment #66622 is obsolete|0   |1

--- Comment #60 from Tomás Cohen Arazi  ---
Created attachment 68101
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68101&action=edit
Bug 18298: Use the validate jQuery plugin

To validate password fields we need to use the validate jQuery plugin.
To make things reusable this patch adds a new include file
'password_check.inc' on the intranet and opac sides; it creates 3 new
validation methods:
- password_strong => make sure the passwords are strong enough according
to the values of the RequireStrongPassword and minPasswordLength prefs
- password_no_spaces => prevent passwords from being entered with leading or
trailing spaces
- password_match => make sure both password fields match

Signed-off-by: Marc Véron 
Signed-off-by: Tomas Cohen Arazi 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Tomás Cohen Arazi  changed:

   What|Removed |Added

  Attachment #66621 is obsolete|0   |1

--- Comment #59 from Tomás Cohen Arazi  ---
Created attachment 68100
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68100&action=edit
Bug 18298: Enforce password complexity

This patchset prevents users from entering too weak a password, controlled by
a new syspref RequireStrongPassword. If set, the staff and patrons will have
to enter a strong password.
The strength cannot be modified; it has been arbitrarily set (by the
author of this enhancement) to at least 1 lowercase, 1 uppercase and 1
digit. This can be reinforced by increasing the value of the existing
minPasswordLength pref.

I decided to turn this feature on, it cannot hurt! For existing installs
it will have to be turned on manually.

Writing these patches I found a lot of inconsistencies all around the
password checks and decided to refactor everything to make things
consistent and more robust.
Now the password validity is checked in only one place (subroutine
covered by tests).

Test plan:
We have several places where a password can be changed/created:
a. Editing a patron (members/memberentry.pl)
b. Changing the password of a patron (members/member-password.pl)
c. Changing your own password at the opac (opac/opac-passwd.pl).
OpacPasswordChange needs to be set
d. Resetting your own password at the opac
(opac/opac-password-recovery.pl). OpacResetPassword needs to be set,
see "Forgot your password?" link when you are not logged in
e. Self registration feature, PatronSelfRegistration needs to be set.

You will also need to add 'password' to
PatronSelfRegistrationBorrowerMandatoryField.

Note that '' is considered by Koha internally to mean that the password is
not changed (existing behavior).

To fully test this patch you will need to test the different
combinations of RequireStrongPassword and minPasswordLength.

Signed-off-by: Marc Véron 
Signed-off-by: Tomas Cohen Arazi 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #56 from Jonathan Druart ---
Created attachment 68097
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68097&action=edit
Bug 18298: minPasswordLength should not be used as the default password length

The length of the passwords generated for a patron should not be as long
as the value of minPasswordLength.
It is the minimum required size of a password, not the maximum!
So let's fix it to 8 if minPasswordLength is < 8; that sounds
reasonable and less risky for patrons.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #57 from Jonathan Druart ---
Created attachment 68098
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68098&action=edit
Bug 18298: Add server-side checks and refactor stuff

Now that we have a client-side check, nothing prevents a smart guy from
bypassing it and forcing an invalid password.
This patch adds two new subroutines to Koha::AuthUtils to check the
validity of passwords and generate a password server-side. It is used
only once (self-registration) but could be useful later.

Moreover the 3 different cases of password rejection (too weak, too
short, contains leading or trailing whitespaces) were not tested
everywhere. Now they are!

This patch makes things consistent everywhere and cleans up some code.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #58 from Jonathan Druart ---
Very easy conflict with bug 18777 fixed.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #66624 is obsolete|0   |1
  Attachment #66625 is obsolete|0   |1
  Attachment #66626 is obsolete|0   |1

--- Comment #55 from Jonathan Druart ---
Created attachment 68096
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68096&action=edit
Bug 18298: minPasswordLength should not be < 3

Indeed if RequireStrongPassword is set we need at least 3 characters to
match 1 upper, 1 lower and 1 digit.
We could make things more complicated to allow minPasswordLength < 3
but, really, 3 is already too low...

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Tomás Cohen Arazi  changed:

   What|Removed |Added

   Severity|enhancement |new feature
 CC||tomasco...@gmail.com


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Tomás Cohen Arazi  changed:

   What|Removed |Added

 QA Contact|testo...@bugs.koha-community.org|tomasco...@gmail.com


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-10-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

jdem...@roseville.ca.us  changed:

   What|Removed |Added

 CC||jdem...@roseville.ca.us



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-09-06 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Jonathan Druart  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9920



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-08-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #54 from Jonathan Druart ---
Created attachment 66626
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66626&action=edit
Bug 18298: Add server-side checks and refactor stuff

Now that we have a client-side check, nothing prevents a smart guy from
bypassing it and forcing an invalid password.
This patch adds two new subroutines to Koha::AuthUtils to check the
validity of passwords and generate a password server-side. It is used
only once (self-registration) but could be useful later.

Moreover the 3 different cases of password rejection (too weak, too
short, contains leading or trailing whitespaces) were not tested
everywhere. Now they are!

This patch makes things consistent everywhere and cleans up some code.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-08-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #53 from Jonathan Druart ---
Created attachment 66625
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66625&action=edit
Bug 18298: minPasswordLength should not be used as the default password length

The length of the passwords generated for a patron should not be as long
as the value of minPasswordLength.
It is the minimum required size of a password, not the maximum!
So let's fix it to 8 if minPasswordLength is < 8; that sounds
reasonable and less risky for patrons.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-08-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #52 from Jonathan Druart ---
Created attachment 66624
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66624&action=edit
Bug 18298: minPasswordLength should not be < 3

Indeed if RequireStrongPassword is set we need at least 3 characters to
match 1 upper, 1 lower and 1 digit.
We could make things more complicated to allow minPasswordLength < 3
but, really, 3 is already too low...

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-08-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #51 from Jonathan Druart ---
Created attachment 66623
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66623&action=edit
Bug 18298: Move password generation to template side

This patch removes a really ugly way to generate a password: the whole
template was sent and parsed to retrieve the "#defaultnewpassfield" node.
To avoid the password being sent in plain text it is certainly better to
generate it client-side.
The same kind of passwords will be generated: 0-9a-zA-Z
The while loop prevents getting an invalid generated password.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-08-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #50 from Jonathan Druart ---
Created attachment 66622
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66622&action=edit
Bug 18298: Use the validate jQuery plugin

To validate password fields we need to use the validate jQuery plugin.
To make things reusable this patch adds a new include file
'password_check.inc' on the intranet and opac sides; it creates 3 new
validation methods:
- password_strong => make sure the passwords are strong enough according
to the values of the RequireStrongPassword and minPasswordLength prefs
- password_no_spaces => prevent passwords from being entered with leading or
trailing spaces
- password_match => make sure both password fields match

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-08-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #62976 is obsolete|0   |1
  Attachment #62977 is obsolete|0   |1
  Attachment #62978 is obsolete|0   |1
  Attachment #62979 is obsolete|0   |1
  Attachment #62980 is obsolete|0   |1
  Attachment #62981 is obsolete|0   |1

--- Comment #49 from Jonathan Druart ---
Created attachment 66621
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66621&action=edit
Bug 18298: Enforce password complexity

This patchset prevents users from entering too weak a password, controlled by
a new syspref RequireStrongPassword. If set, the staff and patrons will have
to enter a strong password.
The strength cannot be modified; it has been arbitrarily set (by the
author of this enhancement) to at least 1 lowercase, 1 uppercase and 1
digit. This can be reinforced by increasing the value of the existing
minPasswordLength pref.

I decided to turn this feature on, it cannot hurt! For existing installs
it will have to be turned on manually.

Writing these patches I found a lot of inconsistencies all around the
password checks and decided to refactor everything to make things
consistent and more robust.
Now the password validity is checked in only one place (subroutine
covered by tests).

Test plan:
We have several places where a password can be changed/created:
a. Editing a patron (members/memberentry.pl)
b. Changing the password of a patron (members/member-password.pl)
c. Changing your own password at the opac (opac/opac-passwd.pl).
OpacPasswordChange needs to be set
d. Resetting your own password at the opac
(opac/opac-password-recovery.pl). OpacResetPassword needs to be set,
see "Forgot your password?" link when you are not logged in
e. Self registration feature, PatronSelfRegistration needs to be set.

You will also need to add 'password' to
PatronSelfRegistrationBorrowerMandatoryField.

Note that '' is considered by Koha internally to mean that the password is
not changed (existing behavior).

To fully test this patch you will need to test the different
combinations of RequireStrongPassword and minPasswordLength.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-07-09 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #48 from Katrin Fischer  ---
Hm, I can see the point: differentiating between staff and patrons would be
nice. But I'm worried about getting this one stuck.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-06-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #47 from Olli-Antti Kivilahti  ---
(In reply to Jonathan Druart from comment #41)
> (In reply to Olli-Antti Kivilahti from comment #38)
> > Did you know that there is already a bug for this feature?
> 
> How do you want us to know about it?
> Status is "New", patches were submitted 2 years ago and no longer
> apply, changes are not covered by tests, etc.

Now you know.
Shouldn't be a biggie to take the DB and GUI changes and rebase to work with
this feature.

There are way too many sysprefs already.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-06-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #46 from Olli-Antti Kivilahti  ---
However we need password 1234 for our borrowers so they can use their PIN code
with the self-service automats.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-06-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #45 from Olli-Antti Kivilahti  ---
(In reply to Magnus Enger from comment #42)
> (In reply to Katrin Fischer from comment #40)
> > Why would one want different policies per patron category? I don't feel this
> > level of granularity would be necessary here - I'd prefer a global setting.
> 
> You could demand really difficult passwords for staff?

This is what we do. No more 1234



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-06-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #44 from Jonathan Druart ---
(In reply to Jacek Ablewicz from comment #43)
> The concept of "upper and lower case characters" implemented by this
> patchset may be a bit limited - for many non-english-speaking countries, and
> especially for the countries which don't use latin-derived alphabets.
> 
> Replacing [a-z] with \p{Ll} and [A-Z] with \p{Lu} will probably work just
> fine in the perl regexps, but would it work in the javascript / jQuery
> validation related  code parts as well?

Yes, you are totally right. That's how I started to implement this feature, but
I switched back to the naive way when I did not find a JS equivalent.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-06-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Jacek Ablewicz  changed:

   What|Removed |Added

 CC||a...@biblos.pk.edu.pl

--- Comment #43 from Jacek Ablewicz  ---
The concept of "upper and lower case characters" implemented by this patchset
may be a bit limited - for many non-english-speaking countries, and especially
for the countries which don't use latin-derived alphabets.

Replacing [a-z] with \p{Ll} and [A-Z] with \p{Lu} will probably work just fine
in the perl regexps, but would it work in the javascript / jQuery validation
related code parts as well?



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-06-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #42 from Magnus Enger  ---
(In reply to Katrin Fischer from comment #40)
> Why would one want different policies per patron category? I don't feel this
> level of granularity would be necessary here - I'd prefer a global setting.

You could demand really difficult passwords for staff?



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-06-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #41 from Jonathan Druart ---
(In reply to Olli-Antti Kivilahti from comment #38)
> Did you know that there is already a bug for this feature?

How do you want us to know about it?
Status is "New", patches were submitted 2 years ago and no longer
apply, changes are not covered by tests, etc.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-06-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #40 from Katrin Fischer  ---
Why would one want different policies per patron category? I don't feel this
level of granularity would be necessary here - I'd prefer a global setting.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-06-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #39 from Olli-Antti Kivilahti  ---
The important thing is that one doesn't add any more sysprefs. There are too
many as is.

Add a borrower category parameter, 'passwordpolicy' and configure the password
policy per borrower category. Maybe even the password minSize can be set there.
Much more flexible.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-06-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Olli-Antti Kivilahti  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community
   ||.org/bugzilla3/show_bug.cgi
   ||?id=12617



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-06-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Olli-Antti Kivilahti  changed:

   What|Removed |Added

 CC||olli-antti.kivila...@jns.fi

--- Comment #38 from Olli-Antti Kivilahti  ---
Did you know that there is already a bug for this feature?

Bug 12617

And it allows configuring the password type per borrower category.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-05-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Jonathan Druart  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community
   ||.org/bugzilla3/show_bug.cgi
   ||?id=17006



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-05-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #33 from Jonathan Druart ---
Created attachment 62977
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62977&action=edit
Bug 18298: Use the validate jQuery plugin

To validate password fields we need to use the validate jQuery plugin.
To make things reusable this patch adds a new include file
'password_check.inc' at the intranet and opac sides, it creates 3 new
validation methods:
- password_strong => make sure the passwords are strong enough according
to the values of the RequireStrongPassword and minPasswordLength prefs
- password_no_spaces => prevent passwords from being entered with leading
or trailing spaces
- password_match => make sure both password fields match

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-05-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #36 from Jonathan Druart ---
Created attachment 62980
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62980&action=edit
Bug 18298: minPasswordLength should not be used as the default password length

The length of the passwords generated for a patron should not be as long
as the value of minPasswordLength.
It is the minimum required size of a password, not the maximum!
So let's fix it to 8 if the minPasswordLength is < 8; that sounds
reasonable and less risky for patrons.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-05-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #37 from Jonathan Druart ---
Created attachment 62981
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62981&action=edit
Bug 18298: Add server-side checks and refactor stuffs

Now that we have a check client-side, nothing prevents us from a smart guy to
bypass it and force an invalid password.
This patch adds two new subroutines to Koha::AuthUtils to check the
validity of passwords and generate a password server-side. It is used
only once (self-registration) but could be useful later.

Moreover the 3 different cases of password rejection (too weak, too
short, contains leading or trailing whitespaces) were not tested
everywhere. Now they are!

This patch makes things consistent everywhere and cleans up some code.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-05-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #35 from Jonathan Druart ---
Created attachment 62979
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62979&action=edit
Bug 18298: minPaswordLength should not be < 3

Indeed if RequireStrongPassword is set we need at least 3 characters to
match 1 upper, 1 lower and 1 digit.
We could make things more complicated to allow minPasswordLength < 3
but, really, 3 is already too low...

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-05-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #61331|0   |1
is obsolete||
  Attachment #61332|0   |1
is obsolete||
  Attachment #61333|0   |1
is obsolete||
  Attachment #61334|0   |1
is obsolete||
  Attachment #61335|0   |1
is obsolete||
  Attachment #61336|0   |1
is obsolete||

--- Comment #32 from Jonathan Druart ---
Created attachment 62976
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62976&action=edit
Bug 18298: Enforce password complexity

This patchset prevents users from entering too weak a password, controlled by
a new syspref RequireStrongPassword. If set, the staff and patrons will have
to enter a strong password.
The strength cannot be modified; it has been arbitrarily set (by the
author of this enhancement) to at least 1 lowercase, 1 uppercase and 1
digit. This can be reinforced by increasing the value of the existing
minPasswordLength pref.

I decided to turn this feature on, it cannot hurt! For existing installs
it will have to be turned on manually.

Writing these patches I found a lot of inconsistencies all around the
password checks and decided to refactor everything to make things
consistent and more robust.
Now the password validity is checked at only one place (subroutine
covered by tests).

Test plan:
We have several places where a password can be changed/created:
a. Editing a patron (members/memberentry.pl)
b. Changing the password of a patron (members/member-password.pl)
c. Changing your own password at the opac (opac/opac-passwd.pl).
OpacPasswordChange needs to be set
d. Resetting your own password at the opac
(opac/opac-password-recovery.pl). OpacResetPassword needs to be set,
see "Forgot your password?" link when you are not logged in
e. Self registration feature, PatronSelfRegistration needs to be set.

You will also need to add 'password' to
PatronSelfRegistrationBorrowerMandatoryField.

Note that '' is interpreted by Koha internally as the password not being
changed (existing behavior).

To fully test this patch you will need to test the different
combinations of RequireStrongPassword and minPasswordLength.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-05-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #34 from Jonathan Druart ---
Created attachment 62978
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62978&action=edit
Bug 18298: Move password generation to template side

This patch removes a really ugly way to generate a password: the whole
template was sent and parsed to retrieve the "#defaultnewpassfield" node.
To avoid the password to be sent plain text it is certainly better to
generate it client-side.
The same kind of passwords will be generated: 0-9a-zA-Z
The while loop prevents an invalid password from being generated.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-05-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Alex Sassmannshausen  changed:

   What|Removed |Added

 CC||alex.sassmannshausen@ptfs-e
   ||urope.com

--- Comment #31 from Alex Sassmannshausen ---
(In reply to Jonathan Druart from comment #30)
> (In reply to Martin Renvoize from comment #29)
> > > Maybe we could just have different strength settings? Instead of
> > > "RequireStrongPassword" we could name this PasswordStrength and then have
> > > the current and alphanumeric+digits as first two options.
> > 
> > Are you ok to provide this last followup Jonathan?
> 
> To me it's outside the scope of this bug report. I consider this as an
> improvement of this new feature.

Hi Jonathan,

I was hoping to sign this off once more to confirm it is ready for inclusion,
but it doesn't currently apply.

Best wishes,

Alex



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-04-12 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Marc Véron  changed:

   What|Removed |Added

 Blocks||18424


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18424
[Bug 18424] Implement different password strength settings

[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #30 from Jonathan Druart ---
(In reply to Martin Renvoize from comment #29)
> > Maybe we could just have different strength settings? Instead of
> > "RequireStrongPassword" we could name this PasswordStrength and then have
> > the current and alphanumeric+digits as first two options.
> 
> Are you ok to provide this last followup Jonathan?

To me it's outside the scope of this bug report. I consider this as an
improvement of this new feature.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Martin Renvoize  changed:

   What|Removed |Added

 CC||martin.renvoize@ptfs-europe
   ||.com

--- Comment #29 from Martin Renvoize  ---
> Maybe we could just have different strength settings? Instead of
> "RequireStrongPassword" we could name this PasswordStrength and then have
> the current and alphanumeric+digits as first two options.

Are you ok to provide this last followup Jonathan?



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-22 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Jonathan Druart  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community
   ||.org/bugzilla3/show_bug.cgi
   ||?id=18314



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-22 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #28 from Marcel de Rooy  ---
(In reply to Katrin Fischer from comment #26)
> Maybe we could just have different strength settings? Instead of
> "RequireStrongPassword" we could name this PasswordStrength and then have
> the current and alphanumeric+digits as first two options.

Yes, I like that idea too. Would be a good excuse to postpone the special char
to another report ;)



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-22 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #27 from Marc Véron  ---
(In reply to Katrin Fischer from comment #26)
> Maybe we could just have different strength settings? Instead of
> "RequireStrongPassword" we could name this PasswordStrength and then have
> the current and alphanumeric+digits as first two options.

+1
Marc


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-22 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #26 from Katrin Fischer  ---
Maybe we could just have different strength settings? Instead of
"RequireStrongPassword" we could name this PasswordStrength and then have the
current and alphanumeric+digits as first two options.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-21 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #25 from Marcel de Rooy  ---
(In reply to Jonathan Druart from comment #24)
> In any cases I would prefer to deal with it on another bug report.
> Actually my concern is that some people could find it is a too strong
> requirement.
> Indeed you can have a very strong password without any special characters.
> It could lead to user frustration.
> And libraries will turn it off.

Don't give up too quickly :)
Yes, a3bXyYzQ looks stronger than Myname@1, but b4_Xz#43Y may be stronger again.
User experience and security may often generate some friction. Security also
means education of the users.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-21 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #24 from Jonathan Druart ---
(In reply to Marcel de Rooy from comment #23)
> (In reply to Jonathan Druart from comment #20)
> > I am in discussion with the sponsor about the special character. In any
> > cases that will be dealt on another bug report.
> Well, I have quite a strong opinion on that one..

In any cases I would prefer to deal with it on another bug report.
Actually my concern is that some people could find it is a too strong
requirement.
Indeed you can have a very strong password without any special characters. It
could lead to user frustration.
And libraries will turn it off.

> > > "Now that we have a check client-side, nothing prevents us from a smart 
> > > guy
> > > to
> > > bypass it and force an invalid password."
> > > And this is an issue. How do you want to resolve that one?
> > 
> > Hum? I added server-side checks everywhere.
> If so, the commit message is confusing.

It says: "Now that we have a check client-side, nothing prevents us from a
smart guy to bypass it and force an invalid password.
This patch adds two new subroutines to Koha::AuthUtils to check the
validity of passwords and generate a password server-side."



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-21 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #23 from Marcel de Rooy  ---
(In reply to Jonathan Druart from comment #20)
> I am in discussion with the sponsor about the special character. In any
> cases that will be dealt on another bug report.
Well, I have quite a strong opinion on that one..

> > I saw several constructs like:
> > my $minpw = C4::Context->preference('minPasswordLength');
> > $minpw = 3 if not $minpw or $minpw < 3;
> > We could call a function in C4/Auth to get the password length and not check
> > the pref everywhere. And increase 3 of course.
> 
> See the whole patch set, this is fixed in the last patch.
OK, sorry, I didn't see.

> > "Now that we have a check client-side, nothing prevents us from a smart guy
> > to
> > bypass it and force an invalid password."
> > And this is an issue. How do you want to resolve that one?
> 
> Hum? I added server-side checks everywhere.
If so, the commit message is confusing.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-21 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #22 from Marcel de Rooy  ---
(In reply to Jonathan Druart from comment #21)
> (In reply to Marcel de Rooy from comment #19)
> > Also: The default for minPasswordLength should really be 8. If people want
> > to make it three characters after install, which they should not do, we
> > could argue that this is their own responsibility. Or we could just not
> > allow it.
> 
> This should be discussed on its own bug report.

Agreed



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-21 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Jonathan Druart  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community
   ||.org/bugzilla3/show_bug.cgi
   ||?id=18308



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-21 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #21 from Jonathan Druart ---
(In reply to Marcel de Rooy from comment #19)
> Also: The default for minPasswordLength should really be 8. If people want
> to make it three characters after install, which they should not do, we
> could argue that this is their own responsibility. Or we could just not
> allow it.

This should be discussed on its own bug report.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-21 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #20 from Jonathan Druart ---
(In reply to Marcel de Rooy from comment #19)
> In order to call a password "strong", we should definitely not allow a
> password length less than 8 characters (not to talk about 12-14). And we
> should enforce a special character too. (Enforcing uc,lc,digits is
> definitely an improvement btw!)
> When you enable RequireStrongPassword, you should just raise
> minPasswordLength. You cannot enable it and have strong passwords of 3
> chars. Impossible!

I am in discussion with the sponsor about the special character. In any cases
that will be dealt on another bug report.

> I saw several constructs like:
> my $minpw = C4::Context->preference('minPasswordLength');
> $minpw = 3 if not $minpw or $minpw < 3;
> We could call a function in C4/Auth to get the password length and not check
> the pref everywhere. And increase 3 of course.

See the whole patch set, this is fixed in the last patch.

> "To avoid the password to be sent plain text it is certainly better to
> generate it client-side."
> And then send it back to the server plain text?
> Or should we just say: use https and we trust that transmission?

Yes indeed, it is still passing plain text unless using https.

> "Now that we have a check client-side, nothing prevents us from a smart guy
> to
> bypass it and force an invalid password."
> And this is an issue. How do you want to resolve that one?

Hum? I added server-side checks everywhere.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-21 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #19 from Marcel de Rooy  ---
In order to call a password "strong", we should definitely not allow a password
length less than 8 characters (not to talk about 12-14). And we should enforce
a special character too. (Enforcing uc,lc,digits is definitely an improvement
btw!)
When you enable RequireStrongPassword, you should just raise minPasswordLength.
You cannot enable it and have strong passwords of 3 chars. Impossible!

Also: The default for minPasswordLength should really be 8. If people want to
make it three characters after install, which they should not do, we could
argue that this is their own responsibility. Or we could just not allow it.

I saw several constructs like:
my $minpw = C4::Context->preference('minPasswordLength');
$minpw = 3 if not $minpw or $minpw < 3;
We could call a function in C4/Auth to get the password length and not check
the pref everywhere. And increase 3 of course.

"To avoid the password to be sent plain text it is certainly better to
generate it client-side."
And then send it back to the server plain text?
Or should we just say: use https and we trust that transmission?

"Now that we have a check client-side, nothing prevents us from a smart guy to
bypass it and force an invalid password."
And this is an issue. How do you want to resolve that one?



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Katrin Fischer  changed:

   What|Removed |Added

 CC||katrin.fisc...@bsz-bw.de

--- Comment #18 from Katrin Fischer  ---
We got the same problem - a library with self check hardware that doesn't allow
for alpha-numeric passwords. I think turning it on by default for new
installations is a good idea. If we turn it off, everything will be like
before?



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Marc Véron  changed:

   What|Removed |Added

 Status|Needs Signoff   |Signed Off


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Marc Véron  changed:

   What|Removed |Added

  Attachment #61231|0   |1
is obsolete||

--- Comment #16 from Marc Véron  ---
Created attachment 61335
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61335&action=edit
Bug 18298: minPasswordLength should not be used as the default password length

The length of the passwords generated for a patron should not be as long
as the value of minPasswordLength.
It is the minimum required size of a password, not the maximum!
So let's fix it to 8 if the minPasswordLength is < 8; that sounds
reasonable and less risky for patrons.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Marc Véron  changed:

   What|Removed |Added

  Attachment #61232|0   |1
is obsolete||

--- Comment #17 from Marc Véron  ---
Created attachment 61336
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61336&action=edit
Bug 18298: Add server-side checks and refactor stuffs

Now that we have a check client-side, nothing prevents us from a smart guy to
bypass it and force an invalid password.
This patch adds two new subroutines to Koha::AuthUtils to check the
validity of passwords and generate a password server-side. It is used
only once (self-registration) but could be useful later.

Moreover the 3 different cases of password rejection (too weak, too
short, contains leading or trailing whitespaces) were not tested
everywhere. Now they are!

This patch makes things consistent everywhere and cleans up some code.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Marc Véron  changed:

   What|Removed |Added

  Attachment #61230|0   |1
is obsolete||

--- Comment #15 from Marc Véron  ---
Created attachment 61334
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61334&action=edit
Bug 18298: minPaswordLength should not be < 3

Indeed if RequireStrongPassword is set we need at least 3 characters to
match 1 upper, 1 lower and 1 digit.
We could make things more complicated to allow minPasswordLength < 3
but, really, 3 is already too low...

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Marc Véron  changed:

   What|Removed |Added

  Attachment #61229|0   |1
is obsolete||

--- Comment #14 from Marc Véron  ---
Created attachment 61333
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61333&action=edit
Bug 18298: Move password generation to template side

This patch removes a really ugly way to generate a password: the whole
template was sent and parsed to retrieve the "#defaultnewpassfield" node.
To avoid the password being sent in plain text it is certainly better to
generate it client-side.
The same kind of passwords will be generated: 0-9a-zA-Z
The while loop prevents getting an invalid generated password.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Marc Véron  changed:

   What|Removed |Added

  Attachment #61228|0   |1
is obsolete||

--- Comment #13 from Marc Véron  ---
Created attachment 61332
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61332&action=edit
Bug 18298: Use the validate jQuery plugin

To validate password fields we need to use the validate jQuery plugin.
To make things reusable this patch adds a new include file
'password_check.inc' at the intranet and opac sides. It creates 3 new
validation methods:
- password_strong => make sure the passwords are strong enough according
to the values of the RequireStrongPassword and minPasswordLength prefs
- password_no_spaces => prevent passwords from being entered with leading or
trailing spaces
- password_match => make sure both password fields match

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Marc Véron  changed:

   What|Removed |Added

  Attachment #61227|0   |1
is obsolete||

--- Comment #12 from Marc Véron  ---
Created attachment 61331
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61331&action=edit
Bug 18298: Enforce password complexity

This patchset prevents users from entering too weak a password, controlled by
a new syspref RequireStrongPassword. If set, the staff and patrons will have
to enter a strong password.
The strength cannot be modified; it has been arbitrarily set (by the
author of this enhancement) to at least 1 lowercase, 1 uppercase and 1
digit. This can be reinforced by increasing the value of the existing
minPasswordLength pref.

I decided to turn this feature on; it cannot hurt! For existing installs
it will have to be turned on manually.

Writing these patches I found a lot of inconsistencies all around the
password checks and decided to refactor everything to make things
consistent and more robust.
Now the password validity is checked at only one place (subroutine
covered by tests).

Test plan:
We have several places where a password can be changed/created:
a. Editing a patron (members/memberentry.pl)
b. Changing the password of a patron (members/member-password.pl)
c. Changing your own password at the opac (opac/opac-passwd.pl).
OpacPasswordChange needs to be set
d. Resetting your own password at the opac
(opac/opac-password-recovery.pl). OpacResetPassword needs to be set,
see "Forgot your password?" link when you are not logged in
e. Self registration feature, PatronSelfRegistration needs to be set.

You will also need to add 'password' to
PatronSelfRegistrationBorrowerMandatoryField.

Note that '' is considered by Koha internally to mean that the password is
not changed (existing behavior).

To fully test this patch you will need to test the different
combinations of RequireStrongPassword and minPasswordLength.

Signed-off-by: Marc Véron 


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #11 from Jonathan Druart ---
(In reply to Marc Véron from comment #7)
> Created attachment 61237 [details]
> Screenshots of password hints on OPAC self registration
> 
> Tested following plan in comment #1, works great.
> 
> One small thing: Hints for wrong password do not display properly on OPAC
> self registration, see screenshots.

That sounds like an existing issue, I'll deal with it on another bug report.


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #10 from Magnus Enger  ---
(In reply to Jonathan Druart from comment #9)
> Nope, the strongness is not configurable.
> But since the patches refactor all the password code it would be much
> easier to improve it.

Ah, good to hear!



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #9 from Jonathan Druart ---
(In reply to Magnus Enger from comment #8)
> Sadly, some libraries need to enforce weak passwords = PINs (4 digit
> "passwords"). The reason for this is hardwear that only has a numerical
> keyboard, and where patrons have to enter a pin in order to do things like
> self service checkouts. Will this patch make it possible to enforce a
> password of 4 digits?

Nope, the strength is not configurable.
But since the patches refactor all the password code it would be much easier
to improve it.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Magnus Enger  changed:

   What|Removed |Added

 CC||mag...@libriotech.no

--- Comment #8 from Magnus Enger  ---
Sadly, some libraries need to enforce weak passwords = PINs (4 digit
"passwords"). The reason for this is hardware that only has a numerical
keyboard, and where patrons have to enter a pin in order to do things like self
service checkouts. Will this patch make it possible to enforce a password of 4
digits?



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Josef Moravec  changed:

   What|Removed |Added

 CC||josef.mora...@gmail.com



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-18 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Marcel de Rooy  changed:

   What|Removed |Added

 CC||m.de.r...@rijksmuseum.nl



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-18 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Marc Véron  changed:

   What|Removed |Added

 CC||ve...@veron.ch

--- Comment #7 from Marc Véron  ---
Created attachment 61237
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61237&action=edit
Screenshots of password hints on OPAC self registration

Tested following the plan in comment #1, works great.

One small thing: hints for a wrong password do not display properly on OPAC self
registration, see screenshots.


[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Jonathan Druart  changed:

   What|Removed |Added

  Change sponsored?|--- |Sponsored



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #4 from Jonathan Druart ---
Created attachment 61230
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61230&action=edit
Bug 18298: minPasswordLength should not be < 3

Indeed if RequireStrongPassword is set we need at least 3 characters to
match 1 upper, 1 lower and 1 digit.
We could make things more complicated to allow minPasswordLength < 3
but, really, 3 is already too low...



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #6 from Jonathan Druart ---
Created attachment 61232
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61232&action=edit
Bug 18298: Add server-side checks and refactor stuff

Now that we have a check client-side, nothing prevents a smart guy from
bypassing it and forcing an invalid password.
This patch adds two new subroutines to Koha::AuthUtils to check the
validity of passwords and generate a password server-side. It is used
only once (self-registration) but could be useful later.

Moreover the 3 different cases of password rejection (too weak, too
short, contains leading or trailing whitespaces) were not tested
everywhere. Now they are!

This patch makes things consistent everywhere and cleans up some code.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #5 from Jonathan Druart ---
Created attachment 61231
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61231&action=edit
Bug 18298: minPasswordLength should not be used as the default password length

The length of the passwords generated for a patron should not be as long
as the value of minPasswordLength.
It is the minimum required size of a password, not the maximum!
So let's fix it to 8 if minPasswordLength is < 8; that sounds
reasonable and less risky for patrons.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #3 from Jonathan Druart ---
Created attachment 61229
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61229&action=edit
Bug 18298: Move password generation to template side

This patch removes a really ugly way to generate a password: the whole
template was sent and parsed to retrieve the "#defaultnewpassfield" node.
To avoid the password being sent in plain text it is certainly better to
generate it client-side.
The same kind of passwords will be generated: 0-9a-zA-Z
The while loop prevents getting an invalid generated password.



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #2 from Jonathan Druart ---
Created attachment 61228
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61228&action=edit
Bug 18298: Use the validate jQuery plugin

To validate password fields we need to use the validate jQuery plugin.
To make things reusable this patch adds a new include file
'password_check.inc' at the intranet and opac sides. It creates 3 new
validation methods:
- password_strong => make sure the passwords are strong enough according
to the values of the RequireStrongPassword and minPasswordLength prefs
- password_no_spaces => prevent passwords from being entered with leading or
trailing spaces
- password_match => make sure both password fields match



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

Jonathan Druart  changed:

   What|Removed |Added

 Status|ASSIGNED|Needs Signoff



[Koha-bugs] [Bug 18298] Enforce password complexity

2017-03-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #1 from Jonathan Druart ---
Created attachment 61227
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61227&action=edit
Bug 18298: Enforce password complexity

This patchset prevents users from entering too weak a password, controlled by
a new syspref RequireStrongPassword. If set, the staff and patrons will have
to enter a strong password.
The strength cannot be modified; it has been arbitrarily set (by the
author of this enhancement) to at least 1 lowercase, 1 uppercase and 1
digit. This can be reinforced by increasing the value of the existing
minPasswordLength pref.

I decided to turn this feature on; it cannot hurt! For existing installs
it will have to be turned on manually.

Writing these patches I found a lot of inconsistencies all around the
password checks and decided to refactor everything to make things
consistent and more robust.
Now the password validity is checked at only one place (subroutine
covered by tests).

Test plan:
We have several places where a password can be changed/created:
a. Editing a patron (members/memberentry.pl)
b. Changing the password of a patron (members/member-password.pl)
c. Changing your own password at the opac (opac/opac-passwd.pl).
OpacPasswordChange needs to be set
d. Resetting your own password at the opac
(opac/opac-password-recovery.pl). OpacResetPassword needs to be set,
see "Forgot your password?" link when you are not logged in
e. Self registration feature, PatronSelfRegistration needs to be set.

You will also need to add 'password' to
PatronSelfRegistrationBorrowerMandatoryField.

Note that '' is considered by Koha internally to mean that the password is
not changed (existing behavior).

To fully test this patch you will need to test the different
combinations of RequireStrongPassword and minPasswordLength.
