From e7e3b581f22c4727f64cf27fb92ac72c4a8db8d9 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Thu, 14 Feb 2008 17:37:02 +0000
Subject: [PATCH] added password policies

---
 lam/lib/modules/inetOrgPerson.inc | 16 ++++++-
 lam/lib/modules/posixAccount.inc | 24 ++++++++---
 lam/lib/modules/posixGroup.inc | 8 +++-
 lam/lib/security.inc | 71 +++++++++++++++++++++++++++++++
 4 files changed, 110 insertions(+), 9 deletions(-)

diff --git a/lam/lib/modules/inetOrgPerson.inc b/lam/lib/modules/inetOrgPerson.inc
index d3430e4c..b264010b 100644
--- a/lam/lib/modules/inetOrgPerson.inc
+++ b/lam/lib/modules/inetOrgPerson.inc
@@ -682,7 +682,13 @@ class inetOrgPerson extends baseModule {
 					$errors[] = $this->messages['userPassword'][1];
 				}
 				else {
-					$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, 'SSHA');
+					$pwdPolicyResult = checkPasswordStrength($_POST['userPassword']);
+					if ($pwdPolicyResult === true) {
+						$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, 'SSHA');
+					}
+					else {
+						$errors[] = array('ERROR', $pwdPolicyResult);
+					}
 				}
 			}
 		}
@@ -956,7 +962,13 @@ class inetOrgPerson extends baseModule {
 					$messages[] = $this->messages['userPassword'][1];
 				}
 				else {
-					$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, 'SSHA');
+					$pwdPolicyResult = checkPasswordStrength($_POST['userPassword']);
+					if ($pwdPolicyResult === true) {
+						$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, 'SSHA');
+					}
+					else {
+						$messages[] = array('ERROR', $pwdPolicyResult);
+					}
 				}
 			}
 		return $messages;
diff --git a/lam/lib/modules/posixAccount.inc b/lam/lib/modules/posixAccount.inc
index 792f996a..8b632675 100644
--- a/lam/lib/modules/posixAccount.inc
+++ b/lam/lib/modules/posixAccount.inc
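Review bot: The check-then-hash block added in this hunk is repeated almost verbatim in the second inetOrgPerson hunk and in the posixAccount (both hunks) and posixGroup hunks, differing only in the message list, the POST field and the hash type; a small wrapper in security.inc that returns either the hash or the `array('ERROR', ...)` entry would keep the five call sites consistent if the policy result format ever changes. The `=== true` test is correct because checkPasswordStrength() returns either boolean true or an error string, but that mixed return deserves a comment at the first call site, `// policy check returns true or a translated error message`, so readers of the module do not have to open security.inc. Only the form-driven password paths are touched by these hunks; if the modules accept passwords through other paths (for example bulk upload), those are outside the diff and would need the same check. The enclosing methods start and end outside the hunks.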
@@ -913,8 +913,14 @@ class posixAccount extends baseModule {
 					$errors[] = $this->messages['userPassword'][1];
 				}
 				else {
-					$this->clearTextPassword = $_POST['userPassword'];
-					$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+					$pwdPolicyResult = checkPasswordStrength($_POST['userPassword']);
+					if ($pwdPolicyResult === true) {
+						$this->clearTextPassword = $_POST['userPassword'];
+						$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+					}
+					else {
+						$errors[] = array('ERROR', $pwdPolicyResult);
+					}
 				}
 			}
 		return $errors;
@@ -1729,11 +1735,17 @@ class posixAccount extends baseModule {
 					$return['messages'][] = $this->messages['userPassword'][1];
 				}
 				else {
-					$return['mod']['userPassword'][0] = pwd_hash($_POST['posixAccount_password'], true, $this->selfServiceSettings['posixAccount_pwdHash'][0]);
-					if (isset($attributes['shadowLastChange'])) {
-						$return['mod']['shadowLastChange'][0] = intval(time()/3600/24);
+					$pwdPolicyResult = checkPasswordStrength($_POST['posixAccount_password']);
+					if ($pwdPolicyResult === true) {
+						$return['mod']['userPassword'][0] = pwd_hash($_POST['posixAccount_password'], true, $this->selfServiceSettings['posixAccount_pwdHash'][0]);
+						if (isset($attributes['shadowLastChange'])) {
+							$return['mod']['shadowLastChange'][0] = intval(time()/3600/24);
+						}
+						$_SESSION['selfService_clientPasswordNew'] = $_POST['posixAccount_password'];
+					}
+					else {
+						$return['messages'][] = array('ERROR', $pwdPolicyResult);
 					}
-					$_SESSION['selfService_clientPasswordNew'] = $_POST['posixAccount_password'];
 				}
 			}
 		}
diff --git a/lam/lib/modules/posixGroup.inc b/lam/lib/modules/posixGroup.inc
index 9f8c9d0a..ede55582 100644
--- a/lam/lib/modules/posixGroup.inc
+++ b/lam/lib/modules/posixGroup.inc
@@ -675,7 +675,13 @@ class posixGroup extends baseModule {
 				$errors[] = $this->messages['userPassword'][1];
 			}
 			else {
-				$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+				$pwdPolicyResult = checkPasswordStrength($_POST['userPassword']);
+				if ($pwdPolicyResult === true) {
+					$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+				}
+				else {
+					$errors[] = array('ERROR', $pwdPolicyResult);
+				}
 			}
 		return $errors;
 	}
diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index c3e56290..086ac9f0 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -209,4 +209,75 @@ function checkIfPasswordChangeIsAllowed() {
 	return false;
 }
 
+/**
+ * Checks if the password fulfills the password policies.
+ *
+ * @param string $password password
+ * @return mixed true if ok, string with error message if not valid
+ */
+function checkPasswordStrength($password) {
+	if ($password == null) {
+		$password = "";
+	}
+	if (isset($_SESSION['cfgMain'])) $cfg = $_SESSION['cfgMain'];
+	else $cfg = new LAMCfgMain();
+	// check length
+	if (strlen($password) < $cfg->passwordMinLength) {
+		return sprintf(_('The password is too short. You have to enter at least %s characters.'), $cfg->passwordMinLength);
+	}
+	// get number of characers per character class
+	$lower = 0;
+	$upper = 0;
+	$numeric = 0;
+	$symbols = 0;
+	for ($i = 0; $i < strlen($password); $i++) {
+		if (ereg("[a-z]", $password[$i])) {
+			$lower++;
+		}
+		if (ereg("[A-Z]", $password[$i])) {
+			$upper++;
+		}
+		if (ereg("[0-9]", $password[$i])) {
+			$numeric++;
+		}
+		if (eregi("[^a-z0-9]", $password[$i])) {
+			$symbols++;
+		}
+	}
+	// check lower case
+	if ($lower < $cfg->passwordMinLower) {
+		return sprintf(_('The password is too weak. You have to enter at least %s lower case characters.'), $cfg->passwordMinLower);
+	}
+	// check upper case
+	if ($upper < $cfg->passwordMinUpper) {
+		return sprintf(_('The password is too weak. You have to enter at least %s upper case characters.'), $cfg->passwordMinUpper);
+	}
+	// check numeric
+	if ($numeric < $cfg->passwordMinNumeric) {
+		return sprintf(_('The password is too weak. You have to enter at least %s numeric characters.'), $cfg->passwordMinNumeric);
+	}
+	// check symbols
+	if ($symbols < $cfg->passwordMinSymbol) {
+		return sprintf(_('The password is too weak. You have to enter at least %s symbolic characters.'), $cfg->passwordMinSymbol);
+	}
+	// check classes
+	$classes = 0;
+	if ($lower > 0) {
+		$classes++;
+	}
+	if ($upper > 0) {
+		$classes++;
+	}
+	if ($numeric > 0) {
+		$classes++;
+	}
+	if ($symbols > 0) {
+		$classes++;
+	}
+	if ($classes < $cfg->passwordMinClasses) {
+		return sprintf(_('The password is too weak. You have to enter at least %s different character classes (upper/lower case, numbers and symbols).'), $cfg->passwordMinClasses);
+	}
+	return true;
+}
+
 ?>
\ No newline at end of file
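Review bot: checkPasswordStrength() counts bytes rather than characters: `strlen` and the `$password[$i]` loop step through the string byte by byte, so a two-byte UTF-8 character such as `ü` is counted twice by `eregi("[^a-z0-9]", $password[$i])`, inflating the length, symbol and class counts for non-ASCII passwords and letting them satisfy the policy with fewer real characters than configured. `ereg`/`eregi` are also the deprecated POSIX regex family (removed in PHP 7), so moving the counting to `preg_match_all` with the `u` modifier fixes both issues at once; on malformed UTF-8 `preg_match_all` returns false, which the `<` comparisons treat like zero, so such input is rejected as too short whenever a minimum length is configured rather than waved through. The comment `// get number of characers per character class` should read "characters". The null guard, config lookup and the per-class minimum checks below the counting are unchanged.
```php
function checkPasswordStrength($password) {
	// … unchanged: null guard and config lookup …
	// count characters, not bytes: the 'u' modifier makes PCRE treat the string as UTF-8
	$length = preg_match_all('/./us', $password, $matches);
	if ($length < $cfg->passwordMinLength) {
		return sprintf(_('The password is too short. You have to enter at least %s characters.'), $cfg->passwordMinLength);
	}
	// get number of characters per character class (same ASCII classes as before)
	$lower = preg_match_all('/[a-z]/u', $password, $matches);
	$upper = preg_match_all('/[A-Z]/u', $password, $matches);
	$numeric = preg_match_all('/[0-9]/u', $password, $matches);
	$symbols = preg_match_all('/[^a-zA-Z0-9]/u', $password, $matches);
	// … unchanged: minimum checks per class and class count …
```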