forked-synapse/synapse/handlers/password_policy.py

#
# This file is licensed under the Affero General Public License (AGPL) version 3.
#
# Copyright (C) 2023 New Vector, Ltd
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# See the GNU Affero General Public License for more details:
# <https://www.gnu.org/licenses/agpl-3.0.html>.
#
# Originally licensed under the Apache License, Version 2.0:
# <http://www.apache.org/licenses/LICENSE-2.0>.
#
# [This file includes modifications made by New Vector Limited]
#
#

import logging
import re
from typing import TYPE_CHECKING

from synapse.api.errors import Codes, PasswordRefusedError

if TYPE_CHECKING:
    from synapse.server import HomeServer

logger = logging.getLogger(__name__)


class PasswordPolicyHandler:
    def __init__(self, hs: "HomeServer"):
        self.policy = hs.config.auth.password_policy
        self.enabled = hs.config.auth.password_policy_enabled

        # Regexps for the spec'd policy parameters.
        self.regexp_digit = re.compile("[0-9]")
        self.regexp_symbol = re.compile("[^a-zA-Z0-9]")
        self.regexp_uppercase = re.compile("[A-Z]")
        self.regexp_lowercase = re.compile("[a-z]")

    def validate_password(self, password: str) -> None:
        """Checks whether a given password complies with the server's policy.

        Args:
            password: The password to check against the server's policy.

        Raises:
            PasswordRefusedError: The password doesn't comply with the server's policy.
        """

        if not self.enabled:
            return

        minimum_accepted_length = self.policy.get("minimum_length", 0)
        if len(password) < minimum_accepted_length:
            raise PasswordRefusedError(
                msg=(
                    "The password must be at least %d characters long"
                    % minimum_accepted_length
                ),
                errcode=Codes.PASSWORD_TOO_SHORT,
            )

        if (
            self.policy.get("require_digit", False)
            and self.regexp_digit.search(password) is None
        ):
            raise PasswordRefusedError(
                msg="The password must include at least one digit",
                errcode=Codes.PASSWORD_NO_DIGIT,
            )

        if (
            self.policy.get("require_symbol", False)
            and self.regexp_symbol.search(password) is None
        ):
            raise PasswordRefusedError(
                msg="The password must include at least one symbol",
                errcode=Codes.PASSWORD_NO_SYMBOL,
            )

        if (
            self.policy.get("require_uppercase", False)
            and self.regexp_uppercase.search(password) is None
        ):
            raise PasswordRefusedError(
                msg="The password must include at least one uppercase letter",
                errcode=Codes.PASSWORD_NO_UPPERCASE,
            )

        if (
            self.policy.get("require_lowercase", False)
            and self.regexp_lowercase.search(password) is None
        ):
            raise PasswordRefusedError(
                msg="The password must include at least one lowercase letter",
                errcode=Codes.PASSWORD_NO_LOWERCASE,
            )
Allow server admins to define and enforce a password policy (MSC2000). (#7118) 2020-03-26 12:51:13 -04:00			`#`
Update license headers 2023-11-21 15:29:58 -05:00			`# This file is licensed under the Affero General Public License (AGPL) version 3.`
			`#`
			`# Copyright (C) 2023 New Vector, Ltd`
			`#`
			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Affero General Public License as`
			`# published by the Free Software Foundation, either version 3 of the`
			`# License, or (at your option) any later version.`
			`#`
			`# See the GNU Affero General Public License for more details:`
			`# <https://www.gnu.org/licenses/agpl-3.0.html>.`
			`#`
			`# Originally licensed under the Apache License, Version 2.0:`
			`# <http://www.apache.org/licenses/LICENSE-2.0>.`
			`#`
			`# [This file includes modifications made by New Vector Limited]`
Allow server admins to define and enforce a password policy (MSC2000). (#7118) 2020-03-26 12:51:13 -04:00			`#`
			`#`

			`import logging`
			`import re`
Add type hints to some handlers (#8505) 2020-10-09 07:20:51 -04:00			`from typing import TYPE_CHECKING`
Allow server admins to define and enforce a password policy (MSC2000). (#7118) 2020-03-26 12:51:13 -04:00
			`from synapse.api.errors import Codes, PasswordRefusedError`

Add type hints to some handlers (#8505) 2020-10-09 07:20:51 -04:00			`if TYPE_CHECKING:`
Import HomeServer from the proper module. (#9665) 2021-03-23 07:12:48 -04:00			`from synapse.server import HomeServer`
Add type hints to some handlers (#8505) 2020-10-09 07:20:51 -04:00
Allow server admins to define and enforce a password policy (MSC2000). (#7118) 2020-03-26 12:51:13 -04:00			`logger = logging.getLogger(__name__)`


Stop sub-classing object (#8249) 2020-09-04 06:54:56 -04:00			`class PasswordPolicyHandler:`
Add type hints to some handlers (#8505) 2020-10-09 07:20:51 -04:00			`def __init__(self, hs: "HomeServer"):`
Use direct references for some configuration variables (part 3) (#10885) This avoids the overhead of searching through the various configuration classes by directly referencing the class that the attributes are in. It also improves type hints since mypy can now resolve the types of the configuration variables. 2021-09-23 07:13:34 -04:00			`self.policy = hs.config.auth.password_policy`
			`self.enabled = hs.config.auth.password_policy_enabled`
Allow server admins to define and enforce a password policy (MSC2000). (#7118) 2020-03-26 12:51:13 -04:00
			`# Regexps for the spec'd policy parameters.`
			`self.regexp_digit = re.compile("[0-9]")`
			`self.regexp_symbol = re.compile("[^a-zA-Z0-9]")`
			`self.regexp_uppercase = re.compile("[A-Z]")`
			`self.regexp_lowercase = re.compile("[a-z]")`

Add type hints to some handlers (#8505) 2020-10-09 07:20:51 -04:00			`def validate_password(self, password: str) -> None:`
Allow server admins to define and enforce a password policy (MSC2000). (#7118) 2020-03-26 12:51:13 -04:00			`"""Checks whether a given password complies with the server's policy.`

			`Args:`
Add type hints to some handlers (#8505) 2020-10-09 07:20:51 -04:00			`password: The password to check against the server's policy.`
Allow server admins to define and enforce a password policy (MSC2000). (#7118) 2020-03-26 12:51:13 -04:00
			`Raises:`
			`PasswordRefusedError: The password doesn't comply with the server's policy.`
			`"""`

			`if not self.enabled:`
			`return`

			`minimum_accepted_length = self.policy.get("minimum_length", 0)`
			`if len(password) < minimum_accepted_length:`
			`raise PasswordRefusedError(`
			`msg=(`
			`"The password must be at least %d characters long"`
			`% minimum_accepted_length`
			`),`
			`errcode=Codes.PASSWORD_TOO_SHORT,`
			`)`

			`if (`
			`self.policy.get("require_digit", False)`
			`and self.regexp_digit.search(password) is None`
			`):`
			`raise PasswordRefusedError(`
			`msg="The password must include at least one digit",`
			`errcode=Codes.PASSWORD_NO_DIGIT,`
			`)`

			`if (`
			`self.policy.get("require_symbol", False)`
			`and self.regexp_symbol.search(password) is None`
			`):`
			`raise PasswordRefusedError(`
			`msg="The password must include at least one symbol",`
			`errcode=Codes.PASSWORD_NO_SYMBOL,`
			`)`

			`if (`
			`self.policy.get("require_uppercase", False)`
			`and self.regexp_uppercase.search(password) is None`
			`):`
			`raise PasswordRefusedError(`
			`msg="The password must include at least one uppercase letter",`
			`errcode=Codes.PASSWORD_NO_UPPERCASE,`
			`)`

			`if (`
			`self.policy.get("require_lowercase", False)`
			`and self.regexp_lowercase.search(password) is None`
			`):`
			`raise PasswordRefusedError(`
			`msg="The password must include at least one lowercase letter",`
			`errcode=Codes.PASSWORD_NO_LOWERCASE,`
			`)`