* UI: passwords are now validated against
$c->config->{security}{password}{web_max_age_days} (unless it's 0)
and if the password is expired the user is redirected automatically
to /changepassword page, and after successful password change back
to the original page.
* API: if password is expired all API requests will be returning
403 Forbidden "Password expired", except PUT/PATCH to /api/admins
or /api/subscribers with the new password in place.
* successful login on the UI now redirects to /dashboard instead of
/ (to prevent unintended redirect to v2)
Change-Id: I075f8e17cc9b0658d6b3b3d526ca5b379d050ce4
* perform_subscriber_auth(): check if domain is undefined
and use only $user, otherwise $user . @ . $domain.
Change-Id: I3d342fb2c4768c2b7b3e0c08ea41e429b83e9683
* users are now progressively banned.
* ban_min_time is used to ban a user for the first time.
* consecutive ban is ban_min_time + ban_increment * ban_increment_stage
* ban_max_time is the absolute maximum ban time that is not increased
any further.
* a successful login resets the ban_increment_stage.
Change-Id: I4d7e1a93d7a21d21a0dcf69d856a872d2ed75ea0
* users for admin/subscriber realms are now banned if failed
to login X amount of times (UI/API).
* rework Redis connection and it's now a Catalyst plugin NGCP::Redis
accessed by $c->redis_get_connection({database => 19}), the connection
per database, per worker process is established only once and then
reused (with auto built-in reconnect support).
* remove Utils::Redis.pm as it does not have any code/logic anymore.
* ban values are taken from $config->{security}{login} as
- ban_enable: 1
- ban_expire_time: 3600 ban expire time in seconds
- max_attempts: 5
* if max_attempts is set to 0, the ban functionality is disabled as it
requires it to be at least 1 to work.
* upon successful login or ban, the failed attempts counter is removed
* the failed attempts counter is also removed automatically with an
expire time equal to "ban_expire_time" or otherwise 3600 seconds.
* user bans are logged into panel.log
* banned user receives exactly the same return page/codes as per
invalid logic.
Change-Id: I05cc68c623ee289488fc64f1af50527004dcaae1
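The two ban commits above (the failed-attempts counter with its Redis expiry and max_attempts, and the later progressive ban of ban_min_time + ban_increment * ban_increment_stage capped at ban_max_time, reset on a successful login) are modelled together in this added Python example. It is not the project's Perl code: the in-memory FakeStore stands in for Redis, the key names and the stage key are an assumed layout, and the ban_min_time / ban_increment / ban_max_time values are chosen only so that the cap becomes visible.

```python
from dataclasses import dataclass


@dataclass
class BanConfig:
    ban_enable: bool = True
    max_attempts: int = 5        # 0 disables banning (it must be >= 1 to work)
    ban_expire_time: int = 3600  # TTL of the failed-attempts counter, seconds
    ban_min_time: int = 300      # assumed value: length of the first ban
    ban_increment: int = 300     # assumed value: added per consecutive ban
    ban_max_time: int = 1000     # assumed value: absolute cap on a ban


class FakeStore:
    """Stand-in for Redis: keys with optional TTL on a fake clock, so expiry
    can be exercised deterministically. Not the project's NGCP::Redis plugin."""

    def __init__(self):
        self.data = {}  # key -> (value, expires_at or None)
        self.now = 0

    def get(self, key):
        entry = self.data.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if expires_at is not None and self.now >= expires_at:
            del self.data[key]  # expired: behave as if Redis had dropped it
            return None
        return value

    def set(self, key, value, ttl=None):
        self.data[key] = (value, None if ttl is None else self.now + ttl)

    def delete(self, key):
        self.data.pop(key, None)

    def advance(self, seconds):
        self.now += seconds


def ban_duration(cfg, stage):
    """Ban length at increment stage `stage` (0 = first ban):
    ban_min_time + ban_increment * stage, capped at ban_max_time."""
    return min(cfg.ban_min_time + cfg.ban_increment * stage, cfg.ban_max_time)


def _keys(realm, user):
    base = f"{realm}:{user}"  # assumed key layout, not necessarily the project's
    return f"login:fail:{base}", f"login:ban:{base}", f"login:stage:{base}"


def ban_remaining(store, realm, user):
    """Seconds left on the current ban, or None when not banned."""
    ban_key = _keys(realm, user)[1]
    if store.get(ban_key) is None:
        return None
    return store.data[ban_key][1] - store.now


def login_attempt(store, cfg, realm, user, password_ok, log):
    """Record one login attempt. True only for a successful, unbanned login;
    a banned user and a wrong password both yield False, so the client gets
    the same response either way."""
    fail_key, ban_key, stage_key = _keys(realm, user)
    banning = cfg.ban_enable and cfg.max_attempts >= 1
    if banning and store.get(ban_key) is not None:
        return False
    if password_ok:
        store.delete(fail_key)   # successful login removes the counter ...
        store.delete(stage_key)  # ... and resets the ban increment stage
        return True
    failed = (store.get(fail_key) or 0) + 1
    store.set(fail_key, failed, ttl=cfg.ban_expire_time)  # counter expires by itself
    if banning and failed >= cfg.max_attempts:
        stage = store.get(stage_key) or 0
        duration = ban_duration(cfg, stage)
        store.set(ban_key, 1, ttl=duration)  # ban lifts when this key expires
        store.set(stage_key, stage + 1)      # the next ban will be longer
        store.delete(fail_key)               # counter is removed upon ban
        log.append(f"banned {realm}/{user} for {duration}s (stage {stage})")
    return False


def simulate_progressive_bans(cfg=None):
    """Four consecutive bans, a successful login, then one more ban. Returns
    (durations of the four bans, duration of the ban after the reset, log)."""
    cfg = cfg or BanConfig()
    store, log, durations = FakeStore(), [], []
    for _ in range(4):
        for _ in range(cfg.max_attempts):
            login_attempt(store, cfg, "admin", "alice", False, log)
        durations.append(ban_remaining(store, "admin", "alice"))
        store.advance(durations[-1])  # wait the ban out
    login_attempt(store, cfg, "admin", "alice", True, log)  # resets the stage
    for _ in range(cfg.max_attempts):
        login_attempt(store, cfg, "admin", "alice", False, log)
    return durations, ban_remaining(store, "admin", "alice"), log
```

Running simulate_progressive_bans() with the assumed values gives bans of 300, 600, 900 and 1000 seconds (the fourth one capped by ban_max_time), and 300 seconds again after the successful login has reset the stage. The stage key is deliberately stored without a TTL so that it outlives the ban itself; the failed-attempts counter, by contrast, disappears on its own after ban_expire_time, so attempts spread out over more than that window never add up to a ban.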
* passwords are now validated based on
- minlen
- maxlen
- min lower case chars
- min upper case chars
- min digits
- min special chars
* Data::Password::zxcvbn is used to calculate
password score and reject passwords with score < 3 as weak
(this library is ported from the Dropbox password validation)
* Add password journals and check last used passwords in the journals
* Improve password generator javascript function to generate a password
with at least 4 of each of the char group types.
* Currently affected are subscriber and admin entry creation or
modification via UI/API
* NGCP::Utils::Auth add optional bcrypt_cost support as last argument
for generate_salted_hash and get_usr_salted_pass
Change-Id: I100c25107d91741d5101bc58d29a3fa558b0b017
when ignore_auth_realm is "yes", it should no longer
be required to provide the domain part for subscriber
logins.
Change-Id: I346f94278c9b0d9a598858c24d797b03217123d4
for deployments that expose panel/csc via a proxy,
the auto-generated base url printed in emails can
be unreachable. we therefore introduce the option
to explicitly specify a base url to use.
it will support an sprintf pattern with individual
params for eg.:
- protocol scheme
- domain part
- port
- base url path
Change-Id: I6a9ca23126c669d249ef7f3e092cae0161235ebe
this fix addresses a regression reported by dominik:
* $resource{_password}/{_webpassword} cannot be set before the
form validation as they are effectively removed by it,
causing /api/subscribers returning no passwords at
all for 'subscriber' roles
* Having them after the patch makes no sense either as next
resource_from_item call will effectively remove them again (in PATCH)
(cherry picked from commit 5e9066c4fb)
Change-Id: I88c9ec40843f1e9a6983952b96c0b0e70fbb1bb1
This reverts commit 5e9066c4fb.
This implementation breaks:
* $resource{_password}/{_webpassword} cannot be set before the
form validation as they are effectively removed by it,
causing /api/subscribers returning no passwords at
all for 'subscriber' roles
* Having them after the patch makes no sense either as next
resource_from_item call will effectively remove them again (in PATCH)
Change-Id: I0e8389e8ab34ad72f1b87a684daba77f1030f8ba
a multitude of issues popped up after introducing bcrypted
webpasswords in the database. most recently the PATCH /api/subscribers
rail was reported to reset the webpassword unintentionally.
subscriber login fails afterwards, which is a severe issue.
the bugs are addressed by these refactorings. the change also
introduces a global variable
$NGCP::Panel::Utils::Auth::ENCRYPT_SUBSCRIBER_WEBPASSWORDS
to control encrypting webpasswords. it is still enabled as of now,
but it's worth considering disabling it. there are other ways to have
a "cost" for an authentication request, eg. adding a simple
sleep(1sec).
Change-Id: I2d47d54a2d83568546ffdd2b211337a5f56be3a2
* 'webpassword' field is now also validated for invalid
(non-ascii) characters
* Fix multiple APP input field validation errors to comma joined.
* Adjust 'webpassword' field validation errors to have better
readability when there are multiple validation errors
Change-Id: I21536f97a4da78cc5192a3abd8cd5adef1b819ec
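The password rules from the validation commit further up (minlen, maxlen, minimum lower case, upper case, digit and special characters, plus the password journal that rejects recently used passwords) and the 'webpassword' commit just above (rejecting non-ascii characters, reporting all violations comma joined) are illustrated together in this added Python example. It is not the project's Perl code: PBKDF2 stands in for the bcrypt hashes NGCP::Utils::Auth produces, the zxcvbn score check is not modelled, and the numeric limits, the special-character set and the journal length of 5 are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    minlen: int = 12        # assumed limits, not the project's defaults
    maxlen: int = 64
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_special: int = 1
    journal_size: int = 5   # assumed: how many previous passwords are remembered


# assumed definition of "special": printable ASCII punctuation
SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def validate_password(pw, policy):
    """Check pw against every rule and report all violations at once, comma
    joined; an empty string means the password is acceptable."""
    errors = []
    if any(ord(ch) > 127 for ch in pw):
        errors.append("contains non-ascii characters")
    if len(pw) < policy.minlen:
        errors.append(f"shorter than {policy.minlen} characters")
    if len(pw) > policy.maxlen:
        errors.append(f"longer than {policy.maxlen} characters")
    counts = {
        "lower case": (sum(c.islower() for c in pw), policy.min_lower),
        "upper case": (sum(c.isupper() for c in pw), policy.min_upper),
        "digit": (sum(c.isdigit() for c in pw), policy.min_digits),
        "special": (sum(c in SPECIAL for c in pw), policy.min_special),
    }
    for name, (have, need) in counts.items():
        if have < need:
            errors.append(f"needs at least {need} {name} character(s)")
    return ", ".join(errors)


class PasswordJournal:
    """Salted hashes of the last `size` passwords, newest first, so a user
    cannot switch back to one of them. Plaintext is never stored."""
    ITERATIONS = 20_000  # kept low for the demo; a real deployment uses a higher cost

    def __init__(self, size):
        self.size = size
        self.entries = []  # list of (salt, digest)

    @staticmethod
    def _hash(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt,
                                   PasswordJournal.ITERATIONS)

    def was_used(self, pw):
        return any(hmac.compare_digest(self._hash(pw, salt), digest)
                   for salt, digest in self.entries)

    def record(self, pw):
        salt = os.urandom(16)
        self.entries.insert(0, (salt, self._hash(pw, salt)))
        del self.entries[self.size:]  # forget anything older than `size` entries


def change_password(journal, new_pw, policy):
    """Full check on a password change: policy first, then the journal.
    Returns (accepted, message) and records the password when accepted."""
    problems = validate_password(new_pw, policy)
    if problems:
        return False, problems
    if journal.was_used(new_pw):
        return False, "password was used recently"
    journal.record(new_pw)
    return True, "ok"
```

A rejected change returns every violated rule in one message rather than only the first, which is the readability point of the 'webpassword' commit. Because the journal keeps only salted hashes, checking a candidate means re-hashing it once per stored entry, so the journal length also bounds the work done on every password change.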
* Login CSC v2 button is shown on the subscriber's master
data page if www_admin.http_csc.csc_js_enable == 1 or 2
* When the login is triggered an auth token
is generated internally followed by a redirect to
CSC as /?a=auth_token
* move generate_auth_token() into Utils/Auth
* improve generate_auth_token() arguments support
* add /api/authtokens error handling
Change-Id: Idd65400bf8ce6ce48979c736f6a199fb567ffaa4
* The new endpoint will only accept POSTs
* The request body should have two parameters
called 'new_password' and 'token'
* First, look for the token in redis (for admins),
if not found, look for it in DB (for subscribers),
if neither is found, return
Change-Id: I4163a0d5bd886961317b21aeca20c8ccfdeab0dd
* The new endpoint will only accept POSTs
* The request body should have two parameters
called 'type', 'username' and 'domain'
* 'type' will accept either 'administrator',
in which case only 'username' is needed,
or 'subscriber', in which case 'username'
and 'domain' will be needed
* The regular password reset email will be sent
to either the admin or the subscriber
Change-Id: If1457c8c625a95295e5e93b6637927e3905698d9
* Add check for existence of webpassword on subscriber
log in to prevent the code from trying to use the
undefined password
* Subscribers with no webpassword cannot log in to the old CSC
Change-Id: I7b82c014fa5f70fa36ee7282db94a747e54ce2ae
* Change the way webpassword is handled across
NGCP Panel UI/API to comply with new password
encryption
* At login, if password is not encrypted with
high cost due to the ngcp-bcrypt-webpassword
script, encrypt it with proper cost
* Accept old password format as well until all
webpasswords are encrypted
Change-Id: Iefa9584a62ab4b7d2a224d10bdd415e9cbb8dfb5