Merge pull request #4168 from betagouv/issue/3928_check_complexity_when_admin_edit_pwd

Check complexity when editing admin password
This commit is contained in:
Nicolas Bouilleaud 2019-08-01 17:25:29 +02:00 committed by GitHub
commit a181210651
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
40 changed files with 284 additions and 112 deletions

View file

@ -312,8 +312,8 @@
}
.explication {
margin-bottom: 2 * $default-padding;
padding: $default-padding;
margin-bottom: $default-padding;
padding: $default-padding / 2;
background-color: $light-grey;
p:not(:last-child) {

View file

@ -2,33 +2,39 @@
@import "constants";
$strength-bg: #EEEEEE;
$weak-strength-color: $lighter-red;
$medium-strength-color: $orange;
$strong-strength-color: $green;
$strength-color-0: $lighter-red;
$strength-color-1: #FF5000;
$strength-color-2: $orange;
$strength-color-3: #FFD000;
$strength-color-4: $green;
.password-strength {
margin-top: -24px;
width: 100%;
min-height: 22px;
height: 12px;
background: $strength-bg;
display: block;
margin-bottom: $default-spacer;
text-align: center;
border-radius: 8px;
&.strength-0 {
background: linear-gradient(to right, $strength-color-0 00%, $strength-bg 20%);
}
&.strength-1 {
background: linear-gradient(to right, $weak-strength-color 0%, $weak-strength-color 25%, $strength-bg 25%, $strength-bg 100%);
background: linear-gradient(to right, $strength-color-1 20%, $strength-bg 40%);
}
&.strength-2 {
background: linear-gradient(to right, $medium-strength-color 0%, $medium-strength-color 50%, $strength-bg 50%, $strength-bg 100%);
background: linear-gradient(to right, $strength-color-2 40%, $strength-bg 60%);
}
&.strength-3 {
background: linear-gradient(to right, $medium-strength-color 0%, $medium-strength-color 75%, $strength-bg 75%, $strength-bg 100%);
background: linear-gradient(to right, $strength-color-3 60%, $strength-bg 80%);
}
&.strength-4 {
background: $strong-strength-color;
color: #FFFFFF;
background: $strength-color-4;
}
}

View file

@ -1,5 +1,3 @@
require 'zxcvbn'
class Administrateurs::ActivateController < ApplicationController
include TrustedDeviceConcern
@ -34,10 +32,6 @@ class Administrateurs::ActivateController < ApplicationController
end
end
def test_password_strength
@score = Zxcvbn.test(params[:administrateur][:password], [], ZXCVBN_DICTIONNARIES).score
end
private
def update_administrateur_params

View file

@ -0,0 +1,69 @@
class Administrateurs::PasswordsController < Devise::PasswordsController
after_action :try_to_authenticate_user, only: [:update]
after_action :try_to_authenticate_gestionnaire, only: [:update]
# GET /resource/password/new
# def new
# super
# end
# POST /resource/password
# def create
# super
# end
# GET /resource/password/edit?reset_password_token=abcdef
# def edit
# super
# end
# PUT /resource/password
# def update
# # params[:user][:password_confirmation] = params[:user][:password]
# super
# end
# protected
# def after_resetting_password_path_for(resource)
# super(resource)
# end
# The path used after sending reset password instructions
# def after_sending_reset_password_instructions_path_for(resource_name)
# super(resource_name)
# end
def try_to_authenticate_user
if administrateur_signed_in?
user = User.find_by(email: current_administrateur.email)
if user
sign_in user
end
end
end
def try_to_authenticate_gestionnaire
if administrateur_signed_in?
gestionnaire = Gestionnaire.find_by(email: current_administrateur.email)
if gestionnaire
sign_in gestionnaire
end
end
end
def test_strength
@score, @words, @length = ZxcvbnService.new(password_params[:password]).complexity
@min_length = PASSWORD_MIN_LENGTH
@min_complexity = PASSWORD_COMPLEXITY_FOR_ADMIN
render 'shared/password/test_strength'
end
private
def password_params
params.require(:administrateur).permit(:reset_password_token, :password)
end
end

View file

@ -8,9 +8,19 @@ class Users::PasswordsController < Devise::PasswordsController
# end
# POST /resource/password
# def create
# super
# end
def create
# Check the credentials associated to the mail to generate a correct reset link
email = params[:user][:email]
if Administrateur.find_by(email: email)
@devise_mapping = Devise.mappings[:administrateur]
params[:administrateur] = params[:user]
# uncomment to check password complexity for Gestionnaire
# elsif Gestionnaire.find_by(email: email)
# @devise_mapping = Devise.mappings[:gestionnaire]
# params[:gestionnaire] = params[:user]
end
super
end
# GET /resource/password/edit?reset_password_token=abcdef
# def edit
@ -19,6 +29,7 @@ class Users::PasswordsController < Devise::PasswordsController
# PUT /resource/password
# def update
# # params[:user][:password_confirmation] = params[:user][:password]
# super
# end
@ -52,4 +63,15 @@ class Users::PasswordsController < Devise::PasswordsController
end
end
end
def test_strength
@score, @words, @length = ZxcvbnService.new(password_params[:password]).complexity
@min_length = PASSWORD_MIN_LENGTH
@min_complexity = PASSWORD_COMPLEXITY_FOR_USER
render 'shared/password/test_strength'
end
def password_params
params.require(:user).permit(:reset_password_token, :password)
end
end

View file

@ -20,11 +20,8 @@ class Administrateur < ApplicationRecord
validate :password_complexity, if: Proc.new { |a| Devise.password_length.include?(a.password.try(:size)) }
def password_complexity
if password.present?
score = Zxcvbn.test(password, [], ZXCVBN_DICTIONNARIES).score
if score < 4
errors.add(:password, :not_strength)
end
if password.present? && ZxcvbnService.new(password).score < PASSWORD_COMPLEXITY_FOR_ADMIN
errors.add(:password, :not_strong)
end
end

View file

@ -0,0 +1,23 @@
class ZxcvbnService
def initialize(password)
@password = password
end
def complexity
wxcvbn = compute_zxcvbn
score = wxcvbn.score
length = @password.blank? ? 0 : @password.length
vulnerabilities = wxcvbn.match_sequence.map { |m| m.matched_word.nil? ? m.token : m.matched_word }.select { |s| s.length > 2 }.join(', ')
[score, vulnerabilities, length]
end
def score
compute_zxcvbn.score
end
private
def compute_zxcvbn
Zxcvbn.test(@password, [], ZXCVBN_DICTIONNARIES)
end
end

View file

@ -1,5 +0,0 @@
#strength-bar.password-strength{ class: "strength-#{score}" }
- if score < 4
Mot de passe pas assez complexe
- else
Mot de passe suffisamment complexe

View file

@ -3,27 +3,4 @@
- content_for :footer do
= render partial: "root/footer"
.container.devise-container
.one-column-centered
= form_for @administrateur, url: { controller: 'administrateurs/activate', action: :create }, html: { class: "form" } do |f|
%br
%h1
Choix du mot de passe
= f.label :email, "Email"
= f.text_field :email, disabled: true
= f.label :password do
Mot de passe
= f.password_field :password, placeholder: 'Mot de passe', data: { remote: true, url: admin_activate_test_password_strength_path }
#strength-bar.password-strength
&nbsp;
.explication
%strong Aide :
Une courte phrase peut être un mot de passe très sécurisé.
= f.hidden_field :reset_password_token, value: params[:token]
= f.submit 'Continuer', class: 'button large primary expand', id: "submit-password", data: { disable_with: "Envoi..." }
= render 'shared/password/new', object: @administrateur, controller: 'administrateurs/activate', test_password_strength: administrateurs_password_test_strength_path

View file

@ -1 +0,0 @@
<%= render_to_element('#strength-bar', partial: 'password_strength', outer: true, locals: { score: @score }) %>

View file

@ -0,0 +1,6 @@
- content_for(:title, 'Changement de mot de passe')
- content_for :footer do
= render partial: 'root/footer'
= render 'shared/password/edit', test_password_strength: administrateurs_password_test_strength_path

View file

@ -0,0 +1,21 @@
- content_for(:title, 'Changement de mot de passe')
- content_for :footer do
= render partial: 'root/footer'
.container.devise-container
.one-column-centered
= devise_error_messages!
= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :patch, class: 'form' }) do |f|
%h1 Changement de mot de passe
= f.hidden_field :reset_password_token, value: params[:token]
= f.label 'Nouveau mot de passe'
= render partial 'shared/password/edit_password', locals: { form: f, controller: controller }
= f.submit 'Changer le mot de passe', class: 'button large primary expand', id: "submit-password", data: { disable_with: "Envoi..." }

View file

@ -0,0 +1,10 @@
= form.password_field :password, autofocus: true, autocomplete: 'off', placeholder: 'Mot de passe', data: { remote: true, url: url_for(controller: controller, action: 'test_strength') }
#strength-bar.password-strength
&nbsp;
.explication
#strength-label{ style: 'font-weight: bold' }
Inscrivez un mot de passe.
Une courte phrase avec ponctuation peut être un mot de passe très sécurisé.

View file

@ -0,0 +1,18 @@
.container.devise-container
.one-column-centered
- controller_action = defined?(action) ? action : :create
= form_for object, url: { controller: controller, action: controller_action }, html: { class: "form" } do |f|
%br
%h1
Choix du mot de passe
= f.hidden_field :reset_password_token, value: object.reset_password_token
= f.label :email, "Email"
= f.text_field :email, disabled: true
= f.label :password do
Mot de passe
= render partial: 'shared/password/edit_password', locals: { form: f, controller: controller }
= f.submit 'Continuer', class: 'button large primary expand', id: "submit-password", data: { disable_with: "Envoi..." }

View file

@ -0,0 +1 @@
#strength-bar.password-strength{ class: "strength-#{@length < @min_length ? @score/2 : @score}" }

View file

@ -0,0 +1,16 @@
#strength-label{ style: 'font-weight: bold' }
- if @length > 0
- if @length < @min_length
Le mot de passe doit faire au moins #{@min_length} caractères.
- else
- case @score
- when 0..1
Mot de passe très vulnérable.
- when 2...@min_complexity
Mot de passe vulnérable.
- when @min_complexity...4
Mot de passe acceptable. Vous pouvez valider...<br> ou améliorer votre mot de passe.
- else
Félicitations ! Mot de passe suffisamment fort et sécurisé.
- else
Inscrivez un mot de passe.

View file

@ -0,0 +1,3 @@
<%= render_to_element('#strength-label', partial: 'shared/password/password_strength_label', outer: true) %>
<%= render_to_element('#strength-bar', partial: 'shared/password/password_strength', outer: true) %>
<%= raw("document.querySelector('#submit-password').disabled = #{@score < @min_complexity || @length < @min_length};") %>

View file

@ -80,6 +80,6 @@
"note": "`column` and `order` come from the model, which is validated to prevent injection attacks. Furthermore, the sql injection attack on `column` would need to survive the `to_i`"
}
],
"updated": "2019-07-17 16:03:11 +0200",
"updated": "2019-07-02 11:23:21 -1000",
"brakeman_version": "4.3.1"
}

View file

@ -1,4 +1,5 @@
require_relative "contacts"
require_relative 'contacts'
require_relative 'passwords'
# Use this hook to configure devise mailer, warden hooks and so forth.
# Many of these configuration options can be set straight in your model.
@ -142,7 +143,7 @@ Devise.setup do |config|
# ==> Configuration for :validatable
# Range for password length.
config.password_length = 8..128
config.password_length = PASSWORD_MIN_LENGTH..128
# Email regex used to validate email formats. It simply asserts that
# one (and only one) @ exists in the given string. This is mainly

View file

@ -0,0 +1,9 @@
# complexity of the required password for the three kinds of users (user, gestionnaire, admnistrateur)
# valid values are from 0 to 4, 0 means very simple, 4 means high level of complexity.
if !defined?(PASSWORD_MIN_LENGTH)
# PASSWORD_COMPLEXITY_FOR_USER = ENV.fetch('PASSWORD_COMPLEXITY_FOR_USER', '2').to_i
# PASSWORD_COMPLEXITY_FOR_GESTIONNAIRE = ENV.fetch('PASSWORD_COMPLEXITY_FOR_GESTIONNAIRE', '3').to_i
PASSWORD_COMPLEXITY_FOR_ADMIN = ENV.fetch('PASSWORD_COMPLEXITY_FOR_ADMIN', '4').to_i
# password minimum length
PASSWORD_MIN_LENGTH = ENV.fetch('PASSWORD_MIN_LENGTH', '8').to_i
end

View file

@ -12,4 +12,4 @@ fr:
password:
too_short: 'est trop court'
blank: 'doit être rempli'
not_strength: "n'est pas assez complexe"
not_strong: "n'est pas assez complexe"

View file

@ -78,8 +78,9 @@ Rails.application.routes.draw do
}
devise_for :administrateurs, controllers: {
sessions: 'administrateurs/sessions'
}, skip: [:password, :registrations]
sessions: 'administrateurs/sessions',
passwords: 'administrateurs/passwords'
}, skip: [:registrations]
devise_for :gestionnaires, controllers: {
sessions: 'gestionnaires/sessions',
@ -108,6 +109,7 @@ Rails.application.routes.draw do
devise_scope :administrateur do
get '/administrateurs/sign_in/demo' => redirect("/users/sign_in")
get '/administrateurs/password/test_strength' => 'administrateurs/passwords#test_strength'
end
#
@ -176,7 +178,6 @@ Rails.application.routes.draw do
namespace :admin do
get 'activate' => '/administrateurs/activate#new'
patch 'activate' => '/administrateurs/activate#create'
get 'activate/test_password_strength' => '/administrateurs/activate#test_password_strength'
get 'sign_in' => '/administrateurs/sessions#new'
get 'procedures/archived' => 'procedures#archived'
get 'procedures/draft' => 'procedures#draft'

View file

@ -254,7 +254,7 @@ describe Gestionnaires::AvisController, type: :controller do
let(:dossier) { create(:dossier) }
let!(:avis) { create(:avis, email: invited_email, dossier: dossier) }
let(:avis_id) { avis.id }
let(:password) { '12345678' }
let(:password) { 'démarches-simplifiées-pwd' }
let(:created_gestionnaire) { Gestionnaire.find_by(email: invited_email) }
let(:invitations_email) { true }

View file

@ -7,8 +7,8 @@ describe Gestionnaires::PasswordsController, type: :controller do
describe "update" do
context "unified login" do
let(:user) { create(:user, email: 'unique@plop.com', password: 'un super mot de passe') }
let(:administrateur) { create(:administrateur, email: 'unique@plop.com', password: 'un super mot de passe') }
let(:user) { create(:user, email: 'unique@plop.com', password: 'démarches-simplifiées-pwd') }
let(:administrateur) { create(:administrateur, email: 'unique@plop.com', password: 'démarches-simplifiées-pwd') }
let(:gestionnaire) { administrateur.gestionnaire }
before do
@ -21,8 +21,8 @@ describe Gestionnaires::PasswordsController, type: :controller do
put :update, params: {
gestionnaire: {
reset_password_token: @token,
password: "supersecret",
password_confirmation: "supersecret"
password: "démarches-simplifiées-pwd",
password_confirmation: "démarches-simplifiées-pwd"
}
}
expect(subject.current_gestionnaire).to eq(gestionnaire)
@ -33,8 +33,8 @@ describe Gestionnaires::PasswordsController, type: :controller do
put :update, params: {
gestionnaire: {
reset_password_token: @token,
password: "supersecret",
password_confirmation: "supersecret"
password: "démarches-simplifiées-pwd",
password_confirmation: "démarches-simplifiées-pwd"
}
}
expect(subject.current_administrateur).to eq(administrateur)

View file

@ -3,7 +3,7 @@ describe Manager::AdministrateursController, type: :controller do
describe 'POST #create' do
let(:email) { 'plop@plop.com' }
let(:password) { 'password' }
let(:password) { 'démarches-simplifiées-pwd' }
before do
sign_in administration

View file

@ -1,6 +1,6 @@
describe Users::RegistrationsController, type: :controller do
let(:email) { 'test@octo.com' }
let(:password) { 'password' }
let(:password) { 'démarches-simplifiées-pwd' }
let(:user) { { email: email, password: password } }

View file

@ -1,6 +1,6 @@
describe Users::SessionsController, type: :controller do
let(:email) { 'unique@plop.com' }
let(:password) { 'un super mot de passe' }
let(:password) { 'démarches-simplifiées-pwd' }
let(:loged_in_with_france_connect) { User.loged_in_with_france_connects.fetch(:particulier) }
let!(:user) { create(:user, email: email, password: password, loged_in_with_france_connect: loged_in_with_france_connect) }
@ -104,8 +104,8 @@ describe Users::SessionsController, type: :controller do
end
context "when associated gestionnaire" do
let(:user) { create(:user, email: 'unique@plop.com', password: 'password') }
let(:gestionnaire) { create(:gestionnaire, email: 'unique@plop.com', password: 'password') }
let(:user) { create(:user, email: 'unique@plop.com', password: 'démarches-simplifiées-pwd') }
let(:gestionnaire) { create(:gestionnaire, email: 'unique@plop.com', password: 'démarches-simplifiées-pwd') }
it 'signs user out' do
sign_in user

View file

@ -2,6 +2,6 @@ FactoryBot.define do
sequence(:administration_email) { |n| "plop#{n}@plop.com" }
factory :administration do
email { generate(:administration_email) }
password { 'password' }
password { 'démarches-simplifiées-pwd' }
end
end

View file

@ -2,6 +2,6 @@ FactoryBot.define do
sequence(:gestionnaire_email) { |n| "gest#{n}@gest.com" }
factory :gestionnaire do
email { generate(:gestionnaire_email) }
password { 'password' }
password { 'démarches-simplifiées-pwd' }
end
end

View file

@ -2,7 +2,7 @@ FactoryBot.define do
sequence(:user_email) { |n| "user#{n}@user.com" }
factory :user do
email { generate(:user_email) }
password { 'password' }
password { 'démarches-simplifiées-pwd' }
confirmed_at { Time.zone.now }
trait :unconfirmed do

View file

@ -3,7 +3,7 @@ require 'spec_helper'
feature 'The gestionnaire part' do
include ActiveJob::TestHelper
let(:password) { 'secret_password' }
let(:password) { 'démarches-simplifiées-pwd' }
let!(:gestionnaire) { create(:gestionnaire, password: password) }
let!(:procedure) { create(:procedure, :published, gestionnaires: [gestionnaire]) }
@ -237,7 +237,7 @@ feature 'The gestionnaire part' do
def avis_sign_up(avis, email)
visit sign_up_gestionnaire_avis_path(avis, email)
fill_in 'gestionnaire_password', with: 'a good password'
fill_in 'gestionnaire_password', with: 'démarches-simplifiées-pwd'
click_on 'Créer un compte'
expect(page).to have_current_path(gestionnaire_avis_index_path)
end

View file

@ -2,7 +2,7 @@ require 'spec_helper'
feature 'Signin in:' do
let!(:user) { create(:user, password: password) }
let(:password) { 'testpassword' }
let(:password) { 'démarches-simplifiées-pwd' }
scenario 'an existing user can sign-in' do
visit root_path

View file

@ -1,7 +1,7 @@
require 'rails_helper'
feature 'The user' do
let(:password) { 'secret_password' }
let(:password) { 'démarches-simplifiées-pwd' }
let!(:user) { create(:user, password: password) }
let!(:procedure) { create(:procedure, :published, :for_individual, :with_all_champs_mandatory) }

View file

@ -27,7 +27,7 @@ feature 'Invitations' do
context 'when inviting someone without an existing account' do
let(:invite) { create(:invite, dossier: dossier, user: nil) }
let(:user_password) { 'l33tus3r' }
let(:user_password) { 'démarches-simplifiées-pwd' }
scenario 'an invited user can register using the registration link sent in the invitation email' do
# Click the invitation link

View file

@ -1,7 +1,7 @@
require 'spec_helper'
feature 'linked dropdown lists' do
let(:password) { 'secret_password' }
let(:password) { 'démarches-simplifiées-pwd' }
let!(:user) { create(:user, password: password) }
let(:list_items) do

View file

@ -2,7 +2,7 @@ require 'spec_helper'
feature 'Signing up:' do
let(:user_email) { generate :user_email }
let(:user_password) { 'testpassword' }
let(:user_password) { 'démarches-simplifiées-pwd' }
scenario 'a new user can sign-up' do
visit root_path

View file

@ -72,29 +72,33 @@ describe Administrateur, type: :model do
it { expect(administrateur.feature_enabled?(:test_a)).to be_truthy }
end
describe "#password_complexity" do
let(:administrateur) { build(:administrateur, password: password) }
describe '#password_complexity' do
let(:email) { 'mail@beta.gouv.fr' }
let(:passwords) { ['pass', '12pass23', 'démarches ', 'démarches-simple', 'démarches-simplifiées-pwd'] }
let(:administrateur) { build(:administrateur, email: email, password: password) }
let(:min_complexity) { PASSWORD_COMPLEXITY_FOR_ADMIN }
subject do
administrateur.save
administrateur.errors[:password]
administrateur.errors.full_messages
end
context "with a strong password" do
let(:password) { "la démat c'est simple" }
context 'when password is too short' do
let(:password) { 's' * (PASSWORD_MIN_LENGTH - 1) }
it { expect(subject).to eq(["Le mot de passe est trop court"]) }
end
context 'when password is too simple' do
let(:password) { passwords[min_complexity - 1] }
it { expect(subject).to eq(["Le mot de passe n'est pas assez complexe"]) }
end
context 'when password is acceptable' do
let(:password) { passwords[min_complexity] }
it { expect(subject).to eq([]) }
end
context "with a weak password" do
let(:password) { "12345678" }
it { expect(subject).to include "n'est pas assez complexe" }
it { expect(subject).not_to include "est trop court" }
end
context "with a short password" do
let(:password) { "1" }
it { expect(subject).to include "est trop court" }
it { expect(subject).not_to include "n'est pas assez complexe" }
end
end
end

View file

@ -146,21 +146,21 @@ describe Gestionnaire, type: :model do
gestionnaire = create(:gestionnaire)
user = create(:user, email: gestionnaire.email)
gestionnaire.update(email: 'whoami@plop.com', password: 'super secret')
gestionnaire.update(email: 'whoami@plop.com', password: 'démarches-simplifiées-pwd')
user.reload
expect(user.email).to eq('whoami@plop.com')
expect(user.valid_password?('super secret')).to be(true)
expect(user.valid_password?('démarches-simplifiées-pwd')).to be(true)
end
it 'syncs credentials to associated administrateur' do
admin = create(:administrateur)
gestionnaire = admin.gestionnaire
gestionnaire.update(password: 'super secret')
gestionnaire.update(password: 'démarches-simplifiées-pwd')
admin.reload
expect(admin.valid_password?('super secret')).to be(true)
expect(admin.valid_password?('démarches-simplifiées-pwd')).to be(true)
end
end

View file

@ -3,12 +3,12 @@ require 'spec_helper'
describe User, type: :model do
describe '#after_confirmation' do
let(:email) { 'mail@beta.gouv.fr' }
let!(:invite) { create(:invite, email: email) }
let!(:invite) { create(:invite, email: email) }
let!(:invite2) { create(:invite, email: email) }
let(:user) do
create(:user,
email: email,
password: 'a good password',
password: 'démarches-simplifiées-pwd',
confirmation_token: '123',
confirmed_at: nil)
end
@ -106,24 +106,24 @@ describe User, type: :model do
user = create(:user)
gestionnaire = create(:gestionnaire, email: user.email)
user.update(email: 'whoami@plop.com', password: 'super secret')
user.update(email: 'whoami@plop.com', password: 'démarches-simplifiées2')
user.confirm
gestionnaire.reload
expect(gestionnaire.email).to eq('whoami@plop.com')
expect(gestionnaire.valid_password?('super secret')).to be(true)
expect(gestionnaire.valid_password?('démarches-simplifiées2')).to be(true)
end
it 'syncs credentials to associated administrateur' do
user = create(:user)
admin = create(:administrateur, email: user.email)
user.update(email: 'whoami@plop.com', password: 'super secret')
user.update(email: 'whoami@plop.com', password: 'démarches-simplifiées2')
user.confirm
admin.reload
expect(admin.email).to eq('whoami@plop.com')
expect(admin.valid_password?('super secret')).to be(true)
expect(admin.valid_password?('démarches-simplifiées2')).to be(true)
end
end
end

View file

@ -35,7 +35,7 @@ module FeatureHelpers
end
end
def sign_up_with(email, password = 'testpassword')
def sign_up_with(email, password = 'démarches-simplifiées-pwd')
fill_in :user_email, with: email
fill_in :user_password, with: password