diff options
author | jooseong lee <jooseong.lee@samsung.com> | 2016-08-05 16:23:17 +0900 |
---|---|---|
committer | jooseong lee <jooseong.lee@samsung.com> | 2016-08-05 17:08:28 +0900 |
commit | 743345202f417b7e7c2bc8161795480717dc4bac (patch) | |
tree | 99d579f5d226a2b9a2c236a9aea0540d848bc3f7 | |
parent | 2d8749a59c19bd76e15162f93deba01056b7417b (diff) | |
download | auth-fw-743345202f417b7e7c2bc8161795480717dc4bac.tar.gz auth-fw-743345202f417b7e7c2bc8161795480717dc4bac.tar.bz2 auth-fw-743345202f417b7e7c2bc8161795480717dc4bac.zip |
Add new API - auth_passwd_check_passwd_available()
This API checks only if typed string fulfills password policies.
App could use this API during typing a letter for new password and
notify user of helper message before calling password setting API.
To support kind helper message, we provide several error type for
each password policies.
* AUTH_PASSWD_API_ERROR_INVALID_MIN_LENGTH
* AUTH_PASSWD_API_ERROR_INVALID_MIN_COMPLEX_CHAR_NUM
* AUTH_PASSWD_API_ERROR_INVALID_MAX_CHAR_OCCURENCES
* AUTH_PASSWD_API_ERROR_INVALID_MAX_NUM_SEQ_LENGTH
* AUTH_PASSWD_API_ERROR_INVALID_FORBIDDEN_PASSWORDS
* AUTH_PASSWD_API_ERROR_INVALID_QUALITY_TYPE
* AUTH_PASSWD_API_ERROR_INVALID_PATTERN
Also, AUTH_PASSWD_API_ERROR_PASSWORD_INVALID is removed.
Change-Id: Ie7727ceb2c5fa095632b4c38e23c8d6daaae322a
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
-rw-r--r-- | src/client/client-password.cpp | 29 | ||||
-rw-r--r-- | src/common/include/protocols.h | 1 | ||||
-rw-r--r-- | src/include/auth-passwd-error.h | 34 | ||||
-rw-r--r-- | src/include/auth-passwd.h | 51 | ||||
-rw-r--r-- | src/server/service/password.cpp | 36 | ||||
-rw-r--r-- | src/server/service/policy-manager.cpp | 38 |
6 files changed, 148 insertions, 41 deletions
diff --git a/src/client/client-password.cpp b/src/client/client-password.cpp index 600534b..11fd9ad 100644 --- a/src/client/client-password.cpp +++ b/src/client/client-password.cpp @@ -149,6 +149,35 @@ int auth_passwd_check_passwd_state(password_type passwd_type, } AUTH_PASSWD_API +int auth_passwd_check_passwd_available(password_type passwd_type, const char *passwd) +{ + using namespace AuthPasswd; + return try_catch([&] { + if (NULL == passwd) { + LogError("Wrong input param"); + return AUTH_PASSWD_API_ERROR_INPUT_PARAM; + } + + MessageBuffer send, recv; + + Serialization::Serialize(send, static_cast<int>(PasswordHdrs::HDR_CHK_PASSWD_AVAILABLE)); + Serialization::Serialize(send, passwd_type); + Serialization::Serialize(send, std::string(passwd)); + + int retCode = sendToServer(SERVICE_SOCKET_PASSWD_CHECK, send.Pop(), recv); + + if (AUTH_PASSWD_API_SUCCESS != retCode) { + LogDebug("Error in sendToServer. Error code: " << retCode); + return retCode; + } + + Deserialization::Deserialize(recv, retCode); + + return retCode; + }); +} + +AUTH_PASSWD_API int auth_passwd_check_passwd_reused(password_type passwd_type, const char *passwd, int *is_reused) diff --git a/src/common/include/protocols.h b/src/common/include/protocols.h index 23e1429..2ec4e3b 100644 --- a/src/common/include/protocols.h +++ b/src/common/include/protocols.h @@ -49,6 +49,7 @@ extern char const *const SERVICE_SOCKET_PASSWD_POLICY; enum class PasswordHdrs { HDR_CHK_PASSWD, HDR_CHK_PASSWD_STATE, + HDR_CHK_PASSWD_AVAILABLE, HDR_CHK_PASSWD_REUSED, HDR_SET_PASSWD, HDR_SET_PASSWD_RECOVERY, diff --git a/src/include/auth-passwd-error.h b/src/include/auth-passwd-error.h index 1abdf39..e21f5b5 100644 --- a/src/include/auth-passwd-error.h +++ b/src/include/auth-passwd-error.h @@ -63,23 +63,41 @@ /*! \brief indicating password mismatch */ #define AUTH_PASSWD_API_ERROR_PASSWORD_MISMATCH -12 -/*! \brief indicating password dose not meet password policies */ -#define AUTH_PASSWD_API_ERROR_PASSWORD_INVALID -13 - /*! \brief indicating password retry timeout is not occurred yet */ -#define AUTH_PASSWD_API_ERROR_PASSWORD_RETRY_TIMER -14 +#define AUTH_PASSWD_API_ERROR_PASSWORD_RETRY_TIMER -13 /*! \brief indicating no other attempts are possible */ -#define AUTH_PASSWD_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED -15 +#define AUTH_PASSWD_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED -14 /*! \brief indicating password is expired */ -#define AUTH_PASSWD_API_ERROR_PASSWORD_EXPIRED -16 +#define AUTH_PASSWD_API_ERROR_PASSWORD_EXPIRED -15 /*! \brief indicating password is reused */ -#define AUTH_PASSWD_API_ERROR_PASSWORD_REUSED -17 +#define AUTH_PASSWD_API_ERROR_PASSWORD_REUSED -16 /*! \brief indicating password recovery is restricted because max attempts policy is set */ -#define AUTH_PASSWD_API_ERROR_RECOVERY_PASSWORD_RESTRICTED -18 +#define AUTH_PASSWD_API_ERROR_RECOVERY_PASSWORD_RESTRICTED -17 + +/*! \brief indicating password does not meet password min length policy */ +#define AUTH_PASSWD_API_ERROR_INVALID_MIN_LENGTH -18 + +/*! \brief indicating password does not meet min complex character number policy */ +#define AUTH_PASSWD_API_ERROR_INVALID_MIN_COMPLEX_CHAR_NUM -19 + +/*! \brief indicating password does not meet max character occurences policy */ +#define AUTH_PASSWD_API_ERROR_INVALID_MAX_CHAR_OCCURENCES -20 + +/*! \brief indicating password does not meet max number sequence length policy */ +#define AUTH_PASSWD_API_ERROR_INVALID_MAX_NUM_SEQ_LENGTH -21 + +/*! \brief indicating password does not meet forbidden passwords policy */ +#define AUTH_PASSWD_API_ERROR_INVALID_FORBIDDEN_PASSWORDS -22 + +/*! \brief indicating password does not meet quality type policy */ +#define AUTH_PASSWD_API_ERROR_INVALID_QUALITY_TYPE -23 + +/*! \brief indicating password does not meet pattern policy */ +#define AUTH_PASSWD_API_ERROR_INVALID_PATTERN -24 /*! \brief indicating the error with unknown reason */ #define AUTH_PASSWD_API_ERROR_UNKNOWN -255 diff --git a/src/include/auth-passwd.h b/src/include/auth-passwd.h index 08aee2f..24be828 100644 --- a/src/include/auth-passwd.h +++ b/src/include/auth-passwd.h @@ -207,6 +207,57 @@ int auth_passwd_check_passwd_state(password_type passwd_type, unsigned int *valid_secs); /** + * + * \par Description: + * This API checks only if typed string fulfills password policies. + * + * \par Purpose: + * This API should be used by setting application during typing a letter for new password. + * + * \par Typical use case: + * App could check whether typed password is available and notify user of helper message + * before calling password setting API. + * + * \par Method of function operation: + * Sends a check request to auth-fw and auth-fw replies with password availability. + * + * \par Sync (or) Async: + * This is a Synchronous API. + * + * \par Important notes: + * You can't check password reusability. + * + * \param[in] passwd_type Password type, such as normal(lock) password, recovery password and so on. + * \param[in] passwd Null terminated inputted password string. + * + * \return AUTH_PASSWD_API_SUCCESS + * \return AUTH_PASSWD_API_ERROR_ACCESS_DENIED + * \return AUTH_PASSWD_API_ERROR_SOCKET + * \return AUTH_PASSWD_API_ERROR_INVALID_MIN_LENGTH + * Typed string doesn't fulfill min length policy. + * \return AUTH_PASSWD_API_ERROR_INVALID_MIN_COMPLEX_CHAR_NUM + * Typed string doesn't fulfill min complex character number policy. + * \return AUTH_PASSWD_API_ERROR_INVALID_MAX_CHAR_OCCURENCES + * Typed string doesn't fulfill max character occurences policy. + * \return AUTH_PASSWD_API_ERROR_INVALID_MAX_NUM_SEQ_LENGTH + * Typed string doesn't fulfill max number sequence length policy. + * \return AUTH_PASSWD_API_ERROR_INVALID_FORBIDDEN_PASSWORDS + * Typed string doesn't fulfill forbidden passwords policy. + * \return AUTH_PASSWD_API_ERROR_INVALID_QUALITY_TYPE + * Typed string doesn't fulfill qulity type policy + * \return AUTH_PASSWD_API_ERROR_INVALID_PATTERN + * Typed string doesn't fulfill pattern policy. + * \par Known issues/bugs: + * None + * + * \pre None + * + * \post None + * + */ +int auth_passwd_check_passwd_available(password_type passwd_type, const char *passwd); + +/** * \par Description: * This API checks if password was used before. * diff --git a/src/server/service/password.cpp b/src/server/service/password.cpp index a44c3a9..85e1cba 100644 --- a/src/server/service/password.cpp +++ b/src/server/service/password.cpp @@ -121,10 +121,10 @@ int PasswordService::processCheckFunctions(PasswordHdrs hdr, MessageBuffer &buff unsigned int &max_att, unsigned int &exp_time) { int result = AUTH_PASSWD_API_ERROR_SERVER_ERROR; + unsigned int passwdType = 0; switch (hdr) { case PasswordHdrs::HDR_CHK_PASSWD: { - unsigned int passwdType = 0; std::string challenge; Deserialization::Deserialize(buffer, passwdType); Deserialization::Deserialize(buffer, challenge); @@ -134,12 +134,18 @@ int PasswordService::processCheckFunctions(PasswordHdrs hdr, MessageBuffer &buff } case PasswordHdrs::HDR_CHK_PASSWD_STATE: { - unsigned int passwdType = 0; Deserialization::Deserialize(buffer, passwdType); result = m_pwdManager.isPwdValid(passwdType, cur_user, cur_att, max_att, exp_time); break; } + case PasswordHdrs::HDR_CHK_PASSWD_AVAILABLE: { + std::string challenge; + Deserialization::Deserialize(buffer, passwdType); + Deserialization::Deserialize(buffer, challenge); + result = m_policyManager.checkPolicy(passwdType, NO_PASSWORD, challenge, cur_user); + } + default: LogError("Unknown msg header."); Throw(Exception::IncorrectHeader); @@ -338,18 +344,20 @@ bool PasswordService::processOne(const ConnectionID &conn, MessageBuffer &buffer //Returning additional information should occur only when checking functions //are called, and under certain return values if (interfaceID == SOCKET_ID_CHECK) { - switch (retCode) { - case AUTH_PASSWD_API_ERROR_PASSWORD_MISMATCH: - case AUTH_PASSWD_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED: - case AUTH_PASSWD_API_ERROR_PASSWORD_EXPIRED: - case AUTH_PASSWD_API_SUCCESS: - Serialization::Serialize(sendBuffer, cur_att); - Serialization::Serialize(sendBuffer, max_att); - Serialization::Serialize(sendBuffer, exp_time); - break; - - default: - break; + if (hdr != PasswordHdrs::HDR_CHK_PASSWD_AVAILABLE) { + switch (retCode) { + case AUTH_PASSWD_API_ERROR_PASSWORD_MISMATCH: + case AUTH_PASSWD_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED: + case AUTH_PASSWD_API_ERROR_PASSWORD_EXPIRED: + case AUTH_PASSWD_API_SUCCESS: + Serialization::Serialize(sendBuffer, cur_att); + Serialization::Serialize(sendBuffer, max_att); + Serialization::Serialize(sendBuffer, exp_time); + break; + + default: + break; + } } } else if (interfaceID == SOCKET_ID_SET) { if (hdr == PasswordHdrs::HDR_CHK_PASSWD_REUSED && retCode == AUTH_PASSWD_API_SUCCESS) diff --git a/src/server/service/policy-manager.cpp b/src/server/service/policy-manager.cpp index f999496..e6139b3 100644 --- a/src/server/service/policy-manager.cpp +++ b/src/server/service/policy-manager.cpp @@ -83,37 +83,37 @@ int PolicyManager::checkPolicy(unsigned int passwdType, if (!itPolicy->second.checkMinLength(newPassword)) { LogError("new passwd's minLength is invalid"); - return AUTH_PASSWD_API_ERROR_PASSWORD_INVALID; + return AUTH_PASSWD_API_ERROR_INVALID_MIN_LENGTH; } if (!itPolicy->second.checkMinComplexCharNumber(newPassword)) { LogError("new passwd's minComplexCharNumber is invalid"); - return AUTH_PASSWD_API_ERROR_PASSWORD_INVALID; + return AUTH_PASSWD_API_ERROR_INVALID_MIN_COMPLEX_CHAR_NUM; } if (!itPolicy->second.checkMaxCharOccurrences(newPassword)) { LogError("new passwd's maxCharOccurrences is invalid"); - return AUTH_PASSWD_API_ERROR_PASSWORD_INVALID; + return AUTH_PASSWD_API_ERROR_INVALID_MAX_CHAR_OCCURENCES; } if (!itPolicy->second.checkMaxNumSeqLength(newPassword)) { LogError("new passwd's maxNumSeqLength is invalid"); - return AUTH_PASSWD_API_ERROR_PASSWORD_INVALID; + return AUTH_PASSWD_API_ERROR_INVALID_MAX_NUM_SEQ_LENGTH; + } + + if (!itPolicy->second.checkForbiddenPasswds(newPassword)) { + LogError("new passwd is forbiddenPasswd"); + return AUTH_PASSWD_API_ERROR_INVALID_FORBIDDEN_PASSWORDS; } if (!itPolicy->second.checkQualityType(newPassword)) { LogError("new passwd's qualityType is invalid"); - return AUTH_PASSWD_API_ERROR_PASSWORD_INVALID; + return AUTH_PASSWD_API_ERROR_INVALID_QUALITY_TYPE; } if (!itPolicy->second.checkPattern(newPassword)) { LogError("new passwd's pattern is invalid"); - return AUTH_PASSWD_API_ERROR_PASSWORD_INVALID; - } - - if (!itPolicy->second.checkForbiddenPasswds(newPassword)) { - LogError("new passwd is forbiddenPasswd"); - return AUTH_PASSWD_API_ERROR_PASSWORD_INVALID; + return AUTH_PASSWD_API_ERROR_INVALID_PATTERN; } return AUTH_PASSWD_API_SUCCESS; @@ -185,6 +185,9 @@ int PolicyManager::setPolicy(Policy policy) break; + case POLICY_FORBIDDEN_PASSWDS: + break; + case POLICY_QUALITY_TYPE: if (policy.qualityType > AUTH_PWD_QUALITY_LAST) { LogError("Incorrect input param."); @@ -201,9 +204,6 @@ int PolicyManager::setPolicy(Policy policy) break; - case POLICY_FORBIDDEN_PASSWDS: - break; - default: LogError("Not supported policy type."); return AUTH_PASSWD_API_ERROR_INPUT_PARAM; @@ -248,6 +248,11 @@ int PolicyManager::setPolicy(Policy policy) itPolicy->second.setMaxNumSeqLength(policy.maxNumSeqLength); break; + case POLICY_FORBIDDEN_PASSWDS: + LogSecureDebug("forbiddenPasswds number: " << policy.forbiddenPasswds.size()); + itPolicy->second.setForbiddenPasswds(policy.forbiddenPasswds); + break; + case POLICY_QUALITY_TYPE: LogSecureDebug("qualityType: " << policy.qualityType); itPolicy->second.setQualityType(policy.qualityType); @@ -258,11 +263,6 @@ int PolicyManager::setPolicy(Policy policy) itPolicy->second.setPattern(policy.pattern); break; - case POLICY_FORBIDDEN_PASSWDS: - LogSecureDebug("forbiddenPasswds number: " << policy.forbiddenPasswds.size()); - itPolicy->second.setForbiddenPasswds(policy.forbiddenPasswds); - break; - default: LogError("Not supported policy type."); return AUTH_PASSWD_API_ERROR_INPUT_PARAM; |