authorJeff Fearn <jfearn@redhat.com>2022-09-01 14:38:30 +1000
committerJeff Fearn <jfearn@redhat.com>2022-09-01 14:38:30 +1000
commitb83197296e620b94a12c1e74c7bfab6762467741 (patch)
tree5c18b1ba69c2c448b4a060f6d05cc8715cfd54d6 /template/en
parentBug 1910215 - Allow using name with Agile.Pool.get API call (diff)
Bug 1265066 - improve password check
Add support for zxcvbn password validation. Change-Id: I1b51d6d114ef04cb5d36a7295dd08f8b028dad37
Diffstat (limited to 'template/en')
-rw-r--r--template/en/default/account/email/confirm-new.html.tmpl41
-rw-r--r--template/en/default/account/password/set-forgotten-password.html.tmpl36
-rw-r--r--template/en/default/account/prefs/account.html.tmpl29
-rw-r--r--template/en/default/account/prefs/prefs.html.tmpl12
-rw-r--r--template/en/default/account/zxcvbn-check.html.tmpl26
-rw-r--r--template/en/default/admin/params/auth.html.tmpl4
-rw-r--r--template/en/default/admin/params/editparams.html.tmpl2
-rw-r--r--template/en/default/global/user-error.html.tmpl15
-rw-r--r--template/en/default/setup/strings.txt.pl5
9 files changed, 163 insertions, 7 deletions
diff --git a/template/en/default/account/email/confirm-new.html.tmpl b/template/en/default/account/email/confirm-new.html.tmpl
index 386c03242..950db7b58 100644
--- a/template/en/default/account/email/confirm-new.html.tmpl
+++ b/template/en/default/account/email/confirm-new.html.tmpl
@@ -12,9 +12,20 @@
# expiration_ts: expiration date of the token.
#%]
+[% javascript_urls = ['js/util.js', 'js/field.js'] %]
+
+[%# REDHAT EXTENSION START 1265066 %]
+[% IF feature_enabled('zxcvbn_passwords') %]
+ [% javascript_urls.push('js/zxcvbn-ts/core.js') %]
+ [% javascript_urls.push('js/zxcvbn-ts/language-common.js') %]
+ [% javascript_urls.push('js/zxcvbn-ts/language-en.js') %]
+[% END %]
+[%# REDHAT EXTENSION END 1265066 %]
+
[% title = BLOCK %]Create a new user account for '[% email FILTER html %]'[% END %]
[% PROCESS "global/header.html.tmpl"
title = title
+ javascript_urls = javascript_urls
%]
[% password_complexity = Param('password_complexity') %]
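Review bot: The three zxcvbn-ts bundles are queued whenever `feature_enabled('zxcvbn_passwords')` is true, but the strength meter is only rendered when `Param('password_complexity')` is also 'zxcvbn', so a site using another policy still ships this extra JavaScript on its account-creation page. Gating the pushes on the same condition as the meter, `[% IF feature_enabled('zxcvbn_passwords') && Param('password_complexity') == 'zxcvbn' %]`, keeps the script surface of the credential pages to what is actually used. `password_complexity` is only assigned after the header PROCESS here, so the condition has to call `Param()` directly. The same block appears in set-forgotten-password.html.tmpl and account/prefs/prefs.html.tmpl.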
@@ -38,10 +49,36 @@
<td><input id="realname" name="realname" autofocus></td>
</tr>
[% IF Bugzilla.can_use_password(email) %]
+
+ [%# REDHAT EXTENSION START 1265066 %]
+ [% IF feature_enabled('zxcvbn_passwords') &&
+ password_complexity == 'zxcvbn' %]
+ <tr>
+ <th>Note</th>
+ <td>
+
+ <p>[% terms.Bugzilla %] is using zxcvbn, a realistic password strength
+ estimator, to estimate password strength. As you enter your password
+ below the strength meter will update to indicate the strength of your
+ password. The strength needs to be 'Strong' to be accepted.</p>
+
+ <p>The client and server have slightly different implementations of this
+ feature. It is possible that some passwords that are rated strong in the
+ client are rated good on the server. In such cases you will need to make
+ your password slightly more complex for it to be accepted on the
+ server.</p>
+
+ </td>
+
+ </tr>
+ [% END %]
+ [%# REDHAT EXTENSION END 1265066 %]
<tr>
<th><label for="passwd1">Type your password</label>:</th>
<td>
<input type="password" id="passwd1" name="passwd1" value="" required>
+ [% IF !feature_enabled('zxcvbn_passwords') ||
+ password_complexity != 'zxcvbn' %]
(Password should be a minimum of [% constants.USER_PASSWORD_MIN_LENGTH FILTER none %] characters long
[% IF password_complexity == "mixed_letters" %]
and must contain at least one UPPER and one lowercase letter
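Review bot: The two explanatory paragraphs added in the Note row are repeated verbatim in set-forgotten-password.html.tmpl and account/prefs/account.html.tmpl, so any later wording fix has to be made three times. All three pages already PROCESS account/zxcvbn-check.html.tmpl, which applies the same feature-and-parameter condition, so the text could live in one small included block and be pulled in once. The statement that the server rating decides acceptance is worth keeping prominent, because the client-side meter is only advisory. The IF that wraps the legacy hint continues past the end of this hunk.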
@@ -51,8 +88,12 @@
and must contain at least one letter, a number and a special character
[% END ~%]
.)
+ [% END %]
</td>
</tr>
+
+ [% PROCESS 'account/zxcvbn-check.html.tmpl' password_id = 'passwd1' %]
+
<tr>
<th><label for="passwd2">Confirm your password</label>:</th>
<td><input type="password" id="passwd2" name="passwd2" value="" required></td>
diff --git a/template/en/default/account/password/set-forgotten-password.html.tmpl b/template/en/default/account/password/set-forgotten-password.html.tmpl
index eca11174f..4826118e1 100644
--- a/template/en/default/account/password/set-forgotten-password.html.tmpl
+++ b/template/en/default/account/password/set-forgotten-password.html.tmpl
@@ -6,12 +6,39 @@
# defined by the Mozilla Public License, v. 2.0.
#%]
+[% javascript_urls = ['js/util.js', 'js/field.js'] %]
+
+[% IF feature_enabled('zxcvbn_passwords') %]
+ [% javascript_urls.push('js/zxcvbn-ts/core.js') %]
+ [% javascript_urls.push('js/zxcvbn-ts/language-common.js') %]
+ [% javascript_urls.push('js/zxcvbn-ts/language-en.js') %]
+[% END %]
+
[% title = "Change Password" %]
-[% PROCESS global/header.html.tmpl %]
+[% PROCESS global/header.html.tmpl
+ javascript_urls = javascript_urls
+%]
[% password_complexity = Param('password_complexity') %]
<p>
To change your password, enter a new password twice:<br>
</p>
+
+[%# REDHAT EXTENSION START 1265066 %]
+[% IF feature_enabled('zxcvbn_passwords') &&
+ password_complexity == 'zxcvbn' %]
+
+<p>[% terms.Bugzilla %] is using zxcvbn, a realistic password strength
+estimator, to estimate password strength. As you enter your password below the
+strength meter will update to indicate the strength of your password. The
+strength needs to be 'Strong' to be accepted.</p>
+
+<p>The client and server have slightly different implementations of this
+feature. It is possible that some passwords that are rated strong in the client
+are rated good on the server. In such cases you will need to make your password
+slightly more complex for it to be accepted on the server.</p>
+
+[% ELSE %]
+[%# REDHAT EXTENSION END 1265066 %]
<ul>
<li>Password must be at least [% constants.USER_PASSWORD_MIN_LENGTH FILTER none %] characters long.</li>
[% IF password_complexity == "mixed_letters" %]
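Review bot: The REDHAT EXTENSION markers in this file do not bracket the change. The `javascript_urls` block at the top has no START/END comments, unlike the identical block in confirm-new.html.tmpl, and the `[% ELSE %]` sits inside the marked region while its closing `[% END %]` is added in the next hunk outside any marker. Anyone carrying this patch forward by marker can end up with half of the IF/ELSE and a template that no longer parses. I would add `[%# REDHAT EXTENSION START 1265066 %]` and `[%# REDHAT EXTENSION END 1265066 %]` around the script block and around the closing `[% END %]`. The `<ul>` that the ELSE branch wraps continues beyond this hunk.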
@@ -22,6 +49,7 @@
<li>Password must contain at least one letter, a number and a special character.</li>
[% END %]
</ul>
+[% END %]
<form method="post" action="token.cgi">
<input type="hidden" name="t" value="[% token FILTER html %]">
@@ -30,10 +58,12 @@
<tr>
<th>New password:</th>
<td>
- <input type="password" name="password" required>
+ <input type="password" name="password" id="password" required>
</td>
</tr>
-
+
+ [% PROCESS 'account/zxcvbn-check.html.tmpl' password_id = 'password' %]
+
<tr>
<th>Confirm new password:</th>
<td>
diff --git a/template/en/default/account/prefs/account.html.tmpl b/template/en/default/account/prefs/account.html.tmpl
index 5341dfb11..62f3b03d6 100644
--- a/template/en/default/account/prefs/account.html.tmpl
+++ b/template/en/default/account/prefs/account.html.tmpl
@@ -33,19 +33,46 @@
[% END %]
[% IF change_user.can_change_password %]
+ [%# REDHAT EXTENSION START 1265066 %]
+ [% IF feature_enabled('zxcvbn_passwords') &&
+ Param('password_complexity') == 'zxcvbn' %]
+ <tr>
+ <th>Note</th>
+ <td>
+
+ <p>[% terms.Bugzilla %] is using zxcvbn, a realistic password strength
+ estimator, to estimate password strength. As you enter your password
+ below the strength meter will update to indicate the strength of your
+ password. The strength needs to be 'Strong' to be accepted.</p>
+
+ <p>The client and server have slightly different implementations of this
+ feature. It is possible that some passwords that are rated strong in the
+ client are rated good on the server. In such cases you will need to make
+ your password slightly more complex for it to be accepted on the
+ server.</p> </td>
+
+ </tr>
+ [% END %]
+ [%# REDHAT EXTENSION END 1265066 %]
+
<tr>
<th>New password:</th>
<td>
- <input type="password" name="new_password1">
+ <input type="password" name="new_password1" id="new_password1">
</td>
</tr>
+ [% PROCESS 'account/zxcvbn-check.html.tmpl' password_id = 'new_password1' %]
+
<tr>
<th>Confirm new password:</th>
<td>
<input type="password" name="new_password2">
</td>
</tr>
+ <tr>
+ <td colspan="2"><hr></td>
+ </tr>
[% END %]
<tr>
diff --git a/template/en/default/account/prefs/prefs.html.tmpl b/template/en/default/account/prefs/prefs.html.tmpl
index 40168462e..14150133d 100644
--- a/template/en/default/account/prefs/prefs.html.tmpl
+++ b/template/en/default/account/prefs/prefs.html.tmpl
@@ -131,12 +131,22 @@
[% END %]
[% END %]
+[% javascript_urls = ['js/util.js', 'js/field.js', 'js/TUI.js'] %]
+
+[%# REDHAT EXTENSION START 1265066 %]
+[% IF feature_enabled('zxcvbn_passwords') %]
+ [% javascript_urls.push('js/zxcvbn-ts/core.js') %]
+ [% javascript_urls.push('js/zxcvbn-ts/language-common.js') %]
+ [% javascript_urls.push('js/zxcvbn-ts/language-en.js') %]
+[% END %]
+[%# REDHAT EXTENSION END 1265066 %]
+
[% PROCESS global/header.html.tmpl
title = current_tab.label
subheader = filtered_login
generate_api_token = 1
style_urls = ['skins/standard/admin.css']
- javascript_urls = ['js/util.js', 'js/field.js', 'js/TUI.js']
+ javascript_urls = javascript_urls
doc_section = current_tab.doc_section
doc_title = current_tab.doc_title
yui = ['autocomplete']
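Review bot: This header appears to be processed for every preferences tab (it takes its title from `current_tab.label`), yet only the account tab includes a password field, so the zxcvbn bundles are fetched on tabs that never call them. Consider adding the pushes only when the current tab is the account tab and `Param('password_complexity') == 'zxcvbn'`. A comment such as `[%# zxcvbn is only needed by the account tab's password field %]` would document the intent. The PROCESS call continues past the end of the hunk.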
diff --git a/template/en/default/account/zxcvbn-check.html.tmpl b/template/en/default/account/zxcvbn-check.html.tmpl
new file mode 100644
index 000000000..bbb36b6da
--- /dev/null
+++ b/template/en/default/account/zxcvbn-check.html.tmpl
@@ -0,0 +1,26 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #%]
+
+[%# INTERFACE:
+ # password_id: string. The ID of the password field to check.
+ #%]
+
+[%# REDHAT EXTENSION 1265066 %]
+
+[% IF feature_enabled('zxcvbn_passwords') &&
+ Param('password_complexity') == 'zxcvbn' %]
+ <tr>
+ <th>Password strength:</th>
+ <td>
+ <progress id="password_progress" value="0" max="100"></progress>
+ <span id="password_strength"></span>
+<script>
+$(document).ready(function() {
+ zxcvbnts_init('#[% password_id FILTER js %]', '#password_progress', '#password_strength');
+});
+</script>
+ </td>
+ </tr>
+[% END %]
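Review bot: The inline `<script>` block means these credential pages cannot be served under a Content-Security-Policy that forbids inline script unless a nonce or hash is added. The field id could instead be carried as data, e.g. `<progress id="password_progress" data-password-field="[% password_id FILTER html %]" value="0" max="100"></progress>`, and bound from one of the script files the header already loads; `zxcvbnts_init` is defined outside this diff, so where that binding belongs is for the author to confirm. The fixed ids `password_progress` and `password_strength` also mean the template can be included only once per page, which the INTERFACE comment should state. Separately, `<span id="password_strength">` would be announced to screen-reader users if it carried `role="status"`.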
diff --git a/template/en/default/admin/params/auth.html.tmpl b/template/en/default/admin/params/auth.html.tmpl
index 902d2fc82..d01b3adfa 100644
--- a/template/en/default/admin/params/auth.html.tmpl
+++ b/template/en/default/admin/params/auth.html.tmpl
@@ -132,7 +132,9 @@
"<li>letters_numbers - Passwords must contain at least one UPPER and one " _
"lower case letter and a number.</li>" _
"<li>letters_numbers_specialchars - Passwords must contain at least one " _
- "letter, a number and a special character.</li></ul>"
+ "letter, a number and a special character.</li>" _
+ "<li>zxcvbn - Passwords must be complex.</li>" _
+ "</ul>",
password_check_on_login =>
"If set, $terms.Bugzilla will check that the password meets the current " _
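Review bot: `zxcvbn - Passwords must be complex.` tells the administrator nothing about what is actually enforced. The user-facing templates in this commit say the estimate must reach 'Strong' and only show the meter when the `zxcvbn_passwords` feature is enabled, so the help text should say both, for example `"<li>zxcvbn - Passwords must be rated 'Strong' by the zxcvbn estimator (requires the zxcvbn_passwords feature).</li>" _`. What the server does when this value is selected without the feature installed is not visible here and is worth stating explicitly in the description. The parameter description hash continues outside the hunk.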
diff --git a/template/en/default/admin/params/editparams.html.tmpl b/template/en/default/admin/params/editparams.html.tmpl
index bee47c760..61b0f722f 100644
--- a/template/en/default/admin/params/editparams.html.tmpl
+++ b/template/en/default/admin/params/editparams.html.tmpl
@@ -89,7 +89,7 @@
[%# CONTENT PANEL %]
<form id="edit_params" method="post" action="editparams.cgi">
- <fieldset disabled>
+ <fieldset [% IF Param('disable_admin_ui') %] disabled [% END %]>
[% PROCESS admin/params/common.html.tmpl panel = current_panel %]
<input type="hidden" name="section" value="[% current_panel.name FILTER html %]">
<input type="hidden" name="action" value="save">
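Review bot: Replacing `<fieldset disabled>` with a conditional one re-enables the parameter editor by default, which is unrelated to the password-strength change in the commit title and deserves its own commit or at least a line in the description. The `disabled` attribute only stops a browser from submitting the fields; it is not an access control, so editparams.cgi has to refuse `action=save` itself when `disable_admin_ui` is set. That handler is not part of this diff, so please confirm it does. A comment above the fieldset, `[%# UI hint only; the save handler must enforce disable_admin_ui %]`, would keep the next reader from relying on the markup. The form continues past the end of the hunk.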
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 617bb5cb7..19a136e0d 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1544,6 +1544,21 @@
request a new password</a> in order to log in again.
[% END %]
+
+ [%# REDHAT EXTENSION START 1265066 %]
+ [% ELSIF error == "password_not_strong" %]
+ [% title = "Password Fails Requirements" %]
+
+ [% terms.Bugzilla %] is using zxcvbn, a realistic password strength
+ esitmator, to estimate password strength. According to zxcvbn your password
+ is not strong enough.
+
+ [% IF locked_user %]
+ You must <a href="token.cgi?a=reqpw&amp;loginname=[% locked_user.email FILTER uri %]&amp;token=[% issue_hash_token(['reqpw']) FILTER uri %]">
+ request a new password</a> in order to log in again.
+ [% END %]
+ [%# REDHAT EXTENSION END 1265066 %]
+
[% ELSIF error == "product_access_denied" %]
[% title = "Product Access Denied" %]
Either the product
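Review bot: The new message misspells 'estimator' as `esitmator` in user-visible text; the line should read `estimator, to estimate password strength. According to zxcvbn your password`. The message also gives the user no hint about what to change, whereas the account pages say the rating must be 'Strong'; repeating that here would make the error actionable. The `locked_user` link is copied from the preceding error branch, so a shared block would keep the two in step. The surrounding IF/ELSIF chain starts and ends outside this hunk.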
diff --git a/template/en/default/setup/strings.txt.pl b/template/en/default/setup/strings.txt.pl
index a00743c7f..8b5f2d8c1 100644
--- a/template/en/default/setup/strings.txt.pl
+++ b/template/en/default/setup/strings.txt.pl
@@ -429,6 +429,11 @@ END
WARNING: Dependency graph images are not accessible.
Delete ##dir##/.htaccess and re-run checksetup.pl.
END
+
+ ## REDHAT EXTENSION START 1265066
+ feature_zxcvbn_passwords => q{Dropbox's password strength estimation
+ library, zxcvbn},
+ ## REDHAT EXTENSION END 1265066
);
1;