public inbox for pbs-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pbs-devel] [PATCH proxmox-backup 0/3] implement a minimum length of 8 characters for new passwords
@ 2024-10-04 13:40 Shannon Sterz
  2024-10-04 13:40 ` [pbs-devel] [PATCH proxmox-backup 1/3] api: ignore password parameter in the update_user endpoint Shannon Sterz
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Shannon Sterz @ 2024-10-04 13:40 UTC (permalink / raw)
  To: pbs-devel

this patch series aims to implement a minimum length of 8 characters for
new passwords. this is more in line with NIST's current recommendations
[1].

the first patch in this series also ignores the `password` parameter in
the update user endpoint, as it is currently redundant. see the commit
for more info.

[1]: https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver

Shannon Sterz (3):
  api: ignore password parameter in the update_user endpoint
  api: enforce minimum character limit of 8 on new passwords
  ui: set min length for new passwords to 8

 pbs-api-types/src/lib.rs |  2 +-
 src/api2/access/mod.rs   |  4 ++--
 src/api2/access/user.rs  | 32 +++++++++++---------------------
 www/config/UserView.js   |  1 +
 www/window/UserEdit.js   |  2 +-
 5 files changed, 16 insertions(+), 25 deletions(-)

--
2.39.5



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pbs-devel] [PATCH proxmox-backup 1/3] api: ignore password parameter in the update_user endpoint
  2024-10-04 13:40 [pbs-devel] [PATCH proxmox-backup 0/3] implement a minimum length of 8 characters for new passwords Shannon Sterz
@ 2024-10-04 13:40 ` Shannon Sterz
  2024-10-04 13:40 ` [pbs-devel] [PATCH proxmox-backup 2/3] api: enforce minimum character limit of 8 on new passwords Shannon Sterz
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Shannon Sterz @ 2024-10-04 13:40 UTC (permalink / raw)
  To: pbs-devel

currently if a password is provided, we check whether the user that is
going to be updated can authenticate with it. later on, the password
is then set as the same password. this means that the password here
can only be changed if it is the exact same one that is already used.

so in essence, the password cannot be changed through this endpoint
already. remove all of this logic here in favor of the
`PUT /access/password` endpoint.

to keep the api stable for now, just ignore the parameter and add a
description that explains what to use instead.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 src/api2/access/user.rs | 32 +++++++++++---------------------
 1 file changed, 11 insertions(+), 21 deletions(-)

diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
index 1b4adaf8..6101d5f1 100644
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@@ -12,8 +12,8 @@ use proxmox_tfa::api::TfaConfig;
 
 use pbs_api_types::{
     ApiToken, Authid, Tokenname, User, UserUpdater, UserWithTokens, Userid, ENABLE_USER_SCHEMA,
-    EXPIRE_USER_SCHEMA, PBS_PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT,
-    PROXMOX_CONFIG_DIGEST_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA,
+    EXPIRE_USER_SCHEMA, PASSWORD_FORMAT, PBS_PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY,
+    PRIV_SYS_AUDIT, PROXMOX_CONFIG_DIGEST_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA,
 };
 use pbs_config::token_shadow;
 
@@ -223,7 +223,11 @@ pub enum DeletableProperty {
                 flatten: true,
             },
             password: {
-                schema: PBS_PASSWORD_SCHEMA,
+                type: String,
+                description: "This parameter is ignored, please use 'PUT /access/password' to change a user's password",
+                min_length: 1,
+                max_length: 1024,
+                format: &PASSWORD_FORMAT,
                 optional: true,
             },
             delete: {
@@ -247,7 +251,7 @@ pub enum DeletableProperty {
         ]),
     },
 )]
-/// Update user configuration.
+/// Update user configuration. To change a user's password use the 'PUT /access/password' endpoint.
 #[allow(clippy::too_many_arguments)]
 pub async fn update_user(
     userid: Userid,
@@ -255,11 +259,10 @@ pub async fn update_user(
     password: Option<String>,
     delete: Option<Vec<DeletableProperty>>,
     digest: Option<String>,
-    rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<(), Error> {
-    if password.is_some() {
-        super::user_update_auth(rpcenv, &userid, password.as_deref(), false).await?;
-    }
+    // ignore password here, updating passwords should happen through 'PUT /access/password'
+    // TODO: Remove with PBS 4
+    let _ = password;
 
     let _lock = pbs_config::user::lock_config()?;
 
@@ -300,19 +303,6 @@ pub async fn update_user(
         data.expire = if expire > 0 { Some(expire) } else { None };
     }
 
-    if let Some(password) = password {
-        let user_info = CachedUserInfo::new()?;
-        let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
-        let self_service = current_auth_id.user() == &userid;
-        let target_realm = userid.realm();
-        if !self_service && target_realm == "pam" && !user_info.is_superuser(&current_auth_id) {
-            bail!("only superuser can edit pam credentials!");
-        }
-        let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
-        let client_ip = rpcenv.get_client_ip().map(|sa| sa.ip());
-        authenticator.store_password(userid.name(), &password, client_ip.as_ref())?;
-    }
-
     if let Some(firstname) = update.firstname {
         data.firstname = if firstname.is_empty() {
             None
-- 
2.39.5



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pbs-devel] [PATCH proxmox-backup 2/3] api: enforce minimum character limit of 8 on new passwords
  2024-10-04 13:40 [pbs-devel] [PATCH proxmox-backup 0/3] implement a minimum length of 8 characters for new passwords Shannon Sterz
  2024-10-04 13:40 ` [pbs-devel] [PATCH proxmox-backup 1/3] api: ignore password parameter in the update_user endpoint Shannon Sterz
@ 2024-10-04 13:40 ` Shannon Sterz
  2024-10-04 13:40 ` [pbs-devel] [PATCH proxmox-backup 3/3] ui: set min length for new passwords to 8 Shannon Sterz
  2024-11-25 14:53 ` [pbs-devel] applied-series: [PATCH proxmox-backup 0/3] implement a minimum length of 8 characters for new passwords Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Shannon Sterz @ 2024-10-04 13:40 UTC (permalink / raw)
  To: pbs-devel

we already have two different password schemas, `PBS_PASSWORD_SCHEMA`
being the stricter one, which ensures a minimum length of new
passwords. however, this wasn't used on the change password endpoint
before, so add it there too. this is also in-line with NIST's latest
recommendations [1].

[1]: https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 pbs-api-types/src/lib.rs | 2 +-
 src/api2/access/mod.rs   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 635292a5..acc2e65a 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -208,7 +208,7 @@ pub const OPENSSL_CIPHERS_TLS_1_3_SCHEMA: Schema =
 
 pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
     .format(&PASSWORD_FORMAT)
-    .min_length(5)
+    .min_length(8)
     .max_length(64)
     .schema();
 
diff --git a/src/api2/access/mod.rs b/src/api2/access/mod.rs
index a60f0f86..832cdc66 100644
--- a/src/api2/access/mod.rs
+++ b/src/api2/access/mod.rs
@@ -13,7 +13,7 @@ use proxmox_schema::api;
 use proxmox_sortable_macro::sortable;
 
 use pbs_api_types::{
-    Authid, User, Userid, ACL_PATH_SCHEMA, PASSWORD_FORMAT, PASSWORD_SCHEMA, PRIVILEGES,
+    Authid, User, Userid, ACL_PATH_SCHEMA, PASSWORD_FORMAT, PBS_PASSWORD_SCHEMA, PRIVILEGES,
     PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT,
 };
 use pbs_config::acl::AclTreeNode;
@@ -75,7 +75,7 @@ async fn user_update_auth<S: AsRef<str>>(
                 type: Userid,
             },
             password: {
-                schema: PASSWORD_SCHEMA,
+                schema: PBS_PASSWORD_SCHEMA,
             },
             "confirmation-password": {
                 type: String,
-- 
2.39.5



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pbs-devel] [PATCH proxmox-backup 3/3] ui: set min length for new passwords to 8
  2024-10-04 13:40 [pbs-devel] [PATCH proxmox-backup 0/3] implement a minimum length of 8 characters for new passwords Shannon Sterz
  2024-10-04 13:40 ` [pbs-devel] [PATCH proxmox-backup 1/3] api: ignore password parameter in the update_user endpoint Shannon Sterz
  2024-10-04 13:40 ` [pbs-devel] [PATCH proxmox-backup 2/3] api: enforce minimum character limit of 8 on new passwords Shannon Sterz
@ 2024-10-04 13:40 ` Shannon Sterz
  2024-11-25 14:53 ` [pbs-devel] applied-series: [PATCH proxmox-backup 0/3] implement a minimum length of 8 characters for new passwords Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Shannon Sterz @ 2024-10-04 13:40 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 www/config/UserView.js | 1 +
 www/window/UserEdit.js | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/config/UserView.js b/www/config/UserView.js
index 812cad39..418dc122 100644
--- a/www/config/UserView.js
+++ b/www/config/UserView.js
@@ -61,6 +61,7 @@ Ext.define('PBS.config.UserView', {
 	    Ext.create('Proxmox.window.PasswordEdit', {
 		userid: selection[0].data.userid,
 		confirmCurrentPassword: Proxmox.UserName !== 'root@pam',
+		minLength: 8,
 	    }).show();
 	},
 
diff --git a/www/window/UserEdit.js b/www/window/UserEdit.js
index d2f4b316..bdedb6fc 100644
--- a/www/window/UserEdit.js
+++ b/www/window/UserEdit.js
@@ -91,7 +91,7 @@ Ext.define('PBS.window.UserEdit', {
 		xtype: 'textfield',
 		inputType: 'password',
 		fieldLabel: gettext('Password'),
-		minLength: 5,
+		minLength: 8,
 		allowBlank: false,
 		name: 'password',
 		listeners: {
-- 
2.39.5



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pbs-devel] applied-series: [PATCH proxmox-backup 0/3] implement a minimum length of 8 characters for new passwords
  2024-10-04 13:40 [pbs-devel] [PATCH proxmox-backup 0/3] implement a minimum length of 8 characters for new passwords Shannon Sterz
                   ` (2 preceding siblings ...)
  2024-10-04 13:40 ` [pbs-devel] [PATCH proxmox-backup 3/3] ui: set min length for new passwords to 8 Shannon Sterz
@ 2024-11-25 14:53 ` Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2024-11-25 14:53 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Shannon Sterz

Am 04.10.24 um 15:40 schrieb Shannon Sterz:
> this patch series aims to implement a minimum length of 8 characters for
> new passwords. this is more in line with NIST's current recommendations
> [1].
> 
> the first patch in this series also ignores the `password` parameter in
> the update user endpoint, as it is currently redundant. see the commit
> for more info.
> 
> [1]: https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver
> 
> Shannon Sterz (3):
>   api: ignore password parameter in the update_user endpoint
>   api: enforce minimum character limit of 8 on new passwords
>   ui: set min length for new passwords to 8
> 
>  pbs-api-types/src/lib.rs |  2 +-
>  src/api2/access/mod.rs   |  4 ++--
>  src/api2/access/user.rs  | 32 +++++++++++---------------------
>  www/config/UserView.js   |  1 +
>  www/window/UserEdit.js   |  2 +-
>  5 files changed, 16 insertions(+), 25 deletions(-)
> 
> --
> 2.39.5
> 

applied, thanks!


_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2024-11-25 14:53 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-10-04 13:40 [pbs-devel] [PATCH proxmox-backup 0/3] implement a minimum length of 8 characters for new passwords Shannon Sterz
2024-10-04 13:40 ` [pbs-devel] [PATCH proxmox-backup 1/3] api: ignore password parameter in the update_user endpoint Shannon Sterz
2024-10-04 13:40 ` [pbs-devel] [PATCH proxmox-backup 2/3] api: enforce minimum character limit of 8 on new passwords Shannon Sterz
2024-10-04 13:40 ` [pbs-devel] [PATCH proxmox-backup 3/3] ui: set min length for new passwords to 8 Shannon Sterz
2024-11-25 14:53 ` [pbs-devel] applied-series: [PATCH proxmox-backup 0/3] implement a minimum length of 8 characters for new passwords Thomas Lamprecht

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal