Validate passwords against compromised password lists (librenms#18380)

* Validate passwords against compromised password lists

* Revamp the user:add command WIP

* Working, but not a form

* Actual good implementation

* Improve validatePromptInput by returning a callable

* Apply fixes from StyleCI

* Add password.uncompromised setting

---------

Co-authored-by: StyleCI Bot <[email protected]>

Author: murrant

app/Console/Commands/AddUserCommand.php

@@ -29,76 +29,148 @@
 use App\Console\LnmsCommand;
 use App\Facades\LibrenmsConfig;
 use App\Models\User;
+use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\Rule;
-use LibreNMS\Authentication\LegacyAuth;
+use Illuminate\Validation\Rules\Password;
+use Illuminate\Validation\ValidationException;
 use Spatie\Permission\Models\Role;
 use Symfony\Component\Console\Input\InputArgument;
 use Symfony\Component\Console\Input\InputOption;
 
+use function Laravel\Prompts\form;
+
 class AddUserCommand extends LnmsCommand
 {
     protected $name = 'user:add';
 
-    /**
-     * Create a new command instance.
-     *
-     * @return void
-     */
     public function __construct()
     {
         parent::__construct();
 
         $this->setDescription(__('commands.user:add.description'));
-
-        $this->addArgument('username', InputArgument::REQUIRED);
+        $this->addArgument('username', InputArgument::OPTIONAL);
         $this->addOption('password', 'p', InputOption::VALUE_REQUIRED);
-        $this->addOption('role', 'r', InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY, __('commands.user:add.options.role', ['roles' => '[user, global-read, admin]']), ['user']);
+        $this->addOption('role', 'r', InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY,
+            __('commands.user:add.options.role', ['roles' => '[user, global-read, admin]']), default: ['user']);
         $this->addOption('email', 'e', InputOption::VALUE_REQUIRED);
         $this->addOption('full-name', 'l', InputOption::VALUE_REQUIRED);
         $this->addOption('descr', 's', InputOption::VALUE_REQUIRED);
     }
 
-    /**
-     * Execute the console command.
-     */
     public function handle(): int
     {
-        if (LibrenmsConfig::get('auth_mechanism') != 'mysql') {
+        if (LibrenmsConfig::get('auth_mechanism') !== 'mysql') {
             $this->warn(__('commands.user:add.wrong-auth'));
         }
 
-        $roles = Role::query()->pluck('name')
-            ->whenEmpty(fn () => collect(['admin', 'global-read', 'user']));
+        $availableRoles = Role::pluck('name')->whenEmpty(fn () => collect(['admin', 'global-read', 'user']))->all();
 
-        $this->validate([
-            'username' => ['required', Rule::unique('users', 'username')->where('auth_type', 'mysql')],
-            'email' => 'nullable|email',
-            'role.*' => Rule::in($roles),
-        ]);
-
-        // set get password
+        $username = $this->argument('username');
         $password = $this->option('password');
-        if (! $password) {
-            $password = $this->secret(__('commands.user:add.password-request'));
+        $roles = $this->option('role');
+        $roles = empty($roles) ? ['user'] : $roles;
+        $email = $this->option('email');
+        $fullName = $this->option('full-name');
+        $descr = $this->option('descr');
+
+        if ($username && $password) {
+            // cli input method
+            try {
+                Validator::make(['username' => $username], ['username' => $this->usernameRules()])->validate();
+                Validator::make(['password' => $password], ['password' => $this->passwordRules()])->validate();
+                Validator::make(['roles' => $roles],
+                    ['roles' => ['required', 'array', Rule::in($availableRoles)]])->validate();
+                Validator::make(['email' => $email], ['email' => ['nullable', 'email']])->validate();
+            } catch (ValidationException $e) {
+                $this->error($e->getMessage());
+
+                return 1;
+            }
+
+            $this->makeUser(
+                $username,
+                $password,
+                $roles,
+                $email,
+                $fullName,
+                $descr,
+            );
+
+            return 0;
         }
 
+        // interactive input
+        $data = form()
+            ->text(
+                label: __('commands.user:add.form.username'),
+                default: $username ?? '',
+                required: true,
+                validate: $this->validatePromptInput('username', $this->usernameRules())
+            )
+            ->password(
+                label: __('commands.user:add.form.password'),
+                required: true,
+                validate: $this->validatePromptInput('password', $this->passwordRules())
+            )
+            ->multiselect(
+                label: __('commands.user:add.form.roles'),
+                options: $availableRoles,
+                default: $roles,
+                required: true,
+            )
+            ->text(
+                label: __('commands.user:add.form.email'),
+                default: $email ?? '',
+                validate: $this->validatePromptInput('email', ['nullable', 'email'])
+            )
+            ->text(__('commands.user:add.form.full-name'), default: $fullName ?? '')
+            ->text(__('commands.user:add.form.descr'), default: $descr ?? '')
+            ->submit();
+
+        $this->makeUser(...$data);
+
+        return 0;
+    }
+
+    private function usernameRules(): array
+    {
+        return [
+            'required',
+            'string',
+            'max:255',
+            Rule::unique('users', 'username')->where('auth_type', 'mysql'),
+        ];
+    }
+
+    private function passwordRules(): array
+    {
+        return [
+            'required',
+            Password::defaults(),
+        ];
+    }
+
+    private function makeUser(
+        string $username,
+        string $password,
+        array $roles,
+        ?string $email,
+        ?string $fullName,
+        ?string $descr,
+    ): void {
         $user = new User([
-            'username' => $this->argument('username'),
-            'descr' => $this->option('descr'),
-            'email' => $this->option('email'),
-            'realname' => $this->option('full-name'),
+            'username' => $username,
+            'realname' => $fullName,
+            'email' => $email,
+            'descr' => $descr,
             'auth_type' => 'mysql',
         ]);
 
         $user->setPassword($password);
-        $user->save();
-        $user->assignRole($this->option('role'));
-
-        $user->auth_id = (string) LegacyAuth::get()->getUserid($user->username) ?: $user->user_id;
+        $user->save(); // assign roles requires a user_id
+        $user->assignRole($roles);
         $user->save();
 
         $this->info(__('commands.user:add.success', ['username' => $user->username]));
-
-        return 0;
     }
 }

app/Console/LnmsCommand.php

@@ -185,6 +185,19 @@ protected function configureOutputOptions(): void
         }
     }
 
+    protected function validatePromptInput(string $attributeName, string|array $rules): callable
+    {
+        return function (string|array $value) use ($attributeName, $rules): ?string {
+            $validator = Validator::make([$attributeName => $value], [$attributeName => $rules]);
+
+            if ($validator->fails()) {
+                return $validator->errors()->first($attributeName);
+            }
+
+            return null;
+        };
+    }
+
     private function getCallable(string $type, string $name): ?callable
     {
         if (empty($this->{'option' . $type}[$name])) {

app/Http/Controllers/Install/MakeUserController.php

@@ -30,6 +30,7 @@
 use Illuminate\Database\QueryException;
 use Illuminate\Http\Request;
 use Illuminate\Support\Arr;
+use Illuminate\Validation\Rules\Password;
 use LibreNMS\Interfaces\InstallerStep;
 
 class MakeUserController extends InstallationController implements InstallerStep
@@ -63,7 +64,7 @@ public function create(Request $request)
     {
         $this->validate($request, [
             'username' => 'required',
-            'password' => 'required',
+            'password' => ['required', Password::defaults()],
         ]);
 
         $message = trans('install.user.failure');

app/Http/Requests/StoreUserRequest.php

@@ -2,10 +2,10 @@
 
 namespace App\Http\Requests;
 
-use App\Facades\LibrenmsConfig;
 use App\Models\User;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Validation\Rule;
+use Illuminate\Validation\Rules\Password;
 use LibreNMS\Authentication\LegacyAuth;
 use Spatie\Permission\Models\Role;
 
@@ -48,7 +48,7 @@ public function rules(): array
             'descr' => 'nullable|max:30|alpha_space',
             'roles' => 'array',
             'roles.*' => 'exists:roles,name',
-            'new_password' => 'required|confirmed|min:' . LibrenmsConfig::get('password.min_length', 8),
+            'new_password' => ['required', 'confirmed', Password::defaults()],
             'dashboard' => 'int',
         ];
     }

app/Http/Requests/UpdateUserRequest.php

@@ -2,11 +2,11 @@
 
 namespace App\Http\Requests;
 
-use App\Facades\LibrenmsConfig;
 use App\Models\User;
 use Hash;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Validation\Rule;
+use Illuminate\Validation\Rules\Password;
 use Spatie\Permission\Models\Role;
 
 class UpdateUserRequest extends FormRequest
@@ -48,7 +48,7 @@ public function rules(): array
                 'realname' => 'nullable|max:64|alpha_space',
                 'email' => 'nullable|email|max:64',
                 'descr' => 'nullable|max:30|alpha_space',
-                'new_password' => 'nullable|confirmed|min:' . LibrenmsConfig::get('password.min_length', 8),
+                'new_password' => ['nullable', 'confirmed', Password::defaults()],
                 'new_password_confirmation' => 'nullable|same:new_password',
                 'dashboard' => 'int',
                 'roles' => 'array',
@@ -63,7 +63,7 @@ public function rules(): array
             'email' => 'nullable|email|max:64',
             'descr' => 'nullable|max:30|alpha_space',
             'old_password' => 'nullable|string',
-            'new_password' => 'nullable|confirmed|min:' . LibrenmsConfig::get('password.min_length', 8),
+            'new_password' => ['nullable', 'confirmed', Password::defaults()],
             'new_password_confirmation' => 'nullable|same:new_password',
             'dashboard' => 'int',
         ];

app/Providers/AppServiceProvider.php

@@ -13,6 +13,7 @@
 use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\ServiceProvider;
+use Illuminate\Validation\Rules\Password;
 use LibreNMS\Cache\PermissionsCache;
 use LibreNMS\Util\IP;
 use LibreNMS\Util\Validate;
@@ -77,6 +78,16 @@ public function boot(): void
         $this->bootObservers();
         Version::registerAboutCommand();
 
+        Password::defaults(function () {
+            $validation = Password::min(LibrenmsConfig::get('password.min_length', 8));
+
+            if (LibrenmsConfig::get('password.uncompromised', true)) {
+                $validation->uncompromised();
+            }
+
+            return $validation;
+        });
+
         $this->bootAuth();
     }
 

lang/en/commands.php

@@ -300,7 +300,14 @@
             'full-name' => 'Full name for the user',
             'role' => 'Set the user to the desired role :roles',
         ],
-        'password-request' => "Please enter the user's password",
+        'form' => [
+            'username' => 'Username',
+            'password' => 'Password',
+            'roles' => 'Select user role(s)',
+            'email' => 'Email (optional)',
+            'full-name' => 'Full name (optional)',
+            'descr' => 'Description (optional)',
+        ],
         'success' => 'Successfully added user: :username',
         'wrong-auth' => 'Warning! You will not be able to log in with this user because you are not using MySQL auth',
     ],

lang/en/settings.php

@@ -1588,6 +1588,10 @@
                 'description' => 'Minimum password length',
                 'help' => 'Passwords shorter than the given length will be rejected',
             ],
+            'uncompromised' => [
+                'description' => 'Require password to be uncompromised',
+                'help' => 'Checks password against HaveIBeenPwned database using k-anonymity',
+            ],
         ],
         'peeringdb' => [
             'enabled' => [

resources/definitions/config_definitions.json

@@ -5836,6 +5836,13 @@
             "section": "general",
             "order": 6
         },
+        "password.uncompromised": {
+            "default": true,
+            "type": "boolean",
+            "group": "auth",
+            "section": "general",
+            "order": 7
+        },
         "peering_descr": {
             "default": [
                 "peering"
@@ -6382,7 +6389,7 @@
             "default": false,
             "group": "auth",
             "section": "general",
-            "order": 7,
+            "order": 20,
             "type": "boolean"
         },
         "radius.default_roles": {