add banned password list to the default deployments

owncloud · Nov 22, 2023 · f2c228f · f2c228f
1 parent 90f186a
commit f2c228f
Show file tree

Hide file tree

Showing 13 changed files with 51 additions and 2 deletions.
diff --git a/deployments/examples/oc10_ocis_parallel/config/ocis/banned-password-list.txt b/deployments/examples/oc10_ocis_parallel/config/ocis/banned-password-list.txt
@@ -0,0 +1,5 @@
+password
+12345678
+123
+ownCloud
+ownCloud-1
diff --git a/deployments/examples/oc10_ocis_parallel/docker-compose.yml b/deployments/examples/oc10_ocis_parallel/docker-compose.yml
@@ -124,7 +124,10 @@ services:
       OCIS_INSECURE: "${INSECURE:-false}"
       # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
       PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
+      # password policies
+      FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
     volumes:
+      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
       - ./config/ocis/proxy.yaml:/etc/ocis/proxy.yaml
       - ocis-config:/etc/ocis
       - ocis-data:/var/lib/ocis

diff --git a/deployments/examples/ocis_hello/config/ocis/banned-password-list.txt b/deployments/examples/ocis_hello/config/ocis/banned-password-list.txt
@@ -0,0 +1,5 @@
+password
+12345678
+123
+ownCloud
+ownCloud-1
diff --git a/deployments/examples/ocis_hello/docker-compose.yml b/deployments/examples/ocis_hello/docker-compose.yml
@@ -71,7 +71,10 @@ services:
       IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
       # demo users
       IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
+      # password policies
+      FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
     volumes:
+      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
       - ./config/ocis/proxy.yaml:/etc/ocis/proxy.yaml
       - ./config/ocis/web.yaml:/etc/ocis/web.yaml
       - ocis-config:/etc/ocis

diff --git a/deployments/examples/ocis_keycloak/config/ocis/banned-password-list.txt b/deployments/examples/ocis_keycloak/config/ocis/banned-password-list.txt
@@ -0,0 +1,5 @@
+password
+12345678
+123
+ownCloud
+ownCloud-1
diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -77,7 +77,10 @@ services:
       OCIS_EXCLUDE_RUN_SERVICES: "idp"
       GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
       GRAPH_USERNAME_MATCH: "none"
+      # password policies
+      FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
     volumes:
+      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
       - ocis-config:/etc/ocis
       - ocis-data:/var/lib/ocis
     labels:

diff --git a/deployments/examples/ocis_ldap/config/ocis/banned-password-list.txt b/deployments/examples/ocis_ldap/config/ocis/banned-password-list.txt
@@ -0,0 +1,5 @@
+password
+12345678
+123
+ownCloud
+ownCloud-1
diff --git a/deployments/examples/ocis_ldap/docker-compose.yml b/deployments/examples/ocis_ldap/docker-compose.yml
@@ -88,8 +88,10 @@ services:
       OCIS_INSECURE: "${INSECURE:-false}"
       # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
       PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
-      # admin user password
+      # password policies
+      FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
     volumes:
+      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
       - ocis-config:/etc/ocis
       - ocis-data:/var/lib/ocis
     labels:

diff --git a/deployments/examples/ocis_s3/docker-compose.yml b/deployments/examples/ocis_s3/docker-compose.yml
@@ -78,7 +78,10 @@ services:
       IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
       # demo users
       IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
+      # password policies
+      FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
     volumes:
+      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
       - ocis-config:/etc/ocis
       - ocis-data:/var/lib/ocis
     labels:

diff --git a/deployments/examples/ocis_traefik/config/ocis/banned-password-list.txt b/deployments/examples/ocis_traefik/config/ocis/banned-password-list.txt
@@ -0,0 +1,5 @@
+password
+12345678
+123
+ownCloud
+ownCloud-1
diff --git a/deployments/examples/ocis_traefik/docker-compose.yml b/deployments/examples/ocis_traefik/docker-compose.yml
@@ -57,7 +57,7 @@ services:
     command: ["-c", "ocis init || true; ocis server"]
     environment:
       OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
-      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
+      OCIS_LOG_LEVEL: debug
       OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
       PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
       # INSECURE: needed if oCIS / Traefik is using self generated certificates
@@ -74,7 +74,10 @@ services:
       NOTIFICATIONS_SMTP_SENDER: oCIS notifications <notifications@${OCIS_DOMAIN:-ocis.owncloud.test}>
       NOTIFICATIONS_SMTP_USERNAME: notifications@${OCIS_DOMAIN:-ocis.owncloud.test}
       NOTIFICATIONS_SMTP_INSECURE: "true" # the mail catcher uses self signed certificates
+      # password policies
+      FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
     volumes:
+      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
       - ocis-config:/etc/ocis
       - ocis-data:/var/lib/ocis
     labels:

diff --git a/deployments/examples/ocis_wopi/config/ocis/banned-password-list.txt b/deployments/examples/ocis_wopi/config/ocis/banned-password-list.txt
@@ -0,0 +1,5 @@
+password
+12345678
+123
+ownCloud
+ownCloud-1
diff --git a/services/frontend/pkg/revaconfig/config.go b/services/frontend/pkg/revaconfig/config.go
@@ -28,6 +28,8 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string
 	var bannedPasswordsList map[string]struct{}
 	if cfg.PasswordPolicy.BannedPasswordsList != "" {
 		bannedPasswordsList, err = readMultilineFile(cfg.PasswordPolicy.BannedPasswordsList)
+		fmt.Println("bannedPasswordsList")
+		fmt.Println(bannedPasswordsList)
 		if err != nil {
 			err = fmt.Errorf("failed to load the banned passwords from a file %s: %w", cfg.PasswordPolicy.BannedPasswordsList, err)
 			logger.Err(err).Send()