This repository has been archived by the owner on Jan 17, 2018. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpassword_changer_api_complexity.inc
executable file
·494 lines (399 loc) · 19.3 KB
/
password_changer_api_complexity.inc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
<?php
// $Id$
/**
* @file
* Store the core function for the password complexity checker for the password
* changer API.
*
* This functions are back bone to the password complexity checker for the password
* changer API, it would be work in conjunction with password_changer_api.module.
*
*/
function password_changer_api_check_maximum_length_requirement($password, $module_list = array()) {
//Get register modules
$register_modules = (empty($module_list)) ? variable_get('password_changer_api_register_modules', array())
: $module_list;
//Get maximum length
$min_maximum = _password_changer_api_get_mim_maxlength( $register_modules);
if (strlen($password) > $min_maximum['value'] && $min_maximum != 0) {
watchdog('[password_changer_api_complexity][check_maximum_length_requirement]',
'Password is longer than the maximum length' . $min_maximum['value'] . ' require by system ' . $min_maximum['system'], WATCHDOG_INFO);
throw new passwordChangerApiExeption(t('Password is longer than the maximum length @maxlen require by system @system',
array( '@maxlen' => $min_maximum['value'], '@system' => $min_maximum['system'] )));
return array('status' => t('error'), 'message' => t('Password is longer than the maximum lent @maxlen require by system @system',
array( '@maxlen' => $min_maximum['value'], '@system' => $min_maximum['system'] )));
}
else {
return array('status' => t('success'), 'message' => t('Password passed length requirements'));
}
}
/*
* Function to check .
*
* @param string $password new password.
*
*/
function password_changer_api_check_minimum_length_requirement($password, $module_list = array()) {
//Get register modules
$register_modules = (empty($module_list)) ? variable_get('password_changer_api_register_modules', array())
:$module_list;
//Get minimum length
$max_minimum = _password_changer_api_get_max_minlength( $register_modules );
if (strlen($password) < $max_minimum['value'] && $max_minimum != 0) {
watchdog('[password_changer_api_complexity][_check_minimum_length_requirement]', 'Password is shorter than the minimum length ' .
$max_minimum['value'] . ' require by system ' . $max_minimum['system'], WATCHDOG_INFO);
throw new passwordChangerApiExeption(t('Password is shorter than the minimum length @minlen require by system @system',
array( '@minlen' => $max_minimum['value'], '@system' => $max_minimum['system'] )));
return array('status' => t('error'), 'message' => t('Password is shorter than the minimum length @minlen require by system @system',
array( '@minlen' => $max_minimum['value'], '@system' => $max_minimum['system'])));
}
else {
return array('status' => t('success'), 'message' => t('Password passed length requirements'));
}
}
/*
* Function to check that new password does not break complexity rules in any
* of the register modules. Throw an passwordChangerApiExeption exception if it
* breaks a complexity rule from any of the sub modules install.
*
* @param string $password new password.
*
* @param string $user_role use to check complexity by user role.
*
*/
function _password_changer_api_check_property_requirement($password, $user_role = NULL) {
//Get register module
$register_modules = variable_get('password_changer_api_register_modules', array());
//Modules list is in session
if (isset($_SESSION['permission_modules'])) {
//Create list modules with it's property
foreach($_SESSION['permission_modules'] AS $index => $module_name) {
$module_list[$module_name] = $register_modules[$module_name];
foreach($user_role AS $index => $role) {
if (isset( $module_list[$module_name]['#complexity'][$role])) {
$module_list[$module_name]['#complexity'] = $register_modules[$module_name]['#complexity'][$role];
break;
}
}
}
}
//Default regex values
$default_regex_values = array('symbols' => '/[^A-Za-z0-9]/',
'digit' => '/[0-9]/',
'upper_case' => '/[A-Z]/',
'lower_case' => '/[a-b]/',
);
//Default functions
$default_validate_function = array('max_length' => 'check_maximum_length_requirement',
'min_length' => 'check_minimum_length_requirement');
if (isset($_SESSION['permission_modules'])) {
//For modules that user has account
foreach ($_SESSION['permission_modules'] AS $index => $permission_module) {
//Check if the module has complexity rules
if(isset($module_list[$permission_module]['#complexity'])) {
//Foreach property in the complexity
foreach ($module_list[$permission_module]['#complexity'] AS $property_name => $property_value ) {
//Value set in the complexity array this could be a negative (deny)number
//positive(require at least) number or zero (allow)
$value = $property_value['value'];
//Regex patter
$pattern = NULL;
//If there is a regex function define for this property
//set it to the pattern
if (isset($default_regex_values[$property_name])) {
$pattern = $default_regex_values[$property_name];
}//If user has define a patter in the current property
elseif (isset($property_value['pattern'])) {
$pattern = $property_value['pattern'];
}
//If property has a pattern, value (negative number, positive number or zero)
//and new password set then check the patter and throw error if necessary.
if (!is_null($pattern) && isset($value) && isset($password)) {
_password_changer_api_check_pattern( $password, $pattern, $value, $property_value['error_message'] );
}
//Call functions define as default for max_length and min_length
if (isset($default_validate_function[$property_name])) {
//Throw an exception
module_invoke('password_changer_api', $default_validate_function[$property_name], $password, $module_list);
}
//Call validation function define by user
if (isset($property_value['validate_function'])) {
if (function_exists($property_value['validate_function'])) {
//Call user function
call_user_func_array($property_value['validate_function']);
}
}
// End of foreach
}
}
//Remove the complexity variable
unset($complexity);
}
}
}
/*
* Helper function to check if value is require and is not in the password
* or if value is deny and is part of the password.
*
* Helper function to detect if value is require at least a number of times
* and not in the password or deny and is part of the password. Throw a
* passwordChangerApiExeption if value deny and is password or require at
* least a number of times and is not in the password.
*
* @param string $password new password.
*
* @param string $pattern a php regex pattern to check in the password.
*
* @param int $value -1 deny, 0 allow and positive integer for require at least
* a number of times.
*
* @param $error_message error message that function is going to throw.
*
*/
function _password_changer_api_check_pattern($password, $pattern, $value, $error_message = 'Password complexity error.') {
//Check if password required upper case
$has_item = preg_match_all($pattern, $password, $matches);
//if is require and it does not have this value at lea
if ($value > 0 && $has_item < $value ) {
watchdog('[password_changer_api_complexity][password_changer_api_check_pattern]' ,
'Value is required and is not in the password.' .
$error_message, WATCHDOG_ERROR);
throw new passwordChangerApiExeption($error_message);
}//if is this value is deny and it has this value throw an error
elseif ($value < 0 && $has_item > 0 ) {
watchdog('[password_changer_api_complexity][password_changer_api_check_pattern]',
'Value is deny and is in the password' .
$error_message, WATCHDOG_ERROR);
throw new passwordChangerApiExeption($error_message);
}
}
/*
* Helper function to find the maximum number of the minimum password requirement.
*
* Helper function to find the maximum number withiEn all the minimum length values
* of the register modules.
*
* @param array $register_module an with all the register modules and their properties.
*
* @return integer $max_minlength the greater value of the minimum length requirement.
*
*/
function _password_changer_api_get_max_minlength( $register_module ) {
//Initialize the variable to empty values.
$max_minlength = array();
$max_minimum = 0;
//Get the max minimum
foreach ($register_module AS $module_name => $properties) {
//Check if complexity is not empty
if (!empty($properties['#complexity']['min_length']['value'])) {
if ( $max_minimum < $properties['#complexity']['min_length']['value'] ) {
$max_minimum = $properties['#complexity']['min_length']['value'];
$max_minlength['value'] = $max_minimum;
$max_minlength['system'] = $module_name;
}
}
}
if (empty($max_minlength)) {
watchdog( '[password_changer_api_complexity][_get_max_minlength]', 'None maximum minimum value set in the sub-modules.', WATCHDOG_INFO);
}
else {
watchdog( '[password_changer_api_complexity][_get_max_minlength]', 'Maximum minimum value between sub-modules is ' . $max_minlength['value'] . ' from sub module ' . $max_minlength['system'] , WATCHDOG_INFO);
}
//Return array with the max min and the module name
return $max_minlength;
}
/*
* Helper function to find the minimum number of the maximum length.
*
* Helper function to find the minimum number within all the maximum length values
* of all the register modules.
*
* @param array $register_module an with all the register modules and their properties.
*
* @return array $min_maximum the smallest value of the maximum length requirement.
*
*/
function _password_changer_api_get_mim_maxlength( $register_module ) {
//Initialize the variable to empty values.
$min_maxlength = array();
$min_maxlen = 99;
//Get the min max length
foreach ($register_module AS $module_name => $properties) {
//Check if complexity is not empty
if (!empty($properties['#complexity']['max_length']['value'])) {
if ($min_maxlen > $properties['#complexity']['max_length']['value']) {
$min_maxlen = $properties['#complexity']['max_length']['value'];
$min_maxlength['value'] = $min_maxlen;
$min_maxlength['system'] = $module_name;
}
}
}
//Return array with the min maximum length and the module name
//Log to watchdog.
if ( empty($min_maxlength) ) {
watchdog( '[password_changer_api_complexity][_get_mim_maxlength]', 'None minimum maximum value set in the sub-modules.', WATCHDOG_INFO);
}
else {
watchdog( '[password_changer_api_complexity][_get_mim_maxlength]', 'Maximum Minimum value between sub-modules is ' . $min_maxlength['value'] . ' from sub module ' . $min_maxlength['system'] , WATCHDOG_INFO);
}
//return
return $min_maxlength;
}
/*
* Check if there if there is global conflicts with password complexity rules.
*
* Check if there are any global conflicts with password complexity rules, if there
* an conflict throw error. If there is only one system with password complexity rule
* does not check for conflicts.
*
* @return boolean FALSE if there is no conflicts to resolved or TRUE if there is
* if there were no conflicts and throw and error if there were conflicts.
*
*/
function _password_changer_api_check_global_conflicts() {
watchdog('[password_changer_api_complexity][_check_global_conflicts]', 'Checking global conflicts for password changer.');
$register_modules = variable_get('password_changer_api_register_modules', array());
//Check if more than one module has complexity rules
if ($number_password_complexity = _password_changer_api_systems_with_complexity($register_modules) < 2) {
return FALSE;
}
//Get maximum length
$min_maximum = _password_changer_api_get_mim_maxlength($register_modules);
$max_minimum = _password_changer_api_get_max_minlength($register_modules);
//Check if there is a conflict between the maximum length and the minimum length
//if maximum minimum value is greater than minimum maximum value throw an error
if (isset($min_maximum['value'])&& isset($max_minimum['value'])) {
if ($min_maximum['value'] < $max_minimum['value']) {
watchdog('[password_changer_api_complexity][_check_global_conflicts]', '[CONFLICT] The maximum length of password
allow is smaller than the minimum password length allow.', WATCHDOG_ERROR);
throw new passwordChangerApiExeption('[CONFLICT] The maximum length of password allow is smaller than the minimum password length allow.');
}
}
//Get potential conflicts.
$potential_conflicts = _password_changer_api_get_potential_conflicts($register_modules);
//Check property is require and deny or allow and deny in different modules.
foreach ($potential_conflicts AS $property => $requirements ) {
if (isset($requirements['allow']) && isset($requirements['deny'])) {
watchdog('[password_changer_api_complexity][_check_global_conflicts]', "Module(s) @allow allow @property and module(s) @deny deny @property this is causing a conflict.",
array( '@allow' => trim($requirements['allow'], ','), '@property' => $property, '@deny' => trim($requirements['deny'], ',')),
WATCHDOG_ERROR);
throw new passwordChangerApiExeption('[CONFLICT]' . t("Module(s) @allow allow @property and module(s) @deny deny @property this is causing a conflict.",
array( '@allow' => trim($requirements['allow'], ','), '@property' => $property, '@deny' => trim($requirements['deny'], ','))) );
}
elseif (isset($requirements['require']) && isset($requirements['deny'])) {
watchdog('[password_changer_api_complexity][_check_global_conflicts]', "Module(s) @require require @property and module(s) @deny deny @property this is causing a conflict.",
array('@require' => trim($requirements['require'], ','), '@property' => $property, '@deny' => trim($requirements['deny'], ',')), WATCHDOG_ERROR);
throw new passwordChangerApiExeption('[CONFLICT] ' . t("Module(s) @require require @property and module(s) @deny deny @property this is causing a conflict.",
array('@require' => trim($requirements['require'], ','), '@property' => $property, '@deny' => trim($requirements['deny'], ','))) );
}
}
//If it reach this point then no conflicts detected.
return TRUE;
}
/*
* Check if there is more than one system with password complexity define.
*
* Helper function to check if there is more than one system with password complexity.
*
* @param array $register_module an with all the register modules and their properties.
*
* @return array $min_maximum value with the name of the module with the minimum
* maximum value.
*
* @param array $register_module store all register modules and their properties.
*
*/
function _password_changer_api_systems_with_complexity($register_modules) {
//Initializing variable
//How many modules have password complexity define
$number_password_complexity = 0;
//Loop through register modules to check if more than one has a register module
foreach ( $register_modules AS $module_name => $properties ) {
if (!empty($properties['#complexity'])) {
$number_password_complexity++;
}
else {
break;
}
}
//Return number of modules that have password complexity
return $number_password_complexity;
}
/*
* Helper function that returns a list properties and modules that deny and require
* the property.
*
* Helper function that returns a list properties (max_length, min_length, etc)
* and modules that deny and require that property.
*
* @param array $register_module an with all the register modules and their rules.
*
* @return array $potential_conflicts array build dynamically with properties and modules
* that deny or require the complexity rule.
*
*/
function _password_changer_api_get_potential_conflicts($register_module) {
//Create conflict
$potential_conflicts = array();
//for each register module
foreach ($register_module AS $module_name => $properties) {
//Check if they have complexity define
if (!empty($properties['#complexity'])) {
//foreach complexity property
foreach ($properties['#complexity'] AS $property_name => $property_value ) {
//if property is different the max_length or min_length
//NOTE: Length conflicts are check in _password_changer_api_check_global_conflicts
//the first if..
if ($property_name != 'max_length' && $property_name != 'min_length') {
//Module name out array
$name = print_r($module_name, TRUE);
//If property is set add module to the proper list, if
//require put it in the require list, if deny put in the
//deny list or if allow in the allow list.
if (isset($potential_conflicts[$property_name])) {
if ($property_value['value'] > 0) {
@$potential_conflicts[$property_name]['require'] .= $name . ',';
}
elseif ($property_value['value'] < 0) {
@$potential_conflicts[$property_name]['deny'] .= $name . ',';
}
else {
@$potential_conflicts[$property_name]['allow'] .= $name . ',';
}
}
//If property is not set create the list and add module
//to the proper list, if require in the require list
//if deny in the deny and list if allow in the allow list
else {
if ($property_value['value'] > 0) {
@$potential_conflicts[$property_name] = array('require' => $name . ',');
}
elseif ($property_value['value'] < 0) {
@$potential_conflicts[$property_name] = array('deny' => $name . ',');
}
else {
@$potential_conflicts[$property_name] = array('allow' => $name . ',');
}
}
}
}
}
}
//Return potential conflicts array
return $potential_conflicts;
}
/*
* Check password against the password complexity for each module install.
*
* @param string $password user new password.
*
* @param string $user_type modules could have different user types to and
* check of complexity base of user type.
*
*
*/
function password_changer_api_check_complexity($password, $user_role = NULL) {
_password_changer_api_check_property_requirement($password, $user_role);
//Call the module hook to change passwords
module_invoke_all('password_changer_api_check_complexity');
}