people: Do not allow setting weak passwords
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 23 Oct 2018 09:13:05 +0000 (10:13 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 23 Oct 2018 09:13:05 +0000 (10:13 +0100)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
requirements.txt
src/backend/accounts.py

index 30d61b2c3c64079648e44eacdfef3fbb4014afcd..cf11beb77fa6536cd8f7addeecb53f434b382a36 100644 (file)
@@ -26,3 +26,4 @@ sshpubkeys==3.1.0
 textile==3.0.3
 tornado==4.4.2
 webencodings==0.5.1
+zxcvbn==4.4.27
index 605a2b0b770cfd03d3baf32bd6f066517e414026..07f141f7da37f2fecb575ce47a0e38ad75de1996 100644 (file)
@@ -12,6 +12,7 @@ import phonenumbers
 import sshpubkeys
 import urllib.parse
 import urllib.request
+import zxcvbn
 
 from . import util
 from .decorators import *
@@ -274,11 +275,16 @@ class Account(Object):
        def _delete_string(self, key, value):
                return self._delete_strings(key, [value,])
 
-       def passwd(self, new_password):
+       def passwd(self, password):
                """
                        Sets a new password
                """
-               self.ldap.passwd_s(self.dn, None, new_password)
+               # The new password must have a score of 3 or better
+               quality = self.check_password_quality(password)
+               if quality["score"] < 3:
+                       raise ValueError("Password too weak")
+
+               self.ldap.passwd_s(self.dn, None, password)
 
        def check_password(self, password):
                """
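Review bot: `passwd` hands the password to zxcvbn with no upper bound on its length, and zxcvbn's matching cost grows faster than linearly with input length, so one very long submission can keep the request busy well before `passwd_s` is reached. A cap ahead of the quality check would bound that cost, e.g. `if len(password) > MAX_PASSWORD_LENGTH: raise ValueError("Password too long")`, where the constant name is a placeholder. The helper called here, `check_password_quality` in the last hunk, passes only first and last name as `user_inputs`; if the account also exposes a uid or e-mail address (not visible in this diff), adding them would let the score penalise passwords built from those values. Renaming the parameter from `new_password` to `password` also breaks any caller that passes it by keyword, so the call sites are worth checking.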
@@ -306,6 +312,15 @@ class Account(Object):
 
                return True
 
+       def check_password_quality(self, password):
+               """
+                       Passwords are passed through zxcvbn to make sure
+                       that they are strong enough.
+               """
+               return zxcvbn.zxcvbn(password, user_inputs=(
+                       self.first_name, self.last_name,
+               ))
+
        def is_admin(self):
                return "wheel" in self.groups