
blueprints: add default Password policy #11793

Open
gergosimonyi wants to merge 9 commits into main from blueprints/harden-default-password-policies

Conversation

gergosimonyi (Collaborator)

REPLACE ME


Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)


netlify bot commented Oct 24, 2024

Deploy Preview for authentik-storybook canceled.

Name Link
🔨 Latest commit fac4735
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/672b8d7f922da30008fbf695


netlify bot commented Oct 24, 2024

Deploy Preview for authentik-docs canceled.

Name Link
🔨 Latest commit fac4735
🔍 Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/672b8d7f5d3cc000083d6c72


codecov bot commented Oct 24, 2024

❌ 2 Tests Failed:

Tests completed: 1592, Failed: 2, Passed: 1590, Skipped: 1

Both failures are in authentik.blueprints.tests.test_packaged.TestPackaged, which loads every packaged blueprint and asserts that it validates. The blueprints that no longer validate are blueprints/default/flow-password-change.yaml (2.06s run time) and blueprints/default/flow-oobe.yaml (2.28s run time). The failing frame is the same in both traces (.../blueprints/tests/test_packaged.py:30):

    def tester(self: TestPackaged):
        base = Path("blueprints/")
        rel_path = Path(file_name).relative_to(base)
        importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
>       self.assertTrue(importer.validate()[0])

    .../hostedtoolcache/Python/3.12.7............/x64/lib/python3.12/unittest/case.py:727: AssertionError
E   AssertionError: False is not true


@@ -11,6 +11,15 @@ entries:
slug: default-password-change
model: authentik_flows.flow
id: flow
- attrs:
check_have_i_been_pwned: true
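Review bot: `check_have_i_been_pwned: true` on the default password policy entry makes every password change depend on an outbound call to the Have I Been Pwned API, which an air-gapped instance cannot make, so a policy shipped in the default blueprints should not turn it on; default it to `false`, document HIBP as an opt-in in the hardening docs, and if the goal is the 800-63B blocklist requirement, `check_zxcvbn: true` gives an offline blocklist without the network dependency.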
Member


As much as I would like to enable this by default, we probably shouldn't enable this by default for airgapped instances.

Collaborator Author


Fair enough. I was going by NIST's

> verifiers SHALL compare the prospective secret against a blocklist that contains known commonly used, expected, or compromised passwords

but on second thought, I agree, defaulting to HIBP is a step too far.

Perhaps we can do something about that later. I'll remove it for now and add it to the hardening docs.

Member


We can set check_zxcvbn to true, which includes a blocklist.

Collaborator Author


That seems to work okay. Added.

I didn't add zxcvbn initially because I felt it was too much of a restriction (based on NIST). However, a score of 2 seems like it effectively adds the blocklist and some variations, but not much more.

Contributor

github-actions bot commented Oct 24, 2024

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-c2b91f58dbe0ebcd9c268f30a7d2818e49e335eb
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-c2b91f58dbe0ebcd9c268f30a7d2818e49e335eb-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-c2b91f58dbe0ebcd9c268f30a7d2818e49e335eb

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-c2b91f58dbe0ebcd9c268f30a7d2818e49e335eb-arm64

Afterwards, run the upgrade commands from the latest release notes.

@gergosimonyi gergosimonyi marked this pull request as ready for review October 25, 2024 06:13
@gergosimonyi gergosimonyi requested review from a team as code owners October 25, 2024 06:13
Contributor

@tanberry tanberry left a comment


Thanks for your time explaining the compliance, @gergosimonyi

gergosimonyi and others added 5 commits October 25, 2024 16:49
This change complies with the minimal compositional requirements by
NIST SP 800-63 Digital Identity Guidelines. See
https://pages.nist.gov/800-63-4/sp800-63b.html#password

More work is needed to comply with other parts of the Guidelines,
specifically

> If the chosen password is found on the blocklist, the CSP or verifier
> [...] SHALL provide the reason for rejection.

and

> Verifiers SHALL offer guidance to the subscriber to assist the user in
> choosing a strong password. This is particularly important following
> the rejection of a password on the blocklist as it discourages trivial
> modification of listed weak passwords.
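An added illustration of the two 800-63B points the discussion and the commit message above leave open: an offline blocklist comparison that needs no HIBP network call (so it works on an air-gapped instance), and a rejection that states the reason and offers guidance against trivial modification. This is example code, not authentik's password policy implementation; the blocklist and the substitution table are constructed samples.

```python
"""Illustrative NIST SP 800-63B blocklist check (added example; not authentik's code)."""
import unicodedata

# Constructed sample blocklist, stored in normalised form. A real deployment
# loads a large list of known-compromised passwords plus context-specific
# words (the service name, for instance); no outbound HIBP call is required.
BLOCKLIST = {"password", "letmein", "qwerty", "welcome", "authentik"}

# Common substitutions, undone before lookup so that a trivial modification of
# a listed password ("P@ssw0rd!") is still caught. Constructed for this example.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(candidate: str) -> str:
    """Canonical form used for the blocklist lookup.

    Unicode NFKC, lowercase, trailing digits and punctuation stripped
    ("Authentik2024" -> "authentik"), then leetspeak reversed.
    """
    text = unicodedata.normalize("NFKC", candidate).lower()
    return text.rstrip("0123456789!?.").translate(_LEET)


def check_password(candidate: str, blocklist=BLOCKLIST, min_length: int = 8):
    """Return (accepted, reason); reason is None when accepted.

    Every rejection names the rule that failed and gives guidance, which is
    the part of 800-63B the commit message notes as still to do.
    """
    if len(candidate) < min_length:
        return False, (f"Password is shorter than {min_length} characters; "
                       "a longer passphrase of several words is easier to remember.")
    if normalise(candidate) in blocklist:
        return False, ("Password is a commonly used or compromised password, or a "
                       "trivial variation of one; pick an unrelated passphrase "
                       "instead of modifying this one.")
    return True, None


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "short", "Authentik2024", "correct horse battery staple"):
        print(pw, "->", check_password(pw))
```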
@BeryJu BeryJu force-pushed the blueprints/harden-default-password-policies branch from 8413025 to 9065277 on October 25, 2024 15:11
gergosimonyi and others added 4 commits October 30, 2024 14:11
Co-authored-by: Tana M Berry <[email protected]>
Signed-off-by: Simonyi Gergő <[email protected]>
Co-authored-by: Jens L. <[email protected]>
Signed-off-by: Simonyi Gergő <[email protected]>
Signed-off-by: Jens Langhammer <[email protected]>
3 participants