feat: entropy of user password is now checked by attributes passed from authsource

Created by: xpavlic

lib/Auth/Process/SwitchAuth.php

@@ -60,6 +60,12 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
      */
     private $mfa_enforced;
 
+    private $check_entropy = false;
+
+    private $sfa_alphabet_attr;
+
+    private $sfa_len_attr;
+
     /**
      * @override
      *
@@ -87,6 +93,9 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
             $this->max_user_capability_attr
         );
         $this->max_auth = $config->getString('max_auth', $this->max_auth);
+        $this->sfa_alphabet_attr = $config->getString('sfa_alphabet_attr', $this->sfa_alphabet_attr);
+        $this->sfa_len_attr = $config->getString('sfa_len_attr', $this->sfa_len_attr);
+        $this->check_entropy = $config->getBoolean('check_entropy', $this->check_entropy);
     }
 
     /**
@@ -117,6 +126,7 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
             $usersCapabilities,
             $state,
             $upstreamContext,
+            !$this->check_entropy || $this->checkSfaEntropy($state['Attributes']),
             $this->mfa_enforced
         );
 
@@ -174,6 +184,26 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
         }
     }
 
+    private function checkSfaEntropy($attributes)
+    {
+        if (!$this->sfa_len_attr || !$this->sfa_alphabet_attr || !in_array(
+            $this->sfa_alphabet_attr,
+            $attributes,
+            true
+        ) || !in_array($this->sfa_len_attr, $attributes, true)) {
+            return false;
+        }
+
+        if ($attributes[$this->sfa_alphabet_attr] >= 52 && $attributes[$this->sfa_len_attr] >= 12) {
+            return true;
+        }
+        if ($attributes[$this->sfa_alphabet_attr] >= 72 && $attributes[$this->sfa_len_attr] >= 8) {
+            return true;
+        }
+
+        return false;
+    }
+
     /**
      * Handle NoAuthnContext errors by SAML responses.
      *

[Pavel Břoušek]

Created by: melanger

This would mean a breaking change, because the original behavior is that anything satisfies SFA.

Please change the code - if sfa_len_attr or sfa_alphabet_attr is not set, log a message with level INFO, that authswitcher could not check REFEDS SFA, so it assumes it was fulfiled. When the attribute config options are set, do the new behavior and return false here.

Also update README - mention that if those 2 new options are not set, it is assumed that all passwords satisfy REFEDS SFA, and explain how to use them.

[Pavel Břoušek]

Created by: xpavlic

For this case I added $check_entropy config option with false as default value. But this solution is probably better.