[FEATURE] Added Password deny list validator

Signed-off-by: Torben Hansen <derhansen@gmail.com>

.github/workflows/CodeQuality.yml

@@ -11,6 +11,7 @@ jobs:
       matrix:
         env:
           - { php: 8.1, coverage: 0}
+          - { php: 8.2, coverage: 0}
 
     env: ${{ matrix.env }}
 

Classes/PasswordPolicy/Validator/PasswordDenylistValidator.php

@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the Extension "add_pwd_policy" for TYPO3 CMS.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ */
+
+namespace Derhansen\AddPwdPolicy\PasswordPolicy\Validator;
+
+use TYPO3\CMS\Core\PasswordPolicy\Validator\AbstractPasswordValidator;
+use TYPO3\CMS\Core\PasswordPolicy\Validator\Dto\ContextData;
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+
+class PasswordDenylistValidator extends AbstractPasswordValidator
+{
+    private const IDENTIFIER = 'passwordDenylist';
+
+    public function validate(string $password, ?ContextData $contextData = null): bool
+    {
+        $lang = $this->getLanguageService();
+
+        $passwordDenylistPath = $this->getPasswordDenylistPath();
+        if ($passwordDenylistPath === '') {
+            return true;
+        }
+
+        $deniedPasswords = file($passwordDenylistPath, FILE_IGNORE_NEW_LINES);
+
+        $isValid = true;
+        if (is_array($deniedPasswords) && in_array($password, $deniedPasswords, true)) {
+            $this->addErrorMessage(
+                self::IDENTIFIER,
+                $lang->sL('LLL:EXT:add_pwd_policy/Resources/Private/Language/locallang.xlf:error.passwordDenylist')
+            );
+
+            $isValid = false;
+        }
+
+        return $isValid;
+    }
+
+    public function initializeRequirements(): void
+    {
+        if ($this->getPasswordDenylistPath() !== '') {
+            $this->addRequirement(
+                self::IDENTIFIER,
+                $this->getLanguageService()->sL('LLL:EXT:add_pwd_policy/Resources/Private/Language/locallang.xlf:requirement.passwordDenylist')
+            );
+        }
+    }
+
+    private function getPasswordDenylistPath(): string
+    {
+        $passwordDenylistPath = GeneralUtility::getFileAbsFileName($this->options['passwordDenylistFilepath'] ?? '');
+
+        if (is_file($passwordDenylistPath)) {
+            return $passwordDenylistPath;
+        }
+
+        return '';
+    }
+}

README.md

@@ -1,8 +1,5 @@
 # Additional Password Policy validators for TYPO3 CMS
 
-**Note, that this extension is still under development and should not be used
-in production.**
-
 This extension for TYPO3 CMS contains additional Password Policy validators for
 usage in TYPO3 12+ projects. It also adds an event listener for the
 `EnrichPasswordValidationContextDataEvent` PSR-14 event, so the context data
@@ -14,7 +11,8 @@ used for password validation is extended with the users email-address.
 
 #### Description:
 
-This validator ensures, that the given password is not part of a known data breach on haveibeenpwned.com
+This validator ensures, that the given password is not part of a known data
+breach on haveibeenpwned.com
 
 #### Options:
 * none
@@ -45,3 +43,24 @@ $GLOBALS['TYPO3_CONF_VARS']['SYS']['passwordPolicies']['default']['validators'][
     'excludeActions' => [],
 ];
 ```
+
+### Password deny list
+
+This validator ensures, that the given password is not part of a configurable
+list of denied passwords.
+
+The password file must contain one password for each line.
+
+#### Options:
+* `passwordDenylistFilepath` Relative path to password file. EXT: notation is allowed.
+
+#### Usage example
+
+```
+$GLOBALS['TYPO3_CONF_VARS']['SYS']['passwordPolicies']['default']['validators'][\Derhansen\AddPwdPolicy\PasswordPolicy\Validator\PasswordDenylistValidator::class] = [
+    'options' => [
+        'passwordDenylistFilepath' => 'EXT:add_pwd_policy/Resources/Private/Text/password_denylist.txt',
+    ],
+    'excludeActions' => [],
+];
+```

Resources/Private/Language/locallang.xlf

@@ -15,6 +15,12 @@
 			<trans-unit id="error.notUsername" resname="error.notUsername">
 				<source>The username must not be used in the password.</source>
 			</trans-unit>
+			<trans-unit id="requirement.passwordDenylist" resname="requirement.passwordDenylist">
+				<source>Must not be a denied password</source>
+			</trans-unit>
+			<trans-unit id="error.passwordDenylist" resname="error.passwordDenylist">
+				<source>The password is not accepted, because it is denied by configuration.</source>
+			</trans-unit>
 		</body>
 	</file>
 </xliff>