IBX-5361: Implemented handling of NotCompromisedPassword constraint

[glye]

Question	Answer
JIRA issue	IBX-5361
Type	feature
Target Ibexa version	v4.5
BC breaks	no

Implement the https://haveibeenpwned.com/ API, to verify that passwords do not exist in known password dumps from security breaches, using Symfony's NotCompromisedPassword constraint. Disabled by default, for BC and for not doing requests to this external API without the knowledge of the site owners.

Admin UI for this: ibexa/admin-ui#750

Documentation
The password rules page would need documentation for this feature.

Limitations
Since this is done in the password validator, and passwords are only validated when created or changed, there is no warning message when already existing bad passwords are used to log in. That could also be useful, but it means a whole lot more requests to this API, most of which would be pointless repetitions. We could limit it to only one check per password hash, and unset that bit when the hash changes. But if the check is enabled, further login checks are again pointless, so we'd need to take that into account too, and it gets complicated. Might be better to just add an extra button to the login form: "Check if my password has been exposed". Then the users have the choice. But let's do that in a separate PR, if at all.

Our permission to use the API
AFAICT, while you need to buy an API key to use the email/username based haveibeenpwned search, there is no such requirement for the password based search. There is also no rate limiting or attribution requirement, as they say: "In order to help maximise adoption, there is no licencing or attribution requirements on the Pwned Passwords API, although it is welcomed if you would like to include it." https://haveibeenpwned.com/API/v3
It would be nice of us to attribute them anyway, and donate/sponsor, of course.

Checklist:

• Provided PR description.
• Tested the solution manually.
• Provided automated test coverage.
• Checked that target branch is set correctly (main for features, the oldest supported for bugs).
• Ran PHP CS Fixer for new PHP code (use $ composer fix-cs).
• Setting in User fieldtype, see IBX-5361: Use NotCompromisedPassword constraint admin-ui#750
• Attribution, see IBX-5361: Use NotCompromisedPassword constraint admin-ui#750
• Asked for a review (ping @ibexa/engineering).

Screenshot

[adamwojs]

@glye Could you please take a look on CI failure ?

[adamwojs]

@adamwojs You agree the feature is useful, right?

Indeed, but please ensure that we can safety use https://haveibeenpwned.com/ (from company product/perspective)

I'm stuck on getting CI to inject the Symfony @validator service, CI can't find it. I thought it would be simple since the Generic fieldtype already uses the validator, but no such luck

Probably you have to create validator service definition on your own. Some tips:

• You will find how to instantiate validator service on component page:
  https://symfony.com/doc/current/components/validator.html
• Potential location for service definition: tests/integration/Core/Resources/settings/common.yml

[glye]

@adamwojs Added notes on our permission to use the API in the description. It is free and open.
I also avoided injecting it altogether, so there is no need for a service. This seemed sensible to me for such a limited usecase.

[glye]

The sonarcloud failure is only due to duplicated lines, and is wrong in this case imho.

[alongosz]

The sonarcloud failure is only due to duplicated lines, and is wrong in this case imho.

It's not wrong. We have exactly the same configuration expectation for unit & integration test duplicated and redundant. By modifying these lines of code we increase technical debt.

What needs to be done here is extracting that configuration into a common provider.

For example:

declare(strict_types=1);

namespace Ibexa\Tests\Core\FieldType\DataProvider;

/**
 * @internal
 */
final class UserValidatorConfigurationSchemaProvider
{
    /**
     * @return array<string, array<string, array{type: string, default: ?scalar}>>
     */
    public function getExpectedValidatorConfigurationSchema(): array
    {
        return [
            'PasswordValueValidator' => [
                // ... duplicated code
            ],
        ];
    }
}

And then use it in:

• \Ibexa\Tests\Core\FieldType\UserTest::getValidatorConfigurationSchemaExpectation
• \Ibexa\Tests\Core\FieldType\DataProvider\UserValidatorConfigurationSchemaProvider::getExpectedValidatorConfigurationSchema
  as:

        return (new UserValidatorConfigurationSchemaProvider())
            ->getExpectedValidatorConfigurationSchema();

[glye]

What needs to be done here is extracting that configuration into a common provider.

@alongosz Done, thanks.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[alongosz]

Thank you @glye 🎉