パスワードの複雑性の向上 (baserproject#3246)

Co-authored-by: ryuring <[email protected]>

composer.json

@@ -106,7 +106,7 @@
         "install": [
             "composer install --no-plugins",
             "bin/cake setup install",
-            "bin/cake install https://localhost [email protected] basercms basercms --host bc-db --username root --password root"
+            "bin/cake install https://localhost [email protected] baserCMS1234 basercms --host bc-db --username root --password root"
         ],
         "test": [
             "bin/cake setup test",

plugins/BcThemeSample/config/data/default/BaserCore/site_configs.csv

@@ -56,3 +56,4 @@ q {}","",""
 "27","mail_additional_parameters","","",""
 "28","outer_service_output_header","","",""
 "29","outer_service_output_footer","","",""
+"30","allow_simple_password","0","",""

plugins/BcThemeSample/config/data/empty/BaserCore/site_configs.csv

@@ -56,3 +56,4 @@ q {}","",""
 "27","mail_additional_parameters","","",""
 "28","outer_service_output_header","","",""
 "29","outer_service_output_footer","","",""
+"30","allow_simple_password","0","",""

plugins/baser-core/config/Seeds/SiteConfigsSeed.php

@@ -246,6 +246,13 @@ public function run(): void
                 'created' => '',
                 'modified' => ''
             ],
+            [
+                'id' => '30',
+                'name' => 'allow_simple_password',
+                'value' => '0',
+                'created' => '',
+                'modified' => ''
+            ],
         ];
         $table = $this->table('site_configs');
         $table->insert($data)->save();

plugins/baser-core/config/setting.php

@@ -535,7 +535,26 @@
                     ]
                 ]
             ]
-        ]
+        ],
+
+        /*
+         * パスワードの設定ルール
+         */
+        'passwordRule' => [
+            // 最小文字数
+            'minLength' => 12,
+            // 入力必須な文字種
+            'requiredCharacterTypes' => [
+                // 数字
+                'numeric',
+                // 大文字英字
+                'uppercase',
+                // 小文字英字
+                'lowercase',
+                // 記号
+                // 'symbol',
+            ],
+        ],
     ],
 
     /**

plugins/baser-core/config/update/5.1.0/updater.php

@@ -12,6 +12,9 @@
 /**
  * 5.1.0 アップデーター
  */
+
+use BaserCore\Service\SiteConfigsServiceInterface;
+use BaserCore\Utility\BcContainer;
 use BaserCore\Utility\BcUpdateLog;
 
 $updateDir = __DIR__;
@@ -21,3 +24,7 @@
 } else {
     BcUpdateLog::set(__d('baser_core', ROOT . DS . 'src' . DS . 'View' . DS . 'AjaxView.php に書き込み権限がありません。' . $updateDir . DS . 'src' . DS . 'View' . DS . 'AjaxView.php をコピーして手動で上書きしてください。'));
 }
+
+/** @var \BaserCore\Service\SiteConfigsService $siteConfigsService */
+$siteConfigsService = BcContainer::get()->get(SiteConfigsServiceInterface::class);
+$siteConfigsService->setValue('allow_simple_password', true);

plugins/baser-core/src/Model/Table/UsersTable.php

@@ -14,10 +14,12 @@
 use ArrayObject;
 use Authentication\Authenticator\SessionAuthenticator;
 use BaserCore\Utility\BcUtil;
+use Cake\Core\Configure;
 use Cake\ORM\Query;
 use Cake\Event\Event;
 use Cake\ORM\TableRegistry;
 use Cake\Routing\Router;
+use Cake\Utility\Hash;
 use Cake\Validation\Validator;
 use BaserCore\Model\Entity\User;
 use BaserCore\View\BcAdminAppView;
@@ -27,6 +29,7 @@
 use BaserCore\Annotation\NoTodo;
 use BaserCore\Annotation\Checked;
 use BaserCore\Annotation\UnitTest;
+use BaserCore\Service\SiteConfigsService;
 
 /**
  * Class UsersTable
@@ -192,22 +195,8 @@ public function validationDefault(Validator $validator): Validator
                     'provider' => 'table',
                     'message' => __d('baser_core', '既に登録のあるEメールです。')
                 ]]);
-        $validator
-            ->scalar('password')
-            ->minLength('password', 6, __d('baser_core', 'パスワードは6文字以上で入力してください。'))
-            ->maxLength('password', 255, __d('baser_core', 'パスワードは255文字以内で入力してください。'))
-            ->add('password', [
-                'passwordAlphaNumericPlus' => [
-                    'rule' => ['alphaNumericPlus', ' \.:\/\(\)#,@\[\]\+=&;\{\}!\$\*'],
-                    'provider' => 'bc',
-                    'message' => __d('baser_core', 'パスワードは半角英数字(英字は大文字小文字を区別)とスペース、記号(._-:/()#,@[]+=&;{}!$*)のみで入力してください。')
-                ]])
-            ->add('password', [
-                'passwordConfirm' => [
-                    'rule' => ['confirm', ['password_1', 'password_2']],
-                    'provider' => 'bc',
-                    'message' => __d('baser_core', 'パスワードが同じものではありません。')
-                ]]);
+
+        $this->validationPassword($validator);
 
         return $validator;
     }
@@ -229,24 +218,27 @@ public function validationNew(Validator $validator): Validator
     }
 
     /**
-     * validationPasswordUpdate
+     * validationPassword
      * @param Validator $validator
      * @return Validator
      * @checked
      * @unitTest
      * @noTodo
      */
-    public function validationPasswordUpdate(Validator $validator): Validator
+    public function validationPassword(Validator $validator): Validator
     {
+        $symbol = ' ._-:/()#,@[]+=&;{}!$*';
+        $quotedSymbol = preg_quote($symbol, '/');
+
         $validator
             ->scalar('password')
             ->minLength('password', 6, __d('baser_core', 'パスワードは6文字以上で入力してください。'))
             ->maxLength('password', 255, __d('baser_core', 'パスワードは255文字以内で入力してください。'))
             ->add('password', [
                 'passwordAlphaNumericPlus' => [
-                    'rule' => ['alphaNumericPlus', ' \.:\/\(\)#,@\[\]\+=&;\{\}!\$\*'],
+                    'rule' => ['alphaNumericPlus', $quotedSymbol],
                     'provider' => 'bc',
-                    'message' => __d('baser_core', 'パスワードは半角英数字(英字は大文字小文字を区別)とスペース、記号(._-:/()#,@[]+=&;{}!$*)のみで入力してください。')
+                    'message' => __d('baser_core', 'パスワードは半角英数字(英字は大文字小文字を区別)とスペース、記号(' . trim($symbol) . ')のみで入力してください。')
                 ]])
             ->add('password', [
                 'passwordConfirm' => [
@@ -255,9 +247,76 @@ public function validationPasswordUpdate(Validator $validator): Validator
                     'message' => __d('baser_core', 'パスワードが同じものではありません。')
                 ]]);
 
+        // 複雑性のチェック
+        $SiteConfigsService = new SiteConfigsService();
+        if (!$SiteConfigsService->getValue('allow_simple_password')) {
+            // 最小文字数
+            $minLength = Configure::read('BcApp.passwordRule.minLength');
+            if ($minLength && is_numeric($minLength)) {
+                $validator->minLength('password', $minLength,
+                    __d('baser_core', 'パスワードは{0}文字以上で入力してください。', $minLength));
+            }
+
+            // 入力必須な文字種
+            $requiredCharacterTypePatterns = [
+                'numeric' => [
+                    'name' => __d('baser_core', '数字'),
+                    'pattern' => '\d',
+                ],
+                'uppercase' => [
+                    'name' => __d('baser_core', '大文字英字'),
+                    'pattern' => '[A-Z]',
+                ],
+                'lowercase' => [
+                    'name' => __d('baser_core', '小文字英字'),
+                    'pattern' => '[a-z]',
+                ],
+                'symbol' => [
+                    'name' => __d('baser_core', '記号'),
+                    'pattern' => '[' . $quotedSymbol . ']',
+                ],
+            ];
+
+            // 無効な文字種を削除
+            $requiredCharacterTypes = Configure::read('BcApp.passwordRule.requiredCharacterTypes');
+            foreach ($requiredCharacterTypePatterns as $key => $name) {
+                if (!in_array($key, $requiredCharacterTypes)) {
+                    unset($requiredCharacterTypePatterns[$key]);
+                }
+            }
+
+            // AND条件の正規表現
+            $patterns = array_map(function($pattern) {
+                return '(?=.*' . $pattern . ')';
+            }, Hash::extract($requiredCharacterTypePatterns, '{s}.pattern'));
+            $pattern = '/^' . implode('', $patterns) . '.*$/';
+
+            $validator->add('password', [
+                'passwordRequiredCharacterType' => [
+                    'rule' => ['custom', $pattern],
+                    'message' => __d('baser_core', 'パスワードは{0}を含む必要があります。',
+                        implode('・', Hash::extract($requiredCharacterTypePatterns, '{s}.name'))),
+                ]]);
+        }
+
         return $validator;
     }
 
+    /**
+     * validationPasswordUpdate
+     * @param Validator $validator
+     * @return Validator
+     * @checked
+     * @unitTest
+     * @noTodo
+     */
+    public function validationPasswordUpdate(Validator $validator): Validator
+    {
+        return $this->validationPassword($validator)
+            ->requirePresence('password', true, __d('baser_core', 'パスワードを入力してください。'))
+            ->notEmptyString('password', __d('baser_core', 'パスワードを入力してください。'));
+    }
+
     /**
      * コントロールソースを取得する
      *

plugins/baser-core/tests/TestCase/Controller/Admin/PasswordRequestsControllerTest.php

@@ -97,8 +97,8 @@ public function testEntry()
 
         // パスワード変更
         $this->post($passwordEditUrl, [
-            'password_1' => 'new-password',
-            'password_2' => 'new-password',
+            'password_1' => 'New-password1',
+            'password_2' => 'New-password1',
         ]);
         $this->assertRedirect('/baser/admin/baser-core/password_requests/done');
     }

plugins/baser-core/tests/TestCase/Controller/Admin/UsersControllerTest.php

@@ -134,8 +134,8 @@ public function testAdd()
         $this->enableCsrfToken();
         $data = [
             'name' => 'Test_test_Man',
-            'password_1' => 'Lorem ipsum dolor sit amet',
-            'password_2' => 'Lorem ipsum dolor sit amet',
+            'password_1' => 'Lorem ipsum dolor sit amet1',
+            'password_2' => 'Lorem ipsum dolor sit amet1',
             'real_name_1' => 'Lorem ipsum dolor sit amet',
             'real_name_2' => 'Lorem ipsum dolor sit amet',
             'email' => '[email protected]',
@@ -159,8 +159,8 @@ public function testAdd()
         });
         $data = [
             'name' => 'Test_test_Man2',
-            'password_1' => 'Lorem ipsum dolor sit amet',
-            'password_2' => 'Lorem ipsum dolor sit amet',
+            'password_1' => 'Lorem ipsum dolor sit amet1',
+            'password_2' => 'Lorem ipsum dolor sit amet1',
             'real_name_1' => 'Lorem ipsum dolor sit amet',
             'real_name_2' => 'Lorem ipsum dolor sit amet',
             'email' => '[email protected]',
@@ -188,8 +188,8 @@ public function testBeforeAddEvent()
         });
         $data = [
             'name' => 'Test_test_Man2',
-            'password_1' => 'Lorem ipsum dolor sit amet',
-            'password_2' => 'Lorem ipsum dolor sit amet',
+            'password_1' => 'Lorem ipsum dolor sit amet1',
+            'password_2' => 'Lorem ipsum dolor sit amet1',
             'real_name_1' => 'Lorem ipsum dolor sit amet',
             'real_name_2' => 'Lorem ipsum dolor sit amet',
             'email' => '[email protected]',
@@ -252,8 +252,8 @@ public function testEdit()
         $data = [
             'id' => 1,
             'name' => 'Test_test_Man2',
-            'password_1' => 'Lorem ipsum dolor sit amet',
-            'password_2' => 'Lorem ipsum dolor sit amet',
+            'password_1' => 'Lorem ipsum dolor sit amet1',
+            'password_2' => 'Lorem ipsum dolor sit amet1',
             'real_name_1' => 'Lorem ipsum dolor sit amet',
             'real_name_2' => 'Lorem ipsum dolor sit amet',
             'email' => '[email protected]',

plugins/baser-core/tests/TestCase/Controller/Api/Admin/UsersControllerTest.php

@@ -125,8 +125,8 @@ public function testAdd()
         $this->enableCsrfToken();
         $data = [
             'name' => 'Test_test_Man',
-            'password_1' => 'Lorem ipsum dolor sit amet',
-            'password_2' => 'Lorem ipsum dolor sit amet',
+            'password_1' => 'Lorem ipsum dolor sit amet1',
+            'password_2' => 'Lorem ipsum dolor sit amet1',
             'real_name_1' => 'Lorem ipsum dolor sit amet',
             'real_name_2' => 'Lorem ipsum dolor sit amet',
             'email' => '[email protected]',