Added the password policy

Signed-off-by: Martin Weise <martin.weise@tuwien.ac.at>

.docs/changelog.md

@@ -34,6 +34,8 @@ author: Martin Weise
 
 * Implemented a basic brute-force security defense strategy in the Auth Service that increments the wait time on wrong
   logins in [#494](https://gitlab.phaidra.org/fair-data-austria-db-repository/fda-services/-/issues/494).
+* Implemented a password policy
+  in [#495](https://gitlab.phaidra.org/fair-data-austria-db-repository/fda-services/-/issues/495).
 
 #### Changes
 

dbrepo-auth-service/dbrepo-realm.json

@@ -1172,6 +1172,7 @@
   },
   "defaultGroups" : [ "/researchers" ],
   "requiredCredentials" : [ "password" ],
+  "passwordPolicy" : "length(8) and maxLength(64) and specialChars(1) and lowerCase(1) and upperCase(1) and digits(1) and passwordAge(30)",
   "otpPolicyType" : "totp",
   "otpPolicyAlgorithm" : "HmacSHA1",
   "otpPolicyInitialCounter" : 0,
@@ -2409,7 +2410,7 @@
       "subType" : "anonymous",
       "subComponents" : { },
       "config" : {
-            "allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "saml-user-property-mapper", "saml-role-list-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper" ]
+        "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-usermodel-property-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-attribute-mapper", "saml-role-list-mapper", "oidc-address-mapper" ]
       }
     }, {
       "id" : "1849e52a-b8c9-44a8-af3d-ee19376a1ed1",
@@ -2435,7 +2436,7 @@
       "subType" : "authenticated",
       "subComponents" : { },
       "config" : {
-            "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper" ]
+        "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "saml-role-list-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", "oidc-usermodel-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-address-mapper" ]
       }
     } ],
     "org.keycloak.userprofile.UserProfileProvider" : [ {
@@ -2495,8 +2496,8 @@
           "config" : {
             "ldap.attribute" : [ "mail" ],
             "is.mandatory.in.ldap" : [ "false" ],
-                "read.only" : [ "false" ],
             "always.read.value.from.ldap" : [ "false" ],
+            "read.only" : [ "false" ],
             "user.model.attribute" : [ "email" ]
           }
         }, {
@@ -2509,15 +2510,15 @@
             "membership.attribute.type" : [ "DN" ],
             "user.roles.retrieve.strategy" : [ "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE" ],
             "group.name.ldap.attribute" : [ "cn" ],
-                "preserve.group.inheritance" : [ "false" ],
             "membership.ldap.attribute" : [ "member" ],
-                "membership.user.ldap.attribute" : [ "uid" ],
+            "preserve.group.inheritance" : [ "false" ],
             "ignore.missing.groups" : [ "false" ],
-                "group.object.classes" : [ "groupOfNames" ],
+            "membership.user.ldap.attribute" : [ "uid" ],
             "groups.dn" : [ "ou=users,dc=dbrepo,dc=at" ],
             "memberof.ldap.attribute" : [ "memberOf" ],
-                "drop.non.existing.groups.during.sync" : [ "false" ],
-                "groups.path" : [ "/" ]
+            "group.object.classes" : [ "groupOfNames" ],
+            "groups.path" : [ "/" ],
+            "drop.non.existing.groups.during.sync" : [ "false" ]
           }
         }, {
           "id" : "b6ff3285-35af-4e86-8bb4-d94b8e0d70bb",
@@ -2538,11 +2539,11 @@
           "subComponents" : { },
           "config" : {
             "ldap.attribute" : [ "uid" ],
-                "attribute.force.default" : [ "false" ],
             "is.mandatory.in.ldap" : [ "true" ],
+            "attribute.force.default" : [ "false" ],
             "is.binary.attribute" : [ "false" ],
-                "always.read.value.from.ldap" : [ "false" ],
             "read.only" : [ "false" ],
+            "always.read.value.from.ldap" : [ "false" ],
             "user.model.attribute" : [ "username" ]
           }
         } ]
@@ -2557,15 +2558,15 @@
         "useKerberosForPasswordAuthentication" : [ "false" ],
         "importEnabled" : [ "true" ],
         "enabled" : [ "true" ],
+        "usernameLDAPAttribute" : [ "uid" ],
         "changedSyncPeriod" : [ "-1" ],
         "bindCredential" : [ "admin" ],
-            "usernameLDAPAttribute" : [ "uid" ],
         "bindDn" : [ "cn=admin,dc=dbrepo,dc=at" ],
         "lastSync" : [ "1719252666" ],
         "vendor" : [ "other" ],
         "uuidLDAPAttribute" : [ "entryUUID" ],
-            "allowKerberosAuthentication" : [ "false" ],
         "connectionUrl" : [ "ldap://identity-service:1389" ],
+        "allowKerberosAuthentication" : [ "false" ],
         "syncRegistrations" : [ "true" ],
         "authType" : [ "simple" ],
         "useTruststoreSpi" : [ "always" ],

helm/dbrepo/templates/auth-configmap.yaml

@@ -3714,6 +3714,7 @@ data:
         "containerId" : "afe47bd0-61f8-40c3-95cb-04930407ebdd"
       },
       "requiredCredentials" : [ "password" ],
+      "passwordPolicy" : "length(8) and maxLength(64) and specialChars(1) and lowerCase(1) and upperCase(1) and digits(1) and passwordAge(30)",
       "otpPolicyType" : "totp",
       "otpPolicyAlgorithm" : "HmacSHA1",
       "otpPolicyInitialCounter" : 0,