changelog

changelog.d/7118.feature

@@ -0,0 +1 @@
+Allow server admins to define and enforce a password policy (MSC2000).

synapse/api/errors.py

@@ -455,9 +455,7 @@ def __init__(
         errcode=Codes.WEAK_PASSWORD,
     ):
         super(PasswordRefusedError, self).__init__(
-            code=400,
-            msg=msg,
-            errcode=errcode,
+            code=400, msg=msg, errcode=errcode,
         )
 
 

synapse/handlers/password_policy.py

@@ -57,35 +57,35 @@ def validate_password(self, password):
             )
 
         if (
-            self.policy.get("require_digit", False) and
-            self.regexp_digit.search(password) is None
+            self.policy.get("require_digit", False)
+            and self.regexp_digit.search(password) is None
         ):
             raise PasswordRefusedError(
                 msg="The password must include at least one digit",
                 errcode=Codes.PASSWORD_NO_DIGIT,
             )
 
         if (
-            self.policy.get("require_symbol", False) and
-            self.regexp_symbol.search(password) is None
+            self.policy.get("require_symbol", False)
+            and self.regexp_symbol.search(password) is None
         ):
             raise PasswordRefusedError(
                 msg="The password must include at least one symbol",
                 errcode=Codes.PASSWORD_NO_SYMBOL,
             )
 
         if (
-            self.policy.get("require_uppercase", False) and
-            self.regexp_uppercase.search(password) is None
+            self.policy.get("require_uppercase", False)
+            and self.regexp_uppercase.search(password) is None
         ):
             raise PasswordRefusedError(
                 msg="The password must include at least one uppercase letter",
                 errcode=Codes.PASSWORD_NO_UPPERCASE,
             )
 
         if (
-            self.policy.get("require_lowercase", False) and
-            self.regexp_lowercase.search(password) is None
+            self.policy.get("require_lowercase", False)
+            and self.regexp_lowercase.search(password) is None
         ):
             raise PasswordRefusedError(
                 msg="The password must include at least one lowercase letter",

synapse/rest/client/v2_alpha/register.py

@@ -421,7 +421,7 @@ async def on_POST(self, request):
                 or len(body["password"]) > 512
             ):
                 raise SynapseError(400, "Invalid password")
-            self.password_policy_handler.validate_password(body['password'])
+            self.password_policy_handler.validate_password(body["password"])
 
         desired_username = None
         if "username" in body:

synapse/server.py

@@ -199,7 +199,7 @@ def build_DEPENDENCY(self)
         "account_validity_handler",
         "saml_handler",
         "event_client_serializer",
-        'password_policy_handler',
+        "password_policy_handler",
         "storage",
     ]
 

tests/rest/client/v2_alpha/test_password_policy.py

@@ -70,17 +70,23 @@ def make_homeserver(self, reactor, clock):
     def test_get_policy(self):
         """Tests if the /password_policy endpoint returns the configured policy."""
 
-        request, channel = self.make_request("GET", "/_matrix/client/r0/password_policy")
+        request, channel = self.make_request(
+            "GET", "/_matrix/client/r0/password_policy"
+        )
         self.render(request)
 
         self.assertEqual(channel.code, 200, channel.result)
-        self.assertEqual(channel.json_body, {
-            "m.minimum_length": 10,
-            "m.require_digit": True,
-            "m.require_symbol": True,
-            "m.require_lowercase": True,
-            "m.require_uppercase": True,
-        }, channel.result)
+        self.assertEqual(
+            channel.json_body,
+            {
+                "m.minimum_length": 10,
+                "m.require_digit": True,
+                "m.require_symbol": True,
+                "m.require_lowercase": True,
+                "m.require_uppercase": True,
+            },
+            channel.result,
+        )
 
     def test_password_too_short(self):
         request_data = json.dumps({"username": "kermit", "password": "shorty"})
@@ -89,9 +95,7 @@ def test_password_too_short(self):
 
         self.assertEqual(channel.code, 400, channel.result)
         self.assertEqual(
-            channel.json_body["errcode"],
-            Codes.PASSWORD_TOO_SHORT,
-            channel.result,
+            channel.json_body["errcode"], Codes.PASSWORD_TOO_SHORT, channel.result,
         )
 
     def test_password_no_digit(self):
@@ -101,9 +105,7 @@ def test_password_no_digit(self):
 
         self.assertEqual(channel.code, 400, channel.result)
         self.assertEqual(
-            channel.json_body["errcode"],
-            Codes.PASSWORD_NO_DIGIT,
-            channel.result,
+            channel.json_body["errcode"], Codes.PASSWORD_NO_DIGIT, channel.result,
         )
 
     def test_password_no_symbol(self):
@@ -113,9 +115,7 @@ def test_password_no_symbol(self):
 
         self.assertEqual(channel.code, 400, channel.result)
         self.assertEqual(
-            channel.json_body["errcode"],
-            Codes.PASSWORD_NO_SYMBOL,
-            channel.result,
+            channel.json_body["errcode"], Codes.PASSWORD_NO_SYMBOL, channel.result,
         )
 
     def test_password_no_uppercase(self):
@@ -125,9 +125,7 @@ def test_password_no_uppercase(self):
 
         self.assertEqual(channel.code, 400, channel.result)
         self.assertEqual(
-            channel.json_body["errcode"],
-            Codes.PASSWORD_NO_UPPERCASE,
-            channel.result,
+            channel.json_body["errcode"], Codes.PASSWORD_NO_UPPERCASE, channel.result,
         )
 
     def test_password_no_lowercase(self):
@@ -137,9 +135,7 @@ def test_password_no_lowercase(self):
 
         self.assertEqual(channel.code, 400, channel.result)
         self.assertEqual(
-            channel.json_body["errcode"],
-            Codes.PASSWORD_NO_LOWERCASE,
-            channel.result,
+            channel.json_body["errcode"], Codes.PASSWORD_NO_LOWERCASE, channel.result,
         )
 
     def test_password_compliant(self):
@@ -161,14 +157,16 @@ def test_password_change(self):
         user_id = self.register_user("kermit", compliant_password)
         tok = self.login("kermit", compliant_password)
 
-        request_data = json.dumps({
-            "new_password": not_compliant_password,
-            "auth": {
-                "password": compliant_password,
-                "type": LoginType.PASSWORD,
-                "user": user_id,
-            }
-        })
+        request_data = json.dumps(
+            {
+                "new_password": not_compliant_password,
+                "auth": {
+                    "password": compliant_password,
+                    "type": LoginType.PASSWORD,
+                    "user": user_id,
+                },
+             }
+        )
         request, channel = self.make_request(
             "POST",
             "/_matrix/client/r0/account/password",