From 10e58ce6d2a8cbb17e9c4c971a23a10e3e17a058 Mon Sep 17 00:00:00 2001 From: Olivier 'reivilibre Date: Mon, 8 Jul 2024 13:20:18 +0100 Subject: [PATCH] Remove password from rego policy descriptions and Makefile --- crates/handlers/src/views/register.rs | 2 +- crates/policy/src/lib.rs | 13 +++------- crates/policy/src/model.rs | 6 +---- frontend/src/gql/fragment-masking.ts | 26 ++++++++++++++++--- policies/Makefile | 2 -- policies/password.rego | 30 ---------------------- policies/password_test.rego | 29 --------------------- policies/register.rego | 9 ------- policies/register_test.rego | 37 --------------------------- policies/schema/register_input.json | 4 --- 10 files changed, 29 insertions(+), 129 deletions(-) delete mode 100644 policies/password.rego delete mode 100644 policies/password_test.rego diff --git a/crates/handlers/src/views/register.rs b/crates/handlers/src/views/register.rs index 12371d805..aafbccb87 100644 --- a/crates/handlers/src/views/register.rs +++ b/crates/handlers/src/views/register.rs @@ -204,7 +204,7 @@ pub(crate) async fn post( } let res = policy - .evaluate_register(&form.username, &form.password, &form.email) + .evaluate_register(&form.username, &form.email) .await?; for violation in res.violations { diff --git a/crates/policy/src/lib.rs b/crates/policy/src/lib.rs index 153455646..4a007d72a 100644 --- a/crates/policy/src/lib.rs +++ b/crates/policy/src/lib.rs @@ -204,14 +204,9 @@ impl Policy { pub async fn evaluate_register( &mut self, username: &str, - password: &str, email: &str, ) -> Result { - let input = RegisterInput::Password { - username, - password, - email, - }; + let input = RegisterInput::Password { username, email }; let [res]: [EvaluationResult; 1] = self .instance 
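Review bot: With the `password` argument dropped from `evaluate_register` here, and `policies/password.rego` plus the password `violation` rule in `register.rego` deleted in the same commit, this diff leaves no visible password-strength check on the registration path — the `data.passwords` min-length and character-class rules stop being enforced unless an equivalent check already runs before this call. The commit title only mentions the rego policies and the Makefile, so if such a check exists elsewhere it should be named in the description to keep the removal traceable; if it does not, the rules need a new home before this lands. The same observation applies to the `register.rego` and `register_test.rego` hunks, which drop the password assertions without a replacement. The enclosing `post` handler starts and ends outside this hunk.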
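Review bot: `RegisterInput::Password { username, email }` now carries no password, so a reader of this signature has to work out that the secret is intentionally kept out of the policy input rather than forgotten. A one-line doc comment makes the intent explicit and also tells callers that strength rules are not checked here, e.g. `/// The password value itself is not passed to the policy; only the username and email are evaluated.` If the function's doc comment above the hunk still describes a `password` parameter, it needs the same update. `evaluate_register`'s body continues past the end of the hunk.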
@@ -404,19 +399,19 @@ mod tests { let mut policy = factory.instantiate().await.unwrap(); let res = policy - .evaluate_register("hello", "hunter2", "hello@example.com") + .evaluate_register("hello", "hello@example.com") .await .unwrap(); assert!(!res.valid()); let res = policy - .evaluate_register("hello", "hunter2", "hello@foo.element.io") + .evaluate_register("hello", "hello@foo.element.io") .await .unwrap(); assert!(res.valid()); let res = policy - .evaluate_register("hello", "hunter2", "hello@staging.element.io") + .evaluate_register("hello", "hello@staging.element.io") .await .unwrap(); assert!(!res.valid()); diff --git a/crates/policy/src/model.rs b/crates/policy/src/model.rs index ef09723c8..2872e59c5 100644 --- a/crates/policy/src/model.rs +++ b/crates/policy/src/model.rs @@ -65,11 +65,7 @@ impl EvaluationResult { #[cfg_attr(feature = "jsonschema", derive(schemars::JsonSchema))] pub enum RegisterInput<'a> { #[serde(rename = "password")] - Password { - username: &'a str, - password: &'a str, - email: &'a str, - }, + Password { username: &'a str, email: &'a str }, #[serde(rename = "upstream-oauth2")] UpstreamOAuth2 { diff --git a/frontend/src/gql/fragment-masking.ts b/frontend/src/gql/fragment-masking.ts index fbedede1f..aca71b135 100644 --- a/frontend/src/gql/fragment-masking.ts +++ b/frontend/src/gql/fragment-masking.ts 
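Review bot: The `Password` variant keeps its name and `#[serde(rename = "password")]` tag but no longer has a `password` field, which is easy to misread as an omission. Document the intent on the variant, e.g. `/// Password-based registration; the password itself is deliberately not part of the policy input.` If the `schemars::JsonSchema` derive visible in this hunk is what produces `policies/schema/register_input.json`, regenerating that file rather than hand-editing it (as the last hunk of this commit does) would keep the two in sync. The enum definition continues past the end of the hunk.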
@@ -20,25 +20,45 @@ export function useFragment( _documentNode: DocumentTypeDecoration, fragmentType: FragmentType> ): TType; +// return nullable if `fragmentType` is undefined +export function useFragment( + _documentNode: DocumentTypeDecoration, + fragmentType: FragmentType> | undefined +): TType | undefined; // return nullable if `fragmentType` is nullable +export function useFragment( + _documentNode: DocumentTypeDecoration, + fragmentType: FragmentType> | null +): TType | null; +// return nullable if `fragmentType` is nullable or undefined export function useFragment( _documentNode: DocumentTypeDecoration, fragmentType: FragmentType> | null | undefined ): TType | null | undefined; // return array of non-nullable if `fragmentType` is array of non-nullable +export function useFragment( + _documentNode: DocumentTypeDecoration, + fragmentType: Array>> +): Array; +// return array of nullable if `fragmentType` is array of nullable +export function useFragment( + _documentNode: DocumentTypeDecoration, + fragmentType: Array>> | null | undefined +): Array | null | undefined; +// return readonly array of non-nullable if `fragmentType` is array of non-nullable export function useFragment( _documentNode: DocumentTypeDecoration, fragmentType: ReadonlyArray>> ): ReadonlyArray; -// return array of nullable if `fragmentType` is array of nullable +// return readonly array of nullable if `fragmentType` is array of nullable export function useFragment( _documentNode: DocumentTypeDecoration, fragmentType: ReadonlyArray>> | null | undefined ): ReadonlyArray | null | undefined; export function useFragment( _documentNode: DocumentTypeDecoration, - fragmentType: FragmentType> | ReadonlyArray>> | null | undefined -): TType | ReadonlyArray | null | undefined { + fragmentType: FragmentType> | Array>> | ReadonlyArray>> | null | undefined +): TType | Array | ReadonlyArray | null | undefined { return fragmentType as any; } 
diff --git a/policies/Makefile b/policies/Makefile index d216fc011..291304a6d 100644 --- a/policies/Makefile +++ b/policies/Makefile @@ -7,7 +7,6 @@ INPUTS := \ client_registration.rego \ register.rego \ authorization_grant.rego \ - password.rego \ email.rego ifeq ($(DOCKER), 1) @@ -27,7 +26,6 @@ policy.wasm: $(INPUTS) -e "client_registration/violation" \ -e "register/violation" \ -e "authorization_grant/violation" \ - -e "password/violation" \ -e "email/violation" \ $^ tar xzf bundle.tar.gz /policy.wasm diff --git a/policies/password.rego b/policies/password.rego deleted file mode 100644 index bae1c215a..000000000 --- a/policies/password.rego +++ /dev/null @@ -1,30 +0,0 @@ -# METADATA -# schemas: -# - input: schema["password_input"] -package password - -default allow := false - -allow { - count(violation) == 0 -} - -violation[{"msg": msg}] { - count(input.password) < data.passwords.min_length - msg := sprintf("needs to be at least %d characters", [data.passwords.min_length]) -} - -violation[{"msg": "requires at least one number"}] { - data.passwords.require_number - not regex.match("[0-9]", input.password) -} - -violation[{"msg": "requires at least one lowercase letter"}] { - data.passwords.require_lowercase - not regex.match("[a-z]", input.password) -} - -violation[{"msg": "requires at least one uppercase letter"}] { - data.passwords.require_uppercase - not regex.match("[A-Z]", input.password) -} diff --git a/policies/password_test.rego b/policies/password_test.rego deleted file mode 100644 index 4748974dd..000000000 --- a/policies/password_test.rego +++ /dev/null 
@@ -1,29 +0,0 @@ -package password - -test_password_require_number { - allow with data.passwords.require_number as true - - not allow with input.password as "hunter" - with data.passwords.require_number as true -} - -test_password_require_lowercase { - allow with data.passwords.require_lowercase as true - - not allow with input.password as "HUNTER2" - with data.passwords.require_lowercase as true -} - -test_password_require_uppercase { - allow with data.passwords.require_uppercase as true - - not allow with input.password as "hunter2" - with data.passwords.require_uppercase as true -} - -test_password_min_length { - allow with data.passwords.min_length as 6 - - not allow with input.password as "short" - with data.passwords.min_length as 6 -} diff --git a/policies/register.rego b/policies/register.rego index 612308822..051935499 100644 --- a/policies/register.rego +++ b/policies/register.rego @@ -4,7 +4,6 @@ package register import data.email as email_policy -import data.password as password_policy import future.keywords.in @@ -34,14 +33,6 @@ violation[{"msg": "unknown registration method"}] { not input.registration_method in ["password", "upstream-oauth2"] } -violation[object.union({"field": "password"}, v)] { - # Check if the registration method is password - input.registration_method == "password" - - # Get the violation object from the password policy - some v in password_policy.violation -} - # Check that we supplied an email for password registration violation[{"field": "email", "msg": "email required for password-based registration"}] { input.registration_method == "password" diff --git a/policies/register_test.rego b/policies/register_test.rego index 6d1293fdf..4d8d5476a 100644 --- a/policies/register_test.rego +++ b/policies/register_test.rego @@ -3,7 +3,6 @@ package register mock_registration := { "registration_method": "password", "username": "hello", - "password": "Hunter2", "email": "hello@staging.element.io", } 
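Review bot: The deleted `password.rego` declared `input: schema["password_input"]`, yet the only schema file touched in this commit is `register_input.json`; if `policies/schema/password_input.json` exists it is now unreferenced and should be removed alongside the `import data.password as password_policy` line dropped here. Likewise, whatever still supplies `data.passwords.*` to the policy bundle becomes dead configuration after this change and is worth pruning, or documenting as intentionally retained. The `violation` rule named in the hunk header is context only and continues outside the hunk.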
@@ -51,39 +50,3 @@ test_long_username {
 test_invalid_username {
 not allow with input as {"username": "hello world", "registration_method": "upstream-oauth2"}
 }
-
-test_password_require_number {
- allow with input as mock_registration
- with data.passwords.require_number as true
-
- not allow with input as mock_registration
- with input.password as "hunter"
- with data.passwords.require_number as true
-}
-
-test_password_require_lowercase {
- allow with input as mock_registration
- with data.passwords.require_lowercase as true
-
- not allow with input as mock_registration
- with input.password as "HUNTER2"
- with data.passwords.require_lowercase as true
-}
-
-test_password_require_uppercase {
- allow with input as mock_registration
- with data.passwords.require_uppercase as true
-
- not allow with input as mock_registration
- with input.password as "hunter2"
- with data.passwords.require_uppercase as true
-}
-
-test_password_min_length {
- allow with input as mock_registration
- with data.passwords.min_length as 6
-
- not allow with input as mock_registration
- with input.password as "short"
- with data.passwords.min_length as 6
-}
diff --git a/policies/schema/register_input.json b/policies/schema/register_input.json
index 455accfc6..e1d796ea1 100644
--- a/policies/schema/register_input.json
+++ b/policies/schema/register_input.json
@@ -7,7 +7,6 @@
 "type": "object",
 "required": [
 "email",
- "password",
 "registration_method",
 "username"
 ],
@@ -21,9 +20,6 @@
 "username": {
 "type": "string"
 },
- "password": {
- "type": "string"
- },
 "email": {
 "type": "string"
 }