Let's say we want to prevent the reuse of the 4 previous passwords when updating OpenIDM managed users. To do so, we need to store an array containing the previous passwords. We name that attribute lastPass and declare it in bin/defaults/script/ui/onCreate-user-set-default-fields.js:
object.lastPass = new Array(5);

Note: it is strongly recommended to use a custom onCreate JavaScript file rather than editing the shipped one. For example, copy the original bin/defaults/script/ui/onCreate-user-set-default-fields.js to bin/defaults/script/ui/onCreate-user-set-default-fields-custom.js, add the line above, and reference the new file in conf/managed.json instead of the original.

Although only 4 entries are needed, the array is declared with 5 elements because of an OpenIDM bug: slot 0 is left unused and the four previous passwords live in slots 1 to 4. The lastPass attribute also has to be updated each time the password is modified, so we create a script (bin/defaults/script/ui/onUpdate-user-pwpolicy.js) with the following content:

// Runs on every managed/user update. When the password changed, drop the oldest
// entry, shift the others down one slot and store the password being replaced.
if (newObject.password !== oldObject.password) {
        // Users created before lastPass existed have no history array yet;
        // the history is taken from the stored object, not from the request body
        var previous = oldObject.lastPass || new Array(5);
        newObject.lastPass = new Array(5);           // slot 0 stays unused
        newObject.lastPass[1] = previous[2];
        newObject.lastPass[2] = previous[3];
        newObject.lastPass[3] = previous[4];
        newObject.lastPass[4] = oldObject.password;  // the password being replaced
}

and register it in the user object block of conf/managed.json:

  ...
  "name" : "user",
  "onUpdate" : {
      "type" : "text/javascript",
      "file" : "bin/defaults/script/ui/onUpdate-user-pwpolicy.js"
  }
  ...

Now we have to extend the policy service by adding a scripted policy in a custom JavaScript file, for example script/pwpolicy.js:

// Scripted policy: fails when the candidate password is one of the stored previous passwords
var policy1 = {
        "policyId" : "is-new",
        "policyExec" : "isNew",
        "policyRequirements" : ["IS_NEW"]
};

addPolicy(policy1);

// OpenIDM calls policyExec with the full object, the value being validated,
// the policy parameters and the property name; it must return [] on success
// or the list of failed requirements
function isNew(fullObject, value, params, property) {

        // no history yet (user created before lastPass existed): nothing to compare against
        if (!fullObject.lastPass) return [];

        var length = fullObject.lastPass.length;
        for (var i = 1; i < length; i++) {        // slot 0 is unused
                if (fullObject.lastPass[i] === value) return [{"policyRequirement": "IS_NEW"}];
        }

        return [];
}
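To see how the onUpdate shift and the is-new policy behave together over a sequence of password changes, here is a stand-alone Node.js simulation. It is an added example, not code from the original post or from OpenIDM: onCreate, onUpdate and isNew mirror the hook signatures used above, while HISTORY, changePassword, simulate and the passwords p0 to p5 are constructed for the demonstration. It generalises the hard-coded four-slot shift to any history length while keeping the unused slot 0.

```javascript
// Stand-alone Node.js simulation of the password-history hooks described
// above. Added example: not OpenIDM code and not part of the original post.
// onCreate/onUpdate/isNew mirror the hook signatures OpenIDM uses; HISTORY,
// changePassword and simulate are constructed for this demonstration.

var HISTORY = 4; // number of previous passwords that may not be reused

// onCreate: allocate HISTORY + 1 slots; slot 0 is left unused, as in the post.
function onCreate(object) {
  object.lastPass = new Array(HISTORY + 1);
  return object;
}

// onUpdate: when the password changes, shift the history down by one slot and
// store the password being replaced in the last slot. The history is taken
// from the stored object (oldObject), never from the request body.
function onUpdate(oldObject, newObject) {
  if (newObject.password !== oldObject.password) {
    // Users created before lastPass existed have no array yet: start one
    // instead of failing with a TypeError inside the hook.
    var hist = oldObject.lastPass instanceof Array
      ? oldObject.lastPass.slice()
      : new Array(HISTORY + 1);
    for (var i = 1; i < hist.length - 1; i++) {
      hist[i] = hist[i + 1];
    }
    hist[hist.length - 1] = oldObject.password;
    newObject.lastPass = hist;
  }
  return newObject;
}

// Scripted policy "is-new": returns [] when the value is acceptable, or the
// list of failed requirements, which is what OpenIDM expects from policyExec.
function isNew(fullObject, value, params, property) {
  var hist = fullObject.lastPass instanceof Array ? fullObject.lastPass : [];
  for (var i = 1; i < hist.length; i++) {
    if (hist[i] === value) { // strict compare: no type coercion
      return [{ policyRequirement: "IS_NEW" }];
    }
  }
  return [];
}

// One password change: validate the proposed object with the policy first,
// then run onUpdate only if validation passed.
function changePassword(user, newPassword) {
  var proposed = JSON.parse(JSON.stringify(user)); // deep copy, like a PUT body
  proposed.password = newPassword;
  var failures = isNew(proposed, newPassword, null, "password");
  if (failures.length > 0) {
    return { accepted: false, user: user, failures: failures };
  }
  return { accepted: true, user: onUpdate(user, proposed), failures: [] };
}

// Constructed scenario with made-up passwords p0..p5: four changes fill the
// history; p2 is then rejected, p4 (the current password) still passes because
// lastPass never contains the current password, and p0 becomes reusable once
// a fifth change pushes it out of the four-entry window.
function simulate() {
  var user = onCreate({ _id: "user1", password: "p0" });
  var log = [];
  ["p1", "p2", "p3", "p4"].forEach(function (pw) {
    var r = changePassword(user, pw);
    user = r.user;
    log.push(pw + ":" + r.accepted);
  });
  log.push("p2:" + changePassword(user, "p2").accepted); // in history -> false
  log.push("p4:" + changePassword(user, "p4").accepted); // current password -> true
  user = changePassword(user, "p5").user;
  log.push("p0:" + changePassword(user, "p0").accepted); // 5 changes ago -> true
  return { log: log, lastPass: user.lastPass };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(simulate());
}
```

Run it with node. Two points the simulation makes visible: lastPass never holds the current password, so the is-new policy as written does not stop a user from "changing" to the password they already have (onUpdate then sees no change and leaves the history alone); and the simulated onUpdate copies the history from oldObject rather than from the submitted object, so an update body that omits or shortens lastPass cannot erase it. Once lastPass is encrypted as in the last step below, check on your OpenIDM version that the policy script sees the decrypted values: if it compared against the encrypted representation, the check could never match and every password would pass.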

In conf/policy.json we first reference the script through the additionalFiles value:

{
    "file" : "bin/defaults/script/policy.js",
    "additionalFiles" : ["script/pwpolicy.js"],
    ...

Then we reference the new policy in the password property block, by its policyId:

...
           {
                    "name" : "password",
                    "policies" : [
                        {
                            "policyId" : "not-empty"
                        },
                        {
                            "policyId" : "is-new"
                        },
                        ...

Finally, we configure OpenIDM to encrypt the new attribute and to keep it out of REST responses, so in conf/managed.json:

...
           {
                    "name" : "user",
                    "properties" : [
                        {
                             "name" : "lastPass",
                             "encryption" : {
                                  "key" : "openidm-sym-default"
                              },
                             "scope" : "private"
                         }
                      ...