feat: warn users to change their passwords [DET-10216] (#9519)

determined-ai · Jun 14, 2024 · 66ec006 · 66ec006
1 parent 2bce8b6
commit 66ec006
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 1 deletion.
diff --git a/harness/determined/cli/user.py b/harness/determined/cli/user.py
@@ -80,6 +80,15 @@ def log_in_user(args: argparse.Namespace) -> None:
     except api.errors.UnauthenticatedException:
         raise api.errors.InvalidCredentialsException()
 
+    try:
+        authentication.check_password_complexity(password)
+    except ValueError as e:
+        print(
+            "Warning: your password does not appear to satisfy "
+            + f"recommended complexity requirements:\n{e}\n"
+            + "Please change your password as soon as possible."
+        )
+
     token_store.set_token(sess.username, sess.token)
     token_store.set_active(sess.username)
 

diff --git a/harness/determined/common/api/authentication.py b/harness/determined/common/api/authentication.py
@@ -236,6 +236,15 @@ def login_with_cache(
             raise api.errors.UnauthenticatedException()
         raise
 
+    try:
+        check_password_complexity(password)
+    except ValueError as e:
+        print(
+            "Warning: your password does not appear to satisfy "
+            + f"recommended complexity requirements:\n{e}\n"
+            + "Please change your password as soon as possible."
+        )
+
     token_store.set_token(user, token)
 
     return sess

diff --git a/webui/react/src/components/DeterminedAuth.tsx b/webui/react/src/components/DeterminedAuth.tsx
@@ -14,9 +14,10 @@ import authStore from 'stores/auth';
 import determinedStore from 'stores/determinedInfo';
 import permissionStore from 'stores/permissions';
 import userStore from 'stores/users';
-import handleError, { ErrorType } from 'utils/error';
+import handleError, { ErrorLevel, ErrorType, handleWarning } from 'utils/error';
 import { useObservable } from 'utils/observable';
 import { StorageManager } from 'utils/storage';
+import { isPasswordWeak } from 'utils/user';
 
 import css from './DeterminedAuth.module.scss';
 
@@ -54,7 +55,16 @@ const DeterminedAuth: React.FC<Props> = ({ canceler }: Props) => {
         );
         updateDetApi({ apiKey: `Bearer ${token}` });
         authStore.setAuth({ isAuthenticated: true, token });
+        user.isPasswordWeak = isPasswordWeak(creds.password || '');
         userStore.updateCurrentUser(user);
+        handleWarning({
+          level: ErrorLevel.Warn,
+          publicMessage:
+            'Your current password is either blank or weak according to current security recommendations. Please change your password.',
+          publicSubject: 'Weak Password',
+          silent: false,
+          type: ErrorType.Input,
+        });
         if (rbacEnabled) {
           // Now that we have logged in user, fetch userAssignments and userRoles and place into store.
           permissionStore.fetch(canceler.signal);

diff --git a/webui/react/src/types.ts b/webui/react/src/types.ts
@@ -154,6 +154,7 @@ export const DetailedUser = t.intersection([
   User,
   t.partial({
     agentUserGroup: AgentUserGroup,
+    isPasswordWeak: t.boolean,
     remote: t.boolean,
   }),
   t.type({

diff --git a/webui/react/src/utils/user.ts b/webui/react/src/utils/user.ts
@@ -1,3 +1,4 @@
+import { PASSWORD_RULES } from 'constants/passwordRules';
 import { V1Group, V1RoleWithAssignments } from 'services/api-ts-sdk';
 import {
   DetailedUser,
@@ -85,3 +86,16 @@ export const getUserOrGroupWithRoleInfo = (
     .filter((d) => d.userId !== -1);
   return [...groups, ...users];
 };
+
+export function isPasswordWeak(password: string): boolean {
+  let isWeak = false;
+  PASSWORD_RULES.forEach((rule) => {
+    if (rule.min && password.length < rule.min) {
+      isWeak = true;
+    }
+    if (rule.pattern && !RegExp(rule.pattern).test(password)) {
+      isWeak = true;
+    }
+  });
+  return isWeak;
+}