luci-app-acl: enforce password policy

ckorber · ckorber · commit 0c74ac1998b8 · 2026-04-29T13:33:50.000+02:00
Password policy is enforced on acl if it is defined via plugin.

Signed-off-by: Christian Korber &lt;ckorber@tdt.de&gt;
diff --git a/applications/luci-app-acl/htdocs/luci-static/resources/view/system/acl.js b/applications/luci-app-acl/htdocs/luci-static/resources/view/system/acl.js
@@ -7,6 +7,7 @@
 'require uci';
 'require form';
 'require tools.widgets as widgets';
+'require tools.password as pwtool';
 
 const aclList = {};
 
@@ -17,6 +18,28 @@ const callSetPassword = rpc.declare({
 	expect: { result: 1}
 });
 
+function checkPassword(value) {
+	const uuid = '51af4ae847774aac863d4c94a9ba6d58';
+	const pw_length = uci.get('luci_plugins', uuid, 'pw_length');
+	const pw_digits = uci.get('luci_plugins', uuid, 'digits');
+	const pw_ul = uci.get('luci_plugins', uuid, 'uc_lc');
+	const special = uci.get('luci_plugins', uuid, 'special_characters');
+
+	if (pw_length && !pwtool.checkLength(value, pw_length))
+		return _('Policy: min. length of %s characters').format(pw_length);
+
+	if (pw_digits && !pwtool.checkDigits(value))
+		return _('Policy: contain digits');
+
+	if (pw_ul && !pwtool.checkUpperLower(value))
+		return _('Policy: contain uppercase/lowercase');
+
+	if (special && !pwtool.checkSpecialChars(value))
+		return _('Policy: contain special characters');
+
+	return true;
+}
+
 function globListToRegExp(section_id, option) {
 	const list = L.toArray(uci.get('rpcd', section_id, option));
 	const positivePatterns = [];
@@ -170,7 +193,9 @@ return view.extend({
 		return L.resolveDefault(fs.list('/usr/share/rpcd/acl.d'), []).then(function(entries) {
 			const tasks = [
 				L.resolveDefault(fs.stat('/usr/sbin/uhttpd'), null),
-				fs.lines('/etc/passwd')
+				fs.lines('/etc/passwd'),
+				uci.load('rpcd'),
+				uci.load('luci_plugins')
 			];
 
 			for (let e of entries)
@@ -181,7 +206,7 @@ return view.extend({
 		});
 	},
 
-	render([has_uhttpd, passwd, ...acls]) {
+	render([has_uhttpd, passwd, uci_rpcd, plugins, ...acls]) {
 		ui.addNotification(null, E('p', [
 			_('The LuCI ACL management is in an experimental stage! It does not yet work reliably with all applications')
 		]), 'warning');
@@ -275,7 +300,7 @@ return view.extend({
 					return _('Cannot encrypt plaintext password since uhttpd is not installed.');
 			}
 
-			return true;
+			return checkPassword(value);
 		};
 		o.write = function(section_id, value) {
 			const variant = this.map.lookupOption('_variant', section_id)[0];
diff --git a/applications/luci-app-acl/root/usr/share/rpcd/acl.d/luci-app-acl.json b/applications/luci-app-acl/root/usr/share/rpcd/acl.d/luci-app-acl.json
@@ -10,7 +10,7 @@
 				"/usr/share/rpcd/acl.d": [ "list" ],
 				"/usr/share/rpcd/acl.d/*.json": [ "read" ]
 			},
-			"uci": [ "rpcd" ]
+			"uci": [ "rpcd", "luci_plugins" ]
 		},
 		"write": {
 			"uci": [ "rpcd" ],
