qbo.Security.PasswordCompliance

Using functionality in the qbo.Security.PasswordCompliance namespace, you can customize which rules your website enforces on passwords, as well as add new rules to use via plugins.

Customization:

There are two settings in qbo.Security that allow for customization. The first is PasswordRulesText which is simply the human readable text instructions to display to the user. The second is PasswordRuleSet which the underlying code uses to determine which methods to call based on reflection.

By example, lets take a look at the default string in PasswordRuleSet

DefaultRules.IsLongEnough(7);DefaultRules.ContainsAnUppercase();DefaultRules.ContainsANumber();DefaultRules.ContainsNoReservedWords();DefaultRules.IsNotRecentlyUsed();

This string dictates the use of rules that are effectively identical to the rules enforced in QBO previous to this addition. The setting comprises of multiple rules to execute, delimited by semicolons.

The parts of a rule are Class.Method(Parameters1,Parameters2,AdditionalParametersN) where Class is the exact name of a class in the qbo.Security.PasswordCompliance namespace and Method is the exact name of the classes method. AdditionalParameters are extra parameters the underlying code needs; the methods will receive the username and password on top of these additional parameters.

Example use cases:
  • The requirement changed, and reserved words are no longer significant. Remove DefaultRules.ContainsNoReservedWords(); from the string.
  • A new requirement "x" surfaced, and a developer has created the functionality in the DefaultRules class as method ChecksIfX. Add DefaultRules.ChecksIfX() to the string.
  • A requirement changed, and passwords must be at least 8 characters long, and assume we know that this parameter dictates the required length. Change the additional parameter in the rule to 8 DefaultRules.IsLongEnough(8);
Extending Functionality:

The plugin project exists in the plugin solution qbo.PasswordCompliance, comprising of the project qbo.Secuirty.PasswordCompliance, it's complimentary tests project, and required references.

In order to create a new rule, use or create a new class in the main project of the solution named XyzRules by convention.

Next, create a new method with the following method signature: public static async Task<Tuple<bool, string>> MethodName(List<string> parameters). It is Required to create methods using this signature to extend functionality.

List<string> parameters - Filled at index 0 with password, and index 1 of username. Index 2 and on is what is added as additional parameters in the setting string in order.

Tuple<bool, string> - The result. The first value, a bool, will be an indicator of successfully passing the check operations within your code. The second is a string that is used to inform the user of why their password didn't pass your check operations.

async Task<T> - Set to allow the async await pattern within your method, in the case you need to make an API hit, have an expensive CPU-bound algorithm, etc.

After you have completed development with your new rule(s), and have deployed the plugin project to your website, the only thing left to do is add your new rule to the PasswordRuleSet string as described above.

In the main qbo.Security project, there exists a rules.cs in the PasswordCompliance folder.  Use this class to abstract rule functionality for code reuse in these aforementioned methods/classes.

Use PasswordManagerTests (in SecurityTests) to further test your methods in relation to mock PasswordRuleSet strings and the underlying reflection play. Please note, you must copy over an updated version of the qbo.Security.PasswordCompliance.dll assembly (built from the plugin project) into the qbo.SecurityTests build output for these kinds of unit tests to work.
Comments