You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficcontrol.apache.org by ra...@apache.org on 2018/09/21 22:57:15 UTC

[trafficcontrol] 01/02: Invalid password validation with tests

This is an automated email from the ASF dual-hosted git repository.

rawlin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git

commit 1df4f536686389e71e25338946964a87825a9216
Author: moltzaum <ma...@moltzau.net>
AuthorDate: Thu Sep 20 15:51:25 2018 -0600

    Invalid password validation with tests
---
 .../traffic_ops_golang/auth/authenticate_test.go   | 19 +++++
 .../traffic_ops_golang/auth/password_check.go      | 94 ++++++++++++++++++++++
 .../traffic_ops_golang/traffic_ops_golang.go       |  7 ++
 3 files changed, 120 insertions(+)

diff --git a/traffic_ops/traffic_ops_golang/auth/authenticate_test.go b/traffic_ops/traffic_ops_golang/auth/authenticate_test.go
index 036986e..99d636f 100644
--- a/traffic_ops/traffic_ops_golang/auth/authenticate_test.go
+++ b/traffic_ops/traffic_ops_golang/auth/authenticate_test.go
@@ -20,6 +20,7 @@ package auth
  */
 
 import (
+	"github.com/apache/trafficcontrol/lib/go-log"
 	"testing"
 )
 
@@ -50,3 +51,21 @@ func TestScryptPasswordIsRequired(t *testing.T) {
 		t.Errorf("scrypt password should be required")
 	}
 }
+
+func TestPasswordStrength(t *testing.T) {
+
+	passwords := []string{"password", "pa$$word"}
+	expected := []bool{true, false}
+	LoadPasswordBlacklist("app/conf/invalid_passwords.txt")
+
+	for i, password := range passwords {
+		if IsInvalidPassword(password) != expected[i] {
+			if expected[i] {
+				t.Errorf("%s should have been marked as an invalid password", password)
+			} else {
+				t.Errorf("%s should be an ok password", password)
+			}
+		}
+	}
+
+}
diff --git a/traffic_ops/traffic_ops_golang/auth/password_check.go b/traffic_ops/traffic_ops_golang/auth/password_check.go
new file mode 100644
index 0000000..323723a
--- /dev/null
+++ b/traffic_ops/traffic_ops_golang/auth/password_check.go
@@ -0,0 +1,94 @@
+package auth
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/apache/trafficcontrol/lib/go-log"
+)
+
+// A lookup table, bool will always be true
+var invalidPasswords map[string]bool
+
+// Expects a relative path from the traffic_ops directory
+func LoadPasswordBlacklist(filePath string) error {
+
+	if invalidPasswords == nil {
+		invalidPasswords = make(map[string]bool)
+	} else {
+		return fmt.Errorf("Password blacklist is already loaded")
+	}
+
+	pwd, err := os.Getwd()
+	if err != nil {
+		return err
+	}
+
+	filePath = fmt.Sprintf("%straffic_ops/%s", pwd[:strings.Index(pwd, "traffic_ops")], filePath)
+
+	log.Infof("full path to password blacklist: %s\n", filePath)
+	in, err := os.Open(filePath)
+	if err != nil {
+		return err
+	}
+
+	scanner := bufio.NewScanner(in)
+	for scanner.Scan() {
+		invalidPasswords[scanner.Text()] = true
+	}
+
+	in.Close()
+	return scanner.Err()
+}
+
+func IsInvalidPassword(pw string) bool {
+	_, bad := invalidPasswords[pw]
+	return bad
+}
+
+func IsGoodPassword(pw string, confirmPw string, username string) error {
+
+	if pw == "" {
+		return nil
+	}
+
+	if pw != confirmPw {
+		return fmt.Errorf("Passwords do not match.")
+	}
+
+	if pw == username {
+		return fmt.Errorf("Your password cannot be the same as your username.")
+	}
+
+	if len(pw) < 8 {
+		return fmt.Errorf("Password must be greater than 7 chars.")
+	}
+
+	if IsInvalidPassword(pw) {
+		return fmt.Errorf("Password is too common.")
+	}
+
+	// At this point we're happy with the password
+	return nil
+}
diff --git a/traffic_ops/traffic_ops_golang/traffic_ops_golang.go b/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
index c8348fb..c042d51 100644
--- a/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
+++ b/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
@@ -33,6 +33,7 @@ import (
 
 	"github.com/apache/trafficcontrol/lib/go-log"
 	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/about"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
 	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
 
 	"github.com/jmoiron/sqlx"
@@ -108,6 +109,12 @@ func main() {
 		Event Log:            %s
 		LDAP Enabled:         %v`, cfg.Port, cfg.DB.Hostname, cfg.DB.User, cfg.DB.DBName, cfg.DB.SSL, cfg.MaxDBConnections, cfg.Listen[0], cfg.Insecure, cfg.CertPath, cfg.KeyPath, time.Duration(cfg.ProxyTimeout)*time.Second, time.Duration(cfg.ProxyKeepAlive)*time.Second, time.Duration(cfg.ProxyTLSTimeout)*time.Second, time.Duration(cfg.ProxyReadHeaderTimeout)*time.Second, time.Duration(cfg.ReadTimeout)*time.Second, time.Duration(cfg.ReadHeaderTimeout)*time.Second, time.Duration(cfg.WriteTimeou [...]
 
+	err := auth.LoadPasswordBlacklist("app/conf/invalid_passwords.txt")
+	if err != nil {
+		log.Errorf("loading password blacklist: %v\n", err)
+		return
+	}
+
 	sslStr := "require"
 	if !cfg.DB.SSL {
 		sslStr = "disable"