You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficcontrol.apache.org by ra...@apache.org on 2018/09/21 22:57:15 UTC
[trafficcontrol] 01/02: Invalid password validation with tests
This is an automated email from the ASF dual-hosted git repository.
rawlin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
commit 1df4f536686389e71e25338946964a87825a9216
Author: moltzaum <ma...@moltzau.net>
AuthorDate: Thu Sep 20 15:51:25 2018 -0600
Invalid password validation with tests
---
.../traffic_ops_golang/auth/authenticate_test.go | 19 +++++
.../traffic_ops_golang/auth/password_check.go | 94 ++++++++++++++++++++++
.../traffic_ops_golang/traffic_ops_golang.go | 7 ++
3 files changed, 120 insertions(+)
diff --git a/traffic_ops/traffic_ops_golang/auth/authenticate_test.go b/traffic_ops/traffic_ops_golang/auth/authenticate_test.go
index 036986e..99d636f 100644
--- a/traffic_ops/traffic_ops_golang/auth/authenticate_test.go
+++ b/traffic_ops/traffic_ops_golang/auth/authenticate_test.go
@@ -20,6 +20,7 @@ package auth
*/
import (
+ "github.com/apache/trafficcontrol/lib/go-log"
"testing"
)
@@ -50,3 +51,21 @@ func TestScryptPasswordIsRequired(t *testing.T) {
t.Errorf("scrypt password should be required")
}
}
+
+func TestPasswordStrength(t *testing.T) {
+
+ passwords := []string{"password", "pa$$word"}
+ expected := []bool{true, false}
+ LoadPasswordBlacklist("app/conf/invalid_passwords.txt")
+
+ for i, password := range passwords {
+ if IsInvalidPassword(password) != expected[i] {
+ if expected[i] {
+ t.Errorf("%s should have been marked as an invalid password", password)
+ } else {
+ t.Errorf("%s should be an ok password", password)
+ }
+ }
+ }
+
+}
diff --git a/traffic_ops/traffic_ops_golang/auth/password_check.go b/traffic_ops/traffic_ops_golang/auth/password_check.go
new file mode 100644
index 0000000..323723a
--- /dev/null
+++ b/traffic_ops/traffic_ops_golang/auth/password_check.go
@@ -0,0 +1,94 @@
+package auth
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+ "bufio"
+ "fmt"
+ "os"
+ "strings"
+
+ "github.com/apache/trafficcontrol/lib/go-log"
+)
+
+// A lookup table, bool will always be true
+var invalidPasswords map[string]bool
+
+// Expects a relative path from the traffic_ops directory
+func LoadPasswordBlacklist(filePath string) error {
+
+ if invalidPasswords == nil {
+ invalidPasswords = make(map[string]bool)
+ } else {
+ return fmt.Errorf("Password blacklist is already loaded")
+ }
+
+ pwd, err := os.Getwd()
+ if err != nil {
+ return err
+ }
+
+ filePath = fmt.Sprintf("%straffic_ops/%s", pwd[:strings.Index(pwd, "traffic_ops")], filePath)
+
+ log.Infof("full path to password blacklist: %s\n", filePath)
+ in, err := os.Open(filePath)
+ if err != nil {
+ return err
+ }
+
+ scanner := bufio.NewScanner(in)
+ for scanner.Scan() {
+ invalidPasswords[scanner.Text()] = true
+ }
+
+ in.Close()
+ return scanner.Err()
+}
+
+func IsInvalidPassword(pw string) bool {
+ _, bad := invalidPasswords[pw]
+ return bad
+}
+
+func IsGoodPassword(pw string, confirmPw string, username string) error {
+
+ if pw == "" {
+ return nil
+ }
+
+ if pw != confirmPw {
+ return fmt.Errorf("Passwords do not match.")
+ }
+
+ if pw == username {
+ return fmt.Errorf("Your password cannot be the same as your username.")
+ }
+
+ if len(pw) < 8 {
+ return fmt.Errorf("Password must be greater than 7 chars.")
+ }
+
+ if IsInvalidPassword(pw) {
+ return fmt.Errorf("Password is too common.")
+ }
+
+ // At this point we're happy with the password
+ return nil
+}
diff --git a/traffic_ops/traffic_ops_golang/traffic_ops_golang.go b/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
index c8348fb..c042d51 100644
--- a/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
+++ b/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
@@ -33,6 +33,7 @@ import (
"github.com/apache/trafficcontrol/lib/go-log"
"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/about"
+ "github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
"github.com/jmoiron/sqlx"
@@ -108,6 +109,12 @@ func main() {
Event Log: %s
LDAP Enabled: %v`, cfg.Port, cfg.DB.Hostname, cfg.DB.User, cfg.DB.DBName, cfg.DB.SSL, cfg.MaxDBConnections, cfg.Listen[0], cfg.Insecure, cfg.CertPath, cfg.KeyPath, time.Duration(cfg.ProxyTimeout)*time.Second, time.Duration(cfg.ProxyKeepAlive)*time.Second, time.Duration(cfg.ProxyTLSTimeout)*time.Second, time.Duration(cfg.ProxyReadHeaderTimeout)*time.Second, time.Duration(cfg.ReadTimeout)*time.Second, time.Duration(cfg.ReadHeaderTimeout)*time.Second, time.Duration(cfg.WriteTimeou [...]
+ err := auth.LoadPasswordBlacklist("app/conf/invalid_passwords.txt")
+ if err != nil {
+ log.Errorf("loading password blacklist: %v\n", err)
+ return
+ }
+
sslStr := "require"
if !cfg.DB.SSL {
sslStr = "disable"