0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-29 10:54:02 -05:00
forgejo/modules/auth/password/password.go
zeripath 61b89747ed
Provide the ability to set password hash algorithm parameters (#22942)
This PR refactors and improves the password hashing code within gitea
and makes it possible for server administrators to set the password
hashing parameters

In addition it takes the opportunity to adjust the settings for `pbkdf2`
in order to make the hashing a little stronger.

The majority of this work was inspired by PR #14751 and I would like to
thank @boppy for their work on this.

Thanks to @gusted for the suggestion to adjust the `pbkdf2` hashing
parameters.

Close #14751

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-19 15:35:20 +08:00

126 lines
3 KiB
Go

// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package password
import (
"bytes"
goContext "context"
"crypto/rand"
"math/big"
"strings"
"sync"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/translation"
)
// complexity contains information about a particular kind of password complexity
type complexity struct {
ValidChars string
TrNameOne string
}
var (
matchComplexityOnce sync.Once
validChars string
requiredList []complexity
charComplexities = map[string]complexity{
"lower": {
`abcdefghijklmnopqrstuvwxyz`,
"form.password_lowercase_one",
},
"upper": {
`ABCDEFGHIJKLMNOPQRSTUVWXYZ`,
"form.password_uppercase_one",
},
"digit": {
`0123456789`,
"form.password_digit_one",
},
"spec": {
` !"#$%&'()*+,-./:;<=>?@[\]^_{|}~` + "`",
"form.password_special_one",
},
}
)
// NewComplexity for preparation
func NewComplexity() {
matchComplexityOnce.Do(func() {
setupComplexity(setting.PasswordComplexity)
})
}
func setupComplexity(values []string) {
if len(values) != 1 || values[0] != "off" {
for _, val := range values {
if complex, ok := charComplexities[val]; ok {
validChars += complex.ValidChars
requiredList = append(requiredList, complex)
}
}
if len(requiredList) == 0 {
// No valid character classes found; use all classes as default
for _, complex := range charComplexities {
validChars += complex.ValidChars
requiredList = append(requiredList, complex)
}
}
}
if validChars == "" {
// No complexities to check; provide a sensible default for password generation
validChars = charComplexities["lower"].ValidChars + charComplexities["upper"].ValidChars + charComplexities["digit"].ValidChars
}
}
// IsComplexEnough return True if password meets complexity settings
func IsComplexEnough(pwd string) bool {
NewComplexity()
if len(validChars) > 0 {
for _, req := range requiredList {
if !strings.ContainsAny(req.ValidChars, pwd) {
return false
}
}
}
return true
}
// Generate a random password
func Generate(n int) (string, error) {
NewComplexity()
buffer := make([]byte, n)
max := big.NewInt(int64(len(validChars)))
for {
for j := 0; j < n; j++ {
rnd, err := rand.Int(rand.Reader, max)
if err != nil {
return "", err
}
buffer[j] = validChars[rnd.Int64()]
}
pwned, err := IsPwned(goContext.Background(), string(buffer))
if err != nil {
return "", err
}
if IsComplexEnough(string(buffer)) && !pwned && string(buffer[0]) != " " && string(buffer[n-1]) != " " {
return string(buffer), nil
}
}
}
// BuildComplexityError builds the error message when password complexity checks fail
func BuildComplexityError(locale translation.Locale) string {
var buffer bytes.Buffer
buffer.WriteString(locale.Tr("form.password_complexity"))
buffer.WriteString("<ul>")
for _, c := range requiredList {
buffer.WriteString("<li>")
buffer.WriteString(locale.Tr(c.TrNameOne))
buffer.WriteString("</li>")
}
buffer.WriteString("</ul>")
return buffer.String()
}