Require password complexity (#3205)

Require password complexity
NuGet · Sep 12, 2016 · 93fa02b · 93fa02b
1 parent a173a57
commit 93fa02b
Show file tree

Hide file tree

Showing 12 changed files with 142 additions and 21 deletions.
diff --git a/src/NuGetGallery/Configuration/AppConfiguration.cs b/src/NuGetGallery/Configuration/AppConfiguration.cs
@@ -174,6 +174,18 @@ public class AppConfiguration : IAppConfiguration
         /// </summary>
         public string EnforcedAuthProviderForAdmin { get; set; }
 
+        /// <summary>
+        /// A regex to validate password format. The default regex requires the password to be atlease 8 characters, 
+        /// include at least one uppercase letter, one lowercase letter and a digit.
+        /// </summary>
+        [Required]
+        [DefaultValue("^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).{8,64}$")]
+        public string UserPasswordRegex { get; set; }
+
+        [Required]
+        [DefaultValue("Your password must be at least 8 characters, should include at least one uppercase letter, one lowercase letter and a digit.")]
+        public string UserPasswordHint { get; set; }
+
         /// <summary>
         /// Defines the time after which V1 API keys expire.
         /// </summary>

diff --git a/src/NuGetGallery/Configuration/IAppConfiguration.cs b/src/NuGetGallery/Configuration/IAppConfiguration.cs
@@ -160,6 +160,16 @@ public interface IAppConfiguration
         /// </summary>
         string EnforcedAuthProviderForAdmin { get; set; }
 
+        /// <summary>
+        /// The required format for a user password.
+        /// </summary>
+        string UserPasswordRegex { get; set; }
+
+        /// <summary>
+        /// A message to show the user, to explain password requirements.
+        /// </summary>
+        string UserPasswordHint { get; set; }
+
         /// <summary>
         /// Defines the time after which V1 API keys expire.
         /// </summary>

diff --git a/src/NuGetGallery/Infrastructure/PasswordValidationAttribute.cs b/src/NuGetGallery/Infrastructure/PasswordValidationAttribute.cs
@@ -0,0 +1,36 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.ComponentModel.DataAnnotations;
+using System.Web.Mvc;
+using NuGetGallery.Configuration;
+
+namespace NuGetGallery.Infrastructure
+{
+    [AttributeUsage(AttributeTargets.Property)]
+    public sealed class PasswordValidationAttribute : ValidationAttribute
+    {
+        private readonly RegularExpressionAttribute _regexAttribute;
+
+        public PasswordValidationAttribute()
+        {
+            var configuration = DependencyResolver.Current.GetService<IGalleryConfigurationService>().Current;
+
+            _regexAttribute = new RegularExpressionAttribute(configuration.UserPasswordRegex)
+            {
+                ErrorMessage = configuration.UserPasswordHint
+            };
+        }
+
+        public override bool IsValid(object value)
+        {
+            return _regexAttribute.IsValid(value);
+        }
+
+        public override string FormatErrorMessage(string name)
+        {
+            return _regexAttribute.FormatErrorMessage(name);
+        }
+    }
+}
diff --git a/src/NuGetGallery/NuGetGallery.csproj b/src/NuGetGallery/NuGetGallery.csproj
@@ -749,6 +749,7 @@
     <Compile Include="Infrastructure\Authentication\CredentialValidator.cs" />
     <Compile Include="Infrastructure\Authentication\ICredentialBuilder.cs" />
     <Compile Include="Infrastructure\Authentication\ICredentialValidator.cs" />
+    <Compile Include="Infrastructure\PasswordValidationAttribute.cs" />
     <Compile Include="Migrations\201602181939424_RemovePackageStatistics.cs" />
     <Compile Include="Migrations\201602181939424_RemovePackageStatistics.Designer.cs">
       <DependentUpon>201602181939424_RemovePackageStatistics.cs</DependentUpon>

diff --git a/src/NuGetGallery/Strings.resx b/src/NuGetGallery/Strings.resx
@@ -316,7 +316,7 @@ The {2} Team</value>
   </data>
   <data name="NuGetPackageReleaseVersionContainsOnlyNumerics" xml:space="preserve">
     <value>Package {0} invalid: the release label can not only contain numerics.</value>
-  </data>  
+  </data>
   <data name="CopyExternalPackages_PackageFileBlobAlreadyExists" xml:space="preserve">
     <value>SKIPPED! Package file blob {0} already exists</value>
   </data>

diff --git a/src/NuGetGallery/ViewModels/AccountViewModel.cs b/src/NuGetGallery/ViewModels/AccountViewModel.cs
@@ -7,6 +7,7 @@
 using System.ComponentModel.DataAnnotations;
 using System.Web.Mvc;
 using NuGetGallery.Authentication.Providers;
+using NuGetGallery.Infrastructure;
 
 namespace NuGetGallery
 {
@@ -53,6 +54,7 @@ public class ChangePasswordViewModel
 
         [Required]
         [Display(Name = "New Password")]
+        [PasswordValidation]
         [AllowHtml]
         public string NewPassword { get; set; }
 

diff --git a/src/NuGetGallery/ViewModels/LogOnViewModel.cs b/src/NuGetGallery/ViewModels/LogOnViewModel.cs
@@ -3,9 +3,9 @@
 
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
-using System.Text.RegularExpressions;
 using System.Web.Mvc;
 using NuGetGallery.Authentication.Providers;
+using NuGetGallery.Infrastructure;
 
 namespace NuGetGallery
 {
@@ -74,40 +74,32 @@ public class RegisterViewModel
         internal const string EmailValidationRegex = "^" + FirstPart + "@" + SecondPart + "$";
 
         internal const string EmailValidationErrorMessage = "This doesn't appear to be a valid email address.";
+        public const string EmailHint = "Your email will not be public unless you choose to disclose it. " +
+                                          "It is required to verify your registration and for password retrieval, important notifications, etc. ";
 
         internal const string UsernameValidationRegex =
             @"[A-Za-z0-9][A-Za-z0-9_\.-]+[A-Za-z0-9]";
-
-        /// <summary>
-        /// Regex that matches INVALID username characters, to make it easy to strip those characters out.
-        /// </summary>
-        internal static readonly Regex UsernameNormalizationRegex =
-            new Regex(@"[^A-Za-z0-9_\.-]");
-
+
         internal const string UsernameValidationErrorMessage =
             "User names must start and end with a letter or number, and may only contain letters, numbers, underscores, periods, and hyphens in between.";
 
+        public const string UserNameHint = "Choose something unique so others will know which contributions are yours.";
+
         [Required]
         [StringLength(255)]
         [Display(Name = "Email")]
-        //[DataType(DataType.EmailAddress)] - does not work with client side validation
         [RegularExpression(EmailValidationRegex, ErrorMessage = EmailValidationErrorMessage)]
-        [Hint(
-            "Your email will not be public unless you choose to disclose it. " +
-            "It is required to verify your registration and for password retrieval, important notifications, etc. ")]
         [Subtext("We use <a href=\"http://www.gravatar.com\" target=\"_blank\">Gravatar</a> to get your profile picture", AllowHtml = true)]
         public string EmailAddress { get; set; }
 
         [Required]
         [StringLength(64)]
         [RegularExpression(UsernameValidationRegex, ErrorMessage = UsernameValidationErrorMessage)]
-        [Hint("Choose something unique so others will know which contributions are yours.")]
         public string Username { get; set; }
 
         [Required]
         [DataType(DataType.Password)]
-        [StringLength(64, MinimumLength = 7)]
-        [Hint("Passwords must be at least 7 characters long.")]
+        [PasswordValidation]
         [AllowHtml]
         public string Password { get; set; }
     }

diff --git a/src/NuGetGallery/ViewModels/PasswordResetViewModel.cs b/src/NuGetGallery/ViewModels/PasswordResetViewModel.cs
@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System.ComponentModel.DataAnnotations;
+using NuGetGallery.Infrastructure;
 
 namespace NuGetGallery
 {
@@ -9,8 +10,7 @@ public class PasswordResetViewModel
         [Required]
         [DataType(DataType.Password)]
         [Display(Name = "New password")]
-        [StringLength(64, MinimumLength = 7)]
-        [Hint("Passwords must be at least 7 characters long.")]
+        [PasswordValidation]
         public string NewPassword { get; set; }
 
         [Required]

diff --git a/src/NuGetGallery/Views/Authentication/_Register.cshtml b/src/NuGetGallery/Views/Authentication/_Register.cshtml
@@ -1,4 +1,5 @@
-@model LogOnViewModel
+@using NuGetGallery.Configuration
+@model LogOnViewModel
 
 <div id="register-form">
     @using (Html.BeginForm("Register", "Authentication"))
@@ -19,7 +20,8 @@
             <div class="form-field form-field-full">
                 @Html.LabelFor(m => m.Register.Username)
                 @Html.EditorFor(m => m.Register.Username)
-                @Html.ValidationMessageFor(m => m.Register.Username)
+                @Html.ValidationMessageFor(m => m.Register.Username)
+                <span class="field-hint-message">@RegisterViewModel.UserNameHint</span>
             </div>
 
             @if (Model.External == null)
@@ -28,13 +30,15 @@
                     @Html.LabelFor(m => m.Register.Password)
                     @Html.EditorFor(m => m.Register.Password)
                     @Html.ValidationMessageFor(m => m.Register.Password)
+                    <span class="field-hint-message">@PasswordHint()</span>
                 </div>
             }
 
             <div class="form-field form-field-full">
                 <label for="EmailAddress">Email (<a href="http://www.gravatar.com">Gravatar</a>, notifications, and password recovery)</label>
                 @Html.EditorFor(m => m.Register.EmailAddress)
                 @Html.ValidationMessageFor(m => m.Register.EmailAddress)
+                <span class="field-hint-message">@RegisterViewModel.EmailHint</span>
             </div>
 
             <img src="@Url.Content("~/Content/images/required.png")" alt="Blue border on left means required." />
@@ -46,5 +50,12 @@
 
             <input class="btn btn-big" type="submit" value="Register" title="Register" />
         </fieldset>
-    }
+    }
+
+    @helper PasswordHint() {
+        var config = DependencyResolver.Current.GetService<IGalleryConfigurationService>();
+        string hint = config.Current.UserPasswordHint;
+        @hint
+    }
+
 </div>
diff --git a/src/NuGetGallery/Web.config b/src/NuGetGallery/Web.config
@@ -81,6 +81,11 @@
     <add key="Gallery.ExpirationInDaysForApiKeyV1" value="365" />
     <add key="Gallery.WarnAboutExpirationInDaysForApiKeyV1" value="10" />
 
+    <!-- To change password complexity requirements, uncomment those lines, and set your regex and password hint.
+    <add key="Gallery.UserPasswordRegex" value="^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).{8,64}$" />
+    <add key="Gallery.UserPasswordHint" value="Your password must be at least 8 characters, should include at least one uppercase letter, one lowercase letter and a digit." />
+    -->
+
     <!-- *************** -->
     <!-- STABLE SETTINGS -->
     <!-- *************** -->

diff --git a/tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj b/tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj
@@ -404,6 +404,7 @@
     <Compile Include="Controllers\StatisticsControllerFacts.cs" />
     <Compile Include="Controllers\UsersControllerFacts.cs" />
     <Compile Include="Framework\TestGalleryConfigurationService.cs" />
+    <Compile Include="PasswordValidationRegexTests.cs" />
     <Compile Include="SearchClient\CorrelatingHttpClientHandlerFacts.cs" />
     <Compile Include="SearchClient\RequestInspectingHandler.cs" />
     <Compile Include="SearchClient\WebApiCorrelationHandlerFacts.cs" />

diff --git a/tests/NuGetGallery.Facts/PasswordValidationRegexTests.cs b/tests/NuGetGallery.Facts/PasswordValidationRegexTests.cs
@@ -0,0 +1,51 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Text.RegularExpressions;
+using NuGetGallery.Configuration;
+using NuGetGallery.Framework;
+using Xunit;
+
+namespace NuGetGallery
+{
+    /// <summary>
+    /// The regex checks that the password is at least 8 characters, one uppercase letter, one lowercase letter, and a digit.
+    /// </summary>
+    public class PasswordValidationRegexTests : TestContainer
+    {
+        private readonly string _defaultPasswordRegex;
+
+        public PasswordValidationRegexTests()
+        {
+            var configuration = Get<ConfigurationService>();
+            _defaultPasswordRegex = configuration.Current.UserPasswordRegex;
+        }
+
+        [Theory]
+        [InlineData("aA1aaaaa")]
+        [InlineData("abcdefg$0B")]
+        [InlineData("****1bB***")]
+        public void Accepts(string password)
+        {
+
+            var match = new Regex(_defaultPasswordRegex).IsMatch(password);
+            Assert.True(match);
+        }
+
+        [Theory]
+        [InlineData("v")] // Single letter
+        [InlineData("V")] // Single upper case letter
+        [InlineData("8")] // Single number
+        [InlineData("89984214214")] // Just numbers
+        [InlineData("%*`~&*()%#@$!@<>?\"")] // Special characters
+        [InlineData("aaAAaaAAaaAA")] // No digit
+        [InlineData("12345678a")] // No upperscase letter
+        [InlineData("12345678A")] // No lowercase letter
+        [InlineData("1aA")] // Too short
+        public void DoesNotAccept(string password)
+        {
+            var match = new Regex(_defaultPasswordRegex).IsMatch(password);
+            Assert.False(match);
+        }
+    }
+}