cs3org · 2403905 · Sep 21, 2023 · Sep 19, 2023
@@ -0,0 +1,5 @@
+Enhancement: Add the Banned-Passwords List
+
+Add ability to validation against the Banned-Passwords List OCIS-3809
+
+https://github.com/cs3org/reva/pull/4197
@@ -88,12 +88,13 @@ type CapabilitiesGraph struct {
 
 // CapabilitiesPasswordPolicy hold the password policy capabilities
 type CapabilitiesPasswordPolicy struct {
-	MinCharacters          int `json:"min_characters" xml:"min_characters" mapstructure:"min_characters"`
-	MaxCharacters          int `json:"max_characters" xml:"max_characters" mapstructure:"max_characters"`
-	MinLowerCaseCharacters int `json:"min_lowercase_characters" xml:"min_lowercase_characters" mapstructure:"min_lowercase_characters"`
-	MinUpperCaseCharacters int `json:"min_uppercase_characters" xml:"min_uppercase_characters" mapstructure:"min_uppercase_characters"`
-	MinDigits              int `json:"min_digits" xml:"min_digits" mapstructure:"min_digits"`
-	MinSpecialCharacters   int `json:"min_special_characters" xml:"min_special_characters" mapstructure:"min_special_characters"`
+	MinCharacters          int                 `json:"min_characters" xml:"min_characters" mapstructure:"min_characters"`
+	MaxCharacters          int                 `json:"max_characters" xml:"max_characters" mapstructure:"max_characters"`
+	MinLowerCaseCharacters int                 `json:"min_lowercase_characters" xml:"min_lowercase_characters" mapstructure:"min_lowercase_characters"`
+	MinUpperCaseCharacters int                 `json:"min_uppercase_characters" xml:"min_uppercase_characters" mapstructure:"min_uppercase_characters"`
+	MinDigits              int                 `json:"min_digits" xml:"min_digits" mapstructure:"min_digits"`
+	MinSpecialCharacters   int                 `json:"min_special_characters" xml:"min_special_characters" mapstructure:"min_special_characters"`
+	BannedPasswordsList    map[string]struct{} `json:"-" xml:"-" mapstructure:"banned_passwords_list"`
 }
 
 // CapabilitiesGraphUsers holds the graph user capabilities

@@ -153,7 +153,7 @@ func (h *Handler) createPublicLinkShare(w http.ResponseWriter, r *http.Request,
 		if err := h.passwordValidator.Validate(password); err != nil {
 			return nil, &ocsError{
 				Code:    response.MetaBadRequest.StatusCode,
-				Message: "password validation failed",
+				Message: err.Error(),
 				Error:   fmt.Errorf("password validation failed: %w", err),
 			}
 		}
@@ -479,7 +479,7 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar
 		// skip validation if the clear password scenario
 		if len(newPassword[0]) > 0 {
 			if err := h.passwordValidator.Validate(newPassword[0]); err != nil {
-				response.WriteOCSError(w, r, response.MetaBadRequest.StatusCode, fmt.Errorf("missing required password %w", err).Error(), err)
+				response.WriteOCSError(w, r, response.MetaBadRequest.StatusCode, err.Error(), err)
 				return
 			}
 		}

@@ -1592,14 +1592,15 @@ func publicPwdEnforced(c *config.Config) passwordEnforced {
 
 func passwordPolicies(c *config.Config) password.Validator {
 	if c.Capabilities.Capabilities == nil || c.Capabilities.Capabilities.PasswordPolicy == nil {
-		return password.NewPasswordPolicy(0, 0, 0, 0, 0)
+		return password.NewPasswordPolicy(0, 0, 0, 0, 0, nil)
 	}
 	return password.NewPasswordPolicy(
 		c.Capabilities.Capabilities.PasswordPolicy.MinCharacters,
 		c.Capabilities.Capabilities.PasswordPolicy.MinLowerCaseCharacters,
 		c.Capabilities.Capabilities.PasswordPolicy.MinUpperCaseCharacters,
 		c.Capabilities.Capabilities.PasswordPolicy.MinDigits,
 		c.Capabilities.Capabilities.PasswordPolicy.MinSpecialCharacters,
+		c.Capabilities.Capabilities.PasswordPolicy.BannedPasswordsList,
 	)
 }
 

@@ -23,18 +23,20 @@ type Policies struct {
 	minUpperCaseCharacters  int
 	minDigits               int
 	minSpecialCharacters    int
+	bannedPasswordsList     map[string]struct{}
 	digitsRegexp            *regexp.Regexp
 	specialCharactersRegexp *regexp.Regexp
 }
 
 // NewPasswordPolicy returns a new NewPasswordPolicy instance
-func NewPasswordPolicy(minCharacters, minLowerCaseCharacters, minUpperCaseCharacters, minDigits, minSpecialCharacters int) Validator {
+func NewPasswordPolicy(minCharacters, minLowerCaseCharacters, minUpperCaseCharacters, minDigits, minSpecialCharacters int, bannedPasswordsList map[string]struct{}) Validator {
 	p := &Policies{
 		minCharacters:          minCharacters,
 		minLowerCaseCharacters: minLowerCaseCharacters,
 		minUpperCaseCharacters: minUpperCaseCharacters,
 		minDigits:              minDigits,
 		minSpecialCharacters:   minSpecialCharacters,
+		bannedPasswordsList:    bannedPasswordsList,
 	}
 
 	p.digitsRegexp = regexp.MustCompile("[0-9]")
@@ -48,7 +50,11 @@ func (s Policies) Validate(str string) error {
 	if !utf8.ValidString(str) {
 		return fmt.Errorf("the password contains invalid characters")
 	}
-	err := s.validateCharacters(str)
+	err := s.validateBannedList(str)
+	if err != nil {
+		return err
+	}
+	err = s.validateCharacters(str)
 	if err != nil {
 		allErr = errors.Join(allErr, err)
 	}
@@ -74,6 +80,16 @@ func (s Policies) Validate(str string) error {
 	return nil
 }
 
+func (s Policies) validateBannedList(str string) error {
+	if len(s.bannedPasswordsList) == 0 {
+		return nil
+	}
+	if _, ok := s.bannedPasswordsList[str]; ok {
+		return fmt.Errorf("unfortunately, your password is commonly used. please pick a harder-to-guess password for your safety")
+	}
+	return nil
+}
+
 func (s Policies) validateCharacters(str string) error {
 	if s.count(str) < s.minCharacters {
 		return fmt.Errorf("at least %d characters are required", s.minCharacters)
@@ -104,7 +120,7 @@ func (s Policies) validateDigits(str string) error {
 
 func (s Policies) validateSpecialCharacters(str string) error {
 	if s.countSpecialCharacters(str) < s.minSpecialCharacters {
-		return fmt.Errorf("at least %d special characters are required. %s", s.minSpecialCharacters, _defaultSpecialCharacters)
+		return fmt.Errorf("at least %d special characters are required %s", s.minSpecialCharacters, _defaultSpecialCharacters)
 	}
 	return nil
 }

@@ -2,6 +2,8 @@ package password
 
 import (
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestPolicies_Validate(t *testing.T) {
@@ -11,12 +13,14 @@ func TestPolicies_Validate(t *testing.T) {
 		minUpperCaseCharacters int
 		minDigits              int
 		minSpecialCharacters   int
+		bannedPasswordsList    map[string]struct{}
 	}
 	tests := []struct {
 		name    string
 		fields  fields
 		args    string
 		wantErr bool
+		errMsg  string
 	}{
 		{
 			name: "all in one",
@@ -51,6 +55,21 @@ func TestPolicies_Validate(t *testing.T) {
 			},
 			args:    "0äÖ-",
 			wantErr: true,
+			errMsg:  "at least 2 lowercase letters are required\nat least 2 uppercase letters are required\nat least 2 numbers are required\nat least 2 special characters are required  !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
+		},
+		{
+			name: "banned list",
+			fields: fields{
+				minCharacters:          10,
+				minLowerCaseCharacters: 3,
+				minUpperCaseCharacters: 3,
+				minDigits:              3,
+				minSpecialCharacters:   1,
+				bannedPasswordsList:    map[string]struct{}{"123abcABC!": struct{}{}},
+			},
+			args:    "123abcABC!",
+			wantErr: true,
+			errMsg:  "unfortunately, your password is commonly used. please pick a harder-to-guess password for your safety",
 		},
 	}
 	for _, tt := range tests {
@@ -61,9 +80,13 @@ func TestPolicies_Validate(t *testing.T) {
 				tt.fields.minUpperCaseCharacters,
 				tt.fields.minDigits,
 				tt.fields.minSpecialCharacters,
+				tt.fields.bannedPasswordsList,
 			)
-			if err := s.Validate(tt.args); (err != nil) != tt.wantErr {
-				t.Errorf("Validate() error = %v, wantErr %v", err.Error(), tt.wantErr)
+			err := s.Validate(tt.args)
+			if tt.wantErr {
+				assert.EqualError(t, err, tt.errMsg)
+			} else {
+				assert.NoError(t, err)
 			}
 		})
 	}
@@ -125,6 +148,7 @@ func TestPasswordPolicies_Count(t *testing.T) {
 				tt.fields.wantUpperCaseCharacters,
 				tt.fields.wantDigits,
 				tt.fields.wantSpecialCharacters,
+				nil,
 			)
 			s := i.(*Policies)
 			if got := s.count(tt.args); got != tt.fields.wantCharacters {