[full-ci] The password policy added. Bump reva (#7195)

* The password policy added. Bump reva

* the special characters list became constant

---------

Co-authored-by: Roman Perekhod <rperekhod@owncloud.com>

changelog/unreleased/add-passwod-policies.md

@@ -0,0 +1,6 @@
+Enhancement: Add the password policies
+
+Add the password policies OCIS-3767
+
+https://github.com/owncloud/ocis/pull/7194
+https://github.com/cs3org/reva/pull/4147

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/coreos/go-oidc/v3 v3.6.0
 	github.com/cs3org/go-cs3apis v0.0.0-20230516150832-730ac860c71d
-	github.com/cs3org/reva/v2 v2.16.1-0.20230906142214-864d9012e37f
+	github.com/cs3org/reva/v2 v2.16.1-0.20230908122008-491b5c5bf72a
 	github.com/disintegration/imaging v1.6.2
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
 	github.com/egirna/icap-client v0.1.1

go.sum

@@ -1013,8 +1013,8 @@ github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc=
 github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA=
-github.com/cs3org/reva/v2 v2.16.1-0.20230906142214-864d9012e37f h1:0mbvh+AvpYOp29R5LFgeqddyI0uKZnO/E3MyPEIaYdg=
-github.com/cs3org/reva/v2 v2.16.1-0.20230906142214-864d9012e37f/go.mod h1:RvhuweTFqzezjUFU0SIdTXakrEx9vJlMvQ7znPXSP1g=
+github.com/cs3org/reva/v2 v2.16.1-0.20230908122008-491b5c5bf72a h1:E7XghgSsNsR57wd0z/emKRfwDmoT2q/vuIYGNtx9IkA=
+github.com/cs3org/reva/v2 v2.16.1-0.20230908122008-491b5c5bf72a/go.mod h1:RvhuweTFqzezjUFU0SIdTXakrEx9vJlMvQ7znPXSP1g=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

services/frontend/README.md

@@ -63,3 +63,24 @@ The `frontend` service contains an eventhandler for handling `ocs` related event
 ### Auto-Accept Shares
 
 When setting the `FRONTEND_AUTO_ACCEPT_SHARES` to `true`, all incoming shares will be accepted automatically. Users can overwrite this setting individually in their profile.
+
+## The password policy
+
+Note that the password policy currently impacts _only_ public link password validation.
+
+With the password policy, mandatory criteria for the password can be defined via the environment variables listed below.
+
+Generally, a password can contain any UTF-8 characters, however some characters are regarded as special since they are not used in ordinary texts. Which characters should be treated as special is defined by "The OWASP® Foundation" [password-special-characters](https://owasp.org/www-community/password-special-characters) (between double quotes): " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
+
+Note that a password can have a maximum length of **72 bytes**. Depending on the alphabet used, a character is encoded by 1 to 4 bytes, defining the maximum length of a password indirectly. While US-ASCII will only need one byte, Latin alphabets and also Greek or Cyrillic ones need two bytes. Three bytes are needed for characters in Chinese, Japanese and Korean etc.
+
+-   `FRONTEND_PASSWORD_POLICIES_MIN_CHARACTERS`
+Define the minimum password length.
+-   `FRONTEND_PASSWORD_POLICIES_MIN_LOWER_CASE_CHARACTERS`
+Define the minimum number of uppercase letters.
+-   `FRONTEND_PASSWORD_POLICIES_MIN_UPPER_CASE_CHARACTERS`
+Define the minimum number of lowercase letters.
+-   `FRONTEND_PASSWORD_POLICIES_MIN_DIGITS`
+Define the minimum number of digits.
+-   `FRONTEND_PASSWORD_POLICIES_MIN_SPECIAL_CHARACTERS`
+Define the minimum number of special characters.

services/frontend/pkg/config/config.go

@@ -58,6 +58,8 @@ type Config struct {
 	AutoAcceptShares bool                  `yaml:"auto_accept_shares" env:"FRONTEND_AUTO_ACCEPT_SHARES" desc:"Defines if shares should be auto accepted by default. Users can change this setting individually in their profile."`
 	ServiceAccount   ServiceAccount        `yaml:"service_account"`
 
+	PasswordPolicies PasswordPolicies `yaml:"password_policies"`
+
 	Supervised bool            `yaml:"-"`
 	Context    context.Context `yaml:"-"`
 }
@@ -171,3 +173,12 @@ type ServiceAccount struct {
 	ServiceAccountID     string `yaml:"service_account_id" env:"OCIS_SERVICE_ACCOUNT_ID;FRONTEND_SERVICE_ACCOUNT_ID" desc:"The ID of the service account the service should use. See the 'auth-service' service description for more details."`
 	ServiceAccountSecret string `yaml:"service_account_secret" env:"OCIS_SERVICE_ACCOUNT_SECRET;FRONTEND_SERVICE_ACCOUNT_SECRET" desc:"The service account secret."`
 }
+
+// PasswordPolicies configures reva password policies
+type PasswordPolicies struct {
+	MinCharacters          int `yaml:"min_characters,omitempty" env:"FRONTEND_PASSWORD_POLICIES_MIN_CHARACTERS" desc:"Define the minimum password length. Defaults to 0 if not set."`
+	MinLowerCaseCharacters int `yaml:"min_lower_case_characters" env:"FRONTEND_PASSWORD_POLICIES_MIN_LOWER_CASE_CHARACTERS" desc:"Define the minimum number of uppercase letters. Defaults to 0 if not set."`
+	MinUpperCaseCharacters int `yaml:"min_upper_case_characters" env:"FRONTEND_PASSWORD_POLICIES_MIN_UPPER_CASE_CHARACTERS" desc:"Define the minimum number of lowercase letters. Defaults to 0 if not set."`
+	MinDigits              int `yaml:"min_digits" env:"FRONTEND_PASSWORD_POLICIES_MIN_DIGITS" desc:"Define the minimum number of digits. Defaults to 0 if not set."`
+	MinSpecialCharacters   int `yaml:"min_special_characters" env:"FRONTEND_PASSWORD_POLICIES_MIN_SPECIAL_CHARACTERS" desc:"Define the minimum number of characters from the special characters list to be present. Defaults to 0 if not set."`
+}

services/frontend/pkg/revaconfig/config.go

@@ -274,6 +274,14 @@ func FrontendConfigFromStruct(cfg *config.Config) (map[string]interface{}, error
 								"share_jail": cfg.EnableShareJail,
 								"max_quota":  cfg.MaxQuota,
 							},
+							"password_policies": map[string]interface{}{
+								"max_characters":            72,
+								"min_characters":            cfg.PasswordPolicies.MinCharacters,
+								"min_lower_case_characters": cfg.PasswordPolicies.MinLowerCaseCharacters,
+								"min_upper_case_characters": cfg.PasswordPolicies.MinUpperCaseCharacters,
+								"min_digits":                cfg.PasswordPolicies.MinDigits,
+								"min_special_characters":    cfg.PasswordPolicies.MinSpecialCharacters,
+							},
 							"notifications": map[string]interface{}{
 								"endpoints": []string{"list", "get", "delete"},
 							},

vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go

@@ -126,7 +126,6 @@ type GatewayClientGetter func() (gateway.GatewayAPIClient, error)
 
 // Init initializes this and any contained handlers
 func (h *Handler) Init(c *config.Config) error {
-	var err error
 	h.gatewayAddr = c.GatewaySvc
 	h.machineAuthAPIKey = c.MachineAuthAPIKey
 	h.storageRegistryAddr = c.StorageregistrySvc
@@ -142,10 +141,7 @@ func (h *Handler) Init(c *config.Config) error {
 	h.deniable = c.EnableDenials
 	h.resharing = resharing(c)
 	h.publicPasswordEnforced = publicPwdEnforced(c)
-	h.passwordValidator, err = passwordPolicies(c)
-	if err != nil {
-		return err
-	}
+	h.passwordValidator = passwordPolicies(c)
 
 	h.statCache = cache.GetStatCache(c.StatCacheStore, c.StatCacheNodes, c.StatCacheDatabase, "stat", time.Duration(c.StatCacheTTL)*time.Second, c.StatCacheSize)
 	if c.CacheWarmupDriver != "" {
@@ -1594,28 +1590,17 @@ func publicPwdEnforced(c *config.Config) passwordEnforced {
 	return enf
 }
 
-func passwordPolicies(c *config.Config) (password.Validator, error) {
-	var pv password.Validator
-	var err error
+func passwordPolicies(c *config.Config) password.Validator {
 	if c.Capabilities.Capabilities == nil || c.Capabilities.Capabilities.PasswordPolicies == nil {
-		pv, err = password.NewPasswordPolicies(0, 0, 0, 0, 0, "")
-		if err != nil {
-			return nil, fmt.Errorf("can't init the Password Policies %w", err)
-		}
-		return pv, nil
+		return password.NewPasswordPolicies(0, 0, 0, 0, 0)
 	}
-	pv, err = password.NewPasswordPolicies(
+	return password.NewPasswordPolicies(
 		c.Capabilities.Capabilities.PasswordPolicies.MinCharacters,
 		c.Capabilities.Capabilities.PasswordPolicies.MinLowerCaseCharacters,
 		c.Capabilities.Capabilities.PasswordPolicies.MinUpperCaseCharacters,
 		c.Capabilities.Capabilities.PasswordPolicies.MinDigits,
 		c.Capabilities.Capabilities.PasswordPolicies.MinSpecialCharacters,
-		c.Capabilities.Capabilities.PasswordPolicies.SpecialCharacters,
 	)
-	if err != nil {
-		return nil, fmt.Errorf("can't init the Password Policies %w", err)
-	}
-	return pv, nil
 }
 
 // sufficientPermissions returns true if the `existing` permissions contain the `requested` permissions

vendor/github.com/cs3org/reva/v2/pkg/password/password_policies.go

@@ -8,6 +8,9 @@ import (
 	"unicode/utf8"
 )
 
+// https://owasp.org/www-community/password-special-characters
+var _defaultSpecialCharacters = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
+
 // Validator describes the interface providing a password Validate method
 type Validator interface {
 	Validate(str string) error
@@ -20,32 +23,23 @@ type Policies struct {
 	minUpperCaseCharacters  int
 	minDigits               int
 	minSpecialCharacters    int
-	specialCharacters       string
 	digitsRegexp            *regexp.Regexp
 	specialCharactersRegexp *regexp.Regexp
 }
 
 // NewPasswordPolicies returns a new NewPasswordPolicies instance
-func NewPasswordPolicies(minCharacters, minLowerCaseCharacters, minUpperCaseCharacters, minDigits, minSpecialCharacters int,
-	specialCharacters string) (Validator, error) {
+func NewPasswordPolicies(minCharacters, minLowerCaseCharacters, minUpperCaseCharacters, minDigits, minSpecialCharacters int) Validator {
 	p := &Policies{
 		minCharacters:          minCharacters,
 		minLowerCaseCharacters: minLowerCaseCharacters,
 		minUpperCaseCharacters: minUpperCaseCharacters,
 		minDigits:              minDigits,
 		minSpecialCharacters:   minSpecialCharacters,
-		specialCharacters:      specialCharacters,
 	}
 
 	p.digitsRegexp = regexp.MustCompile("[0-9]")
-	if len(specialCharacters) > 0 {
-		var err error
-		p.specialCharactersRegexp, err = regexp.Compile(specialCharactersExp(specialCharacters))
-		if err != nil {
-			return nil, err
-		}
-	}
-	return p, nil
+	p.specialCharactersRegexp = regexp.MustCompile(specialCharactersExp(_defaultSpecialCharacters))
+	return p
 }
 
 // Validate implements a password validation regarding the policy
@@ -110,7 +104,7 @@ func (s Policies) validateDigits(str string) error {
 
 func (s Policies) validateSpecialCharacters(str string) error {
 	if s.countSpecialCharacters(str) < s.minSpecialCharacters {
-		return fmt.Errorf("at least %d special characters are required. %s", s.minSpecialCharacters, s.specialCharacters)
+		return fmt.Errorf("at least %d special characters are required. %s", s.minSpecialCharacters, _defaultSpecialCharacters)
 	}
 	return nil
 }

vendor/modules.txt

@@ -356,7 +356,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1
 github.com/cs3org/go-cs3apis/cs3/types/v1beta1
-# github.com/cs3org/reva/v2 v2.16.1-0.20230906142214-864d9012e37f
+# github.com/cs3org/reva/v2 v2.16.1-0.20230908122008-491b5c5bf72a
 ## explicit; go 1.20
 github.com/cs3org/reva/v2/cmd/revad/internal/grace
 github.com/cs3org/reva/v2/cmd/revad/runtime