From 9bec59bc639255554138791a46e11c546efc8e0c Mon Sep 17 00:00:00 2001
From: Roman Perekhod <2403905@gmail.com>
Date: Fri, 8 Sep 2023 15:32:41 +0200
Subject: [PATCH] [full-ci] The password policy added. Bump reva (#7195)

* The password policy added. Bump reva

* the special characters list became constant

---------

Co-authored-by: Roman Perekhod
---
 changelog/unreleased/add-passwod-policies.md | 6 +++++
 go.mod | 2 +-
 go.sum | 4 ++--
 services/frontend/README.md | 21 +++++++++++++++++
 services/frontend/pkg/config/config.go | 11 +++++++++
 services/frontend/pkg/revaconfig/config.go | 8 +++++++
 .../handlers/apps/sharing/shares/shares.go | 23 ++++--------------
 .../reva/v2/pkg/password/password_policies.go | 20 ++++++----------
 vendor/modules.txt | 2 +-
 9 files changed, 61 insertions(+), 36 deletions(-)
 create mode 100644 changelog/unreleased/add-passwod-policies.md

diff --git a/changelog/unreleased/add-passwod-policies.md b/changelog/unreleased/add-passwod-policies.md
new file mode 100644
index 0000000000..ece2306e56
--- /dev/null
+++ b/changelog/unreleased/add-passwod-policies.md
@@ -0,0 +1,6 @@
+Enhancement: Add the password policies
+
+Add the password policies OCIS-3767
+
+https://github.com/owncloud/ocis/pull/7194
+https://github.com/cs3org/reva/pull/4147
diff --git a/go.mod b/go.mod
index 1ac01b855f..091f874c02 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/coreos/go-oidc/v3 v3.6.0
 	github.com/cs3org/go-cs3apis v0.0.0-20230516150832-730ac860c71d
-	github.com/cs3org/reva/v2 v2.16.1-0.20230906142214-864d9012e37f
+	github.com/cs3org/reva/v2 v2.16.1-0.20230908122008-491b5c5bf72a
 	github.com/disintegration/imaging v1.6.2
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
 	github.com/egirna/icap-client v0.1.1
diff --git a/go.sum b/go.sum
index 8719735e94..8e874fc1c7 100644
--- a/go.sum
+++ b/go.sum
@@ -1013,8 +1013,8 @@ github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc=
 github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA=
-github.com/cs3org/reva/v2 v2.16.1-0.20230906142214-864d9012e37f h1:0mbvh+AvpYOp29R5LFgeqddyI0uKZnO/E3MyPEIaYdg=
-github.com/cs3org/reva/v2 v2.16.1-0.20230906142214-864d9012e37f/go.mod h1:RvhuweTFqzezjUFU0SIdTXakrEx9vJlMvQ7znPXSP1g=
+github.com/cs3org/reva/v2 v2.16.1-0.20230908122008-491b5c5bf72a h1:E7XghgSsNsR57wd0z/emKRfwDmoT2q/vuIYGNtx9IkA=
+github.com/cs3org/reva/v2 v2.16.1-0.20230908122008-491b5c5bf72a/go.mod h1:RvhuweTFqzezjUFU0SIdTXakrEx9vJlMvQ7znPXSP1g=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
diff --git a/services/frontend/README.md b/services/frontend/README.md
index 36c9b2a7b3..ed087d6def 100644
--- a/services/frontend/README.md
+++ b/services/frontend/README.md
@@ -63,3 +63,24 @@ The `frontend` service contains an eventhandler for handling `ocs` related event
 ### Auto-Accept Shares
 When setting the `FRONTEND_AUTO_ACCEPT_SHARES` to `true`, all incoming shares will be accepted automatically. Users can overwrite this setting individually in their profile.
+
+## The password policy
+
+Note that the password policy currently impacts _only_ public link password validation.
+
+With the password policy, mandatory criteria for the password can be defined via the environment variables listed below.
+
+Generally, a password can contain any UTF-8 characters, however some characters are regarded as special since they are not used in ordinary texts. Which characters should be treated as special is defined by "The OWASP® Foundation" [password-special-characters](https://owasp.org/www-community/password-special-characters) (between double quotes): " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
+
+Note that a password can have a maximum length of **72 bytes**. Depending on the alphabet used, a character is encoded by 1 to 4 bytes, defining the maximum length of a password indirectly. While US-ASCII will only need one byte, Latin alphabets and also Greek or Cyrillic ones need two bytes. Three bytes are needed for characters in Chinese, Japanese and Korean etc.
+
+- `FRONTEND_PASSWORD_POLICIES_MIN_CHARACTERS`
+Define the minimum password length.
+- `FRONTEND_PASSWORD_POLICIES_MIN_LOWER_CASE_CHARACTERS`
+Define the minimum number of uppercase letters.
+- `FRONTEND_PASSWORD_POLICIES_MIN_UPPER_CASE_CHARACTERS`
+Define the minimum number of lowercase letters.
+- `FRONTEND_PASSWORD_POLICIES_MIN_DIGITS`
+Define the minimum number of digits.
+- `FRONTEND_PASSWORD_POLICIES_MIN_SPECIAL_CHARACTERS`
+Define the minimum number of special characters.
diff --git a/services/frontend/pkg/config/config.go b/services/frontend/pkg/config/config.go
index 21acc43fc3..2e9d87afc7 100644
--- a/services/frontend/pkg/config/config.go
+++ b/services/frontend/pkg/config/config.go
@@ -58,6 +58,8 @@ type Config struct {
 	AutoAcceptShares bool `yaml:"auto_accept_shares" env:"FRONTEND_AUTO_ACCEPT_SHARES" desc:"Defines if shares should be auto accepted by default. Users can change this setting individually in their profile."`
 	ServiceAccount ServiceAccount `yaml:"service_account"`
+	PasswordPolicies PasswordPolicies `yaml:"password_policies"`
+
 	Supervised bool `yaml:"-"`
 	Context context.Context `yaml:"-"`
 }
@@ -171,3 +173,12 @@ type ServiceAccount struct {
 	ServiceAccountID string `yaml:"service_account_id" env:"OCIS_SERVICE_ACCOUNT_ID;FRONTEND_SERVICE_ACCOUNT_ID" desc:"The ID of the service account the service should use. See the 'auth-service' service description for more details."`
 	ServiceAccountSecret string `yaml:"service_account_secret" env:"OCIS_SERVICE_ACCOUNT_SECRET;FRONTEND_SERVICE_ACCOUNT_SECRET" desc:"The service account secret."`
 }
+
+// PasswordPolicies configures reva password policies
+type PasswordPolicies struct {
+	MinCharacters int `yaml:"min_characters,omitempty" env:"FRONTEND_PASSWORD_POLICIES_MIN_CHARACTERS" desc:"Define the minimum password length. Defaults to 0 if not set."`
+	MinLowerCaseCharacters int `yaml:"min_lower_case_characters" env:"FRONTEND_PASSWORD_POLICIES_MIN_LOWER_CASE_CHARACTERS" desc:"Define the minimum number of uppercase letters. Defaults to 0 if not set."`
+	MinUpperCaseCharacters int `yaml:"min_upper_case_characters" env:"FRONTEND_PASSWORD_POLICIES_MIN_UPPER_CASE_CHARACTERS" desc:"Define the minimum number of lowercase letters. Defaults to 0 if not set."`
+	MinDigits int `yaml:"min_digits" env:"FRONTEND_PASSWORD_POLICIES_MIN_DIGITS" desc:"Define the minimum number of digits. Defaults to 0 if not set."`
+	MinSpecialCharacters int `yaml:"min_special_characters" env:"FRONTEND_PASSWORD_POLICIES_MIN_SPECIAL_CHARACTERS" desc:"Define the minimum number of characters from the special characters list to be present. Defaults to 0 if not set."`
+}
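Review bot: The `desc` tags on `MinLowerCaseCharacters` and `MinUpperCaseCharacters` in the new `PasswordPolicies` struct are swapped — the lower-case field reads "minimum number of uppercase letters" and the upper-case field "minimum number of lowercase letters" — and these tags are what the generated configuration docs show operators, so an admin following them would tune the wrong variable. Change them to `desc:"Define the minimum number of lowercase letters. Defaults to 0 if not set."` on `MinLowerCaseCharacters` and `desc:"Define the minimum number of uppercase letters. Defaults to 0 if not set."` on `MinUpperCaseCharacters`; the README hunk in this patch repeats the same swap and needs the same fix. `MinCharacters` is the only field whose yaml tag carries `,omitempty`; drop it (or add it to all five) so the YAML rendering is consistent. Nothing in this hunk rejects negative values or minima that cannot be met within the 72-byte maximum the frontend passes to reva, so a misconfiguration would presumably reject every public-link password; a validation step in the config loader (outside this hunk) would catch that at startup. Since every field defaults to 0 the policy is a no-op until an operator sets at least one variable, which is worth stating in the struct comment, e.g. `// PasswordPolicies configures reva password policies; every limit defaults to 0, i.e. nothing is enforced unless set.`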
diff --git a/services/frontend/pkg/revaconfig/config.go b/services/frontend/pkg/revaconfig/config.go
index 3383251c1d..e800c5a436 100644
--- a/services/frontend/pkg/revaconfig/config.go
+++ b/services/frontend/pkg/revaconfig/config.go
@@ -274,6 +274,14 @@ func FrontendConfigFromStruct(cfg *config.Config) (map[string]interface{}, error
 					"share_jail": cfg.EnableShareJail,
 					"max_quota": cfg.MaxQuota,
 				},
+				"password_policies": map[string]interface{}{
+					"max_characters": 72,
+					"min_characters": cfg.PasswordPolicies.MinCharacters,
+					"min_lower_case_characters": cfg.PasswordPolicies.MinLowerCaseCharacters,
+					"min_upper_case_characters": cfg.PasswordPolicies.MinUpperCaseCharacters,
+					"min_digits": cfg.PasswordPolicies.MinDigits,
+					"min_special_characters": cfg.PasswordPolicies.MinSpecialCharacters,
+				},
 				"notifications": map[string]interface{}{
 					"endpoints": []string{"list", "get", "delete"},
 				},
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go
index 562187df50..ff239b649c 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go
@@ -126,7 +126,6 @@ type GatewayClientGetter func() (gateway.GatewayAPIClient, error)
 // Init initializes this and any contained handlers
 func (h *Handler) Init(c *config.Config) error {
-	var err error
 	h.gatewayAddr = c.GatewaySvc
 	h.machineAuthAPIKey = c.MachineAuthAPIKey
 	h.storageRegistryAddr = c.StorageregistrySvc
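Review bot: `"max_characters": 72` in the new `password_policies` map is a bare literal with nothing in the code saying where the number comes from; the README in this patch only restates "72 bytes", and the most plausible origin (bcrypt's 72-byte input limit) is not shown anywhere in the hunk, so hoist it into a named, commented constant such as `// maxPasswordBytes is the upper bound handed to reva's password policy; presumably bcrypt's 72-byte input limit — confirm, and keep services/frontend/README.md in sync.` above `const maxPasswordBytes = 72`. The minima are copied straight from `cfg.PasswordPolicies` without checking that `MinCharacters`, or the sum of the four per-class minima, stays at or below that maximum; an unsatisfiable policy would presumably make every public-link password fail validation, which is a quiet way to break link sharing for an entire instance. `FrontendConfigFromStruct` already returns an `error`, so returning one for that case (and for negative minima) would surface the misconfiguration at startup instead of at the first share. `FrontendConfigFromStruct` begins and ends outside this hunk.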
@@ -142,10 +141,7 @@ func (h *Handler) Init(c *config.Config) error {
 	h.deniable = c.EnableDenials
 	h.resharing = resharing(c)
 	h.publicPasswordEnforced = publicPwdEnforced(c)
-	h.passwordValidator, err = passwordPolicies(c)
-	if err != nil {
-		return err
-	}
+	h.passwordValidator = passwordPolicies(c)
 	h.statCache = cache.GetStatCache(c.StatCacheStore, c.StatCacheNodes, c.StatCacheDatabase, "stat", time.Duration(c.StatCacheTTL)*time.Second, c.StatCacheSize)
 	if c.CacheWarmupDriver != "" {
@@ -1594,28 +1590,17 @@ func publicPwdEnforced(c *config.Config) passwordEnforced {
 	return enf
 }
 
-func passwordPolicies(c *config.Config) (password.Validator, error) {
-	var pv password.Validator
-	var err error
+func passwordPolicies(c *config.Config) password.Validator {
 	if c.Capabilities.Capabilities == nil || c.Capabilities.Capabilities.PasswordPolicies == nil {
-		pv, err = password.NewPasswordPolicies(0, 0, 0, 0, 0, "")
-		if err != nil {
-			return nil, fmt.Errorf("can't init the Password Policies %w", err)
-		}
-		return pv, nil
+		return password.NewPasswordPolicies(0, 0, 0, 0, 0)
 	}
-	pv, err = password.NewPasswordPolicies(
+	return password.NewPasswordPolicies(
 		c.Capabilities.Capabilities.PasswordPolicies.MinCharacters,
 		c.Capabilities.Capabilities.PasswordPolicies.MinLowerCaseCharacters,
 		c.Capabilities.Capabilities.PasswordPolicies.MinUpperCaseCharacters,
 		c.Capabilities.Capabilities.PasswordPolicies.MinDigits,
 		c.Capabilities.Capabilities.PasswordPolicies.MinSpecialCharacters,
-		c.Capabilities.Capabilities.PasswordPolicies.SpecialCharacters,
 	)
-	if err != nil {
-		return nil, fmt.Errorf("can't init the Password Policies %w", err)
-	}
-	return pv, nil
 }
 
 // sufficientPermissions returns true if the `existing` permissions contain the `requested` permissions
diff --git a/vendor/github.com/cs3org/reva/v2/pkg/password/password_policies.go b/vendor/github.com/cs3org/reva/v2/pkg/password/password_policies.go
index 9ebba7b783..9a499ba8ce 100644
--- a/vendor/github.com/cs3org/reva/v2/pkg/password/password_policies.go
+++ b/vendor/github.com/cs3org/reva/v2/pkg/password/password_policies.go
@@ -8,6 +8,9 @@ import (
 	"unicode/utf8"
 )
 
+// https://owasp.org/www-community/password-special-characters
+var _defaultSpecialCharacters = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
+
 // Validator describes the interface providing a password Validate method
 type Validator interface {
 	Validate(str string) error
@@ -20,32 +23,23 @@ type Policies struct {
 	minUpperCaseCharacters int
 	minDigits int
 	minSpecialCharacters int
-	specialCharacters string
 	digitsRegexp *regexp.Regexp
 	specialCharactersRegexp *regexp.Regexp
 }
 
 // NewPasswordPolicies returns a new NewPasswordPolicies instance
-func NewPasswordPolicies(minCharacters, minLowerCaseCharacters, minUpperCaseCharacters, minDigits, minSpecialCharacters int,
-	specialCharacters string) (Validator, error) {
+func NewPasswordPolicies(minCharacters, minLowerCaseCharacters, minUpperCaseCharacters, minDigits, minSpecialCharacters int) Validator {
 	p := &Policies{
 		minCharacters: minCharacters,
 		minLowerCaseCharacters: minLowerCaseCharacters,
 		minUpperCaseCharacters: minUpperCaseCharacters,
 		minDigits: minDigits,
 		minSpecialCharacters: minSpecialCharacters,
-		specialCharacters: specialCharacters,
 	}
 	p.digitsRegexp = regexp.MustCompile("[0-9]")
-	if len(specialCharacters) > 0 {
-		var err error
-		p.specialCharactersRegexp, err = regexp.Compile(specialCharactersExp(specialCharacters))
-		if err != nil {
-			return nil, err
-		}
-	}
-	return p, nil
+	p.specialCharactersRegexp = regexp.MustCompile(specialCharactersExp(_defaultSpecialCharacters))
+	return p
 }
 
 // Validate implements a password validation regarding the policy
@@ -110,7 +104,7 @@ func (s Policies) validateDigits(str string) error {
 func (s Policies) validateSpecialCharacters(str string) error {
 	if s.countSpecialCharacters(str) < s.minSpecialCharacters {
-		return fmt.Errorf("at least %d special characters are required. %s", s.minSpecialCharacters, s.specialCharacters)
+		return fmt.Errorf("at least %d special characters are required. %s", s.minSpecialCharacters, _defaultSpecialCharacters)
 	}
 	return nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 9c67374e46..fb61d89d91 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -356,7 +356,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1
 github.com/cs3org/go-cs3apis/cs3/types/v1beta1
-# github.com/cs3org/reva/v2 v2.16.1-0.20230906142214-864d9012e37f
+# github.com/cs3org/reva/v2 v2.16.1-0.20230908122008-491b5c5bf72a
 ## explicit; go 1.20
 github.com/cs3org/reva/v2/cmd/revad/internal/grace
 github.com/cs3org/reva/v2/cmd/revad/runtime