gosora/common/weak_passwords.go

package common

import (
	"errors"
	"strconv"
	"strings"
	"unicode"
)

var weakPassStrings []string
var weakPassLit = make(map[string]struct{})
var ErrWeakPasswordNone = errors.New("You didn't put in a password.")
var ErrWeakPasswordShort = errors.New("Your password needs to be at-least eight characters long")
var ErrWeakPasswordNameInPass = errors.New("You can't use your name in your password.")
var ErrWeakPasswordEmailInPass = errors.New("You can't use your email in your password.")
var ErrWeakPasswordCommon = errors.New("You may not use a password that is in common use")
var ErrWeakPasswordNoNumbers = errors.New("You don't have any numbers in your password")
var ErrWeakPasswordNoUpper = errors.New("You don't have any uppercase characters in your password")
var ErrWeakPasswordNoLower = errors.New("You don't have any lowercase characters in your password")
var ErrWeakPasswordUniqueChars = errors.New("You don't have enough unique characters in your password")
var ErrWeakPasswordContains error

type weakpassHolder struct {
	Contains []string `json:"contains"`
	Literal  []string `json:"literal"`
}

func InitWeakPasswords() error {
	var weakpass weakpassHolder
	e := unmarshalJsonFile("./config/weakpass_default.json", &weakpass)
	if e != nil {
		return e
	}

	wcon := make(map[string]struct{})
	for _, item := range weakpass.Contains {
		wcon[item] = struct{}{}
	}
	for _, item := range weakpass.Literal {
		weakPassLit[item] = struct{}{}
	}

	weakpass = weakpassHolder{}
	e = unmarshalJsonFileIgnore404("./config/weakpass.json", &weakpass)
	if e != nil {
		return e
	}

	for _, item := range weakpass.Contains {
		wcon[item] = struct{}{}
	}
	for _, item := range weakpass.Literal {
		weakPassLit[item] = struct{}{}
	}
	weakPassStrings = make([]string, len(wcon))
	var i int
	for pattern, _ := range wcon {
		weakPassStrings[i] = pattern
		i++
	}

	s := "You may not have "
	for i, passBit := range weakPassStrings {
		if i > 0 {
			if i == len(weakPassStrings)-1 {
				s += " or "
			} else {
				s += ", "
			}
		}
		s += "'" + passBit + "'"
	}
	ErrWeakPasswordContains = errors.New(s + " in your password")

	return nil
}

func WeakPassword(password, username, email string) error {
	lowPassword := strings.ToLower(password)
	switch {
	case password == "":
		return ErrWeakPasswordNone
	case len(password) < 8:
		return ErrWeakPasswordShort
	case len(username) > 3 && strings.Contains(lowPassword, strings.ToLower(username)):
		return ErrWeakPasswordNameInPass
	case len(email) > 2 && strings.Contains(lowPassword, strings.ToLower(email)):
		return ErrWeakPasswordEmailInPass
	}
	if len(lowPassword) > 30 {
		return nil
	}

	litPass := lowPassword
	for i := 0; i < 10; i++ {
		litPass = strings.TrimSuffix(litPass, strconv.Itoa(i))
	}
	_, ok := weakPassLit[litPass]
	if ok {
		return ErrWeakPasswordCommon
	}
	for _, passBit := range weakPassStrings {
		if strings.Contains(lowPassword, passBit) {
			return ErrWeakPasswordContains
		}
	}

	charMap := make(map[rune]int)
	var numbers, symbols, upper, lower int
	for _, char := range password {
		charItem, ok := charMap[char]
		if ok {
			charItem++
		} else {
			charItem = 1
		}
		charMap[char] = charItem

		if unicode.IsLetter(char) {
			if unicode.IsUpper(char) {
				upper++
			} else {
				lower++
			}
		} else if unicode.IsNumber(char) {
			numbers++
		} else {
			symbols++
		}
	}

	if upper == 0 {
		return ErrWeakPasswordNoUpper
	}
	if lower == 0 {
		return ErrWeakPasswordNoLower
	}
	if len(password) < 18 {
		if numbers == 0 {
			return ErrWeakPasswordNoNumbers
		}
		if (len(password) / 2) > len(charMap) {
			return ErrWeakPasswordUniqueChars
		}
	} else if (len(password) / 3) > len(charMap) {
		// Be a little lenient on the number of unique characters for long passwords
		return ErrWeakPasswordUniqueChars
	}
	return nil
}
add more weak password definitions move the weak password logic to it's own file add another weak password test case and split the test function 2020-06-18 02:39:21 +00:00			`package common`

			`import (`
			`"errors"`
cover common mutations of literal definitions add seven char weak password definitions to take advantage of mutations avoid majority of the weak password logic for really long passwords 2020-06-18 03:37:05 +00:00			`"strconv"`
add more weak password definitions move the weak password logic to it's own file add another weak password test case and split the test function 2020-06-18 02:39:21 +00:00			`"strings"`
			`"unicode"`
			`)`

			`var weakPassStrings []string`
			`var weakPassLit = make(map[string]struct{})`
			`var ErrWeakPasswordNone = errors.New("You didn't put in a password.")`
			`var ErrWeakPasswordShort = errors.New("Your password needs to be at-least eight characters long")`
			`var ErrWeakPasswordNameInPass = errors.New("You can't use your name in your password.")`
			`var ErrWeakPasswordEmailInPass = errors.New("You can't use your email in your password.")`
			`var ErrWeakPasswordCommon = errors.New("You may not use a password that is in common use")`
			`var ErrWeakPasswordNoNumbers = errors.New("You don't have any numbers in your password")`
			`var ErrWeakPasswordNoUpper = errors.New("You don't have any uppercase characters in your password")`
			`var ErrWeakPasswordNoLower = errors.New("You don't have any lowercase characters in your password")`
			`var ErrWeakPasswordUniqueChars = errors.New("You don't have enough unique characters in your password")`
			`var ErrWeakPasswordContains error`

			`type weakpassHolder struct {`
			Contains []string `json:"contains"`
			Literal []string `json:"literal"`
			`}`

			`func InitWeakPasswords() error {`
			`var weakpass weakpassHolder`
WIP forum action code. Currently disabled. Add Http Conn Count tracking. Move more panel phrases into the panel namespace. Use a string builder in hookgen. Use Countf() in a couple of places to eliminate boilerplate. Reduce prepared stmt boilerplate in forum store with a lambda. Reduce prepared stmt boilerplate in topic.go with a lambda. Reduce prepared stmt boilerplate in group.go with a lambda. Add TestSetCreatedAt method to Topic. Add DateOlderThanQ method to accDeleteBuilder and accUpdateBuilder. Add Stmt method to accUpdateBuilder and *AccSelectBuilder. Add AccBuilder interface. Shorten variable names. Shorten extractPerm name to ep. Add avatar_visibility setting stub. Implementation coming in a later commit. Don't set an IP for installer generated posts. Add counters_perf_tick_row hook. Add avatar_visibility phrase. Add avatar_visibility_label phrase. Rename forums_no_description to forums_no_desc. Rename panel.forums_create_description_label to panel.forums_create_desc_label. Rename panel.forums_create_description to panel.forums_create_desc. Rename panel_forum_description to panel.forum_desc. Rename panel_forum_description_placeholder to panel.forum_desc_placeholder. Add panel_debug_http_conns_label phrase. Add panel.forum_actions_head phrase. Add panel.forum_actions_create_head phrase. Add panel.forum_action_run_on_topic_creation phrase. Add panel.forum_action_run_days_after_topic_creation phrase. Add panel.forum_action_run_days_after_topic_last_reply phrase. Add panel.forum_action_action phrase. Add panel.forum_action_action_delete phrase. Add panel.forum_action_action_lock phrase. Add panel.forum_action_action_unlock phrase. Add panel.forum_action_action_move phrase. Add panel.forum_action_extra phrase. Add panel.forum_action_create_button phrase. You will need to run the patcher / updater for this commit. 2021-04-07 14:23:11 +00:00			`e := unmarshalJsonFile("./config/weakpass_default.json", &weakpass)`
			`if e != nil {`
			`return e`
add more weak password definitions move the weak password logic to it's own file add another weak password test case and split the test function 2020-06-18 02:39:21 +00:00			`}`

			`wcon := make(map[string]struct{})`
			`for _, item := range weakpass.Contains {`
			`wcon[item] = struct{}{}`
			`}`
			`for _, item := range weakpass.Literal {`
			`weakPassLit[item] = struct{}{}`
			`}`

			`weakpass = weakpassHolder{}`
WIP forum action code. Currently disabled. Add Http Conn Count tracking. Move more panel phrases into the panel namespace. Use a string builder in hookgen. Use Countf() in a couple of places to eliminate boilerplate. Reduce prepared stmt boilerplate in forum store with a lambda. Reduce prepared stmt boilerplate in topic.go with a lambda. Reduce prepared stmt boilerplate in group.go with a lambda. Add TestSetCreatedAt method to Topic. Add DateOlderThanQ method to accDeleteBuilder and accUpdateBuilder. Add Stmt method to accUpdateBuilder and *AccSelectBuilder. Add AccBuilder interface. Shorten variable names. Shorten extractPerm name to ep. Add avatar_visibility setting stub. Implementation coming in a later commit. Don't set an IP for installer generated posts. Add counters_perf_tick_row hook. Add avatar_visibility phrase. Add avatar_visibility_label phrase. Rename forums_no_description to forums_no_desc. Rename panel.forums_create_description_label to panel.forums_create_desc_label. Rename panel.forums_create_description to panel.forums_create_desc. Rename panel_forum_description to panel.forum_desc. Rename panel_forum_description_placeholder to panel.forum_desc_placeholder. Add panel_debug_http_conns_label phrase. Add panel.forum_actions_head phrase. Add panel.forum_actions_create_head phrase. Add panel.forum_action_run_on_topic_creation phrase. Add panel.forum_action_run_days_after_topic_creation phrase. Add panel.forum_action_run_days_after_topic_last_reply phrase. Add panel.forum_action_action phrase. Add panel.forum_action_action_delete phrase. Add panel.forum_action_action_lock phrase. Add panel.forum_action_action_unlock phrase. Add panel.forum_action_action_move phrase. Add panel.forum_action_extra phrase. Add panel.forum_action_create_button phrase. You will need to run the patcher / updater for this commit. 2021-04-07 14:23:11 +00:00			`e = unmarshalJsonFileIgnore404("./config/weakpass.json", &weakpass)`
			`if e != nil {`
			`return e`
add more weak password definitions move the weak password logic to it's own file add another weak password test case and split the test function 2020-06-18 02:39:21 +00:00			`}`

			`for _, item := range weakpass.Contains {`
			`wcon[item] = struct{}{}`
			`}`
			`for _, item := range weakpass.Literal {`
			`weakPassLit[item] = struct{}{}`
			`}`
			`weakPassStrings = make([]string, len(wcon))`
			`var i int`
			`for pattern, _ := range wcon {`
			`weakPassStrings[i] = pattern`
			`i++`
			`}`

			`s := "You may not have "`
			`for i, passBit := range weakPassStrings {`
			`if i > 0 {`
			`if i == len(weakPassStrings)-1 {`
			`s += " or "`
			`} else {`
			`s += ", "`
			`}`
			`}`
			`s += "'" + passBit + "'"`
			`}`
			`ErrWeakPasswordContains = errors.New(s + " in your password")`

			`return nil`
			`}`

			`func WeakPassword(password, username, email string) error {`
			`lowPassword := strings.ToLower(password)`
			`switch {`
			`case password == "":`
			`return ErrWeakPasswordNone`
			`case len(password) < 8:`
			`return ErrWeakPasswordShort`
			`case len(username) > 3 && strings.Contains(lowPassword, strings.ToLower(username)):`
			`return ErrWeakPasswordNameInPass`
			`case len(email) > 2 && strings.Contains(lowPassword, strings.ToLower(email)):`
			`return ErrWeakPasswordEmailInPass`
			`}`
cover common mutations of literal definitions add seven char weak password definitions to take advantage of mutations avoid majority of the weak password logic for really long passwords 2020-06-18 03:37:05 +00:00			`if len(lowPassword) > 30 {`
			`return nil`
			`}`
add more weak password definitions move the weak password logic to it's own file add another weak password test case and split the test function 2020-06-18 02:39:21 +00:00
cover common mutations of literal definitions add seven char weak password definitions to take advantage of mutations avoid majority of the weak password logic for really long passwords 2020-06-18 03:37:05 +00:00			`litPass := lowPassword`
			`for i := 0; i < 10; i++ {`
			`litPass = strings.TrimSuffix(litPass, strconv.Itoa(i))`
			`}`
			`_, ok := weakPassLit[litPass]`
add more weak password definitions move the weak password logic to it's own file add another weak password test case and split the test function 2020-06-18 02:39:21 +00:00			`if ok {`
			`return ErrWeakPasswordCommon`
			`}`
			`for _, passBit := range weakPassStrings {`
			`if strings.Contains(lowPassword, passBit) {`
			`return ErrWeakPasswordContains`
			`}`
			`}`

			`charMap := make(map[rune]int)`
			`var numbers, symbols, upper, lower int`
			`for _, char := range password {`
			`charItem, ok := charMap[char]`
			`if ok {`
			`charItem++`
			`} else {`
			`charItem = 1`
			`}`
			`charMap[char] = charItem`

			`if unicode.IsLetter(char) {`
			`if unicode.IsUpper(char) {`
			`upper++`
			`} else {`
			`lower++`
			`}`
			`} else if unicode.IsNumber(char) {`
			`numbers++`
			`} else {`
			`symbols++`
			`}`
			`}`

			`if upper == 0 {`
			`return ErrWeakPasswordNoUpper`
			`}`
			`if lower == 0 {`
			`return ErrWeakPasswordNoLower`
			`}`
			`if len(password) < 18 {`
			`if numbers == 0 {`
			`return ErrWeakPasswordNoNumbers`
			`}`
			`if (len(password) / 2) > len(charMap) {`
			`return ErrWeakPasswordUniqueChars`
			`}`
			`} else if (len(password) / 3) > len(charMap) {`
			`// Be a little lenient on the number of unique characters for long passwords`
			`return ErrWeakPasswordUniqueChars`
			`}`
			`return nil`
			`}`