mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-10-31 22:58:59 +01:00
61b89747ed
This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters In addition it takes the opportunity to adjust the settings for `pbkdf2` in order to make the hashing a little stronger. The majority of this work was inspired by PR #14751 and I would like to thank @boppy for their work on this. Thanks to @gusted for the suggestion to adjust the `pbkdf2` hashing parameters. Close #14751 --------- Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: John Olheiser <john.olheiser@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
142 lines
3 KiB
Go
142 lines
3 KiB
Go
// Copyright 2023 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package pwn
|
|
|
|
import (
|
|
"errors"
|
|
"math/rand"
|
|
"net/http"
|
|
"os"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
var client = New(WithHTTP(&http.Client{
|
|
Timeout: time.Second * 2,
|
|
}))
|
|
|
|
func TestMain(m *testing.M) {
|
|
rand.Seed(time.Now().Unix())
|
|
os.Exit(m.Run())
|
|
}
|
|
|
|
func TestPassword(t *testing.T) {
|
|
// Check input error
|
|
_, err := client.CheckPassword("", false)
|
|
if err == nil {
|
|
t.Log("blank input should return an error")
|
|
t.Fail()
|
|
}
|
|
if !errors.Is(err, ErrEmptyPassword) {
|
|
t.Log("blank input should return ErrEmptyPassword")
|
|
t.Fail()
|
|
}
|
|
|
|
// Should fail
|
|
fail := "password1234"
|
|
count, err := client.CheckPassword(fail, false)
|
|
if err != nil {
|
|
t.Log(err)
|
|
t.Fail()
|
|
}
|
|
if count == 0 {
|
|
t.Logf("%s should fail as a password\n", fail)
|
|
t.Fail()
|
|
}
|
|
|
|
// Should fail (with padding)
|
|
failPad := "administrator"
|
|
count, err = client.CheckPassword(failPad, true)
|
|
if err != nil {
|
|
t.Log(err)
|
|
t.Fail()
|
|
}
|
|
if count == 0 {
|
|
t.Logf("%s should fail as a password\n", failPad)
|
|
t.Fail()
|
|
}
|
|
|
|
// Checking for a "good" password isn't going to be perfect, but we can give it a good try
|
|
// with hopefully minimal error. Try five times?
|
|
var good bool
|
|
var pw string
|
|
for idx := 0; idx <= 5; idx++ {
|
|
pw = testPassword()
|
|
count, err = client.CheckPassword(pw, false)
|
|
if err != nil {
|
|
t.Log(err)
|
|
t.Fail()
|
|
}
|
|
if count == 0 {
|
|
good = true
|
|
break
|
|
}
|
|
}
|
|
if !good {
|
|
t.Log("no generated passwords passed. there is a chance this is a fluke")
|
|
t.Fail()
|
|
}
|
|
|
|
// Again, but with padded responses
|
|
good = false
|
|
for idx := 0; idx <= 5; idx++ {
|
|
pw = testPassword()
|
|
count, err = client.CheckPassword(pw, true)
|
|
if err != nil {
|
|
t.Log(err)
|
|
t.Fail()
|
|
}
|
|
if count == 0 {
|
|
good = true
|
|
break
|
|
}
|
|
}
|
|
if !good {
|
|
t.Log("no generated passwords passed. there is a chance this is a fluke")
|
|
t.Fail()
|
|
}
|
|
}
|
|
|
|
// Credit to https://golangbyexample.com/generate-random-password-golang/
|
|
// DO NOT USE THIS FOR AN ACTUAL PASSWORD GENERATOR
|
|
var (
|
|
lowerCharSet = "abcdedfghijklmnopqrst"
|
|
upperCharSet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
|
specialCharSet = "!@#$%&*"
|
|
numberSet = "0123456789"
|
|
allCharSet = lowerCharSet + upperCharSet + specialCharSet + numberSet
|
|
)
|
|
|
|
func testPassword() string {
|
|
var password strings.Builder
|
|
|
|
// Set special character
|
|
for i := 0; i < 5; i++ {
|
|
random := rand.Intn(len(specialCharSet))
|
|
password.WriteString(string(specialCharSet[random]))
|
|
}
|
|
|
|
// Set numeric
|
|
for i := 0; i < 5; i++ {
|
|
random := rand.Intn(len(numberSet))
|
|
password.WriteString(string(numberSet[random]))
|
|
}
|
|
|
|
// Set uppercase
|
|
for i := 0; i < 5; i++ {
|
|
random := rand.Intn(len(upperCharSet))
|
|
password.WriteString(string(upperCharSet[random]))
|
|
}
|
|
|
|
for i := 0; i < 5; i++ {
|
|
random := rand.Intn(len(allCharSet))
|
|
password.WriteString(string(allCharSet[random]))
|
|
}
|
|
inRune := []rune(password.String())
|
|
rand.Shuffle(len(inRune), func(i, j int) {
|
|
inRune[i], inRune[j] = inRune[j], inRune[i]
|
|
})
|
|
return string(inRune)
|
|
}
|