github.com/cs3org/reva/v2@v2.27.7/pkg/siteacc/credentials/password.go

github.com/cs3org/reva/v2@v2.27.7/pkg/siteacc/credentials/password.go (about)

     1  // Copyright 2018-2020 CERN
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  //
    15  // In applying this license, CERN does not waive the privileges and immunities
    16  // granted to it by virtue of its status as an Intergovernmental Organization
    17  // or submit itself to any jurisdiction.
    18  
    19  package credentials
    20  
    21  import (
    22  	"strings"
    23  
    24  	"github.com/pkg/errors"
    25  	"golang.org/x/crypto/bcrypt"
    26  )
    27  
    28  // Password holds a hash password alongside its salt value.
    29  type Password struct {
    30  	Value string `json:"value"`
    31  }
    32  
    33  const (
    34  	passwordMinLength = 8
    35  )
    36  
    37  // Set sets a new password by hashing the plaintext version using bcrypt.
    38  func (password *Password) Set(pwd string) error {
    39  	if err := VerifyPassword(pwd); err != nil {
    40  		return errors.Wrap(err, "invalid password")
    41  	}
    42  
    43  	pwdData, err := bcrypt.GenerateFromPassword([]byte(pwd), bcrypt.DefaultCost)
    44  	if err != nil {
    45  		return errors.Wrap(err, "unable to generate password hash")
    46  	}
    47  	password.Value = string(pwdData)
    48  	return nil
    49  }
    50  
    51  // Compare checks whether the given password string equals the stored one.
    52  func (password *Password) Compare(pwd string) bool {
    53  	return bcrypt.CompareHashAndPassword([]byte(password.Value), []byte(pwd)) == nil
    54  }
    55  
    56  // IsValid checks whether the password is valid.
    57  func (password *Password) IsValid() bool {
    58  	// bcrypt hashes are in the form of $[version]$[cost]$[22 character salt][31 character hash], so they have a minimum length of 58
    59  	return len(password.Value) > 58 && strings.Count(password.Value, "$") >= 3
    60  }
    61  
    62  // Clear resets the password.
    63  func (password *Password) Clear() {
    64  	password.Value = ""
    65  }
    66  
    67  // VerifyPassword checks whether the given password abides to the enforced password strength.
    68  func VerifyPassword(pwd string) error {
    69  	if len(pwd) < passwordMinLength {
    70  		return errors.Errorf("the password must be at least 8 characters long")
    71  	}
    72  	if !strings.ContainsAny(pwd, "abcdefghijklmnopqrstuvwxyz") {
    73  		return errors.Errorf("the password must contain at least one lowercase letter")
    74  	}
    75  	if !strings.ContainsAny(pwd, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") {
    76  		return errors.Errorf("the password must contain at least one uppercase letter")
    77  	}
    78  	if !strings.ContainsAny(pwd, "0123456789") {
    79  		return errors.Errorf("the password must contain at least one digit")
    80  	}
    81  
    82  	return nil
    83  }