// Copyright 2019 The Gitea Authors. All rights reserved. // Use of this source code is governed by a MIT-style // license that can be found in the LICENSE file. package password import ( "bytes" goContext "context" "crypto/rand" "math/big" "strings" "sync" "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/setting" ) // complexity contains information about a particular kind of password complexity type complexity struct { ValidChars string TrNameOne string } var ( matchComplexityOnce sync.Once validChars string requiredList []complexity charComplexities = map[string]complexity{ "lower": { `abcdefghijklmnopqrstuvwxyz`, "form.password_lowercase_one", }, "upper": { `ABCDEFGHIJKLMNOPQRSTUVWXYZ`, "form.password_uppercase_one", }, "digit": { `0123456789`, "form.password_digit_one", }, "spec": { ` !"#$%&'()*+,-./:;<=>?@[\]^_{|}~` + "`", "form.password_special_one", }, } ) // NewComplexity for preparation func NewComplexity() { matchComplexityOnce.Do(func() { setupComplexity(setting.PasswordComplexity) }) } func setupComplexity(values []string) { if len(values) != 1 || values[0] != "off" { for _, val := range values { if complex, ok := charComplexities[val]; ok { validChars += complex.ValidChars requiredList = append(requiredList, complex) } } if len(requiredList) == 0 { // No valid character classes found; use all classes as default for _, complex := range charComplexities { validChars += complex.ValidChars requiredList = append(requiredList, complex) } } } if validChars == "" { // No complexities to check; provide a sensible default for password generation validChars = charComplexities["lower"].ValidChars + charComplexities["upper"].ValidChars + charComplexities["digit"].ValidChars } } // IsComplexEnough return True if password meets complexity settings func IsComplexEnough(pwd string) bool { NewComplexity() if len(validChars) > 0 { for _, req := range requiredList { if !strings.ContainsAny(req.ValidChars, pwd) { return false } } } return true } // Generate a random password func Generate(n int) (string, error) { NewComplexity() buffer := make([]byte, n) max := big.NewInt(int64(len(validChars))) for { for j := 0; j < n; j++ { rnd, err := rand.Int(rand.Reader, max) if err != nil { return "", err } buffer[j] = validChars[rnd.Int64()] } pwned, err := IsPwned(goContext.Background(), string(buffer)) if err != nil { return "", err } if IsComplexEnough(string(buffer)) && !pwned && string(buffer[0]) != " " && string(buffer[n-1]) != " " { return string(buffer), nil } } } // BuildComplexityError builds the error message when password complexity checks fail func BuildComplexityError(ctx *context.Context) string { var buffer bytes.Buffer buffer.WriteString(ctx.Tr("form.password_complexity")) buffer.WriteString("<ul>") for _, c := range requiredList { buffer.WriteString("<li>") buffer.WriteString(ctx.Tr(c.TrNameOne)) buffer.WriteString("</li>") } buffer.WriteString("</ul>") return buffer.String() }