mirror of
https://github.com/go-gitea/gitea.git
synced 2025-11-04 06:24:11 +01:00
f3eb835886
Clarify when "string" should be used (and be escaped), and when "template.HTML" should be used (no need to escape) And help PRs like #29059 , to render the error messages correctly.
137 lines
3.2 KiB
Go
137 lines
3.2 KiB
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package password
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/rand"
|
|
"errors"
|
|
"html/template"
|
|
"math/big"
|
|
"strings"
|
|
"sync"
|
|
|
|
"code.gitea.io/gitea/modules/setting"
|
|
"code.gitea.io/gitea/modules/translation"
|
|
)
|
|
|
|
var (
|
|
ErrComplexity = errors.New("password not complex enough")
|
|
ErrMinLength = errors.New("password not long enough")
|
|
)
|
|
|
|
// complexity contains information about a particular kind of password complexity
|
|
type complexity struct {
|
|
ValidChars string
|
|
TrNameOne string
|
|
}
|
|
|
|
var (
|
|
matchComplexityOnce sync.Once
|
|
validChars string
|
|
requiredList []complexity
|
|
|
|
charComplexities = map[string]complexity{
|
|
"lower": {
|
|
`abcdefghijklmnopqrstuvwxyz`,
|
|
"form.password_lowercase_one",
|
|
},
|
|
"upper": {
|
|
`ABCDEFGHIJKLMNOPQRSTUVWXYZ`,
|
|
"form.password_uppercase_one",
|
|
},
|
|
"digit": {
|
|
`0123456789`,
|
|
"form.password_digit_one",
|
|
},
|
|
"spec": {
|
|
` !"#$%&'()*+,-./:;<=>?@[\]^_{|}~` + "`",
|
|
"form.password_special_one",
|
|
},
|
|
}
|
|
)
|
|
|
|
// NewComplexity for preparation
|
|
func NewComplexity() {
|
|
matchComplexityOnce.Do(func() {
|
|
setupComplexity(setting.PasswordComplexity)
|
|
})
|
|
}
|
|
|
|
func setupComplexity(values []string) {
|
|
if len(values) != 1 || values[0] != "off" {
|
|
for _, val := range values {
|
|
if complex, ok := charComplexities[val]; ok {
|
|
validChars += complex.ValidChars
|
|
requiredList = append(requiredList, complex)
|
|
}
|
|
}
|
|
if len(requiredList) == 0 {
|
|
// No valid character classes found; use all classes as default
|
|
for _, complex := range charComplexities {
|
|
validChars += complex.ValidChars
|
|
requiredList = append(requiredList, complex)
|
|
}
|
|
}
|
|
}
|
|
if validChars == "" {
|
|
// No complexities to check; provide a sensible default for password generation
|
|
validChars = charComplexities["lower"].ValidChars + charComplexities["upper"].ValidChars + charComplexities["digit"].ValidChars
|
|
}
|
|
}
|
|
|
|
// IsComplexEnough return True if password meets complexity settings
|
|
func IsComplexEnough(pwd string) bool {
|
|
NewComplexity()
|
|
if len(validChars) > 0 {
|
|
for _, req := range requiredList {
|
|
if !strings.ContainsAny(req.ValidChars, pwd) {
|
|
return false
|
|
}
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
// Generate a random password
|
|
func Generate(n int) (string, error) {
|
|
NewComplexity()
|
|
buffer := make([]byte, n)
|
|
max := big.NewInt(int64(len(validChars)))
|
|
for {
|
|
for j := 0; j < n; j++ {
|
|
rnd, err := rand.Int(rand.Reader, max)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
buffer[j] = validChars[rnd.Int64()]
|
|
}
|
|
|
|
if err := IsPwned(context.Background(), string(buffer)); err != nil {
|
|
if errors.Is(err, ErrIsPwned) {
|
|
continue
|
|
}
|
|
return "", err
|
|
}
|
|
if IsComplexEnough(string(buffer)) && string(buffer[0]) != " " && string(buffer[n-1]) != " " {
|
|
return string(buffer), nil
|
|
}
|
|
}
|
|
}
|
|
|
|
// BuildComplexityError builds the error message when password complexity checks fail
|
|
func BuildComplexityError(locale translation.Locale) template.HTML {
|
|
var buffer bytes.Buffer
|
|
buffer.WriteString(locale.TrString("form.password_complexity"))
|
|
buffer.WriteString("<ul>")
|
|
for _, c := range requiredList {
|
|
buffer.WriteString("<li>")
|
|
buffer.WriteString(locale.TrString(c.TrNameOne))
|
|
buffer.WriteString("</li>")
|
|
}
|
|
buffer.WriteString("</ul>")
|
|
return template.HTML(buffer.String())
|
|
}
|