Improve password checking

Signed-off-by: Karthik Prabhu Vinod <[email protected]>

Makefile

@@ -35,8 +35,10 @@ LOCAL_GOPATH := ${CURDIR}/.gopath
 export GOPATH := ${LOCAL_GOPATH}
 export GOFLAGS += -mod=vendor
 
-CLR_INSTALLER_TEST_HTTP_PORT ?= 8181
 
+# Required for tests to work well
+export CLR_INSTALLER_LOCALE_DIR := $(top_srcdir)/locale
+CLR_INSTALLER_TEST_HTTP_PORT ?= 8181
 export TEST_HTTP_PORT = ${CLR_INSTALLER_TEST_HTTP_PORT}
 
 

clr-installer/main.go

@@ -1,4 +1,4 @@
-// Copyright © 2019 Intel Corporation
+// Copyright © 2020 Intel Corporation
 //
 // SPDX-License-Identifier: GPL-3.0-only
 
@@ -35,6 +35,7 @@ import (
  "github.com/clearlinux/clr-installer/syscheck"
  "github.com/clearlinux/clr-installer/telemetry"
  "github.com/clearlinux/clr-installer/timezone"
+ "github.com/clearlinux/clr-installer/user"
  "github.com/clearlinux/clr-installer/utils"
 )
 
@@ -138,6 +139,10 @@ func execute(options args.Args) error {
  ", built on " + model.BuildDate)
 
  if options.PamSalt != "" {
+ if status, err := user.IsValidPassword(options.PamSalt); !status {
+ return fmt.Errorf(err)
+ }
+
  hashed, errHash := encrypt.Crypt(options.PamSalt)
  if errHash != nil {
  return errHash

cmd/cmd.go

@@ -1,11 +1,12 @@
-// Copyright © 2019 Intel Corporation
+// Copyright © 2020 Intel Corporation
 //
 // SPDX-License-Identifier: GPL-3.0-only
 
 package cmd
 
 import (
  "bufio"
+ "bytes"
  "fmt"
  "io"
  "os"
@@ -68,6 +69,27 @@ func PipeRunAndLog(in string, args ...string) error {
  }, runLogger{}, nil, args...)
 }
 
+// PipeRunAndPipeOut is similar to PipeRunAndLog but runs a command by feeding
+// a string to stdin of Cmd and output is written to a byte buffer instead of a log
+func PipeRunAndPipeOut(in string, out *bytes.Buffer, args ...string) error {
+ return run(func(cmd *exec.Cmd) error {
+ stdin, err := cmd.StdinPipe()
+ if err != nil {
+ return err
+ }
+
+ go func() {
+ defer func() {
+ _ = stdin.Close()
+ }()
+
+ _, _ = io.WriteString(stdin, in)
+ }()
+
+ return nil
+ }, out, nil, args...)
+}
+
 func run(sw func(cmd *exec.Cmd) error, writer io.Writer, env map[string]string, args ...string) error {
  var exe string
  var cmdArgs []string

cmd/cmd_common.go

@@ -0,0 +1,47 @@
+// Copyright © 2020 Intel Corporation
+//
+// SPDX-License-Identifier: GPL-3.0-only
+
+package cmd
+
+import (
+ "bytes"
+ "strings"
+
+ "github.com/clearlinux/clr-installer/log"
+ "github.com/clearlinux/clr-installer/utils"
+)
+
+// Path to the cracklib-check exe
+const crackLibPath = "/usr/bin/cracklib-check"
+
+// CracklibCheck runs the cracklib-check executable piping password to stdin of cmd
+// and writing stdoutput to byte buffer
+// stringtype is used to inform kind of information we are checking: password or passphrase
+func CracklibCheck(texttoinpsect string, stringtype string) (bool, string) {
+
+ defaultprefix := "Password"
+ if stringtype != "" {
+ defaultprefix = stringtype
+ }
+
+ cmdArgs := []string{crackLibPath}
+ var out bytes.Buffer
+
+ if err := PipeRunAndPipeOut(texttoinpsect, &out, cmdArgs...); err != nil {
+ log.Error("Error running cracklib-check, %q", err)
+ log.Error("Cracklib-check check will be skipped")
+ return true, ""
+ }
+
+ stringout := string(out.Bytes())
+ if index := strings.Index(stringout, ":"); index > -1 {
+ parsedString := strings.Trim(stringout[index+1:], " \n")
+ if strings.ToUpper(parsedString) != "OK" {
+ parsedString = strings.Replace(parsedString, "it", defaultprefix, 1)
+ return false, utils.Locale.Get(parsedString)
+ }
+ }
+
+ return true, ""
+}

cmd/cmd_common_test.go

@@ -0,0 +1,18 @@
+// Copyright © 2020 Intel Corporation
+//
+// SPDX-License-Identifier: GPL-3.0-only
+
+package cmd
+
+import (
+ "fmt"
+ "os/exec"
+ "testing"
+)
+
+func TestCracklibCheckExecutable(t *testing.T) {
+ if _, err := exec.LookPath(crackLibPath); err != nil {
+ fmt.Println("cracklib-check exe could not be found")
+ t.Fail()
+ }
+}

locale/en_US/LC_MESSAGES/clr-installer.po

@@ -253,8 +253,8 @@ msgstr "Login is required"
 msgid "Login maximum length is %d"
 msgstr "Login maximum length is %d"
 
-msgid "Login must contain only numbers, letters, -, _ or ."
-msgstr "Login must contain only numbers, letters, -, _ or ."
+msgid "Login must contain only numbers, letters, -, . or _"
+msgstr "Login must contain only numbers, letters, -, . or _"
 
 msgid "Password is required"
 msgstr "Password is required"
@@ -812,3 +812,29 @@ msgstr "Network Required"
 
 msgid "Installation Steps Complete"
 msgstr "Installation Steps Complete"
+
+# cracklib password messages
+msgid "Password does not contain enough DIFFERENT characters"
+msgstr "Password does not contain enough DIFFERENT characters"
+
+msgid "Password is too simplistic/systematic"
+msgstr "Password is too simplistic/systematic"
+
+msgid "Password is based on a dictionary word"
+msgstr "Password is based on a dictionary word"
+
+msgid "Password is based on a (reversed) dictionary word"
+msgstr "Password is based on a (reversed) dictionary word"
+
+# cracklib passphrase messages
+msgid "Passphrase does not contain enough DIFFERENT characters"
+msgstr "Passphrase does not contain enough DIFFERENT characters"
+
+msgid "Passphrase is too simplistic/systematic"
+msgstr "Passphrase is too simplistic/systematic"
+
+msgid "Passphrase is based on a dictionary word"
+msgstr "Passphrase is based on a dictionary word"
+
+msgid "Passphrase is based on a (reversed) dictionary word"
+msgstr "Passphrase is based on a (reversed) dictionary word"

locale/es_MX/LC_MESSAGES/clr-installer.po

@@ -253,8 +253,8 @@ msgstr "Debe iniciar sesión."
 msgid "Login maximum length is %d"
 msgstr "La extensión máxima del inicio de sesión debe ser de %d."
 
-msgid "Login must contain only numbers, letters, -, _ or ."
-msgstr "El inicio de sesión debe contener solo números, letras, -, _ o ."
+msgid "Login must contain only numbers, letters, -, . or _"
+msgstr "El inicio de sesión debe contener solo números, letras, -, . o _"
 
 msgid "Password is required"
 msgstr "Se requiere una contraseña."
@@ -812,3 +812,29 @@ msgstr "Red requerida"
 
 msgid "Installation Steps Complete"
 msgstr "Pasos de instalación completados"
+
+# cracklib password messages
+msgid "Password does not contain enough DIFFERENT characters"
+msgstr "La contraseña no contiene suficientes caracteres DIFERENTES"
+
+msgid "Password is too simplistic/systematic"
+msgstr "La contraseña es muy simple"
+
+msgid "Password is based on a dictionary word"
+msgstr "La contraseña se basa en una palabra del diccionario"
+
+msgid "Password is based on a (reversed) dictionary word"
+msgstr "La contraseña se basa en una palabra del diccionario invertida"
+
+# cracklib passphrase messages
+msgid "Passphrase does not contain enough DIFFERENT characters"
+msgstr "La frase de contraseña no contiene suficientes caracteres DIFERENTES"
+
+msgid "Passphrase is too simplistic/systematic"
+msgstr "La frase de contraseña es muy simple"
+
+msgid "Passphrase is based on a dictionary word"
+msgstr "La frase de contraseña se basa en una palabra del diccionario"
+
+msgid "Passphrase is based on a (reversed) dictionary word"
+msgstr "La frase de contraseña se basa en una palabra del diccionario invertida"

locale/zh_CN/LC_MESSAGES/clr-installer.po

@@ -253,7 +253,7 @@ msgstr "需要登录"
 msgid "Login maximum length is %d"
 msgstr "登录名最大长度为 %d"
 
-msgid "Login must contain only numbers, letters, -, _ or ."
+msgid "Login must contain only numbers, letters, -, . or _"
 msgstr "登录名必须仅包含数字、字母、连字符、下划线或句点。"
 
 msgid "Password is required"
@@ -812,3 +812,29 @@ msgstr "需要网络"
 
 msgid "Installation Steps Complete"
 msgstr "安装步骤完成"
+
+# cracklib password messages
+msgid "Password does not contain enough DIFFERENT characters"
+msgstr "密码不包含足够的不同字符"
+
+msgid "Password is too simplistic/systematic"
+msgstr "密码太简单"
+
+msgid "Password is based on a dictionary word"
+msgstr "密码基于词典词"
+
+msgid "Password is based on a (reversed) dictionary word"
+msgstr "密码基于反向字典词"
+
+# cracklib passphrase messages
+msgid "Passphrase does not contain enough DIFFERENT characters"
+msgstr "密码不包含足够的不同字符"
+
+msgid "Passphrase is too simplistic/systematic"
+msgstr "密码短语太简单"
+
+msgid "Passphrase is based on a dictionary word"
+msgstr "密码短语基于字典中的单词"
+
+msgid "Passphrase is based on a (reversed) dictionary word"
+msgstr "密码短语基于反向词典词"

storage/encrypt.go

@@ -1,4 +1,4 @@
-// Copyright © 2018 Intel Corporation
+// Copyright © 2020 Intel Corporation
 //
 // SPDX-License-Identifier: GPL-3.0-only
 
@@ -7,7 +7,6 @@ package storage
 import (
  "bytes"
  "fmt"
- "github.com/clearlinux/clr-installer/utils"
  "os"
  "os/signal"
  "path/filepath"
@@ -16,6 +15,8 @@ import (
  "strings"
  "syscall"
 
+ "github.com/clearlinux/clr-installer/utils"
+
  "golang.org/x/crypto/ssh/terminal"
 
  "github.com/clearlinux/clr-installer/cmd"
@@ -237,6 +238,10 @@ func IsValidPassphrase(phrase string) (bool, string) {
  return false, utils.Locale.Get("Passphrase may be at most %d characters long", MaxPassphraseLength)
  }
 
+ if status, errstring := cmd.CracklibCheck(phrase, "Passphrase"); !status {
+ return false, errstring
+ }
+
  return true, ""
 }
 

storage/storage_test.go

@@ -835,11 +835,7 @@ func TestInvalidLabels(t *testing.T) {
 
 func TestValidPassphrase(t *testing.T) {
  passphrases := []string{
- "password",
  "P@ssW0rd",
- "1234567890123456789012345678901234567890" +
- "1234567890123456789012345678901234567890" +
- "12345678901234",
  "~!@#$%^&*()_+=][",
  }
 
@@ -854,6 +850,11 @@ func TestInvalidPassphrase(t *testing.T) {
  passphrases := []string{
  "",
  "@ssW0rd",
+ "Password",
+ "drowssap",
+ "1234567890123456789012345678901234567890" +
+ "1234567890123456789012345678901234567890" +
+ "12345678901234",
  " ",
  "1234567890123456789012345678901234567890" +
  "1234567890123456789012345678901234567890" +

tui/common.go

@@ -1,4 +1,4 @@
-// Copyright © 2019 Intel Corporation
+// Copyright © 2020 Intel Corporation
 //
 // SPDX-License-Identifier: GPL-3.0-only