Skip to content

feat: add minimum password entropy requirements #6090

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Feb 8, 2023
Merged

feat: add minimum password entropy requirements #6090

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1a7fc2e
feat: add minimum password entropy requirements
kylecarbs Feb 7, 2023
9de345a
Fix all the tests
kylecarbs Feb 7, 2023
6a84f11
Fix E2E tests
kylecarbs Feb 7, 2023
15575fa
Merge branch 'main' into securepass
kylecarbs Feb 8, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Fix all the tests
  • Loading branch information
@kylecarbs
kylecarbs committed Feb 7, 2023
commit 9de345a70b13d54d29db05deedd591f38fbfe499
11 changes: 3 additions & 8 deletions cli/login.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -163,14 +163,9 @@ func login() *cobra.Command {
return xerrors.Errorf("specify password prompt: %w", err)
}
confirm, err := cliui.Prompt(cmd, cliui.PromptOptions{
Text: "Confirm " + cliui.Styles.Field.Render("password") + ":",
Secret: true,
Validate: func(s string) error {
if s != password {
return xerrors.New("Passwords do not match")
}
return nil
},
Text: "Confirm " + cliui.Styles.Field.Render("password") + ":",
Secret: true,
Validate: cliui.ValidateNotEmpty,
})
if err != nil {
return xerrors.Errorf("confirm password prompt: %w", err)
Expand Down
18 changes: 9 additions & 9 deletions cli/login_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,8 +54,8 @@ func TestLogin(t *testing.T) {
"first user?", "yes",
"username", "testuser",
"email", "user@coder.com",
"password", "password",
"password", "password", // Confirm.
"password", "SomeSecurePassword!",
"password", "SomeSecurePassword!", // Confirm.
"trial", "yes",
}
for i := 0; i < len(matches); i += 2 {
Expand Down Expand Up @@ -89,8 +89,8 @@ func TestLogin(t *testing.T) {
"first user?", "yes",
"username", "testuser",
"email", "user@coder.com",
"password", "password",
"password", "password", // Confirm.
"password", "SomeSecurePassword!",
"password", "SomeSecurePassword!", // Confirm.
"trial", "yes",
}
for i := 0; i < len(matches); i += 2 {
Expand All @@ -107,7 +107,7 @@ func TestLogin(t *testing.T) {
t.Parallel()
client := coderdtest.New(t, nil)
doneChan := make(chan struct{})
root, _ := clitest.New(t, "login", client.URL.String(), "--first-user-username", "testuser", "--first-user-email", "user@coder.com", "--first-user-password", "password", "--first-user-trial")
root, _ := clitest.New(t, "login", client.URL.String(), "--first-user-username", "testuser", "--first-user-email", "user@coder.com", "--first-user-password", "SomeSecurePassword!", "--first-user-trial")
pty := ptytest.New(t)
root.SetIn(pty.Input())
root.SetOut(pty.Output())
Expand Down Expand Up @@ -143,8 +143,8 @@ func TestLogin(t *testing.T) {
"first user?", "yes",
"username", "testuser",
"email", "user@coder.com",
"password", "mypass",
"password", "wrongpass", // Confirm.
"password", "MyFirstSecurePassword!",
"password", "MyNonMatchingSecurePassword!", // Confirm.
}
for i := 0; i < len(matches); i += 2 {
match := matches[i]
Expand All @@ -157,9 +157,9 @@ func TestLogin(t *testing.T) {
pty.ExpectMatch("Passwords do not match")
pty.ExpectMatch("Enter a " + cliui.Styles.Field.Render("password"))

pty.WriteLine("pass")
pty.WriteLine("SomeSecurePassword!")
pty.ExpectMatch("Confirm")
pty.WriteLine("pass")
pty.WriteLine("SomeSecurePassword!")
pty.ExpectMatch("trial")
pty.WriteLine("yes")
pty.ExpectMatch("Welcome to Coder")
Expand Down
8 changes: 5 additions & 3 deletions cli/resetpassword.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,9 +50,11 @@ func resetPassword() *cobra.Command {
}

password, err := cliui.Prompt(cmd, cliui.PromptOptions{
Text: "Enter new " + cliui.Styles.Field.Render("password") + ":",
Secret: true,
Validate: cliui.ValidateNotEmpty,
Text: "Enter new " + cliui.Styles.Field.Render("password") + ":",
Secret: true,
Validate: func(s string) error {
return userpassword.Validate(s)
},
})
if err != nil {
return xerrors.Errorf("password prompt: %w", err)
Expand Down
4 changes: 2 additions & 2 deletions cli/resetpassword_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,8 +28,8 @@ func TestResetPassword(t *testing.T) {

const email = "some@one.com"
const username = "example"
const oldPassword = "password"
const newPassword = "password2"
const oldPassword = "MyOldPassword!"
const newPassword = "MyNewPassword!"

// start postgres and coder server processes

Expand Down
7 changes: 2 additions & 5 deletions cli/server_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ import (

"github.com/coder/coder/cli/clitest"
"github.com/coder/coder/cli/config"
"github.com/coder/coder/coderd/coderdtest"
"github.com/coder/coder/coderd/database/postgres"
"github.com/coder/coder/coderd/telemetry"
"github.com/coder/coder/codersdk"
Expand Down Expand Up @@ -70,11 +71,7 @@ func TestServer(t *testing.T) {
accessURL := waitAccessURL(t, cfg)
client := codersdk.New(accessURL)

_, err = client.CreateFirstUser(ctx, codersdk.CreateFirstUserRequest{
Email: "some@one.com",
Username: "example",
Password: "password",
})
_, err = client.CreateFirstUser(ctx, coderdtest.FirstUserParams)
require.NoError(t, err)
cancelFunc()
require.NoError(t, <-errC)
Expand Down
2 changes: 1 addition & 1 deletion coderd/coderdtest/coderdtest.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -455,7 +455,7 @@ func createAnotherUserRetry(t *testing.T, client *codersdk.Client, organizationI
req := codersdk.CreateUserRequest{
Email: namesgenerator.GetRandomName(10) + "@coder.com",
Username: randomUsername(),
Password: "testpass",
Password: "SomeSecurePassword!",
OrganizationID: organizationID,
}

Expand Down
3 changes: 3 additions & 0 deletions coderd/userpassword/userpassword.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -132,5 +132,8 @@ func Validate(password string) error {
if err != nil {
return err
}
if len(password) > 64 {
return xerrors.Errorf("password must be no more than %d characters", 64)
}
return nil
}
56 changes: 28 additions & 28 deletions coderd/users_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ func TestFirstUser(t *testing.T) {
_, err := client.CreateFirstUser(ctx, codersdk.CreateFirstUserRequest{
Email: "some@email.com",
Username: "exampleuser",
Password: "password",
Password: "SomeSecurePassword!",
})
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
Expand Down Expand Up @@ -78,7 +78,7 @@ func TestFirstUser(t *testing.T) {
req := codersdk.CreateFirstUserRequest{
Email: "testuser@coder.com",
Username: "testuser",
Password: "testpass",
Password: "SomeSecurePassword!",
Trial: true,
}
_, err := client.CreateFirstUser(ctx, req)
Expand Down Expand Up @@ -123,7 +123,7 @@ func TestPostLogin(t *testing.T) {
req := codersdk.CreateFirstUserRequest{
Email: "testuser@coder.com",
Username: "testuser",
Password: "testpass",
Password: "SomeSecurePassword!",
}
_, err := client.CreateFirstUser(ctx, req)
require.NoError(t, err)
Expand Down Expand Up @@ -172,7 +172,7 @@ func TestPostLogin(t *testing.T) {
// Test a new session
_, err = client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{
Email: memberUser.Email,
Password: "testpass",
Password: "SomeSecurePassword!",
})
numLogs++ // add an audit log for login
require.ErrorAs(t, err, &apiErr)
Expand All @@ -198,7 +198,7 @@ func TestPostLogin(t *testing.T) {
defer cancel()

// With a user account.
const password = "testpass"
const password = "SomeSecurePassword!"
user, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
Email: "test+user-@coder.com",
Username: "user",
Expand Down Expand Up @@ -245,7 +245,7 @@ func TestPostLogin(t *testing.T) {
req := codersdk.CreateFirstUserRequest{
Email: "testuser@coder.com",
Username: "testuser",
Password: "testpass",
Password: "SomeSecurePassword!",
}
_, err := client.CreateFirstUser(ctx, req)
require.NoError(t, err)
Expand Down Expand Up @@ -309,7 +309,7 @@ func TestDeleteUser(t *testing.T) {
another, err = api.CreateUser(context.Background(), codersdk.CreateUserRequest{
Email: another.Email,
Username: another.Username,
Password: "testing",
Password: "SomeSecurePassword!",
OrganizationID: user.OrganizationID,
})
require.NoError(t, err)
Expand Down Expand Up @@ -421,7 +421,7 @@ func TestPostUsers(t *testing.T) {
_, err = client.CreateUser(ctx, codersdk.CreateUserRequest{
Email: me.Email,
Username: me.Username,
Password: "password",
Password: "MySecurePassword!",
OrganizationID: uuid.New(),
})
var apiErr *codersdk.Error
Expand All @@ -441,7 +441,7 @@ func TestPostUsers(t *testing.T) {
OrganizationID: uuid.New(),
Email: "another@user.org",
Username: "someone-else",
Password: "testing",
Password: "SomeSecurePassword!",
})
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
Expand All @@ -466,7 +466,7 @@ func TestPostUsers(t *testing.T) {
_, err = notInOrg.CreateUser(ctx, codersdk.CreateUserRequest{
Email: "some@domain.com",
Username: "anotheruser",
Password: "testing",
Password: "SomeSecurePassword!",
OrganizationID: org.ID,
})
var apiErr *codersdk.Error
Expand All @@ -491,7 +491,7 @@ func TestPostUsers(t *testing.T) {
OrganizationID: user.OrganizationID,
Email: "another@user.org",
Username: "someone-else",
Password: "testing",
Password: "SomeSecurePassword!",
})
require.NoError(t, err)

Expand Down Expand Up @@ -561,7 +561,7 @@ func TestUpdateUserProfile(t *testing.T) {
existentUser, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
Email: "bruno@coder.com",
Username: "bruno",
Password: "password",
Password: "SomeSecurePassword!",
OrganizationID: user.OrganizationID,
})
require.NoError(t, err)
Expand Down Expand Up @@ -627,18 +627,18 @@ func TestUpdateUserPassword(t *testing.T) {
member, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
Email: "coder@coder.com",
Username: "coder",
Password: "password",
Password: "SomeStrongPassword!",
OrganizationID: admin.OrganizationID,
})
require.NoError(t, err, "create member")
err = client.UpdateUserPassword(ctx, member.ID.String(), codersdk.UpdateUserPasswordRequest{
Password: "newpassword",
Password: "SomeNewStrongPassword!",
})
require.NoError(t, err, "admin should be able to update member password")
// Check if the member can login using the new password
_, err = client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{
Email: "coder@coder.com",
Password: "newpassword",
Password: "SomeNewStrongPassword!",
})
require.NoError(t, err, "member should login successfully with the new password")
})
Expand All @@ -659,8 +659,8 @@ func TestUpdateUserPassword(t *testing.T) {
defer cancel()

err := member.UpdateUserPassword(ctx, "me", codersdk.UpdateUserPasswordRequest{
OldPassword: "testpass",
Password: "newpassword",
OldPassword: "SomeSecurePassword!",
Password: "MyNewSecurePassword!",
})
numLogs++ // add an audit log for user update

Expand Down Expand Up @@ -696,7 +696,7 @@ func TestUpdateUserPassword(t *testing.T) {
defer cancel()

err := client.UpdateUserPassword(ctx, "me", codersdk.UpdateUserPasswordRequest{
Password: "newpassword",
Password: "MySecurePassword!",
})
numLogs++ // add an audit log for user update

Expand All @@ -720,7 +720,7 @@ func TestUpdateUserPassword(t *testing.T) {
require.NoError(t, err)

err = client.UpdateUserPassword(ctx, "me", codersdk.UpdateUserPasswordRequest{
Password: "newpassword",
Password: "MyNewSecurePassword!",
})
require.NoError(t, err)

Expand All @@ -733,7 +733,7 @@ func TestUpdateUserPassword(t *testing.T) {

resp, err := client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{
Email: coderdtest.FirstUserParams.Email,
Password: "newpassword",
Password: "MyNewSecurePassword!",
})
require.NoError(t, err)

Expand Down Expand Up @@ -1264,7 +1264,7 @@ func TestGetUsers(t *testing.T) {
client.CreateUser(ctx, codersdk.CreateUserRequest{
Email: "alice@email.com",
Username: "alice",
Password: "password",
Password: "MySecurePassword!",
OrganizationID: user.OrganizationID,
})
// No params is all users
Expand All @@ -1290,15 +1290,15 @@ func TestGetUsers(t *testing.T) {
alice, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
Email: "alice@email.com",
Username: "alice",
Password: "password",
Password: "MySecurePassword!",
OrganizationID: first.OrganizationID,
})
require.NoError(t, err)

bruno, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
Email: "bruno@email.com",
Username: "bruno",
Password: "password",
Password: "MySecurePassword!",
OrganizationID: first.OrganizationID,
})
require.NoError(t, err)
Expand Down Expand Up @@ -1329,7 +1329,7 @@ func TestGetUsersPagination(t *testing.T) {
_, err = client.CreateUser(ctx, codersdk.CreateUserRequest{
Email: "alice@email.com",
Username: "alice",
Password: "password",
Password: "MySecurePassword!",
OrganizationID: first.OrganizationID,
})
require.NoError(t, err)
Expand Down Expand Up @@ -1410,13 +1410,13 @@ func TestWorkspacesByUser(t *testing.T) {
newUser, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
Email: "test@coder.com",
Username: "someone",
Password: "password",
Password: "MySecurePassword!",
OrganizationID: user.OrganizationID,
})
require.NoError(t, err)
auth, err := client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{
Email: newUser.Email,
Password: "password",
Password: "MySecurePassword!",
})
require.NoError(t, err)

Expand Down Expand Up @@ -1463,7 +1463,7 @@ func TestSuspendedPagination(t *testing.T) {
user, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
Email: email,
Username: username,
Password: "password",
Password: "MySecurePassword!",
OrganizationID: orgID,
})
require.NoError(t, err)
Expand Down Expand Up @@ -1526,7 +1526,7 @@ func TestPaginatedUsers(t *testing.T) {
newUser, err := client.CreateUser(egCtx, codersdk.CreateUserRequest{
Email: email,
Username: username,
Password: "password",
Password: "MySecurePassword!",
OrganizationID: orgID,
})
if err != nil {
Expand Down
2 changes: 1 addition & 1 deletion coderd/workspaceapps_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1138,7 +1138,7 @@ func TestAppSharing(t *testing.T) {

setup := func(t *testing.T, allowPathAppSharing, allowSiteOwnerAccess bool) (workspace codersdk.Workspace, agnt codersdk.WorkspaceAgent, user codersdk.User, ownerClient *codersdk.Client, client *codersdk.Client, clientInOtherOrg *codersdk.Client, clientWithNoAuth *codersdk.Client) {
//nolint:gosec
const password = "password"
const password = "SomeSecurePassword!"

var port uint16
ownerClient, _, _, port = setupProxyTest(t, &setupProxyTestOpts{
Expand Down