Pull request: 3503 password policy

Merge in DNS/adguard-home from 3503-password-policy to master Closes #3503. Squashed commit of the following: commit 1f03cd9 Author: Eugene Burkov <[email protected]> Date: Thu Feb 10 18:24:59 2022 +0300 client: imp msg commit e164ae2 Merge: b7efd76 f53f48c Author: Eugene Burkov <[email protected]> Date: Thu Feb 10 16:52:01 2022 +0300 Merge branch 'master' into 3503-password-policy commit b7efd76 Author: Ildar Kamalov <[email protected]> Date: Thu Feb 10 16:17:59 2022 +0300 client: remove empty line commit f19aba6 Author: Ildar Kamalov <[email protected]> Date: Thu Feb 10 16:09:14 2022 +0300 client: validate password length commit a6943c9 Author: Eugene Burkov <[email protected]> Date: Fri Feb 4 18:57:02 2022 +0300 all: fix docs again commit 9346bb6 Author: Eugene Burkov <[email protected]> Date: Fri Feb 4 18:54:15 2022 +0300 openapi: fix docs commit a801644 Author: Eugene Burkov <[email protected]> Date: Fri Feb 4 18:25:55 2022 +0300 all: validate passwd runes count
AdguardTeam · Feb 10, 2022 · 0ef8344 · 0ef8344
1 parent f53f48c
commit 0ef8344
Show file tree

Hide file tree

Showing 10 changed files with 133 additions and 31 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -72,13 +72,15 @@ In this release, the schema version has changed from 12 to 13.
 
 ### Security
 
+- Enforced password strength policy ([3503]).
 - Weaker cipher suites that use the CBC (cipher block chaining) mode of
   operation have been disabled ([#2993]).
 
 [#1730]: https://github.com/AdguardTeam/AdGuardHome/issues/1730
 [#2993]: https://github.com/AdguardTeam/AdGuardHome/issues/2993
 [#3057]: https://github.com/AdguardTeam/AdGuardHome/issues/3057
 [#3367]: https://github.com/AdguardTeam/AdGuardHome/issues/3367
+[#3503]: https://github.com/AdguardTeam/AdGuardHome/issues/3503
 [#4216]: https://github.com/AdguardTeam/AdGuardHome/issues/4216
 [#4221]: https://github.com/AdguardTeam/AdGuardHome/issues/4221
 [#4238]: https://github.com/AdguardTeam/AdGuardHome/issues/4238

diff --git a/client/package-lock.json b/client/package-lock.json
diff --git a/client/package.json b/client/package.json
@@ -42,6 +42,7 @@
         "redux-actions": "^2.6.5",
         "redux-form": "^8.3.5",
         "redux-thunk": "^2.3.0",
+        "string-length": "^5.0.1",
         "url-polyfill": "^1.1.9"
     },
     "devDependencies": {

diff --git a/client/src/__locales/en.json b/client/src/__locales/en.json
@@ -627,5 +627,6 @@
     "use_saved_key": "Use the previously saved key",
     "parental_control": "Parental Control",
     "safe_browsing": "Safe Browsing",
-    "served_from_cache": "{{value}} <i>(served from cache)</i>"
+    "served_from_cache": "{{value}} <i>(served from cache)</i>",
+    "form_error_password_length": "Password must be at least {{value}} characters long"
 }
diff --git a/client/src/helpers/constants.js b/client/src/helpers/constants.js
@@ -26,6 +26,8 @@ export const R_WIN_ABSOLUTE_PATH = /^([a-zA-Z]:)?(\\|\/)(?:[^\\/:*?"<>|\x00]+\\)
 
 export const R_CLIENT_ID = /^[a-z0-9-]{1,63}$/;
 
+export const MIN_PASSWORD_LENGTH = 8;
+
 export const HTML_PAGES = {
     INSTALL: '/install.html',
     LOGIN: '/login.html',

diff --git a/client/src/helpers/validators.js b/client/src/helpers/validators.js
@@ -1,4 +1,5 @@
 import i18next from 'i18next';
+import stringLength from 'string-length';
 
 import {
     MAX_PORT,
@@ -13,6 +14,7 @@ import {
     UNSAFE_PORTS,
     R_CLIENT_ID,
     R_DOMAIN,
+    MIN_PASSWORD_LENGTH,
 } from './constants';
 import { ip4ToInt, isValidAbsolutePath } from './form';
 import { isIpInCidr, parseSubnetMask } from './helpers';
@@ -320,10 +322,20 @@ export const validatePath = (value) => {
  * @param cidr {string}
  * @returns {Function}
  */
-
 export const validateIpv4InCidr = (valueIp, allValues) => {
     if (!isIpInCidr(valueIp, allValues.cidr)) {
         return i18next.t('form_error_subnet', { ip: valueIp, cidr: allValues.cidr });
     }
     return undefined;
 };
+
+/**
+ * @param value {string}
+ * @returns {Function}
+ */
+export const validatePasswordLength = (value) => {
+    if (value && stringLength(value) < MIN_PASSWORD_LENGTH) {
+        return i18next.t('form_error_password_length', { value: MIN_PASSWORD_LENGTH });
+    }
+    return undefined;
+};
diff --git a/client/src/install/Setup/Auth.js b/client/src/install/Setup/Auth.js
@@ -8,6 +8,7 @@ import i18n from '../../i18n';
 import Controls from './Controls';
 import { renderInputField } from '../../helpers/form';
 import { FORM_NAME } from '../../helpers/constants';
+import { validatePasswordLength } from '../../helpers/validators';
 
 const required = (value) => {
     if (value || value === 0) {
@@ -67,7 +68,7 @@ const Auth = (props) => {
                         type="password"
                         className="form-control"
                         placeholder={ t('install_auth_password_enter') }
-                        validate={[required]}
+                        validate={[required, validatePasswordLength]}
                         autoComplete="new-password"
                     />
                 </div>

diff --git a/internal/home/controlinstall.go b/internal/home/controlinstall.go
@@ -13,6 +13,7 @@ import (
 	"runtime"
 	"strings"
 	"time"
+	"unicode/utf8"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
@@ -359,6 +360,9 @@ func shutdownSrv(ctx context.Context, srv *http.Server) {
 	}
 }
 
+// PasswordMinRunes is the minimum length of user's password in runes.
+const PasswordMinRunes = 8
+
 // Apply new configuration, start DNS server, restart Web server
 func (web *Web) handleInstallConfigure(w http.ResponseWriter, r *http.Request) {
 	req, restartHTTP, err := decodeApplyConfigReq(r.Body)
@@ -368,6 +372,18 @@ func (web *Web) handleInstallConfigure(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if utf8.RuneCountInString(req.Password) < PasswordMinRunes {
+		aghhttp.Error(
+			r,
+			w,
+			http.StatusUnprocessableEntity,
+			"password must be at least %d symbols long",
+			PasswordMinRunes,
+		)
+
+		return
+	}
+
 	err = aghnet.CheckPort("udp", req.DNS.IP, req.DNS.Port)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)

diff --git a/openapi/CHANGELOG.md b/openapi/CHANGELOG.md
@@ -4,6 +4,12 @@
 
 ## v0.107.3: API changes
 
+### The new possible status code in `/install/configure` response.
+
+* The new status code `422 Unprocessable Entity` in the response for
+  `POST /install/configure` which means that the specified password does not
+  meet the strength requirements.
+
 ### The new field `"version"` in `AddressesInfo`
 
 * The new field `"version"` in `GET /install/get_addresses` is the version of

diff --git a/openapi/openapi.yaml b/openapi/openapi.yaml
@@ -1088,6 +1088,9 @@
           'description': >
             Failed to parse initial configuration or cannot listen to the
             specified addresses.
+        '422':
+          'description': >
+            The specified password does not meet the strength requirements.
         '500':
           'description': 'Cannot start the DNS server'
   '/login':