feat: enforce strong DB password values

agneum · agneum · commit 01e47a72d8e2 · 2023-08-21T13:44:39.000+07:00
diff --git a/engine/go.mod b/engine/go.mod
@@ -74,6 +74,7 @@ require (
 	github.com/stretchr/objx v0.5.0 // indirect
 	github.com/tklauser/go-sysconf v0.3.11 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
+	github.com/wagslane/go-password-validator v0.3.0 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
 	golang.org/x/net v0.12.0 // indirect
diff --git a/engine/go.sum b/engine/go.sum
@@ -684,6 +684,8 @@ github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
 github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
+github.com/wagslane/go-password-validator v0.3.0 h1:vfxOPzGHkz5S146HDpavl0cw1DSVP061Ry2PX0/ON6I=
+github.com/wagslane/go-password-validator v0.3.0/go.mod h1:TI1XJ6T5fRdRnHqHt14pvy1tNVnrwe7m3/f1f2fDphQ=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
diff --git a/engine/internal/validator/validator.go b/engine/internal/validator/validator.go
@@ -6,11 +6,16 @@
 package validator
 
 import (
+	"fmt"
+
 	"github.com/pkg/errors"
+	passwordvalidator "github.com/wagslane/go-password-validator"
 
 	"gitlab.com/postgres-ai/database-lab/v3/pkg/client/dblabapi/types"
 )
 
+const minEntropyBits = 60
+
 // Service provides a validation service.
 type Service struct {
 }
@@ -29,5 +34,9 @@ func (v Service) ValidateCloneRequest(cloneRequest *types.CloneCreateRequest) er
 		return errors.New("missing DB password")
 	}
 
+	if err := passwordvalidator.Validate(cloneRequest.DB.Password, minEntropyBits); err != nil {
+		return fmt.Errorf("password validation: %w", err)
+	}
+
 	return nil
 }
diff --git a/engine/internal/validator/validator_test.go b/engine/internal/validator/validator_test.go
@@ -18,12 +18,24 @@ func TestValidationCloneRequest(t *testing.T) {
 		&types.CloneCreateRequest{
 			DB: &types.DatabaseRequest{
 				Username: "username",
-				Password: "password",
+				Password: "secret_password",
 			}})
 
 	assert.Nil(t, err)
 }
 
+func TestWeakPassword(t *testing.T) {
+	validator := Service{}
+	err := validator.ValidateCloneRequest(
+		&types.CloneCreateRequest{
+			DB: &types.DatabaseRequest{
+				Username: "username",
+				Password: "password",
+			}})
+
+	assert.ErrorContains(t, err, "insecure password")
+}
+
 func TestValidationCloneRequestErrors(t *testing.T) {
 	validator := Service{}
 

Original file line number	Diff line number	Diff line change
`@@ -6,11 +6,16 @@`
`6`	`6`	`package validator`
`7`	`7`
`8`	`8`	`import (`
	`9`	`+ "fmt"`
	`10`	`+`
`9`	`11`	`"github.com/pkg/errors"`
	`12`	`+ passwordvalidator "github.com/wagslane/go-password-validator"`
`10`	`13`
`11`	`14`	`"gitlab.com/postgres-ai/database-lab/v3/pkg/client/dblabapi/types"`
`12`	`15`	`)`
`13`	`16`
	`17`	`+const minEntropyBits = 60`
	`18`	`+`
`14`	`19`	`// Service provides a validation service.`
`15`	`20`	`type Service struct {`
`16`	`21`	`}`
`@@ -29,5 +34,9 @@ func (v Service) ValidateCloneRequest(cloneRequest *types.CloneCreateRequest) er`
`29`	`34`	`return errors.New("missing DB password")`
`30`	`35`	`}`
`31`	`36`
	`37`	`+ if err := passwordvalidator.Validate(cloneRequest.DB.Password, minEntropyBits); err != nil {`
	`38`	`+ return fmt.Errorf("password validation: %w", err)`
	`39`	`+ }`
	`40`	`+`
`32`	`41`	`return nil`
`33`	`42`	`}`