diff --git a/engine/go.mod b/engine/go.mod
index 2d94aa6aadb08589b5dfc544c18b5306cfdc3025..934b525b627e36f8b972cf7f96a188a9a79fe0e5 100644
--- a/engine/go.mod
+++ b/engine/go.mod
@@ -74,6 +74,7 @@ require (
 github.com/stretchr/objx v0.5.0 // indirect
 github.com/tklauser/go-sysconf v0.3.11 // indirect
 github.com/tklauser/numcpus v0.6.1 // indirect
+ github.com/wagslane/go-password-validator v0.3.0 // indirect
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 github.com/yusufpapurcu/wmi v1.2.3 // indirect
 golang.org/x/net v0.12.0 // indirect
diff --git a/engine/go.sum b/engine/go.sum
index d17051d4dc7a275ba7c71c248f8d4d18035db7de..e9618945a83dbdc614837bf26c2e8a6eafeb9c77 100644
--- a/engine/go.sum
+++ b/engine/go.sum
@@ -684,6 +684,8 @@ github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
 github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
+github.com/wagslane/go-password-validator v0.3.0 h1:vfxOPzGHkz5S146HDpavl0cw1DSVP061Ry2PX0/ON6I=
+github.com/wagslane/go-password-validator v0.3.0/go.mod h1:TI1XJ6T5fRdRnHqHt14pvy1tNVnrwe7m3/f1f2fDphQ=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
diff --git a/engine/internal/validator/validator.go b/engine/internal/validator/validator.go
index 7a811191a6db82e7d78d46c96c6b1ef0347b1d2b..6e50f0ef0f6445e2a48293efef54e5cb5dfbd505 100644
--- a/engine/internal/validator/validator.go
+++ b/engine/internal/validator/validator.go
@@ -6,11 +6,16 @@ package validator import ( + "fmt" + "github.com/pkg/errors" + passwordvalidator "github.com/wagslane/go-password-validator" "gitlab.com/postgres-ai/database-lab/v3/pkg/client/dblabapi/types" ) +const minEntropyBits = 60 + // Service provides a validation service. type Service struct { } @@ -29,5 +34,9 @@ func (v Service) ValidateCloneRequest(cloneRequest *types.CloneCreateRequest) er return errors.New("missing DB password") } + if err := passwordvalidator.Validate(cloneRequest.DB.Password, minEntropyBits); err != nil { + return fmt.Errorf("password validation: %w", err) + } + return nil } diff --git a/engine/internal/validator/validator_test.go b/engine/internal/validator/validator_test.go index 652854c017a7a2b17e9624f0e9e4393405221fe3..031868758dacda9e420fb5a8a059b90b0d67eb0e 100644 --- a/engine/internal/validator/validator_test.go +++ b/engine/internal/validator/validator_test.go @@ -18,12 +18,24 @@ func TestValidationCloneRequest(t *testing.T) { &types.CloneCreateRequest{ DB: &types.DatabaseRequest{ Username: "username", - Password: "password", + Password: "secret_password", }}) assert.Nil(t, err) } +func TestWeakPassword(t *testing.T) { + validator := Service{} + err := validator.ValidateCloneRequest( + &types.CloneCreateRequest{ + DB: &types.DatabaseRequest{ + Username: "username", + Password: "password", + }}) + + assert.ErrorContains(t, err, "insecure password") +} + func TestValidationCloneRequestErrors(t *testing.T) { validator := Service{}
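Review bot: `github.com/wagslane/go-password-validator` is imported directly in the import block of validator.go, but the go.mod hunk of the same commit records it with `// indirect`. Assuming validator.go belongs to the module rooted at engine/go.mod, as the paths suggest, `go mod tidy` should move the entry into the direct `require` block as `github.com/wagslane/go-password-validator v0.3.0`. Keeping the marker accurate matters for dependency review and audit tooling that treats direct and transitive modules differently, and this module now sits on the path that decides whether a credential is accepted.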
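Review bot: The check added to `ValidateCloneRequest` compares an entropy estimate against `minEntropyBits`, and that estimate evidently does not recognise dictionary words: the updated test in validator_test.go accepts `secret_password` as valid. As far as the library documents it, the score is derived from character classes and length, so it is a floor on shape rather than a guard against common or breached passwords. The constant in the first hunk should say so, for example `// minEntropyBits is the minimum estimated entropy, in bits, that a clone DB password must reach; the estimate does not detect common or breached passwords.`, along with why 60 was chosen. If clone databases are reachable outside a trusted network, pairing this with a common-password denylist would cover the gap. `ValidateCloneRequest` starts outside the hunk.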
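Review bot: `TestWeakPassword` matches on the text `insecure password`, which is not produced by the validator.go hunks in this commit and so presumably comes from the dependency; an upgrade that rewords the message would fail the test with no change in behaviour. Asserting the wrapper's own prefix is steadier: `assert.ErrorContains(t, err, "password validation")`. The new case also exercises a single weak input, so the `minEntropyBits` boundary is not pinned; a small table with one password just below and one just above the threshold would catch an accidental change to the constant. `TestValidationCloneRequestErrors` continues outside the hunk.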