Add score based password verification (#2784)

Signed-off-by: Andrey Pleskach <ples@aiven.io>

build.gradle

@@ -335,6 +335,7 @@ dependencies {
     implementation ('org.opensaml:opensaml-saml-impl:3.4.5') {
         exclude(group: 'org.apache.velocity', module: 'velocity')
     }
+    implementation "com.nulab-inc:zxcvbn:1.7.0"
     testImplementation 'org.opensaml:opensaml-messaging-impl:3.4.5'
     implementation 'org.opensaml:opensaml-messaging-api:3.4.5'
     runtimeOnly 'org.opensaml:opensaml-profile-api:3.4.5'

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -137,6 +137,7 @@
 import org.opensearch.security.configuration.Salt;
 import org.opensearch.security.configuration.SecurityFlsDlsIndexSearcherWrapper;
 import org.opensearch.security.dlic.rest.api.SecurityRestApiActions;
+import org.opensearch.security.dlic.rest.validation.PasswordValidator;
 import org.opensearch.security.filter.SecurityFilter;
 import org.opensearch.security.filter.SecurityRestFilter;
 import org.opensearch.security.http.SecurityHttpServerTransport;
@@ -1048,6 +1049,19 @@ public List<Setting<?>> getSettings() {
             settings.add(Setting.simpleString(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, Property.NodeScope, Property.Filtered));
             settings.add(Setting.simpleString(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, Property.NodeScope, Property.Filtered));
 
+            settings.add(
+                    Setting.intSetting(
+                            ConfigConstants.SECURITY_RESTAPI_PASSWORD_MIN_LENGTH,
+                            -1, -1, Property.NodeScope, Property.Filtered)
+            );
+            settings.add(
+                    Setting.simpleString(
+                            ConfigConstants.SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH,
+                            PasswordValidator.ScoreStrength.STRONG.name(),
+                            PasswordValidator.ScoreStrength::fromConfiguration,
+                            Property.NodeScope, Property.Filtered
+                    )
+            );
 
             // Compliance
             settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, Collections.emptyList(), Function.identity(), Property.NodeScope)); //not filtered here

src/main/java/org/opensearch/security/dlic/rest/validation/AbstractConfigurationValidator.java

@@ -249,9 +249,19 @@ public XContentBuilder errorsAsXContent(RestChannel channel) {
                     break;
                 case INVALID_PASSWORD:
                     builder.field("status", "error");
-                    builder.field("reason", opensearchSettings.get(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE,
+                    builder.field("reason", opensearchSettings.get(
+                            ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE,
                             "Password does not match minimum criteria"));
                     break;
+                case WEAK_PASSWORD:
+                case SIMILAR_PASSWORD:
+                    builder.field("status", "error");
+                    builder.field(
+                            "reason",
+                            opensearchSettings.get(
+                                    ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE,
+                                    errorType.message));
+                    break;
                 case WRONG_DATATYPE:
                     builder.field("status", "error");
                     builder.field("reason", ErrorType.WRONG_DATATYPE.getMessage());
@@ -289,8 +299,14 @@ public static enum DataType {
     }
 
     public static enum ErrorType {
-        NONE("ok"), INVALID_CONFIGURATION("Invalid configuration"), INVALID_PASSWORD("Invalid password"), WRONG_DATATYPE("Wrong datatype"),
-        BODY_NOT_PARSEABLE("Could not parse content of request."), PAYLOAD_NOT_ALLOWED("Request body not allowed for this action."),
+        NONE("ok"),
+        INVALID_CONFIGURATION("Invalid configuration"),
+        INVALID_PASSWORD("Invalid password"),
+        WEAK_PASSWORD("Weak password"),
+        SIMILAR_PASSWORD("Password is similar to user name"),
+        WRONG_DATATYPE("Wrong datatype"),
+        BODY_NOT_PARSEABLE("Could not parse content of request."),
+        PAYLOAD_NOT_ALLOWED("Request body not allowed for this action."),
         PAYLOAD_MANDATORY("Request body required for this action."), SECURITY_NOT_INITIALIZED("Security index not initialized"),
         NULL_ARRAY_ELEMENT("`null` is not allowed as json array element");
 

src/main/java/org/opensearch/security/dlic/rest/validation/CredentialsValidator.java

@@ -12,7 +12,6 @@
 package org.opensearch.security.dlic.rest.validation;
 
 import java.util.Map;
-import java.util.regex.Pattern;
 
 import org.opensearch.common.Strings;
 import org.opensearch.common.bytes.BytesReference;
@@ -22,17 +21,21 @@
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.security.ssl.util.Utils;
-import org.opensearch.security.support.ConfigConstants;
 
 /**
  * Validator for validating password and hash present in the payload
  */
 public class CredentialsValidator extends AbstractConfigurationValidator {
 
-    public CredentialsValidator(final RestRequest request, BytesReference ref, final Settings opensearchSettings,
+    private final PasswordValidator passwordValidator;
+
+    public CredentialsValidator(final RestRequest request,
+                                final BytesReference ref,
+                                final Settings opensearchSettings,
                                 Object... param) {
         super(request, ref, opensearchSettings, param);
         this.payloadMandatory = true;
+        this.passwordValidator = PasswordValidator.of(opensearchSettings);
         allowedKeys.put("hash", DataType.STRING);
         allowedKeys.put("password", DataType.STRING);
     }
@@ -46,49 +49,29 @@ public boolean validate() {
         if (!super.validate()) {
             return false;
         }
-
-        final String regex = this.opensearchSettings.get(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, null);
-
         if ((request.method() == RestRequest.Method.PUT || request.method() == RestRequest.Method.PATCH)
                 && this.content != null
                 && this.content.length() > 1) {
             try {
                 final Map<String, Object> contentAsMap = XContentHelper.convertToMap(this.content, false, XContentType.JSON).v2();
-                String password = (String) contentAsMap.get("password");
+                final String password = (String) contentAsMap.get("password");
                 if (password != null) {
                     // Password is not allowed to be empty if present.
                     if (password.isEmpty()) {
                         this.errorType = ErrorType.INVALID_PASSWORD;
                         return false;
                     }
-
-                    if (!Strings.isNullOrEmpty(regex)) {
-                        // Password can be null for an existing user. Regex will validate password if present
-                        if (!Pattern.compile("^"+regex+"$").matcher(password).matches()) {
-                            if(log.isDebugEnabled()) {
-                                log.debug("Regex does not match password");
-                            }
-                            this.errorType = ErrorType.INVALID_PASSWORD;
-                            return false;
-                        }
-
-                        final String username = Utils.coalesce(request.param("name"), hasParams() ? (String) param[0] : null);
-                        final boolean isDebugEnabled = log.isDebugEnabled();
-
-                        if (username == null || username.isEmpty()) {
-                            if (isDebugEnabled) {
-                                log.debug("Unable to validate username because no user is given");
-                            }
-                            return false;
-                        }
-
-                        if (username.toLowerCase().equals(password.toLowerCase())) {
-                            if (isDebugEnabled) {
-                                log.debug("Username must not match password");
-                            }
-                            this.errorType = ErrorType.INVALID_PASSWORD;
-                            return false;
+                    final String username = Utils.coalesce(request.param("name"), hasParams() ? (String) param[0] : null);
+                    if (Strings.isNullOrEmpty(username)) {
+                        if (log.isDebugEnabled()) {
+                            log.debug("Unable to validate username because no user is given");
                         }
+                        return false;
+                    }
+                    final ErrorType passwordValidationResult = passwordValidator.validate(username, password);
+                    if (passwordValidationResult != ErrorType.NONE) {
+                        this.errorType = passwordValidationResult;
+                        return false;
                     }
                 }
             } catch (NotXContentException e) {
@@ -99,4 +82,5 @@ public boolean validate() {
         }
         return true;
     }
+
 }

src/main/java/org/opensearch/security/dlic/rest/validation/PasswordValidator.java

@@ -0,0 +1,185 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.dlic.rest.validation;
+
+import java.util.List;
+import java.util.Locale;
+import java.util.Objects;
+import java.util.StringJoiner;
+import java.util.function.Predicate;
+import java.util.regex.Pattern;
+
+import com.google.common.collect.ImmutableList;
+import com.nulabinc.zxcvbn.Strength;
+import com.nulabinc.zxcvbn.Zxcvbn;
+import com.nulabinc.zxcvbn.matchers.Match;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import org.opensearch.common.Strings;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.security.dlic.rest.validation.AbstractConfigurationValidator.ErrorType;
+
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_PASSWORD_MIN_LENGTH;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX;
+
+public class PasswordValidator {
+
+    private static final int MAX_LENGTH = 100;
+
+    /**
+     * Checks a username similarity and a password
+     * names and passwords like:
+     *  - some_user_name/456Some_uSer_Name_1234
+     *  - some_user_name/some_user_name_Ydfge
+     *  - some_user_name/eman_resu_emos
+     *  are similar
+     * "user_inputs" - is a default dictionary zxcvbn creates for checking similarity
+     */
+    private final static Predicate<Match> USERNAME_SIMILARITY_CHECK = m ->
+            m.pattern == com.nulabinc.zxcvbn.Pattern.Dictionary && "user_inputs".equals(m.dictionaryName);
+
+    private final Logger logger = LogManager.getLogger(this.getClass());
+
+    private final int minPasswordLength;
+
+    private final Pattern passwordRegexpPattern;
+
+    private final ScoreStrength scoreStrength;
+
+    private final Zxcvbn zxcvbn;
+
+    private PasswordValidator(final int minPasswordLength,
+                              final Pattern passwordRegexpPattern,
+                              final ScoreStrength scoreStrength) {
+        this.minPasswordLength = minPasswordLength;
+        this.passwordRegexpPattern = passwordRegexpPattern;
+        this.scoreStrength = scoreStrength;
+        this.zxcvbn = new Zxcvbn();
+    }
+
+    public static PasswordValidator of(final Settings settings) {
+        final String passwordRegex = settings.get(SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, null);
+        final ScoreStrength scoreStrength = ScoreStrength.fromConfiguration(
+                    settings.get(SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH, ScoreStrength.STRONG.name())
+            );
+        final int minPasswordLength = settings.getAsInt(SECURITY_RESTAPI_PASSWORD_MIN_LENGTH, -1);
+        return new PasswordValidator(
+                minPasswordLength,
+                !Strings.isNullOrEmpty(passwordRegex) ? Pattern.compile(String.format("^%s$", passwordRegex)) : null,
+                scoreStrength);
+    }
+
+    ErrorType validate(final String username, final String password) {
+        if (minPasswordLength > 0 && password.length() < minPasswordLength) {
+            logger.debug(
+                    "Password is too short, the minimum required length is {}, but current length is {}",
+                    minPasswordLength,
+                    password.length()
+            );
+            return ErrorType.INVALID_PASSWORD;
+        }
+        if (password.length() > MAX_LENGTH) {
+            logger.debug(
+                    "Password is too long, the maximum required length is {}, but current length is {}",
+                    MAX_LENGTH,
+                    password.length()
+            );
+            return ErrorType.INVALID_PASSWORD;
+        }
+        if (Objects.nonNull(passwordRegexpPattern)
+                && !passwordRegexpPattern.matcher(password).matches()) {
+            logger.debug("Regex does not match password");
+            return ErrorType.INVALID_PASSWORD;
+        }
+        final Strength strength = zxcvbn.measure(password, ImmutableList.of(username));
+        if (strength.getScore() < scoreStrength.score()) {
+            logger.debug(
+                    "Password is weak the required score is {}, but current is {}",
+                    scoreStrength,
+                    ScoreStrength.fromScore(strength.getScore())
+            );
+            return ErrorType.WEAK_PASSWORD;
+        }
+        final boolean similar = strength.getSequence()
+                .stream()
+                .anyMatch(USERNAME_SIMILARITY_CHECK);
+        if (similar) {
+            logger.debug("Password is too similar to the user name {}", username);
+            return ErrorType.SIMILAR_PASSWORD;
+        }
+        return ErrorType.NONE;
+    }
+
+    public enum ScoreStrength {
+
+        // The weak score defines here only for debugging information
+        // and doesn't use as a configuration setting value.
+        WEAK(0, "too guessable: risky password"),
+        FAIR(1, "very guessable: protection from throttled online attacks"),
+        GOOD(2, "somewhat guessable: protection from unthrottled online attacks"),
+        STRONG(3, "safely unguessable: moderate protection from offline slow-hash scenario"),
+        VERY_STRONG(4, "very unguessable: strong protection from offline slow-hash scenario");
+
+        private final int score;
+
+        private final String description;
+
+        static final List<ScoreStrength> CONFIGURATION_VALUES = ImmutableList.of(FAIR, STRONG, VERY_STRONG);
+
+        static final String EXPECTED_CONFIGURATION_VALUES =
+                new StringJoiner(",")
+                        .add(FAIR.name().toLowerCase(Locale.ROOT))
+                        .add(STRONG.name().toLowerCase(Locale.ROOT))
+                        .add(VERY_STRONG.name().toLowerCase(Locale.ROOT))
+                        .toString();
+
+        private ScoreStrength(final int score, final String description) {
+            this.score = score;
+            this.description = description;
+        }
+
+        public static ScoreStrength fromScore(final int score) {
+            for (final ScoreStrength strength : values()) {
+                if (strength.score == score)
+                    return strength;
+            }
+            throw new IllegalArgumentException("Unknown score " + score);
+        }
+
+        public static ScoreStrength fromConfiguration(final String value) {
+            for (final ScoreStrength strength : CONFIGURATION_VALUES) {
+                if (strength.name().equalsIgnoreCase(value))
+                    return strength;
+            }
+            throw new IllegalArgumentException(
+                    String.format(
+                            "Setting [%s] cannot be used with the configured: %s. Expected one of [%s]",
+                            SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH,
+                            value,
+                            EXPECTED_CONFIGURATION_VALUES
+                    )
+            );
+        }
+
+        @Override
+        public String toString() {
+            return String.format("Password strength score %s. %s", score, description);
+        }
+
+        public int score() {
+            return this.score;
+        }
+
+    }
+}

src/main/java/org/opensearch/security/support/ConfigConstants.java

@@ -253,6 +253,8 @@ public enum RolesMappingResolution {
     public static final String SECURITY_RESTAPI_ENDPOINTS_DISABLED = "plugins.security.restapi.endpoints_disabled";
     public static final String SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX = "plugins.security.restapi.password_validation_regex";
     public static final String SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE = "plugins.security.restapi.password_validation_error_message";
+    public static final String SECURITY_RESTAPI_PASSWORD_MIN_LENGTH = "plugins.security.restapi.password_min_length";
+    public static final String SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH = "plugins.security.restapi.password_score_based_validation_strength";
 
     // Illegal Opcodes from here on
     public static final String SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY = "plugins.security.unsupported.disable_rest_auth_initially";