From f44abfecfb551e1848e1d5f5301b61b7f9ec06c1 Mon Sep 17 00:00:00 2001
From: Eliot Berriot <contact@eliotberriot.com>
Date: Sat, 21 Sep 2019 16:11:08 +0200
Subject: [PATCH] Fix #883: Prevent usage of too weak passwords

---
 api/config/settings/common.py          | 11 +++++++
 api/funkwhale_api/users/serializers.py | 11 ++++++-
 api/tests/users/test_admin.py          | 12 +++++--
 api/tests/users/test_serializers.py    | 44 ++++++++++++++++++++++++++
 api/tests/users/test_views.py          | 25 +++++++++------
 changes/changelog.d/883.enhancement    |  1 +
 6 files changed, 91 insertions(+), 13 deletions(-)
 create mode 100644 api/tests/users/test_serializers.py
 create mode 100644 changes/changelog.d/883.enhancement

diff --git a/api/config/settings/common.py b/api/config/settings/common.py
index c11d847e4..251167f4e 100644
--- a/api/config/settings/common.py
+++ b/api/config/settings/common.py
@@ -583,6 +583,17 @@ JWT_AUTH = {
     "JWT_GET_USER_SECRET_KEY": get_user_secret_key,
 }
 OLD_PASSWORD_FIELD_ENABLED = True
+AUTH_PASSWORD_VALIDATORS = [
+    {
+        "NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator"
+    },
+    {
+        "NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",
+        "OPTIONS": {"min_length": env.int("PASSWORD_MIN_LENGTH", default=8)},
+    },
+    {"NAME": "django.contrib.auth.password_validation.CommonPasswordValidator"},
+    {"NAME": "django.contrib.auth.password_validation.NumericPasswordValidator"},
+]
 ACCOUNT_ADAPTER = "funkwhale_api.users.adapters.FunkwhaleAccountAdapter"
 CORS_ORIGIN_ALLOW_ALL = True
 # CORS_ORIGIN_WHITELIST = (
diff --git a/api/funkwhale_api/users/serializers.py b/api/funkwhale_api/users/serializers.py
index a45d414b4..9db081378 100644
--- a/api/funkwhale_api/users/serializers.py
+++ b/api/funkwhale_api/users/serializers.py
@@ -5,7 +5,7 @@ from django.utils.deconstruct import deconstructible
 from django.utils.translation import gettext_lazy as _
 
 from rest_auth.serializers import PasswordResetSerializer as PRS
-from rest_auth.registration.serializers import RegisterSerializer as RS
+from rest_auth.registration.serializers import RegisterSerializer as RS, get_adapter
 from rest_framework import serializers
 from versatileimagefield.serializers import VersatileImageFieldSerializer
 
@@ -42,6 +42,15 @@ class RegisterSerializer(RS):
         except models.Invitation.DoesNotExist:
             raise serializers.ValidationError("Invalid invitation code")
 
+    def validate(self, validated_data):
+        data = super().validate(validated_data)
+        # we create a fake user obj with validated data so we can validate
+        # password properly (we have a password validator that requires
+        # a user object)
+        user = models.User(username=data["username"], email=data["email"])
+        get_adapter().clean_password(data["password1"], user)
+        return data
+
     def save(self, request):
         user = super().save(request)
         if self.validated_data.get("invitation"):
diff --git a/api/tests/users/test_admin.py b/api/tests/users/test_admin.py
index 03b316eb0..0af38c0ee 100644
--- a/api/tests/users/test_admin.py
+++ b/api/tests/users/test_admin.py
@@ -4,7 +4,11 @@ from funkwhale_api.users.admin import MyUserCreationForm
 def test_clean_username_success(db):
     # Instantiate the form with a new username
     form = MyUserCreationForm(
-        {"username": "alamode", "password1": "123456", "password2": "123456"}
+        {
+            "username": "alamode",
+            "password1": "thisismypassword",
+            "password2": "thisismypassword",
+        }
     )
     # Run is_valid() to trigger the validation
     valid = form.is_valid()
@@ -19,7 +23,11 @@ def test_clean_username_false(factories):
     user = factories["users.User"]()
     # Instantiate the form with the same username as self.user
     form = MyUserCreationForm(
-        {"username": user.username, "password1": "123456", "password2": "123456"}
+        {
+            "username": user.username,
+            "password1": "thisismypassword",
+            "password2": "thisismypassword",
+        }
     )
     # Run is_valid() to trigger the validation, which is going to fail
     # because the username is already taken
diff --git a/api/tests/users/test_serializers.py b/api/tests/users/test_serializers.py
new file mode 100644
index 000000000..02d1ac052
--- /dev/null
+++ b/api/tests/users/test_serializers.py
@@ -0,0 +1,44 @@
+import pytest
+
+from funkwhale_api.users import serializers
+
+
+@pytest.mark.parametrize(
+    "data, expected_error",
+    [
+        (
+            {
+                "username": "myusername",
+                "email": "test@hello.com",
+                "password1": "myusername",
+            },
+            r".*password is too similar.*",
+        ),
+        (
+            {"username": "myusername", "email": "test@hello.com", "password1": "test"},
+            r".*must contain at least 8 characters.*",
+        ),
+        (
+            {
+                "username": "myusername",
+                "email": "test@hello.com",
+                "password1": "superman",
+            },
+            r".*password is too common.*",
+        ),
+        (
+            {
+                "username": "myusername",
+                "email": "test@hello.com",
+                "password1": "123457809878",
+            },
+            r".*password is entirely numeric.*",
+        ),
+    ],
+)
+def test_registration_serializer_validates_password_properly(data, expected_error, db):
+    data["password2"] = data["password1"]
+    serializer = serializers.RegisterSerializer(data=data)
+
+    with pytest.raises(serializers.serializers.ValidationError, match=expected_error):
+        serializer.is_valid(raise_exception=True)
diff --git a/api/tests/users/test_views.py b/api/tests/users/test_views.py
index 956a7178c..db8f870f3 100644
--- a/api/tests/users/test_views.py
+++ b/api/tests/users/test_views.py
@@ -9,8 +9,8 @@ def test_can_create_user_via_api(preferences, api_client, db):
     data = {
         "username": "test1",
         "email": "test1@test.com",
-        "password1": "testtest",
-        "password2": "testtest",
+        "password1": "thisismypassword",
+        "password2": "thisismypassword",
     }
     preferences["users__registration_enabled"] = True
     response = api_client.post(url, data)
@@ -72,8 +72,8 @@ def test_can_signup_with_invitation(preferences, factories, api_client):
     data = {
         "username": "test1",
         "email": "test1@test.com",
-        "password1": "testtest",
-        "password2": "testtest",
+        "password1": "thisismypassword",
+        "password2": "thisismypassword",
         "invitation": "hello",
     }
     preferences["users__registration_enabled"] = False
@@ -157,11 +157,16 @@ def test_changing_password_updates_secret_key(logged_in_api_client):
     user = logged_in_api_client.user
     password = user.password
     secret_key = user.secret_key
-    payload = {"old_password": "test", "new_password1": "new", "new_password2": "new"}
+    payload = {
+        "old_password": "test",
+        "new_password1": "thisismypassword",
+        "new_password2": "thisismypassword",
+    }
     url = reverse("change_password")
 
-    logged_in_api_client.post(url, payload)
+    response = logged_in_api_client.post(url, payload)
 
+    assert response.status_code == 200
     user.refresh_from_db()
 
     assert user.secret_key != secret_key
@@ -295,8 +300,8 @@ def test_creating_user_creates_actor_as_well(
     data = {
         "username": "test1",
         "email": "test1@test.com",
-        "password1": "testtest",
-        "password2": "testtest",
+        "password1": "thisismypassword",
+        "password2": "thisismypassword",
     }
     preferences["users__registration_enabled"] = True
     mocker.patch("funkwhale_api.users.models.create_actor", return_value=actor)
@@ -316,8 +321,8 @@ def test_creating_user_sends_confirmation_email(
     data = {
         "username": "test1",
         "email": "test1@test.com",
-        "password1": "testtest",
-        "password2": "testtest",
+        "password1": "thisismypassword",
+        "password2": "thisismypassword",
     }
     preferences["users__registration_enabled"] = True
     preferences["instance__name"] = "Hello world"
diff --git a/changes/changelog.d/883.enhancement b/changes/changelog.d/883.enhancement
new file mode 100644
index 000000000..00284a309
--- /dev/null
+++ b/changes/changelog.d/883.enhancement
@@ -0,0 +1 @@
+Prevent usage of too weak passwords (#883)