-
Notifications
You must be signed in to change notification settings - Fork 1
/
PasswordUtil.cs
210 lines (181 loc) · 7.23 KB
/
PasswordUtil.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
namespace DotStd
{
/// <summary>
/// Password policy for types of passwords.
/// like Microsoft.AspNetCore.Identity.PasswordOptions
/// </summary>
[Flags]
public enum PasswordReq
{
None = 0,
Lowercase = 1, // must have lowercase.
Uppercase = 2,
Digit = 4, // Numbers. RequireDigit
NonAlphanumeric = 8, // must have special char. RequireNonAlphanumeric
UniqueChars = 16, // needs unique chars . cant just repeat ??
Def = Lowercase | Uppercase | Digit,
}
/// <summary>
/// PasswordPolicy or estimation of 'strength' of password.
/// NOTE: Use [AllowHTML] for ASP passwords to prevent screening <>
/// TODO: USE SecureString ??
/// </summary>
public class PasswordUtil
{
public static readonly PasswordUtil Def = new(8, 16, PasswordReq.Def); // default.
public const int kMinLength = 8;
// Params for the password to be generated.
public readonly int MinLength = kMinLength;
public readonly int MaxLength = 128; // These are hashed, there should be no max.
public readonly PasswordReq ReqFlags = PasswordReq.Def;
public static readonly char[] _numberChars = "1234567890".ToCharArray();
public static readonly char[] _alnumChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890".ToCharArray();
private static readonly char[] _SpecialChars = "!@#%".ToCharArray(); // Allowed or required for passwords.
private static readonly char[] _InvalidChars = "/.,;'\\][\"}{:\"?><+_)(*&^$~`".ToCharArray(); // Not allowed.
// For auto generated passwords.
// Remove "iloILO01" from use since they can get confused by users? (26+26+10)-8 = 54
// TODO remove case ?
public static readonly char[] _BasicAlnumChars = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789".ToCharArray();
public PasswordUtil()
{
}
public PasswordUtil(int minLen, int maxLen, PasswordReq flags)
{
MinLength = minLen;
MaxLength = maxLen;
ReqFlags = flags;
}
/// <summary>
/// Generate a random password using chars supplied.
/// </summary>
/// <param name="maxSize"></param>
/// <param name="chars">restrict to this set of chars.</param>
/// <param name="lowerCase">force to lower case.</param>
/// <returns></returns>
public static string CreatePassword(int maxSize, char[] chars, bool lowerCase = false)
{
var crypto = RandomNumberGenerator.Create();
byte[] data1 = new byte[1]; // junk first byte.
crypto.GetNonZeroBytes(data1);
byte[] data = new byte[maxSize];
crypto.GetNonZeroBytes(data);
var result = new StringBuilder();
foreach (byte b in data)
{
char ch = chars[b % (chars.Length)];
if (lowerCase)
{
// Force to lower.
ch = char.ToLower(ch);
}
result.Append(ch);
}
return result.ToString();
}
public static string CreatePassCode(int maxSize = 4)
{
// Generate a maxSize digit random numeric passcode.
return CreatePassword(maxSize, _numberChars);
}
public static string CreateUniqueKey(int maxSize = 10)
{
return CreatePassword(maxSize, _BasicAlnumChars);
}
/// <summary>
/// Is this in general a valid password/ bearer token ? Complexity Level? Strong/Weak ?
/// When the client sends us a token. This makes sure its at least moderately likely to be safe.
/// https://stats.stackexchange.com/questions/371150/check-if-a-character-string-is-not-random
/// https://en.wikipedia.org/wiki/Diehard_tests
/// https://en.wikipedia.org/wiki/Randomness_tests
/// </summary>
/// <param name="s"></param>
/// <returns></returns>
public static bool IsRandomish(string s)
{
if (s == null)
return false;
if (s.Length < kMinLength)
return false;
// TODO
return true;
}
public static bool HasValidSpecial(string password)
{
int indexOf = password.IndexOfAny(_SpecialChars);
if (indexOf == -1)
return false;
else
return true;
}
public static bool HasInvalidChars(string password)
{
// Does NOT have _InvalidChars
int indexOf = password.IndexOfAny(_InvalidChars);
if (indexOf == -1)
return false;
else
return true;
}
public static bool IsMatch(string providedpwd, string currentpwd)
{
// Match ?
if (string.Equals(providedpwd, currentpwd))
return true;
return false;
}
/// <summary>
/// Match a password against password policy.
/// Second entry of the password to see if it matches the first does not need to come here.
/// </summary>
/// <param name="password"></param>
/// <param name="excludeToken"></param>
/// <returns></returns>
public List<string> GetPasswordErrorMessages(string password, string? excludeToken = null)
{
var errors = new List<string>();
if (password == null)
password = "";
if (password.Length < MinLength)
{
errors.Add("Must be at least " + MinLength + " characters long");
if (password.Length <= 0)
return errors;
}
if (password.Length > MaxLength)
{
errors.Add("Must be less than " + MaxLength + " characters");
}
if ((this.ReqFlags & PasswordReq.Lowercase) != 0 && !StringUtil.HasLowerCase(password))
{
errors.Add("Must have lower case characters");
}
if ((this.ReqFlags & PasswordReq.Uppercase) != 0 && !StringUtil.HasUpperCase(password))
{
errors.Add("Must have upper case characters");
}
if ((this.ReqFlags & PasswordReq.Digit) != 0 && !StringUtil.HasNumber(password))
{
errors.Add("Must have numbers");
}
if ((this.ReqFlags & PasswordReq.NonAlphanumeric) != 0 && !StringUtil.HasNumber(password))
{
errors.Add("Must have special characters '" + _SpecialChars + "'");
}
if (PasswordUtil.HasInvalidChars(password))
{
errors.Add("Has invalid characters");
}
// Optional checks.
// e.g. dont put your own username in password
if (excludeToken != null && password.Contains(excludeToken))
{
errors.Add("Contains text that is not allowed");
}
return errors;
}
}
}