Added gopass audit command (gopasspw#228)

`gopass audit` validates known passwords against common flaws, like being too short or systematic. This uses my own Golang implementation of cracklib: https://github.com/muesli/crunchy
kpitt · Aug 4, 2017 · 2266c10 · 2266c10
1 parent bb1aac0
commit 2266c10
Show file tree

Hide file tree

Showing 17 changed files with 935 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -144,8 +144,8 @@ Eech4ahRoy2oowi0ohl
 The default action of `gopass` is show. It also accepts the `-c` flag to copy the content of
 the secret directly to the clipboard.
 
-Since it may be dangerous to always display the password on `gopass` calls, the `safecontent` 
-setting may be set to `true` to allow one to display only the rest of the password entries by 
+Since it may be dangerous to always display the password on `gopass` calls, the `safecontent`
+setting may be set to `true` to allow one to display only the rest of the password entries by
 default and display the whole entry, with password, only when the `-f` flag is used.
 
 #### Copy secret to clipboard
@@ -205,6 +205,16 @@ We also support `pull before push` to reduce the change of `rejected` pushes whe
 $ gopass config autopull true
 ```
 
+### Check Passwords for Common Flaws
+
+gopass can check your passwords for common flaws, like being too short or coming
+from a dictionary.
+
+```bash
+$ gopass audit
+Weak password for golang.org/gopher: it is too short
+```
+
 ### Support for Binary Content
 
 gopass provides secure and easy support for working with binary files through the

diff --git a/action/audit.go b/action/audit.go
@@ -0,0 +1,41 @@
+package action
+
+import (
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/muesli/crunchy"
+	"github.com/urfave/cli"
+)
+
+// Audit validates passwords against common flaws
+func (s *Action) Audit(c *cli.Context) error {
+	t, err := s.Store.Tree()
+	if err != nil {
+		return err
+	}
+
+	validator := crunchy.NewValidator()
+	var out io.Writer
+	out = os.Stdout
+
+	foundWeakPasswords := false
+	for _, secret := range t.List(0) {
+		content, err := s.Store.Get(secret)
+		if err != nil {
+			return err
+		}
+
+		if err = validator.Check(string(content)); err != nil {
+			foundWeakPasswords = true
+			fmt.Fprintf(out, "Detected weak password for %s: %v\n", secret, err)
+		}
+	}
+
+	if !foundWeakPasswords {
+		fmt.Fprintln(out, "No weak passwords detected.")
+	}
+
+	return nil
+}
diff --git a/main.go b/main.go
@@ -107,6 +107,12 @@ func main() {
 	}
 
 	app.Commands = []cli.Command{
+		{
+			Name:        "audit",
+			Usage:       "Audit passwords for common flaws",
+			Description: "To check passwords for common flaws (e.g. too short or from a dictionary)",
+			Action:      action.Audit,
+		},
 		{
 			Name:    "binary",
 			Usage:   "Work with binary blobs",

diff --git a/tests/audit_test.go b/tests/audit_test.go
@@ -0,0 +1,21 @@
+package tests
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAudit(t *testing.T) {
+	ts := newTester(t)
+	defer ts.teardown()
+
+	ts.initStore()
+	ts.initSecrets("")
+
+	list := `Detected weak password for fixed/secret: Password is too short`
+	out, err := ts.run("audit")
+	assert.NoError(t, err)
+	assert.Equal(t, strings.TrimSpace(list), out)
+}
diff --git a/vendor/github.com/muesli/crunchy/LICENSE b/vendor/github.com/muesli/crunchy/LICENSE
diff --git a/vendor/github.com/muesli/crunchy/README.md b/vendor/github.com/muesli/crunchy/README.md