TT#21818 Check passwords against libcrack and user

* When enabling password_sip/web_validate, panel checks password
  against username (web and sip, respectively), and runs it through
  cracklib to enforce a reasonably strong password.
* Add auto-generate buttons next to web/sip password.

Change-Id: I11f5f6c2d69dc5658f298094f7d17d26d0a26ee1

debian/control

@@ -12,6 +12,7 @@ Homepage: https://www.sipwise.com/
 Package: ngcp-panel
 Architecture: all
 Depends:
+ cracklib-runtime,
  gettext,
  ghostscript,
  gnutls-bin,
@@ -26,6 +27,7 @@ Depends:
  libcatalyst-view-tt-perl,
  libconfig-general-perl,
  libconvert-ascii85-perl,
+ libcrypt-cracklib-perl,
  libcrypt-eksblowfish-perl,
  libcrypt-jwt-perl,
  libcrypt-rc4-perl,

lib/NGCP/Panel/Utils/Form.pm

@@ -1,6 +1,7 @@
 package NGCP::Panel::Utils::Form;
 
 use Sipwise::Base;
+use Crypt::Cracklib;
 
 sub validate_password {
     my %params = @_;
@@ -30,6 +31,33 @@ sub validate_password {
     if($r->{password_musthave_specialchar} && $pass !~ /[^0-9a-zA-Z]/) {
         $field->add_error($c->loc('Must contain special characters'));
     }
+    if($field->name eq "password" && $r->{password_sip_validate}) {
+        my $user;
+        if($field->form->field('username')) {
+            $user = $field->form->field('username')->value;
+        } elsif($c->stash->{subscriber}) {
+            $user = $c->stash->{subscriber}->provisioning_voip_subscriber->username;
+        }
+        if(defined $user && $pass =~ /$user/i) {
+            $field->add_error($c->loc('Password must not contain username'));
+        }
+        unless(Crypt::Cracklib::check($pass)) {
+            $field->add_error($c->loc('Password is too weak'));
+        }
+    } elsif($field->name eq "webpassword" && $r->{password_web_validate}) {
+        my $user;
+        if($field->form->field('webusername')) {
+            $user = $field->form->field('webusername')->value;
+        } elsif($c->stash->{subscriber}) {
+            $user = $c->stash->{subscriber}->provisioning_voip_subscriber->webusername;
+        }
+        if(defined $user && $pass =~ /$user/i) {
+            $field->add_error($c->loc('Web password must not contain username'));
+        }
+        unless(Crypt::Cracklib::check($pass)) {
+            $field->add_error($c->loc('Web password is too weak'));
+        }
+    }
 }
 
 sub validate_entities {

sandbox/cracklib.pl

@@ -0,0 +1,17 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+use English;
+
+use Crypt::Cracklib;
+
+my $pass = $ARGV[0];
+unless(defined $pass) {
+    die "Usage: $PROGRAM_NAME <password>\n";
+}
+
+if(check($pass, undef)) {
+    print "Password ok\n";
+} else {
+    print "Password NOT ok\n";
+}

share/static/js/libs/ngcp-pwdgen.js

@@ -0,0 +1,25 @@
+  function generate_password(len) {
+    var text = "";
+    var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!?/-_%$()[]";
+    for (var i = 0; i < len; i++) {
+        text += possible.charAt(Math.floor(Math.random() * possible.length));
+    }
+    return text;
+  }
+  $(document).ready(function() {
+    var btn = '<div id="gen_password" class="btn btn-primary pull-right" style="width:10%">Generate</div>';
+
+    var passwd_btn = $(btn);
+    passwd_btn.click(function() {
+        $('input#password').val(generate_password(16));
+    });
+    $('input#password').attr("style", "width: 80% !important");
+    $('input#password').after(passwd_btn);
+
+    var webpasswd_btn = $(btn);
+    webpasswd_btn.click(function() {
+        $('input#webpassword').val(generate_password(16));
+    });
+    $('input#webpassword').attr("style", "width: 80% !important");
+    $('input#webpassword').after(webpasswd_btn);
+  });

share/templates/customer/details.tt

@@ -731,6 +731,7 @@ $(function() {
     modal_footer();
     modal_script(m.close_target = close_target);
 -%]
+<script src="/js/libs/ngcp-pwdgen.js"></script>
 [% ELSIF edit_flag == 1 -%]
 [%
     IF form.has_for_js;

share/templates/subscriber/master.tt

@@ -347,6 +347,8 @@ function process_pbx_items(moveId,direction){
     modal_footer();
     modal_script(m.close_target = close_target);
 -%]
+
+<script src="/js/libs/ngcp-pwdgen.js"></script>
 [% END -%]