Add score based password verification

[willyborankin]

Description

The aim of this PR is to add support for a score-based password verification using zxcvbn library.
For that 2 new settings were added to the plugin configuration:

• plugins.security.restapi.password_min_length - minimum password length, default and minimum is 8
• plugins.security.restapi.password_score_based_validation_strength - the strength of the valid password
  Possible values:
  • fair - very guessable password: protection from throttled online attacks
  • good - somewhat guessable password: protection from unthrottled online attacks
  • strong - safely unguessable password: moderate protection from offline slow-hash scenario
  • very_strong - very unguessable password: strong protection from offline slow-hash scenario
    By default the plugin always checks strength of the password and its minimal length together with the regular expression if its set.

The calculation time for passwords around 100 characters is ~100ms as result to avoid of performance degradation for big passwords I suggest to set max length of the password to 100.

All other settings I mentioned before are not needed.

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[peternied]

Nice security improvement around the passwords.

@willyborankin Would you mind creating a separate issue to discuss making these options the default? I think this would be a good security posture improvement and would want contributors / community members to have a chance to weight in without delaying the functionality getting merged.

A quick note on performance - looking at the documentation [link] there is a typically small impact of ~5-20ms I think this is a worthwhile tradeoff as password scoring only happens when passwords are set/updated.

[willyborankin]

Nice security improvement around the passwords.

@willyborankin Would you mind creating a separate issue to discuss making these options the default? I think this would be a good security posture improvement and would want contributors / community members to have a chance to weight in without delaying the functionality getting merged.

A quick note on performance - looking at the documentation [link] there is a typically small impact of ~5-20ms I think this is a worthwhile tradeoff as password scoring only happens when passwords are set/updated.

Sure, I will prepare an issue to discuss and address your comments. I will try to do it today,.

[DarshitChanpura]

Nice work @willyborankin ! This is of great value to security posture!

One generic comment is to add a brief documentation on the new files. This would help in debugging in future.

[DarshitChanpura]

Can you add a brief comment here stating what this condition does?

[willyborankin]

i changed code so there is no such condition anymore

[DarshitChanpura]

why either or here? Why not have both?

[willyborankin]

Changed it

[DarshitChanpura]

What do you think about changing the errorType to say WEAK_PASSWORD here?

[willyborankin]

I added WEAK_PASSWORD an SIMILAR_PASSWORD error types

[DarshitChanpura]

nice

[DarshitChanpura]

What is the behavior when username and password is only 1 or 2 letters off? Will the password be allowed as valid?

[willyborankin]

in this case the score == 0 which means a weak password

[RyanL1997]

Nice work @willyborankin! This is definitely a huge enhancement for current password mechanism. I also left some thoughts attach to the previous comments with some details about the human understandable wording and some of the validation conditions.

[willyborankin]

@peternied, @DarshitChanpura and @RyanL1997 thank you for the feedback I will address all you comments asap. As @peternied suggested I created a feature request #2569 and tried to explain how the library works and how to improve existing password verification functionality in it. So lets move our discussion there.

[codecov-commenter]

Codecov Report

Merging #2557 (8a7475d) into main (7c4e06d) will increase coverage by 0.03%.
The diff coverage is 84.69%.

❗ Current head 8a7475d differs from pull request most recent head df5109a. Consider uploading reports for the commit df5109a to get more accurate results

@@             Coverage Diff              @@
##               main    #2557      +/-   ##
============================================
+ Coverage     61.31%   61.34%   +0.03%     
+ Complexity     3408     3347      -61     
============================================
  Files           272      261      -11     
  Lines         18846    18591     -255     
  Branches       3295     3277      -18     
============================================
- Hits          11555    11405     -150     
+ Misses         5690     5592      -98     
+ Partials       1601     1594       -7     

Impacted Files	Coverage Δ
...g/opensearch/security/support/ConfigConstants.java	94.44% <ø> (ø)
...ity/dlic/rest/validation/CredentialsValidator.java	70.00% <63.63%> (+4.21%)	⬆️
...curity/dlic/rest/validation/PasswordValidator.java	84.05% <84.05%> (ø)
.../opensearch/security/OpenSearchSecurityPlugin.java	80.12% <100.00%> (-0.04%)	⬇️
...est/validation/AbstractConfigurationValidator.java	83.64% <100.00%> (+1.09%)	⬆️

... and 36 files with indirect coverage changes

[DarshitChanpura]

For my understanding why the pattern check against hard code string "user_inputs"?

[willyborankin]

user_inputs the default dictionary which library creates automatically to check similarity. I will add a comment otherwise it is confusing. So all you need is just check the dictionary name since matchedWord is a password.

[DarshitChanpura]

okay..thank yoU!

[DarshitChanpura]

nicely done! 👏

[peternied]

These seems like well written error messages seem valuable, could we return this messages instead to be visible to the user. If we did that, we could remove the password_validation_error_message (and related) value that is in the config. What do you think?

[willyborankin]

Well I would prefer to stay it as is. The main reason, that some companies prefer to send the same error message when a user creates/updates the password (kinda less possibilities for attackers to know what is the password creation rules :-) which I personally do not believe in since if somebody wanna hack the system it will do it).

[peternied]

Still a couple of outstanding comments, but I'm happy with the change as is. Thanks for the great new feature @willyborankin !

[RyanL1997]

Hi @willyborankin, thanks for all the follow-ups! My comments have been resolved, and I'm happy to merge this change if we resolve the branch conflicts.

[willyborankin]

@peternied, @scrawfor99, @RyanL1997 and @DarshitChanpura all tests now green

[stephen-crawford]

Thank you @willyborankin. This looks great.

[cwperks]

Thank you for another great contribution @willyborankin !

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2557-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 15860b65f33861f875b62ed57b6d8b7ab3c8a65d
# Push it to GitHub
git push --set-upstream origin backport/backport-2557-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2557-to-2.x.