Add zxcvbn to ocflib

Add zxcvbn to ocflib

Author: jaysa68

.github/workflows/deploy.yml

@@ -0,0 +1,38 @@
+name: Publish
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [master]
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  deploy:
+    name: Publish
+    runs-on: self-hosted
+    steps:
+      - name: Checkout branch
+        uses: actions/checkout@v5.0.0
+        with:
+          fetch-depth: 0
+      - name: Install dependencies
+        run: |
+          poetry --version
+          poetry check --no-interaction
+          poetry config virtualenvs.in-project true
+          poetry install --no-interaction
+      - name: Run tests
+        run: |
+          poetry run pytest
+      - name: Build package 
+        run: |
+          poetry build --no-interaction
+      - name: Publish to PyPi
+        env:
+          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
+        run: |
+          poetry config pypi-token.pypi $PYPI_TOKEN
+          poetry publish --build --no-interaction

.gitignore

@@ -62,4 +62,5 @@ debian/python3-ocflib/
 debian/python3-ocflib.substvars
 debian/*.debhelper
 /venv
+/.venv
 .direnv/

Jenkinsfile

@@ -76,23 +76,6 @@ installed, pre-commit will run every time you commit.
 Alternatively, if you'd rather not install any hooks, you can simply use
 `make test` as usual, which will also run the hooks.
 
-### Troubleshooting: Cracklib Error
-
-If you're trying to run make install-hooks on ocfweb (or related repos) and get
-this error:
-
-```
-./_cracklib.c:40:10: fatal error: 'crack.h' file not found
-  #include <crack.h>
-           ^~~~~~~~~
-  1 error generated.
-```
-
-The issue relates to the cracklib package not finding the necessary header files
-to install. Make sure cracklib is installed on your machine
-(https://github.com/cracklib/cracklib, if you're on Mac,
-`brew install cracklib`).
-
 ## Deploying changes
 
 Deploying changes involves:

README.md

@@ -8,7 +8,6 @@
 , poetry-core
 
 # system dependencies
-, cracklib
 
 # python dependencies
 , attrs
@@ -24,21 +23,10 @@
 , sqlalchemy_1_4
 , dos2unix
 , pyasn1
+, zxcvbn
 }:
 
 let
-  cracklib-pypi = buildPythonPackage rec {
-    pname = "cracklib";
-    version = "2.9.6";
-    format = "setuptools";
-    src = fetchPypi {
-      inherit pname version;
-      hash = "sha256-o/S6jNIOrppRbridviJJghx3EIsERyMFW0W/eTYVABI=";
-    };
-    propagatedBuildInputs = [ cracklib ];
-    # cracklib uses unittest assertEquals which is removed in Python 3.12
-    doCheck = false;
-  };
   pysnmp-pypi = buildPythonPackage rec {
     pname = "pysnmp";
     version = "4.4.12";
@@ -89,19 +77,17 @@ in
 
 buildPythonPackage {
   pname = "ocflib";
-  version = "2025-08-27";
+  version = "2025-08-28";
   format = "pyproject";
   disabled = pythonOlder "3.7";
   src = ./.;
 
   buildInputs = [
-    cracklib # cracklib system library
   ];
 
   propagatedBuildInputs = [
     attrs
     cached-property-pypi
-    cracklib-pypi # cracklib python package
     dnspython
     jinja2
     ldap3
@@ -115,6 +101,7 @@ buildPythonPackage {
     requests
     sqlalchemy_1_4
     poetry-core
+    zxcvbn
   ];
 
   meta = with lib; {

default.nix

@@ -3,7 +3,7 @@
 import string
 import sys
 
-import cracklib
+from zxcvbn import zxcvbn
 
 import ocflib.misc.mail
 import ocflib.account.search as search
@@ -364,16 +364,9 @@ def validate_password(username, password, strength_check=True):
         if len(password) < 12:
             raise ValueError('Password must be at least 12 characters.')
 
-        s = difflib.SequenceMatcher()
-        s.set_seqs(password, username)
-
-        if s.ratio() > 0.6:
-            raise ValueError('Password is too similar to username.')
-
-        try:
-            cracklib.VeryFascistCheck(password)
-        except ValueError as e:
-            raise ValueError('Password problem: {}.'.format(e))
+        result = zxcvbn(password, user_inputs=[username])
+        if result['score'] < 4:
+            raise ValueError('Password is too weak: {}'.format(result['feedback']['warning']))
 
     # sanity check; note we don't use string.whitespace since we don't want
     # tabs or newlines