oxirs-fuseki 0.2.4

SPARQL 1.1/1.2 HTTP protocol server with Fuseki-compatible configuration
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242

//! Password hashing and verification utilities

use crate::auth::types::PasswordStrength;
use crate::error::{FusekiError, FusekiResult};
use argon2::password_hash::{rand_core::OsRng, SaltString};
use argon2::{Argon2, PasswordHash, PasswordHasher, PasswordVerifier};
use regex::Regex;
use scirs2_core::random::{Random, Rng};

/// Password utility functions
pub struct PasswordUtils;

impl PasswordUtils {
    /// Hash a password using Argon2
    pub fn hash_password(password: &str) -> FusekiResult<String> {
        let salt = SaltString::generate(&mut OsRng);
        let argon2 = Argon2::default();

        argon2
            .hash_password(password.as_bytes(), &salt)
            .map(|hash| hash.to_string())
            .map_err(|e| FusekiError::authentication(format!("Failed to hash password: {e}")))
    }

    /// Verify a password against its hash
    pub fn verify_password(password: &str, hash: &str) -> FusekiResult<bool> {
        let parsed_hash = PasswordHash::new(hash)
            .map_err(|e| FusekiError::authentication(format!("Invalid password hash: {e}")))?;

        let argon2 = Argon2::default();
        Ok(argon2
            .verify_password(password.as_bytes(), &parsed_hash)
            .is_ok())
    }

    /// Check password strength
    pub fn check_password_strength(password: &str) -> PasswordStrength {
        let mut score = 0;

        // Length scoring
        if password.len() >= 8 {
            score += 1;
        }
        if password.len() >= 12 {
            score += 1;
        }
        if password.len() >= 16 {
            score += 1;
        }

        // Character variety scoring
        if password.chars().any(|c| c.is_lowercase()) {
            score += 1;
        }
        if password.chars().any(|c| c.is_uppercase()) {
            score += 1;
        }
        if password.chars().any(|c| c.is_numeric()) {
            score += 1;
        }
        if password.chars().any(|c| c.is_ascii_punctuation()) {
            score += 1;
        }

        // Additional complexity
        if password.len() >= 20 {
            score += 1;
        }
        if Self::has_mixed_case_and_numbers_and_symbols(password) {
            score += 1;
        }

        match score {
            0..=2 => PasswordStrength::VeryWeak,
            3..=4 => PasswordStrength::Weak,
            5..=6 => PasswordStrength::Medium,
            7..=8 => PasswordStrength::Strong,
            _ => PasswordStrength::VeryStrong,
        }
    }

    /// Validate password meets minimum requirements
    pub fn validate_password(password: &str) -> Result<(), Vec<String>> {
        let mut errors = Vec::new();

        if password.len() < 8 {
            errors.push("Password must be at least 8 characters long".to_string());
        }

        if password.len() > 128 {
            errors.push("Password must be no more than 128 characters long".to_string());
        }

        if !password.chars().any(|c| c.is_lowercase()) {
            errors.push("Password must contain at least one lowercase letter".to_string());
        }

        if !password.chars().any(|c| c.is_uppercase()) {
            errors.push("Password must contain at least one uppercase letter".to_string());
        }

        if !password.chars().any(|c| c.is_numeric()) {
            errors.push("Password must contain at least one number".to_string());
        }

        if !password.chars().any(|c| c.is_ascii_punctuation()) {
            errors.push("Password must contain at least one special character".to_string());
        }

        // Check for common patterns
        if Self::contains_common_patterns(password) {
            errors.push("Password contains common patterns and is not secure".to_string());
        }

        // Check for dictionary words
        if Self::contains_dictionary_words(password) {
            errors.push("Password contains common dictionary words".to_string());
        }

        if errors.is_empty() {
            Ok(())
        } else {
            Err(errors)
        }
    }

    /// Generate a secure random password
    pub fn generate_password(length: usize) -> String {
        const CHARSET: &[u8] = b"abcdefghijklmnopqrstuvwxyz\
                                 ABCDEFGHIJKLMNOPQRSTUVWXYZ\
                                 0123456789\
                                 !@#$%^&*()_+-=[]{}|;:,.<>?";

        let mut rng = Random::seed(42);
        let password: String = (0..length)
            .map(|_| {
                let idx = rng.random_range(0..CHARSET.len());
                CHARSET[idx] as char
            })
            .collect();

        // Ensure the generated password meets requirements
        if Self::validate_password(&password).is_ok() {
            password
        } else {
            // Recursively generate until we get a valid one
            Self::generate_password(length)
        }
    }

    /// Check if password has good character variety
    fn has_mixed_case_and_numbers_and_symbols(password: &str) -> bool {
        let has_lower = password.chars().any(|c| c.is_lowercase());
        let has_upper = password.chars().any(|c| c.is_uppercase());
        let has_digit = password.chars().any(|c| c.is_numeric());
        let has_symbol = password.chars().any(|c| c.is_ascii_punctuation());

        has_lower && has_upper && has_digit && has_symbol
    }

    /// Check for common password patterns
    fn contains_common_patterns(password: &str) -> bool {
        let common_patterns = vec![
            r"123456",
            r"password",
            r"qwerty",
            r"abc123",
            r"admin",
            r"letmein",
            r"welcome",
            r"monkey",
            r"dragon",
            r"pass",
        ];

        let lower_password = password.to_lowercase();

        for pattern in common_patterns {
            if lower_password.contains(pattern) {
                return true;
            }
        }

        // Check for sequential patterns
        let sequential_patterns = vec![
            r"(?i)abcde",
            r"(?i)12345",
            r"(?i)qwert",
            r"(?i)asdfg",
            r"(?i)zxcvb",
        ];

        for pattern in sequential_patterns {
            if let Ok(regex) = Regex::new(pattern) {
                if regex.is_match(password) {
                    return true;
                }
            }
        }

        false
    }

    /// Check for common dictionary words
    fn contains_dictionary_words(password: &str) -> bool {
        let common_words = vec![
            "password", "admin", "user", "login", "system", "computer", "server", "database",
            "access", "secret", "private", "public", "test", "demo", "guest", "root", "master",
            "default",
        ];

        let lower_password = password.to_lowercase();

        for word in common_words {
            if lower_password.contains(word) {
                return true;
            }
        }

        false
    }

    /// Generate password reset token
    pub fn generate_reset_token() -> String {
        const CHARSET: &[u8] = b"abcdefghijklmnopqrstuvwxyz\
                                 ABCDEFGHIJKLMNOPQRSTUVWXYZ\
                                 0123456789";

        let mut rng = Random::seed(42);
        (0..32)
            .map(|_| {
                let idx = rng.random_range(0..CHARSET.len());
                CHARSET[idx] as char
            })
            .collect()
    }

    /// Validate reset token format
    pub fn is_valid_reset_token(token: &str) -> bool {
        token.len() == 32 && token.chars().all(|c| c.is_alphanumeric())
    }
}