misc: use SystemRandom to generate passwords (#43154)

2020-05-20 14:11:52 +02:00 · 2020-05-20 14:11:52 +02:00 · 15aae1e96a
parent 484ed13a1e
commit 15aae1e96a
2 changed files with 38 additions and 4 deletions
--- a/src/authentic2/passwords.py
+++ b/src/authentic2/passwords.py
@ -35,18 +35,19 @@ def generate_password():
       Beware that A2_PASSWORD_POLICY_REGEX cannot be validated.
    '''
    digits = string.digits
-    lower = string.lowercase
-    upper = string.uppercase
+    lower = string.ascii_lowercase
+    upper = string.ascii_uppercase
    punc = string.punctuation

    min_len = max(app_settings.A2_PASSWORD_POLICY_MIN_LENGTH, 8)
    min_class_count = max(app_settings.A2_PASSWORD_POLICY_MIN_CLASSES, 3)
    new_password = []

+    generator = random.SystemRandom()
    while len(new_password) < min_len:
        for cls in (digits, lower, upper, punc)[:min_class_count]:
-            new_password.append(random.choice(cls))
-    random.shuffle(new_password)
+            new_password.append(generator.choice(cls))
+    generator.shuffle(new_password)
    return ''.join(new_password)


--- a/tests/test_passwords.py
+++ b/tests/test_passwords.py
@ -0,0 +1,33 @@
+# authentic2 - versatile identity manager
+# Copyright (C) 2010-2019 Entr'ouvert
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import unicode_literals
+
+import string
+
+from authentic2 import app_settings
+from authentic2.passwords import generate_password
+
+
+def test_generate_password():
+    passwords = set(generate_password() for i in range(10))
+
+    char_classes = [string.digits, string.ascii_lowercase, string.ascii_uppercase, string.punctuation]
+    assert len(passwords) == 10
+    for password in passwords:
+        assert len(password) >= max(app_settings.A2_PASSWORD_POLICY_MIN_LENGTH, 8)
+        assert (sum(any(char in char_class for char in password) for char_class in char_classes)
+                == max(app_settings.A2_PASSWORD_POLICY_MIN_CLASSES, 3))