summaryrefslogtreecommitdiff
path: root/src/mailman/utilities/passwords.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/mailman/utilities/passwords.py')
-rw-r--r--src/mailman/utilities/passwords.py79
1 files changed, 77 insertions, 2 deletions
diff --git a/src/mailman/utilities/passwords.py b/src/mailman/utilities/passwords.py
index c14584748..896872436 100644
--- a/src/mailman/utilities/passwords.py
+++ b/src/mailman/utilities/passwords.py
@@ -26,24 +26,32 @@ __metaclass__ = type
__all__ = [
'Schemes',
'check_response',
+ 'encrypt_password',
'make_secret',
+ 'make_user_friendly_password',
]
import os
import re
import hmac
+import random
import hashlib
from array import array
from base64 import urlsafe_b64decode as decode
from base64 import urlsafe_b64encode as encode
from flufl.enum import Enum
+from itertools import chain, product
+from string import ascii_lowercase
+from mailman.config import config
from mailman.core import errors
SALT_LENGTH = 20 # bytes
ITERATIONS = 2000
+EMPTYSTRING = ''
+SCHEME_RE = r'{(?P<scheme>[^}]+?)}(?P<rest>.*)'
@@ -288,8 +296,7 @@ def check_response(challenge, response):
:return: True if the response matches the challenge.
:rtype: bool
"""
- mo = re.match(r'{(?P<scheme>[^}]+?)}(?P<rest>.*)',
- challenge, re.IGNORECASE)
+ mo = re.match(SCHEME_RE, challenge, re.IGNORECASE)
if not mo:
return False
# See above for why we convert here. However because we should have
@@ -315,3 +322,71 @@ def lookup_scheme(scheme_name):
:rtype: `PasswordScheme`
"""
return _SCHEMES_BY_TAG.get(scheme_name.lower())
+
+
+def encrypt_password(password, scheme=None):
+ """Return an encrypted password.
+
+ If the given password is already encrypted (i.e. it has a scheme prefix),
+ then the password is return unchanged. Otherwise, it is encrypted with
+ the given scheme or the default scheme.
+
+ :param password: The plain text or encrypted password.
+ :type password: string
+ :param scheme: The scheme enum to use for encryption. If not given, the
+ system default scheme is used. This can be a `Schemes` enum item, or
+ the scheme name as a string.
+ :type scheme: `Schemes` enum, or string.
+ :return: The encrypted password.
+ :rtype: bytes
+ """
+ if not isinstance(password, (bytes, unicode)):
+ raise ValueError('Got {0}, expected unicode or bytes'.format(
+ type(password)))
+ if re.match(SCHEME_RE, password, re.IGNORECASE):
+ # Just ensure we're getting bytes back.
+ if isinstance(password, unicode):
+ return password.encode('us-ascii')
+ assert isinstance(password, bytes), 'Expected bytes'
+ return password
+ if scheme is None:
+ password_scheme = lookup_scheme(config.passwords.password_scheme)
+ elif scheme in Schemes:
+ password_scheme = scheme
+ else:
+ password_scheme = lookup_scheme(scheme)
+ if password_scheme is None:
+ raise ValueError('Bad password scheme: {0}'.format(scheme))
+ return make_secret(password, password_scheme)
+
+
+
+# Password generation.
+
+_vowels = tuple('aeiou')
+_consonants = tuple(c for c in ascii_lowercase if c not in _vowels)
+_syllables = tuple(x + y for (x, y) in
+ chain(product(_vowels, _consonants),
+ product(_consonants, _vowels)))
+
+
+def make_user_friendly_password(length=None):
+ """Make a random *user friendly* password.
+
+ Such passwords are nominally easier to pronounce and thus remember. Their
+ security in relationship to purely random passwords has not been
+ determined.
+
+ :param length: Minimum length in characters for the resulting password.
+ The password will always be an even number of characters. When
+ omitted, the system default length will be used.
+ :type length: int
+ :return: The user friendly password.
+ :rtype: unicode
+ """
+ if length is None:
+ length = int(config.passwords.password_length)
+ syllables = []
+ while len(syllables) * 2 < length:
+ syllables.append(random.choice(_syllables))
+ return EMPTYSTRING.join(syllables)[:length]
generated by cgit v1.2.3-70-g09d2 (git 2.51.2) at 2025-11-09 11:48:50 +0000