2 files changed, 146 insertions, 2 deletions

diff --git a/src/mailman/utilities/passwords.py b/src/mailman/utilities/passwords.py
index c14584748..896872436 100644
--- a/src/mailman/utilities/passwords.py
+++ b/src/mailman/utilities/passwords.py
@@ -26,24 +26,32 @@ __metaclass__ = type
 __all__ = [
     'Schemes',
     'check_response',
+    'encrypt_password',
     'make_secret',
+    'make_user_friendly_password',
     ]
 
 
 import os
 import re
 import hmac
+import random
 import hashlib
 
 from array import array
 from base64 import urlsafe_b64decode as decode
 from base64 import urlsafe_b64encode as encode
 from flufl.enum import Enum
+from itertools import chain, product
+from string import ascii_lowercase
 
+from mailman.config import config
 from mailman.core import errors
 
 SALT_LENGTH = 20 # bytes
 ITERATIONS  = 2000
+EMPTYSTRING = ''
+SCHEME_RE = r'{(?P<scheme>[^}]+?)}(?P<rest>.*)'
 
 
 
@@ -288,8 +296,7 @@ def check_response(challenge, response):
     :return: True if the response matches the challenge.
     :rtype: bool
     """
-    mo = re.match(r'{(?P<scheme>[^}]+?)}(?P<rest>.*)',
-                  challenge, re.IGNORECASE)
+    mo = re.match(SCHEME_RE, challenge, re.IGNORECASE)
     if not mo:
         return False
     # See above for why we convert here.  However because we should have
@@ -315,3 +322,71 @@ def lookup_scheme(scheme_name):
     :rtype: `PasswordScheme`
     """
     return _SCHEMES_BY_TAG.get(scheme_name.lower())
+
+
+def encrypt_password(password, scheme=None):
+    """Return an encrypted password.
+
+    If the given password is already encrypted (i.e. it has a scheme prefix),
+    then the password is return unchanged.  Otherwise, it is encrypted with
+    the given scheme or the default scheme.
+
+    :param password: The plain text or encrypted password.
+    :type password: string
+    :param scheme: The scheme enum to use for encryption.  If not given, the
+        system default scheme is used.  This can be a `Schemes` enum item, or
+        the scheme name as a string.
+    :type scheme: `Schemes` enum, or string.
+    :return: The encrypted password.
+    :rtype: bytes
+    """
+    if not isinstance(password, (bytes, unicode)):
+        raise ValueError('Got {0}, expected unicode or bytes'.format(
+                         type(password)))
+    if re.match(SCHEME_RE, password, re.IGNORECASE):
+        # Just ensure we're getting bytes back.
+        if isinstance(password, unicode):
+            return password.encode('us-ascii')
+        assert isinstance(password, bytes), 'Expected bytes'
+        return password
+    if scheme is None:
+        password_scheme = lookup_scheme(config.passwords.password_scheme)
+    elif scheme in Schemes:
+        password_scheme = scheme
+    else:
+        password_scheme = lookup_scheme(scheme)
+    if password_scheme is None:
+        raise ValueError('Bad password scheme: {0}'.format(scheme))
+    return make_secret(password, password_scheme)
+
+
+
+# Password generation.
+
+_vowels = tuple('aeiou')
+_consonants = tuple(c for c in ascii_lowercase if c not in _vowels)
+_syllables = tuple(x + y for (x, y) in
+                   chain(product(_vowels, _consonants),
+                         product(_consonants, _vowels)))
+
+
+def make_user_friendly_password(length=None):
+    """Make a random *user friendly* password.
+
+    Such passwords are nominally easier to pronounce and thus remember.  Their
+    security in relationship to purely random passwords has not been
+    determined.
+
+    :param length: Minimum length in characters for the resulting password.
+        The password will always be an even number of characters.  When
+        omitted, the system default length will be used.
+    :type length: int
+    :return: The user friendly password.
+    :rtype: unicode
+    """
+    if length is None:
+        length = int(config.passwords.password_length)
+    syllables = []
+    while len(syllables) * 2 < length:
+        syllables.append(random.choice(_syllables))
+    return EMPTYSTRING.join(syllables)[:length]
diff --git a/src/mailman/utilities/tests/test_passwords.py b/src/mailman/utilities/tests/test_passwords.py
index 60c201a5a..c9b3d2e91 100644
--- a/src/mailman/utilities/tests/test_passwords.py
+++ b/src/mailman/utilities/tests/test_passwords.py
@@ -27,7 +27,11 @@ __all__ = [
 
 import unittest
 
+from itertools import izip_longest
+
+from mailman.config import config
 from mailman.core import errors
+from mailman.testing.layers import ConfigLayer
 from mailman.utilities import passwords
 
 
@@ -138,6 +142,70 @@ class TestSchemeLookup(unittest.TestCase):
 
 
 
+# See itertools doc page examples.
+def _grouper(seq):
+    args = [iter(seq)] * 2
+    return list(izip_longest(*args))
+
+
+class TestPasswordGeneration(unittest.TestCase):
+    layer = ConfigLayer
+
+    def test_default_user_friendly_password_length(self):
+        self.assertEqual(len(passwords.make_user_friendly_password()),
+                         int(config.passwords.password_length))
+
+    def test_provided_user_friendly_password_length(self):
+        self.assertEqual(len(passwords.make_user_friendly_password(12)), 12)
+
+    def test_provided_odd_user_friendly_password_length(self):
+        self.assertEqual(len(passwords.make_user_friendly_password(15)), 15)
+
+    def test_user_friendly_password(self):
+        password = passwords.make_user_friendly_password()
+        for pair in _grouper(password):
+            # There will always be one vowel and one non-vowel.
+            vowel = (pair[0] if pair[0] in 'aeiou' else pair[1])
+            consonant = (pair[0] if pair[0] not in 'aeiou' else pair[1])
+            self.assertTrue(vowel in 'aeiou', vowel)
+            self.assertTrue(consonant not in 'aeiou', consonant)
+
+    def test_encrypt_password_plaintext_default_scheme(self):
+        # Test that a plain text password gets encrypted.
+        self.assertEqual(passwords.encrypt_password('abc'),
+                         '{CLEARTEXT}abc')
+
+    def test_encrypt_password_plaintext(self):
+        # Test that a plain text password gets encrypted with the given scheme.
+        scheme = passwords.Schemes.sha
+        self.assertEqual(passwords.encrypt_password('abc', scheme),
+                         '{SHA}qZk-NkcGgWq6PiVxeFDCbJzQ2J0=')
+
+    def test_encrypt_password_plaintext_by_scheme_name(self):
+        # Test that a plain text password gets encrypted with the given
+        # scheme, which is given by name.
+        self.assertEqual(passwords.encrypt_password('abc', 'cleartext'),
+                         '{CLEARTEXT}abc')
+
+    def test_encrypt_password_already_encrypted_default_scheme(self):
+        # Test that a password which is already encrypted is return unchanged.
+        self.assertEqual(passwords.encrypt_password('{SHA}abc'), '{SHA}abc')
+
+    def test_encrypt_password_already_encrypted(self):
+        # Test that a password which is already encrypted is return unchanged,
+        # ignoring any requested scheme.
+        scheme = passwords.Schemes.cleartext
+        self.assertEqual(passwords.encrypt_password('{SHA}abc', scheme),
+                         '{SHA}abc')
+
+    def test_encrypt_password_password_value_error(self):
+        self.assertRaises(ValueError, passwords.encrypt_password, 7)
+
+    def test_encrypt_password_scheme_value_error(self):
+        self.assertRaises(ValueError, passwords.encrypt_password, 'abc', 'foo')
+
+
+
 def test_suite():
     suite = unittest.TestSuite()
     suite.addTest(unittest.makeSuite(TestBogusPasswords))
@@ -147,4 +215,5 @@ def test_suite():
     suite.addTest(unittest.makeSuite(TestSSHAPasswords))
     suite.addTest(unittest.makeSuite(TestPBKDF2Passwords))
     suite.addTest(unittest.makeSuite(TestSchemeLookup))
+    suite.addTest(unittest.makeSuite(TestPasswordGeneration))
     return suite