MM-19553: Generate valid passwords on bulk import. (#12871)

This changes the bulk import so when it needs to generate a password because no password or auth data was supplied, it now takes into account the configured minimum length, as well as assuming all other distinct character types are configured to be required. It should now generate valid passwords regardless of the password policy configuration in the Mattermost configuration file.
2025-02-25 18:55:24 -06:00 · 2019-10-30 16:57:51 +00:00
parent f9a7a16a78
commit 1b95ee9834
3 changed files with 50 additions and 1 deletions
--- a/app/import_functions.go
+++ b/app/import_functions.go
@@ -334,7 +334,7 @@ func (a *App) ImportUser(data *UserImportData, dryRun bool) *model.AppError {
 		authData = nil
 	} else {
 		// If no AuthData or Password is specified, we must generate a password.
-		password = model.NewId()
+		password = model.GeneratePassword(*a.Config().PasswordSettings.MinimumLength)
 		authData = nil
 	}

--- a/model/user.go
+++ b/model/user.go
@@ -9,10 +9,12 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"math/rand"
 	"net/http"
 	"regexp"
 	"sort"
 	"strings"
+	"time"
 	"unicode/utf8"

 	"github.com/mattermost/mattermost-server/services/timezones"
@@ -836,3 +838,27 @@ func UsersWithGroupsAndCountFromJson(data io.Reader) *UsersWithGroupsAndCount {
 	json.Unmarshal(bodyBytes, uwg)
 	return uwg
 }
+
+var passwordRandomSource = rand.NewSource(time.Now().Unix())
+var passwordSpecialChars = "!$%^&*(),."
+var passwordNumbers = "0123456789"
+var passwordUpperCaseLetters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+var passwordLowerCaseLetters = "abcdefghijklmnopqrstuvwxyz"
+var passwordAllChars = passwordSpecialChars + passwordNumbers + passwordUpperCaseLetters + passwordLowerCaseLetters
+
+func GeneratePassword(minimumLength int) string {
+	r := rand.New(passwordRandomSource)
+
+	// Make sure we are guaranteed at least one of each type to meet any possible password complexity requirements.
+	password := string([]rune(passwordUpperCaseLetters)[r.Intn(len(passwordUpperCaseLetters))]) +
+		string([]rune(passwordNumbers)[r.Intn(len(passwordNumbers))]) +
+		string([]rune(passwordLowerCaseLetters)[r.Intn(len(passwordLowerCaseLetters))]) +
+		string([]rune(passwordSpecialChars)[r.Intn(len(passwordSpecialChars))])
+
+	for len(password) < minimumLength {
+		i := r.Intn(len(passwordAllChars))
+		password = password + string([]rune(passwordAllChars)[i])
+	}
+
+	return password
+}
--- a/model/user_test.go
+++ b/model/user_test.go
@@ -5,6 +5,7 @@ package model

 import (
 	"fmt"
+	"math/rand"
 	"net/http"
 	"strings"
 	"testing"
@@ -350,3 +351,25 @@ func TestUserSlice(t *testing.T) {
 		assert.Equal(t, 1, len(nonBotUsers))
 	})
 }
+
+func TestGeneratePassword(t *testing.T) {
+	passwordRandomSource = rand.NewSource(12345)
+
+	t.Run("Should be the minimum length or 4, whichever is less", func(t *testing.T) {
+		password1 := GeneratePassword(5)
+		assert.Len(t, password1, 5)
+		password2 := GeneratePassword(10)
+		assert.Len(t, password2, 10)
+		password3 := GeneratePassword(1)
+		assert.Len(t, password3, 4)
+	})
+
+	t.Run("Should contain at least one of symbols, upper case, lower case and numbers", func(t *testing.T) {
+		password := GeneratePassword(4)
+		require.Len(t, password, 4)
+		assert.Contains(t, []rune(passwordUpperCaseLetters), []rune(password)[0])
+		assert.Contains(t, []rune(passwordNumbers), []rune(password)[1])
+		assert.Contains(t, []rune(passwordLowerCaseLetters), []rune(password)[2])
+		assert.Contains(t, []rune(passwordSpecialChars), []rune(password)[3])
+	})
+}