Merge pull request #8079 from...

Merge pull request #8079 from metabase/respect-password-complexity-requirements-when-generating-new-password Respect password complexity requirements when generating new password

Merge pull request #8079 from...
2657fc56 · Cam Saul · GitHub · a9cf679f · b3fd16e3 · 2657fc56
Unverified Commit 2657fc56 authored 6 years ago by Cam Saul Committed by GitHub 6 years ago
--- a/frontend/src/metabase/admin/people/containers/PeopleListingApp.jsx
+++ b/frontend/src/metabase/admin/people/containers/PeopleListingApp.jsx
@@ -160,10 +160,7 @@ export default class PeopleListingApp extends Component {
      });
    } else {
      // generate a password
-      const password = MetabaseUtils.generatePassword(
+      const password = MetabaseUtils.generatePassword();
-        14,
-        MetabaseSettings.get("password_complexity"),
-      );
      // trigger the reset
      this.props.resetPasswordManually(user, password);

--- a/frontend/src/metabase/auth/containers/PasswordResetApp.jsx
+++ b/frontend/src/metabase/auth/containers/PasswordResetApp.jsx
@@ -93,7 +93,9 @@ export default class PasswordResetApp extends Component {
  render() {
    const { resetError, resetSuccess, newUserJoining } = this.props;
-    const passwordComplexity = MetabaseSettings.passwordComplexity(false);
+    const passwordComplexity = MetabaseSettings.passwordComplexityDescription(
+      false,
+    );
    const requestLink = (
      <Link to="/auth/forgot_password" className="link">

--- a/frontend/src/metabase/lib/settings.js
+++ b/frontend/src/metabase/lib/settings.js
@@ -80,7 +80,11 @@ const MetabaseSettings = {
    );
  },
-  passwordComplexity: function(capitalize) {
+  // returns a map that looks like {total: 6, digit: 1}
+  passwordComplexityRequirements: () => mb_settings.password_complexity,
+  // returns a description of password complexity requirements rather than the actual map of requirements
+  passwordComplexityDescription: function(capitalize) {
    const complexity = this.get("password_complexity");
    const clauseDescription = function(clause) {

--- a/frontend/src/metabase/lib/utils.js
+++ b/frontend/src/metabase/lib/utils.js
 import generatePassword from "password-generator";
 import { t } from "c-3po";
+import MetabaseSettings from "metabase/lib/settings";
 const LAYOUT_PROPS = [
  "m",
@@ -42,20 +43,21 @@ function s4() {
 // provides functions for building urls to things we care about
 let MetabaseUtils = {
-  generatePassword: function(length, complexity) {
+  // generate a password that satisfies `complexity` requirements, by default the ones that come back in the
-    const len = length || 14;
+  // `password_complexity` Setting; must be a map like {total: 6, number: 1}
+  generatePassword: function(complexity) {
-    if (!complexity) {
+    complexity =
-      return generatePassword(len, false);
+      complexity || MetabaseSettings.passwordComplexityRequirements() || {};
-    } else {
+    // fall back to length of 14 if the password_complexity Setting isn't set or total isn't passed in
-      let password = "";
+    const len = complexity.total || 14;
-      let tries = 0;
-      while (!isStrongEnough(password) && tries < 100) {
+    let password = "";
-        password = generatePassword(len, false, /[\w\d\?\-]/);
+    let tries = 0;
-        tries++;
+    while (!isStrongEnough(password) && tries < 100) {
-      }
+      password = generatePassword(len, false, /[\w\d\?\-]/);
-      return password;
+      tries++;
    }
+    return password;
    function isStrongEnough(password) {
      let uc = password.match(/([A-Z])/g);

--- a/frontend/src/metabase/setup/components/UserStep.jsx
+++ b/frontend/src/metabase/setup/components/UserStep.jsx
@@ -149,7 +149,7 @@ export default class UserStep extends Component {
    let { activeStep, setActiveStep, stepNumber, userDetails } = this.props;
    let { formError, passwordError, valid } = this.state;
-    const passwordComplexityDesc = MetabaseSettings.passwordComplexity();
+    const passwordComplexityDesc = MetabaseSettings.passwordComplexityDescription();
    const stepText =
      activeStep <= stepNumber
        ? t`What should we call you?`

--- a/frontend/src/metabase/user/components/SetUserPassword.jsx
+++ b/frontend/src/metabase/user/components/SetUserPassword.jsx
@@ -88,7 +88,9 @@ export default class SetUserPassword extends Component {
  render() {
    const { updatePasswordResult } = this.props;
    let { formError, valid } = this.state;
-    const passwordComplexity = MetabaseSettings.passwordComplexity(true);
+    const passwordComplexity = MetabaseSettings.passwordComplexityDescription(
+      true,
+    );
    formError =
      updatePasswordResult && !formError ? updatePasswordResult : formError;

--- a/frontend/test/lib/utils.unit.spec.js
+++ b/frontend/test/lib/utils.unit.spec.js
 import MetabaseUtils from "metabase/lib/utils";
+import MetabaseSettings from "metabase/lib/settings";
 describe("utils", () => {
  describe("generatePassword", () => {
-    it("defaults to length 14 passwords", () => {
+    it("defaults to complexity requirements from Settings", () => {
-      expect(MetabaseUtils.generatePassword().length).toBe(14);
+      MetabaseSettings.set("password_complexity", { total: 10 });
+      expect(MetabaseUtils.generatePassword().length).toBe(10);
+    });
+    it("falls back to length 14 passwords", () => {
+      expect(MetabaseUtils.generatePassword({}).length).toBe(14);
    });
    it("creates passwords for the length we specify", () => {
-      expect(MetabaseUtils.generatePassword(25).length).toBe(25);
+      expect(MetabaseUtils.generatePassword({ total: 25 }).length).toBe(25);
    });
    it("can enforce ", () => {
      expect(
-        MetabaseUtils.generatePassword(14, { digit: 2 }).match(/([\d])/g)
+        MetabaseUtils.generatePassword({ total: 14, digit: 2 }).match(/([\d])/g)
          .length >= 2,
      ).toBe(true);
    });
    it("can enforce digit requirements", () => {
      expect(
-        MetabaseUtils.generatePassword(14, { digit: 2 }).match(/([\d])/g)
+        MetabaseUtils.generatePassword({ total: 14, digit: 2 }).match(/([\d])/g)
          .length >= 2,
      ).toBe(true);
    });
    it("can enforce uppercase requirements", () => {
      expect(
-        MetabaseUtils.generatePassword(14, { uppercase: 2 }).match(/([A-Z])/g)
+        MetabaseUtils.generatePassword({ total: 14, uppercase: 2 }).match(
-          .length >= 2,
+          /([A-Z])/g,
+        ).length >= 2,
      ).toBe(true);
    });
    it("can enforce special character requirements", () => {
      expect(
-        MetabaseUtils.generatePassword(14, { special: 2 }).match(
+        MetabaseUtils.generatePassword({ total: 14, special: 2 }).match(
          /([!@#\$%\^\&*\)\(+=._-{}])/g,
        ).length >= 2,
      ).toBe(true);

--- a/src/metabase/util/password.clj
+++ b/src/metabase/util/password.clj
 (ns metabase.util.password
+  "Utility functions for checking passwords against hashes and for making sure passwords match complexity requirements."
  (:require [cemerick.friend.credentials :as creds]
            [metabase
             [config :as config]