/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ "use strict"; /** * This file is a port of a subset of Chromium's implementation from * https://cs.chromium.org/chromium/src/components/password_manager/core/browser/generation/password_generator.cc?l=93&rcl=a896a3ac4ea731b5ab3d2ab5bd76a139885d5c4f * which is Copyright 2018 The Chromium Authors. All rights reserved. */ const EXPORTED_SYMBOLS = ["PasswordGenerator"]; const DEFAULT_PASSWORD_LENGTH = 15; const MAX_UINT8 = Math.pow(2, 8) - 1; const MAX_UINT32 = Math.pow(2, 32) - 1; // Some characters are removed due to visual similarity: const LOWER_CASE_ALPHA = "abcdefghijkmnpqrstuvwxyz"; // no 'l' or 'o' const UPPER_CASE_ALPHA = "ABCDEFGHJKLMNPQRSTUVWXYZ"; // no 'I' or 'O' const DIGITS = "23456789"; // no '1' or '0' const SPECIAL_CHARACTERS = " -~!@#$%^&*_+=`|(){}[:;\"'<>,.?]"; const REQUIRED_CHARACTER_CLASSES = [LOWER_CASE_ALPHA, UPPER_CASE_ALPHA, DIGITS]; // Consts for different password rules const REQUIRED = "required"; const MAX_LENGTH = "maxlength"; const MIN_LENGTH = "minlength"; const MAX_CONSECUTIVE = "max-consecutive"; const UPPER = "upper"; const LOWER = "lower"; const DIGIT = "digit"; const SPECIAL = "special"; // Default password rules const DEFAULT_RULES = new Map(); DEFAULT_RULES.set(MIN_LENGTH, REQUIRED_CHARACTER_CLASSES.length); DEFAULT_RULES.set(MAX_LENGTH, MAX_UINT8); DEFAULT_RULES.set(REQUIRED, [UPPER, LOWER, DIGIT]); const PasswordGenerator = { /** * @param {Object} options * @param {number} options.length - length of the generated password if there are no rules that override the length * @param {Map} options.rules - map of password rules * @returns {string} password that was generated * @throws Error if `length` is invalid * @copyright 2018 The Chromium Authors. All rights reserved. * @see https://cs.chromium.org/chromium/src/components/password_manager/core/browser/generation/password_generator.cc?l=93&rcl=a896a3ac4ea731b5ab3d2ab5bd76a139885d5c4f */ generatePassword({ length = DEFAULT_PASSWORD_LENGTH, rules = DEFAULT_RULES, }) { rules = new Map([...DEFAULT_RULES, ...rules]); if (rules.get(MIN_LENGTH) > length) { length = rules.get(MIN_LENGTH); } if (rules.get(MAX_LENGTH) < length) { length = rules.get(MAX_LENGTH); } let password = ""; let requiredClasses = []; let allRequiredCharacters = ""; // Generate one character of each required class and/or required character list from the rules this._addRequiredClassesAndCharacters(rules, requiredClasses); // Generate one of each required class for (const charClassString of requiredClasses) { password += charClassString[this._randomUInt8Index(charClassString.length)]; if (Array.isArray(charClassString)) { // Convert array into single string so that commas aren't // concatenated with each character in the arbitrary character array. allRequiredCharacters += charClassString.join(""); } else { allRequiredCharacters += charClassString; } } // Now fill the rest of the password with random characters. while (password.length < length) { password += allRequiredCharacters[ this._randomUInt8Index(allRequiredCharacters.length) ]; } // So far the password contains the minimally required characters at the // the beginning. Therefore, we create a random permutation. password = this._shuffleString(password); // Make sure the password passes the "max-consecutive" rule, if the rule exists if (rules.has(MAX_CONSECUTIVE)) { // Ensures that a password isn't shuffled an infinite number of times. const DEFAULT_NUMBER_OF_SHUFFLES = 15; let shuffleCount = 0; let consecutiveFlag = this._checkConsecutiveCharacters( password, rules.get(MAX_CONSECUTIVE) ); while (!consecutiveFlag) { password = this._shuffleString(password); consecutiveFlag = this._checkConsecutiveCharacters( password, rules.get(MAX_CONSECUTIVE) ); ++shuffleCount; if (shuffleCount === DEFAULT_NUMBER_OF_SHUFFLES) { consecutiveFlag = true; } } } return password; }, /** * Adds special characters and/or other required characters to the requiredCharacters array. * @param {Map} rules * @param {string[]} requiredClasses */ _addRequiredClassesAndCharacters(rules, requiredClasses) { for (const charClass of rules.get(REQUIRED)) { if (charClass === UPPER) { requiredClasses.push(UPPER_CASE_ALPHA); } else if (charClass === LOWER) { requiredClasses.push(LOWER_CASE_ALPHA); } else if (charClass === DIGIT) { requiredClasses.push(DIGITS); } else if (charClass === SPECIAL) { requiredClasses.push(SPECIAL_CHARACTERS); } else { requiredClasses.push(charClass); } } }, /** * @param range to generate the number in * @returns a random number in range [0, range). * @copyright 2018 The Chromium Authors. All rights reserved. * @see https://cs.chromium.org/chromium/src/base/rand_util.cc?l=58&rcl=648a59893e4ed5303b5c381b03ce0c75e4165617 */ _randomUInt8Index(range) { if (range > MAX_UINT8) { throw new Error("`range` cannot fit into uint8"); } // We must discard random results above this number, as they would // make the random generator non-uniform (consider e.g. if // MAX_UINT64 was 7 and |range| was 5, then a result of 1 would be twice // as likely as a result of 3 or 4). // See https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle#Modulo_bias const MAX_ACCEPTABLE_VALUE = Math.floor(MAX_UINT8 / range) * range - 1; const randomValueArr = new Uint8Array(1); do { crypto.getRandomValues(randomValueArr); } while (randomValueArr[0] > MAX_ACCEPTABLE_VALUE); return randomValueArr[0] % range; }, /** * Shuffle the order of characters in a string. * @param {string} str to shuffle * @returns {string} shuffled string */ _shuffleString(str) { let arr = Array.from(str); // Generate all the random numbers that will be needed. const randomValues = new Uint32Array(arr.length - 1); crypto.getRandomValues(randomValues); // Fisher-Yates Shuffle // https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle for (let i = arr.length - 1; i > 0; i--) { const j = Math.floor((randomValues[i - 1] / MAX_UINT32) * (i + 1)); [arr[i], arr[j]] = [arr[j], arr[i]]; } return arr.join(""); }, /** * Determine the number of consecutive characters in a string. * This is primarily used to validate the "max-consecutive" rule * of a generated password. * @param {string} generatedPassword * @param {number} value the number of consecutive characters allowed * @return {boolean} `true` if the generatePassword has less than the value argument number of characters, `false` otherwise */ _checkConsecutiveCharacters(generatedPassword, value) { let max = 0; for (let start = 0, end = 1; end < generatedPassword.length; ) { if (generatedPassword[end] === generatedPassword[start]) { if (max < end - start + 1) { max = end - start + 1; if (max > value) { return false; } } end++; } else { start = end++; } } return true; }, _getUpperCaseCharacters() { return UPPER_CASE_ALPHA; }, _getLowerCaseCharacters() { return LOWER_CASE_ALPHA; }, _getDigits() { return DIGITS; }, _getSpecialCharacters() { return SPECIAL_CHARACTERS; }, };