(SIMP-10456) Better password randomization (#264)

- Fixed
  - Increased randomization in simplib::gen_random_password

SIMP-10456 #comment better password randomization for FIPS mode

Author: trevor-vaughan

CHANGELOG

@@ -1,3 +1,7 @@
+* Thu Sep 23 2021 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.10.1
+- Fixed
+  - Increased randomization in simplib::gen_random_password
+
 * Tue Aug 03 2021 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.10.0
 - Fixed
   - simplib::cron::hour_entry now supports comma separated lists

lib/puppet/functions/simplib/gen_random_password.rb

@@ -31,44 +31,64 @@ def gen_random_password(length, complexity=nil, complex_only=false, timeout_seco
     require 'timeout'
     passwd = ''
     Timeout::timeout(timeout_seconds) do
-      default_charlist = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a
-      specific_charlist = nil
+      lower_charlist = ('a'..'z').to_a
+      upper_charlist = ('A'..'Z').to_a
+      digit_charlist = ('0'..'9').to_a
+      symbol_charlist = nil
       case complexity
         when 1
-          specific_charlist = ['@','%','-','_','+','=','~']
+          symbol_charlist = ['@','%','-','_','+','=','~']
         when 2
-          specific_charlist = (' '..'/').to_a + ('['..'`').to_a + ('{'..'~').to_a
+          symbol_charlist = (' '..'/').to_a + ('['..'`').to_a + ('{'..'~').to_a
         else
       end
 
-      unless specific_charlist.nil?
+      unless symbol_charlist.nil?
         if complex_only == true
           charlists = [
-            specific_charlist
+            symbol_charlist
           ]
         else
           charlists = [
-            default_charlist,
-            specific_charlist
+            lower_charlist,
+            upper_charlist,
+            digit_charlist,
+            symbol_charlist
           ]
         end
 
       else
         charlists = [
-          default_charlist
+          lower_charlist,
+          upper_charlist,
+          digit_charlist
         ]
       end
 
-      index = 0
+      last_list_rand = nil
+      last_char_rand = nil
       Integer(length).times do |i|
-        passwd += charlists[index][rand(charlists[index].length-1)]
-        index += 1
-        index = 0 if index == charlists.length
+        rand_list_index = rand(charlists.length).floor
+
+        if rand_list_index == last_list_rand
+          rand_list_index = rand_list_index-1
+        end
+
+        last_list_rand = rand_list_index
+
+        rand_index = rand(charlists[rand_list_index].length).floor
+
+        if rand_index == last_char_rand
+          rand_index = rand_index-1
+        end
+
+        passwd += charlists[rand_list_index][rand_index]
+
+        last_char_rand = rand_index
       end
     end
 
     return passwd
   end
-
 end
 # vim: set expandtab ts=2 sw=2:

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "simp-simplib",
-  "version": "4.10.0",
+  "version": "4.10.1",
   "author": "SIMP Team",
   "summary": "A collection of common SIMP functions, facts, and types",
   "license": "Apache-2.0",

spec/functions/simplib/gen_random_password_spec.rb

@@ -45,7 +45,7 @@
       expect(result).not_to match(/(#{(unsafe_special_chars).join('|')})/)
     end
 
-    it 'should return a password that contains all special characters if complexity is 2' do
+    it 'should return a password that contains all normal and special characters if complexity is 2' do
       result = subject.execute(32, 2)
       expect(result.length).to eql(32)
       expect(result).to match(/(#{default_chars.join('|')})/)