apg-go/random.go

375 lines
11 KiB
Go
Raw Permalink Normal View History

// SPDX-FileCopyrightText: 2021-2024 Winni Neessen <wn@neessen.dev>
//
// SPDX-License-Identifier: MIT
package apg
import (
"crypto/rand"
"encoding/binary"
"errors"
"fmt"
"math/big"
"os"
"regexp"
"strings"
)
const (
// 7 bits to represent a letter index
letterIdxBits = 7
// All 1-bits, as many as letterIdxBits
letterIdxMask = 1<<letterIdxBits - 1
// # of letter indices fitting in 63 bits)
letterIdxMax = 63 / letterIdxBits
)
// maxInt32 is the maximum positive value for a int32 number type
const maxInt32 = 2147483647
var (
// ErrInvalidLength is returned if the provided maximum number is equal or less than zero
ErrInvalidLength = errors.New("provided length value cannot be zero or less")
// ErrLengthMismatch is returned if the number of generated bytes does not match the expected length
ErrLengthMismatch = errors.New("number of generated random bytes does not match the expected length")
// ErrInvalidCharRange is returned if the given range of characters is not valid
ErrInvalidCharRange = errors.New("provided character range is not valid or empty")
)
// CoinFlip performs a simple coinflip based on the rand library and returns 1 or 0
func (g *Generator) CoinFlip() int64 {
coinFlip, _ := g.RandNum(2)
return coinFlip
}
// CoinFlipBool performs a simple coinflip based on the rand library and returns true or false
func (g *Generator) CoinFlipBool() bool {
return g.CoinFlip() == 1
}
// Generate generates a password based on all the different config flags and returns
// it as string type. If the generation fails, an error will be thrown
func (g *Generator) Generate() (string, error) {
switch g.config.Algorithm {
case AlgoPronounceable:
return g.generatePronounceable()
case AlgoCoinFlip:
return g.generateCoinFlip()
case AlgoRandom:
return g.generateRandom()
case AlgoBinary:
return g.generateBinary()
case AlgoUnsupported:
return "", fmt.Errorf("unsupported algorithm")
default:
return "", fmt.Errorf("unsupported algorithm")
}
}
// GetCharRangeFromConfig checks the Mode from the Config and returns a
// list of all possible characters that are supported by these Mode
func (g *Generator) GetCharRangeFromConfig() string {
charRange := strings.Builder{}
if MaskHasMode(g.config.Mode, ModeLowerCase) {
switch MaskHasMode(g.config.Mode, ModeHumanReadable) {
case true:
charRange.WriteString(CharRangeAlphaLowerHuman)
default:
charRange.WriteString(CharRangeAlphaLower)
}
}
if MaskHasMode(g.config.Mode, ModeNumeric) {
switch MaskHasMode(g.config.Mode, ModeHumanReadable) {
case true:
charRange.WriteString(CharRangeNumericHuman)
default:
charRange.WriteString(CharRangeNumeric)
}
}
if MaskHasMode(g.config.Mode, ModeSpecial) {
switch MaskHasMode(g.config.Mode, ModeHumanReadable) {
case true:
charRange.WriteString(CharRangeSpecialHuman)
default:
charRange.WriteString(CharRangeSpecial)
}
}
if MaskHasMode(g.config.Mode, ModeUpperCase) {
switch MaskHasMode(g.config.Mode, ModeHumanReadable) {
case true:
charRange.WriteString(CharRangeAlphaUpperHuman)
default:
charRange.WriteString(CharRangeAlphaUpper)
}
}
if g.config.ExcludeChars != "" {
rex, err := regexp.Compile("[" + regexp.QuoteMeta(g.config.ExcludeChars) + "]")
if err == nil {
newRange := rex.ReplaceAllLiteralString(charRange.String(), "")
charRange.Reset()
charRange.WriteString(newRange)
} else {
_, _ = fmt.Fprintf(os.Stderr, "failed to exclude characters: %s\n", err)
}
}
return charRange.String()
}
// GetPasswordLength returns the password length based on the given config
// parameters
func (g *Generator) GetPasswordLength() (int64, error) {
if g.config.FixedLength > 0 {
return g.config.FixedLength, nil
}
minLength := g.config.MinLength
maxLength := g.config.MaxLength
if minLength > maxLength {
maxLength = minLength
}
diff := maxLength - minLength + 1
randNum, err := g.RandNum(diff)
if err != nil {
return 0, err
}
length := minLength + randNum
if length <= 0 {
return 1, nil
}
return length, nil
}
// RandomBytes returns a byte slice of random bytes with given length that got generated by
// the crypto/rand generator
func (g *Generator) RandomBytes(length int64) ([]byte, error) {
if length < 1 {
return nil, ErrInvalidLength
}
bytes := make([]byte, length)
numBytes, err := rand.Read(bytes)
if int64(numBytes) != length {
return nil, ErrLengthMismatch
}
if err != nil {
return nil, err
}
return bytes, nil
}
// RandNum generates a random, non-negative number with given maximum value
func (g *Generator) RandNum(max int64) (int64, error) {
if max < 1 {
return 0, ErrInvalidLength
}
max64 := big.NewInt(max)
randNum, err := rand.Int(rand.Reader, max64)
if err != nil {
return 0, fmt.Errorf("random number generation failed: %w", err)
}
return randNum.Int64(), nil
}
// RandomStringFromCharRange returns a random string of length l based of the range of characters given.
// The method makes use of the crypto/random package and therfore is
// cryptographically secure
func (g *Generator) RandomStringFromCharRange(length int64, charRange string) (string, error) {
if length < 1 {
return "", ErrInvalidLength
}
if len(charRange) < 1 {
return "", ErrInvalidCharRange
}
randString := strings.Builder{}
// As long as the length is smaller than the max. int32 value let's grow
// the string builder to the actual size, so we need less allocations
if length <= maxInt32 {
randString.Grow(int(length))
}
charRangeLength := len(charRange)
randPool := make([]byte, 8)
_, err := rand.Read(randPool)
if err != nil {
return randString.String(), err
}
for idx, char, rest := length-1, binary.BigEndian.Uint64(randPool), letterIdxMax; idx >= 0; {
if rest == 0 {
_, err = rand.Read(randPool)
if err != nil {
return randString.String(), err
}
char, rest = binary.BigEndian.Uint64(randPool), letterIdxMax
}
if i := int(char & letterIdxMask); i < charRangeLength {
randString.WriteByte(charRange[i])
idx--
}
char >>= letterIdxBits
rest--
}
return randString.String(), nil
}
// checkMinimumRequirements checks if a password meets the minimum requirements specified in the
// generator's configuration. It returns true if the password meets the requirements, otherwise it
// returns false.
//
// The minimum requirements for each character type (lowercase, numeric, special, uppercase) are
// checked independently. For each character type, the corresponding character range is determined
// based on the generator's configuration. The password is then checked for the presence of each
// character in the character range, and a count is maintained.
func (g *Generator) checkMinimumRequirements(password string) bool {
ok := true
if g.config.MinLowerCase > 0 {
var charRange string
switch MaskHasMode(g.config.Mode, ModeHumanReadable) {
case true:
charRange = CharRangeAlphaLowerHuman
default:
charRange = CharRangeAlphaLower
}
matchesMinimumAmount(charRange, password, g.config.MinLowerCase, &ok)
}
if g.config.MinNumeric > 0 {
var charRange string
switch MaskHasMode(g.config.Mode, ModeHumanReadable) {
case true:
charRange = CharRangeNumericHuman
default:
charRange = CharRangeNumeric
}
matchesMinimumAmount(charRange, password, g.config.MinNumeric, &ok)
}
if g.config.MinSpecial > 0 {
var charRange string
switch MaskHasMode(g.config.Mode, ModeHumanReadable) {
case true:
charRange = CharRangeSpecialHuman
default:
charRange = CharRangeSpecial
}
matchesMinimumAmount(charRange, password, g.config.MinSpecial, &ok)
}
if g.config.MinUpperCase > 0 {
var charRange string
switch MaskHasMode(g.config.Mode, ModeHumanReadable) {
case true:
charRange = CharRangeAlphaUpperHuman
default:
charRange = CharRangeAlphaUpper
}
matchesMinimumAmount(charRange, password, g.config.MinUpperCase, &ok)
}
return ok
}
// generateCoinFlip is executed when Generate() is called with Algorithm set
// to AlgoCoinFlip
func (g *Generator) generateCoinFlip() (string, error) {
if g.CoinFlipBool() {
return "Heads", nil
}
return "Tails", nil
}
// generatePronounceable is executed when Generate() is called with Algorithm set
// to AlgoPronounceable
func (g *Generator) generatePronounceable() (string, error) {
var password string
g.syllables = make([]string, 0)
length, err := g.GetPasswordLength()
if err != nil {
return "", fmt.Errorf("failed to calculate password length: %w", err)
}
characterSet := KoremutakeSyllables
characterSet = append(characterSet, strings.Split(CharRangeNumericHuman, "")...)
characterSet = append(characterSet, strings.Split(CharRangeSpecialHuman, "")...)
characterSetLength := len(characterSet)
for int64(len(password)) < length {
randNum, err := g.RandNum(int64(characterSetLength))
if err != nil {
return "", fmt.Errorf("failed to generate a random number for Koremutake syllable generation: %w",
err)
}
nextSyllable := characterSet[randNum]
if g.CoinFlipBool() {
syllableLength := len(nextSyllable)
characterPosition, err := g.RandNum(int64(syllableLength))
if err != nil {
return "", fmt.Errorf("failed to generate a random number for Koremutake syllable generation: %w",
err)
}
randomChar := string(nextSyllable[characterPosition])
nextSyllable = strings.ReplaceAll(nextSyllable, randomChar, strings.ToUpper(randomChar))
}
password += nextSyllable
g.syllables = append(g.syllables, nextSyllable)
}
return password, nil
}
// generateBinary is executed when Generate() is called with Algorithm set
// to AlgoBinary
func (g *Generator) generateBinary() (string, error) {
length := DefaultBinarySize
if g.config.FixedLength > 0 {
length = g.config.FixedLength
}
randBytes := make([]byte, length)
_, err := rand.Read(randBytes)
if err != nil {
return "", fmt.Errorf("failed to generate random bytes: %w", err)
}
if g.config.BinaryHexMode {
return fmt.Sprintf("%x", randBytes), nil
}
return string(randBytes), nil
}
// generateRandom is executed when Generate() is called with Algorithm set
// to AlgoRandom
func (g *Generator) generateRandom() (string, error) {
length, err := g.GetPasswordLength()
if err != nil {
return "", fmt.Errorf("failed to calculate password length: %w", err)
}
charRange := g.GetCharRangeFromConfig()
var password string
var ok bool
for !ok {
password, err = g.RandomStringFromCharRange(length, charRange)
if err != nil {
return "", err
}
ok = g.checkMinimumRequirements(password)
}
if g.config.MobileGrouping {
return GroupCharsForMobile(password), nil
}
return password, nil
}
// matchesMinimumAmount checks if the number of occurrences of characters in
// charRange in the password is less than minAmount and updates the
// value of ok accordingly.
func matchesMinimumAmount(charRange, password string, minAmount int64, ok *bool) {
count := 0
for _, char := range charRange {
count += strings.Count(password, string(char))
}
if int64(count) < minAmount {
*ok = false
}
}