KC-1314: Add vault-style passphrase generation to Commander CLI #2164

Merged: sshrushanth-ks merged 4 commits into commander-add-passphrase-generation from commander-add-passphrase-generation-int on Jun 22, 2026
@sshrushanth-ks

Contributor

Summary

Added Vault-style passphrase generation to Commander using the bundled EFF word list, with support on generate --passphrase, $GEN:passphrase on record commands (including NSF), optional CLI overrides for word count/separator/capitals/digit, enterprise passphrase-* policy integration for generation, and Vault-aligned passphrase validation so valid passphrases are accepted on record add/update without --force when random-password rules would otherwise fail.

Changes

  • Added KeeperPassphraseGenerator in generator.py using the bundled EFF word list (7776 words), matching Vault behavior: pick-order words, configurable separator, optional capitalization per word, optional single digit on the first word only
  • Added $GEN:passphrase to record-add, record-update, and NSF record commands via RecordEditMixin.generate_password(), with optional parameters: word_count[,separator][,capitalize][,number]
  • Added generate --passphrase and passphrase-only CLI overrides: --pp-separator, --pp-capitalize / --pp-no-capitalize, --pp-number / --pp-no-number; --count sets word count in passphrase mode
  • Integrated enterprise GENERATED_PASSWORD_COMPLEXITY passphrase-* fields for generation; fall back to random password with a warning when passphrase-allow is false
  • Added Vault-aligned passphrase validation in PasswordComplexityEnforcer: re-validate as a passphrase when random-password rules fail; accept valid passphrases on record commands without --force
  • Refactored DicewarePasswordGenerator to share word-list loading; left $GEN:dice behavior unchanged for backward compatibility
  • Added unit tests in test_passphrase_generator.py and test_passphrase_enforcement.py
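
The generation and validation flow described above, as an added example that is not Commander's code. The word list is a constructed eight-word stand-in for the bundled EFF list, and the function names, the default word count, the digit placement (appended to the first word) and the two random-password rules are assumptions.

```python
import math
import secrets

# Constructed stand-in for the bundled 7776-word EFF list (not the real list).
SAMPLE_WORDS = ["anchor", "breeze", "cobalt", "dune", "ember", "fjord", "glacier", "harbor"]

def generate_passphrase(words, word_count=5, separator="-", capitalize=True, number=True):
    """Pick words with a CSPRNG, keep pick order, optionally add one digit to word 1."""
    picked = [secrets.choice(words) for _ in range(word_count)]
    if capitalize:
        picked = [w.capitalize() for w in picked]
    if number:
        picked[0] += str(secrets.randbelow(10))  # assumption: digit is appended
    return separator.join(picked)

def entropy_bits(list_size, word_count, number=True):
    """Entropy of uniform word picks, plus the optional single digit."""
    return word_count * math.log2(list_size) + (math.log2(10) if number else 0.0)

def random_rule_failures(password, upper_min=2, digit_min=2):
    """Hypothetical random-password rules (upper-min and digit-min only)."""
    failures = []
    if sum(c.isupper() for c in password) < upper_min:
        failures.append("upper-min")
    if sum(c.isdigit() for c in password) < digit_min:
        failures.append("digit-min")
    return failures

def passphrase_failures(password, words, word_min=5, separator="-"):
    """Hypothetical passphrase rules: enough tokens, every token a list word."""
    known = set(words)
    tokens = password.split(separator) if separator else [password]
    if tokens[0][-1:].isdigit():
        tokens[0] = tokens[0][:-1]  # allow the single digit on the first word
    failures = []
    if len(tokens) < word_min:
        failures.append("word-min")
    if any(t.lower() not in known for t in tokens):
        failures.append("unknown-word")
    return failures

def validate(password, words, **passphrase_policy):
    """Random rules first; on failure, re-validate the value as a passphrase."""
    failures = random_rule_failures(password)
    if not failures or not passphrase_failures(password, words, **passphrase_policy):
        return []
    return failures
```

With a 7776-word list, `entropy_bits(7776, 5)` is about 67.9 bits: roughly 12.9 bits per word plus about 3.3 for the digit.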

Introduce KeeperPassphraseGenerator using the bundled EFF word list and
wire it into generate --passphrase and :passphrase on record-add,
record-update, and nsf-record commands. Honor enterprise passphrase-* policy
fields with CLI/ overrides for word count, separator, capitals, and digit.

Add Vault-aligned passphrase validation in PasswordComplexityEnforcer so
passphrases that meet passphrase policy pass record commands without --force,
even when random password rules (upper-min, digit-min) would reject them.
Includes unit tests for generation, enforcement, and existing NSF coverage.
@sshrushanth-ks sshrushanth-ks self-assigned this Jun 19, 2026
@sshrushanth-ks sshrushanth-ks marked this pull request as ready for review June 19, 2026 09:46
Comment thread keepercommander/enforcement.py Outdated

return failures
if not failures:
return failures

Contributor

We can use return [] here for clarity, since failures is always empty at this point.

@sshrushanth-ks sshrushanth-ks merged commit 25949f1 into commander-add-passphrase-generation Jun 22, 2026
4 checks passed
sshrushanth-ks added a commit that referenced this pull request Jun 23, 2026
* Add vault-style passphrase generation with CLI overrides and validation

Introduce KeeperPassphraseGenerator using the bundled EFF word list and
wire it into generate --passphrase and :passphrase on record-add,
record-update, and nsf-record commands. Honor enterprise passphrase-* policy
fields with CLI/ overrides for word count, separator, capitals, and digit.

Add Vault-aligned passphrase validation in PasswordComplexityEnforcer so
passphrases that meet passphrase policy pass record commands without --force,
even when random password rules (upper-min, digit-min) would reject them.
Includes unit tests for generation, enforcement, and existing NSF coverage.

* Fix passphrase separator handling and document allowed separator characters

* Made capitals + digit on the first word as default

* addressed review comment
sk-keeper pushed a commit that referenced this pull request Jun 23, 2026
sk-keeper pushed a commit that referenced this pull request Jun 23, 2026
@sk-keeper sk-keeper deleted the commander-add-passphrase-generation-int branch June 26, 2026 18:10