Safely generating passwords for admin users

admin-cli/Cargo.toml

@@ -10,3 +10,4 @@ base64 = "0.22.1"
 serde = { version = "1.0.215", features = ["derive"] }
 serde_json = "1.0.133"
 argon2 = "0.5.3"
+rand_core = { version = "0.9.3", features = [ "os_rng" ] }

admin-cli/src/main.rs

@@ -1,11 +1,13 @@
 use std::env;
 use std::fs;
 use std::io::Read;
+use argon2::password_hash::Salt;
 use clap::Parser;
 use postgres::{Client, NoTls};
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine as _};
+use base64::engine::general_purpose::STANDARD_NO_PAD;
 use serde::Serialize;
-use argon2::{Argon2, PasswordHasher, password_hash::Salt};
+use argon2::{Argon2, PasswordHasher};
 
 
 const PASSWORD_LENGTH: usize = 64;
@@ -43,10 +45,18 @@ fn random_string(size: usize) -> String {
     URL_SAFE_NO_PAD.encode(buffer)
 }
 
+fn random_b64_std(size: usize) -> String {
+    let mut buffer = vec![0; size];
+    let mut f = std::fs::File::open("/dev/urandom").unwrap();
+    f.read_exact(&mut buffer).unwrap();
+    STANDARD_NO_PAD.encode(buffer)
+}
+
+
 fn salt_and_hash(password: &str) -> String {
     // Generates a salted and hashed variation of the given password
-    let salt_str = random_string(8);
-    let salt: Salt = salt_str.as_str().try_into().unwrap();
+    let salt_str = random_b64_std(8);
+    let salt = Salt::from_b64(&salt_str).unwrap();
     let a2 = Argon2::default();
     let hash = a2.hash_password(password.as_bytes(), salt).unwrap();
     hash.to_string()