0001-misc-make-minimum-password-strength-configurable-in-.patch

Corentin Séchet, 07 septembre 2022 13:47

Voir les différences: en ligne côte à côte

Subject: [PATCH] misc: make minimum password strength configurable in ous
 (#68745)

 ...rganizationalunit_min_password_strength.py | 30 +++++++++++++++++
 src/authentic2/a2_rbac/models.py              | 16 +++++++++
 src/authentic2/forms/fields.py                |  2 --
 src/authentic2/forms/passwords.py             | 15 +++++++++
 src/authentic2/forms/registration.py          | 10 ++++++
 src/authentic2/forms/widgets.py               | 11 +++----
 src/authentic2/manager/forms.py               | 12 ++++++-
 src/authentic2/passwords.py                   | 10 ++++--
 tests/api/test_all.py                         |  2 +-
 tests/test_manager.py                         | 18 ++++++++++
 tests/test_password_reset.py                  | 24 ++++++++++++++
 tests/test_validators.py                      | 33 ++++++++++++-------
 tests/test_views.py                           | 33 +++++++++++++++++++
 tests/test_widgets.py                         |  4 +--
 14 files changed, 194 insertions(+), 26 deletions(-)
 create mode 100644 src/authentic2/a2_rbac/migrations/0030_organizationalunit_min_password_strength.py

     # Generated by Django 2.2.26 on 2022-09-06 15:10
     from django.db import migrations, models
     class Migration(migrations.Migration):
         dependencies = [
             ('a2_rbac', '0029_use_unique_constraints'),
+        ]
         operations = [
             migrations.AddField(
                 model_name='organizationalunit',
                 name='min_password_strength',
                 field=models.IntegerField(
                     choices=[
                         (None, 'System default'),
                         (0, 'Very Weak'),
                         (1, 'Weak'),
                         (2, 'Fair'),
                         (3, 'Good'),
                         (4, 'Strong'),
                     ],
                     default=None,
                     null=True,
                     verbose_name='Minimum password strength',
                 ),
             ),
+        ]

             MANUAL_PASSWORD_POLICY: PolicyValue(False, False, True, False),
+        }
         MIN_PASSWORD_STRENGTH_CHOICES = (
             (None, _("System default")),
             (0, _("Very Weak")),
             (1, _("Weak")),
             (2, _("Fair")),
             (3, _("Good")),
             (4, _("Strong")),
+        )
         username_is_unique = models.BooleanField(blank=True, default=False, verbose_name=_('Username is unique'))
         email_is_unique = models.BooleanField(blank=True, default=False, verbose_name=_('Email is unique'))
         default = fields.UniqueBooleanField(verbose_name=_('Default organizational unit'))
-...
             verbose_name=_('User creation password policy'), choices=USER_ADD_PASSWD_POLICY_CHOICES, default=0
+        )
         min_password_strength = models.IntegerField(
             verbose_name=_('Minimum password strength'),
             choices=MIN_PASSWORD_STRENGTH_CHOICES,
             default=None,
             null=True,
+        )
         clean_unused_accounts_alert = models.PositiveIntegerField(
             verbose_name=_('Days after which the user receives an account deletion alert'),
             validators=[

         PasswordInput,
         ProfileImageInput,
+    )
     from authentic2.passwords import validate_password
     from authentic2.validators import email_validator
-...
     class NewPasswordField(CharField):
         widget = NewPasswordInput
         default_validators = [validate_password]
     class CheckPasswordField(CharField):

     from authentic2.backends.ldap_backend import LDAPUser
     from authentic2.journal import journal
     from authentic2.passwords import get_min_password_strength, validate_password
     from .. import app_settings, hooks, models, validators
     from ..backends import get_user_queryset
-...
         new_password1 = NewPasswordField(label=_("New password"))
         new_password2 = CheckPasswordField(label=_("New password confirmation"))
         def __init__(self, user, *args, **kwargs):
             super().__init__(user, *args, **kwargs)
             self.fields['new_password1'].widget.min_strength = get_min_password_strength(user)
         def clean_new_password1(self):
             new_password1 = self.cleaned_data.get('new_password1')
             if new_password1 and self.user.check_password(new_password1):
                 raise ValidationError(_('New password must differ from old password'))
             validate_password(self.user, new_password1)
             return new_password1
-...
         old_password.widget.attrs.update({'autocomplete': 'current-password'})
         def __init__(self, user, *args, **kwargs):
             super().__init__(user, *args, **kwargs)
             self.fields['new_password1'].widget.min_strength = get_min_password_strength(user)
         def clean_new_password1(self):
             new_password1 = self.cleaned_data.get('new_password1')
             old_password = self.cleaned_data.get('old_password')
             if new_password1 and new_password1 == old_password:
                 raise ValidationError(_('New password must differ from old password'))
             validate_password(self.user, new_password1)
             return new_password1

     from authentic2.a2_rbac.models import OrganizationalUnit
     from authentic2.forms.fields import CheckPasswordField, NewPasswordField
     from authentic2.passwords import get_min_password_strength, validate_password
     from .. import app_settings, models
     from . import profile as profile_forms
-...
         password1 = NewPasswordField(label=_('Password'))
         password2 = CheckPasswordField(label=_("Password (again)"))
         def __init__(self, *args, **kwargs):
             super().__init__(*args, **kwargs)
             self.fields['password1'].widget.min_strength = get_min_password_strength(self.instance)
         def clean_password1(self):
             password1 = self.cleaned_data.get("password1")
             validate_password(self.instance, password1)
             return password1
         def clean(self):
             """
             Verifiy that the values entered into the two password fields

     class NewPasswordInput(PasswordInput):
         template_name = 'authentic2/widgets/new_password.html'
         def __init__(self, *args, **kwargs):
             super().__init__(*args, **kwargs)
             min_strength = app_settings.A2_PASSWORD_POLICY_MIN_STRENGTH
             if min_strength:
                 self.attrs['data-min-strength'] = min_strength
         min_strength = None
         def get_context(self, *args, **kwargs):
             context = super().get_context(*args, **kwargs)
-...
             if attrs is None:
                 attrs = {}
             attrs['autocomplete'] = 'new-password'
             if self.min_strength is not None:
                 attrs['data-min-strength'] = self.min_strength
             output = super().render(name, value, attrs=attrs, renderer=renderer)
             if attrs:
                 _id = attrs.get('id')

     from authentic2.forms.mixins import SlugMixin
     from authentic2.forms.profile import BaseUserForm
     from authentic2.models import PasswordReset
     from authentic2.passwords import generate_password
     from authentic2.passwords import generate_password, get_min_password_strength, validate_password
     from authentic2.utils.misc import (
         import_module_or_class,
         send_email_change_email,
-...
+                )
             return password2
         def clean_password1(self):
             password1 = self.cleaned_data.get("password1")
             if self.require_password:
                 validate_password(self.instance, password1)
             return password1
         def clean(self):
             super().clean()
             if (
-...
         password2 = CheckPasswordField(label=_("Confirmation"), required=False)
         send_mail = forms.BooleanField(initial=False, label=_('Send informations to user'), required=False)
         def __init__(self, **kwargs):
             super().__init__(**kwargs)
             self.fields['password1'].widget.min_strength = get_min_password_strength(self.instance)
         class Meta:
             model = User
             fields = ()

         return import_string(app_settings.A2_PASSWORD_POLICY_CLASS)(*args, **kwargs)
     def validate_password(password):
         min_strength = app_settings.A2_PASSWORD_POLICY_MIN_STRENGTH
     def get_min_password_strength(user):
         if user.ou and user.ou.min_password_strength is not None:
             return user.ou.min_password_strength
         return app_settings.A2_PASSWORD_POLICY_MIN_STRENGTH
     def validate_password(user, password):
         min_strength = get_min_password_strength(user)
         if min_strength is not None:
             if get_password_strength(password).strength < min_strength:
                 raise ValidationError(_('This password is not strong enough.'))

     @pytest.mark.parametrize(
         'min_length, password,strength,label',
+        [
             (0, '?', 0, 'Very Weak'),
             (0, '', 0, 'Very Weak'),
             (0, '?', 0, 'Very Weak'),
             (0, '?JR!', 1, 'Weak'),
             (0, '?JR!p4A', 2, 'Fair'),

         assert str(app.session['_auth_user_id']) == str(simple_user.pk)
     def test_manager_user_change_password_form(app, simple_user):
         from authentic2.manager.forms import UserChangePasswordForm
         data = {
             'password1': 'Password0',
             'password2': 'Password0',
+        }
         form = UserChangePasswordForm(instance=simple_user, data=data)
         assert form.fields['password1'].widget.min_strength is None
         assert 'password1' not in form.errors
         simple_user.ou.min_password_strength = 3
         form = UserChangePasswordForm(instance=simple_user, data=data)
         assert form.fields['password1'].widget.min_strength == 3
         assert form.errors['password1'] == ['This password is not strong enough.']
     def test_manager_user_detail_by_uuid(app, superuser, simple_user, simple_role):
         simple_user.roles.add(simple_role)
         url = reverse('a2-manager-user-by-uuid-detail', kwargs={'slug': simple_user.uuid})

     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import pytest
     from django.contrib.auth import get_user_model
     from django.test.utils import override_settings
     from django.urls import reverse
     from authentic2.forms.profile import modelform_factory
     from authentic2.forms.registration import RegistrationCompletionForm
     from authentic2.utils.misc import send_password_reset_mail
     from . import utils
-...
         url = reverse('password_reset')
         resp = app.get(url, status=404)  # globally deactivated, page not found
     def test_registration_completion_form(db, simple_user):
         form_class = modelform_factory(get_user_model(), form=RegistrationCompletionForm)
         data = {
             'email': 'jonh.doe@yopmail.com',
             'password': 'blah',
             'password1': 'Password0',
             'password2': 'Password0',
             'date_joined': '2022-02-07',
             'ou': simple_user.ou.pk,
+        }
         form = form_class(instance=simple_user, data=data)
         assert form.fields['password1'].widget.min_strength is None
         assert 'password1' not in form.errors
         simple_user.ou.min_password_strength = 3
         form = form_class(instance=simple_user, data=data)
         assert form.fields['password1'].widget.min_strength == 3
         assert form.errors['password1'] == ['This password is not strong enough.']

     from authentic2.validators import EmailValidator, HexaColourValidator, validate_password
     def test_validate_password(settings):
     def test_validate_password(settings, simple_user):
         with pytest.raises(ValidationError):
             validate_password('aaaaaZZZZZZ')
             validate_password(simple_user, 'aaaaaZZZZZZ')
         with pytest.raises(ValidationError):
             validate_password('00000aaaaaa')
             validate_password(simple_user, '00000aaaaaa')
         with pytest.raises(ValidationError):
             validate_password('00000ZZZZZZ')
         validate_password('000aaaaZZZZ')
             validate_password(simple_user, '00000ZZZZZZ')
         validate_password(simple_user, '000aaaaZZZZ')
     @pytest.mark.parametrize(
-...
             ('?JR!p4A2i:#', 4),
         ],
+    )
     def test_validate_password_strength(settings, password, min_strength):
     def test_validate_password_strength(settings, simple_user, password, min_strength):
         settings.A2_PASSWORD_POLICY_MIN_LENGTH = len(password)
         settings.A2_PASSWORD_POLICY_MIN_STRENGTH = min_strength
         validate_password(password)
         validate_password(simple_user, password)
         settings.A2_PASSWORD_POLICY_MIN_LENGTH = len(password) + 1
         with pytest.raises(ValidationError):
             validate_password(password)
             validate_password(simple_user, password)
         if min_strength < 4:
             settings.A2_PASSWORD_POLICY_MIN_LENGTH = len(password)
             settings.A2_PASSWORD_POLICY_MIN_STRENGTH = min_strength + 1
             with pytest.raises(ValidationError):
                 validate_password(password)
                 validate_password(simple_user, password)
     def test_validate_password_strength_ou_setting(settings, simple_user):
         settings.A2_PASSWORD_POLICY_MIN_LENGTH = 0
         settings.A2_PASSWORD_POLICY_MIN_STRENGTH = 0
         validate_password(simple_user, 'password')
         simple_user.ou.min_password_strength = 4
         with pytest.raises(ValidationError):
             validate_password(simple_user, 'password')
     def test_validate_colour():
-...
         validator('#ff00ff')
     def test_digits_password_policy(settings):
     def test_digits_password_policy(settings, simple_user):
         settings.A2_PASSWORD_POLICY_REGEX = '^[0-9]{8}$'
         settings.A2_PASSWORD_POLICY_REGEX_ERROR_MSG = 'pasbon'
         settings.A2_PASSWORD_POLICY_MIN_LENGTH = 0
         settings.A2_PASSWORD_POLICY_MIN_CLASSES = 0
         with pytest.raises(ValidationError):
             validate_password('aaa')
         validate_password('12345678')
             validate_password(simple_user, 'aaa')
         validate_password(simple_user, '12345678')
     class TestEmailValidator:

     from django.utils.html import escape
     from authentic2.custom_user.models import DeletedUser, User
     from authentic2.forms.passwords import PasswordChangeForm, SetPasswordForm
     from .utils import assert_event, get_link_from_mail, login, logout
-...
         assert_event('user.password.change', user=simple_user, session=app.session)
     def test_password_change_form(simple_user):
         data = {
             'new_password1': 'Password0',
             'new_password2': 'Password0',
+        }
         form = PasswordChangeForm(user=simple_user, data=data)
         assert form.fields['new_password1'].widget.min_strength is None
         assert 'new_password1' not in form.errors
         simple_user.ou.min_password_strength = 3
         form = PasswordChangeForm(user=simple_user, data=data)
         assert form.fields['new_password1'].widget.min_strength == 3
         assert form.errors['new_password1'] == ['This password is not strong enough.']
     def test_set_password_form(simple_user):
         data = {
             'new_password1': 'Password0',
             'new_password2': 'Password0',
+        }
         form = SetPasswordForm(user=simple_user, data=data)
         assert form.fields['new_password1'].widget.min_strength is None
         assert 'new_password1' not in form.errors
         simple_user.ou.min_password_strength = 3
         form = SetPasswordForm(user=simple_user, data=data)
         assert form.fields['new_password1'].widget.min_strength == 3
         assert form.errors['new_password1'] == ['This password is not strong enough.']
     def test_well_known_password_change(app):
         resp = app.get('/.well-known/change-password')
         assert resp.location == '/accounts/password/change/'

         assert not data
     def test_new_password_input(settings):
     def test_new_password_input():
         widget = NewPasswordInput()
         html = widget.render('foo', 'bar')
         query = PyQuery(html)
-...
         textinput = query.find('input')
         assert textinput.attr('data-min-strength') is None
         settings.A2_PASSWORD_POLICY_MIN_STRENGTH = 3
         widget = NewPasswordInput()
         widget.min_strength = 3
         html = widget.render('foo', 'bar')
         query = PyQuery(html)
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-misc-make-minimum-password-strength-configurable-in-.patch