def _enforce_password_policy_compliance(request, user):
    """
    Check the password submitted with ``request`` against the password policy for ``user``.

    A ``NonCompliantPasswordWarning`` lets the login proceed but surfaces the warning
    text through ``PageLevelMessages``; a ``NonCompliantPasswordException`` is converted
    into ``AuthFailedError`` so that the login attempt is refused.
    """
    submitted_password = request.POST.get('password')
    try:
        password_policy_compliance.enforce_compliance_on_login(user, submitted_password)
    except password_policy_compliance.NonCompliantPasswordWarning as warning:
        # Soft failure: the user may log in but is told a reset will be required soon.
        # ``message`` is the Python 2 exception attribute (removed in Python 3).
        PageLevelMessages.register_warning_message(request, warning.message)
    except password_policy_compliance.NonCompliantPasswordException as failure:
        # Hard failure: block this login attempt.
        raise AuthFailedError(failure.message)
def _enforce_password_policy_compliance(request, user):
    """
    Check the password submitted with ``request`` against the password policy for ``user``.

    A ``NonCompliantPasswordWarning`` lets the login proceed and surfaces the warning
    text through ``PageLevelMessages``. A ``NonCompliantPasswordException`` triggers a
    password-reset email for ``user`` and is re-raised as ``AuthFailedError`` so that
    the login is refused.
    """
    submitted_password = request.POST.get('password')
    try:
        password_policy_compliance.enforce_compliance_on_login(user, submitted_password)
    except password_policy_compliance.NonCompliantPasswordWarning as warning:
        # Soft failure: the user may log in but is told a reset will be required soon.
        PageLevelMessages.register_warning_message(request, six.text_type(warning))
    except password_policy_compliance.NonCompliantPasswordException as failure:
        # Hard failure: start the reset flow, then block this login attempt.
        send_password_reset_email_for_user(user, request)
        raise AuthFailedError(HTML(six.text_type(failure)))
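def _enforce_password_policy_compliance(request, user):
    """
    Enforce the password policy for ``user`` during login.

    Arguments:
        request: the login request; the candidate password is read from ``request.POST``.
        user: the user being logged in.

    Raises:
        AuthFailedError: when the password is non-compliant and the compliance deadline
            has passed. ``error_code`` carries the policy exception's class name.
    """
    try:
        password_policy_compliance.enforce_compliance_on_login(user, request.POST.get('password'))
    except password_policy_compliance.NonCompliantPasswordWarning as e:
        # Allow login, but warn the user that they will be required to reset their password soon.
        PageLevelMessages.register_warning_message(request, str(e))
    except password_policy_compliance.NonCompliantPasswordException as e:
        # The account holder is sent a reset email; the audit line records for whom.
        AUDIT_LOG.info("Password reset initiated for email %s.", user.email)
        send_password_reset_email_for_user(user, request)
        # Prevent the login attempt. Chain explicitly so the policy exception is kept
        # as ``__cause__`` instead of suppressing the raise-missing-from lint.
        raise AuthFailedError(HTML(str(e)), error_code=type(e).__name__) from e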
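    def test_enforce_compliance_on_login(self):
        """
        Verify that compliance does not need to be enforced if:
            * Password is compliant
            * There is no compliance deadline

        Verify that compliance does need to be enforced if:
            * Deadline has passed and the password is not compliant

        Verify that a warning is thrown if:
            * Deadline is in the future
        """
        user = UserFactory()
        password = '******'  # Don't actually need a password or user as methods will be mocked

        # The two collaborators that decide the outcome, patched where the module under test looks them up.
        check_target = 'openedx.core.djangoapps.password_policy.compliance._check_user_compliance'
        deadline_target = 'openedx.core.djangoapps.password_policy.compliance._get_compliance_deadline_for_user'

        # Test password is compliant
        with patch(check_target) as mock_check_user_compliance:
            mock_check_user_compliance.return_value = True
            assert enforce_compliance_on_login(user, password) is None

        # Test no deadline is set
        with patch(check_target) as mock_check_user_compliance, \
                patch(deadline_target) as mock_get_compliance_deadline_for_user:
            mock_check_user_compliance.return_value = False
            mock_get_compliance_deadline_for_user.return_value = None
            assert enforce_compliance_on_login(user, password) is None

        # Test deadline is in the past
        with patch(check_target) as mock_check_user_compliance, \
                patch(deadline_target) as mock_get_compliance_deadline_for_user:
            mock_check_user_compliance.return_value = False
            mock_get_compliance_deadline_for_user.return_value = datetime.now(pytz.UTC) - timedelta(1)
            with pytest.raises(NonCompliantPasswordException):
                enforce_compliance_on_login(user, password)

        # Test deadline is in the future
        with patch(check_target) as mock_check_user_compliance, \
                patch(deadline_target) as mock_get_compliance_deadline_for_user:
            mock_check_user_compliance.return_value = False
            mock_get_compliance_deadline_for_user.return_value = datetime.now(pytz.UTC) + timedelta(1)
            # pytest.raises already fails the test when nothing is raised; wrapping it in
            # ``assert`` only tested the truthiness of the returned ExceptionInfo object.
            with pytest.raises(NonCompliantPasswordWarning):
                enforce_compliance_on_login(user, password)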
    def test_enforce_compliance_on_login(self):
        """
        Exercise ``enforce_compliance_on_login`` across the four outcomes that
        ``_check_user_compliance`` and ``_get_compliance_deadline_for_user`` can produce:

        * compliant password             -> returns None
        * non-compliant, no deadline     -> returns None
        * non-compliant, deadline passed -> NonCompliantPasswordException
        * non-compliant, deadline ahead  -> NonCompliantPasswordWarning
        """
        user = UserFactory()
        password = '******'  # Don't actually need a password or user as methods will be mocked

        compliance_module = 'openedx.core.djangoapps.password_policy.compliance'
        check_target = compliance_module + '._check_user_compliance'
        deadline_target = compliance_module + '._get_compliance_deadline_for_user'

        # Compliant password: nothing to enforce.
        with patch(check_target) as mock_check:
            mock_check.return_value = True
            self.assertIsNone(enforce_compliance_on_login(user, password))

        # Non-compliant, but no deadline configured: nothing to enforce either.
        with patch(check_target) as mock_check, patch(deadline_target) as mock_deadline:
            mock_check.return_value = False
            mock_deadline.return_value = None
            self.assertIsNone(enforce_compliance_on_login(user, password))

        # Non-compliant and the deadline has passed: the login must be rejected.
        with patch(check_target) as mock_check, patch(deadline_target) as mock_deadline:
            mock_check.return_value = False
            mock_deadline.return_value = datetime.now(pytz.UTC) - timedelta(1)
            with self.assertRaises(NonCompliantPasswordException):
                enforce_compliance_on_login(user, password)

        # Non-compliant with the deadline still ahead: warning only.
        with patch(check_target) as mock_check, patch(deadline_target) as mock_deadline:
            mock_check.return_value = False
            mock_deadline.return_value = datetime.now(pytz.UTC) + timedelta(1)
            with self.assertRaises(NonCompliantPasswordWarning):
                enforce_compliance_on_login(user, password)
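    def clean(self):
        """
        Overrides the clean method to allow for the enforcement of password policy requirements.

        The policy check only runs once the base form has produced an authenticated user
        and a ``password`` value is present in ``cleaned_data``; a submission that already
        failed field validation is returned as-is instead of raising ``KeyError`` here.

        Raises:
            ValidationError: when the password is non-compliant and the compliance
                deadline has passed.
        """
        cleaned_data = super(PasswordPolicyAwareAdminAuthForm, self).clean()

        if not password_policy_compliance.should_enforce_compliance_on_login():
            return cleaned_data

        # NOTE(review): assumes the base form leaves ``user_cache`` unset unless the
        # credentials were authenticated -- confirm against the base class.
        password = cleaned_data.get('password')
        if self.user_cache is None or password is None:
            return cleaned_data

        try:
            password_policy_compliance.enforce_compliance_on_login(self.user_cache, password)
        except password_policy_compliance.NonCompliantPasswordWarning as e:
            # Allow login, but warn the user that they will be required to reset their password soon.
            # ``message`` is the Python 2 exception attribute (removed in Python 3).
            messages.warning(self.request, e.message)
        except password_policy_compliance.NonCompliantPasswordException as e:
            # Prevent the login attempt.
            raise ValidationError(e.message)

        return cleaned_data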
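    def clean(self):
        """
        Overrides the clean method to allow for the enforcement of password policy requirements.

        The policy check only runs once the base form has produced an authenticated user
        and a ``password`` value is present in ``cleaned_data``; a submission that already
        failed field validation is returned as-is instead of raising ``KeyError`` here.

        Raises:
            ValidationError: when the password is non-compliant and the compliance
                deadline has passed.
        """
        cleaned_data = super().clean()

        if not password_policy_compliance.should_enforce_compliance_on_login():
            return cleaned_data

        # NOTE(review): assumes the base form leaves ``user_cache`` unset unless the
        # credentials were authenticated -- confirm against the base class.
        password = cleaned_data.get('password')
        if self.user_cache is None or password is None:
            return cleaned_data

        try:
            password_policy_compliance.enforce_compliance_on_login(self.user_cache, password)
        except password_policy_compliance.NonCompliantPasswordWarning as e:
            # Allow login, but warn the user that they will be required to reset their password soon.
            messages.warning(self.request, HTML(str(e)))
        except password_policy_compliance.NonCompliantPasswordException as e:
            # Prevent the login attempt. Chain explicitly so the policy exception is kept
            # as ``__cause__`` instead of suppressing the raise-missing-from lint.
            raise ValidationError(HTML(str(e))) from e

        return cleaned_data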
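    def clean(self):
        """
        Overrides the clean method to allow for the enforcement of password policy requirements.

        The policy check only runs once the base form has produced an authenticated user
        and a ``password`` value is present in ``cleaned_data``; a submission that already
        failed field validation is returned as-is instead of raising ``KeyError`` here.

        Raises:
            ValidationError: when the password is non-compliant and the compliance
                deadline has passed.
        """
        cleaned_data = super(PasswordPolicyAwareAdminAuthForm, self).clean()

        if not password_policy_compliance.should_enforce_compliance_on_login():
            return cleaned_data

        # NOTE(review): assumes the base form leaves ``user_cache`` unset unless the
        # credentials were authenticated -- confirm against the base class.
        password = cleaned_data.get('password')
        if self.user_cache is None or password is None:
            return cleaned_data

        try:
            password_policy_compliance.enforce_compliance_on_login(
                self.user_cache, password)
        except password_policy_compliance.NonCompliantPasswordWarning as e:
            # Allow login, but warn the user that they will be required to reset their password soon.
            # ``message`` is the Python 2 exception attribute (removed in Python 3).
            messages.warning(self.request, e.message)
        except password_policy_compliance.NonCompliantPasswordException as e:
            # Prevent the login attempt.
            raise ValidationError(e.message)

        return cleaned_data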
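def _enforce_password_policy_compliance(request, user):
    """
    Enforce the password policy for ``user`` during login.

    Arguments:
        request: the login request; the candidate password is read from ``request.POST``.
        user: the user being logged in.

    Raises:
        AuthFailedError: when the password is non-compliant and the compliance deadline
            has passed. ``error_code`` carries the policy exception's class name.
    """
    try:
        password_policy_compliance.enforce_compliance_on_login(
            user, request.POST.get('password'))
    except password_policy_compliance.NonCompliantPasswordWarning as e:
        # Allow login, but warn the user that they will be required to reset their password soon.
        PageLevelMessages.register_warning_message(request, HTML(str(e)))
    except password_policy_compliance.NonCompliantPasswordException as e:
        # Increment the lockout counter to safeguard against further brute-force requests
        # if the user's password has been compromised.
        if LoginFailures.is_feature_enabled():
            LoginFailures.increment_lockout_counter(user)

        # The account holder is sent a reset email; the audit line records for whom.
        AUDIT_LOG.info("Password reset initiated for email %s.", user.email)
        send_password_reset_email_for_user(user, request)

        # Prevent the login attempt. Chain explicitly so the policy exception is kept
        # as ``__cause__`` instead of suppressing the raise-missing-from lint.
        raise AuthFailedError(HTML(str(e)), error_code=type(e).__name__) from e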