def test_too_frequent_password_resets(self):
        """
        Check that a reset is flagged as too soon right after a recorded
        password change, and is no longer flagged once enough time has passed.
        """
        # User created with an initial password-history entry.
        recent_user = self._user_factory_with_history()
        # User created without an initial history entry; the assertion below
        # expects the frequency check to let such an account through.
        legacy_user = self._user_factory_with_history(set_initial_history=False)

        self.assertTrue(PasswordHistory.is_password_reset_too_soon(recent_user))
        self.assertFalse(PasswordHistory.is_password_reset_too_soon(legacy_user))

        # NOTE(review): 100 days is presumably longer than the minimum interval
        # configured for this test; the settings override is not visible here.
        with freeze_time(timezone.now() + timedelta(days=100)):
            self.assertFalse(PasswordHistory.is_password_reset_too_soon(recent_user))
Example #2
    def test_too_frequent_password_resets(self):
        """
        A user with a fresh history entry is rate-limited on resets; a user
        without one is not, and the limit lifts after time has advanced.
        """
        too_soon = PasswordHistory.is_password_reset_too_soon

        with_history = self._user_factory_with_history()
        # No initial history entry is written for this account.
        without_history = self._user_factory_with_history(set_initial_history=False)

        self.assertTrue(too_soon(with_history))
        self.assertFalse(too_soon(without_history))

        # Move the clock 100 days forward and re-check the rate-limited user.
        # NOTE(review): assumes the configured minimum interval is shorter
        # than 100 days; confirm against the test's settings override.
        later = timezone.now() + timedelta(days=100)
        with freeze_time(later):
            self.assertFalse(too_soon(with_history))
    def test_disabled_too_frequent_password_resets(self):
        """
        Verify the default behavior when the reset-frequency feature is
        disabled: a user with a fresh history entry is not flagged.
        """
        # NOTE(review): the settings that disable the feature are not visible
        # in this method; presumably no override is applied to it.
        user_with_history = self._user_factory_with_history()

        flagged = PasswordHistory.is_password_reset_too_soon(user_with_history)
        self.assertFalse(flagged)
def _validate_password_security(password, user):
    """
    Enforce the password-reuse and reset-frequency policies for ``user``.

    The reuse check runs first, so when both policies are violated only the
    reuse error is reported. The error messages interpolate only the policy
    threshold, never the candidate password.

    Raises:
        SecurityPolicyError: if ``password`` was used too recently, or if the
            user is resetting passwords too frequently.
    """
    # Policy 1: password reuse. Staff and students have separate thresholds.
    reuse_allowed = PasswordHistory.is_allowable_password_reuse(user, password)
    if not reuse_allowed:
        reuse_key = (
            'MIN_DIFFERENT_STAFF_PASSWORDS_BEFORE_REUSE'
            if user.is_staff
            else 'MIN_DIFFERENT_STUDENT_PASSWORDS_BEFORE_REUSE'
        )
        num_distinct = settings.ADVANCED_SECURITY_CONFIG[reuse_key]
        reuse_template = ungettext(
            "You are re-using a password that you have used recently. "
            "You must have {num} distinct password before reusing a previous password.",
            "You are re-using a password that you have used recently. "
            "You must have {num} distinct passwords before reusing a previous password.",
            num_distinct)
        raise SecurityPolicyError(reuse_template.format(num=num_distinct))

    # Policy 2: reset frequency. A single threshold applies to every user.
    if not PasswordHistory.is_password_reset_too_soon(user):
        return

    num_days = settings.ADVANCED_SECURITY_CONFIG[
        'MIN_TIME_IN_DAYS_BETWEEN_ALLOWED_RESETS']
    frequency_template = ungettext(
        "You are resetting passwords too frequently. Due to security policies, "
        "{num} day must elapse between password resets.",
        "You are resetting passwords too frequently. Due to security policies, "
        "{num} days must elapse between password resets.",
        num_days)
    raise SecurityPolicyError(frequency_template.format(num=num_days))
def validate_password_security(password, user):
    """
    Apply the operational password policies: reuse history, then reset frequency.

    Returns None when both policies pass. The first violated policy raises,
    so a reuse violation hides a simultaneous frequency violation. Only the
    configured threshold is formatted into the message; the candidate
    password is never echoed back.

    Raises:
        SecurityPolicyError: on a reuse or reset-frequency violation.
    """
    # Reuse policy: the threshold depends on whether the account is staff.
    if not PasswordHistory.is_allowable_password_reuse(user, password):
        if user.is_staff:
            setting_name = 'MIN_DIFFERENT_STAFF_PASSWORDS_BEFORE_REUSE'
        else:
            setting_name = 'MIN_DIFFERENT_STUDENT_PASSWORDS_BEFORE_REUSE'
        num_distinct = settings.ADVANCED_SECURITY_CONFIG[setting_name]
        message = ungettext(
            "You are re-using a password that you have used recently. "
            "You must have {num} distinct password before reusing a previous password.",
            "You are re-using a password that you have used recently. "
            "You must have {num} distinct passwords before reusing a previous password.",
            num_distinct
        )
        raise SecurityPolicyError(message.format(num=num_distinct))

    # Frequency policy: one minimum interval, in days, for all users.
    # NOTE(review): presumably this interval stops a user from cycling through
    # throwaway passwords to defeat the reuse history; confirm with the policy owner.
    reset_too_soon = PasswordHistory.is_password_reset_too_soon(user)
    if reset_too_soon:
        num_days = settings.ADVANCED_SECURITY_CONFIG['MIN_TIME_IN_DAYS_BETWEEN_ALLOWED_RESETS']
        message = ungettext(
            "You are resetting passwords too frequently. Due to security policies, "
            "{num} day must elapse between password resets.",
            "You are resetting passwords too frequently. Due to security policies, "
            "{num} days must elapse between password resets.",
            num_days
        )
        raise SecurityPolicyError(message.format(num=num_days))
    def test_disabled_too_frequent_password_resets(self):
        """
        With the reset-frequency feature disabled, the check must not flag a
        user even though a password-history entry was just created.
        """
        is_too_soon = PasswordHistory.is_password_reset_too_soon

        # NOTE(review): relies on the feature being off for this test; the
        # setting that controls it is outside this method.
        fresh_user = self._user_factory_with_history()

        self.assertFalse(is_too_soon(fresh_user))