def test_password_reset_with_login_failures_feature_disabled(self):
"""
Tests that user's login failures lockout counter is not reset upon successful password reset.
"""
# Adding an entry in LoginFailures to verify the password reset endpoint
# does not reset the user's login failures lockout counter.
LoginFailures.increment_lockout_counter(self.user)
request_params = {
'new_password1': 'password1',
'new_password2': 'password1'
}
confirm_request = self.request_factory.post(
self.password_reset_confirm_url, data=request_params)
self.setup_request_session_with_token(confirm_request)
confirm_request.user = self.user
# Make a password reset request.
resp = PasswordResetConfirmWrapper.as_view()(confirm_request,
uidb36=self.uidb36,
token=self.token)
# Verify that the user's login failures lockout count is not reset.
assert resp.status_code == 302
assert not LoginFailures.is_feature_enabled()
assert LoginFailures.is_user_locked_out(confirm_request.user)
def test_password_reset_request_with_login_failures_feature_enabled(self):
"""
Tests that user's login failures lockout counter is reset upon successful password reset.
"""
# Adding an entry in LoginFailures to verify the password reset endpoint
# reset the user's login failures lockout counter.
LoginFailures.increment_lockout_counter(self.user)
post_request = self.create_reset_request(self.uidb36, self.token,
False)
post_request.user = AnonymousUser()
reset_view = LogistrationPasswordResetView.as_view()
json_response = reset_view(post_request,
uidb36=self.uidb36,
token=self.token).render()
json_response = json.loads(json_response.content.decode('utf-8'))
# Verify that the user's login failures lockout count is reset.
assert json_response.get('reset_status')
assert not LoginFailures.is_user_locked_out(self.user)
# Verify that the user's login failures lockout counter is not reset upon
# password reset failure.
LoginFailures.increment_lockout_counter(self.user)
post_request = self.create_reset_request(self.uidb36, self.token,
False, 'new_password2')
post_request.user = AnonymousUser()
reset_view = LogistrationPasswordResetView.as_view()
reset_view(post_request, uidb36=self.uidb36, token=self.token).render()
assert LoginFailures.is_user_locked_out(self.user)
def _handle_failed_authentication_viatris(user,site):
"""
Handles updating the failed login count, inactive user notifications, and logging failed authentications.
"""
if user:
if 'viatris-via' not in site:
if LoginFailures.is_feature_enabled():
LoginFailures.increment_lockout_counter(user)
if not user.is_active:
_log_and_raise_inactive_user_auth_error(user)
# if we didn't find this username earlier, the account for this email
# doesn't exist, and doesn't have a corresponding password
if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
loggable_id = user.id if user else "<unknown>"
AUDIT_LOG.warning(u"Login failed - password for user.id: {0} is invalid".format(loggable_id))
else:
AUDIT_LOG.warning(u"Login failed - password for {0} is invalid".format(user.email))
if 'viatris-via' in site:
raise AuthFailedError(_('Incorrect Password. You can reset your password using Forgot password link or Sign In using the OTP option.By entering you email address you will receive a OTP (One Time Password) by email that will be valid for 2 minutes and you can use it to sign-in into the VIA platform and join lectures.'))
elif 'viatris-kreon' in site or 'viatris-farmaciaformacion' in site:
raise AuthFailedError(_('Contrasena incorrecta. Puede restablecer su contrasena utilizando el enlace Olvide mi contrasena.'))
elif 'viatris-pvp-i' in site or 'viatris.' in site or 'viatris-multimodal' in site:
raise AuthFailedError(_('Incorrect Password. You can reset your password using Forgot password link.'))
elif 'viatris-atpon' in site:
raise AuthFailedError(_('Niepoprawne haslo. Mozesz zresetowac swoje haslo, korzystajac z linku Nie pamietam hasla.'))
elif 'viatris-norge' in site:
raise AuthFailedError(_('Du kan tilbakestille passordet ved a bruke Glemt passord - koblingen eller Logg pa med OTP-alternativet.Ved a skrive inn din e-postadresse vil du motta et OTP (engangspassord) pa e-post som vil vaere gyldig i 2 minutter, og som du kan bruke til a logge deg pa norge-plattformen og bli med pa forelesninger.'))
else:
raise AuthFailedError(_('Incorrect Password. You can reset your password using Forgot password link or Sign In using the OTP option.'))
def _handle_failed_authentication(user, authenticated_user):
"""
Handles updating the failed login count, inactive user notifications, and logging failed authentications.
"""
failure_count = 0
if user:
if LoginFailures.is_feature_enabled():
LoginFailures.increment_lockout_counter(user)
if authenticated_user and not user.is_active:
_log_and_raise_inactive_user_auth_error(user)
# if we didn't find this username earlier, the account for this email
# doesn't exist, and doesn't have a corresponding password
loggable_id = user.id if user else "<unknown>"
AUDIT_LOG.warning(
f"Login failed - password for user.id: {loggable_id} is invalid")
if user and LoginFailures.is_feature_enabled():
blocked_threshold, failure_count = LoginFailures.check_user_reset_password_threshold(
user)
if blocked_threshold:
if not LoginFailures.is_user_locked_out(user):
max_failures_allowed = settings.MAX_FAILED_LOGIN_ATTEMPTS_ALLOWED
remaining_attempts = max_failures_allowed - failure_count
error_message = Text(
_('Email or password is incorrect.'
'{li_start}You have {remaining_attempts} more sign-in '
'attempts before your account is temporarily locked.{li_end}'
'{li_start}If you\'ve forgotten your password, click '
'{link_start}here{link_end} to reset.{li_end}')
).format(link_start=HTML(
'<a http="#login" class="form-toggle" data-type="password-reset">'
),
link_end=HTML('</a>'),
li_start=HTML('<li>'),
li_end=HTML('</li>'),
remaining_attempts=remaining_attempts)
raise AuthFailedError(error_message,
error_code='failed-login-attempt',
context={
'remaining_attempts':
remaining_attempts,
'allowed_failure_attempts':
max_failures_allowed,
'failure_count': failure_count,
})
_generate_locked_out_error_message()
raise AuthFailedError(
_('Email or password is incorrect.'),
error_code='incorrect-email-or-password',
context={'failure_count': failure_count},
)
def _handle_failed_authentication(user, authenticated_user):
"""
Handles updating the failed login count, inactive user notifications, and logging failed authentications.
"""
if user:
if LoginFailures.is_feature_enabled():
LoginFailures.increment_lockout_counter(user)
if authenticated_user and not user.is_active:
_log_and_raise_inactive_user_auth_error(user)
# if we didn't find this username earlier, the account for this email
# doesn't exist, and doesn't have a corresponding password
if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
loggable_id = user.id if user else "<unknown>"
AUDIT_LOG.warning(u"Login failed - password for user.id: {0} is invalid".format(loggable_id))
else:
AUDIT_LOG.warning(u"Login failed - password for {0} is invalid".format(user.email))
if user and LoginFailures.is_feature_enabled():
blocked_threshold, failure_count = LoginFailures.check_user_reset_password_threshold(user)
if blocked_threshold:
if not LoginFailures.is_user_locked_out(user):
max_failures_allowed = settings.MAX_FAILED_LOGIN_ATTEMPTS_ALLOWED
remaining_attempts = max_failures_allowed - failure_count
if not should_redirect_to_logistration_mircrofrontend: # pylint: disable=no-else-raise
raise AuthFailedError(Text(_('Email or password is incorrect.'
'{li_start}You have {remaining_attempts} more sign-in '
'attempts before your account is temporarily locked.{li_end}'
'{li_start}If you\'ve forgotten your password, click '
'{link_start}here{link_end} to reset.{li_end}'
))
.format(
link_start=HTML('<a http="#login" class="form-toggle" data-type="password-reset">'),
link_end=HTML('</a>'),
li_start=HTML('<li>'),
li_end=HTML('</li>'),
remaining_attempts=remaining_attempts))
else:
raise AuthFailedError(Text(_('Email or password is incorrect.\n'
'You have {remaining_attempts} more sign-in '
'attempts before your account is temporarily locked.\n'
'If you{quote}ve forgotten your password, click '
'{link_start}here{link_end} to reset.\n'
))
.format(
quote=HTML("'"),
link_start=HTML('<a href="/reset" >'),
link_end=HTML('</a>'),
remaining_attempts=remaining_attempts))
else:
_generate_locked_out_error_message()
raise AuthFailedError(_('Email or password is incorrect.'))
def _enforce_password_policy_compliance(request, user): # lint-amnesty, pylint: disable=missing-function-docstring
try:
password_policy_compliance.enforce_compliance_on_login(user, request.POST.get('password'))
except password_policy_compliance.NonCompliantPasswordWarning as e:
# Allow login, but warn the user that they will be required to reset their password soon.
PageLevelMessages.register_warning_message(request, str(e))
except password_policy_compliance.NonCompliantPasswordException as e:
# Increment the lockout counter to safguard from further brute force requests
# if user's password has been compromised.
if LoginFailures.is_feature_enabled():
LoginFailures.increment_lockout_counter(user)
AUDIT_LOG.info("Password reset initiated for email %s.", user.email)
send_password_reset_email_for_user(user, request)
# Prevent the login attempt.
raise AuthFailedError(HTML(str(e)), error_code=e.__class__.__name__) # lint-amnesty, pylint: disable=raise-missing-from
def test_password_reset_request_with_login_failures_feature_disabled(self):
"""
Tests that user's login failures lockout counter is not reset upon successful password reset.
"""
# Adding an entry in LoginFailures to verify the password reset endpoint
# does not reset the user's login failures lockout counter.
LoginFailures.increment_lockout_counter(self.user)
post_request = self.create_reset_request(self.uidb36, self.token,
False)
post_request.user = AnonymousUser()
reset_view = LogistrationPasswordResetView.as_view()
reset_view(post_request, uidb36=self.uidb36, token=self.token).render()
# Verify that the user's login failures lockout count is not reset.
assert not LoginFailures.is_feature_enabled()
assert LoginFailures.is_user_locked_out(self.user)
def _handle_failed_authentication_microsite(user):
"""
Handles updating the failed login count, inactive user notifications, and logging failed authentications.
"""
if user:
if LoginFailures.is_feature_enabled():
LoginFailures.increment_lockout_counter(user)
if not user.is_active:
_log_and_raise_inactive_user_auth_error(user)
# if we didn't find this username earlier, the account for this email
# doesn't exist, and doesn't have a corresponding password
if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
loggable_id = user.id if user else "<unknown>"
AUDIT_LOG.warning(u"Login failed - password for user.id: {0} is invalid".format(loggable_id))
else:
AUDIT_LOG.warning(u"Login failed - password for {0} is invalid".format(user.email))
raise AuthFailedError(_('Incorrect Password. You can reset your password using Forgot password link or Sign In using the OTP option.'))
def _handle_inactive_user_failed_authentication(user):
"""
Handles updating the failed login count, inactive user notifications, and logging failed authentications.
"""
if user:
if not user.is_active:
record, _ = LoginFailures.objects.get_or_create(user=user)
record.failure_count = record.failure_count + 1
log.info('count--> %s',record.failure_count)
if record.failure_count <= 5:
if record.failure_count < 5:
log.info('count1--> %s',record.failure_count)
if LoginFailures.is_feature_enabled():
LoginFailures.increment_lockout_counter(user)
return user
elif record.failure_count == 5:
log.info('count2--> %s',record.failure_count)
record.failure_count = record.failure_count
#record.lockout_until = datetime.now(UTC)
record.save()
return user
else:
_log_and_raise_inactive_user_auth_error(user)