Exemplo n.º 1
0
def _validate_password(password, username=None, email=None):
    """Validate the format of the user's password.

    Passwords cannot be the same as the username of the account,
    so we create a temp_user using the username and email to test the password against.
    This user is never saved.

    Arguments:
        password (unicode): The proposed password.
        username (unicode): The username associated with the user's account.
        email (unicode): The email associated with the user's account.

    Returns:
        None

    Raises:
        errors.AccountPasswordInvalid

    """
    try:
        _validate_type(password, six.string_types,
                       accounts.PASSWORD_BAD_TYPE_MSG)
        temp_user = User(username=username, email=email) if username else None
        validate_password(password, user=temp_user)
    except errors.AccountDataBadType as invalid_password_err:
        raise errors.AccountPasswordInvalid(text_type(invalid_password_err))
    except ValidationError as validation_err:
        raise errors.AccountPasswordInvalid(' '.join(validation_err.messages))
Exemplo n.º 2
0
    def test_just_return_signals(self, mock_log_error):
        """
        Ensure that disabling Sailthru just returns
        """
        update_email_marketing_config(enabled=False)

        add_email_marketing_cookies(None)
        self.assertFalse(mock_log_error.called)

        email_marketing_register_user(None, None, None)
        self.assertFalse(mock_log_error.called)

        update_email_marketing_config(enabled=True)

        # test anonymous users
        anon = AnonymousUser()
        email_marketing_register_user(None, anon, None)
        self.assertFalse(mock_log_error.called)

        email_marketing_user_field_changed(None, user=anon)
        self.assertFalse(mock_log_error.called)

        user = User(username='******', email='*****@*****.**')
        email_marketing_user_field_changed(None, user=user)
        self.assertFalse(mock_log_error.called)
Exemplo n.º 3
0
def _validate_password(password,
                       username=None,
                       email=None,
                       reset_password_page=False):
    """Validate the format of the user's password.

    Passwords cannot be the same as the username of the account,
    so we create a temp_user using the username and email to test the password against.
    This user is never saved.

    Arguments:
        password (unicode): The proposed password.
        username (unicode): The username associated with the user's account.
        email (unicode): The email associated with the user's account.
        reset_password_page (bool): The flag that determines the validation page.

    Returns:
        None

    Raises:
        errors.AccountPasswordInvalid

    """
    try:
        _validate_type(password, str, accounts.PASSWORD_BAD_TYPE_MSG)
        temp_user = User(username=username, email=email) if username else None
        validate_password(password, user=temp_user)
    except errors.AccountDataBadType as invalid_password_err:
        raise errors.AccountPasswordInvalid(str(invalid_password_err))
    except ValidationError as validation_err:
        raise errors.AccountPasswordInvalid(' '.join(validation_err.messages))

    if ((settings.ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY
         and reset_password_page)
            or (settings.ENABLE_AUTHN_REGISTER_HIBP_POLICY
                and not reset_password_page)):
        pwned_response = check_pwned_password(password)
        if pwned_response.get('vulnerability', 'no') == 'yes':
            if (reset_password_page or pwned_response.get('frequency', 0) >=
                    settings.HIBP_REGISTRATION_PASSWORD_FREQUENCY_THRESHOLD):
                raise errors.AccountPasswordInvalid(
                    accounts.AUTHN_PASSWORD_COMPROMISED_MSG)
Exemplo n.º 4
0
def _validate_password(password,
                       username=None,
                       email=None,
                       reset_password_page=False):
    """Validate the format of the user's password.

    Passwords cannot be the same as the username of the account,
    so we create a temp_user using the username and email to test the password against.
    This user is never saved.

    Arguments:
        password (unicode): The proposed password.
        username (unicode): The username associated with the user's account.
        email (unicode): The email associated with the user's account.
        reset_password_page (bool): The flag that determines the validation page.

    Returns:
        None

    Raises:
        errors.AccountPasswordInvalid

    """
    try:
        _validate_type(password, str, accounts.PASSWORD_BAD_TYPE_MSG)
        temp_user = User(username=username, email=email) if username else None
        validate_password(password, user=temp_user)
    except errors.AccountDataBadType as invalid_password_err:
        raise errors.AccountPasswordInvalid(str(invalid_password_err))
    except ValidationError as validation_err:
        raise errors.AccountPasswordInvalid(' '.join(validation_err.messages))

    # TODO: VAN-666 - Restrict this feature to reset password page for now until it is
    #  enabled on account sign in and register.
    if settings.ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY and reset_password_page:
        pwned_response = check_pwned_password(password)
        if pwned_response.get('vulnerability', 'no') == 'yes':
            raise errors.AccountPasswordInvalid(
                accounts.AUTHN_PASSWORD_COMPROMISED_MSG)