OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1752 Commits
13 Branches
0 Tags
45 MiB
Tree: 0a434a4736
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0a434a4736'
${ noResults }
server-tools/password_security/models/res_users.py

159 lines
5.3 KiB
Raw Normal View History

[9.0][ADD] Password Security Settings (#531) * [ADD] res_users_password_security: New module * Create new module to lock down user passwords * [REF] res_users_password_security: PR Review fixes * Also add beta pass history rule * [ADD] res_users_password_security: Pass history and min time * Add pass history memory and threshold * Add minimum time for pass resets through web reset * Begin controller tests * Fix copyright, wrong year for new file * Add tests for password_security_home * Left to do web_auth_reset_password * Fix minimum reset threshold and finish tests * Bug fixes per review * [REF] password_security: PR review improvements * Change tech name to password_security * Use new except format * Limit 1 & new api * Cascade deletion for pass history * [REF] password_security: Fix travis + style * Fix travis errors * self to cls * Better variable names in tests * [FIX] password_security: Fix travis errors
8 years ago
[FIX] password_security: Default last write date * Add a default `password_write_date` to circumvent need for immediate password reset, fixing #1083
7 years ago
[9.0][ADD] Password Security Settings (#531) * [ADD] res_users_password_security: New module * Create new module to lock down user passwords * [REF] res_users_password_security: PR Review fixes * Also add beta pass history rule * [ADD] res_users_password_security: Pass history and min time * Add pass history memory and threshold * Add minimum time for pass resets through web reset * Begin controller tests * Fix copyright, wrong year for new file * Add tests for password_security_home * Left to do web_auth_reset_password * Fix minimum reset threshold and finish tests * Bug fixes per review * [REF] password_security: PR review improvements * Change tech name to password_security * Use new except format * Limit 1 & new api * Cascade deletion for pass history * [REF] password_security: Fix travis + style * Fix travis errors * self to cls * Better variable names in tests * [FIX] password_security: Fix travis errors
8 years ago
[FIX] Underscore is a special character
7 years ago
[9.0][ADD] Password Security Settings (#531) * [ADD] res_users_password_security: New module * Create new module to lock down user passwords * [REF] res_users_password_security: PR Review fixes * Also add beta pass history rule * [ADD] res_users_password_security: Pass history and min time * Add pass history memory and threshold * Add minimum time for pass resets through web reset * Begin controller tests * Fix copyright, wrong year for new file * Add tests for password_security_home * Left to do web_auth_reset_password * Fix minimum reset threshold and finish tests * Bug fixes per review * [REF] password_security: PR review improvements * Change tech name to password_security * Use new except format * Limit 1 & new api * Cascade deletion for pass history * [REF] password_security: Fix travis + style * Fix travis errors * self to cls * Better variable names in tests * [FIX] password_security: Fix travis errors
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2015 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. import re
  7. from datetime import datetime, timedelta
  9. from openerp import api, fields, models, _
  11. from ..exceptions import PassError
  14. def delta_now(**kwargs):
  15. dt = datetime.now() + timedelta(**kwargs)
  16. return fields.Datetime.to_string(dt)
  19. class ResUsers(models.Model):
  20. _inherit = 'res.users'
  22. password_write_date = fields.Datetime(
  23. 'Last password update',
  24. default=fields.Datetime.now,
  25. readonly=True,
  26. )
  27. password_history_ids = fields.One2many(
  28. string='Password History',
  29. comodel_name='res.users.pass.history',
  30. inverse_name='user_id',
  31. readonly=True,
  32. )
  34. @api.model
  35. def create(self, vals):
  36. vals['password_write_date'] = fields.Datetime.now()
  37. return super(ResUsers, self).create(vals)
  39. @api.multi
  40. def write(self, vals):
  41. if vals.get('password'):
  42. self.check_password(vals['password'])
  43. vals['password_write_date'] = fields.Datetime.now()
  44. return super(ResUsers, self).write(vals)
  46. @api.multi
  47. def password_match_message(self):
  48. self.ensure_one()
  49. company_id = self.company_id
  50. message = []
  51. if company_id.password_lower:
  52. message.append('* ' + _('Lowercase letter'))
  53. if company_id.password_upper:
  54. message.append('* ' + _('Uppercase letter'))
  55. if company_id.password_numeric:
  56. message.append('* ' + _('Numeric digit'))
  57. if company_id.password_special:
  58. message.append('* ' + _('Special character'))
  59. if len(message):
  60. message = [_('Must contain the following:')] + message
  61. if company_id.password_length:
  62. message = [
  63. _('Password must be %d characters or more.') %
  64. company_id.password_length
  65. ] + message
  66. return '\r'.join(message)
  68. @api.multi
  69. def check_password(self, password):
  70. self.ensure_one()
  71. if not password:
  72. return True
  73. company_id = self.company_id
  74. password_regex = ['^']
  75. if company_id.password_lower:
  76. password_regex.append('(?=.*?[a-z])')
  77. if company_id.password_upper:
  78. password_regex.append('(?=.*?[A-Z])')
  79. if company_id.password_numeric:
  80. password_regex.append(r'(?=.*?\d)')
  81. if company_id.password_special:
  82. password_regex.append(r'(?=.*?[\W_])')
  83. password_regex.append('.{%d,}$' % company_id.password_length)
  84. if not re.search(''.join(password_regex), password):
  85. raise PassError(_(self.password_match_message()))
  86. return True
  88. @api.multi
  89. def _password_has_expired(self):
  90. self.ensure_one()
  91. if not self.password_write_date:
  92. return True
  93. write_date = fields.Datetime.from_string(self.password_write_date)
  94. today = fields.Datetime.from_string(fields.Datetime.now())
  95. days = (today - write_date).days
  96. return days > self.company_id.password_expiration
  98. @api.multi
  99. def action_expire_password(self):
  100. expiration = delta_now(days=+1)
  101. for rec_id in self:
  102. rec_id.mapped('partner_id').signup_prepare(
  103. signup_type="reset", expiration=expiration
  104. )
  106. @api.multi
  107. def _validate_pass_reset(self):
  108. """ It provides validations before initiating a pass reset email
  109. :raises: PassError on invalidated pass reset attempt
  110. :return: True on allowed reset
  111. """
  112. for rec_id in self:
  113. pass_min = rec_id.company_id.password_minimum
  114. if pass_min <= 0:
  115. pass
  116. write_date = fields.Datetime.from_string(
  117. rec_id.password_write_date
  118. )
  119. delta = timedelta(hours=pass_min)
  120. if write_date + delta > datetime.now():
  121. raise PassError(
  122. _('Passwords can only be reset every %d hour(s). '
  123. 'Please contact an administrator for assistance.') %
  124. pass_min,
  125. )
  126. return True
  128. @api.multi
  129. def _set_password(self, password):
  130. """ It validates proposed password against existing history
  131. :raises: PassError on reused password
  132. """
  133. crypt = self._crypt_context()[0]
  134. for rec_id in self:
  135. recent_passes = rec_id.company_id.password_history
  136. if recent_passes < 0:
  137. recent_passes = rec_id.password_history_ids
  138. else:
  139. recent_passes = rec_id.password_history_ids[
  140. 0:recent_passes-1
  141. ]
  142. if len(recent_passes.filtered(
  143. lambda r: crypt.verify(password, r.password_crypt)
  144. )):
  145. raise PassError(
  146. _('Cannot use the most recent %d passwords') %
  147. rec_id.company_id.password_history
  148. )
  149. super(ResUsers, self)._set_password(password)
  151. @api.multi
  152. def _set_encrypted_password(self, encrypted):
  153. """ It saves password crypt history for history rules """
  154. super(ResUsers, self)._set_encrypted_password(encrypted)
  155. self.write({
  156. 'password_history_ids': [(0, 0, {
  157. 'password_crypt': encrypted,
  158. })],
  159. })