OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1503 Commits
13 Branches
0 Tags
45 MiB
Tree: 8d156ee54f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8d156ee54f'
${ noResults }
server-tools/password_security/models/res_users.py

158 lines
5.3 KiB
Raw Normal View History

[9.0][ADD] Password Security Settings (#531) * [ADD] res_users_password_security: New module * Create new module to lock down user passwords * [REF] res_users_password_security: PR Review fixes * Also add beta pass history rule * [ADD] res_users_password_security: Pass history and min time * Add pass history memory and threshold * Add minimum time for pass resets through web reset * Begin controller tests * Fix copyright, wrong year for new file * Add tests for password_security_home * Left to do web_auth_reset_password * Fix minimum reset threshold and finish tests * Bug fixes per review * [REF] password_security: PR review improvements * Change tech name to password_security * Use new except format * Limit 1 & new api * Cascade deletion for pass history * [REF] password_security: Fix travis + style * Fix travis errors * self to cls * Better variable names in tests * [FIX] password_security: Fix travis errors
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2015 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. import re
  7. from datetime import datetime, timedelta
  9. from openerp import api, fields, models, _
  11. from ..exceptions import PassError
  14. def delta_now(**kwargs):
  15. dt = datetime.now() + timedelta(**kwargs)
  16. return fields.Datetime.to_string(dt)
  19. class ResUsers(models.Model):
  20. _inherit = 'res.users'
  22. password_write_date = fields.Datetime(
  23. 'Last password update',
  24. readonly=True,
  25. )
  26. password_history_ids = fields.One2many(
  27. string='Password History',
  28. comodel_name='res.users.pass.history',
  29. inverse_name='user_id',
  30. readonly=True,
  31. )
  33. @api.model
  34. def create(self, vals):
  35. vals['password_write_date'] = fields.Datetime.now()
  36. return super(ResUsers, self).create(vals)
  38. @api.multi
  39. def write(self, vals):
  40. if vals.get('password'):
  41. self.check_password(vals['password'])
  42. vals['password_write_date'] = fields.Datetime.now()
  43. return super(ResUsers, self).write(vals)
  45. @api.multi
  46. def password_match_message(self):
  47. self.ensure_one()
  48. company_id = self.company_id
  49. message = []
  50. if company_id.password_lower:
  51. message.append('* ' + _('Lowercase letter'))
  52. if company_id.password_upper:
  53. message.append('* ' + _('Uppercase letter'))
  54. if company_id.password_numeric:
  55. message.append('* ' + _('Numeric digit'))
  56. if company_id.password_special:
  57. message.append('* ' + _('Special character'))
  58. if len(message):
  59. message = [_('Must contain the following:')] + message
  60. if company_id.password_length:
  61. message = [
  62. _('Password must be %d characters or more.') %
  63. company_id.password_length
  64. ] + message
  65. return '\r'.join(message)
  67. @api.multi
  68. def check_password(self, password):
  69. self.ensure_one()
  70. if not password:
  71. return True
  72. company_id = self.company_id
  73. password_regex = ['^']
  74. if company_id.password_lower:
  75. password_regex.append('(?=.*?[a-z])')
  76. if company_id.password_upper:
  77. password_regex.append('(?=.*?[A-Z])')
  78. if company_id.password_numeric:
  79. password_regex.append(r'(?=.*?\d)')
  80. if company_id.password_special:
  81. password_regex.append(r'(?=.*?\W)')
  82. password_regex.append('.{%d,}$' % company_id.password_length)
  83. if not re.search(''.join(password_regex), password):
  84. raise PassError(_(self.password_match_message()))
  85. return True
  87. @api.multi
  88. def _password_has_expired(self):
  89. self.ensure_one()
  90. if not self.password_write_date:
  91. return True
  92. write_date = fields.Datetime.from_string(self.password_write_date)
  93. today = fields.Datetime.from_string(fields.Datetime.now())
  94. days = (today - write_date).days
  95. return days > self.company_id.password_expiration
  97. @api.multi
  98. def action_expire_password(self):
  99. expiration = delta_now(days=+1)
  100. for rec_id in self:
  101. rec_id.mapped('partner_id').signup_prepare(
  102. signup_type="reset", expiration=expiration
  103. )
  105. @api.multi
  106. def _validate_pass_reset(self):
  107. """ It provides validations before initiating a pass reset email
  108. :raises: PassError on invalidated pass reset attempt
  109. :return: True on allowed reset
  110. """
  111. for rec_id in self:
  112. pass_min = rec_id.company_id.password_minimum
  113. if pass_min <= 0:
  114. pass
  115. write_date = fields.Datetime.from_string(
  116. rec_id.password_write_date
  117. )
  118. delta = timedelta(hours=pass_min)
  119. if write_date + delta > datetime.now():
  120. raise PassError(
  121. _('Passwords can only be reset every %d hour(s). '
  122. 'Please contact an administrator for assistance.') %
  123. pass_min,
  124. )
  125. return True
  127. @api.multi
  128. def _set_password(self, password):
  129. """ It validates proposed password against existing history
  130. :raises: PassError on reused password
  131. """
  132. crypt = self._crypt_context()[0]
  133. for rec_id in self:
  134. recent_passes = rec_id.company_id.password_history
  135. if recent_passes < 0:
  136. recent_passes = rec_id.password_history_ids
  137. else:
  138. recent_passes = rec_id.password_history_ids[
  139. 0:recent_passes-1
  140. ]
  141. if len(recent_passes.filtered(
  142. lambda r: crypt.verify(password, r.password_crypt)
  143. )):
  144. raise PassError(
  145. _('Cannot use the most recent %d passwords') %
  146. rec_id.company_id.password_history
  147. )
  148. super(ResUsers, self)._set_password(password)
  150. @api.multi
  151. def _set_encrypted_password(self, encrypted):
  152. """ It saves password crypt history for history rules """
  153. super(ResUsers, self)._set_encrypted_password(encrypted)
  154. self.write({
  155. 'password_history_ids': [(0, 0, {
  156. 'password_crypt': encrypted,
  157. })],
  158. })