From 3ae181c8ebb4fd0550c15fba1bb1ac44650df2b5 Mon Sep 17 00:00:00 2001 
From: Dave Lasley Date: Wed, 28 Sep 2016 23:51:43 -0700 Subject: [PATCH] [9.0][ADD] Password Security Settings (#531) * [ADD] res_users_password_security: New module * Create new module to lock down user passwords * [REF] res_users_password_security: PR Review fixes * Also add beta pass history rule * [ADD] res_users_password_security: Pass history and min time * Add pass history memory and threshold * Add minimum time for pass resets through web reset * Begin controller tests * Fix copyright, wrong year for new file * Add tests for password_security_home * Left to do web_auth_reset_password * Fix minimum reset threshold and finish tests * Bug fixes per review * [REF] password_security: PR review improvements * Change tech name to password_security * Use new except format * Limit 1 & new api * Cascade deletion for pass history * [REF] password_security: Fix travis + style * Fix travis errors * self to cls * Better variable names in tests * [FIX] password_security: Fix travis errors --- password_security/README.rst | 90 ++++++ password_security/__init__.py | 6 + password_security/__openerp__.py | 23 ++ password_security/controllers/__init__.py | 5 + password_security/controllers/main.py | 93 ++++++ password_security/exceptions.py | 12 + password_security/models/__init__.py | 7 + password_security/models/res_company.py | 51 ++++ password_security/models/res_users.py | 158 ++++++++++ .../models/res_users_pass_history.py | 26 ++ .../security/ir.model.access.csv | 2 + .../security/res_users_pass_history.xml | 19 ++ password_security/static/description/icon.png | Bin 0 -> 9455 bytes password_security/tests/__init__.py | 7 + .../tests/test_password_security_home.py | 269 ++++++++++++++++++ .../tests/test_password_security_session.py | 58 ++++ password_security/tests/test_res_users.py | 148 ++++++++++ password_security/views/res_company_view.xml | 42 +++ 18 files changed, 1016 insertions(+) create mode 100644 password_security/README.rst create mode 100644 
password_security/__init__.py create mode 100644 password_security/__openerp__.py create mode 100644 password_security/controllers/__init__.py create mode 100644 password_security/controllers/main.py create mode 100644 password_security/exceptions.py create mode 100644 password_security/models/__init__.py create mode 100644 password_security/models/res_company.py create mode 100644 password_security/models/res_users.py create mode 100644 password_security/models/res_users_pass_history.py create mode 100644 password_security/security/ir.model.access.csv create mode 100644 password_security/security/res_users_pass_history.xml create mode 100644 password_security/static/description/icon.png create mode 100644 password_security/tests/__init__.py create mode 100644 password_security/tests/test_password_security_home.py create mode 100644 password_security/tests/test_password_security_session.py create mode 100644 password_security/tests/test_res_users.py create mode 100644 password_security/views/res_company_view.xml diff --git a/password_security/README.rst b/password_security/README.rst new file mode 100644 index 0000000000..842bd4e90a --- /dev/null +++ b/password_security/README.rst 
@@ -0,0 +1,90 @@ +.. image:: https://img.shields.io/badge/license-LGPL--3-blue.svg + :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html + :alt: License: LGPL-3 + +================= +Password Security +================= + +This module allows admin to set company-level password security requirements +and enforces them on the user. + +It contains features such as + +* Password expiration days +* Password length requirement +* Password minimum number of lowercase letters +* Password minimum number of uppercase letters +* Password minimum number of numbers +* Password minimum number of special characters + +Configuration +============= + +# Navigate to company you would like to set requirements on +# Click the ``Password Policy`` page +# Set the policies to your liking. + +Password complexity requirements will be enforced upon next password change for +any user in that company. + + +Settings & Defaults +------------------- + +These are defined at the company level: + +===================== ======= =================================================== + Name Default Description +===================== ======= =================================================== + password_expiration 60 Days until passwords expire + password_length 12 Minimum number of characters in password + password_lower True Require lowercase letter in password + password_upper True Require uppercase letters in password + password_numeric True Require number in password + password_special True Require special character in password + password_history 30 Disallow reuse of this many previous passwords + password_minimum 24 Amount of hours that must pass until another reset +===================== ======= =================================================== + +Known Issues / Roadmap +====================== + + +Bug Tracker +=========== + +Bugs are tracked on `GitHub Issues +`_. In case of trouble, please +check there if your issue has already been reported. 
If you spotted it first, +help us to smash it by providing detailed and welcomed feedback. + + +Credits +======= + +Images +------ + +* Odoo Community Association: `Icon `_. + +Contributors +------------ + +* James Foster +* Dave Lasley + +Maintainer +---------- + +.. image:: https://odoo-community.org/logo.png + :alt: Odoo Community Association + :target: https://odoo-community.org + +This module is maintained by the OCA. + +OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use. + +To contribute to this module, please visit https://odoo-community.org. diff --git a/password_security/__init__.py b/password_security/__init__.py new file mode 100644 index 0000000000..5b741cc346 --- /dev/null +++ b/password_security/__init__.py @@ -0,0 +1,6 @@ +# -*- coding: utf-8 -*- +# Copyright 2015 LasLabs Inc. +# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). + +from . import controllers +from . import models diff --git a/password_security/__openerp__.py b/password_security/__openerp__.py new file mode 100644 index 0000000000..d76bb72bbf --- /dev/null +++ b/password_security/__openerp__.py @@ -0,0 +1,23 @@ +# -*- coding: utf-8 -*- +# Copyright 2015 LasLabs Inc. +# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). +{ + + 'name': 'Password Security', + "summary": "Allow admin to set password security requirements.", + 'version': '9.0.1.0.2', + 'author': "LasLabs, Odoo Community Association (OCA)", + 'category': 'Base', + 'depends': [ + 'auth_crypt', + 'auth_signup', + ], + "website": "https://laslabs.com", + "license": "LGPL-3", + "data": [ + 'views/res_company_view.xml', + 'security/ir.model.access.csv', + 'security/res_users_pass_history.xml', + ], + 'installable': True, +} diff --git a/password_security/controllers/__init__.py b/password_security/controllers/__init__.py new file mode 100644 index 0000000000..9c90950ac3 
--- /dev/null
+++ b/password_security/controllers/__init__.py
@@ -0,0 +1,5 @@
+# -*- coding: utf-8 -*-
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from . import main
diff --git a/password_security/controllers/main.py b/password_security/controllers/main.py
new file mode 100644
index 0000000000..23580628d7
--- /dev/null
+++ b/password_security/controllers/main.py
@@ -0,0 +1,93 @@
+# -*- coding: utf-8 -*-
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+import operator
+
+from openerp import http
+from openerp.http import request
+from openerp.addons.auth_signup.controllers.main import AuthSignupHome
+from openerp.addons.web.controllers.main import ensure_db, Session
+
+from ..exceptions import PassError
+
+
+class PasswordSecuritySession(Session):
+
+ @http.route()
+ def change_password(self, fields):
+ new_password = operator.itemgetter('new_password')(
+ dict(map(operator.itemgetter('name', 'value'), fields))
+ )
+ user_id = request.env.user
+ user_id.check_password(new_password)
+ return super(PasswordSecuritySession, self).change_password(fields)
+
+
+class PasswordSecurityHome(AuthSignupHome):
+
+ def do_signup(self, qcontext):
+ password = qcontext.get('password')
+ user_id = request.env.user
+ user_id.check_password(password)
+ return super(PasswordSecurityHome, self).do_signup(qcontext)
+
+ @http.route()
+ def web_login(self, *args, **kw):
+ ensure_db()
+ response = super(PasswordSecurityHome, self).web_login(*args, **kw)
+ if not request.httprequest.method == 'POST':
+ return response
+ uid = request.session.authenticate(
+ request.session.db,
+ request.params['login'],
+ request.params['password']
+ )
+ if not uid:
+ return response
+ users_obj = request.env['res.users'].sudo()
+ user_id = users_obj.browse(request.uid)
+ if not user_id._password_has_expired():
+ return response
+ user_id.action_expire_password()
+ redirect = user_id.partner_id.signup_url
+ return http.redirect_with_hash(redirect)
+
+ @http.route()
+ def web_auth_signup(self, *args, **kw):
+ try:
+ return super(PasswordSecurityHome, self).web_auth_signup(
+ *args, **kw
+ )
+ except PassError as e:
+ qcontext = self.get_auth_signup_qcontext()
+ qcontext['error'] = e.message
+ return request.render('auth_signup.signup', qcontext)
+
+ @http.route()
+ def web_auth_reset_password(self, *args, **kw):
+ """ It provides hook to disallow front-facing resets inside of min
+ Unfortuantely had to reimplement some core logic here because of
+ nested logic in parent
+ """
+ qcontext = self.get_auth_signup_qcontext()
+ if (
+ request.httprequest.method == 'POST' and
+ qcontext.get('login') and
+ 'error' not in qcontext and
+ 'token' not in qcontext
+ ):
+ login = qcontext.get('login')
+ user_ids = request.env.sudo().search(
+ [('login', '=', login)],
+ limit=1,
+ )
+ if not user_ids:
+ user_ids = request.env.sudo().search(
+ [('email', '=', login)],
+ limit=1,
+ )
+ user_ids._validate_pass_reset()
+ return super(PasswordSecurityHome, self).web_auth_reset_password(
+ *args, **kw
+ )
diff --git a/password_security/exceptions.py b/password_security/exceptions.py
new file mode 100644
index 0000000000..dbba100dcf
--- /dev/null
+++ b/password_security/exceptions.py
@@ -0,0 +1,12 @@
+# -*- coding: utf-8 -*-
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from openerp.exceptions import Warning as UserError
+
+
+class PassError(UserError):
+ """ Example: When you try to create an insecure password."""
+ def __init__(self, msg):
+ self.message = msg
+ super(PassError, self).__init__(msg)
diff --git a/password_security/models/__init__.py b/password_security/models/__init__.py
new file mode 100644
index 0000000000..84ba9a5fc8
--- /dev/null
+++ b/password_security/models/__init__.py
@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from . import res_users
+from . import res_company
+from . import res_users_pass_history
diff --git a/password_security/models/res_company.py b/password_security/models/res_company.py
new file mode 100644
index 0000000000..03f00b2def
--- /dev/null
+++ b/password_security/models/res_company.py
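Review bot: The expired-password branch of `web_login` redirects to the reset URL but never ends the session that `super().web_login()` and the extra `request.session.authenticate(...)` call have already established, so an account with an expired password stays logged in and the redirect can simply be ignored. Calling `request.session.logout(keep_db=True)` just before `return http.redirect_with_hash(redirect)` would make the expiry binding. In `web_auth_reset_password`, `request.env.sudo().search(...)` names no model; it presumably should read `request.env['res.users'].sudo().search(...)` in both lookups. The `PassError` raised by `_validate_pass_reset()` there is also not caught the way `web_auth_signup` catches it, so the throttled response is only produced for logins that exist, which lets a caller tell known accounts from unknown ones.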
@@ -0,0 +1,51 @@
+# -*- coding: utf-8 -*-
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from openerp import models, fields
+
+
+class ResCompany(models.Model):
+ _inherit = 'res.company'
+
+ password_expiration = fields.Integer(
+ 'Days',
+ default=60,
+ help='How many days until passwords expire',
+ )
+ password_length = fields.Integer(
+ 'Characters',
+ default=12,
+ help='Minimum number of characters',
+ )
+ password_lower = fields.Boolean(
+ 'Lowercase',
+ default=True,
+ help='Require lowercase letters',
+ )
+ password_upper = fields.Boolean(
+ 'Uppercase',
+ default=True,
+ help='Require uppercase letters',
+ )
+ password_numeric = fields.Boolean(
+ 'Numeric',
+ default=True,
+ help='Require numeric digits',
+ )
+ password_special = fields.Boolean(
+ 'Special',
+ default=True,
+ help='Require special characters',
+ )
+ password_history = fields.Integer(
+ 'History',
+ default=30,
+ help='Disallow reuse of this many previous passwords - use negative '
+ 'number for infinite, or 0 to disable',
+ )
+ password_minimum = fields.Integer(
+ 'Minimum Hours',
+ default=24,
+ help='Amount of hours until a user may change password again',
+ )
diff --git a/password_security/models/res_users.py b/password_security/models/res_users.py
new file mode 100644
index 0000000000..63b1fb3d61
--- /dev/null
+++ b/password_security/models/res_users.py
@@ -0,0 +1,158 @@
+# -*- coding: utf-8 -*-
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+import re
+
+from datetime import datetime, timedelta
+
+from openerp import api, fields, models, _
+
+from ..exceptions import PassError
+
+
+def delta_now(**kwargs):
+ dt = datetime.now() + timedelta(**kwargs)
+ return fields.Datetime.to_string(dt)
+
+
+class ResUsers(models.Model):
+ _inherit = 'res.users'
+
+ password_write_date = fields.Datetime(
+ 'Last password update',
+ readonly=True,
+ )
+ password_history_ids = fields.One2many(
+ string='Password History',
+ comodel_name='res.users.pass.history',
+ inverse_name='user_id',
+ readonly=True,
+ )
+
+ @api.model
+ def create(self, vals):
+ vals['password_write_date'] = fields.Datetime.now()
+ return super(ResUsers, self).create(vals)
+
+ @api.multi
+ def write(self, vals):
+ if vals.get('password'):
+ self.check_password(vals['password'])
+ vals['password_write_date'] = fields.Datetime.now()
+ return super(ResUsers, self).write(vals)
+
+ @api.multi
+ def password_match_message(self):
+ self.ensure_one()
+ company_id = self.company_id
+ message = []
+ if company_id.password_lower:
+ message.append('* ' + _('Lowercase letter'))
+ if company_id.password_upper:
+ message.append('* ' + _('Uppercase letter'))
+ if company_id.password_numeric:
+ message.append('* ' + _('Numeric digit'))
+ if company_id.password_special:
+ message.append('* ' + _('Special character'))
+ if len(message):
+ message = [_('Must contain the following:')] + message
+ if company_id.password_length:
+ message = [
+ _('Password must be %d characters or more.') %
+ company_id.password_length
+ ] + message
+ return '\r'.join(message)
+
+ @api.multi
+ def check_password(self, password):
+ self.ensure_one()
+ if not password:
+ return True
+ company_id = self.company_id
+ password_regex = ['^']
+ if company_id.password_lower:
+ password_regex.append('(?=.*?[a-z])')
+ if company_id.password_upper:
+ password_regex.append('(?=.*?[A-Z])')
+ if company_id.password_numeric:
+ password_regex.append(r'(?=.*?\d)')
+ if company_id.password_special:
+ password_regex.append(r'(?=.*?\W)')
+ password_regex.append('.{%d,}$' % company_id.password_length)
+ if not re.search(''.join(password_regex), password):
+ raise PassError(_(self.password_match_message()))
+ return True
+
+ @api.multi
+ def _password_has_expired(self):
+ self.ensure_one()
+ if not self.password_write_date:
+ return True
+ write_date = fields.Datetime.from_string(self.password_write_date)
+ today = fields.Datetime.from_string(fields.Datetime.now())
+ days = (today - write_date).days
+ return days > self.company_id.password_expiration
+
+ @api.multi
+ def action_expire_password(self):
+ expiration = delta_now(days=+1)
+ for rec_id in self:
+ rec_id.mapped('partner_id').signup_prepare(
+ signup_type="reset", expiration=expiration
+ )
+
+ @api.multi
+ def _validate_pass_reset(self):
+ """ It provides validations before initiating a pass reset email
+ :raises: PassError on invalidated pass reset attempt
+ :return: True on allowed reset
+ """
+ for rec_id in self:
+ pass_min = rec_id.company_id.password_minimum
+ if pass_min <= 0:
+ pass
+ write_date = fields.Datetime.from_string(
+ rec_id.password_write_date
+ )
+ delta = timedelta(hours=pass_min)
+ if write_date + delta > datetime.now():
+ raise PassError(
+ _('Passwords can only be reset every %d hour(s). '
+ 'Please contact an administrator for assistance.') %
+ pass_min,
+ )
+ return True
+
+ @api.multi
+ def _set_password(self, password):
+ """ It validates proposed password against existing history
+ :raises: PassError on reused password
+ """
+ crypt = self._crypt_context()[0]
+ for rec_id in self:
+ recent_passes = rec_id.company_id.password_history
+ if recent_passes < 0:
+ recent_passes = rec_id.password_history_ids
+ else:
+ recent_passes = rec_id.password_history_ids[
+ 0:recent_passes-1
+ ]
+ if len(recent_passes.filtered(
+ lambda r: crypt.verify(password, r.password_crypt)
+ )):
+ raise PassError(
+ _('Cannot use the most recent %d passwords') %
+ rec_id.company_id.password_history
+ )
+ super(ResUsers, self)._set_password(password)
+
+ @api.multi
+ def _set_encrypted_password(self, encrypted):
+ """ It saves password crypt history for history rules """
+ super(ResUsers, self)._set_encrypted_password(encrypted)
+ self.write({
+ 'password_history_ids': [(0, 0, {
+ 'password_crypt': encrypted,
+ })],
+ })
diff --git a/password_security/models/res_users_pass_history.py b/password_security/models/res_users_pass_history.py
new file mode 100644
index 0000000000..8778341ac0
--- /dev/null
+++ b/password_security/models/res_users_pass_history.py
@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+# Copyright 2016 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from openerp import fields, models
+
+
+class ResUsersPassHistory(models.Model):
+ _name = 'res.users.pass.history'
+ _description = 'Res Users Password History'
+
+ _order = 'user_id, date desc'
+
+ user_id = fields.Many2one(
+ string='User',
+ comodel_name='res.users',
+ ondelete='cascade',
+ index=True,
+ )
+ password_crypt = fields.Char(
+ string='Encrypted Password',
+ )
+ date = fields.Datetime(
+ default=lambda s: fields.Datetime.now(),
+ index=True,
+ )
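Review bot: The history check in `_set_password` of res_users.py slices `rec_id.password_history_ids[0:recent_passes-1]`, which compares against one entry fewer than `password_history` asks for, checks nothing when the setting is 1, and for 0 (documented as the "disable" value) becomes `[0:-1]` and checks every entry but the last. The slice should be `[:recent_passes]` with an explicit skip for 0, as sketched below. In `_validate_pass_reset`, `if pass_min <= 0: pass` does not skip the record; it should be `continue`, and a user whose `password_write_date` is empty will presumably fail on `write_date + delta` a few lines later. That method and `delta_now` also use `datetime.now()` while the stored timestamp comes from `fields.Datetime.now()`, so it is worth confirming both are in the same timezone.

```python
        for rec_id in self:
            recent_passes = rec_id.company_id.password_history
            if not recent_passes:
                # 0 disables the history rule for this company
                continue
            history = rec_id.password_history_ids
            if recent_passes > 0:
                # negative keeps the full history; otherwise the N newest rows
                history = history[:recent_passes]
            if history.filtered(
                lambda r: crypt.verify(password, r.password_crypt)
            ):
                # … unchanged: raise PassError …
```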
diff --git a/password_security/security/ir.model.access.csv b/password_security/security/ir.model.access.csv new file mode 100644 index 0000000000..0936e18777 --- /dev/null +++ b/password_security/security/ir.model.access.csv @@ -0,0 +1,2 @@ +id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink +access_res_users_pass_history,access_res_users_pass_history,model_res_users_pass_history,base.group_user,1,0,1,0 diff --git a/password_security/security/res_users_pass_history.xml b/password_security/security/res_users_pass_history.xml new file mode 100644 index 0000000000..d3d984b039 --- /dev/null +++ b/password_security/security/res_users_pass_history.xml @@ -0,0 +1,19 @@ + + + + + + + + Res Users Pass History Access + + + [ + ('user_id', '=', user.id) + ] + + + 
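Review bot: The ACL row grants `base.group_user` read and create on `res.users.pass.history`, and that model's `password_crypt` column holds the hashes of previous passwords, so an internal user can read those hashes over RPC for whatever records the rule domain `('user_id', '=', user.id)` lets through. If nothing outside `_set_password` and `_set_encrypted_password` needs the rows, consider setting `perm_read` and `perm_create` to 0 and having those two methods go through `sudo()` instead. The rule's group and permission flags are not visible in this rendering of the XML, so which operations it actually restricts should be confirmed.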
diff --git a/password_security/static/description/icon.png b/password_security/static/description/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..3a0328b516c4980e8e44cdb63fd945757ddd132d GIT binary patch literal 9455 zcmW++2RxMjAAjx~&dlBk9S+%}OXg)AGE&Cb*&}d0jUxM@u(PQx^-s)697TX`ehR4?GS^qbkof1cslKgkU)h65qZ9Oc=ml_0temigYLJfnz{IDzUf>bGs4N!v3=Z3jMq&A#7%rM5eQ#dc?k~! zVpnB`o+K7|Al`Q_U;eD$B zfJtP*jH`siUq~{KE)`jP2|#TUEFGRryE2`i0**z#*^6~AI|YzIWy$Cu#CSLW3q=GA z6`?GZymC;dCPk~rBS%eCb`5OLr;RUZ;D`}um=H)BfVIq%7VhiMr)_#G0N#zrNH|__ zc+blN2UAB0=617@>_u;MPHN;P;N#YoE=)R#i$k_`UAA>WWCcEVMh~L_ zj--gtp&|K1#58Yz*AHCTMziU1Jzt_jG0I@qAOHsk$2}yTmVkBp_eHuY$A9)>P6o~I z%aQ?!(GqeQ-Y+b0I(m9pwgi(IIZZzsbMv+9w{PFtd_<_(LA~0H(xz{=FhLB@(1&qHA5EJw1>>=%q2f&^X>IQ{!GJ4e9U z&KlB)z(84HmNgm2hg2C0>WM{E(DdPr+EeU_N@57;PC2&DmGFW_9kP&%?X4}+xWi)( z;)z%wI5>D4a*5XwD)P--sPkoY(a~WBw;E~AW`Yue4kFa^LM3X`8x|}ZUeMnqr}>kH zG%WWW>3ml$Yez?i%)2pbKPI7?5o?hydokgQyZsNEr{a|mLdt;X2TX(#B1j35xPnPW z*bMSSOauW>o;*=kO8ojw91VX!qoOQb)zHJ!odWB}d+*K?#sY_jqPdg{Sm2HdYzdEx zOGVPhVRTGPtv0o}RfVP;Nd(|CB)I;*t&QO8h zFfekr30S!-LHmV_Su-W+rEwYXJ^;6&3|L$mMC8*bQptyOo9;>Qb9Q9`ySe3%V$A*9 zeKEe+b0{#KWGp$F+tga)0RtI)nhMa-K@JS}2krK~n8vJ=Ngm?R!9G<~RyuU0d?nz# z-5EK$o(!F?hmX*2Yt6+coY`6jGbb7tF#6nHA zuKk=GGJ;ZwON1iAfG$E#Y7MnZVmrY|j0eVI(DN_MNFJmyZ|;w4tf@=CCDZ#5N_0K= z$;R~bbk?}TpfDjfB&aiQ$VA}s?P}xPERJG{kxk5~R`iRS(SK5d+Xs9swCozZISbnS zk!)I0>t=A<-^z(cmSFz3=jZ23u13X><0b)P)^1T_))Kr`e!-pb#q&J*Q`p+B6la%C zuVl&0duN<;uOsB3%T9Fp8t{ED108<+W(nOZd?gDnfNBC3>M8WE61$So|P zVvqH0SNtDTcsUdzaMDpT=Ty0pDHHNL@Z0w$Y`XO z2M-_r1S+GaH%pz#Uy0*w$Vdl=X=rQXEzO}d6J^R6zjM1u&c9vYLvLp?W7w(?np9x1 zE_0JSAJCPB%i7p*Wvg)pn5T`8k3-uR?*NT|J`eS#_#54p>!p(mLDvmc-3o0mX*mp_ zN*AeS<>#^-{S%W<*mz^!X$w_2dHWpcJ6^j64qFBft-o}o_Vx80o0>}Du;>kLts;$8 zC`7q$QI(dKYG`Wa8#wl@V4jVWBRGQ@1dr-hstpQL)Tl+aqVpGpbSfN>5i&QMXfiZ> zaA?T1VGe?rpQ@;+pkrVdd{klI&jVS@I5_iz!=UMpTsa~mBga?1r}aRBm1WS;TT*s0f0lY=JBl66Upy)-k4J}lh=P^8(SXk~0xW=T9v*B|gzIhN 
z>qsO7dFd~mgxAy4V?&)=5ieYq?zi?ZEoj)&2o)RLy=@hbCRcfT5jigwtQGE{L*8<@Yd{zg;CsL5mvzfDY}P-wos_6PfprFVaeqNE%h zKZhLtcQld;ZD+>=nqN~>GvROfueSzJD&BE*}XfU|H&(FssBqY=hPCt`d zH?@s2>I(|;fcW&YM6#V#!kUIP8$Nkdh0A(bEVj``-AAyYgwY~jB zT|I7Bf@%;7aL7Wf4dZ%VqF$eiaC38OV6oy3Z#TER2G+fOCd9Iaoy6aLYbPTN{XRPz z;U!V|vBf%H!}52L2gH_+j;`bTcQRXB+y9onc^wLm5wi3-Be}U>k_u>2Eg$=k!(l@I zcCg+flakT2Nej3i0yn+g+}%NYb?ta;R?(g5SnwsQ49U8Wng8d|{B+lyRcEDvR3+`O{zfmrmvFrL6acVP%yG98X zo&+VBg@px@i)%o?dG(`T;n*$S5*rnyiR#=wW}}GsAcfyQpE|>a{=$Hjg=-*_K;UtD z#z-)AXwSRY?OPefw^iI+ z)AXz#PfEjlwTes|_{sB?4(O@fg0AJ^g8gP}ex9Ucf*@_^J(s_5jJV}c)s$`Myn|Kd z$6>}#q^n{4vN@+Os$m7KV+`}c%4)4pv@06af4-x5#wj!KKb%caK{A&Y#Rfs z-po?Dcb1({W=6FKIUirH&(yg=*6aLCekcKwyfK^JN5{wcA3nhO(o}SK#!CINhI`-I z1)6&n7O&ZmyFMuNwvEic#IiOAwNkR=u5it{B9n2sAJV5pNhar=j5`*N!Na;c7g!l$ z3aYBqUkqqTJ=Re-;)s!EOeij=7SQZ3Hq}ZRds%IM*PtM$wV z@;rlc*NRK7i3y5BETSKuumEN`Xu_8GP1Ri=OKQ$@I^ko8>H6)4rjiG5{VBM>B|%`&&s^)jS|-_95&yc=GqjNo{zFkw%%HHhS~e=s zD#sfS+-?*t|J!+ozP6KvtOl!R)@@-z24}`9{QaVLD^9VCSR2b`b!KC#o;Ki<+wXB6 zx3&O0LOWcg4&rv4QG0)4yb}7BFSEg~=IR5#ZRj8kg}dS7_V&^%#Do==#`u zpy6{ox?jWuR(;pg+f@mT>#HGWHAJRRDDDv~@(IDw&R>9643kK#HN`!1vBJHnC+RM&yIh8{gG2q zA%e*U3|N0XSRa~oX-3EAneep)@{h2vvd3Xvy$7og(sayr@95+e6~Xvi1tUqnIxoIH zVWo*OwYElb#uyW{Imam6f2rGbjR!Y3`#gPqkv57dB6K^wRGxc9B(t|aYDGS=m$&S!NmCtrMMaUg(c zc2qC=2Z`EEFMW-me5B)24AqF*bV5Dr-M5ig(l-WPS%CgaPzs6p_gnCIvTJ=Y<6!gT zVt@AfYCzjjsMEGi=rDQHo0yc;HqoRNnNFeWZgcm?f;cp(6CNylj36DoL(?TS7eU#+ z7&mfr#y))+CJOXQKUMZ7QIdS9@#-}7y2K1{8)cCt0~-X0O!O?Qx#E4Og+;A2SjalQ zs7r?qn0H044=sDN$SRG$arw~n=+T_DNdSrarmu)V6@|?1-ZB#hRn`uilTGPJ@fqEy zGt(f0B+^JDP&f=r{#Y_wi#AVDf-y!RIXU^0jXsFpf>=Ji*TeqSY!H~AMbJdCGLhC) zn7Rx+sXw6uYj;WRYrLd^5IZq@6JI1C^YkgnedZEYy<&4(z%Q$5yv#Boo{AH8n$a zhb4Y3PWdr269&?V%uI$xMcUrMzl=;w<_nm*qr=c3Rl@i5wWB;e-`t7D&c-mcQl7x! 
zZWB`UGcw=Y2=}~wzrfLx=uet<;m3~=8I~ZRuzvMQUQdr+yTV|ATf1Uuomr__nDf=X zZ3WYJtHp_ri(}SQAPjv+Y+0=fH4krOP@S&=zZ-t1jW1o@}z;xk8 z(Nz1co&El^HK^NrhVHa-_;&88vTU>_J33=%{if;BEY*J#1n59=07jrGQ#IP>@u#3A z;!q+E1Rj3ZJ+!4bq9F8PXJ@yMgZL;>&gYA0%_Kbi8?S=XGM~dnQZQ!yBSgcZhY96H zrWnU;k)qy`rX&&xlDyA%(a1Hhi5CWkmg(`Gb%m(HKi-7Z!LKGRP_B8@`7&hdDy5n= z`OIxqxiVfX@OX1p(mQu>0Ai*v_cTMiw4qRt3~NBvr9oBy0)r>w3p~V0SCm=An6@3n)>@z!|o-$HvDK z|3D2ZMJkLE5loMKl6R^ez@Zz%S$&mbeoqH5`Bb){Ei21q&VP)hWS2tjShfFtGE+$z zzCR$P#uktu+#!w)cX!lWN1XU%K-r=s{|j?)Akf@q#3b#{6cZCuJ~gCxuMXRmI$nGtnH+-h z+GEi!*X=AP<|fG`1>MBdTb?28JYc=fGvAi2I<$B(rs$;eoJCyR6_bc~p!XR@O-+sD z=eH`-ye})I5ic1eL~TDmtfJ|8`0VJ*Yr=hNCd)G1p2MMz4C3^Mj?7;!w|Ly%JqmuW zlIEW^Ft%z?*|fpXda>Jr^1noFZEwFgVV%|*XhH@acv8rdGxeEX{M$(vG{Zw+x(ei@ zmfXb22}8-?Fi`vo-YVrTH*C?a8%M=Hv9MqVH7H^J$KsD?>!SFZ;ZsvnHr_gn=7acz z#W?0eCdVhVMWN12VV^$>WlQ?f;P^{(&pYTops|btm6aj>_Uz+hqpGwB)vWp0Cf5y< zft8-je~nn?W11plq}N)4A{l8I7$!ks_x$PXW-2XaRFswX_BnF{R#6YIwMhAgd5F9X zGmwdadS6(a^fjHtXg8=l?Rc0Sm%hk6E9!5cLVloEy4eh(=FwgP`)~I^5~pBEWo+F6 zSf2ncyMurJN91#cJTy_u8Y}@%!bq1RkGC~-bV@SXRd4F{R-*V`bS+6;W5vZ(&+I<9$;-V|eNfLa5n-6% z2(}&uGRF;p92eS*sE*oR$@pexaqr*meB)VhmIg@h{uzkk$9~qh#cHhw#>O%)b@+(| z^IQgqzuj~Sk(J;swEM-3TrJAPCq9k^^^`q{IItKBRXYe}e0Tdr=Huf7da3$l4PdpwWDop%^}n;dD#K4s#DYA8SHZ z&1!riV4W4R7R#C))JH1~axJ)RYnM$$lIR%6fIVA@zV{XVyx}C+a-Dt8Y9M)^KU0+H zR4IUb2CJ{Hg>CuaXtD50jB(_Tcx=Z$^WYu2u5kubqmwp%drJ6 z?Fo40g!Qd<-l=TQxqHEOuPX0;^z7iX?Ke^a%XT<13TA^5`4Xcw6D@Ur&VT&CUe0d} z1GjOVF1^L@>O)l@?bD~$wzgf(nxX1OGD8fEV?TdJcZc2KoUe|oP1#=$$7ee|xbY)A zDZq+cuTpc(fFdj^=!;{k03C69lMQ(|>uhRfRu%+!k&YOi-3|1QKB z z?n?eq1XP>p-IM$Z^C;2L3itnbJZAip*Zo0aw2bs8@(s^~*8T9go!%dHcAz2lM;`yp zD=7&xjFV$S&5uDaiScyD?B-i1ze`+CoRtz`Wn+Zl&#s4&}MO{@N!ufrzjG$B79)Y2d3tBk&)TxUTw@QS0TEL_?njX|@vq?Uz(nBFK5Pq7*xj#u*R&i|?7+6# z+|r_n#SW&LXhtheZdah{ZVoqwyT{D>MC3nkFF#N)xLi{p7J1jXlmVeb;cP5?e(=f# zuT7fvjSbjS781v?7{)-X3*?>tq?)Yd)~|1{BDS(pqC zC}~H#WXlkUW*H5CDOo<)#x7%RY)A;ShGhI5s*#cRDA8YgqG(HeKDx+#(ZQ?386dv! 
zlXCO)w91~Vw4AmOcATuV653fa9R$fyK8ul%rG z-wfS zihugoZyr38Im?Zuh6@RcF~t1anQu7>#lPpb#}4cOA!EM11`%f*07RqOVkmX{p~KJ9 z^zP;K#|)$`^Rb{rnHGH{~>1(fawV0*Z#)}M`m8-?ZJV<+e}s9wE# z)l&az?w^5{)`S(%MRzxdNqrs1n*-=jS^_jqE*5XDrA0+VE`5^*p3CuM<&dZEeCjoz zR;uu_H9ZPZV|fQq`Cyw4nscrVwi!fE6ciMmX$!_hN7uF;jjKG)d2@aC4ropY)8etW=xJvni)8eHi`H$%#zn^WJ5NLc-rqk|u&&4Z6fD_m&JfSI1Bvb?b<*n&sfl0^t z=HnmRl`XrFvMKB%9}>PaA`m-fK6a0(8=qPkWS5bb4=v?XcWi&hRY?O5HdulRi4?fN zlsJ*N-0Qw+Yic@s0(2uy%F@ib;GjXt01Fmx5XbRo6+n|pP(&nodMoap^z{~q ziEeaUT@Mxe3vJSfI6?uLND(CNr=#^W<1b}jzW58bIfyWTDle$mmS(|x-0|2UlX+9k zQ^EX7Nw}?EzVoBfT(-LT|=9N@^hcn-_p&sqG z&*oVs2JSU+N4ZD`FhCAWaS;>|wH2G*Id|?pa#@>tyxX`+4HyIArWDvVrX)2WAOQff z0qyHu&-S@i^MS-+j--!pr4fPBj~_8({~e1bfcl0wI1kaoN>mJL6KUPQm5N7lB(ui1 zE-o%kq)&djzWJ}ob<-GfDlkB;F31j-VHKvQUGQ3sp`CwyGJk_i!y^sD0fqC@$9|jO zOqN!r!8-p==F@ZVP=U$qSpY(gQ0)59P1&t@y?5rvg<}E+GB}26NYPp4f2YFQrQtot5mn3wu_qprZ=>Ig-$ zbW26Ws~IgY>}^5w`vTB(G`PTZaDiGBo5o(tp)qli|NeV( z@H_=R8V39rt5J5YB2Ky?4eJJ#b`_iBe2ot~6%7mLt5t8Vwi^Jy7|jWXqa3amOIoRb zOr}WVFP--DsS`1WpN%~)t3R!arKF^Q$e12KEqU36AWwnCBICpH4XCsfnyrHr>$I$4 z!DpKX$OKLWarN7nv@!uIA+~RNO)l$$w}p(;b>mx8pwYvu;dD_unryX_NhT8*Tj>BTrTTL&!?O+%Rv;b?B??gSzdp?6Uug9{ zd@V08Z$BdI?fpoCS$)t4mg4rT8Q_I}h`0d-vYZ^|dOB*Q^S|xqTV*vIg?@fVFSmMpaw0qtTRbx} z({Pg?#{2`sc9)M5N$*N|4;^t$+QP?#mov zGVC@I*lBVrOU-%2y!7%)fAKjpEFsgQc4{amtiHb95KQEwvf<(3T<9-Zm$xIew#P22 zc2Ix|App^>v6(3L_MCU0d3W##AB0M~3D00EWoKZqsJYT(#@w$Y_H7G22M~ApVFTRHMI_3be)Lkn#0F*V8Pq zc}`Cjy$bE;FJ6H7p=0y#R>`}-m4(0F>%@P|?7fx{=R^uFdISRnZ2W_xQhD{YuR3t< z{6yxu=4~JkeA;|(J6_nv#>Nvs&FuLA&PW^he@t(UwFFE8)|a!R{`E`K`i^ZnyE4$k z;(749Ix|oi$c3QbEJ3b~D_kQsPz~fIUKym($a_7dJ?o+40*OLl^{=&oq$<#Q(yyrp z{J-FAniyAw9tPbe&IhQ|a`DqFTVQGQ&Gq3!C2==4x{6EJwiPZ8zub-iXoUtkJiG{} zPaR&}_fn8_z~(=;5lD-aPWD3z8PZS@AaUiomF!G8I}Mf>e~0g#BelA-5#`cj;O5>N Xviia!U7SGha1wx#SCgwmn*{w2TRX*I literal 0 HcmV?d00001 diff --git a/password_security/tests/__init__.py b/password_security/tests/__init__.py new file mode 100644 index 0000000000..2263c21e70 --- /dev/null 
+++ b/password_security/tests/__init__.py
@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from . import test_res_users
+from . import test_password_security_home
+from . import test_password_security_session
diff --git a/password_security/tests/test_password_security_home.py b/password_security/tests/test_password_security_home.py
new file mode 100644
index 0000000000..3a9eafc718
--- /dev/null
+++ b/password_security/tests/test_password_security_home.py
@@ -0,0 +1,269 @@ +# -*- coding: utf-8 -*- +# Copyright 2016 LasLabs Inc. +# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). + +import mock + +from contextlib import contextmanager + +from openerp.tests.common import TransactionCase +from openerp.http import Response + +from ..controllers import main + + +IMPORT = 'openerp.addons.password_security.controllers.main' + + +class EndTestException(Exception): + """ It allows for isolation of resources by raise """ + + +class MockResponse(object): + def __new__(cls): + return mock.Mock(spec=Response) + + +class MockPassError(main.PassError): + def __init__(self): + super(MockPassError, self).__init__('Message') + + +class TestPasswordSecurityHome(TransactionCase): + + def setUp(self): + super(TestPasswordSecurityHome, self).setUp() + self.PasswordSecurityHome = main.PasswordSecurityHome + self.password_security_home = self.PasswordSecurityHome() + self.passwd = 'I am a password!' + self.qcontext = { + 'password': self.passwd, + } + + @contextmanager + def mock_assets(self): + """ It mocks and returns assets used by this controller """ + methods = ['do_signup', 'web_login', 'web_auth_signup', + 'web_auth_reset_password', + ] + with mock.patch.multiple( + main.AuthSignupHome, **{m: mock.DEFAULT for m in methods} + ) as _super: + mocks = {} + for method in methods: + mocks[method] = _super[method] + mocks[method].return_value = MockResponse() + with mock.patch('%s.request' % IMPORT) as request: + with mock.patch('%s.ensure_db' % IMPORT) as ensure: + with mock.patch('%s.http' % IMPORT) as http: + http.redirect_with_hash.return_value = \ + MockResponse() + mocks.update({ + 'request': request, + 'ensure_db': ensure, + 'http': http, + }) + yield mocks + + def test_do_signup_check(self): + """ It should check password on user """ + with self.mock_assets() as assets: + check_password = assets['request'].env.user.check_password + check_password.side_effect = EndTestException + with 
self.assertRaises(EndTestException): + self.password_security_home.do_signup(self.qcontext) + check_password.assert_called_once_with( + self.passwd, + ) + + def test_do_signup_return(self): + """ It should return result of super """ + with self.mock_assets() as assets: + res = self.password_security_home.do_signup(self.qcontext) + self.assertEqual(assets['do_signup'](), res) + + def test_web_login_ensure_db(self): + """ It should verify available db """ + with self.mock_assets() as assets: + assets['ensure_db'].side_effect = EndTestException + with self.assertRaises(EndTestException): + self.password_security_home.web_login() + + def test_web_login_super(self): + """ It should call superclass w/ proper args """ + expect_list = [1, 2, 3] + expect_dict = {'test1': 'good1', 'test2': 'good2'} + with self.mock_assets() as assets: + assets['web_login'].side_effect = EndTestException + with self.assertRaises(EndTestException): + self.password_security_home.web_login( + *expect_list, **expect_dict + ) + assets['web_login'].assert_called_once_with( + *expect_list, **expect_dict + ) + + def test_web_login_no_post(self): + """ It should return immediate result of super when not POST """ + with self.mock_assets() as assets: + assets['request'].httprequest.method = 'GET' + assets['request'].session.authenticate.side_effect = \ + EndTestException + res = self.password_security_home.web_login() + self.assertEqual( + assets['web_login'](), res, + ) + + def test_web_login_authenticate(self): + """ It should attempt authentication to obtain uid """ + with self.mock_assets() as assets: + assets['request'].httprequest.method = 'POST' + authenticate = assets['request'].session.authenticate + request = assets['request'] + authenticate.side_effect = EndTestException + with self.assertRaises(EndTestException): + self.password_security_home.web_login() + authenticate.assert_called_once_with( + request.session.db, + request.params['login'], + request.params['password'], + ) + + def 
test_web_login_authenticate_fail(self):
+ """ It should return super result if failed auth """
+ with self.mock_assets() as assets:
+ authenticate = assets['request'].session.authenticate
+ request = assets['request']
+ request.httprequest.method = 'POST'
+ request.env['res.users'].sudo.side_effect = EndTestException
+ authenticate.return_value = False
+ res = self.password_security_home.web_login()
+ self.assertEqual(
+ assets['web_login'](), res,
+ )
+
+ def test_web_login_get_user(self):
+ """ It should get the proper user as sudo """
+ with self.mock_assets() as assets:
+ request = assets['request']
+ request.httprequest.method = 'POST'
+ sudo = request.env['res.users'].sudo()
+ sudo.browse.side_effect = EndTestException
+ with self.assertRaises(EndTestException):
+ self.password_security_home.web_login()
+ sudo.browse.assert_called_once_with(
+ request.uid
+ )
+
+ def test_web_login_valid_pass(self):
+ """ It should return parent result if pass isn't expired """
+ with self.mock_assets() as assets:
+ request = assets['request']
+ request.httprequest.method = 'POST'
+ user = request.env['res.users'].sudo().browse()
+ user.action_expire_password.side_effect = EndTestException
+ user._password_has_expired.return_value = False
+ res = self.password_security_home.web_login()
+ self.assertEqual(
+ assets['web_login'](), res,
+ )
+
+ def test_web_login_expire_pass(self):
+ """ It should expire password if necessary """
+ with self.mock_assets() as assets:
+ request = assets['request']
+ request.httprequest.method = 'POST'
+ user = request.env['res.users'].sudo().browse()
+ user.action_expire_password.side_effect = EndTestException
+ user._password_has_expired.return_value = True
+ with self.assertRaises(EndTestException):
+ self.password_security_home.web_login()
+
+ def test_web_login_redirect(self):
+ """ It should redirect w/ hash to reset after expiration """
+ with self.mock_assets() as assets:
+ request = assets['request']
+ request.httprequest.method = 'POST'
+ user = request.env['res.users'].sudo().browse()
+ user._password_has_expired.return_value = True
+ res = self.password_security_home.web_login()
+ self.assertEqual(
+ assets['http'].redirect_with_hash(), res,
+ )
+
+ def test_web_auth_signup_valid(self):
+ """ It should return super if no errors """
+ with self.mock_assets() as assets:
+ res = self.password_security_home.web_auth_signup()
+ self.assertEqual(
+ assets['web_auth_signup'](), res,
+ )
+
+ def test_web_auth_signup_invalid_qcontext(self):
+ """ It should catch PassError and get signup qcontext """
+ with self.mock_assets() as assets:
+ with mock.patch.object(
+ main.AuthSignupHome, 'get_auth_signup_qcontext',
+ ) as qcontext:
+ assets['web_auth_signup'].side_effect = MockPassError
+ qcontext.side_effect = EndTestException
+ with self.assertRaises(EndTestException):
+ self.password_security_home.web_auth_signup()
+
+ def test_web_auth_signup_invalid_render(self):
+ """ It should render & return signup form on invalid """
+ with self.mock_assets() as assets:
+ with mock.patch.object(
+ main.AuthSignupHome, 'get_auth_signup_qcontext', spec=dict
+ ) as qcontext:
+ assets['web_auth_signup'].side_effect = MockPassError
+ res = self.password_security_home.web_auth_signup()
+ assets['request'].render.assert_called_once_with(
+ 'auth_signup.signup', qcontext(),
+ )
+ self.assertEqual(
+ assets['request'].render(), res,
+ )
+
+ def test_web_auth_reset_password_fail_login(self):
+ """ It should raise from failed _validate_pass_reset by login """
+ with self.mock_assets() as assets:
+ with mock.patch.object(
+ main.AuthSignupHome, 'get_auth_signup_qcontext', spec=dict
+ ) as qcontext:
+ qcontext['login'] = 'login'
+ search = assets['request'].env.sudo().search
+ assets['request'].httprequest.method = 'POST'
+ user = mock.MagicMock()
+ user._validate_pass_reset.side_effect = MockPassError
+ search.return_value = user
+ with self.assertRaises(MockPassError):
+ self.password_security_home.web_auth_reset_password()
+
+ def test_web_auth_reset_password_fail_email(self):
+ """ It should raise from failed _validate_pass_reset by email """
+ with self.mock_assets() as assets:
+ with mock.patch.object(
+ main.AuthSignupHome, 'get_auth_signup_qcontext', spec=dict
+ ) as qcontext:
+ qcontext['login'] = 'login'
+ search = assets['request'].env.sudo().search
+ assets['request'].httprequest.method = 'POST'
+ user = mock.MagicMock()
+ user._validate_pass_reset.side_effect = MockPassError
+ search.side_effect = [[], user]
+ with self.assertRaises(MockPassError):
+ self.password_security_home.web_auth_reset_password()
+
+ def test_web_auth_reset_password_success(self):
+ """ It should return parent response on no validate errors """
+ with self.mock_assets() as assets:
+ with mock.patch.object(
+ main.AuthSignupHome, 'get_auth_signup_qcontext', spec=dict
+ ) as qcontext:
+ qcontext['login'] = 'login'
+ assets['request'].httprequest.method = 'POST'
+ res = self.password_security_home.web_auth_reset_password()
+ self.assertEqual(
+ assets['web_auth_reset_password'](), res,
+ )
diff --git a/password_security/tests/test_password_security_session.py b/password_security/tests/test_password_security_session.py
new file mode 100644
index 0000000000..2258b89eb5
--- /dev/null
+++ b/password_security/tests/test_password_security_session.py
@@ -0,0 +1,58 @@
+# -*- coding: utf-8 -*-
+# Copyright 2016 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+import mock
+
+from contextlib import contextmanager
+
+from openerp.tests.common import TransactionCase
+
+from ..controllers import main
+
+
+IMPORT = 'openerp.addons.password_security.controllers.main'
+
+
+class EndTestException(Exception):
+ """ It allows for isolation of resources by raise """
+
+
+class TestPasswordSecuritySession(TransactionCase):
+
+ def setUp(self):
+ super(TestPasswordSecuritySession, self).setUp()
+ self.PasswordSecuritySession = main.PasswordSecuritySession
+ self.password_security_session = self.PasswordSecuritySession()
+ self.passwd = 'I am a password!'
+ self.fields = [
+ {'name': 'new_password', 'value': self.passwd},
+ ]
+
+ @contextmanager
+ def mock_assets(self):
+ """ It mocks and returns assets used by this controller """
+ with mock.patch('%s.request' % IMPORT) as request:
+ yield {
+ 'request': request,
+ }
+
+ def test_change_password_check(self):
+ """ It should check password on request user """
+ with self.mock_assets() as assets:
+ check_password = assets['request'].env.user.check_password
+ check_password.side_effect = EndTestException
+ with self.assertRaises(EndTestException):
+ self.password_security_session.change_password(self.fields)
+ check_password.assert_called_once_with(
+ self.passwd,
+ )
+
+ def test_change_password_return(self):
+ """ It should return result of super """
+ with self.mock_assets():
+ with mock.patch.object(main.Session, 'change_password') as chg:
+ res = self.password_security_session.change_password(
+ self.fields
+ )
+ self.assertEqual(chg(), res)
diff --git a/password_security/tests/test_res_users.py b/password_security/tests/test_res_users.py
new file mode 100644
index 0000000000..6ce341ef5c
--- /dev/null
+++ b/password_security/tests/test_res_users.py
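Review bot: `test_change_password_check` in test_password_security_session.py shows that an exception from `check_password` propagates, but it does not pin that the parent `Session.change_password` is left uncalled when the policy check fails, so a controller that stored the password before validating it would not necessarily be caught. Patching the parent in that test the way `test_change_password_return` does, and finishing with `self.assertFalse(chg.called)`, would fix the ordering. `test_change_password_return` compares two values read from the same mock and never checks what was forwarded; adding `chg.assert_called_once_with(self.fields)` before the `assertEqual` would cover that, assuming the controller passes `fields` through unchanged (the controller itself is not in this hunk).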
@@ -0,0 +1,148 @@
+# -*- coding: utf-8 -*-
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+import time
+
+from openerp.tests.common import TransactionCase
+
+from ..exceptions import PassError
+
+
+class TestResUsers(TransactionCase):
+
+ def setUp(self):
+ super(TestResUsers, self).setUp()
+ self.login = 'foslabs@example.com'
+ self.partner_vals = {
+ 'name': 'Partner',
+ 'is_company': False,
+ 'email': self.login,
+ }
+ self.password = 'asdQWE123$%^'
+ self.main_comp = self.env.ref('base.main_company')
+ self.vals = {
+ 'name': 'User',
+ 'login': self.login,
+ 'password': self.password,
+ 'company_id': self.main_comp.id
+ }
+ self.model_obj = self.env['res.users']
+
+ def _new_record(self):
+ partner_id = self.env['res.partner'].create(self.partner_vals)
+ self.vals['partner_id'] = partner_id.id
+ return self.model_obj.create(self.vals)
+
+ def test_password_write_date_is_saved_on_create(self):
+ rec_id = self._new_record()
+ self.assertTrue(
+ rec_id.password_write_date,
+ 'Password write date was not saved to db.',
+ )
+
+ def test_password_write_date_is_updated_on_write(self):
+ rec_id = self._new_record()
+ old_write_date = rec_id.password_write_date
+ time.sleep(2)
+ rec_id.write({'password': 'asdQWE123$%^2'})
+ rec_id.refresh()
+ new_write_date = rec_id.password_write_date
+ self.assertNotEqual(
+ old_write_date, new_write_date,
+ 'Password write date was not updated on write.',
+ )
+
+ def test_does_not_update_write_date_if_password_unchanged(self):
+ rec_id = self._new_record()
+ old_write_date = rec_id.password_write_date
+ time.sleep(2)
+ rec_id.write({'name': 'Luser'})
+ rec_id.refresh()
+ new_write_date = rec_id.password_write_date
+ self.assertEqual(
+ old_write_date, new_write_date,
+ 'Password not changed but write date updated anyway.',
+ )
+
+ def test_check_password_returns_true_for_valid_password(self):
+ rec_id = self._new_record()
+ self.assertTrue(
+ rec_id.check_password('asdQWE123$%^3'),
+ 'Password is valid but check failed.',
+ )
+
+ def test_check_password_raises_error_for_invalid_password(self):
+ rec_id = self._new_record()
+ with self.assertRaises(PassError):
+ rec_id.check_password('password')
+
+ def test_save_password_crypt(self):
+ rec_id = self._new_record()
+ self.assertEqual(
+ 1, len(rec_id.password_history_ids),
+ )
+
+ def test_check_password_crypt(self):
+ """ It should raise PassError if previously used """
+ rec_id = self._new_record()
+ with self.assertRaises(PassError):
+ rec_id.write({'password': self.password})
+
+ def test_password_is_expired_if_record_has_no_write_date(self):
+ rec_id = self._new_record()
+ rec_id.write({'password_write_date': None})
+ rec_id.refresh()
+ self.assertTrue(
+ rec_id._password_has_expired(),
+ 'Record has no password write date but check failed.',
+ )
+
+ def test_an_old_password_is_expired(self):
+ rec_id = self._new_record()
+ old_write_date = '1970-01-01 00:00:00'
+ rec_id.write({'password_write_date': old_write_date})
+ rec_id.refresh()
+ self.assertTrue(
+ rec_id._password_has_expired(),
+ 'Password is out of date but check failed.',
+ )
+
+ def test_a_new_password_is_not_expired(self):
+ rec_id = self._new_record()
+ self.assertFalse(
+ rec_id._password_has_expired(),
+ 'Password was just created but has already expired.',
+ )
+
+ def test_expire_password_generates_token(self):
+ rec_id = self._new_record()
+ rec_id.sudo().action_expire_password()
+ rec_id.refresh()
+ token = rec_id.partner_id.signup_token
+ self.assertTrue(
+ token,
+ 'A token was not generated.',
+ )
+
+ def test_validate_pass_reset_error(self):
+ """ It should throw PassError on reset inside min threshold """
+ rec_id = self._new_record()
+ with self.assertRaises(PassError):
+ rec_id._validate_pass_reset()
+
+ def test_validate_pass_reset_allow(self):
+ """ It should allow reset pass when outside threshold """
+ rec_id = self._new_record()
+ rec_id.password_write_date =
'2016-01-01' + self.assertEqual( + True, rec_id._validate_pass_reset(), + ) + + def test_validate_pass_reset_zero(self): + """ It should allow reset pass when <= 0 """ + rec_id = self._new_record() + rec_id.company_id.password_minimum = 0 + self.assertEqual( + True, rec_id._validate_pass_reset(), + ) diff --git a/password_security/views/res_company_view.xml b/password_security/views/res_company_view.xml new file mode 100644 index 0000000000..408b33d838 --- /dev/null +++ b/password_security/views/res_company_view.xml @@ -0,0 +1,42 @@ + + + + + + + + res.company.form + res.company + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
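Review bot: `test_check_password_crypt` in test_res_users.py only writes back the password that is still current, so it would pass even if the history rule compared against nothing but the latest entry. To exercise reuse of an older password, change it once and then try to go back: `rec_id.write({'password': 'asdQWE123$%^2'})` followed by `with self.assertRaises(PassError): rec_id.write({'password': self.password})`. `test_save_password_crypt` likewise only counts history rows; an assertion that the stored value differs from `self.password` would document that cleartext is never kept, though the history model's field is defined outside this hunk. `test_validate_pass_reset_error` depends on the company default for `password_minimum`, so setting a positive value explicitly in the test would keep it independent of that default.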