Emulate Active Directory password complexity requirements in Plone
Project description
collective.pwexpiry
===================
Introduction
============
The ``collective.pwexpiry`` package is an add-on Product for Plone that brings the
feature of controlling the password expiration in Plone. It is useful when there's
a need of forcing the portal's members to follow the specific password policy.
Features
========
* Possibility to register and define custom password validation methods
* Possibility to define user's passwords period of validity
* Possibility to check if the password has been used in the last x variants. And disallow
reuse.
* Possibility to register custom notification actions to be triggered when the password's
period of validity is getting closer
* Provides a script that can be periodically executed from the command line (i.e. by cron).
The script checks for the user's passwords expiration dates and triggers the registered
notification actions (i.e. sending email to the relevant users).
* Provides a protection mechanizm to avoid notifying given user twice the same day
* Possibility to lock an account if too many invalid password attemps were tried
Installation
============
1. Add collective.pwexpiry to your plone.recipe.zope2instance section's eggs::
[instance]
recipe = plone.recipe.zope2instance
...
eggs =
...
collective.pwexpiry
2. Install the Product via portal_quickinstaller.
Configuration and customization
===============================
Password period of validity
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The password's period of validity is set in the configuration registry tool, and have
a default value of 90 days. It can be easily customized by creating a registry.xml file
in your custom pakage's gereric setup profile containing the configuration code::
<registry>
<record name="collective.pwexpiry.validity_period">
<value>360</value>
</record>
</registry>
To disable password expiration, set `validity_period` to `0`.
Last X Passwords check
~~~~~~~~~~~~~~~~~~~~~~
It's possible to check if the new password has already been used (a history of the last `password_history_size` password hashes is kept).
`password_history_size` defaults to 0, which means: there is no active check for re-used passwords.
You need to manualy activate that feature with a registry record in registry.xml::
<registry>
<record name="collective.pwexpiry.password_history_size">
<value>10</value>
</record>
</registry>
Defining notification actions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By default - there is a notification action defined that sends the notification email
to the user when his password period of validity is going to end in 15 days.
But there is a possibility to register a custom methods that would be triggered
according to their implementation.
To register your own notification action you need to::
1. Register adapter providing ``IExpirationCheck`` interface::
<configure xmlns="http://namespaces.zope.org/zope">
<adapter
name="last_few_days_before_expiration"
factory=".actions.LastFewDaysBeforeExpiration"
provides="collective.pwexpiry.interfaces.IExpirationCheck"
for="zope.interface.Interface"
/>
</configure>
2. Implement the adapter's ``__call__`` and ``notification_action`` methods::
class LastFewDaysBeforeExpiration(object):
implements(IExpirationCheck)
# Trigger on number of days before password expiration
notify_on = (7, 4, 3, 2, 1)
def __init__(self, context):
self.context = context
def __call__(self, days_to_expire):
"""
Returns True whe n the notification_action
method have to be executed
"""
try:
notify_on = iter(self.notify_on)
except TypeError:
notify_on = (self.notify_on,)
if days_to_expire in notify_on:
return True
else:
return False
def notification_action(self, userdata, days_to_expire):
"""
Implementation of the notification action.
In this case it's sendin an email notification
"""
send_notification_email(userdata, days_to_expire)
Defining custom password validation methods
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The package allows to define your own password valdation methods
executed when the user set his initial password on registration or
changing his actual password by in the change password form or throught
the password reset mechanizm.
To register your own notification action you need to::
1. Register adapter providing ``ICustomPasswordValidator`` interface::
<configure xmlns="http://namespaces.zope.org/zope">
<adapter
name="my_password_policy"
factory=".password_validators.MyPasswordValidator"
provides="collective.pwexpiry.interfaces.ICustomPasswordValidator"
for="zope.interface.Interface"
/>
</configure>
2. Implement the adapter's ``__call__`` and ``notification_action`` methods::
class MyPasswordValidator(object):
implements(ICustomPasswordValidator)
def __init__(self, context):
self.context = context
def validate(self, password, data):
if len(password) < 8:
return _(u'Passwords must be at least 8 characters in length.')
Executing the notification script
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The notification script should be executed **once a day** to check the user's passwords
expiration dates and trigger relevant notification actions.
Here's an example of how the script can be executed from the command line::
$ cd ${buildoout:directory}
$ ./bin/instance run src/collective.pwexpiry/collective/pwexpiry/scripts/notify_and_expire.py ${your-plonesite-id}
Locking out accounts if an invalid password is entered too many times
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When the package is installed, a new PAS plugin is included, which will count invalid password attempts when logging in.
If the number of invalid attempts is higher than a configurable threshold, the account will be locked out for a certain amount of hours.
If the account hasn't been locked yet, entering the password correctly will reset this counter to zero.
An account can be re-activated by an administrator changing its password.
Controlling the additional user's properties
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The ``collective.pwexpiry`` package creates new user's properties:
* ``password_date`` - the date when the user has changed his passoword
* ``last_notification_date`` - the date when the last notification action has been performed for the user
* ``account_locked_date`` - the date when the account was locked
* ``account_locked`` - boolean telling if the account was locked or not
* ``password_tries`` - the number of incorrect password attempts
In order to be able to control manually the new user's properties manually - there's a
control panel form available under url: ``/@@pwexpiry-controlpanel``.
Setting how many tries before locking the account and for how much time
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is managed with values in the registry:
* ``collective.pwexpiry.allowed_tries`` - Allows you to choose how many attempts are allowed
* ``collective.pwexpiry.disable_time`` - Allows you to specify for how many hours the user should be locked out
TODO
====
Write tests!
~~~~~~~~~~~~
Author & Contact
================
:Author:
* Radosław Jankiewicz ``radoslaw.jankiewicz@stxnext.pl``
License
=======
This package is licensed under the Zope Public License.
.. _`Plone 4.2`: http://pypi.python.org/pypi/Plone/4.2
HISTORY of collective.pwexpiry
==============================
0.9 (2016-05-23)
----------------
- Show status message "your account has expired" in login popup.
[pcdummy]
- Update german translations.
[pcdummy]
- Do not exipre passwords if `validity_period` is set to 0
[fRiSi]
- Add password history check (not in last x passwords).
[pcdummy]
- Enable the example_validator only when there is a browserlayer.
[pcdummy]
- Add a skins layer and remove the confusing > 5 chars message from
pwreset_form.
[pcdummy]
- Update german translations and translate example_validator.
[pcdummy]
0.8.1 (2015-05-06)
------------------
- Template typo
[frapell]
- Update italian translation
[giacomos]
0.8 (2015-04-20)
----------------
- Update translations
[frapell]
- Improve control panel tool to allow admins to unlock accounts
[frapell]
0.7 (2015-03-25)
----------------
- Ignore Managers from password expiring
[frapell]
- Bugfix: If a wrong password was entered that goes over the limit, do not
add a response header. Only do it when entering correctly
[frapell]
- When comparing dates, make sure both are timezone aware
[frapell]
- Ignore case when checking for name and username in password.
[enfold-josh]
- Change script to accept a path and use traversal to get plone site since it
may not always be in the application root.
[enfold-josh]
- Redirect to $portal_url/mail_password_form instead of just /mail_password_form
[enfold-josh]
- Alter notification email to support days <= 0.
[enfold-josh]
0.6 (2015-03-13)
----------------
- Use a friendlier date format for the control panel
[frapell]
0.5 (2014-11-28)
----------------
- Add i18n and italian translation
[giacomos]
- No need to include 'control panel' in the control panel title
[frapell]
0.4 (2014-09-11)
----------------
- Add member properties, registry keys, events subscribers, and a PAS plugin
to allow blocking a user if he enters too many incorrect passwords.
[frapell]
- Patch ZODBUserManager.authenticateCredentials so it fires events when entering
valid or invalid credentials.
[frapell]
- Patch CMFPlone/RegistrationTool instead of CMFDefault/RegistrationTool.
[frapell]
0.3 (2014-09-10)
----------------
- Properly package
[frapell]
0.2 (2013-08-18)
----------------
- correct pypi classifiers
- initial code
===================
Introduction
============
The ``collective.pwexpiry`` package is an add-on Product for Plone that brings the
feature of controlling the password expiration in Plone. It is useful when there's
a need of forcing the portal's members to follow the specific password policy.
Features
========
* Possibility to register and define custom password validation methods
* Possibility to define user's passwords period of validity
* Possibility to check if the password has been used in the last x variants. And disallow
reuse.
* Possibility to register custom notification actions to be triggered when the password's
period of validity is getting closer
* Provides a script that can be periodically executed from the command line (i.e. by cron).
The script checks for the user's passwords expiration dates and triggers the registered
notification actions (i.e. sending email to the relevant users).
* Provides a protection mechanizm to avoid notifying given user twice the same day
* Possibility to lock an account if too many invalid password attemps were tried
Installation
============
1. Add collective.pwexpiry to your plone.recipe.zope2instance section's eggs::
[instance]
recipe = plone.recipe.zope2instance
...
eggs =
...
collective.pwexpiry
2. Install the Product via portal_quickinstaller.
Configuration and customization
===============================
Password period of validity
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The password's period of validity is set in the configuration registry tool, and have
a default value of 90 days. It can be easily customized by creating a registry.xml file
in your custom pakage's gereric setup profile containing the configuration code::
<registry>
<record name="collective.pwexpiry.validity_period">
<value>360</value>
</record>
</registry>
To disable password expiration, set `validity_period` to `0`.
Last X Passwords check
~~~~~~~~~~~~~~~~~~~~~~
It's possible to check if the new password has already been used (a history of the last `password_history_size` password hashes is kept).
`password_history_size` defaults to 0, which means: there is no active check for re-used passwords.
You need to manualy activate that feature with a registry record in registry.xml::
<registry>
<record name="collective.pwexpiry.password_history_size">
<value>10</value>
</record>
</registry>
Defining notification actions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By default - there is a notification action defined that sends the notification email
to the user when his password period of validity is going to end in 15 days.
But there is a possibility to register a custom methods that would be triggered
according to their implementation.
To register your own notification action you need to::
1. Register adapter providing ``IExpirationCheck`` interface::
<configure xmlns="http://namespaces.zope.org/zope">
<adapter
name="last_few_days_before_expiration"
factory=".actions.LastFewDaysBeforeExpiration"
provides="collective.pwexpiry.interfaces.IExpirationCheck"
for="zope.interface.Interface"
/>
</configure>
2. Implement the adapter's ``__call__`` and ``notification_action`` methods::
class LastFewDaysBeforeExpiration(object):
implements(IExpirationCheck)
# Trigger on number of days before password expiration
notify_on = (7, 4, 3, 2, 1)
def __init__(self, context):
self.context = context
def __call__(self, days_to_expire):
"""
Returns True whe n the notification_action
method have to be executed
"""
try:
notify_on = iter(self.notify_on)
except TypeError:
notify_on = (self.notify_on,)
if days_to_expire in notify_on:
return True
else:
return False
def notification_action(self, userdata, days_to_expire):
"""
Implementation of the notification action.
In this case it's sendin an email notification
"""
send_notification_email(userdata, days_to_expire)
Defining custom password validation methods
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The package allows to define your own password valdation methods
executed when the user set his initial password on registration or
changing his actual password by in the change password form or throught
the password reset mechanizm.
To register your own notification action you need to::
1. Register adapter providing ``ICustomPasswordValidator`` interface::
<configure xmlns="http://namespaces.zope.org/zope">
<adapter
name="my_password_policy"
factory=".password_validators.MyPasswordValidator"
provides="collective.pwexpiry.interfaces.ICustomPasswordValidator"
for="zope.interface.Interface"
/>
</configure>
2. Implement the adapter's ``__call__`` and ``notification_action`` methods::
class MyPasswordValidator(object):
implements(ICustomPasswordValidator)
def __init__(self, context):
self.context = context
def validate(self, password, data):
if len(password) < 8:
return _(u'Passwords must be at least 8 characters in length.')
Executing the notification script
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The notification script should be executed **once a day** to check the user's passwords
expiration dates and trigger relevant notification actions.
Here's an example of how the script can be executed from the command line::
$ cd ${buildoout:directory}
$ ./bin/instance run src/collective.pwexpiry/collective/pwexpiry/scripts/notify_and_expire.py ${your-plonesite-id}
Locking out accounts if an invalid password is entered too many times
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When the package is installed, a new PAS plugin is included, which will count invalid password attempts when logging in.
If the number of invalid attempts is higher than a configurable threshold, the account will be locked out for a certain amount of hours.
If the account hasn't been locked yet, entering the password correctly will reset this counter to zero.
An account can be re-activated by an administrator changing its password.
Controlling the additional user's properties
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The ``collective.pwexpiry`` package creates new user's properties:
* ``password_date`` - the date when the user has changed his passoword
* ``last_notification_date`` - the date when the last notification action has been performed for the user
* ``account_locked_date`` - the date when the account was locked
* ``account_locked`` - boolean telling if the account was locked or not
* ``password_tries`` - the number of incorrect password attempts
In order to be able to control manually the new user's properties manually - there's a
control panel form available under url: ``/@@pwexpiry-controlpanel``.
Setting how many tries before locking the account and for how much time
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is managed with values in the registry:
* ``collective.pwexpiry.allowed_tries`` - Allows you to choose how many attempts are allowed
* ``collective.pwexpiry.disable_time`` - Allows you to specify for how many hours the user should be locked out
TODO
====
Write tests!
~~~~~~~~~~~~
Author & Contact
================
:Author:
* Radosław Jankiewicz ``radoslaw.jankiewicz@stxnext.pl``
License
=======
This package is licensed under the Zope Public License.
.. _`Plone 4.2`: http://pypi.python.org/pypi/Plone/4.2
HISTORY of collective.pwexpiry
==============================
0.9 (2016-05-23)
----------------
- Show status message "your account has expired" in login popup.
[pcdummy]
- Update german translations.
[pcdummy]
- Do not exipre passwords if `validity_period` is set to 0
[fRiSi]
- Add password history check (not in last x passwords).
[pcdummy]
- Enable the example_validator only when there is a browserlayer.
[pcdummy]
- Add a skins layer and remove the confusing > 5 chars message from
pwreset_form.
[pcdummy]
- Update german translations and translate example_validator.
[pcdummy]
0.8.1 (2015-05-06)
------------------
- Template typo
[frapell]
- Update italian translation
[giacomos]
0.8 (2015-04-20)
----------------
- Update translations
[frapell]
- Improve control panel tool to allow admins to unlock accounts
[frapell]
0.7 (2015-03-25)
----------------
- Ignore Managers from password expiring
[frapell]
- Bugfix: If a wrong password was entered that goes over the limit, do not
add a response header. Only do it when entering correctly
[frapell]
- When comparing dates, make sure both are timezone aware
[frapell]
- Ignore case when checking for name and username in password.
[enfold-josh]
- Change script to accept a path and use traversal to get plone site since it
may not always be in the application root.
[enfold-josh]
- Redirect to $portal_url/mail_password_form instead of just /mail_password_form
[enfold-josh]
- Alter notification email to support days <= 0.
[enfold-josh]
0.6 (2015-03-13)
----------------
- Use a friendlier date format for the control panel
[frapell]
0.5 (2014-11-28)
----------------
- Add i18n and italian translation
[giacomos]
- No need to include 'control panel' in the control panel title
[frapell]
0.4 (2014-09-11)
----------------
- Add member properties, registry keys, events subscribers, and a PAS plugin
to allow blocking a user if he enters too many incorrect passwords.
[frapell]
- Patch ZODBUserManager.authenticateCredentials so it fires events when entering
valid or invalid credentials.
[frapell]
- Patch CMFPlone/RegistrationTool instead of CMFDefault/RegistrationTool.
[frapell]
0.3 (2014-09-10)
----------------
- Properly package
[frapell]
0.2 (2013-08-18)
----------------
- correct pypi classifiers
- initial code
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
collective.pwexpiry-0.9.tar.gz
(35.1 kB
view hashes)