search

collective / collective.pwexpiry

Emulate Active Directory password complexity requirements.
1 stars 6 forks source link

readme

collective.pwexpiry

Introduction

The collective.pwexpiry package is an add-on Product for Plone that brings the feature of controlling the password expiration in Plone. It is useful when there's a need of forcing the portal's members to follow the specific password policy.

Features

Installation

  1. Add collective.pwexpiry to your plone.recipe.zope2instance section's eggs::

    [instance] recipe = plone.recipe.zope2instance ... eggs = ... collective.pwexpiry

  2. Install the Product via portal_quickinstaller.

Configuration and customization

Password period of validity

The password's period of validity is set in the configuration registry tool, and have a default value of 90 days. It can be easily customized by creating a registry.xml file in your custom pakage's gereric setup profile containing the configuration code::

<registry>
    <record name="collective.pwexpiry.validity_period">
        <value>360</value>
    </record>
</registry>

To disable password expiration, set validity_period to 0.

Last X Passwords check

It's possible to check if the new password has already been used (a history of the last password_history_size password hashes is kept).

password_history_size defaults to 0, which means: there is no active check for re-used passwords.

You need to manualy activate that feature with a registry record in registry.xml::

<registry>
    <record name="collective.pwexpiry.password_history_size">
        <value>10</value>
    </record>
</registry>

Defining notification actions

By default - there is a notification action defined that sends the notification email to the user when his password period of validity is going to end in 15 days. But there is a possibility to register a custom methods that would be triggered according to their implementation.

To register your own notification action you need to::

  1. Register adapter providing IExpirationCheck interface::

  2. Implement the adapter's __call__ and notification_action methods::

    class LastFewDaysBeforeExpiration(object): implements(IExpirationCheck)

      # Trigger on number of days before password expiration
  notify_on = (7, 4, 3, 2, 1)

  def __init__(self, context):
      self.context = context

  def __call__(self, days_to_expire):
      """
      Returns True whe n the notification_action
      method have to be executed
      """
      try:
          notify_on = iter(self.notify_on)
      except TypeError:
          notify_on = (self.notify_on,)

      if days_to_expire in notify_on:
          return True
      else:
          return False

  def notification_action(self, userdata, days_to_expire):
      """
      Implementation of the notification action.
      In this case it's sendin an email notification
      """
      send_notification_email(userdata, days_to_expire)

Defining custom password validation methods

The package allows to define your own password valdation methods executed when the user set his initial password on registration or changing his actual password by in the change password form or throught the password reset mechanizm.

To register your own notification action you need to::

  1. Register adapter providing ICustomPasswordValidator interface::

  2. Implement the adapter's __call__ and notification_action methods::

    class MyPasswordValidator(object): implements(ICustomPasswordValidator)

      def __init__(self, context):
      self.context = context

  def validate(self, password, data):
      if len(password) < 8:
          return _(u'Passwords must be at least 8 characters in length.')

Executing the notification script

The notification script should be executed once a day to check the user's passwords expiration dates and trigger relevant notification actions.

For convenience, a new command called notify_and_expire was added to zopectl, you only need to provide the absolute path to your Plone instance as only argument.

Here's an example of how the script can be executed from the command line::

$ cd ${buildoout:directory}
$ ./bin/instance notify_and_expire /opt/plone/buildout/notify_and_expire.log /Plone

This assuming your Plone site id is Plone and lives at the Zope root, and that you want to save the log in a notify_and_expire.log file in /opt/plone/buildout

Provide SERVER_URL and SERVER_NAME environment variables

The email template will try to get the server URL and server NAME from the request, and the notification script already puts them in there if it can find it as environment variables. So if you want to provide users with a better email, which includes links to reset or change the password, and a message detailing where the email is coming from, you need to define SERVER_URL and SERVER_NAME environment variables. In order to do this in buildout, you need to set your environment-vars in your [instance] section.

Locking out accounts if an invalid password is entered too many times

When the package is installed, a new PAS plugin is included, which will count invalid password attempts when logging in. If the number of invalid attempts is higher than a configurable threshold, the account will be locked out for a certain amount of hours. If the account hasn't been locked yet, entering the password correctly will reset this counter to zero. An account can be re-activated by an administrator changing its password.

Controlling the additional user's properties

The collective.pwexpiry package creates new user's properties:

In order to be able to control manually the new user's properties manually - there's a control panel form available under url: /@@pwexpiry-controlpanel.

Setting how many tries before locking the account and for how much time

This is managed with values in the registry:

TODO

Write tests!

Author & Contact

:Author:

License

This package is licensed under the Zope Public License.

.. _Plone 4.2: http://pypi.python.org/pypi/Plone/4.2