From: Hancock, D. (DHANCOCK) <DHA...@ar...> - 2017-08-11 12:40:21
Thank you very much for this. I had abandoned hope of this, owing to not seeing the password until it was hashed. This will work great, and users of our tracker will LOVE not having the double-login anymore. Cheers!

-- 
David Hancock | dha...@ar...

On Aug 11, 2017, at 12:05 AM, John P. Rouillard <ro...@cs...> wrote:

Hi David et al:

In message <C7A...@ar...>, "Hancock, David (DHANCOCK)" writes:

> Our Roundup users are currently logging in twice to get to the
> tracker: once to an internal “wrapper” system with reasonable
> requirements for password complexity, then a second time to Roundup
> itself. I’d like to remove the wrapper requirement; it’s confusing to
> users. But to do so I need to ensure a minimum level of complexity
> for passwords. (Nothing too sophisticated, minimum length of 10, at
> least one number or special character required.)
>
> Has anyone else undertaken such a modification? It seems like I’d
> need to make an addition to roundup/password.py but I don’t want to
> do that without a LITTLE guidance. Any implementation ideas?

I was playing around with this. If you monkey patch the roundup.password.encodePassword routine, you can intercept calls to it. AFAICT, all password changes use this function.
As a test I placed this at the end of schema.py (without the indentation):

    import roundup.password as password
    from roundup.exceptions import Reject

    # keep a reference to the original so the wrapper can delegate to it
    origencodePassword = password.encodePassword

    def mpencodePassword(plaintext, scheme, other=None, config=None):
        print("in mpencodePassword %s" % plaintext)
        raise Reject("Password needs complexity")
        # pass the caller's own arguments through and return the hash
        return origencodePassword(plaintext, scheme, other=other, config=config)

    password.encodePassword = mpencodePassword

Using roundup-admin with this code and setting the password using:

    set user5 password=foo

prints "in mpencodePassword foo" and then generates a stackdump ending with:

    Reject: Password needs complexity

However in a running tracker, it captures the Reject and I get "Password needs complexity" at the top of the page with a red background.

You should be able to replace my print statement with some simple checks on the plaintext password. Putting this at the end of the schema.py was simply to make sure that it was executed.

The roundup initialization code I think still executes the file interfaces.py. This file should be in the tracker home directory beside schema.py. So I think you can put this code in that file and have it work. However it may be limited to only the web and email interfaces. The doc for it says:

    interfaces.py (optional, not installed from standard templates)
        defines the CGI Client and mail gateway MailGW classes that are
        used by roundup.cgi, roundup-server and roundup-mailgw.

but that may be what you want since that allows you to set an insecure password using the python or command line interfaces.

Also maybe as a nice addition add:

    https://github.com/dropbox/python-zxcvbn

as part of the analysis?

-- 
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
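A fuller version of the hook, with the "simple checks on the plaintext password" filled in, added here as an example; it is not code from the thread and not Roundup's own. The policy numbers (minimum length 10, at least one digit or special character) come from David's message; the `password_problems` check, the `make_checked_encoder` wrapper factory, the `install` helper, the fallback `Reject` class used when Roundup is not importable, and the rule of enforcing the policy only when `other` is None are assumptions of mine. That last rule rests on my reading of roundup/password.py, where a login attempt is compared against a stored hash by calling encodePassword with the stored hash as `other`; gating on it keeps the check on password changes and away from login verification, so existing users with older, weaker passwords are not locked out.

```python
"""Complexity check wired into a monkey-patched encodePassword.

Added example, not code from the thread or from Roundup. Assumptions:
the policy numbers (10 chars, one digit or special character) are taken
from David's message; the wrapper factory, install() helper and the
"enforce only when other is None" rule are mine.
"""
import re

try:
    from roundup.exceptions import Reject        # the real class when Roundup is installed
except ImportError:                               # stand-in so the example runs without Roundup
    class Reject(Exception):
        pass

MIN_LENGTH = 10
# "special character" is read here as anything that is not a letter, digit or
# whitespace; the thread does not define the term, so this is an assumption.
_DIGIT_OR_SPECIAL = re.compile(r"[0-9]|[^A-Za-z0-9\s]")


def password_problems(plaintext):
    """Return the list of policy violations for a plaintext password ([] when it passes)."""
    problems = []
    if len(plaintext) < MIN_LENGTH:
        problems.append("must be at least %d characters" % MIN_LENGTH)
    if not _DIGIT_OR_SPECIAL.search(plaintext):
        problems.append("must contain at least one number or special character")
    return problems


def make_checked_encoder(original):
    """Wrap an encodePassword-style callable so weak new passwords raise Reject.

    The wrapper keeps the (plaintext, scheme, other, config) signature used in the
    thread. In my reading of roundup/password.py (assumption), comparing a login
    attempt against a stored hash also goes through encodePassword, with the stored
    hash passed as `other`; the policy is therefore applied only when `other` is
    None, i.e. when a new password is being set.
    """
    def checked_encodePassword(plaintext, scheme, other=None, config=None):
        if other is None:
            problems = password_problems(plaintext)
            if problems:
                raise Reject("Password needs complexity: " + "; ".join(problems))
        # delegate with the caller's own arguments and hand back the hash
        return original(plaintext, scheme, other=other, config=config)
    return checked_encodePassword


def install(password_module):
    """Replace password_module.encodePassword in place, e.g. from schema.py:

        import roundup.password as password
        install(password)

    Safe to call more than once: a second call leaves the wrapper untouched.
    """
    current = password_module.encodePassword
    if getattr(current, "_complexity_checked", False):
        return current
    wrapped = make_checked_encoder(current)
    wrapped._complexity_checked = True
    password_module.encodePassword = wrapped
    return wrapped


if __name__ == "__main__":
    # constructed sample inputs, not values from the thread
    for candidate in ("foo", "abcdefghij", "abcdefghi1", "correct horse!"):
        print("%-16s %s" % (candidate, password_problems(candidate) or "OK"))
```

The Reject message lists every failed rule at once, which is what shows up in the red banner at the top of the page when a user tries a weak password; in the roundup-admin case it is the text on the last line of the traceback. `install` marks the wrapper so that schema.py being executed more than once does not stack several copies of the check.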