Re: [Roundup-users] How to require stronger passwords for Roundup (1.5.1)

[Hancock, D. (DHANCOCK) <DHA...@ar...>]

Thank you very much for this. I had abandoned hope of this, owing to not seeing the password until it was hashed. This will work great, and users of our tracker will LOVE not having the double-login anymore.

Cheers!
--
David Hancock | dha...@ar...

On Aug 11, 2017, at 12:05 AM, John P. Rouillard <ro...@cs...> wrote:

Hi David et al:

In message <C7A...@ar...>,
"Hancock, David (DHANCOCK)" writes:
> Our Roundup users are currently logging in twice to get to the
> tracker: once to an internal “wrapper” system with reasonable
> requirements for password complexity, then a second time to Roundup
> itself. I’d like to remove the wrapper requirement; it’s confusing to
> users. But to do so I need to ensure a minimum level of complexity
> for passwords. (Nothing too sophisticated, minimum length of 10, at
> least one number or special character required.)
> 
> Has anyone else undertaken such a modification? It seems like I’d
> need to make an addition to roundup/password.py but I don’t want to
> do that without a LITTLE guidance. Any implementation ideas?

I was playing around with this. If you monkey patch the
roundup.password.encodePassword routine, you can intercept calls to
it. AFAICT, all password changes use this function.

As a test I placed this at the end of schema.py (without the
indentation):


   import roundup.password as password
   from roundup.exceptions import Reject

   origencodePassword = password.encodePassword
   def mpencodePassword(plaintext, scheme, other=None, config=None):
	print "in mpencodePassword", plaintext
	raise Reject ("Password needs complexity")
	origencodePassword(plaintext, scheme, other=None, config=None)
   password.encodePassword = mpencodePassword

Using roundup-admin with this code and setting the password using:

  set user5 password=foo

prints "in mpencodePassword foo" and then generates a stackdump ending
with:

  Reject: Password needs complexity

However in a running tracker, it captures the Reject and I get
"Password needs complexity" at the top of the page with a red
background.

You should be able to replace my print statement with some simple
checks on the plaintext password.

Putting this at the end of the schema.py was simply to make sure that
it was executed.

The roundup initialization code I think still executes the file
interfaces.py. This file should be in the tracker home directory
beside schema.py. So I think you can put this code in that file and
have it work. However it may be limited to only the web and email
interfaces. The doc for it says:

 interfaces.py
     (optional, not installed from standard templates) defines
     the CGI Client and mail gateway MailGW classes that are
     used by roundup.cgi, roundup-server and roundup-mailgw.

but that may be what you want since that allows you to set an insecure
password using the python or command line interfaces.

Also maybe as a nice addition add:

 https://github.com/dropbox/python-zxcvbn

as part of the analysis?

--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.