ursais · b-kannan · Dec 15, 2020
diff --git a/password_security/README.rst b/password_security/README.rst
@@ -0,0 +1,128 @@
+=================
+Password Security
+=================
+
+.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
+    :alt: License: LGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/13.0/password_security
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-12-0/server-auth-12-0-password_security
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
+    :target: https://runbot.odoo-community.org/runbot/251/13.0
+    :alt: Try me on Runbot
+
+|badge1| |badge2| |badge3| |badge4| |badge5| 
+
+This module allows admin to set company-level password security requirements
+and enforces them on the user.
+
+It contains features such as
+
+* Password expiration days
+* Password length requirement
+* Password minimum number of lowercase letters
+* Password minimum number of uppercase letters
+* Password minimum number of numbers
+* Password minimum number of special characters
+* Password strength estimation
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Configuration
+=============
+
+Navigate to General Settings under Configuration
+Scroll down to the ``Password Policy`` section
+Set the policies to your liking.
+
+Password complexity requirements will be enforced upon next password change for
+any user in that company.
+
+**Settings & Defaults**
+
+These are defined at the company level:
+
+=====================  =======   ===================================================
+ Name                  Default   Description
+=====================  =======   ===================================================
+ password_expiration   60        Days until passwords expire
+ password_length       12        Minimum number of characters in password
+ password_lower        0         Minimum number of lowercase letter in password
+ password_upper        0         Minimum number of uppercase letters in password
+ password_numeric      0         Minimum number of number in password
+ password_special      0         Minimum number of unique special character in password
+ password_history      30        Disallow reuse of this many previous passwords
+ password_minimum      24        Amount of hours that must pass until another reset
+ password_estimate     3         Required score for the strength estimation.
+=====================  =======   ===================================================
+
+Usage
+=====
+
+Configure using above instructions for each company that should have password
+security mandates.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us smashing it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20password_security%0Aversion:%2012.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+~~~~~~~
+
+* LasLabs
+* Kaushal Prajapati
+* Tecnativa
+* initOS GmbH
+* Open Source Integrators
+
+Contributors
+~~~~~~~~~~~~
+
+* James Foster <jfoster@laslabs.com>
+* Dave Lasley <dave@laslabs.com>
+* Kaushal Prajapati <kbprajapati@live.com>
+* Petar Najman <petar.najman@modoolar.com>
+* Shepilov Vladislav <shepilov.v@protonmail.com>
+* Florian Kantelberg <florian.kantelberg@initos.com>
+* Ammar Officewala <ammar.o.serpentcs@gmail.com>
+
+Maintainers
+~~~~~~~~~~~
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/13.0/password_security>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/password_security/__init__.py b/password_security/__init__.py
@@ -0,0 +1,5 @@
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from . import controllers
+from . import models
diff --git a/password_security/__manifest__.py b/password_security/__manifest__.py
@@ -0,0 +1,37 @@
+# Copyright 2015 LasLabs Inc.
+# Copyright 2018 Modoolar <info@modoolar.com>.
+# Copyright 2019 initOS GmbH
+# Copyright 2020 Open Source Integrators
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+{
+    "name": "Password Security",
+    "summary": "Allow admin to set password security requirements.",
+    "version": "13.0.0.1.0",
+    "author": "LasLabs, "
+    "Kaushal Prajapati, "
+    "Tecnativa, "
+    "initOS GmbH, "
+    "Open Source Integrators,"
+    "Odoo Community Association (OCA)",
+    "category": "Base",
+    "depends": [
+        "auth_signup",
+        "auth_password_policy_signup",
+    ],
+    "external_dependencies": {
+        "python": ["zxcvbn"],
+    },
+    "website": "https://github.com/OCA/server-auth",
+    "license": "LGPL-3",
+    "data": [
+        "views/password_security.xml",
+        "views/res_config_settings_views.xml",
+        "security/ir.model.access.csv",
+        "security/res_users_pass_history.xml",
+        "views/res_company_view.xml",
+    ],
+    "demo": [
+        "demo/res_users.xml",
+    ],
+    "installable": True,
+}
diff --git a/password_security/controllers/__init__.py b/password_security/controllers/__init__.py
@@ -0,0 +1,4 @@
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from . import main
diff --git a/password_security/controllers/main.py b/password_security/controllers/main.py
@@ -0,0 +1,92 @@
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+import operator
+
+from odoo import http
+from odoo.http import request
+from odoo.addons.auth_signup.controllers.main import AuthSignupHome
+from odoo.addons.web.controllers.main import ensure_db, Session
+
+from ..exceptions import PassError
+
+
+class PasswordSecuritySession(Session):
+
+    @http.route()
+    def change_password(self, fields):
+        new_password = operator.itemgetter('new_password')(
+            dict(list(map(operator.itemgetter('name', 'value'), fields)))
+        )
+        user_id = request.env.user
+        user_id._check_password(new_password)
+        return super(PasswordSecuritySession, self).change_password(fields)
+
+
+class PasswordSecurityHome(AuthSignupHome):
+
+    def do_signup(self, qcontext):
+        password = qcontext.get('password')
+        user_id = request.env.user
+        user_id._check_password(password)
+        return super(PasswordSecurityHome, self).do_signup(qcontext)
+
+    @http.route('/password_security/estimate', auth='none', type='json')
+    def estimate(self, password):
+        return request.env['res.users'].get_estimation(password)
+
+    @http.route()
+    def web_login(self, *args, **kw):
+        ensure_db()
+        response = super(PasswordSecurityHome, self).web_login(*args, **kw)
+        if not request.params.get("login_success"):
+            return response
+        # Now, I'm an authenticated user
+        if not request.env.user._password_has_expired():
+            return response
+        # My password is expired, kick me out
+        request.env.user.action_expire_password()
+        request.session.logout(keep_db=True)
+        # I was kicked out, so set login_success in request params to False
+        request.params['login_success'] = False
+        redirect = request.env.user.partner_id.signup_url
+        return http.redirect_with_hash(redirect)
+
+    @http.route()
+    def web_auth_signup(self, *args, **kw):
+        try:
+            return super(PasswordSecurityHome, self).web_auth_signup(
+                *args, **kw
+            )
+        except PassError as e:
+            qcontext = self.get_auth_signup_qcontext()
+            qcontext['error'] = str(e)
+            return request.render('auth_signup.signup', qcontext)
+
+    @http.route()
+    def web_auth_reset_password(self, *args, **kw):
+        """ It provides hook to disallow front-facing resets inside of min
+        Unfortuantely had to reimplement some core logic here because of
+        nested logic in parent
+        """
+        qcontext = self.get_auth_signup_qcontext()
+        if (
+            request.httprequest.method == 'POST' and
+            qcontext.get('login') and
+            'error' not in qcontext and
+            'token' not in qcontext
+        ):
+            login = qcontext.get('login')
+            user_ids = request.env.sudo().search(
+                [('login', '=', login)],
+                limit=1,
+            )
+            if not user_ids:
+                user_ids = request.env.sudo().search(
+                    [('email', '=', login)],
+                    limit=1,
+                )
+            user_ids._validate_pass_reset()
+        return super(PasswordSecurityHome, self).web_auth_reset_password(
+            *args, **kw
+        )
diff --git a/password_security/demo/res_users.xml b/password_security/demo/res_users.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+    Copyright 2016 LasLabs Inc.
+    License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+-->
+
+<odoo>
+
+    <record id="base.user_root" model="res.users">
+        <field name="password_write_date"
+               eval="datetime.now()"
+               />
+    </record>
+
+</odoo>
diff --git a/password_security/exceptions.py b/password_security/exceptions.py
@@ -0,0 +1,11 @@
+# Copyright 2015 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from odoo.exceptions import Warning as UserError
+
+
+class PassError(UserError):
+    """ Example: When you try to create an insecure password."""
+    def __init__(self, msg):
+        self.message = msg
+        super(PassError, self).__init__(msg)