BB2-3273: Removed password expirations (#1221)

loganbertram · jimmyfagan · web-flow · commit f13b77872c08 · 2024-07-15T16:02:21.000-04:00
* Removed password expirations

* Further out synthetic date.

* Minor wording in comment

* Switched to config method

* Update apps/accounts/validators.py

Simplify password reuse condition

Co-authored-by: jimmyfagan &lt;90421499+jimmyfagan@users.noreply.github.com&gt;

* Update apps/accounts/validators.py

Simplify password reuse interval comparison

Co-authored-by: jimmyfagan &lt;90421499+jimmyfagan@users.noreply.github.com&gt;

* Update apps/accounts/validators.py

Simplify password expire condition

Co-authored-by: jimmyfagan &lt;90421499+jimmyfagan@users.noreply.github.com&gt;

---------

Co-authored-by: jimmyfagan &lt;90421499+jimmyfagan@users.noreply.github.com&gt;
diff --git a/apps/accounts/tests/test_password_reset_while_authenticated.py b/apps/accounts/tests/test_password_reset_while_authenticated.py
@@ -193,26 +193,15 @@ def test_password_change_reuse_validation(self):
         self.user = User.objects.get(username="fred")  # get user again so that you can see password changed
         self.assertEquals(self.user.check_password("IchangedTHEpassword#123"), True)
 
-        # add 12 minutes to time to expire current password
-        StubDate.now = classmethod(
-            lambda cls, timezone: datetime.now().replace(tzinfo=pytz.UTC) + relativedelta(minutes=+12)
-        )
-        self.client.logout()
-        form_data = {'username': 'fred',
-                     'password': 'IchangedTHEpassword#123'}
-        response = self.client.post(reverse('login'), form_data, follow=True)
-        self.assertContains(response,
-                            ("Your password has expired, change password strongly recommended."))
-
     @override_switch('login', active=True)
     @mock.patch("apps.accounts.validators.datetime", StubDate)
-    def test_password_expire_not_affect_staff(self):
+    def test_no_password_expire(self):
         self.client.logout()
-        # add 20 minutes to time to show staff is not effected
+        # add 90 days to time to show expiration is removed
         StubDate.now = classmethod(
-            lambda cls, timezone: datetime.now().replace(tzinfo=pytz.UTC) + relativedelta(minutes=+20)
+            lambda cls, timezone: datetime.now().replace(tzinfo=pytz.UTC) + relativedelta(days=+90)
         )
-        form_data = {'username': 'staff',
+        form_data = {'username': 'fred',
                      'password': 'foobarfoobarfoobar'}
         response = self.client.post(reverse('login'), form_data, follow=True)
         # assert account dashboard page
@@ -222,8 +211,5 @@ def test_password_expire_not_affect_staff(self):
                             ("The Developer Sandbox lets you register applications to get credentials"))
 
     def test_password_reuse_min_age_validator_args_check(self):
-        with self.assertRaisesRegex(ValueError,
-                                    (".*password_min_age < password_reuse_interval expected.*"
-                                     "password_expire < password_reuse_interval expected.*"
-                                     "password_min_age < password_expire expected.*")):
-            PasswordReuseAndMinAgeValidator(60 * 60 * 24 * 30, 60 * 60 * 24 * 10, 60 * 60 * 24 * 20)
+        with self.assertRaisesRegex(ValueError, ".*password_min_age < password_reuse_interval expected.*"):
+            PasswordReuseAndMinAgeValidator(60 * 60 * 24 * 30, 60 * 60 * 24 * 10)
diff --git a/apps/accounts/validators.py b/apps/accounts/validators.py
@@ -86,7 +86,7 @@ class PasswordReuseAndMinAgeValidator(object):
     def __init__(self,
                  password_min_age=60 * 60 * 24,
                  password_reuse_interval=60 * 60 * 24 * 120,
-                 password_expire=60 * 60 * 24 * 30):
+                 password_expire=0):
 
         msg1 = "Invalid OPTIONS, password_min_age < password_reuse_interval expected, " \
                "but having password_min_age({}) >= password_reuse_interval({})"
@@ -96,14 +96,11 @@ def __init__(self,
                "but having password_expire({}) >= password_reuse_interval({})"
 
         check_opt_err = []
-        if password_min_age > 0 and password_reuse_interval > 0 \
-                and password_min_age > password_reuse_interval:
+        if 0 < password_reuse_interval < password_min_age:
             check_opt_err.append(msg1.format(password_min_age, password_reuse_interval))
-        if password_expire > 0 and password_reuse_interval > 0 \
-                and password_expire > password_reuse_interval:
+        if 0 < password_reuse_interval < password_expire:
             check_opt_err.append(msg2.format(password_expire, password_reuse_interval))
-        if password_min_age > 0 and password_expire > 0 \
-                and password_min_age > password_expire:
+        if 0 < password_expire < password_min_age:
             check_opt_err.append(msg3.format(password_min_age, password_expire))
         if len(check_opt_err) > 0:
             raise ValueError(check_opt_err)
@@ -234,8 +231,7 @@ def password_expired(self, user=None):
             except PastPassword.DoesNotExist:
                 pass
             if passwds is not None and passwds.first() is not None:
-                if (datetime.now(timezone.utc)
-                        - passwds.first().date_created).total_seconds() >= self.password_expire:
+                if (datetime.now(timezone.utc) - passwds.first().date_created).total_seconds() >= self.password_expire:
                     # the elapsed time since last password change / create is more than password_expire
                     passwd_expired = True
         return passwd_expired
diff --git a/apps/accounts/views/login.py b/apps/accounts/views/login.py
@@ -21,11 +21,6 @@ def dispatch(self, request, *args, **kwargs):
         return super().dispatch(request, *args, **kwargs)
 
     def form_valid(self, form):
-        """
-        Extend django login view to do password expire check
-        and redirect to password-change instead of user account home
-        """
-        # auth_login(self.request, form.get_user())
         response = super().form_valid(form)
         if response.status_code == 302:
             passwd_validators = get_default_password_validators()
diff --git a/hhs_oauth_server/settings/base.py b/hhs_oauth_server/settings/base.py
@@ -77,8 +77,7 @@
             "password_min_age": 60 * 5,
             # password reuse interval in seconds (365 days)
             "password_reuse_interval": 60 * 60 * 24 * 365,
-            # password expire in seconds (60 days)
-            "password_expire": 60 * 60 * 24 * 60,
+            "password_expire": 0,
         },
     },
     {
diff --git a/hhs_oauth_server/settings/test.py b/hhs_oauth_server/settings/test.py
@@ -63,8 +63,7 @@
                 'password_min_age': 60,
                 # password reuse interval in seconds (50 minutes)
                 'password_reuse_interval': 3000,
-                # password expire in seconds (10 minutes)
-                'password_expire': 600,
+                'password_expire': 0,
         }
     },
     {

Original file line number	Diff line number	Diff line change
`@@ -63,8 +63,7 @@`
`63`	`63`	`'password_min_age': 60,`
`64`	`64`	`# password reuse interval in seconds (50 minutes)`
`65`	`65`	`'password_reuse_interval': 3000,`
`66`		`- # password expire in seconds (10 minutes)`
`67`		`- 'password_expire': 600,`
	`66`	`+ 'password_expire': 0,`
`68`	`67`	`}`
`69`	`68`	`},`
`70`	`69`	`{`