Increase minimum password requirements in line with industry standard…

…s - >8 chars, upper & lower & number.
ckan · Jun 9, 2017 · d241333 · d241333
1 parent 8e0d6d4
commit d241333
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 2 deletions.
diff --git a/ckan/logic/validators.py b/ckan/logic/validators.py
@@ -578,8 +578,11 @@ def user_password_validator(key, data, errors, context):
         errors[('password',)].append(_('Passwords must be strings'))
     elif value == '':
         pass
-    elif len(value) < 4:
-        errors[('password',)].append(_('Your password must be 4 characters or longer'))
+    elif len(value) < 8:
+        errors[('password',)].append(_('Your password must be 8 characters or longer'))
+    elif not re.match('^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]+$', value):
+        errors[('password',)].append(_('Your password must contain at least '
+            'one lowercase letter, one uppercase letter and a number'))
 
 def user_passwords_match(key, data, errors, context):
 

diff --git a/ckan/tests/logic/test_validators.py b/ckan/tests/logic/test_validators.py
@@ -584,4 +584,45 @@ def test_role_exists_empty(self):
         ctx = self._make_context()
         v = validators.role_exists('', ctx)
 
+
+class TestPasswordValidator(object):
+
+    def test_ok(self):
+        passwords = ['MyPassword1', 'my1Password', '1PasswordMY']
+        key = ('password',)
+
+        @t.does_not_modify_errors_dict
+        def call_validator(*args, **kwargs):
+            return validators.user_password_validator(*args, **kwargs)
+        for password in passwords:
+            errors = factories.validator_errors_dict()
+            errors[key] = []
+            call_validator(key, {key: password}, errors, None)
+
+    def test_too_short(self):
+        password = 'MyPass1'
+        key = ('password',)
+
+        @adds_message_to_errors_dict('Your password must be 8 characters or longer')
+        def call_validator(*args, **kwargs):
+            return validators.user_password_validator(*args, **kwargs)
+        errors = factories.validator_errors_dict()
+        errors[key] = []
+        call_validator(key, {key: password}, errors, None)
+
+    def test_not_diverse_enough(self):
+        passwords = [
+            'password1', '1password', 'PASSWORD1', 'Password', 'passWord']
+        key = ('password',)
+
+        @adds_message_to_errors_dict(
+            'Your password must contain at least one lowercase letter, one '
+            'uppercase letter and a number')
+        def call_validator(*args, **kwargs):
+            return validators.user_password_validator(*args, **kwargs)
+        for password in passwords:
+            errors = factories.validator_errors_dict()
+            errors[key] = []
+            call_validator(key, {key: password}, errors, None)
+
 # TODO: Need to test when you are not providing owner_org and the validator queries for the dataset with package_show