From 5bcf2aef8c3dd14320eb212776f3620be1929da1 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 10 Jul 2020 20:43:35 +0200
Subject: [PATCH] policies/password: Add Password Policy tests, update password
 policy for flows

---
 passbook/policies/password/api.py             |  1 +
 passbook/policies/password/forms.py           |  2 +
 .../0002_passwordpolicy_password_field.py     | 21 ++++++++++
 passbook/policies/password/models.py          | 35 ++++++++++++----
 passbook/policies/password/tests.py           | 42 +++++++++++++++++++
 swagger.yaml                                  |  5 +++
 6 files changed, 97 insertions(+), 9 deletions(-)
 create mode 100644 passbook/policies/password/migrations/0002_passwordpolicy_password_field.py
 create mode 100644 passbook/policies/password/tests.py

diff --git a/passbook/policies/password/api.py b/passbook/policies/password/api.py
index 6124d4bf1..c95ef2fff 100644
--- a/passbook/policies/password/api.py
+++ b/passbook/policies/password/api.py
@@ -12,6 +12,7 @@ class PasswordPolicySerializer(ModelSerializer):
     class Meta:
         model = PasswordPolicy
         fields = GENERAL_SERIALIZER_FIELDS + [
+            "password_field",
             "amount_uppercase",
             "amount_lowercase",
             "amount_symbols",
diff --git a/passbook/policies/password/forms.py b/passbook/policies/password/forms.py
index a60fd522f..3b9e7695e 100644
--- a/passbook/policies/password/forms.py
+++ b/passbook/policies/password/forms.py
@@ -14,6 +14,7 @@ class PasswordPolicyForm(forms.ModelForm):
 
         model = PasswordPolicy
         fields = GENERAL_FIELDS + [
+            "password_field",
             "amount_uppercase",
             "amount_lowercase",
             "amount_symbols",
@@ -23,6 +24,7 @@ class PasswordPolicyForm(forms.ModelForm):
         ]
         widgets = {
             "name": forms.TextInput(),
+            "password_field": forms.TextInput(),
             "symbol_charset": forms.TextInput(),
             "error_message": forms.TextInput(),
         }
diff --git a/passbook/policies/password/migrations/0002_passwordpolicy_password_field.py b/passbook/policies/password/migrations/0002_passwordpolicy_password_field.py
new file mode 100644
index 000000000..84d5fe063
--- /dev/null
+++ b/passbook/policies/password/migrations/0002_passwordpolicy_password_field.py
@@ -0,0 +1,21 @@
+# Generated by Django 3.0.8 on 2020-07-10 18:29
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_policies_password", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="passwordpolicy",
+            name="password_field",
+            field=models.TextField(
+                default="password",
+                help_text="Field key to check, field keys defined in Prompt stages are available.",
+            ),
+        ),
+    ]
diff --git a/passbook/policies/password/models.py b/passbook/policies/password/models.py
index 4f14da98d..f0250a2f4 100644
--- a/passbook/policies/password/models.py
+++ b/passbook/policies/password/models.py
@@ -14,6 +14,13 @@ LOGGER = get_logger()
 class PasswordPolicy(Policy):
     """Policy to make sure passwords have certain properties"""
 
+    password_field = models.TextField(
+        default="password",
+        help_text=_(
+            "Field key to check, field keys defined in Prompt stages are available."
+        ),
+    )
+
     amount_uppercase = models.IntegerField(default=0)
     amount_lowercase = models.IntegerField(default=0)
     amount_symbols = models.IntegerField(default=0)
@@ -24,19 +31,29 @@ class PasswordPolicy(Policy):
     form = "passbook.policies.password.forms.PasswordPolicyForm"
 
     def passes(self, request: PolicyRequest) -> PolicyResult:
-        # Only check if password is being set
-        if not hasattr(request.user, "__password__"):
-            return PolicyResult(True)
-        password = getattr(request.user, "__password__")
+        if self.password_field not in request.context:
+            LOGGER.warning(
+                "Password field not set in Policy Request",
+                field=self.password_field,
+                fields=request.context.keys(),
+            )
+        password = request.context[self.password_field]
 
-        filter_regex = r""
+        filter_regex = []
         if self.amount_lowercase > 0:
-            filter_regex += r"[a-z]{%d,}" % self.amount_lowercase
+            filter_regex.append(r"[a-z]{%d,}" % self.amount_lowercase)
         if self.amount_uppercase > 0:
-            filter_regex += r"[A-Z]{%d,}" % self.amount_uppercase
+            filter_regex.append(r"[A-Z]{%d,}" % self.amount_uppercase)
         if self.amount_symbols > 0:
-            filter_regex += r"[%s]{%d,}" % (self.symbol_charset, self.amount_symbols)
-        result = bool(re.compile(filter_regex).match(password))
+            filter_regex.append(
+                r"[%s]{%d,}" % (self.symbol_charset, self.amount_symbols)
+            )
+        full_regex = "|".join(filter_regex)
+        LOGGER.debug("Built regex", regexp=full_regex)
+        result = bool(re.compile(full_regex).match(password))
+
+        result = result and len(password) >= self.length_min
+
         if not result:
             return PolicyResult(result, self.error_message)
         return PolicyResult(result)
diff --git a/passbook/policies/password/tests.py b/passbook/policies/password/tests.py
new file mode 100644
index 000000000..51875ff6d
--- /dev/null
+++ b/passbook/policies/password/tests.py
@@ -0,0 +1,42 @@
+"""Password Policy tests"""
+from django.test import TestCase
+from guardian.shortcuts import get_anonymous_user
+
+from passbook.policies.password.models import PasswordPolicy
+from passbook.policies.types import PolicyRequest, PolicyResult
+
+
+class TestPasswordPolicy(TestCase):
+    """Test Password Policy"""
+
+    def test_false(self):
+        """Failing password case"""
+        policy = PasswordPolicy.objects.create(
+            name="test_false",
+            amount_uppercase=1,
+            amount_lowercase=2,
+            amount_symbols=3,
+            length_min=24,
+            error_message="test message",
+        )
+        request = PolicyRequest(get_anonymous_user())
+        request.context["password"] = "test"
+        result: PolicyResult = policy.passes(request)
+        self.assertFalse(result.passing)
+        self.assertEqual(result.messages, ("test message",))
+
+    def test_true(self):
+        """Positive password case"""
+        policy = PasswordPolicy.objects.create(
+            name="test_true",
+            amount_uppercase=1,
+            amount_lowercase=2,
+            amount_symbols=3,
+            length_min=3,
+            error_message="test message",
+        )
+        request = PolicyRequest(get_anonymous_user())
+        request.context["password"] = "Test()!"
+        result: PolicyResult = policy.passes(request)
+        self.assertTrue(result.passing)
+        self.assertEqual(result.messages, tuple())
diff --git a/swagger.yaml b/swagger.yaml
index 3cfe4a277..b4bd00851 100755
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -5838,6 +5838,11 @@ definitions:
         title: Name
         type: string
         x-nullable: true
+      password_field:
+        title: Password field
+        description: Field key to check, field keys defined in Prompt stages are available.
+        type: string
+        minLength: 1
       amount_uppercase:
         title: Amount uppercase
         type: integer