From e557b5debd68a88ff69f43590f54fd10fcdc31e5 Mon Sep 17 00:00:00 2001
From: Jason Bau
Date: Mon, 28 Jul 2014 15:17:17 -0400
Subject: [PATCH] Allow external_auth registrations to bypass PW complexity check
---
 .../student/tests/test_password_policy.py | 29 +++++++++++++++++--
 common/djangoapps/student/views.py | 3 +-
 2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/common/djangoapps/student/tests/test_password_policy.py b/common/djangoapps/student/tests/test_password_policy.py
index cb5c0f883a..28cd43e369 100644
--- a/common/djangoapps/student/tests/test_password_policy.py
+++ b/common/djangoapps/student/tests/test_password_policy.py
@@ -4,10 +4,14 @@ This test file will verify proper password policy enforcement, which is an optio
 """
 import json
 from django.test import TestCase
+from django.test.client import RequestFactory
 from django.core.urlresolvers import reverse
-from mock import patch
+from django.utils.importlib import import_module
 from django.test.utils import override_settings
-
+from django.conf import settings
+from mock import patch
+from student.views import create_account
+from external_auth.models import ExternalAuthMap
 @patch.dict("django.conf.settings.FEATURES", {'ENFORCE_PASSWORD_POLICY': True})
 class TestPasswordPolicy(TestCase):
@@ -17,7 +21,7 @@ class TestPasswordPolicy(TestCase):
 def setUp(self):
 super(TestPasswordPolicy, self).setUp()
 self.url = reverse('create_account')
-
+ self.request_factory = RequestFactory()
 self.url_params = {
 'username': 'username',
 'email': 'foo_bar@bar.com',
@@ -237,6 +241,25 @@ class TestPasswordPolicy(TestCase):
 obj = json.loads(response.content)
 self.assertTrue(obj['success'])
+ @override_settings(PASSWORD_MIN_LENGTH=6, SESSION_ENGINE='django.contrib.sessions.backends.cache')
+ def test_ext_auth_password_length_too_short(self):
+ """
+ Tests that even if password policy is enforced, ext_auth registrations aren't subject to it
+ """
+ self.url_params['password'] = 'aaa' # shouldn't pass validation
+ request = self.request_factory.post(self.url, self.url_params)
+ # now indicate we are doing ext_auth by setting 'ExternalAuthMap' in the session.
+ request.session = import_module(settings.SESSION_ENGINE).SessionStore() # empty session
+ extauth = ExternalAuthMap(external_id='withmap@stanford.edu',
+ external_email='withmap@stanford.edu',
+ internal_password=self.url_params['password'],
+ external_domain='shib:https://idp.stanford.edu/')
+ request.session['ExternalAuthMap'] = extauth
+ response = create_account(request)
+ self.assertEqual(response.status_code, 200)
+ obj = json.loads(response.content)
+ self.assertTrue(obj['success'])
+
 class TestUsernamePasswordNonmatch(TestCase):
 """
diff --git a/common/djangoapps/student/views.py b/common/djangoapps/student/views.py
index 333156550c..edcf9278ce 100644
--- a/common/djangoapps/student/views.py
+++ b/common/djangoapps/student/views.py
@@ -1251,7 +1251,8 @@ def create_account(request, post_override=None): # pylint: disable-msg=too-many
 return JsonResponse(js, status=400)
 # enforce password complexity as an optional feature
- if settings.FEATURES.get('ENFORCE_PASSWORD_POLICY', False):
+ # but not if we're doing ext auth b/c those pws never get used and are auto-generated so might not pass validation
+ if settings.FEATURES.get('ENFORCE_PASSWORD_POLICY', False) and not DoExternalAuth:
 try:
 password = post_vars['password']
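Review bot: In `test_ext_auth_password_length_too_short` the posted password and `internal_password` are both `'aaa'`, so the test cannot tell which of the two the view ends up storing; it only proves that registration succeeds. Since the policy skip in views.py is justified by the ext-auth password being auto-generated and never used, the test should pin that by giving the map a distinct value, e.g. `internal_password='ext-auth-generated-sample'` (a constructed value). It can then assert that the created account does not accept the posted one, e.g. `self.assertFalse(User.objects.get(username='username').check_password('aaa'))`. That assertion needs the `User` model imported, and which value the view stores is not visible in this diff, so confirm the expected outcome against `create_account` first.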
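Review bot: In the views.py hunk the password-policy check is now skipped whenever `DoExternalAuth` is true, but nothing visible here guarantees that the password saved for such an account is the auto-generated one rather than `post_vars['password']`. `DoExternalAuth` is assigned outside the hunk (the new test suggests it follows from an `ExternalAuthMap` entry in the session), and the body of `create_account` starts and ends outside it, so this needs checking against the rest of the function. If the posted value can ever be stored, an ext-auth registration would create an account whose password never went through `ENFORCE_PASSWORD_POLICY` and might still be accepted by the normal login form. I would state the invariant in the comment, e.g. `# skipped for ext auth: the stored password is ExternalAuthMap.internal_password (auto-generated), never the posted value`, and wrap the added comment line, which is well past the usual line length.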