Merge pull request #35 from mikemanger/feature/json-session-serializer

mpasternak · web-flow · commit 020d21892e8c · 2024-07-27T22:35:14.000+02:00
Feature/json session serializer and Django 5 support
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -19,6 +19,7 @@ jobs:
         - '3.9'
         - '3.10'
         - '3.11'
+        - '3.12'
 
     steps:
     - uses: actions/checkout@v4
diff --git a/docs/topics/setup.rst b/docs/topics/setup.rst
@@ -195,10 +195,10 @@ file::
 Serializer
 ============================
 
-For now this app uses the PickleSerializer. This needs to be set up in the Django settings
-file::
+This app is tested with both PickleSerializer and JsonSerializer.
 
-    SESSION_SERIALIZER='django.contrib.sessions.serializers.PickleSerializer'
+Django recommends to change from old pickle serializer to json because
+possible remote code execution vulnerability.
 
 .. _setup-create-db-tables:
 
diff --git a/password_policies/conf/settings.py b/password_policies/conf/settings.py
@@ -184,3 +184,8 @@
 
 
 PASSWORD_RESET_TIMEOUT_DAYS = 1
+
+PASSWORD_POLICIES_LAST_CHECKED_SESSION_KEY = "_password_policies_last_checked"
+PASSWORD_POLICIES_EXPIRED_SESSION_KEY = "_password_policies_expired"
+PASSWORD_POLICIES_LAST_CHANGED_SESSION_KEY = "_password_policies_last_changed"
+PASSWORD_POLICIES_CHANGE_REQUIRED_SESSION_KEY = "_password_policies_change_required"
diff --git a/password_policies/context_processors.py b/password_policies/context_processors.py
@@ -1,3 +1,4 @@
+from password_policies.conf import settings
 from password_policies.models import PasswordHistory
 
 
@@ -29,9 +30,9 @@ def password_status(request):
         auth = auth()
 
     if auth:
-        if '_password_policies_change_required' not in request.session:
+        if settings.PASSWORD_POLICIES_CHANGE_REQUIRED_SESSION_KEY not in request.session:
             r = PasswordHistory.objects.change_required(request.user)
         else:
-            r = request.session['_password_policies_change_required']
+            r = request.session[settings.PASSWORD_POLICIES_CHANGE_REQUIRED_SESSION_KEY]
         d['password_change_required'] = r
     return d
diff --git a/password_policies/middleware.py b/password_policies/middleware.py
@@ -20,8 +20,7 @@
 
 from password_policies.conf import settings
 from password_policies.models import PasswordChangeRequired, PasswordHistory
-from password_policies.utils import PasswordCheck
-
+from password_policies.utils import PasswordCheck, string_to_datetime, datetime_to_string
 
 class PasswordChangeMiddleware(MiddlewareMixin):
     """
@@ -70,22 +69,24 @@ class PasswordChangeMiddleware(MiddlewareMixin):
         This middleware does not try to redirect using the HTTPS
         protocol."""
 
-    checked = "_password_policies_last_checked"
-    expired = "_password_policies_expired"
-    last = "_password_policies_last_changed"
-    required = "_password_policies_change_required"
+    checked = settings.PASSWORD_POLICIES_LAST_CHECKED_SESSION_KEY
+    expired = settings.PASSWORD_POLICIES_EXPIRED_SESSION_KEY
+    last = settings.PASSWORD_POLICIES_LAST_CHANGED_SESSION_KEY
+    required = settings.PASSWORD_POLICIES_CHANGE_REQUIRED_SESSION_KEY
     td = timedelta(seconds=settings.PASSWORD_DURATION_SECONDS)
 
     def _check_history(self, request):
         if not request.session.get(self.last, None):
             newest = PasswordHistory.objects.get_newest(request.user)
             if newest:
-                request.session[self.last] = newest.created
+                request.session[self.last] = datetime_to_string(newest.created)
             else:
                 # TODO: This relies on request.user.date_joined which might not
                 # be available!!!
-                request.session[self.last] = request.user.date_joined
-        if request.session[self.last] < self.expiry_datetime:
+                request.session[self.last] = datetime_to_string(request.user.date_joined)
+
+        date_last = string_to_datetime(request.session[self.last])
+        if date_last < self.expiry_datetime:
             request.session[self.required] = True
             if not PasswordChangeRequired.objects.filter(user=request.user).count():
                 PasswordChangeRequired.objects.create(user=request.user)
@@ -95,27 +96,30 @@ def _check_history(self, request):
     def _check_necessary(self, request):
 
         if not request.session.get(self.checked, None):
-            request.session[self.checked] = self.now
+            request.session[self.checked] = datetime_to_string(self.now)
 
             #  If the PASSWORD_CHECK_ONLY_AT_LOGIN is set, then only check at the beginning of session, which we can
             #  tell by self.now time having just been set.
         if (
             not settings.PASSWORD_CHECK_ONLY_AT_LOGIN
-            or request.session.get(self.checked, None) == self.now
+            or request.session.get(self.checked, None) == datetime_to_string(self.now)
         ):
             # If a password change is enforced we won't check
             # the user's password history, thus reducing DB hits...
             if PasswordChangeRequired.objects.filter(user=request.user).count():
                 request.session[self.required] = True
                 return
-            if request.session[self.checked] < self.expiry_datetime:
+
+            date_checked = string_to_datetime(request.session[self.checked])
+            if date_checked < self.expiry_datetime:
                 try:
                     del request.session[self.last]
                     del request.session[self.checked]
                     del request.session[self.required]
                     del request.session[self.expired]
                 except KeyError:
                     pass
+
             if settings.PASSWORD_USE_HISTORY:
                 self._check_history(request)
         else:
diff --git a/password_policies/tests/test_middleware.py b/password_policies/tests/test_middleware.py
@@ -10,6 +10,7 @@
 except ImportError:
     from django.urls.base import reverse
 
+from django.test.utils import override_settings
 from django.utils import timezone
 
 from password_policies.conf import settings
@@ -71,3 +72,48 @@ def test_password_change_required_enforced_redirect(self):
         self.assertEqual(get_response_location(response["Location"]), self.redirect_url)
         self.client.logout()
         p.delete()
+
+
+class PasswordPoliciesMiddlewareJsonSerializerTest(TestCase):
+    def setUp(self):
+        self.user = create_user()
+        self.redirect_url = "http://testserver/password/change/?next=/"
+
+    def test_password_middleware_without_history(self):
+        seconds = settings.PASSWORD_DURATION_SECONDS - 60
+        self.user.date_joined = get_datetime_from_delta(timezone.now(), seconds)
+        self.user.last_login = get_datetime_from_delta(timezone.now(), seconds)
+        self.user.save()
+        self.client.login(username="alice", password=passwords[-1])
+        response = self.client.get(reverse("home"))
+        self.assertEqual(response.status_code, 200)
+        self.client.logout()
+
+    def test_password_middleware_with_history(self):
+        create_password_history(self.user)
+        self.client.login(username="alice", password=passwords[-1])
+        response = self.client.get(reverse("home"), follow=False)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(get_response_location(response["Location"]), self.redirect_url)
+        self.client.logout()
+        PasswordHistory.objects.filter(user=self.user).delete()
+
+    def test_password_middleware_enforced_redirect(self):
+        self.client.login(username="alice", password=passwords[-1])
+        response = self.client.get(reverse("home"), follow=False)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(get_response_location(response["Location"]), self.redirect_url)
+        self.client.logout()
+
+    def test_password_change_required_enforced_redirect(self):
+        seconds = settings.PASSWORD_DURATION_SECONDS - 60
+        self.user.date_joined = get_datetime_from_delta(timezone.now(), seconds)
+        self.user.last_login = get_datetime_from_delta(timezone.now(), seconds)
+        self.user.save()
+        p = PasswordChangeRequired.objects.create(user=self.user)
+        self.client.login(username="alice", password=passwords[-1])
+        response = self.client.get(reverse("home"), follow=False)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(get_response_location(response["Location"]), self.redirect_url)
+        self.client.logout()
+        p.delete()
diff --git a/password_policies/tests/test_models.py b/password_policies/tests/test_models.py
@@ -23,4 +23,4 @@ def test_password_history_expiration(self):
         self.assertEqual(count, settings.PASSWORD_HISTORY_COUNT)
 
     def test_password_history_recent_passwords(self):
-        self.failIf(PasswordHistory.objects.check_password(self.user, passwords[-1]))
+        self.assertFalse(PasswordHistory.objects.check_password(self.user, passwords[-1]))
diff --git a/password_policies/tests/test_settings.py b/password_policies/tests/test_settings.py
@@ -1,9 +1,4 @@
 import os
-from distutils.version import LooseVersion
-
-from django import get_version
-
-django_version = get_version()
 
 DEBUG = False
 
@@ -42,36 +37,24 @@
 
 SITE_ID = 1
 
-# This is to maintain compatibility with Django 1.7
-if LooseVersion(django_version) < LooseVersion("1.8.0"):
-    TEMPLATE_DIRS = (os.path.join(os.path.dirname(__file__), "templates"),)
-    TEMPLATE_CONTEXT_PROCESSORS = (
-        "django.contrib.auth.context_processors.auth",
-        "django.core.context_processors.debug",
-        "django.core.context_processors.i18n",
-        "django.contrib.messages.context_processors.messages",
-        "password_policies.context_processors.password_status",
-    )
-
-else:
-    TEMPLATES = [
-        {
-            "BACKEND": "django.template.backends.django.DjangoTemplates",
-            "DIRS": [
-                os.path.join(os.path.dirname(__file__), "templates"),
+TEMPLATES = [
+    {
+        "BACKEND": "django.template.backends.django.DjangoTemplates",
+        "DIRS": [
+            os.path.join(os.path.dirname(__file__), "templates"),
+        ],
+        "APP_DIRS": True,
+        "OPTIONS": {
+            "context_processors": [
+                "django.contrib.auth.context_processors.auth",
+                "django.template.context_processors.debug",
+                "django.template.context_processors.i18n",
+                "django.contrib.messages.context_processors.messages",
+                "password_policies.context_processors.password_status",
             ],
-            "APP_DIRS": True,
-            "OPTIONS": {
-                "context_processors": [
-                    "django.contrib.auth.context_processors.auth",
-                    "django.template.context_processors.debug",
-                    "django.template.context_processors.i18n",
-                    "django.contrib.messages.context_processors.messages",
-                    "password_policies.context_processors.password_status",
-                ],
-            },
         },
-    ]
+    },
+]
 
 MIDDLEWARE = (
     "django.middleware.common.CommonMiddleware",
@@ -82,7 +65,8 @@
     "django.contrib.messages.middleware.MessageMiddleware",
 )
 
-SESSION_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
+SESSION_SERIALIZER = "django.contrib.sessions.serializers.JSONSerializer"
+
 
 MEDIA_URL = "/media/somewhere/"
 
diff --git a/password_policies/tests/test_views.py b/password_policies/tests/test_views.py
diff --git a/password_policies/utils.py b/password_policies/utils.py
diff --git a/password_policies/views.py b/password_policies/views.py
diff --git a/tox.ini b/tox.ini

-Original file line number
+Diff line change
         - '3.9'
         - '3.10'
         - '3.11'
 +        - '3.12'
     steps:
     - uses: actions/checkout@v4