slapos_erp5: Implement quick password expiration

It add a script to be custom on project site, if you have short term users, that requires short password expiration timing.

slapos_erp5: Implement quick password expiration
It add a script to be custom on project site, if you have short term users, that requires short password expiration timing.
06f72fdf · Rafael Monnerat · b1047cb1 · 06f72fdf · 06f72fdf · 06f72fdf
Commit 06f72fdf authored Nov 12, 2021 by Rafael Monnerat
3 changed files
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_base/Login_getFastExpirationReferenceList.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_base/Login_getFastExpirationReferenceList.py
+"""
+  Returns the list of logins that will expire in 24 hours.
+
+  This is used for mantain superusers accounts in auto expiration mode.
+"""
+
+return  []
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_base/Login_getFastExpirationReferenceList.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_base/Login_getFastExpirationReferenceList.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string></string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>Login_getFastExpirationReferenceList</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_base/Login_isPasswordExpired.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_base/Login_isPasswordExpired.py
 """
  Returns if user account is Person's password is expired.
  Start password recovery process for expired password (if configured).
+
+  This script was introduce to expire superusers passwords faster, 
+  requiring them to reset it for using it. This allow us keep them 
+  with a reasonably easy access w/o require to reccur to zope password
+  while debug or update code on production.
+
+  The second reason is to overcome certain security restrictions when
+  search Password events.
+
 """
 portal = context.getPortalObject()
 is_password_expired = False
 expire_date_warning = 0
 password_event_list = context.Login_unrestrictedSearchPasswordEvent()
+quick_expiration_login_list = context.Login_getFastExpirationReferenceList()

 if password_event_list:
  ONE_HOUR = 1 / 24.0
  portal_preferences = portal.portal_preferences
-  expire_date = password_event_list[0].creation_date + portal_preferences.getPreferredMaxPasswordLifetimeDuration() * ONE_HOUR
+  if context.getReference() in quick_expiration_login_list:
+    # Expire the superusers every 24 hours maximum
+    expire_date = password_event_list[0].creation_date + 24 * ONE_HOUR
+  else:
+    expire_date = password_event_list[0].creation_date + portal_preferences.getPreferredMaxPasswordLifetimeDuration() * ONE_HOUR
  now = DateTime()
  if expire_date < now:
    # password is expired