Moodle - MDL-67309

Have options to call check_password_policy on every login

    • MOODLE_39_STABLE

      Setup:

      php admin/cli/cfg.php --name=passwordpolicy --set=1

      php admin/cli/cfg.php --name=passwordpolicycheckonlogin --set=1

      Test normal accounts which can have passwords changed

      1) Ensure the admin account (or whichever test account is required) is using the 'manual' login type.
      2) Set the admin account password to a weak password 'a'.

      php admin/cli/reset_password.php --username=admin --password=a --ignore-password-policy

      3) Log out of Moodle, and attempt to log in
      4) Verify that you are sent to the /login/change_password.php page
      5) Verify that there is a red notification box with the text 'Your current password no longer matches the set password policy.'

      6) Verify that the checks that were failed are displayed to the user.
      7) Verify that there is a red notification box with the text 'You must change your password to proceed.'

      Test auth types with an external change-password page

      1) Log out of Moodle, and modify auth manual to use an external password change URL

      auth/manual/auth.php

      Modify change_password_url() so that it points at Google:

      function change_password_url() { 
          return 'https://www.google.com';
      }

      function is_internal() { 
          return false;
      }

      3) Attempt to log in to Moodle again

      4) Verify you are redirected to Google

      5) Press Back in the browser

      6) Click Logout on the logout confirmation screen

      7) Click Continue on the next confirmation screen 

      Test auth types which cannot change the password

      1) Modify auth manual to disable the ability to change password 

      auth/manual/auth.php

      function can_change_password() {
          return false;
      }

      function is_internal() {
          return true;
      }

      2) Attempt to log in to Moodle again

      3) Verify you are redirected to the password reset page /login/forgot_password.php

      4) Verify there is an error notification with the text 'You must reset your password to login. '

      5) Verify that the checks that were failed are displayed to the user.

      Test auth types which cannot reset the password

      1) Disable the password policy so the password can be changed to a different simple password, which resets the must_change_password user preference

      php admin/cli/cfg.php --name=passwordpolicy --set=0

      auth/manual/auth.php

      function can_change_password() {
          return true;
      }

      function change_password_url() { 
          return null;
      }

      2) Log in to Moodle, and manually change the password to another simple password 'b'

      3) Log out of Moodle.

      4) Put the password policy back in place

      php admin/cli/cfg.php --name=passwordpolicy --set=1

      5) Modify auth manual to disable password resets and password changes.

      auth/manual/auth.php

      function can_reset_password() {
          return false;
      }

      function can_change_password() {
          return false;
      }

      6) Attempt to log in to Moodle again

      7) Verify that you are able to log in to the site

      8) Verify that a warning notification is shown with the text 'Your password no longer passes the set password policy, however the authentication type does not allow for changing or resetting of passwords. Please contact your Moodle administrator for assistance. '

      9) Verify that the checks that were failed are displayed to the user.

      10) Visit the logs for the system at http://moodlecore.lan/report/log/index.php

      11) Verify that there are 3 events for 'User password failed password policy.'

      12) Verify that all the information for the event matches the correct username.

      13) Verify that the Event Name link correctly links to the user profile.


      Most password checks have historically been deterministic, so you only really needed to call check_password_policy on signup or when changing the password.

      But there are two edge cases where it would be good to re-check the password on every single login:

      1) if the password policy has changed and you want to force people to quickly migrate to the new policy

      2) a previous good password is now bad for non-deterministic reasons, e.g. an external check.

      Now that our password checking plugin, which uses the https://haveibeenpwned.com/ API, is live, this is a perfect example of this:

      https://github.com/catalyst/moodle-tool_passwordvalidator

      In most cases, if you are only using core checks, then the cost of performing them is very low, so there is no downside to having them always on. If you have gone to the trouble of installing a password checker like ours, then you are very likely to want this higher level of security.

      So I am proposing to re-check check_password_policy very early on in the auth flow, and if it fails then flip the force password change bit and redirect them to the password reset page.

      I'm on the fence around whether this should be an option and we have the ability to just warn people but let them in, or just force them to reset. Use cases for this are for things like 'I need to login to submit my assignment, oh I need to reset my password, oh my email isn't working for some reason'. For other plugins in similar positions we've implemented grace periods, but here in core I think it adds a lot of complexity in the config and code so I'm leaning towards a zero conf patch which forces a reset.

      I think the logic flow is something like (this may be overkill):

      If the password check fails:

        - if can_reset_password() then don't log in and redirect to the reset page
        - if no reset but can_change_password() and change_password_url() is external, then redirect there
        - if no reset but can_change_password() and change_password_url() is internal, then log in and redirect there
        - fall back to just outputting a notification
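      The decision flow above written out as stand-alone PHP, added here as an illustration; it is not Moodle's code and not the patch for this issue. The fake_auth_plugin class, the resolve_policy_failure() function and the sample failed-check text are constructed for the example; only the method names (can_reset_password(), can_change_password(), change_password_url(), is_internal()), the page paths and the notification strings come from the issue text.

```php
<?php
// Added example: a stand-alone model of the decision flow proposed in the issue.
// Not Moodle's implementation. fake_auth_plugin is a constructed stand-in whose
// method names mirror the auth plugin API the issue refers to.

/** Minimal stand-in for an auth plugin (constructed for this example). */
class fake_auth_plugin {
    private $canreset;
    private $canchange;
    private $changeurl;
    private $internal;

    public function __construct(bool $canreset, bool $canchange, ?string $changeurl, bool $internal) {
        $this->canreset = $canreset;
        $this->canchange = $canchange;
        $this->changeurl = $changeurl;
        $this->internal = $internal;
    }
    public function can_reset_password(): bool { return $this->canreset; }
    public function can_change_password(): bool { return $this->canchange; }
    public function change_password_url(): ?string { return $this->changeurl; }
    public function is_internal(): bool { return $this->internal; }
}

/**
 * Decide what happens when check_password_policy() fails for a user at login.
 * Order follows the proposal: reset first, then external change URL, then
 * internal change page, and finally a warn-but-allow fallback.
 *
 * Returns [allow_login, set_force_change_preference, redirect_url_or_null, message].
 */
function resolve_policy_failure(fake_auth_plugin $auth, array $failedchecks): array {
    // The failed checks are shown to the user in every branch.
    $details = implode('; ', $failedchecks);

    if ($auth->can_reset_password()) {
        // No session is created; the user goes straight to the reset page.
        return [false, false, '/login/forgot_password.php',
            'You must reset your password to login. ' . $details];
    }

    if ($auth->can_change_password()) {
        $url = $auth->change_password_url();
        if (!$auth->is_internal() && !empty($url)) {
            // The password lives in an external system: redirect there without a Moodle session.
            return [false, false, $url, 'You must change your password to proceed. ' . $details];
        }
        // Internal change page: log the user in, flip the forced-change bit, then redirect.
        return [true, true, '/login/change_password.php',
            'Your current password no longer matches the set password policy. ' . $details];
    }

    // Nothing can be changed or reset through this auth type: allow login with a warning.
    return [true, false, null,
        'Your password no longer passes the set password policy, however the authentication '
        . 'type does not allow for changing or resetting of passwords. Please contact your '
        . 'Moodle administrator for assistance. ' . $details];
}

// Walk the four scenarios from the testing instructions with a constructed failed-check list.
$failed = ['constructed sample: password is too short'];
$scenarios = [
    'resettable'      => new fake_auth_plugin(true,  true,  null, true),
    'external change' => new fake_auth_plugin(false, true,  'https://www.google.com', false),
    'internal change' => new fake_auth_plugin(false, true,  null, true),
    'no change/reset' => new fake_auth_plugin(false, false, null, true),
];
foreach ($scenarios as $name => $auth) {
    [$login, $force, $redirect, $msg] = resolve_policy_failure($auth, $failed);
    printf("%-16s login=%-3s force_change=%-3s redirect=%s\n  %s\n",
        $name, $login ? 'yes' : 'no', $force ? 'yes' : 'no', $redirect ?? '(none)', $msg);
}
```

      Run with `php resolve_policy_failure.php` (any file name works). Only the internal-change branch both creates a session and sets the forced-change preference; the reset and external branches deliberately deny the session, which is the property the first three test scenarios check.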

      Attachments:
        1. MDL-67309.jpg (39 kB)
        2. MDL-67309 (2).jpg (43 kB)
        3. MDL-67309 (3).jpg (100 kB)

      People: Peter Burnett (peterburnett), Brendan Heywood (brendanheywood), Eloy Lafuente (stronk7), Anna Carissa Sadia
      Votes: 0
      Watchers: 7
      Time logged: 2h 35m