Merge branch '179-check-passwords-on-compromised-password-databases' of gitlab.com:yaal/canaille into 179-check-passwords-on-compromised-password-databases

2024-11-07 10:34:12 +01:00 · 2024-11-07 10:34:12 +01:00 · 9844818280
commit 9844818280
parent e6a9f2dcc6 289176a086
5 changed files with 23 additions and 11 deletions
--- a/canaille/app/forms.py
+++ b/canaille/app/forms.py
@ -5,6 +5,7 @@ import re
 import wtforms.validators
 from flask import abort
 from flask import current_app
+from flask import flash
 from flask import make_response
 from flask import request
 from flask_wtf import FlaskForm
@ -93,6 +94,13 @@ def compromised_password_validator(form, field):
    except ImportError:
        return None

+    group_user = Backend.instance.query(models.User)
+    emails_of_admins = []
+    for user in group_user:
+        for group in user.groups:
+            if "admins" == group.display_name:
+                emails_of_admins.append(user.emails[0])
+
    hashed_password = sha1(field.data.encode("utf-8")).hexdigest()
    hashed_password_prefix, hashed_password_suffix = (
        hashed_password[:5].upper(),
@ -105,18 +113,23 @@ def compromised_password_validator(form, field):
        response = requests.api.get(api_url, timeout=10)
    except Exception as e:
        print("Error: " + str(e))
-
        if current_app.features.has_smtp and not request_is_htmx():
+            flash(
+                _(
+                    "Password compromise investigation failed. Please contact the administrators."
+                ),
+                "error",
+            )
            if form.user is not None:
                user_name = form.user.user_name
                user_email = form.user.emails[0]
            else:
                user_name = form["user_name"].data
                user_email = form["emails"].data[0]
-
-            send_compromised_password_check_failure_mail(
-                api_url, user_name, user_email, hashed_password_suffix
-            )
+            for admin_email in emails_of_admins:
+                send_compromised_password_check_failure_mail(
+                    api_url, user_name, user_email, hashed_password_suffix, admin_email
+                )

        return None

--- a/canaille/core/mails.py
+++ b/canaille/core/mails.py
@ -213,7 +213,7 @@ def send_registration_mail(email, registration_url):


 def send_compromised_password_check_failure_mail(
-    check_password_url, user_name, user_email, hashed_password
+    check_password_url, user_name, user_email, hashed_password, admin_email
 ):
    base_url = url_for("core.account.index", _external=True)
    logo_cid, logo_filename, logo_raw = logo()
@ -244,8 +244,7 @@ def send_compromised_password_check_failure_mail(

    return send_email(
        subject=subject,
-        # line to change with admin group mails....
-        recipient="sebastien@yaal.coop",
+        recipient=admin_email,
        text=text_body,
        html=html_body,
        attachments=[(logo_cid, logo_filename, logo_raw)] if logo_filename else None,
--- a/canaille/core/templates/mails/compromised_password_check_failure.html
+++ b/canaille/core/templates/mails/compromised_password_check_failure.html
@ -30,7 +30,7 @@
                    <p>
                        {% trans %}You have to check manually if the new password of the user {{ user_name }} is compromised.{% endtrans %}</br>
                        {% trans %}Follow this steps : {% endtrans %}</br>
-                        {% trans %}1. click on the link above "Check if password is pwned"{% endtrans %}</br>
+                        {% trans %}1. click on the link above "Check if password is compromised".{% endtrans %}</br>
                    </p>
                </td>
            </tr>
--- a/canaille/core/templates/mails/compromised_password_check_failure.txt
+++ b/canaille/core/templates/mails/compromised_password_check_failure.txt
@ -4,7 +4,7 @@

 {% trans %}You have to check manually if the new password of the user {{ user_name }} is compromised.{% endtrans %}
 {% trans %}Follow this steps : {% endtrans %}
-{% trans %}1. click on the link above "Check if password is pwned"{% endtrans %}
+{% trans %}1. click on the link above "Check if password is compromised".{% endtrans %}
 {% trans %}2. in the page that will open, search the following hashed password in the page : {{ hashed_password }}{% endtrans %}
 {% trans %}3. if the password is in the list :{% endtrans %}
 {% trans %}3.1. open this link http://127.0.0.1:5000/profile/{{ user_name }}/settings and reset user's password.{% endtrans %}
--- a/tests/core/test_profile_settings.py
+++ b/tests/core/test_profile_settings.py
@ -156,7 +156,7 @@ def test_profile_settings_too_long_password(testclient, logged_user):
    )


-def test_profile_settings_pwned_password(testclient, logged_user):
+def test_profile_settings_compromised_password(testclient, logged_user):
    """Tests if password is compromised."""

    def with_different_values(password, message):