From 983d906ad61dcf810f73178c0d3dfe3bce2ad32e Mon Sep 17 00:00:00 2001
From: Holger Just <holger@plan.io>
Date: Mon, 23 Mar 2015 18:57:10 +0100
Subject: [PATCH] Allow to specify maximum password age

---
 app/models/user.rb                          | 13 ++++++++++-
 app/views/my/password.html.erb              |  2 +-
 app/views/settings/_authentication.html.erb |  4 ++++
 config/locales/de.yml                       |  1 +
 config/locales/en.yml                       |  1 +
 config/settings.yml                         |  4 ++++
 test/integration/account_test.rb            | 34 +++++++++++++++++++++++++++++
 7 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 8811a65..5978f06 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -323,8 +323,19 @@ class User < Principal
     return auth_source.allow_password_changes?
   end
 
+  def password_expired?
+    changed_on = self.passwd_changed_on || Time.at(0)
+    period = Setting.password_max_age.to_i
+
+    if period.zero?
+      false
+    else
+      changed_on < period.days.ago
+    end
+  end
+
   def must_change_password?
-    must_change_passwd? && change_password_allowed?
+    (must_change_passwd? || password_expired?) && change_password_allowed?
   end
 
   def generate_password?
diff --git a/app/views/my/password.html.erb b/app/views/my/password.html.erb
index c3f86b9..6ba2bfc 100644
--- a/app/views/my/password.html.erb
+++ b/app/views/my/password.html.erb
@@ -17,7 +17,7 @@
 <%= submit_tag l(:button_apply) %>
 <% end %>
 
-<% unless @user.must_change_passwd? %>
+<% unless @user.must_change_passwd? || @user.password_expired? %>
 <% content_for :sidebar do %>
 <%= render :partial => 'sidebar' %>
 <% end %>
diff --git a/app/views/settings/_authentication.html.erb b/app/views/settings/_authentication.html.erb
index 77b5afc..80fb4bd 100644
--- a/app/views/settings/_authentication.html.erb
+++ b/app/views/settings/_authentication.html.erb
@@ -14,6 +14,10 @@
 
 <p><%= setting_text_field :password_min_length, :size => 6 %></p>
 
+<p>
+  <%= setting_select :password_max_age, [[l(:label_disabled), 0]] + [7, 30, 60, 90, 180, 365].collect{|days| [l('datetime.distance_in_words.x_days', :count => days), days.to_s]} %>
+</p>
+
 <p><%= setting_check_box :lost_password, :label => :label_password_lost %></p>
 
 <p><%= setting_text_field :max_additional_emails, :size => 6 %></p>
diff --git a/config/locales/de.yml b/config/locales/de.yml
index 8c069a4..c29cd60 100644
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
@@ -1026,6 +1026,7 @@ de:
   setting_non_working_week_days: Arbeitsfreie Tage
   setting_openid: Erlaube OpenID-Anmeldung und -Registrierung
   setting_password_min_length: Mindestlänge des Kennworts
+  setting_password_max_age: Erzwinge Passwortwechsel nach
   setting_per_page_options: Objekte pro Seite
   setting_plain_text_mail: Nur reinen Text (kein HTML) senden
   setting_protocol: Protokoll
diff --git a/config/locales/en.yml b/config/locales/en.yml
index f1a04a0..dd08a0f 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -386,6 +386,7 @@ en:
   setting_file_max_size_displayed: Maximum size of text files displayed inline
   setting_repository_log_display_limit: Maximum number of revisions displayed on file log
   setting_openid: Allow OpenID login and registration
+  setting_password_max_age: Require password change after
   setting_password_min_length: Minimum password length
   setting_new_project_user_role_id: Role given to a non-admin user who creates a project
   setting_default_projects_modules: Default enabled modules for new projects
diff --git a/config/settings.yml b/config/settings.yml
index d2f0ff9..e5093dd 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -36,6 +36,10 @@ unsubscribe:
 password_min_length:
   format: int
   default: 8
+# Maximum password age in days
+password_max_age:
+  format: int
+  default: 0
 # Maximum number of additional email addresses per user
 max_additional_emails:
   format: int
diff --git a/test/integration/account_test.rb b/test/integration/account_test.rb
index 7f2f0e4..9ff6cc0 100644
--- a/test/integration/account_test.rb
+++ b/test/integration/account_test.rb
@@ -150,6 +150,40 @@ class AccountTest < Redmine::IntegrationTest
     assert_equal false, User.find_by_login('jsmith').must_change_passwd?
   end
 
+  def test_user_with_expired_password_should_be_forced_to_change_its_password
+    User.find_by_login('jsmith').update_attribute :passwd_changed_on, 14.days.ago
+
+    with_settings :password_max_age => 7 do
+      post '/login', :username => 'jsmith', :password => 'jsmith'
+      assert_redirected_to '/my/page'
+      follow_redirect!
+      assert_redirected_to '/my/password'
+
+      get '/issues'
+      assert_redirected_to '/my/password'
+    end
+  end
+
+  def test_user_with_expired_password_should_be_able_to_change_its_password
+    User.find_by_login('jsmith').update_attribute :passwd_changed_on, 14.days.ago
+
+    with_settings :password_max_age => 7 do
+      post '/login', :username => 'jsmith', :password => 'jsmith'
+      assert_redirected_to '/my/page'
+      follow_redirect!
+      assert_redirected_to '/my/password'
+      follow_redirect!
+      assert_response :success
+      post '/my/password', :password => 'jsmith', :new_password => 'newpassword', :new_password_confirmation => 'newpassword'
+      assert_redirected_to '/my/account'
+      follow_redirect!
+      assert_response :success
+
+      assert_equal false, User.find_by_login('jsmith').must_change_passwd?
+    end
+
+  end
+
   def test_register_with_automatic_activation
     Setting.self_registration = '3'
 
-- 
2.2.2