Add adjustable password length and tabu list for recently used passwords by seitenbau-govdata · Pull Request #87 · data-govt-nz/ckanext-security

seitenbau-govdata · 2025-07-14T13:01:28Z

We made several improvements to this plugin that are based on each other. We have included all improvements in this PR, it's a bit messy, but if needed, we can talk and maybe find a good way to split them up.

What we have done:

added tests
added translations (and included a german translation)
add config declaration
bugfix for newer CKAN, session object changed and have no "invalidate" method anymore
if used with https://github.com/keitaroinc/ckanext-saml2auth, we patch the other extension to use the password generation of this extension - so generated passwords comply with the requirements defined here

ckanext/security/constants.py

ckanext/security/helpers.py

ckanext/security/plugin/i18n/ckanext-security.pot

ckanext/security/templates/user/edit_user_form.html

ckanext/security/tests/test_action.py

ckanext/security/tests/test_validators.py

ckanext/security/validators.py

ThrawnCA · 2025-07-14T22:54:58Z

This has good potential but there are various problems, most notably the use of random to generate the password.

seitenbau-govdata · 2025-07-15T13:59:51Z

@ThrawnCA Thank you very much for your review!

ThrawnCA · 2025-07-15T22:49:09Z

ckanext/security/validators.py

-import six
 import string

+import six


six is a good library, but...is this plugin actually compatible with Python 2? If not, then there's no point.

git blame says you introduced it 2021 😄
We could lose the library but that would be out of scope for this PR, since we did not touch any of its occurrences, I think.

git blame says you introduced it 2021

Sure. In 2021, CKAN 2.8, and thus Python 2, were still current.

I just wondered where six came from, that's why I mentioned it. :) Please don't take that as criticism.
I just open an issue to track this so it can be done in another PR.

ThrawnCA · 2025-07-15T22:51:28Z

Looking better :)

TABULIST still appears in a bunch of places, which at first glance looks like something table-related. "Tabu" is a pretty esoteric word in English, plus it's more usually spelled "taboo", so I think "blacklist" is the simpler and clearer choice.

seitenbau-govdata · 2025-07-16T05:55:00Z

Looking better :)

TABULIST still appears in a bunch of places, which at first glance looks like something table-related. "Tabu" is a pretty esoteric word in English, plus it's more usually spelled "taboo", so I think "blacklist" is the simpler and clearer choice.

I looked at https://en.wikipedia.org/wiki/Tabu_search to see if it is well known in english, but then we switch to blacklist, which is more widely spread in applications. :)

…omply with security

…recently used passwords")

TimoSeitenbau added 3 commits July 14, 2025 14:37

Add config declaration and fix config example in README

5409d3f

Add test boilerplate

b30e188

Add adjustable password length

85fbbeb

ThrawnCA reviewed Jul 14, 2025

View reviewed changes

ThrawnCA reviewed Jul 15, 2025

View reviewed changes

TimoSeitenbau added 8 commits July 16, 2025 08:32

Add tests for password validator

3ae640b

Add german translation

087f386

Include i18n folder on build

47f6d00

Add blacklist for recently used passwords

66e93ca

only invalidate session on logout if there is a session object

e436b96

if saml2auth plugin is present, modify their password generation to c…

c0c7e3a

…omply with security

Review: Rename tabu_list to blacklist. (squash to "Add blacklist for …

794ce7b

…recently used passwords")

Add blacklist_item_count example line to README.md

c73b8d3

seitenbau-govdata mentioned this pull request Jul 16, 2025

remove six library #88

Open

seitenbau-govdata force-pushed the feature/adjustable-password-length-and-tabu-list branch from 230ec37 to c73b8d3 Compare July 16, 2025 06:55

Fix mistake in german translation

f4cb3cf

Conversation

seitenbau-govdata commented Jul 14, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

ThrawnCA commented Jul 14, 2025

Uh oh!

seitenbau-govdata commented Jul 15, 2025

Uh oh!

ThrawnCA Jul 15, 2025

Choose a reason for hiding this comment

Uh oh!

seitenbau-govdata Jul 16, 2025

Choose a reason for hiding this comment

Uh oh!

ThrawnCA Jul 16, 2025

Choose a reason for hiding this comment

Uh oh!

seitenbau-govdata Jul 16, 2025

Choose a reason for hiding this comment

Uh oh!

ThrawnCA commented Jul 15, 2025

Uh oh!

seitenbau-govdata commented Jul 16, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants