diff --git a/axes/decorators.py b/axes/decorators.py index e50d79a..10215f3 100644 --- a/axes/decorators.py +++ b/axes/decorators.py @@ -144,13 +144,12 @@ def is_user_lockable(request): else: return True - -def get_user_attempts(request): +def _get_user_attempts(request): """Returns access attempt record if it exists. Otherwise return None. """ ip = get_ip(request) - + username = request.POST.get('username', None) if USE_USER_AGENT: @@ -174,11 +173,26 @@ def get_user_attempts(request): params['username'] = username attempts |= AccessAttempt.objects.filter(**params) + return attempts + +def get_user_attempts(request): + objects_deleted = False + attempts = _get_user_attempts(request) + if COOLOFF_TIME: for attempt in attempts: - if attempt.attempt_time + COOLOFF_TIME < datetime.now() \ - and attempt.trusted is False: - attempt.delete() + if attempt.attempt_time + COOLOFF_TIME < datetime.now(): + if attempt.trusted: + attempt.failures_since_start = 0 + attempt.save() + else: + attempt.delete() + objects_deleted = True + + # If objects were deleted, we need to update the queryset to reflect this, + # so force a reload. + if objects_deleted: + attempts = _get_user_attempts(request) return attempts diff --git a/axes/test_settings.py b/axes/test_settings.py index 31f71be..61a6f26 100644 --- a/axes/test_settings.py +++ b/axes/test_settings.py @@ -38,3 +38,6 @@ SECRET_KEY = 'too-secret-for-test' LOGIN_REDIRECT_URL = '/admin' AXES_LOGIN_FAILURE_LIMIT = 10 +from datetime import timedelta +AXES_COOLOFF_TIME=timedelta(seconds = 2) + diff --git a/axes/tests.py b/axes/tests.py index fe5aade..682cd49 100644 --- a/axes/tests.py +++ b/axes/tests.py @@ -1,14 +1,15 @@ import random import string +import time from django.test import TestCase +from django.test.client import Client from django.contrib.auth.models import User from django.core.urlresolvers import reverse from django.test.utils import override_settings -from axes.decorators import FAILURE_LIMIT -from axes.decorators import LOGIN_FORM_KEY -from axes.models import AccessLog +from axes.decorators import FAILURE_LIMIT, COOLOFF_TIME, LOGIN_FORM_KEY +from axes.models import AccessLog, AccessAttempt class AccessAttemptTest(TestCase): @@ -107,6 +108,60 @@ class AccessAttemptTest(TestCase): self.assertNotIn(LOGIN_FORM_KEY, response.content) + def _successful_login(self, username, password): + c = Client() + response = c.post('/admin/', { + 'username': username, + 'password': username, + 'this_is_the_login_form': 1, + }) + + return response + + + def _unsuccessful_login(self, username): + c = Client() + response = c.post('/admin/', { + 'username': username, + 'password': 'wrong', + 'this_is_the_login_form': 1, + }) + + return response + + def test_cooling_off_for_trusted_user(self): + valid_username = self._random_username(existing_username=True) + + # Test successful login, this makes the user trusted. + response = self._successful_login(valid_username, valid_username) + self.assertNotIn(LOGIN_FORM_KEY, response.content) + + self.test_cooling_off(username=valid_username) + + def test_cooling_off(self, username=None): + if username: + valid_username = username + else: + valid_username = self._random_username(existing_username=True) + + # Test unsuccessful login and stop just before lockout happens + for i in range(0, FAILURE_LIMIT): + response = self._unsuccessful_login(valid_username) + + # Check if we are in the same login page + self.assertIn(LOGIN_FORM_KEY, response.content) + + # Lock out the user + response = self._unsuccessful_login(valid_username) + self.assertIn(self.LOCKED_MESSAGE, response.content) + + # Wait for the cooling off period + time.sleep(COOLOFF_TIME.total_seconds()) + + # It should be possible to login again, make sure it is. + response = self._successful_login(valid_username, valid_username) + self.assertNotIn(self.LOCKED_MESSAGE, response.content) + def test_valid_logout(self): """Tests a valid logout and make sure the logout_time is updated """