Canonical SSO provider

Merge lp:~mfoord/canonical-identity-provider/keep-passwords into lp:canonical-identity-provider/release

keep-passwords
Merge into trunk

Proposed by Michael Foord on 2013-11-21

Status:	Rejected
Rejected by:	Natalia Bidart on 2016-05-05
Proposed branch:	lp:~mfoord/canonical-identity-provider/keep-passwords
Merge into:	lp:canonical-identity-provider/release
Diff against target:	620 lines (+326/-54) 11 files modified src/identityprovider/admin.py (+5/-0) src/identityprovider/management/commands/populate.py (+3/-2) src/identityprovider/migrations/0017_keep_passwords.py (+236/-0) src/identityprovider/models/account.py (+28/-10) src/identityprovider/schema.py (+1/-0) src/identityprovider/signals.py (+1/-13) src/identityprovider/templates/nexus/admin/password_change_form.html (+0/-1) src/identityprovider/tests/test_admin.py (+7/-7) src/identityprovider/tests/test_models_account.py (+7/-0) src/identityprovider/tests/test_signals.py (+2/-20) src/identityprovider/validators.py (+36/-1)
To merge this branch:	bzr merge lp:~mfoord/canonical-identity-provider/keep-passwords
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Canonical ISD hackers		2013-11-21	Pending
Review via email: mp+196209@code.launchpad.net

lp:~mfoord/canonical-identity-provider/keep-passwords updated on 2013-11-27

1098. By Michael Foord on 2013-11-22: Remove the invalidate tokens signal
1099. By Michael Foord on 2013-11-22: Merge
1100. By Michael Foord on 2013-11-22: Clear oauth tokens when password changes
1101. By Michael Foord on 2013-11-25: Remove and move old tests
1102. By Michael Foord on 2013-11-25: Merge
1103. By Michael Foord on 2013-11-25: PCI compliance validator
1104. By Michael Foord on 2013-11-25: Fixes to the PCI validator
1105. By Michael Foord on 2013-11-25: Fix circular import
1106. By Michael Foord on 2013-11-26: Add PCI group setting
1107. By Michael Foord on 2013-11-27: Merge
1108. By Michael Foord on 2013-11-27: Merge

Revision history for this message

Natalia Bidart (nataliabidart) wrote on 2016-05-05:

Hi! I'm doing some cleanup on SSO MPs, I assume this is no longer valid, will set as Rejected.

Please shange the global status if this is still current. Thanks!

Unmerged revisions

1108. By Michael Foord on 2013-11-27: Merge
1107. By Michael Foord on 2013-11-27: Merge
1106. By Michael Foord on 2013-11-26: Add PCI group setting
1105. By Michael Foord on 2013-11-25: Fix circular import
1104. By Michael Foord on 2013-11-25: Fixes to the PCI validator
1103. By Michael Foord on 2013-11-25: PCI compliance validator
1102. By Michael Foord on 2013-11-25: Merge
1101. By Michael Foord on 2013-11-25: Remove and move old tests
1100. By Michael Foord on 2013-11-22: Clear oauth tokens when password changes
1099. By Michael Foord on 2013-11-22: Merge

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Adrian John San migel

Alexsandr

Corey Russell SR

Damian

Danny Tamez

Diane Montana

Frederico Miranda

Magdalena Shneider

Maximiliano Bertacchini

Michael Foord

Rick McMeen

William Grant

abdulhameed omair

alhawiti

fralogos32

marek duda

martin

to status/vote changes:

Harpianto,ANDI

rocket_69

Canonical SSO provider

Merge lp:~mfoord/canonical-identity-provider/keep-passwords into lp:canonical-identity-provider/release

Commit message

Description of the change

Unmerged revisions

Preview Diff

Subscribers

 === modified file 'src/identityprovider/admin.py'
 --- src/identityprovider/admin.py	2013-11-26 15:40:55 +0000
 +++ src/identityprovider/admin.py	2013-11-27 18:08:05 +0000
@@ -1,6 +1,8 @@
  # Copyright 2010,2013 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
++from datetime import datetime
++
  from django import forms
  from django.contrib import admin
  from django.contrib.auth.admin import UserAdmin
@@ -134,6 +136,7 @@
      class Meta:
          model = AccountPassword
++        exclude = ['when_created']
      def __init__(self, *args, **kwargs):
          initial = kwargs.get('initial', {})
@@ -143,6 +146,7 @@
  class AccountPasswordFormset(forms.models.BaseInlineFormSet):
++
      def __init__(self, *args, **kwargs):
          super(AccountPasswordFormset, self).__init__(*args, **kwargs)
          self.can_delete = False
@@ -260,6 +264,7 @@
                  instance = instances[0]
                  encrypted_password = make_password(password)
                  instance.password = encrypted_password
++                instance.when_created = datetime.utcnow()
                  instance.save()
          else:
              super(AccountAdmin, self).save_formset(
 === modified file 'src/identityprovider/management/commands/populate.py'
 --- src/identityprovider/management/commands/populate.py	2013-11-19 18:45:46 +0000
 +++ src/identityprovider/management/commands/populate.py	2013-11-27 18:08:05 +0000
@@ -167,14 +167,15 @@
      def gen_accountpassword(self, id):
          """Return a sequence representing an AccountPassword.
--        Currently (id, account, password)
++        Currently (id, account, password, when_created)
          """
          account_id = (id - self.ranges['accountpassword'][0] +
                        self.ranges['account'][0])
          plaintext = self.random_string(size=8)
          self.passwords.append(plaintext)
          password = make_password(plaintext)
--        return [str(id), str(account_id), password]
++        when_created = self.random_date()
++        return [str(id), str(account_id), password, when_created]
      def gen_lp_openididentifier(self, id):
          """ Returns a sequence representing an LPOpenIdIdentfier.
 === added file 'src/identityprovider/migrations/0017_keep_passwords.py'
 --- src/identityprovider/migrations/0017_keep_passwords.py	1970-01-01 00:00:00 +0000
 +++ src/identityprovider/migrations/0017_keep_passwords.py	2013-11-27 18:08:05 +0000
@@ -0,0 +1,236 @@
++# -*- coding: utf-8 -*-
++import datetime
++from south.db import db
++from south.v2 import SchemaMigration
++from django.db import models
++
++
++class Migration(SchemaMigration):
++
++    def forwards(self, orm):
++        # Removing unique constraint on 'AccountPassword', fields ['account']
++        db.delete_unique(u'accountpassword', ['account'])
++
++        # Adding field 'AccountPassword.when_created'
++        db.add_column(u'accountpassword', 'when_created',
++                      self.gf('django.db.models.fields.DateTimeField')(default=datetime.datetime.now),
++                      keep_default=False)
++
++
++        # Changing field 'AccountPassword.account'
++        db.alter_column(u'accountpassword', 'account', self.gf('django.db.models.fields.related.ForeignKey')(to=orm['identityprovider.Account'], db_column='account'))
++
++    def backwards(self, orm):
++        # Deleting field 'AccountPassword.when_created'
++        db.delete_column(u'accountpassword', 'when_created')
++
++
++        # Changing field 'AccountPassword.account'
++        db.alter_column(u'accountpassword', 'account', self.gf('django.db.models.fields.related.OneToOneField')(to=orm['identityprovider.Account'], unique=True, db_column='account'))
++        # Adding unique constraint on 'AccountPassword', fields ['account']
++        db.create_unique(u'accountpassword', ['account'])
++
++
++    models = {
++        'identityprovider.account': {
++            'Meta': {'object_name': 'Account', 'db_table': "u'account'"},
++            'creation_rationale': ('django.db.models.fields.IntegerField', [], {}),
++            'date_created': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.utcnow'}),
++            'date_status_set': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.utcnow'}),
++            'displayname': ('identityprovider.models.account.DisplaynameField', [], {}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'old_openid_identifier': ('django.db.models.fields.TextField', [], {'db_index': 'True', 'null': 'True', 'blank': 'True'}),
++            'openid_identifier': ('django.db.models.fields.TextField', [], {'default': "u'XrCnJdc'", 'unique': 'True'}),
++            'preferredlanguage': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'status': ('django.db.models.fields.IntegerField', [], {}),
++            'status_comment': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'twofactor_attempts': ('django.db.models.fields.SmallIntegerField', [], {'default': '0'}),
++            'twofactor_required': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
++            'warn_about_backup_device': ('django.db.models.fields.BooleanField', [], {'default': 'True'})
++        },
++        'identityprovider.accountpassword': {
++            'Meta': {'ordering': "['-when_created']", 'object_name': 'AccountPassword', 'db_table': "u'accountpassword'"},
++            'account': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['identityprovider.Account']", 'db_column': "'account'"}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'password': ('identityprovider.models.account.PasswordField', [], {}),
++            'when_created': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'})
++        },
++        'identityprovider.apiuser': {
++            'Meta': {'object_name': 'APIUser', 'db_table': "'api_user'"},
++            'created_at': ('django.db.models.fields.DateTimeField', [], {'auto_now_add': 'True', 'blank': 'True'}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'password': ('django.db.models.fields.CharField', [], {'max_length': '256'}),
++            'updated_at': ('django.db.models.fields.DateTimeField', [], {'auto_now': 'True', 'blank': 'True'}),
++            'username': ('django.db.models.fields.CharField', [], {'max_length': '256'})
++        },
++        'identityprovider.authenticationdevice': {
++            'Meta': {'ordering': "('id',)", 'object_name': 'AuthenticationDevice'},
++            'account': ('django.db.models.fields.related.ForeignKey', [], {'related_name': "'devices'", 'to': "orm['identityprovider.Account']"}),
++            'counter': ('django.db.models.fields.IntegerField', [], {'default': '0'}),
++            'device_type': ('django.db.models.fields.TextField', [], {'null': 'True'}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'key': ('django.db.models.fields.TextField', [], {}),
++            'name': ('django.db.models.fields.TextField', [], {})
++        },
++        'identityprovider.authtoken': {
++            'Meta': {'object_name': 'AuthToken', 'db_table': "u'authtoken'"},
++            'date_consumed': ('django.db.models.fields.DateTimeField', [], {'db_index': 'True', 'null': 'True', 'blank': 'True'}),
++            'date_created': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.utcnow', 'db_index': 'True', 'blank': 'True'}),
++            'displayname': ('identityprovider.models.account.DisplaynameField', [], {'null': 'True', 'blank': 'True'}),
++            'email': ('django.db.models.fields.TextField', [], {'db_index': 'True'}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'password': ('identityprovider.models.account.PasswordField', [], {'null': 'True', 'blank': 'True'}),
++            'redirection_url': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'requester': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['identityprovider.Account']", 'null': 'True', 'db_column': "'requester'", 'blank': 'True'}),
++            'requester_email': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'token': ('django.db.models.fields.TextField', [], {'unique': 'True'}),
++            'token_type': ('django.db.models.fields.IntegerField', [], {})
++        },
++        'identityprovider.emailaddress': {
++            'Meta': {'object_name': 'EmailAddress', 'db_table': "u'emailaddress'"},
++            'account': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['identityprovider.Account']", 'null': 'True', 'db_column': "'account'", 'blank': 'True'}),
++            'date_created': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.utcnow', 'blank': 'True'}),
++            'email': ('django.db.models.fields.TextField', [], {}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'lp_person': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'db_column': "'person'", 'blank': 'True'}),
++            'status': ('django.db.models.fields.IntegerField', [], {})
++        },
++        'identityprovider.invalidatedemailaddress': {
++            'Meta': {'object_name': 'InvalidatedEmailAddress', 'db_table': "u'invalidated_emailaddress'"},
++            'account': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['identityprovider.Account']", 'null': 'True', 'db_column': "'account'", 'blank': 'True'}),
++            'account_notified': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
++            'date_created': ('django.db.models.fields.DateTimeField', [], {'blank': 'True'}),
++            'date_invalidated': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.utcnow', 'null': 'True', 'blank': 'True'}),
++            'email': ('django.db.models.fields.TextField', [], {}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'})
++        },
++        'identityprovider.leakedcredential': {
++            'Meta': {'unique_together': "(('email', 'source'),)", 'object_name': 'LeakedCredential'},
++            'date_leaked': ('django.db.models.fields.DateTimeField', [], {'default': 'None'}),
++            'email': ('django.db.models.fields.EmailField', [], {'default': 'None', 'max_length': '254'}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'password': ('django.db.models.fields.TextField', [], {'default': 'None'}),
++            'source': ('django.db.models.fields.TextField', [], {'default': 'None'})
++        },
++        'identityprovider.lpopenididentifier': {
++            'Meta': {'object_name': 'LPOpenIdIdentifier', 'db_table': "u'lp_openididentifier'"},
++            'date_created': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.date.today'}),
++            'identifier': ('django.db.models.fields.TextField', [], {'unique': 'True', 'primary_key': 'True'}),
++            'lp_account': ('django.db.models.fields.IntegerField', [], {'db_column': "'account'", 'db_index': 'True'})
++        },
++        'identityprovider.openidassociation': {
++            'Meta': {'unique_together': "(('server_url', 'handle'),)", 'object_name': 'OpenIDAssociation', 'db_table': "u'openidassociation'"},
++            'assoc_type': ('django.db.models.fields.CharField', [], {'max_length': '64'}),
++            'handle': ('django.db.models.fields.CharField', [], {'max_length': '255', 'primary_key': 'True'}),
++            'issued': ('django.db.models.fields.IntegerField', [], {}),
++            'lifetime': ('django.db.models.fields.IntegerField', [], {}),
++            'secret': ('django.db.models.fields.TextField', [], {}),
++            'server_url': ('django.db.models.fields.CharField', [], {'max_length': '2047'})
++        },
++        'identityprovider.openidauthorization': {
++            'Meta': {'object_name': 'OpenIDAuthorization', 'db_table': "u'openidauthorization'"},
++            'account': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['identityprovider.Account']", 'db_column': "'account'"}),
++            'client_id': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'date_created': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.utcnow', 'blank': 'True'}),
++            'date_expires': ('django.db.models.fields.DateTimeField', [], {}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'trust_root': ('django.db.models.fields.TextField', [], {})
++        },
++        'identityprovider.openidnonce': {
++            'Meta': {'unique_together': "(('server_url', 'timestamp', 'salt'),)", 'object_name': 'OpenIDNonce', 'db_table': "'openidnonce'"},
++            'salt': ('django.db.models.fields.CharField', [], {'max_length': '40'}),
++            'server_url': ('django.db.models.fields.CharField', [], {'max_length': '2047', 'primary_key': 'True'}),
++            'timestamp': ('django.db.models.fields.IntegerField', [], {})
++        },
++        'identityprovider.openidrpconfig': {
++            'Meta': {'object_name': 'OpenIDRPConfig', 'db_table': "'ssoopenidrpconfig'"},
++            'allow_unverified': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
++            'allowed_ax': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'allowed_sreg': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'allowed_user_attribs': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'auto_authorize': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
++            'can_query_any_team': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
++            'creation_rationale': ('django.db.models.fields.IntegerField', [], {'default': '13'}),
++            'description': ('django.db.models.fields.TextField', [], {}),
++            'displayname': ('django.db.models.fields.TextField', [], {}),
++            'flag_twofactor': ('django.db.models.fields.CharField', [], {'max_length': '256', 'null': 'True', 'blank': 'True'}),
++            'ga_snippet': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'logo': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'prefer_canonical_email': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
++            'require_two_factor': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
++            'trust_root': ('django.db.models.fields.TextField', [], {'unique': 'True'})
++        },
++        'identityprovider.openidrpsummary': {
++            'Meta': {'unique_together': "(('account', 'trust_root', 'openid_identifier'),)", 'object_name': 'OpenIDRPSummary', 'db_table': "u'openidrpsummary'"},
++            'account': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['identityprovider.Account']", 'db_column': "'account'"}),
++            'approved_data': ('django.db.models.fields.TextField', [], {'default': "''", 'null': 'True', 'blank': 'True'}),
++            'date_created': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.utcnow', 'blank': 'True'}),
++            'date_last_used': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.utcnow', 'blank': 'True'}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'openid_identifier': ('django.db.models.fields.TextField', [], {'db_index': 'True'}),
++            'total_logins': ('django.db.models.fields.IntegerField', [], {'default': '1'}),
++            'trust_root': ('django.db.models.fields.TextField', [], {'db_index': 'True'})
++        },
++        'identityprovider.person': {
++            'Meta': {'object_name': 'Person', 'db_table': "u'lp_person'"},
++            'addressline1': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'addressline2': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'city': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'country': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'db_column': "'country'", 'blank': 'True'}),
++            'creation_comment': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'creation_rationale': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'blank': 'True'}),
++            'datecreated': ('django.db.models.fields.DateTimeField', [], {'auto_now_add': 'True', 'null': 'True', 'blank': 'True'}),
++            'defaultmembershipperiod': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'blank': 'True'}),
++            'defaultrenewalperiod': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'blank': 'True'}),
++            'displayname': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'fti': ('django.db.models.fields.TextField', [], {'null': 'True'}),
++            'hide_email_addresses': ('django.db.models.fields.NullBooleanField', [], {'default': 'False', 'null': 'True', 'blank': 'True'}),
++            'homepage_content': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'icon': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'db_column': "'icon'", 'blank': 'True'}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'language': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'db_column': "'language'", 'blank': 'True'}),
++            'logo': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'db_column': "'logo'", 'blank': 'True'}),
++            'lp_account': ('django.db.models.fields.IntegerField', [], {'unique': 'True', 'null': 'True', 'db_column': "'account'"}),
++            'mail_resumption_date': ('django.db.models.fields.DateField', [], {'null': 'True', 'blank': 'True'}),
++            'mailing_list_auto_subscribe_policy': ('django.db.models.fields.IntegerField', [], {'default': '1', 'null': 'True'}),
++            'mailing_list_receive_duplicates': ('django.db.models.fields.NullBooleanField', [], {'default': 'True', 'null': 'True', 'blank': 'True'}),
++            'merged': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'db_column': "'merged'", 'blank': 'True'}),
++            'mugshot': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'db_column': "'mugshot'", 'blank': 'True'}),
++            'name': ('django.db.models.fields.TextField', [], {'unique': 'True', 'null': 'True'}),
++            'organization': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'personal_standing': ('django.db.models.fields.IntegerField', [], {'default': '0', 'null': 'True'}),
++            'personal_standing_reason': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'phone': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'postcode': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'province': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'registrant': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'db_column': "'registrant'", 'blank': 'True'}),
++            'renewal_policy': ('django.db.models.fields.IntegerField', [], {'default': '10', 'null': 'True'}),
++            'subscriptionpolicy': ('django.db.models.fields.IntegerField', [], {'default': '1', 'null': 'True'}),
++            'teamdescription': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'teamowner': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'db_column': "'teamowner'", 'blank': 'True'}),
++            'verbose_bugnotifications': ('django.db.models.fields.NullBooleanField', [], {'default': 'False', 'null': 'True', 'blank': 'True'}),
++            'visibility': ('django.db.models.fields.IntegerField', [], {'default': '1', 'null': 'True'})
++        },
++        'identityprovider.personlocation': {
++            'Meta': {'object_name': 'PersonLocation', 'db_table': "u'lp_personlocation'"},
++            'date_created': ('django.db.models.fields.DateTimeField', [], {'null': 'True'}),
++            'date_last_modified': ('django.db.models.fields.DateTimeField', [], {'null': 'True'}),
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'last_modified_by': ('django.db.models.fields.IntegerField', [], {'null': 'True', 'db_column': "'last_modified_by'"}),
++            'latitude': ('django.db.models.fields.FloatField', [], {'null': 'True', 'blank': 'True'}),
++            'locked': ('django.db.models.fields.NullBooleanField', [], {'default': 'False', 'null': 'True', 'blank': 'True'}),
++            'longitude': ('django.db.models.fields.FloatField', [], {'null': 'True', 'blank': 'True'}),
++            'person': ('django.db.models.fields.related.OneToOneField', [], {'to': "orm['identityprovider.Person']", 'unique': 'True', 'null': 'True', 'db_column': "'person'"}),
++            'time_zone': ('django.db.models.fields.TextField', [], {'null': 'True', 'blank': 'True'}),
++            'visible': ('django.db.models.fields.NullBooleanField', [], {'default': 'True', 'null': 'True', 'blank': 'True'})
++        },
++        'identityprovider.teamparticipation': {
++            'Meta': {'unique_together': "(('team', 'person'),)", 'object_name': 'TeamParticipation', 'db_table': "u'lp_teamparticipation'"},
++            u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
++            'person': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['identityprovider.Person']", 'null': 'True', 'db_column': "'person'"}),
++            'team': ('django.db.models.fields.related.ForeignKey', [], {'related_name': "'team_participations'", 'null': 'True', 'db_column': "'team'", 'to': "orm['identityprovider.Person']"})
++        }
++    }
++
++    complete_apps = ['identityprovider']
 \ No newline at end of file
 === modified file 'src/identityprovider/models/account.py'
 --- src/identityprovider/models/account.py	2013-11-21 11:56:12 +0000
 +++ src/identityprovider/models/account.py	2013-11-27 18:08:05 +0000
@@ -120,7 +120,8 @@
          email.save()
          password = AccountPassword.objects.create(
              account=account,
--            password=password)
++            password=password,
++            when_created=datetime.utcnow())
          return account
      def get_by_email(self, email):
@@ -166,6 +167,10 @@
      objects = AccountManager.for_queryset_class(AccountQuerySet)()
++    @property
++    def accountpassword(self):
++        return self.accountpassword_set.latest()
++
      class Meta:
          app_label = 'identityprovider'
          db_table = u'account'
@@ -235,10 +240,14 @@
      def set_deleted(self):
          self.status = AccountStatus.DELETED
          self.emailaddress_set.delete()
--        self.accountpassword.password = 'invalid'
--        self.accountpassword.save()
          self.save()
++        for old_password in self.accountpassword_set.all()[1:]:
++            old_password.delete()
++        latest_password = self.accountpassword
++        latest_password.password = 'invalid'
++        latest_password.save()
++
          user, _ = User.objects.get_or_create(username=self.openid_identifier)
          user.is_active = False
          user.save()
@@ -407,16 +416,21 @@
      def set_password(self, password, salt=None):
          validate_password_policy(password, self)
--        try:
--            accountpassword = self.accountpassword
--        except AccountPassword.DoesNotExist:
--            accountpassword = AccountPassword(account=self, password='invalid')
++        accountpassword = AccountPassword(
++            account=self, password='invalid', when_created=datetime.utcnow())
          accountpassword.password = make_password(password, salt=salt)
          accountpassword.save()
          # clear the password reset flag
          self.need_password_reset = False
          self.save()
++        # clear all oauth tokens as password has changed
++        self.invalidate_oauth_tokens()
++
++        # delete all but the current and four previous
++        for old_password in self.accountpassword_set.all()[5:]:
++            old_password.delete()
++
      def get_and_delete_messages(self):
          return []
@@ -523,8 +537,9 @@
              try:
                  # by setting a plain text value we make sure its not going to
                  # match against anything
--                self.accountpassword.password = 'invalid'
--                self.accountpassword.save()
++                accountpassword = self.accountpassword
++                accountpassword.password = 'invalid'
++                accountpassword.save()
              except AccountPassword.DoesNotExist:
                  # no password, so nothing to reset
                  pass
@@ -557,14 +572,17 @@
  class AccountPassword(models.Model):
--    account = models.OneToOneField(Account, db_column='account')
++    account = models.ForeignKey(Account, db_column='account')
      password = PasswordField()
++    when_created = models.DateTimeField(default=datetime.now)
      class Meta:
          app_label = 'identityprovider'
          db_table = u'accountpassword'
          verbose_name = _('account password')
          verbose_name_plural = _('account passwords')
++        ordering = ['-when_created']
++        get_latest_by = 'when_created'
      def __unicode__(self):
          return _("Password for %s") % unicode(self.account)
 === modified file 'src/identityprovider/schema.py'
 --- src/identityprovider/schema.py	2013-11-12 13:44:06 +0000
 +++ src/identityprovider/schema.py	2013-11-27 18:08:05 +0000
@@ -172,6 +172,7 @@
          max_password_reset_tokens = IntOption(default=5)
          combo_url = StringOption(default="/combo/")
          combine = BoolOption(default=False)
++        pci_compliance_group = StringOption(default="pci-compliance")
      class static_urls(Section):
          support_form_url = StringOption()
 === modified file 'src/identityprovider/signals.py'
 --- src/identityprovider/signals.py	2013-05-16 13:24:00 +0000
 +++ src/identityprovider/signals.py	2013-11-27 18:08:05 +0000
@@ -4,13 +4,12 @@
  from django.dispatch import Signal
  from django.conf import settings
  from django.contrib.auth.signals import user_logged_in
--from django.db.models.signals import post_save
  from oauth.oauth import OAuthRequest
  from oauth_backend.models import Token
  from identityprovider.const import SESSION_TOKEN_KEY, SESSION_TOKEN_NAME
--from identityprovider.models import Account, AccountPassword
++from identityprovider.models import Account
  from identityprovider.utils import http_request_with_timeout
@@ -39,17 +38,6 @@
  application_token_invalidated.connect(account_change_notify)
--def invalidate_account_oauth_tokens(sender, instance, created, **kwargs):
--    if not created:
--        # invalidate oauth tokens on password change
--        instance.account.invalidate_oauth_tokens()
--
--
--post_save.connect(
--    invalidate_account_oauth_tokens, sender=AccountPassword,
--    dispatch_uid='identityprovider.AccountPassword.post_save')
--
--
  def set_session_oauth_token(sender, user, request, **kwargs):
      # user is an Account instance here
 === modified file 'src/identityprovider/templates/nexus/admin/password_change_form.html'
 --- src/identityprovider/templates/nexus/admin/password_change_form.html	2013-05-15 13:39:40 +0000
 +++ src/identityprovider/templates/nexus/admin/password_change_form.html	2013-11-27 18:08:05 +0000
@@ -45,7 +45,6 @@
          <div class="submit-row">
              <input type="submit" value="{% trans 'Change my password' %}" class="default" />
          </div>
--
          <script type="text/javascript">document.getElementById("id_old_password").focus();</script>
          </div>
      </form>
 === modified file 'src/identityprovider/tests/test_admin.py'
 --- src/identityprovider/tests/test_admin.py	2013-10-22 19:23:13 +0000
 +++ src/identityprovider/tests/test_admin.py	2013-11-27 18:08:05 +0000
@@ -123,10 +123,10 @@
              'status': str(self.account.status),
              'displayname': self.account.displayname,
              'openid_identifier': self.account.openid_identifier,
--            'accountpassword-TOTAL_FORMS': '1',
--            'accountpassword-INITIAL_FORMS': '1',
--            'accountpassword-0-id': str(account_id),
--            'accountpassword-0-account': str(account_id),
++            'accountpassword_set-TOTAL_FORMS': '1',
++            'accountpassword_set-INITIAL_FORMS': '1',
++            'accountpassword_set-0-id': str(account_id),
++            'accountpassword_set-0-account': str(account_id),
              'emailaddress_set-TOTAL_FORMS': '1',
              'emailaddress_set-INITIAL_FORMS': '1',
              'emailaddress_set-0-id': str(email.id),
@@ -150,7 +150,7 @@
          new_password = 'blah'
          parameters = {
              'emailaddress_set-0-email': new_email,
--            'accountpassword-0-password': new_password,
++            'accountpassword_set-0-password': new_password,
+         }
          self.post_account_change(**parameters)
@@ -244,8 +244,8 @@
          self.assertEqual(r.status_code, 200)
          self.assertContains(r,
                              '<input type="password" '
--                            'name="accountpassword-0-password" '
--                            'id="id_accountpassword-0-password">',
++                            'name="accountpassword_set-0-password" '
++                            'id="id_accountpassword_set-0-password">',
                              html=True)
      def test_add_api_user(self):
 === modified file 'src/identityprovider/tests/test_models_account.py'
 --- src/identityprovider/tests/test_models_account.py	2013-11-21 13:15:42 +0000
 +++ src/identityprovider/tests/test_models_account.py	2013-11-27 18:08:05 +0000
@@ -425,6 +425,13 @@
          self.assertNotEqual(account.accountpassword.password,
                              original_password)
++    def test_password_change_deletes_tokns(self):
++        account = self.factory.make_account()
++        self.factory.make_oauth_token(account=account)
++
++        account.set_password('fooBar123')
++        self.assertEqual(account.oauth_tokens().count(), 0)
++
      def test_sets_password_with_django_cypher(self):
          password = 'Some password from 2013'
          account = self.factory.make_account()
 === modified file 'src/identityprovider/tests/test_signals.py'
 --- src/identityprovider/tests/test_signals.py	2013-08-16 15:12:35 +0000
 +++ src/identityprovider/tests/test_signals.py	2013-11-27 18:08:05 +0000
@@ -5,15 +5,12 @@
  from django.contrib.auth.signals import user_logged_in
  from django.core.urlresolvers import reverse
--from django.db.models.signals import post_save
  from oauth_backend.models import Token
  from identityprovider.const import SESSION_TOKEN_KEY, SESSION_TOKEN_NAME
--from identityprovider.signals import (
--    invalidate_account_oauth_tokens,
--    set_session_oauth_token,
--)
++from identityprovider.signals import set_session_oauth_token
++
  from identityprovider.readonly import ReadOnlyManager
  from identityprovider.tests import DEFAULT_USER_PASSWORD
  from identityprovider.tests.utils import (
@@ -77,18 +74,3 @@
          self.client.login(username=self.email, password=DEFAULT_USER_PASSWORD)
          self.assertEqual(
              self.client.session.get(SESSION_TOKEN_KEY), token.token)
--
--
--class InvalidateOauthTokenOnPasswordChangeTestCase(SSOBaseTestCase):
--
--    def test_signal_connected(self):
--        # r[1] is a weak ref
--        registered_functions = [r[1]() for r in post_save.receivers]
--        self.assertIn(invalidate_account_oauth_tokens, registered_functions)
--
--    def test_listener_on_password_change(self):
--        account = self.factory.make_account()
--        self.factory.make_oauth_token(account=account)
--
--        account.set_password('fooBar123')
--        self.assertEqual(account.oauth_tokens().count(), 0)
 === modified file 'src/identityprovider/validators.py'
 --- src/identityprovider/validators.py	2013-09-12 14:45:21 +0000
 +++ src/identityprovider/validators.py	2013-11-27 18:08:05 +0000
@@ -1,6 +1,7 @@
  from contextlib import contextmanager
  import re
++from django.conf import settings
  from django.core.exceptions import ValidationError
  from django.utils.translation import ugettext_lazy as _
@@ -11,6 +12,10 @@
      "Password must consist of lower- and upper-case characters, and at "
      "least one digit."
+ )
++PCI_PASSWORD_POLICY_ERROR = _(
++    "Your password matches a previous passowrd. PCI compliance rules "
++    "forbid the reuse of recent passwords."
++)
  class BasicValidator(object):
@@ -88,7 +93,37 @@
              raise ValidationError(CANONICAL_PASSWORD_POLICY_ERROR)
--_validators = [CanonicalValidator(), BasicValidator()]
++class PCIValidator(BasicValidator):
++    """Apply PCI compliance password rules"""
++
++    def match(self, account):
++        """Return True if the account is in the 'PCI' team."""
++        # store the account
++        self.account = account
++        return (account is not None and
++                account.person_in_team(settings.PCI_COMLIANCE_GROUP))
++
++    def validate(self, password):
++        """Check the new password doesn't match any of the last four
++        passwords."""
++        super(CanonicalValidator, self).validate(password)
++
++        # import here to avoid circular imports
++        from identityprovider.auth import LaunchpadBackend
++
++        account = self.account
++        backend = LaunchpadBackend()
++        for accountpassword in account.accountpassword_set.all()[1:]:
++            try:
++                backend._validate_raw_password(
++                    account.accountpassword, password, update=False)
++            except ValidationError:
++                pass
++            else:
++                raise ValidationError(PCI_PASSWORD_POLICY_ERROR)
++
++
++_validators = [CanonicalValidator(), BasicValidator(), PCIValidator()]
  def validate_password_policy(password, account=None):