Authentication policy fixes (!184) · Merge Requests · nexedi / erp5

Authentication policy fixes

This MR contains fixes for two bugs for erp5_authentication_policy:

passport expiration feature was only working if getPreferredNumberOfLastPasswordToCheck was set, because password events are created only in that case. So the case where we only have a maximum password duration was not working.
automatic password request was not working, a bug innotifyPasswordExpired script made that the credential request was not created. That problem remained unoticed, partially because PAS catch errors and log them with level debug only. We may want to change PAS to log with a higher log level.

At the same time, while introducing some new tests for that first problem, I noticed that tests were not properly isolated, for example test_05_PasswordExpire was only working when running after test_02_PasswordHistory, because test_02_PasswordHistory was enabling this password event logging, so I also refactored the tests a bit so that they don't depend on others so much. This way we can use --run-only or add a new test without breaking others.

This MR contains fixes for  two bugs for erp5_authentication_policy:

* passport expiration feature was only working if  `getPreferredNumberOfLastPasswordToCheck` was set, because password events are created only in that case. So the case where we only have a maximum password duration was not working.
* automatic password request was not working, a bug in`notifyPasswordExpired` script made that the credential request was not created. That problem remained unoticed, partially because PAS catch errors and log them with [level debug only](
 https://github.com/zopefoundation/Products.PluggableAuthService/blob/0fc22e9c472ba514470a9b205c945eb62df12205/Products/PluggableAuthService/PluggableAuthService.py#L663 ). We may want to change PAS to log with a higher log level.

At the same time, while introducing some new tests for that first problem, I noticed that tests were not properly isolated, for example `test_05_PasswordExpire` was only working when running after `test_02_PasswordHistory`, because `test_02_PasswordHistory` was enabling this password event logging, so I also refactored the tests a bit so that they don't depend on others so much. This way we can use `--run-only` or add a new test without breaking others.