misc: set unusable password on federated users (#48136)

src/authentic2/custom_user/migrations/0021_set_unusable_password.py

@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.29 on 2020-11-02 21:52
+from __future__ import unicode_literals
+
+
+from django.db import migrations
+from django.contrib.auth.models import AbstractUser
+
+
+def noop(apps, schema_editor):
+    pass
+
+
+def set_unusable_password(apps, schema_editor):
+    User = apps.get_model('custom_user', 'User')
+    for user in User.objects.filter(password=''):
+        AbstractUser.set_unusable_password(user)
+        user.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('custom_user', '0020_deleteduser'),
+    ]
+
+    operations = [
+        migrations.RunPython(set_unusable_password, noop),
+    ]

src/authentic2_auth_fc/backends.py

@@ -51,6 +51,7 @@ class FcBackend(ModelBackend):
             if not user and app_settings.create:
                 User = get_user_model()
                 user = User.objects.create(ou=get_default_ou())
+                user.set_unusable_password()
                 try:
                     models.FcAccount.objects.create(
                         user=user,

src/authentic2_auth_oidc/backends.py

@@ -241,6 +241,7 @@ class OIDCBackend(ModelBackend):
                     pass
                 if not user:
                     user = User.objects.create(ou=provider.ou)
+                    user.set_unusable_password()
                     created = True
                 oidc_account, created = models.OIDCAccount.objects.get_or_create(
                     provider=provider,

src/authentic2_auth_saml/adapters.py

@@ -65,7 +65,10 @@ class SamlConditionContextProxy(object):
 
 class AuthenticAdapter(DefaultAdapter):
     def create_user(self, user_class):
-        return user_class.objects.create()
+        user = user_class()
+        user.set_unusable_password()
+        user.save()
+        return user
 
     def finish_create_user(self, idp, saml_attributes, user):
         try:

tests/auth_fc/test_auth_fc.py

@@ -203,7 +203,9 @@ def test_requests_proxies_support(settings, app):
 
 
 def test_no_password_with_fc_account_can_reset_password(app, db, mailoutbox):
-    user = User.objects.create(email='john.doe@example.com')
+    user = User(email='john.doe@example.com')
+    user.set_unusable_password()
+    user.save()
     # No FC account, forbidden to set a password
     response = app.get('/login/')
     response = response.click('Reset it!').maybe_follow()

tests/test_migrations.py

@@ -16,6 +16,7 @@
 
 import mock
 
+from django.contrib.auth.models import AbstractUser
 from django.db.utils import ProgrammingError
 
 
@@ -49,3 +50,16 @@ def test_migration_0028_trigram_unaccent_index(transactional_db, migration):
     with mock.patch('django.db.backends.postgresql.schema.DatabaseSchemaEditor.execute') as mocked:
         mocked.side_effect = programming_error
         migration.apply([('authentic2', '0028_trigram_unaccent_index')])
+
+
+def test_migration_custom_user_0021_set_unusable_password(transactional_db, migration):
+    old_apps = migration.before([('custom_user', '0020_deleteduser')])
+
+    User = old_apps.get_model('custom_user', 'User')
+    user = User.objects.create()
+    assert user.password == ''
+
+    new_apps = migration.apply([('custom_user', '0021_set_unusable_password')])
+    User = new_apps.get_model('custom_user', 'User')
+    user = User.objects.get()
+    assert not AbstractUser.has_usable_password(user)