MAGETWO-68794: Password policy does not work correctly

Author: viktym

app/code/Magento/User/Model/Backend/Config/ObserverConfig.php

@@ -35,11 +35,11 @@ public function __construct(
      */
     public function _isLatestPasswordExpired($latestPassword)
     {
-        if (!isset($latestPassword['expires']) || $this->getAdminPasswordLifetime() == 0) {
+        if (!isset($latestPassword['last_updated']) || $this->getAdminPasswordLifetime() == 0) {
             return false;
-        } else {
-            return (int)$latestPassword['expires'] < time();
         }
+
+        return (int)$latestPassword['last_updated'] + $this->getAdminPasswordLifetime() < time();
     }
 
     /**

app/code/Magento/User/Model/ResourceModel/User.php

@@ -9,6 +9,9 @@
 use Magento\Authorization\Model\Acl\Role\Group as RoleGroup;
 use Magento\Authorization\Model\Acl\Role\User as RoleUser;
 use Magento\Authorization\Model\UserContextInterface;
+use Magento\Framework\Acl\Data\CacheInterface;
+use Magento\Framework\App\ObjectManager;
+use Magento\User\Model\Backend\Config\ObserverConfig;
 use Magento\User\Model\User as ModelUser;
 
 /**
@@ -32,32 +35,38 @@ class User extends \Magento\Framework\Model\ResourceModel\Db\AbstractDb
     protected $dateTime;
 
     /**
-     * @var \Magento\Framework\Acl\Data\CacheInterface
+     * @var CacheInterface
      */
     private $aclDataCache;
 
+    /**
+     * @var ObserverConfig|null
+     */
+    private $observerConfig;
+
     /**
      * Construct
      *
      * @param \Magento\Framework\Model\ResourceModel\Db\Context $context
      * @param \Magento\Authorization\Model\RoleFactory $roleFactory
      * @param \Magento\Framework\Stdlib\DateTime $dateTime
      * @param string $connectionName
-     * @param \Magento\Framework\Acl\Data\CacheInterface $aclDataCache
+     * @param CacheInterface $aclDataCache
+     * @param ObserverConfig|null $observerConfig
      */
     public function __construct(
         \Magento\Framework\Model\ResourceModel\Db\Context $context,
         \Magento\Authorization\Model\RoleFactory $roleFactory,
         \Magento\Framework\Stdlib\DateTime $dateTime,
         $connectionName = null,
-        \Magento\Framework\Acl\Data\CacheInterface $aclDataCache = null
+        CacheInterface $aclDataCache = null,
+        ObserverConfig $observerConfig = null
     ) {
         parent::__construct($context, $connectionName);
         $this->_roleFactory = $roleFactory;
         $this->dateTime = $dateTime;
-        $this->aclDataCache = $aclDataCache ?: \Magento\Framework\App\ObjectManager::getInstance()->get(
-            \Magento\Framework\Acl\Data\CacheInterface::class
-        );
+        $this->aclDataCache = $aclDataCache ?: ObjectManager::getInstance()->get(CacheInterface::class);
+        $this->observerConfig = $observerConfig ?: ObjectManager::getInstance()->get(ObserverConfig::class);
     }
 
     /**
@@ -559,12 +568,14 @@ public function getOldPasswords($user, $retainLimit = 4)
                 ->select()
                 ->from($table, 'password_id')
                 ->where('user_id = :user_id')
-                ->order('expires ' . \Magento\Framework\DB\Select::SQL_DESC)
                 ->order('password_id ' . \Magento\Framework\DB\Select::SQL_DESC)
                 ->limit($retainLimit),
             [':user_id' => $userId]
         );
-        $where = ['user_id = ?' => $userId, 'expires <= ?' => time()];
+        $where = [
+            'user_id = ?' => $userId,
+            'last_updated <= ?' => time() - $this->observerConfig->getAdminPasswordLifetime()
+        ];
         if ($retainPasswordIds) {
             $where['password_id NOT IN (?)'] = $retainPasswordIds;
         }
@@ -585,19 +596,21 @@ public function getOldPasswords($user, $retainLimit = 4)
      *
      * @param ModelUser $user
      * @param string $passwordHash
-     * @param int $lifetime
+     * @param int $lifetime deprecated, password expiration date doesn't save anymore,
+     *        it is calculated in runtime based on password created date and lifetime config value
      * @return void
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     *
+     * @see \Magento\User\Model\Backend\Config\ObserverConfig::_isLatestPasswordExpired()
      */
-    public function trackPassword($user, $passwordHash, $lifetime)
+    public function trackPassword($user, $passwordHash, $lifetime = 0)
     {
-        $now = time();
         $this->getConnection()->insert(
             $this->getTable('admin_passwords'),
             [
                 'user_id' => $user->getId(),
                 'password_hash' => $passwordHash,
-                'expires' => $now + $lifetime,
-                'last_updated' => $now
+                'last_updated' => time()
             ]
         );
     }

app/code/Magento/User/Observer/Backend/TrackAdminNewPasswordObserver.php

@@ -72,9 +72,8 @@ public function execute(EventObserver $observer)
         $user = $observer->getEvent()->getObject();
         if ($user->getId()) {
             $passwordHash = $user->getPassword();
-            $passwordLifetime = $this->observerConfig->getAdminPasswordLifetime();
-            if ($passwordLifetime && $passwordHash && !$user->getForceNewPassword()) {
-                $this->userResource->trackPassword($user, $passwordHash, $passwordLifetime);
+            if ($passwordHash && !$user->getForceNewPassword()) {
+                $this->userResource->trackPassword($user, $passwordHash);
                 $this->messageManager->getMessages()->deleteMessageByIdentifier('magento_user_password_expired');
                 $this->authSession->unsPciAdminUserIsPasswordExpired();
             }