issue2550949: Rate limit password guesses/login attempts. Generic rate limit mechanism added. Deployed for web page logins. Default is 3 login attempts/minute for a user. After which one login attempt every 20 seconds can be done. Uses gcra algorithm so all I need to store is a username and timestamp in the one time key database. This does mean I don't have a list of all failed login attempts as part of the rate limiter. Set up config setting as well so admin can tune the rate. Maybe 1 every 10 seconds is ok at a site with poor typists who need 6 attempts to get the password right 8-). The gcra method can also be used to limit the rest and xmlrpc interfaces if needed. The mechanism I added also supplies a status method that calculates the expected values for http headers returned as part of rate limiting. Also tests added to test all code paths I hope.

class StringFragmentCmpHelper:
    def compareStringFragments(self, s, fragments):
        """Compare a string agains a list of fragments where a tuple denotes a
        set of alternatives
        """
        pos = 0
        for frag in fragments:
            if type(frag) != tuple:
                self.assertEqual(s[pos:pos + len(frag)], frag)
                pos += len(frag)
            else:
                found = False
                for alt in frag:
                    if s[pos:pos + len(alt)] == alt:
                        pos += len(alt)
                        found = True
                        break

                if not found:
                    l = max(map(len, frag))
                    raise AssertionError('%s != %s' %
                                         (repr(s[pos:pos + l]), str(frag)))
        self.assertEqual(s[pos:], '')