issue2550949: Rate limit password guesses/login attempts. Generic rate limit mechanism added. Deployed for web page logins. Default is 3 login attempts/minute for a user. After which one login attempt every 20 seconds can be done. Uses gcra algorithm so all I need to store is a username and timestamp in the one time key database. This does mean I don't have a list of all failed login attempts as part of the rate limiter. Set up config setting as well so admin can tune the rate. Maybe 1 every 10 seconds is ok at a site with poor typists who need 6 attempts to get the password right 8-). The gcra method can also be used to limit the rest and xmlrpc interfaces if needed. The mechanism I added also supplies a status method that calculates the expected values for http headers returned as part of rate limiting. Also tests added to test all code paths I hope.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
 <head>
  <link rel="stylesheet" type="text/css" href="@@file/style.css" />
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8;" />
  <meta name="robots" content="noindex, nofollow" />
  <title tal:content="string:Roundup Calendar"></title>
  <script language="Javascript"
          type="text/javascript"
          tal:content="structure string:
          // this is the name of the field in the original form that we're working on
          form  = window.opener.document.${request/form/form/value};
          field = '${request/form/property/value}';" >
  </script>
 </head>
 <body class="body"
       tal:content="structure python:utils.html_calendar(request)">
 </body>
</html>