import os
import hashlib
import unittest
import nose.tools as nt
import passlib.hash as plh
import ckan.new_tests.factories as factories
import ckan.new_tests.helpers as helpers
import ckan.model as model
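class TestPassword(unittest.TestCase):
    '''Tests for password hashing and hash upgrading on ``model.User``.

    Two legacy formats are covered: the old salted-SHA1 scheme (recreated by
    :meth:`_set_password`) and pbkdf2_sha512 hashes created with fewer rounds
    and a smaller salt than passlib's current defaults.  In both cases a
    successful ``validate_password`` call must transparently re-hash the
    stored value with the current pbkdf2_sha512 parameters, while a failed
    validation must leave the stored hash untouched.
    '''

    @classmethod
    def teardown_class(cls):
        # Full rebuild, not just a reset, once the whole class has run.
        model.repo.rebuild_db()

    def setup(self):
        # Every test creates its own user; start from a clean database.
        helpers.reset_db()

    def teardown(self):
        helpers.reset_db()

    def _set_password(self, password):
        '''Copy of the old password hashing function

        This is needed to create old password hashes in the tests.

        The legacy scheme is ``hexsalt + sha1(password + hexsalt)``: a
        40-character hex salt (SHA1 of 60 random bytes) followed by the
        40-character hex SHA1 digest.  Unicode passwords are reduced to
        ASCII with ``'ignore'``, so non-ASCII characters were silently
        dropped before hashing; the unicode upgrade test below relies on
        this to show that the new scheme does keep them.

        :param password: plaintext password (``str`` or ``unicode``)
        :returns: the legacy hash as ``unicode``
        '''
        if isinstance(password, unicode):
            password_8bit = password.encode('ascii', 'ignore')
        else:
            password_8bit = password
        salt = hashlib.sha1(os.urandom(60))
        # Named ``digest`` rather than ``hash`` so the builtin is not shadowed.
        digest = hashlib.sha1(password_8bit + salt.hexdigest())
        hashed_password = salt.hexdigest() + digest.hexdigest()
        if not isinstance(hashed_password, unicode):
            hashed_password = hashed_password.decode('utf-8')
        return hashed_password

    def test_upgrade_from_sha(self):
        '''A correct password against a legacy SHA1 hash re-hashes it as
        pbkdf2_sha512.'''
        user = factories.User()
        user_obj = model.User.by_name(user['name'])
        # setup our user with an old password hash
        old_hash = self._set_password('testpass')
        user_obj._password = old_hash
        user_obj.save()
        # Assert the result (as the other upgrade tests do) so a validation
        # failure is reported directly rather than as a confusing
        # "hash not upgraded" failure on the next line.
        nt.assert_true(user_obj.validate_password('testpass'))
        nt.assert_not_equals(old_hash, user_obj.password)
        nt.assert_true(plh.pbkdf2_sha512.identify(user_obj.password))
        nt.assert_true(plh.pbkdf2_sha512.verify('testpass', user_obj.password))

    def test_upgrade_from_sha_with_unicode_password(self):
        '''Upgrading from a legacy hash of a unicode password works, and the
        new hash is bound to the full unicode password.'''
        user = factories.User()
        password = u'testpassword\xc2\xa0'
        user_obj = model.User.by_name(user['name'])
        # setup our user with an old password hash
        old_hash = self._set_password(password)
        user_obj._password = old_hash
        user_obj.save()
        nt.assert_true(user_obj.validate_password(password))
        nt.assert_not_equals(old_hash, user_obj.password)
        nt.assert_true(plh.pbkdf2_sha512.identify(user_obj.password))
        nt.assert_true(plh.pbkdf2_sha512.verify(password, user_obj.password))
        # check that we now allow unicode characters: the legacy scheme
        # dropped the trailing non-ASCII characters, so the ASCII prefix alone
        # used to be accepted; it must not verify against the new hash.
        nt.assert_false(plh.pbkdf2_sha512.verify('testpassword',
                                                 user_obj.password))

    def test_upgrade_from_sha_with_wrong_password_fails_to_upgrade(self):
        '''A wrong password must leave the legacy hash untouched.

        Only a successful validation has a verified plaintext to re-hash;
        a failed attempt must never be able to alter stored credentials.
        '''
        user = factories.User()
        password = u'testpassword'
        user_obj = model.User.by_name(user['name'])
        old_hash = self._set_password(password)
        user_obj._password = old_hash
        user_obj.save()
        nt.assert_false(user_obj.validate_password('wrongpass'))
        nt.assert_equals(old_hash, user_obj.password)
        nt.assert_false(plh.pbkdf2_sha512.identify(user_obj.password))

    def test_upgrade_from_pbkdf2_with_less_rounds(self):
        '''set up a pbkdf key with less than the default rounds

        If the number of default_rounds is increased in a later version of
        passlib, ckan should upgrade the password hashes for people without
        involvement from users'''
        user = factories.User()
        password = u'testpassword'
        user_obj = model.User.by_name(user['name'])
        # setup hash with salt/rounds less than the default
        old_hash = plh.pbkdf2_sha512.encrypt(password, salt_size=2, rounds=10)
        user_obj._password = old_hash
        user_obj.save()
        nt.assert_true(user_obj.validate_password(password.encode('utf-8')))
        # check that the hash has been updated
        nt.assert_not_equals(old_hash, user_obj.password)
        new_hash = plh.pbkdf2_sha512.from_string(user_obj.password)
        # Both "default > weak value" checks guard the equality checks that
        # follow: if passlib's defaults were ever as low as the values used
        # above, equality could not distinguish an upgraded hash from the
        # deliberately weak one.  (The salt-size guard previously passed
        # ``2`` as the assertion *message*, so it could never fail.)
        nt.assert_true(plh.pbkdf2_sha512.default_rounds > 10)
        nt.assert_equals(plh.pbkdf2_sha512.default_rounds, new_hash.rounds)
        nt.assert_true(plh.pbkdf2_sha512.default_salt_size > 2)
        nt.assert_equals(plh.pbkdf2_sha512.default_salt_size,
                         len(new_hash.salt))
        nt.assert_true(plh.pbkdf2_sha512.verify(password, user_obj.password))

    def test_upgrade_from_pbkdf2_fails_with_wrong_password(self):
        '''A wrong password must not re-hash a weak pbkdf2_sha512 hash.'''
        user = factories.User()
        password = u'testpassword'
        user_obj = model.User.by_name(user['name'])
        # setup hash with salt/rounds less than the default
        old_hash = plh.pbkdf2_sha512.encrypt(password, salt_size=2, rounds=10)
        user_obj._password = old_hash
        user_obj.save()
        nt.assert_false(user_obj.validate_password('wrong_pass'))
        # check that the hash has _not_ been updated
        nt.assert_equals(old_hash, user_obj.password)

    def test_pbkdf2_password_auth(self):
        '''A password set through the current ``_set_password`` validates.'''
        user = factories.User()
        password = u'testpassword'
        user_obj = model.User.by_name(user['name'])
        user_obj._set_password(password)
        user_obj.save()
        nt.assert_true(user_obj.validate_password(password))

    def test_pbkdf2_password_auth_unicode(self):
        '''Same as above for a password containing non-ASCII characters.'''
        user = factories.User()
        password = u'testpassword\xc2\xa0'
        user_obj = model.User.by_name(user['name'])
        user_obj._set_password(password)
        user_obj.save()
        nt.assert_true(user_obj.validate_password(password))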