def test_check_password_MD5k():
    """check_password accepts the right secret and rejects a wrong one for MD5k entries."""
    stored = crypt_password("secret", "MD5k")
    assert check_password(stored, "secret"), "Password verification failed"

    # A hash of a different secret must not verify against "secret".
    other = crypt_password("geheim", "MD5k")
    verdict = check_password(other, "secret")
    assert verdict == False, "Password verification passed for wrong password"
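    def handle_reset(self, id):
        """Consume a password-reset token and store the user's new password.

        ``id`` is the reset token taken from the URL. A missing or unknown
        token, or a token whose user no longer exists, is answered with 404
        so the endpoint does not reveal which tokens were ever issued. The
        token row is deleted as soon as it is used, making it single-use.
        """
        if id is None:
            abort(404)

        s = Session()
        reset_data = s.query(ResetData).filter_by(token=unicode(id)).first()
        if reset_data is None:
            abort(404)

        # NOTE(review): nothing here checks the token's age; if ResetData
        # records a creation time, reject tokens older than a short window.

        # The user may have been removed between requesting the reset and
        # submitting this form; drop the orphaned token and 404.
        user = s.query(User).filter_by(email=reset_data.email).first()
        if user is None:
            s.delete(reset_data)
            s.commit()  # was s.commmit(): AttributeError before the abort
            abort(404)

        # Default to u"" rather than unicode(None) == u"None": a request that
        # omits both fields would otherwise set the password to "None".
        password = unicode(request.params.get('new_password', u''))
        password_conf = unicode(request.params.get('new_password_conf', u''))

        if password != password_conf:
            session['messages'] = ["Password mismatch"]
            session.save()
            redirect_to(action='reset', id=reset_data.token)
            return  # defensive: never fall through if redirect_to did not raise
        if password == u"":
            session['messages'] = ["Password may not be empty"]
            session.save()
            redirect_to(action='reset', id=reset_data.token)
            return

        user.password = crypt_password(password)
        s.add(user)
        # Invalidate the token in the same transaction as the password change.
        s.delete(reset_data)
        s.commit()

        redirect_to(action='reset_complete', id=None)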
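    def handle_reset(self, id):
        """Consume a password-reset token and store the user's new password.

        ``id`` is the reset token taken from the URL. A missing or unknown
        token, or a token whose user no longer exists, is answered with 404
        so the endpoint does not reveal which tokens were ever issued. The
        token row is deleted as soon as it is used, making it single-use.
        """
        if id is None:
            abort(404)

        s = Session()
        reset_data = s.query(ResetData).filter_by(token=unicode(id)).first()
        if reset_data is None:
            abort(404)

        # NOTE(review): nothing here checks the token's age; if ResetData
        # records a creation time, reject tokens older than a short window.

        # The user may have been removed between requesting the reset and
        # submitting this form; drop the orphaned token and 404.
        user = s.query(User).filter_by(email=reset_data.email).first()
        if user is None:
            s.delete(reset_data)
            s.commit()  # was s.commmit(): AttributeError before the abort
            abort(404)

        # Default to u"" rather than unicode(None) == u"None": a request that
        # omits both fields would otherwise set the password to "None".
        password = unicode(request.params.get('new_password', u''))
        password_conf = unicode(request.params.get('new_password_conf', u''))

        if password != password_conf:
            session['messages'] = ["Password mismatch"]
            session.save()
            redirect_to(action='reset', id=reset_data.token)
            return  # defensive: never fall through if redirect_to did not raise
        if password == u"":
            session['messages'] = ["Password may not be empty"]
            session.save()
            redirect_to(action='reset', id=reset_data.token)
            return

        user.password = crypt_password(password)
        s.add(user)
        # Invalidate the token in the same transaction as the password change.
        s.delete(reset_data)
        s.commit()

        redirect_to(action='reset_complete', id=None)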
def test_password_MD5():
    """An MD5 entry is "{MD5}" + salt + hex(md5(salt + password)); pin that layout."""
    method, salt, crypt = parse_pass(crypt_password("secret", "MD5"))
    assert method == "{MD5}", "method is %s, not {MD5}" % method
    assert salt is not None, "salt is None"

    # Recompute the digest exactly as the scheme does: salt first, then the
    # password. (Salted MD5 is a legacy scheme; this only pins the format.)
    expected = hashlib.md5(salt)
    expected.update(u"secret")
    assert crypt == expected.hexdigest(), "Crypted password did not match"
def test_password_MD5():
    """An MD5 entry is "{MD5}" + salt + hex(md5(salt + password)); pin that layout."""
    method, salt, crypt = parse_pass(crypt_password("secret", "MD5"))
    assert method == "{MD5}", "method is %s, not {MD5}" % method
    assert salt is not None, "salt is None"

    # Recompute the digest exactly as the scheme does: salt first, then the
    # password. (Salted MD5 is a legacy scheme; this only pins the format.)
    expected = hashlib.md5(salt)
    expected.update(u"secret")
    assert crypt == expected.hexdigest(), "Crypted password did not match"
    def test_login(self):
        """Drive the login form through: unknown user, disabled account, wrong and right password."""
        def form_with(res, field):
            # Last form carrying `field` wins, exactly like the original loop.
            found = None
            for key in res.forms.keys():
                if field in res.forms[key].fields:
                    found = res.forms[key]
            return found

        def attempt(form):
            # NOTE(review): the password literal appears masked ("******") in
            # this listing; the wrong and right attempts presumably differed.
            form['email'] = "test@localhost"
            form['password'] = "******"
            return form.submit().follow()

        page = self.app.get(url_for(controller='auth', action='login', id=None))
        form = form_with(page, 'email')
        self.assertNotEqual(form, None)

        # No such account yet: the generic mismatch message is shown.
        attempt(form).mustcontain("Password mismatch")

        s = model.Session()
        # Create the user as "inactive" first.
        user = model.User(u"test@localhost", crypt_password("secret"), False)
        data = model.UserData(u"Test Testus", u"test", u"test", u"test")
        data.user = user
        s.save(user)
        s.save(data)
        s.commit()

        # Disabled users must be refused.
        attempt(form).mustcontain("Account disabled")

        user.active = True
        s.update(user)
        s.commit()

        attempt(form).mustcontain("Password mismatch")

        res = attempt(form)
        res.mustcontain("Welcome test@localhost")
    def test_index(self):
        """A logged-in active user sees exactly one account on the index: their own."""
        s = model.Session()
        # Created directly as active so no activation round-trip is needed.
        user = model.User(u"test@localhost", crypt_password('secret'), True)
        data = model.UserData(u"Test Testus", u"test", u"test", u"test")
        data.user = user
        for obj in (user, data):
            s.save(obj)
        s.commit()

        login_url = url_for(controller='auth', action='submit', id='ajax')
        credentials = {'email': 'test@localhost', 'password': '******'}
        self.app.post(login_url, credentials).mustcontain("success")

        res = self.app.get(url_for(controller='account', id=None))

        accounts = res.c.accounts
        self.assertEqual(len(accounts), 1)
        self.assertEqual(accounts[0].id, user.id)
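def setup_superuser(model):
    """Interactively create the initial superuser.

    Reads the email and the password from stdin, one line each, so the
    routine can be scripted; the password is hashed with crypt_password
    before it is stored. The account is created active and given the
    "admin" role (and, for now, "lead") when those roles exist.

    Raises:
        ValueError: if the email or the password line is blank. An admin
            with an empty password would otherwise be committed silently.
    """
    s = meta.Session()
    print("Enter email for the super user")
    email = unicode(sys.stdin.readline().strip())
    if not email:
        raise ValueError("superuser email may not be empty")

    print("Enter superuser password")
    # NOTE(review): the password echoes on an interactive terminal. getpass
    # would hide it, but it also bypasses piped stdin, which this reader seems
    # meant to support; keep stdin and flag the trade-off.
    raw_password = sys.stdin.readline().strip()
    if not raw_password:
        raise ValueError("superuser password may not be empty")
    passwd = crypt_password(raw_password)

    user = model.User(email, passwd, True)
    admin = s.query(model.Role).filter_by(name=u"admin").first()
    # TODO remove the lead role
    lead = s.query(model.Role).filter_by(name=u"lead").first()
    for role in (lead, admin):
        if role is not None:
            user.roles.append(role)
    s.add(user)

    data = model.UserData(u"System Administrator", u"admin")
    data.user = user
    s.add(data)
    s.commit()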
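def setup_superuser(model):
    """Interactively create the initial superuser.

    Reads the email and the password from stdin, one line each, so the
    routine can be scripted; the password is hashed with crypt_password
    before it is stored. The account is created active and given the
    "admin" role (and, for now, "lead") when those roles exist.

    Raises:
        ValueError: if the email or the password line is blank. An admin
            with an empty password would otherwise be committed silently.
    """
    s = meta.Session()
    print("Enter email for the super user")
    email = unicode(sys.stdin.readline().strip())
    if not email:
        raise ValueError("superuser email may not be empty")

    print("Enter superuser password")
    # NOTE(review): the password echoes on an interactive terminal. getpass
    # would hide it, but it also bypasses piped stdin, which this reader seems
    # meant to support; keep stdin and flag the trade-off.
    raw_password = sys.stdin.readline().strip()
    if not raw_password:
        raise ValueError("superuser password may not be empty")
    passwd = crypt_password(raw_password)

    user = model.User(email, passwd, True)
    admin = s.query(model.Role).filter_by(name=u"admin").first()
    # TODO remove the lead role
    lead = s.query(model.Role).filter_by(name=u"lead").first()
    for role in (lead, admin):
        if role is not None:
            user.roles.append(role)
    s.add(user)

    data = model.UserData(u"System Administrator", u"admin")
    data.user = user
    s.add(data)
    s.commit()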
    def test_check(self):
        """The check action reports anonymous before login and the user's email after."""
        check_url = url_for(controller='auth', action='check')
        self.app.get(check_url).mustcontain("Not logged in")

        s = model.Session()
        # Already active, so the login below is not blocked by activation.
        user = model.User(u"test@localhost", crypt_password('secret'), True)
        data = model.UserData(u"Test Testus", u"test", u"test", u"test")
        data.user = user
        for obj in (user, data):
            s.save(obj)
        s.commit()

        res = self.app.post(url_for(controller='auth', action='submit', id='ajax'),
                params={'email': 'test@localhost', 'password': '******'})
        res.mustcontain("success")
        # The session must now carry the user's primary key.
        self.assertEqual(res.session['user'], user.id)

        self.app.get(check_url).mustcontain("Logged in as test@localhost")
    def test_logout(self):
        """Logout succeeds for an anonymous client and for a logged-in user alike."""
        # Anonymous: no session to tear down, still reports "logged out".
        self.app.get(url_for(controller='auth', action='logout')).mustcontain("logged out")

        s = model.Session()
        # An already-active user so the login below succeeds.
        user = model.User(u"test@localhost", crypt_password('secret'), True)
        data = model.UserData(u"Test Testus", u"test", u"test", u"test")
        data.user = user
        for obj in (user, data):
            s.save(obj)
        s.commit()

        login = self.app.post(url_for(controller='auth', action='submit', id='ajax'),
                params={'email': 'test@localhost', 'password': '******'})
        login.mustcontain("success")

        # Authenticated: the same action ends the session.
        res = self.app.get(url_for(controller='auth', action='logout', id=None))
        res.mustcontain("logged out")
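    def signup(self, id=None):
        """Create a new, not-yet-activated account from the registration form.

        With ``id == "ajax"`` each failure is returned as a short plain-text
        string; otherwise it is stored in ``session['messages']`` and the
        client is redirected back to the register action. On success the
        user, its profile data and an EmailConfirm token are committed and
        the activation mail is sent; a mail failure is reported to the caller
        but the committed account is kept.
        """
        def reject(ajax_msg, page_msg):
            # Single exit for validation failures. Callers `return reject(...)`
            # so the handler can never fall through into account creation
            # even if redirect_to does not raise.
            if id == "ajax":
                return ajax_msg
            session['messages'] = [page_msg]
            session.save()
            redirect_to(action="register")

        params = request.params

        # Default to u"" rather than unicode(None) == u"None": a form that
        # omits a field must not be able to register a password of "None".
        user_email = unicode(params.get('user_email', u''))
        user_email_c = unicode(params.get('user_email_confirm', u''))

        s = Session()

        if user_email != user_email_c:
            return reject("email address mismatch", "Email address mismatch")

        if not self._is_email_valid(user_email):
            return reject("invalid email address", "Invalid email address")

        # NOTE(review): this reply reveals whether an address is registered
        # (account enumeration); a common trade-off, but worth knowing.
        if s.query(User).filter_by(email=user_email).first() is not None:
            return reject("email already associated with an account",
                          "Email already associated with an account")

        user_pass = unicode(params.get('user_pass', u''))
        user_pass_c = unicode(params.get('user_pass_confirm', u''))

        if user_pass != user_pass_c:
            return reject("password mismatch", "Password mismatch")
        if user_pass == u"":
            return reject("password may not be empty", "Password may not be empty")

        vcs_pass = None
        if params.get('user_vcs_pass') is not None:
            vcs_pass = unicode(params.get('user_vcs_pass'))
            vcs_pass_c = unicode(params.get('user_vcs_pass_confirm'))
            if vcs_pass != vcs_pass_c:
                return reject("VCS password mismatch", "VCS password mismatch")

        user_name = params.get('user_name')
        user_name = unicode(user_name) if user_name is not None else u"Unnamed User"

        user_nick = params.get('user_nick')
        user_nick = unicode(user_nick) if user_nick is not None else u"Anonymous"

        vcs_user = params.get('user_vcs_user')
        vcs_user = unicode(vcs_user) if vcs_user is not None else None

        user = User(user_email, crypt_password(user_pass))
        # NOTE(review): vcs_pass is stored as given, not hashed like the login
        # password; if the VCS does not need the cleartext, hash it too.
        data = UserData(user_name, user_nick, vcs_user, vcs_pass)
        data.user = user
        s.add(user)
        s.add(data)

        token = random_token()
        msg = create_account_activation_msg(user.email, token)
        s.add(EmailConfirm(token, user.email))
        s.commit()

        try:
            send_mail(user.email, msg)
        except EmailException as e:
            if id == "ajax":
                return "sending account registration failed: %s" % e.message
            session['email_error'] = e.message
            session.save()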
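    def change(self, id=None):
        """Apply the account-edit form to the user recorded in session['edit_user'].

        Non-admins must present their current password (verified with
        check_password against the stored hash) before anything is changed.
        Validation failures are returned as plain strings when
        ``id == "ajax"``, otherwise pushed to ``session['messages']`` followed
        by a redirect back to the edit page. An empty ``user_pass`` leaves the
        password untouched.
        """
        params = request.params

        # Default to u"" / "" rather than unicode(None) == u"None": a request
        # that omits user_pass would otherwise set the password to "None".
        user_email = unicode(params.get('user_email', u''))
        user_email_c = unicode(params.get('user_email_confirm', u''))
        current_password = str(params.get('current_password', ''))

        edit_user = session.get('edit_user')
        if edit_user is None:
            abort(404)

        # One-shot: the edit page has to re-arm this before another submit.
        del session['edit_user']
        session.save()

        def reject(ajax_msg, page_msg):
            # Single exit for validation failures; callers `return reject(...)`
            # so nothing below is reached even if redirect_to does not raise.
            if id == "ajax":
                return ajax_msg
            session['messages'] = [page_msg]
            session.save()
            redirect_to(action="edit", id=edit_user)

        s = Session()
        user = s.query(User).get(edit_user)
        if user is None:
            abort(404)

        if not check_role("admin"):
            if not check_password(user.password, current_password):
                return reject("incorrect password", "Incorrect password")

        if user_email != user_email_c:
            return reject("email address mismatch", "Email address mismatch")

        if not self._is_email_valid(user_email):
            return reject("invalid email address", "Invalid email address")

        # The address may only be taken by the user being edited.
        u_by_email = s.query(User).filter_by(email=user_email).first()
        if u_by_email is not None and u_by_email.id != user.id:
            return reject("email already associated with an account",
                          "Email already associated with an account")

        user.email = user_email

        user_pass = unicode(params.get('user_pass', u''))
        user_pass_c = unicode(params.get('user_pass_confirm', u''))

        if user_pass != user_pass_c:
            return reject("password mismatch", "Password mismatch")
        if user_pass != u"":
            user.password = crypt_password(user_pass)

        if params.get('user_vcs_pass') is not None:
            vcs_pass = unicode(params.get('user_vcs_pass'))
            vcs_pass_c = unicode(params.get('user_vcs_pass_confirm'))
            if vcs_pass != vcs_pass_c:
                return reject("VCS password mismatch", "VCS password mismatch")
            # Was indented under the mismatch branch and therefore never ran.
            user.user_data.vcs_pass = vcs_pass

        user_name = params.get('user_name')
        user.user_data.name = (unicode(user_name) if user_name is not None
                               else u"Unnamed User")

        user_nick = params.get('user_nick')
        user.user_data.nick = (unicode(user_nick) if user_nick is not None
                               else u"anonymous")

        vcs_user = params.get('user_vcs_user')
        if vcs_user is not None:
            user.user_data.vcs_user = unicode(vcs_user)

        s.add(user)
        s.commit()

        if id == "ajax":
            return "user data updated"
        redirect_to(action='changed', id=None)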
def test_check_password_MD5k():
    """check_password accepts the right secret and rejects a wrong one for MD5k entries."""
    stored = crypt_password("secret", "MD5k")
    assert check_password(stored, "secret"), "Password verification failed"

    # A hash of a different secret must not verify against "secret".
    other = crypt_password("geheim", "MD5k")
    verdict = check_password(other, "secret")
    assert verdict == False, "Password verification passed for wrong password"
    def test_edit(self):
        """Edit form: prefilled values, each validation error, a good save, then the admin override."""
        def edit_form(res):
            # Take the form that carries user_email (last match wins, as in
            # the original loop) and fail loudly if there is none.
            chosen = None
            for key in res.forms.keys():
                if 'user_email' in res.forms[key].fields:
                    chosen = res.forms[key]
            self.assertNotEqual(chosen, None)
            return chosen

        s = model.Session()
        # Two activated users: one to edit as, one that must be off-limits.
        user = model.User(u"test@localhost", crypt_password('secret'), True)
        data = model.UserData(u"Test Testus", u"test", u"test", u"test")
        data.user = user
        s.save(user)
        s.save(data)

        user2 = model.User(u"test2@localhost", crypt_password('secret'), True)
        data2 = model.UserData(u"Test2 Testus", u"test2", u"test2", u"test")
        data2.user = user2
        s.save(user2)
        s.save(data2)
        s.commit()

        login = self.app.post(url_for(controller='auth', action='submit', id='ajax'),
                params={'email': 'test@localhost', 'password': '******'})
        login.mustcontain("success")

        res = self.app.get(url_for(controller='account', action='edit', id=1))
        form = edit_form(res)

        # Prefilled defaults must mirror the stored user/profile.
        expected = {
            'user_email': user.email,
            'user_email_confirm': user.email,
            'user_name': data.name,
            'user_nick': data.nick,
            'user_vcs_user': data.vcs_user,
        }
        for field, value in expected.items():
            self.assertEqual(form[field].value, value)

        # Wrong submissions, one validation rule at a time.
        form['user_email'] = "testus"
        form['user_email_confirm'] = "testus"
        res = form.submit().follow()
        res.mustcontain("Invalid email address")

        form['user_email'] = "test@localhost"
        form['user_email_confirm'] = "test@test"
        res = form.submit().follow()
        res.mustcontain("Email address mismatch")

        form = edit_form(res)
        form['user_pass'] = "******"
        res = form.submit().follow()
        res.mustcontain("Password mismatch")

        # Finally a valid change.
        form = edit_form(res)
        form['user_nick'] = "testus"
        res = form.submit().follow()
        res.mustcontain("Account information successfully updated")

        user = s.query(model.User).get(user.id)
        self.assertEqual(user.user_data.nick, u"testus")

        # Editing user2 as a plain user is forbidden.
        self.app.get(url_for(controller='account', action='edit', id=2), status=403)

        # Promote to admin.
        admin = model.Role(u'admin')
        s.save(admin)
        user.roles.append(admin)
        s.update(user)
        s.commit()

        # NOTE(review): this probably meant id=2 to prove the admin override;
        # id=1 was already reachable before the promotion.
        res = self.app.get(url_for(controller='account', action='edit', id=1))
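    def signup(self, id=None):
        """Create a new, not-yet-activated account from the registration form.

        With ``id == "ajax"`` each failure is returned as a short plain-text
        string; otherwise it is stored in ``session['messages']`` and the
        client is redirected back to the register action. On success the
        user, its profile data and an EmailConfirm token are committed and
        the activation mail is sent; a mail failure is reported to the caller
        but the committed account is kept.
        """
        def reject(ajax_msg, page_msg):
            # Single exit for validation failures. Callers `return reject(...)`
            # so the handler can never fall through into account creation
            # even if redirect_to does not raise.
            if id == "ajax":
                return ajax_msg
            session['messages'] = [page_msg]
            session.save()
            redirect_to(action="register")

        params = request.params

        # Default to u"" rather than unicode(None) == u"None": a form that
        # omits a field must not be able to register a password of "None".
        user_email = unicode(params.get('user_email', u''))
        user_email_c = unicode(params.get('user_email_confirm', u''))

        s = Session()

        if user_email != user_email_c:
            return reject("email address mismatch", "Email address mismatch")

        if not self._is_email_valid(user_email):
            return reject("invalid email address", "Invalid email address")

        # NOTE(review): this reply reveals whether an address is registered
        # (account enumeration); a common trade-off, but worth knowing.
        if s.query(User).filter_by(email=user_email).first() is not None:
            return reject("email already associated with an account",
                          "Email already associated with an account")

        user_pass = unicode(params.get('user_pass', u''))
        user_pass_c = unicode(params.get('user_pass_confirm', u''))

        if user_pass != user_pass_c:
            return reject("password mismatch", "Password mismatch")
        if user_pass == u"":
            return reject("password may not be empty", "Password may not be empty")

        vcs_pass = None
        if params.get('user_vcs_pass') is not None:
            vcs_pass = unicode(params.get('user_vcs_pass'))
            vcs_pass_c = unicode(params.get('user_vcs_pass_confirm'))
            if vcs_pass != vcs_pass_c:
                return reject("VCS password mismatch", "VCS password mismatch")

        user_name = params.get('user_name')
        user_name = unicode(user_name) if user_name is not None else u"Unnamed User"

        user_nick = params.get('user_nick')
        user_nick = unicode(user_nick) if user_nick is not None else u"Anonymous"

        vcs_user = params.get('user_vcs_user')
        vcs_user = unicode(vcs_user) if vcs_user is not None else None

        user = User(user_email, crypt_password(user_pass))
        # NOTE(review): vcs_pass is stored as given, not hashed like the login
        # password; if the VCS does not need the cleartext, hash it too.
        data = UserData(user_name, user_nick, vcs_user, vcs_pass)
        data.user = user
        s.add(user)
        s.add(data)

        token = random_token()
        msg = create_account_activation_msg(user.email, token)
        s.add(EmailConfirm(token, user.email))
        s.commit()

        try:
            send_mail(user.email, msg)
        except EmailException as e:
            if id == "ajax":
                return "sending account registration failed: %s" % e.message
            session['email_error'] = e.message
            session.save()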
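    def change(self, id=None):
        """Apply the account-edit form to the user recorded in session['edit_user'].

        Non-admins must present their current password (verified with
        check_password against the stored hash) before anything is changed.
        Validation failures are returned as plain strings when
        ``id == "ajax"``, otherwise pushed to ``session['messages']`` followed
        by a redirect back to the edit page. An empty ``user_pass`` leaves the
        password untouched.
        """
        params = request.params

        # Default to u"" / "" rather than unicode(None) == u"None": a request
        # that omits user_pass would otherwise set the password to "None".
        user_email = unicode(params.get('user_email', u''))
        user_email_c = unicode(params.get('user_email_confirm', u''))
        current_password = str(params.get('current_password', ''))

        edit_user = session.get('edit_user')
        if edit_user is None:
            abort(404)

        # One-shot: the edit page has to re-arm this before another submit.
        del session['edit_user']
        session.save()

        def reject(ajax_msg, page_msg):
            # Single exit for validation failures; callers `return reject(...)`
            # so nothing below is reached even if redirect_to does not raise.
            if id == "ajax":
                return ajax_msg
            session['messages'] = [page_msg]
            session.save()
            redirect_to(action="edit", id=edit_user)

        s = Session()
        user = s.query(User).get(edit_user)
        if user is None:
            abort(404)

        if not check_role("admin"):
            if not check_password(user.password, current_password):
                return reject("incorrect password", "Incorrect password")

        if user_email != user_email_c:
            return reject("email address mismatch", "Email address mismatch")

        if not self._is_email_valid(user_email):
            return reject("invalid email address", "Invalid email address")

        # The address may only be taken by the user being edited.
        u_by_email = s.query(User).filter_by(email=user_email).first()
        if u_by_email is not None and u_by_email.id != user.id:
            return reject("email already associated with an account",
                          "Email already associated with an account")

        user.email = user_email

        user_pass = unicode(params.get('user_pass', u''))
        user_pass_c = unicode(params.get('user_pass_confirm', u''))

        if user_pass != user_pass_c:
            return reject("password mismatch", "Password mismatch")
        if user_pass != u"":
            user.password = crypt_password(user_pass)

        if params.get('user_vcs_pass') is not None:
            vcs_pass = unicode(params.get('user_vcs_pass'))
            vcs_pass_c = unicode(params.get('user_vcs_pass_confirm'))
            if vcs_pass != vcs_pass_c:
                return reject("VCS password mismatch", "VCS password mismatch")
            # Was indented under the mismatch branch and therefore never ran.
            user.user_data.vcs_pass = vcs_pass

        user_name = params.get('user_name')
        user.user_data.name = (unicode(user_name) if user_name is not None
                               else u"Unnamed User")

        user_nick = params.get('user_nick')
        user.user_data.nick = (unicode(user_nick) if user_nick is not None
                               else u"anonymous")

        vcs_user = params.get('user_vcs_user')
        if vcs_user is not None:
            user.user_data.vcs_user = unicode(vcs_user)

        s.add(user)
        s.commit()

        if id == "ajax":
            return "user data updated"
        redirect_to(action='changed', id=None)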