 def setUp(self):
     """Prepare a Mongo-backed test user that already holds one credential.

     A ``TestVCCSClient`` stands in for the real VCCS service, and the user
     is seeded with the password ``'abcd'`` so the ``add_credentials`` tests
     in this class can exercise old/new password handling against it.
     """
     MongoTestCase.setUp(self, None, None)
     client = TestVCCSClient()
     self.vccs_client = client
     central = self.amdb.get_user_by_mail('*****@*****.**')
     self.central_user = central
     self.user = ChpassUser.from_central_user(central)
     # ``None`` in the old-password slot — presumably "nothing to verify,
     # just add"; confirm against vccs_module.add_credentials.
     vccs_module.add_credentials('dummy', None, 'abcd', self.user, vccs=client)
 def test_add_credentials_bad_old_password(self):
     """A wrong old password must leave the stored credential untouched.

     ``add_credentials`` has to report failure, and afterwards only the
     original ``'abcd'`` may authenticate: neither the bogus old password
     nor the requested new one becomes valid.
     """
     added = vccs_module.add_credentials('dummy', 'fghi', 'wxyz', self.user,
             vccs=self.vccs_client)
     self.assertFalse(added)

     # (password, whether it should still be accepted)
     expectations = (('abcd', True), ('fghi', False), ('wxyz', False))
     for password, should_pass in expectations:
         outcome = self._check_credentials(password)
         if should_pass:
             self.assertTrue(outcome)
         else:
             self.assertFalse(outcome)
 def test_add_credentials_error_adding(self):
     """If VCCS refuses to store the new credential, nothing changes.

     The fake client's ``add_credentials`` is forced to return ``False``;
     the module must then report failure and the old password ``'abcd'``
     must remain the only one that authenticates.
     """
     from eduid_common.authn.testing import TestVCCSClient
     # The kwarg configures the replacement mock's return value up front.
     with patch.object(TestVCCSClient, 'add_credentials', return_value=False):
         added = vccs_module.add_credentials('dummy', 'abcd', 'wxyz',
                 self.user, vccs=self.vccs_client)
         self.assertFalse(added)

         expectations = (('abcd', True), ('fghi', False), ('wxyz', False))
         for password, should_pass in expectations:
             outcome = self._check_credentials(password)
             if should_pass:
                 self.assertTrue(outcome)
             else:
                 self.assertFalse(outcome)
 def test_add_credentials_error_revoking(self):
     """A failure while revoking must not undo an already-added credential.

     With ``revoke_credentials`` raising ``VCCSClientHTTPError``, the module
     still reports success and the new password ``'wxyz'`` is the one that
     authenticates afterwards, while ``'abcd'`` no longer does.
     """
     from eduid_common.authn.testing import TestVCCSClient
     from vccs_client import VCCSClientHTTPError

     def failing_revoke(*_ignored):
         # Simulate the VCCS service answering the revoke with a server error.
         raise VCCSClientHTTPError('dummy', 500)

     with patch.object(TestVCCSClient, 'revoke_credentials', failing_revoke):
         added = vccs_module.add_credentials('dummy', None, 'wxyz',
                 self.user, vccs=self.vccs_client)
         self.assertTrue(added)

         expectations = (('abcd', False), ('fghi', False), ('wxyz', True))
         for password, should_pass in expectations:
             outcome = self._check_credentials(password)
             if should_pass:
                 self.assertTrue(outcome)
             else:
                 self.assertFalse(outcome)
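def change_password(user, old_password, new_password):
    """
    View to change the password.

    A recent re-authentication is required: ``session['reauthn-for-chpass']``
    must hold an epoch timestamp no older than ``CHPASS_TIMEOUT`` seconds
    (default 600). On success the marker is removed from the session so the
    same re-authentication cannot be used for a second change.

    :param user: the central user whose password is being changed
    :param old_password: current password, verified by ``add_credentials``
    :param new_password: the password to set
    :return: an ``error_message(...)`` payload on failure, otherwise the
             dumped ``CredentialList`` with the updated credentials
    """
    security_user = SecurityUser.from_user(user, current_app.private_userdb)
    authn_ts = session.get('reauthn-for-chpass', None)
    if authn_ts is None:
        return error_message('chpass.no_reauthn')

    # Compare UTC with UTC. ``datetime.fromtimestamp`` renders the epoch value
    # in the server's local zone, which would skew the age by the UTC offset
    # and make the timeout check too strict or too lenient off-UTC.
    now = datetime.utcnow()
    delta = now - datetime.utcfromtimestamp(authn_ts)
    timeout = current_app.config.get('CHPASS_TIMEOUT', 600)
    if int(delta.total_seconds()) > timeout:
        return error_message('chpass.stale_reauthn')

    vccs_url = current_app.config.get('VCCS_URL')
    added = add_credentials(vccs_url, old_password, new_password, security_user, source='security')

    if not added:
        current_app.logger.debug('Problem verifying the old credentials for {}'.format(user))
        return error_message('chpass.unable-to-verify-old-password')

    security_user.terminated = False
    try:
        save_and_sync_user(security_user)
    except UserOutOfSync:
        # NOTE(review): add_credentials has already talked to VCCS by this
        # point; confirm the stored user and VCCS cannot be left disagreeing
        # when the save is rejected here.
        return error_message('user-out-of-sync')

    # Consume the re-authentication so another change needs a fresh one.
    del session['reauthn-for-chpass']

    current_app.stats.count(name='security_password_changed', value=1)
    current_app.logger.info('Changed password for user {}'.format(security_user.eppn))

    next_url = current_app.config.get('DASHBOARD_URL', '/profile')
    credentials = {
        'next_url': next_url,
        'credentials': compile_credential_list(security_user),
        'message': 'chpass.password-changed'
        }

    return CredentialList().dump(credentials).data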
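def change_password(user, old_password, new_password):
    """
    View to change the password.

    A recent re-authentication is required: ``session['reauthn-for-chpass']``
    must hold an epoch timestamp no older than ``CHPASS_TIMEOUT`` seconds
    (default 600). On success the marker is removed from the session so the
    same re-authentication cannot be used for a second change.

    :param user: the central user whose password is being changed
    :param old_password: current password, verified by ``add_credentials``
    :param new_password: the password to set
    :return: an ``error_message(...)`` payload on failure, otherwise the
             dumped ``CredentialList`` with the updated credentials
    """
    security_user = SecurityUser.from_user(user, current_app.private_userdb)
    authn_ts = session.get('reauthn-for-chpass', None)
    if authn_ts is None:
        return error_message('chpass.no_reauthn')

    # Compare UTC with UTC. ``datetime.fromtimestamp`` renders the epoch value
    # in the server's local zone, which would skew the age by the UTC offset
    # and make the timeout check too strict or too lenient off-UTC.
    now = datetime.utcnow()
    delta = now - datetime.utcfromtimestamp(authn_ts)
    timeout = current_app.config.get('CHPASS_TIMEOUT', 600)
    if int(delta.total_seconds()) > timeout:
        return error_message('chpass.stale_reauthn')

    vccs_url = current_app.config.get('VCCS_URL')
    added = add_credentials(vccs_url, old_password, new_password, security_user, source='security')

    if not added:
        current_app.logger.debug('Problem verifying the old credentials for {}'.format(user))
        return error_message('chpass.unable-to-verify-old-password')

    security_user.terminated = False
    try:
        save_and_sync_user(security_user)
    except UserOutOfSync:
        # NOTE(review): add_credentials has already talked to VCCS by this
        # point; confirm the stored user and VCCS cannot be left disagreeing
        # when the save is rejected here.
        return error_message('user-out-of-sync')

    # Consume the re-authentication so another change needs a fresh one.
    del session['reauthn-for-chpass']

    current_app.stats.count(name='security_password_changed', value=1)
    current_app.logger.info('Changed password for user {}'.format(security_user.eppn))

    next_url = current_app.config.get('DASHBOARD_URL', '/profile')
    credentials = {
        'next_url': next_url,
        'credentials': compile_credential_list(security_user),
        'message': 'chpass.password-changed'
        }

    return CredentialList().dump(credentials).data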
    def _change_password(self, request, user, old_password):
        """Set a new password for ``user`` and report whether VCCS accepted it.

        The new password comes either from the form field ``custom_password``
        (when ``use_custom_password`` is ``'true'``) or from
        ``generate_suggested_password(request)``. Spaces are removed before
        the value is handed to ``add_credentials`` together with the
        ``vccs_url`` setting and the source tag ``'change_passwd'``.

        :param request: the Pyramid request carrying the POSTed form
        :param user: the user whose credential is being replaced
        :param old_password: current password, verified by ``add_credentials``
        :return: whatever ``add_credentials`` returns (truthy on success)
        """
        use_custom = request.POST.get('use_custom_password') == 'true'

        if use_custom:
            # The user typed a password of their own; the form validators
            # have already checked it.
            logger.debug("Password change for user {!r} "
                      "(custom password).".format(user.user_id))
            chosen = request.POST.get('custom_password')
        else:
            # The user accepted the suggested password, which is expected to
            # be recoverable from the session.
            logger.debug("Password change for user {!r} "
                      "(suggested password).".format(user.user_id))
            chosen = generate_suggested_password(request)

        # Spaces are stripped — presumably the suggested password is shown in
        # space-separated groups; confirm with generate_suggested_password.
        candidate = chosen.replace(' ', '')
        vccs_url = request.registry.settings.get('vccs_url')
        return add_credentials(vccs_url, old_password, candidate, user,
                source='change_passwd')
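def change_password(user):
    """
    View to change the password.

    The JSON body is validated with ``ChangePasswordSchema`` (zxcvbn terms
    derived from the user's eppn, minimum entropy from config), the CSRF
    token is checked against the session, and a recent re-authentication
    (``session['reauthn-for-chpass']``, an epoch timestamp no older than
    ``chpass_timeout`` seconds) is required. On success the
    re-authentication marker is consumed so it cannot be reused.

    :param user: the central user whose password is being changed
    :return: an ``error_response(...)`` payload on failure, otherwise a dict
             with ``next_url``, the updated ``credentials`` and a message key
    """
    security_user = SecurityUser.from_user(user, current_app.private_userdb)
    min_entropy = current_app.config.password_entropy
    schema = ChangePasswordSchema(zxcvbn_terms=get_zxcvbn_terms(
        security_user.eppn),
                                  min_entropy=int(min_entropy))

    if not request.data:
        return error_response(message='chpass.no-data')

    try:
        form = schema.load(json.loads(request.data))
        # Log only the field names: the loaded form carries the old and new
        # passwords in clear, which must never reach the log.
        current_app.logger.debug('Change password form fields: {}'.format(sorted(form)))
    except ValidationError as e:
        current_app.logger.error(e)
        return error_response(message='chpass.weak-password')
    else:
        old_password = form.get('old_password')
        new_password = form.get('new_password')

    if session.get_csrf_token() != form['csrf_token']:
        return error_response(message='csrf.try_again')

    authn_ts = session.get('reauthn-for-chpass', None)
    if authn_ts is None:
        return error_response(message='chpass.no_reauthn')

    # Compare UTC with UTC. ``datetime.fromtimestamp`` renders the epoch value
    # in the server's local zone, which would skew the age by the UTC offset
    # and make the timeout check too strict or too lenient off-UTC.
    now = datetime.utcnow()
    delta = now - datetime.utcfromtimestamp(authn_ts)
    timeout = current_app.config.chpass_timeout
    if int(delta.total_seconds()) > timeout:
        return error_response(message='chpass.stale_reauthn')

    vccs_url = current_app.config.vccs_url
    added = add_credentials(vccs_url,
                            old_password,
                            new_password,
                            security_user,
                            source='security')

    if not added:
        current_app.logger.debug(
            'Problem verifying the old credentials for {}'.format(user))
        return error_response(message='chpass.unable-to-verify-old-password')

    security_user.terminated = False
    try:
        save_and_sync_user(security_user)
    except UserOutOfSync:
        # NOTE(review): add_credentials has already talked to VCCS by this
        # point; confirm the stored user and VCCS cannot be left disagreeing
        # when the save is rejected here.
        return error_response(message='user-out-of-sync')

    # Consume the re-authentication so another change needs a fresh one.
    del session['reauthn-for-chpass']

    current_app.stats.count(name='security_password_changed', value=1)
    current_app.logger.info('Changed password for user {}'.format(
        security_user.eppn))

    next_url = current_app.config.dashboard_url
    credentials = {
        'next_url': next_url,
        'credentials': compile_credential_list(security_user),
        'message': 'chpass.password-changed',
    }

    return credentials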