Ejemplo n.º 1
    def test_revoke_creds2(self):
        """
        Check that VCCSRevokeFactor raises TypeError for a badly typed
        revocation reason or reference.
        """
        FakeVCCSClient(None)

        # (credential_id, reason, reference): the first case passes an
        # integer reason, the second an integer reference.
        # NOTE(review): credential_id is an integer in both cases as well, so
        # neither case isolates the argument under test - confirm which
        # argument actually triggers the TypeError.
        bad_argument_sets = (
            (4712, 1234, 'foobar'),
            (4712, 'foobar', 2345),
        )
        for bad_arguments in bad_argument_sets:
            with self.assertRaises(TypeError):
                vccs_client.VCCSRevokeFactor(*bad_arguments)
Ejemplo n.º 2
 def test_revoke_creds1(self):
     """
     A revoke_creds response carrying success=False must make
     revoke_credentials() return a false value.
     """
     failure_body = json.dumps({
         'revoke_creds_response': {
             'version': 1,
             'success': False,
         },
     })
     # presumably the fake client replays this body as the backend's
     # answer - verify against FakeVCCSClient
     client = FakeVCCSClient(failure_body)
     factor = vccs_client.VCCSRevokeFactor('4712', 'testing revoke', 'foobar')
     outcome = client.revoke_credentials('*****@*****.**', [factor])
     self.assertFalse(outcome)
Ejemplo n.º 3
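def revoke_all_credentials(vccs_url, user):
    """
    Revoke every password credential of a user in the VCCS backend.

    The revocation reason sent to the backend is 'subscriber requested
    termination' with reference 'dashboard'.

    The result of the backend call is returned so that the caller can tell
    whether the credentials were really revoked; earlier versions discarded
    it and always returned None. Exceptions raised by the VCCS client are
    not caught here.

    :param vccs_url: URL to VCCS authentication backend
    :param user: user object whose password credentials are revoked
    :return: the value returned by the client's revoke_credentials()
    """
    vccs = get_vccs_client(vccs_url)
    passwords = user.credentials.filter(Password).to_list()
    to_revoke = []
    for passwd in passwords:
        credential_id = str(passwd.credential_id)
        factor = vccs_client.VCCSRevokeFactor(
            credential_id,
            'subscriber requested termination',
            reference='dashboard')
        # Nothing has been revoked yet at this point, so the log must not
        # claim that it has: the backend call happens after the loop.
        log.debug("Revoking old credential (account termination)"
                  " {!s} (user {!r})".format(credential_id, user))
        to_revoke.append(factor)
    userid = str(user.user_id)
    revoked = vccs.revoke_credentials(userid, to_revoke)
    if not revoked:
        # A terminated account whose passwords are still accepted by the
        # backend is worth more than a debug line.
        log.warning("VCCS did not confirm revocation of {!s} credential(s)"
                    " (account termination, user {!r})".format(
                        len(to_revoke), user))
    return revoked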
Ejemplo n.º 4
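def revoke_all_credentials(vccs_url, user, source='dashboard', vccs=None):
    """
    Revoke every password of a user in the VCCS backend.

    The revocation reason sent to the backend is 'subscriber requested
    termination'.

    The result of the backend call is returned so that the caller can tell
    whether the credentials were really revoked; earlier versions discarded
    it and always returned None. Exceptions raised by the VCCS client are
    not caught here.

    :param vccs_url: URL to VCCS authentication backend
    :param user: user object; a DashboardLegacyUser is converted to a
        DashboardUser first
    :param source: value sent as the revocation reference
    :param vccs: VCCS client to use; one is created from vccs_url when None
    :return: the value returned by the client's revoke_credentials()
    """
    if vccs is None:
        vccs = get_vccs_client(vccs_url)
    if isinstance(user, DashboardLegacyUser):
        user = DashboardUser(data=user._mongo_doc)
    to_revoke = []
    for passwd in user.passwords.to_list():
        credential_id = str(passwd.id)
        factor = vccs_client.VCCSRevokeFactor(
            credential_id,
            'subscriber requested termination',
            reference=source)
        # Nothing has been revoked yet at this point, so the log must not
        # claim that it has: the backend call happens after the loop.
        logger.debug("Revoking old credential (account termination)"
                     " {!s} (user {!s})".format(credential_id, user))
        to_revoke.append(factor)
    userid = str(user.user_id)
    revoked = vccs.revoke_credentials(userid, to_revoke)
    if not revoked:
        # A terminated account whose passwords are still accepted by the
        # backend is worth more than a debug line.
        logger.warning("VCCS did not confirm revocation of {!s} credential(s)"
                       " (account termination, user {!s})".format(
                           len(to_revoke), user))
    return revoked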
Ejemplo n.º 5
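def add_credentials(vccs_url,
                    old_password,
                    new_password,
                    user,
                    source='dashboard',
                    vccs=None):
    """
    Add a new password to a user. Revokes the old one, if one is given.

    When no old password is supplied (password reset), every password
    currently registered on the user is revoked instead.

    Returns the user object on success and False on failure. When a
    DashboardLegacyUser is passed in, the returned object is the
    DashboardUser built from it.

    :param vccs_url: URL to VCCS authentication backend
    :param old_password: plaintext current password
    :param new_password: plaintext new password
    :param user: user object
    :param source: value used as the revocation reference and as the
        application of the new password
    :param vccs: VCCS client to use; one is created from vccs_url when None

    :type vccs_url: string
    :type old_password: string
    :type new_password: string
    :type user: User | DashboardLegacyUser
    :rtype: User | bool
    """
    password_id = ObjectId()
    if vccs is None:
        vccs = get_vccs_client(vccs_url)
    new_factor = vccs_client.VCCSPasswordFactor(new_password,
                                                credential_id=str(password_id))

    if isinstance(user, DashboardLegacyUser):
        user = DashboardUser(data=user._mongo_doc)

    old_factor = None
    checked_password = None
    # remember if an old password was supplied or not, without keeping it in
    # memory longer than we have to
    old_password_supplied = bool(old_password)
    if user.passwords.count > 0 and old_password:
        # Find the old credential to revoke
        checked_password = check_password(vccs_url,
                                          old_password,
                                          user,
                                          vccs=vccs)
        # Best effort only: this drops the local name, while the caller's
        # own reference to the string is unaffected.
        del old_password  # don't need it anymore, try to forget it
        if not checked_password:
            # Wrong old password: stop before anything is added or revoked.
            return False
        old_factor = vccs_client.VCCSRevokeFactor(
            str(checked_password.id),
            'changing password',
            reference=source,
        )

    if not vccs.add_credentials(str(user.user_id), [new_factor]):
        logger.warning("Failed adding password credential "
                       "{!r} for user {!r}".format(new_factor.credential_id,
                                                   user))
        return False  # something failed
    logger.debug("Added password credential {!s} for user {!s}".format(
        new_factor.credential_id, user))

    if old_factor:
        # Keep the backend's answer instead of discarding it, so the log only
        # says "Revoked" when the revocation was confirmed.
        old_revoked = vccs.revoke_credentials(str(user.user_id), [old_factor])
        # NOTE(review): the local record is removed even when the backend did
        # not confirm the revocation, so the old password may stay valid in
        # VCCS without being tracked on the user - confirm this is intended.
        user.passwords.remove(checked_password.id)
        if old_revoked:
            logger.debug("Revoked old credential {!s} (user {!s})".format(
                old_factor.credential_id, user))
        else:
            logger.warning("VCCS did not confirm revocation of old credential "
                           "{!s} (user {!s})".format(
                               old_factor.credential_id, user))

    if not old_password_supplied:
        # TODO: Revoke all current credentials on password reset for now
        # The new password is not in user.passwords yet (it is added at the
        # end), so this loop only covers the previously registered ones.
        revoked = []
        for password in user.passwords.to_list():
            revoked.append(
                vccs_client.VCCSRevokeFactor(str(password.id),
                                             'reset password',
                                             reference=source))
            logger.debug("Revoking old credential (password reset) "
                         "{!s} (user {!s})".format(password.id, user))
            user.passwords.remove(password.id)
        if revoked:
            try:
                vccs.revoke_credentials(str(user.user_id), revoked)
            except vccs_client.VCCSClientHTTPError:
                # Password already revoked
                # NOTE(review): every VCCSClientHTTPError lands here, not only
                # "already revoked", and the local records are already gone by
                # now - a real backend failure leaves the old passwords
                # untracked; confirm against the backend's error semantics.
                # TODO: vccs backend should be changed to return something more informative than
                # TODO: VCCSClientHTTPError when the credential is already revoked or just return success.
                logger.warning("VCCS failed to revoke all passwords for "
                               "user {!s}".format(user))

    # Record the new credential locally only after the backend accepted it.
    new_password = Password(
        credential_id=password_id,
        salt=new_factor.salt,
        application=source,
    )
    user.passwords.add(new_password)

    return user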