def test_all_default_phrase_checks(bad_phrase_password_strings):
"""
"""
cereconf.PASSWORD_CHECKS = {
'phrase': (
('length', {'min_length': 12, 'max_length': None}),
('num_words', {'min_words': 4, 'min_word_length': 2}),
('avg_word_length', {'avg_length': 4})
)}
with pytest.raises(PhrasePasswordNotGoodEnough):
check_password.cereconf = cereconf
check_password(bad_phrase_password_strings)
def test_all_default_rigid_checks(bad_rigid_password_strings):
"""
"""
cereconf.PASSWORD_CHECKS = {
'rigid': (
('length', {'min_length': 10}),
('ascii_characters_only', {}),
('space_or_null', {}),
('simple_character_groups', {'min_groups': 3}),
('repeated_pattern', {}),
('character_sequence', {'char_seq_length': 3}),
)}
with pytest.raises(RigidPasswordNotGoodEnough):
check_password.cereconf = cereconf # ugly hack
check_password(bad_rigid_password_strings)
def post(self, name):
"""Check if a password is valid according to rules."""
ac = find_account(name)
args = password_parser.parse_args()
password = args['password']
assert isinstance(password, text_type)
return check_password(password, account=ac, structured=True)
def post(self, name):
"""Check if a password is valid according to rules."""
ac = find_account(name)
data = request.get_json()
password = data.get('password', None)
assert isinstance(password, text_type)
return check_password(password, account=ac, structured=True)
def test_all_default_phrase_checks(bad_phrase_password_strings):
"""
"""
cereconf.PASSWORD_CHECKS = {
'phrase': (('length', {
'min_length': 12,
'max_length': None
}), ('num_words', {
'min_words': 4,
'min_word_length': 2
}), ('avg_word_length', {
'avg_length': 4
}))
}
with pytest.raises(PhrasePasswordNotGoodEnough):
check_password.cereconf = cereconf
check_password(bad_phrase_password_strings)
def set_password(self, uname, new_password, token, browser_token):
if not self.check_token(uname, token, browser_token):
return False
account = self.get_account(uname)
try:
check_password(new_password, account)
except PasswordNotGoodEnough as e:
m = str(e).decode('utf-8')
raise Errors.CerebrumRPCException('password_invalid', m)
# All data is good. Set password
account.set_password(new_password)
try:
account.write_db()
account._db.commit()
log.info("Password for %s altered." % uname)
except self.db.DatabaseError, m:
log.error("Error when setting password for %s: %s" % (uname, m))
raise Errors.CerebrumRPCException('error_unknown')
def set_password(self, uname, new_password, token, browser_token):
if not self.check_token(uname, token, browser_token):
return False
account = self.get_account(uname)
try:
check_password(new_password, account)
except PasswordNotGoodEnough as e:
m = str(e).decode('utf-8')
raise Errors.CerebrumRPCException('password_invalid', m)
# All data is good. Set password
account.set_password(new_password)
try:
account.write_db()
account._db.commit()
log.info("Password for %s altered." % uname)
except self.db.DatabaseError, m:
log.error("Error when setting password for %s: %s" % (uname, m))
raise Errors.CerebrumRPCException('error_unknown')
def post(self, name):
"""Change the password for this account."""
ac = find_account(name)
data = request.get_json()
password = data.get('password', None)
if password is None:
password = ac.make_passwd(ac.account_name)
assert isinstance(password, text_type)
try:
check_password(password, account=ac, structured=False)
except PasswordNotGoodEnough as e:
abort(400, 'Bad password: {}'.format(e))
ac.set_password(password)
# Remove "weak password" quarantine
for q in (db.const.quarantine_autopassord,
db.const.quarantine_svakt_passord):
ac.delete_entity_quarantine(q)
ac.write_db()
return {'password': password}
def post(self, name):
"""Change the password for this account."""
ac = find_account(name)
data = self.new_password_parser.parse_args()
password = data.get('password', None)
if password is None:
password = ac.make_passwd(ac.account_name)
assert isinstance(password, text_type)
try:
check_password(password, account=ac, structured=False)
except PasswordNotGoodEnough as e:
abort(400, 'Bad password: {}'.format(e))
ac.set_password(password)
# Remove "weak password" quarantine
for q in (db.const.quarantine_autopassord,
db.const.quarantine_svakt_passord):
ac.delete_entity_quarantine(q)
ac.write_db()
return {'password': password}
def post(self, id):
"""Change the password for this account."""
ac = find_account(id)
data = request.json
plaintext = data.get('password', None)
if plaintext is None:
plaintext = ac.make_passwd(ac.account_name)
try:
check_password(plaintext, account=ac, structured=False)
except PasswordNotGoodEnough as err:
abort(400, 'Bad password: {}'.format(err))
if isinstance(plaintext, unicode):
try:
plaintext = plaintext.encode('ISO-8859-1')
except UnicodeEncodeError:
abort(400, 'Bad password: Contains illegal characters')
ac.set_password(plaintext)
ac.write_db()
return {'password': plaintext}
def post(self, id):
"""Check if a password is valid according to rules."""
ac = find_account(id)
data = request.json
plaintext = data.get('password', None)
if plaintext is None:
abort(400, 'No password specified')
if isinstance(plaintext, unicode):
try:
plaintext = plaintext.encode('ISO-8859-1')
except UnicodeEncodeError:
abort(400, 'Bad password: Contains illegal characters')
return check_password(plaintext, account=ac, structured=True)
def test_all_default_rigid_checks(bad_rigid_password_strings):
"""
"""
cereconf.PASSWORD_CHECKS = {
'rigid': (
('length', {
'min_length': 10
}),
('ascii_characters_only', {}),
('space_or_null', {}),
('simple_character_groups', {
'min_groups': 3
}),
('repeated_pattern', {}),
('character_sequence', {
'char_seq_length': 3
}),
)
}
with pytest.raises(RigidPasswordNotGoodEnough):
check_password.cereconf = cereconf # ugly hack
check_password(bad_rigid_password_strings)
def misc_check_password(self, operator, password):
ac = self.Account_class(self.db)
try:
check_password(password, ac, structured=False)
except RigidPasswordNotGoodEnough as e:
raise CerebrumError('Bad password: {err_msg}'.format(
err_msg=str(e).decode('utf-8').encode('latin-1')))
except PhrasePasswordNotGoodEnough as e:
raise CerebrumError('Bad passphrase: {err_msg}'.format(
err_msg=str(e).decode('utf-8').encode('latin-1')))
except PasswordNotGoodEnough as e:
raise CerebrumError('Bad password: {err_msg}'.format(err_msg=e))
crypt = ac.encrypt_password(
self.const.Authentication("crypt3-DES"), password)
md5 = ac.encrypt_password(
self.const.Authentication("MD5-crypt"), password)
sha256 = ac.encrypt_password(
self.const.auth_type_sha256_crypt, password)
sha512 = ac.encrypt_password(
self.const.auth_type_sha512_crypt, password)
return ("OK.\n crypt3-DES: %s\n MD5-crypt: %s\n"
" SHA256-crypt: %s\n SHA512-crypt: %s") % (
crypt, md5, sha256, sha512)
def misc_check_password(self, operator, password):
ac = self.Account_class(self.db)
try:
check_password(password, ac, structured=False)
except RigidPasswordNotGoodEnough as e:
raise CerebrumError('Bad password: {err_msg}'.format(
err_msg=str(e).decode('utf-8').encode('latin-1')))
except PhrasePasswordNotGoodEnough as e:
raise CerebrumError('Bad passphrase: {err_msg}'.format(
err_msg=str(e).decode('utf-8').encode('latin-1')))
except PasswordNotGoodEnough as e:
raise CerebrumError('Bad password: {err_msg}'.format(err_msg=e))
crypt = ac.encrypt_password(self.const.Authentication("crypt3-DES"),
password)
md5 = ac.encrypt_password(self.const.Authentication("MD5-crypt"),
password)
sha256 = ac.encrypt_password(self.const.auth_type_sha256_crypt,
password)
sha512 = ac.encrypt_password(self.const.auth_type_sha512_crypt,
password)
return ("OK.\n crypt3-DES: %s\n MD5-crypt: %s\n"
" SHA256-crypt: %s\n SHA512-crypt: %s") % (crypt, md5,
sha256, sha512)
def set_password(self, uname, new_password, token, browser_token):
if not self.check_token(uname, token, browser_token):
return False
account = self.get_account(uname)
try:
check_password(new_password, account)
except PasswordNotGoodEnough as e:
m = text_type(e)
raise Errors.CerebrumRPCException('password_invalid', m)
# All data is good. Set password
account.set_password(new_password)
try:
account.write_db()
account._db.commit()
logger.info("Password for %r altered", uname)
except self.db.DatabaseError as m:
logger.error("Error when setting password for %r: %s", uname, m)
raise Errors.CerebrumRPCException('error_unknown')
# Remove "weak password" quarantine
for r in account.get_entity_quarantine():
for qua in (self.co.quarantine_autopassord,
self.co.quarantine_svakt_passord):
if int(r['quarantine_type']) == qua:
account.delete_entity_quarantine(qua)
account.write_db()
account._db.commit()
# TODO: move these checks up and raise exceptions? Wouldn't happen,
# since generate_token() checks this already, but might get other
# authentication methods later.
if account.is_deleted():
logger.warning("user %r is deleted", uname)
elif account.is_expired():
logger.warning("user %r is expired", uname)
elif QuarantineHandler.check_entity_quarantines(
self.db, account.entity_id).is_locked():
logger.info("user %r has an active quarantine", uname)
return True
def set_password(self, uname, new_password, token, browser_token):
if not self.check_token(uname, token, browser_token):
return False
account = self.get_account(uname)
try:
check_password(new_password, account)
except PasswordNotGoodEnough as e:
m = text_type(e)
raise Errors.CerebrumRPCException('password_invalid', m)
# All data is good. Set password
account.set_password(new_password)
try:
account.write_db()
account._db.commit()
logger.info("Password for %r altered", uname)
except self.db.DatabaseError as m:
logger.error("Error when setting password for %r: %s", uname, m)
raise Errors.CerebrumRPCException('error_unknown')
# Remove "weak password" quarantine
for r in account.get_entity_quarantine():
for qua in (self.co.quarantine_autopassord,
self.co.quarantine_svakt_passord):
if int(r['quarantine_type']) == qua:
account.delete_entity_quarantine(qua)
account.write_db()
account._db.commit()
# TODO: move these checks up and raise exceptions? Wouldn't happen,
# since generate_token() checks this already, but might get other
# authentication methods later.
if account.is_deleted():
logger.warning("user %r is deleted", uname)
elif account.is_expired():
logger.warning("user %r is expired", uname)
elif QuarantineHandler.check_entity_quarantines(
self.db, account.entity_id).is_locked():
logger.info("user %r has an active quarantine", uname)
return True
def validate_password(self, password, account_name, structured):
"""
Validate any password
:param password: the password to be validated
:type password: string
:param account_name: the account name to be used or ''
:type account_name: string
:param structured: whether to ask for a strctured (json) output
:type structured: bool
"""
account = None
if account_name:
try:
account = Factory.get('Account')(self.db)
account.find_by_name(account_name)
except Errors.NotFoundError:
raise Errors.CerebrumRPCException('unknown_error')
try:
result = check_password(password, account, structured)
# exceptions are obsolete and used only for backward
# compatibility here (f.i. old brukerinfo clients)
except PhrasePasswordNotGoodEnough as e:
# assume that structured is False
m = text_type(e)
# separate exception for phrases on the client??
# no point of having separate except block otherwise
raise Errors.CerebrumRPCException('password_invalid', m)
except PasswordNotGoodEnough as e:
# assume that structured is False
m = text_type(e)
raise Errors.CerebrumRPCException('password_invalid', m)
else:
if structured:
# success or error data sent to the caller
return json.dumps(result, indent=4)
else:
# no PasswordNotGoodEnough exception thrown
return 'OK'
def validate_password(self, password, account_name, structured):
"""
Validate any password
:param password: the password to be validated
:type password: str
:param account_name: the account name to be used or ''
:type account_name: str
:param structured: whether to ask for a strctured (json) output
:type structured: bool
"""
account = None
if account_name:
try:
account = Factory.get('Account')(self.db)
account.find_by_name(account_name)
except Errors.NotFoundError:
raise Errors.CerebrumRPCException('unknown_error')
try:
result = check_password(password, account, structured)
# exceptions are obsolete and used only for backward
# compatibility here (f.i. old brukerinfo clients)
except PhrasePasswordNotGoodEnough as e:
# assume that structured is False
m = str(e).decode('utf-8')
# separate exception for phrases on the client??
# no point of having separate except block otherwise
raise Errors.CerebrumRPCException('password_invalid', m)
except PasswordNotGoodEnough as e:
# assume that structured is False
m = str(e).decode('utf-8')
raise Errors.CerebrumRPCException('password_invalid', m)
else:
if structured:
# success or error data sent to the caller
return json.dumps(result, indent=4)
else:
# no PasswordNotGoodEnough exception thrown
return 'OK'
def test_all_default_phrase_checks(cereconf_phrase,
bad_phrase_password_strings):
"""
"""
with pytest.raises(checker.PhrasePasswordNotGoodEnough):
checker.check_password(bad_phrase_password_strings)
def test_all_default_rigid_checks(cereconf_rigid, bad_rigid_password_strings):
"""
"""
with pytest.raises(checker.RigidPasswordNotGoodEnough):
checker.check_password(bad_rigid_password_strings)