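def test_passwords(session, users):
    """Exercise add / verify / delete of per-user passwords via the service layer.

    Checks that a stored password is kept as a hash rather than the clear-text
    secret, that verification accepts the right secret and rejects a wrong one,
    that two entries built from the same secret get different hashes (a salt
    is applied per entry), that a duplicate name is rejected with
    ``PasswordAlreadyExists``, and that deleting by name removes only the
    named entry.

    Fixtures: ``session`` (DB session) and ``users`` (mapping of e-mail to
    user object) come from conftest; their exact types are not visible here.
    ``TEST_PASSWORD`` is a module-level constant.
    """
    user = users["[email protected]"]

    def _password_named(name):
        # Resolve entries by name rather than by list position: nothing on
        # this page guarantees the order user_passwords() returns, so an
        # ordinal index would tie the test to an ordering detail.
        matches = [p for p in user_passwords(session, user) if p.name == name]
        assert len(matches) == 1, "Expected exactly one password named {!r}".format(name)
        return matches[0]

    add_new_user_password(session, "test", TEST_PASSWORD, user.id)
    assert len(user_passwords(session, user)) == 1, "The user should only have a single password"
    password = _password_named("test")
    assert password.password_hash != TEST_PASSWORD, "The password should not be what is passed in"
    assert password.check_password(TEST_PASSWORD), "The password should validate when given the same password"
    assert not password.check_password("sadfjhsdf"), "Incorrect passwords should fail"

    add_new_user_password(session, "test2", TEST_PASSWORD, user.id)
    assert len(user_passwords(session, user)) == 2, "The user should have 2 passwords"
    password2 = _password_named("test2")
    assert password2.password_hash != TEST_PASSWORD, "The password should not be what is passed in"
    assert password2.check_password(TEST_PASSWORD), "The password should validate when given the same password"
    assert not password2.check_password("sadfjhsdf"), "Incorrect passwords should fail"

    # A second entry with an already-used name must be refused.
    with pytest.raises(PasswordAlreadyExists):
        add_new_user_password(session, "test", TEST_PASSWORD, user.id)

    # Discard whatever the rejected duplicate insert left pending so the
    # session is usable again for the queries below.
    session.rollback()

    # Both entries were created from the same secret, so equal hashes would
    # mean the salt is missing or reused. A genuine salt collision is the only
    # other way this can fail; the original author puts its probability at
    # roughly 1/2^160 (depends on the salt length the implementation uses).
    assert (
        password.password_hash != password2.password_hash
    ), "2 passwords that are identical should hash differently because of the salts"

    delete_user_password(session, "test", user.id)
    remaining = user_passwords(session, user)
    assert len(remaining) == 1, "The user should only have a single password"
    assert remaining[0].name == "test2", "The password named test should have been deleted"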
def test_passwords_api(session, users, http_client, base_url, graph):
    """End-to-end check of the password fields exposed by the ``/users/<name>`` API.

    Adds one password, refreshes the graph, fetches the user record over HTTP
    and inspects the first ``passwords`` entry: its name, the advertised hash
    function, and that the published ``hash`` equals ``crypt(secret, salt)``
    for the right secret and differs for a wrong one. The password is then
    deleted and the API must report an empty list. Runs as a generator-style
    coroutine: each HTTP fetch is yielded to the test's event loop.

    Fixtures (``session``, ``users``, ``http_client``, ``base_url``, ``graph``)
    come from conftest; ``Counter``, ``url`` and ``crypt`` are module-level.
    """
    user = users['[email protected]']
    TEST_PASSWORD = "test_password_please_ignore"

    add_new_user_password(session, "test", TEST_PASSWORD, user.id)
    assert len(user_passwords(session, user)) == 1, "The user should only have a single password"

    api_url = url(base_url, '/users/{}'.format(user.username))

    # --- password present: the API must publish it, and the published
    # salt/hash pair must be reproducible with the stated hash function.
    graph.update_from_db(session)
    expected = Counter.get(session, name="updates")
    resp = yield http_client.fetch(api_url)
    body = json.loads(resp.body)
    assert body["checkpoint"] == expected.count, "The API response is not up to date"
    exposed = body["data"]["user"]["passwords"]
    assert exposed != [], "The user should not have an empty passwords field"
    entry = exposed[0]
    assert entry["name"] == "test", "The password should have the same name"
    assert entry["func"] == "crypt(3)-$6$", "This test does not support any hash functions other than crypt(3)-$6$"
    # NOTE(review): the stdlib `crypt` module is deprecated since Python 3.11
    # and removed in 3.13, so this recomputation needs a replacement there.
    recomputed = crypt.crypt(TEST_PASSWORD, entry["salt"])
    assert entry["hash"] == recomputed, "The hash should be the same as hashing the password and the salt together using the hashing function"
    wrong_secret = crypt.crypt("hello", entry["salt"])
    assert entry["hash"] != wrong_secret, "The hash should not be the same as hashing the wrong password and the salt together using the hashing function"

    # --- password removed: the API must no longer list it.
    delete_user_password(session, "test", user.id)
    # NOTE(review): the counter is read before the graph refresh here, the
    # reverse of the order used above; kept as written — confirm which order
    # the checkpoint contract actually requires.
    expected = Counter.get(session, name="updates")
    graph.update_from_db(session)
    resp = yield http_client.fetch(api_url)
    body = json.loads(resp.body)
    assert body["checkpoint"] == expected.count, "The API response is not up to date"
    assert body["data"]["user"]["passwords"] == [], "The user should not have any passwords"
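    def post(self, user_id=None, name=None, pass_id=None):
        """Delete one of a user's passwords and redirect back to the user page.

        Args:
            user_id: id of the owning user, from the route (may be None when
                the route supplies ``name`` instead).
            name: username of the owning user, the alternative route form.
            pass_id: id of the ``UserPassword`` row to delete.

        Returns:
            The handler's ``notfound()`` / ``forbidden()`` response, or a
            redirect to ``/users/<id>?refresh=yes`` once the password is gone.
        """
        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        # The access check runs before the password row is looked up, so a
        # caller who may not manage this user learns nothing about its rows.
        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        # The lookup passes `user=user`, which presumably confines the match to
        # this user's rows, so a pass_id owned by someone else does not resolve.
        password = UserPassword.get(self.session, user=user, id=pass_id)
        target = "/users/{}?refresh=yes".format(user.id)

        # Treat "already gone" as success, the same way the PasswordDoesNotExist
        # branch below does. Without this guard an unknown pass_id would reach
        # `password.name` on a None result (assuming UserPassword.get returns
        # None on a miss, as User.get evidently can) and raise AttributeError.
        if password is None:
            return self.redirect(target)

        try:
            delete_user_password(self.session, password.name, user.id)
        except PasswordDoesNotExist:
            # The row vanished between lookup and delete; pretend it was
            # deleted, as the original code did.
            return self.redirect(target)

        # Record who deleted which password on which account before committing.
        AuditLog.log(self.session, self.current_user.id, 'delete_password',
                     'Deleted password: {}'.format(password.name),
                     on_user_id=user.id)
        self.session.commit()
        return self.redirect(target)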