def test_revoke_creds2(self):
    """
    A non-string revocation reason or reference must raise TypeError.
    """
    FakeVCCSClient(None)
    # Positional order is (credential_id, reason, reference).
    # NOTE(review): credential_id is an int in both cases as well, so this
    # test cannot tell which argument triggers the TypeError - confirm
    # against VCCSRevokeFactor's type checks.
    bad_argument_sets = (
        (4712, 1234, 'foobar'),  # reason is not a string
        (4712, 'foobar', 2345),  # reference is not a string
    )
    for bad_args in bad_argument_sets:
        with self.assertRaises(TypeError):
            vccs_client.VCCSRevokeFactor(*bad_args)
def test_revoke_creds1(self):
    """
    A backend reply with success=False must make revoke_credentials() falsy.
    """
    # Canned backend answer reporting that the revocation did not succeed.
    failure_body = json.dumps({
        'revoke_creds_response': {
            'version': 1,
            'success': False,
        },
    })
    client = FakeVCCSClient(failure_body)
    factor = vccs_client.VCCSRevokeFactor('4712', 'testing revoke', 'foobar')
    outcome = client.revoke_credentials('*****@*****.**', [factor])
    # Callers rely on this falsy result to notice that the credential is
    # still valid in the backend.
    self.assertFalse(outcome)
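def revoke_all_credentials(vccs_url, user):
    """
    Revoke every password credential of a user in the VCCS backend.

    Builds one revoke factor per Password credential on the user (reason
    'subscriber requested termination') and sends them to the backend in a
    single call. The user object itself is not modified here.

    Returns nothing. Exceptions raised by the VCCS client are not caught.

    :param vccs_url: URL to VCCS authentication backend
    :param user: user object whose password credentials are revoked
    """
    vccs = get_vccs_client(vccs_url)
    userid = str(user.user_id)

    to_revoke = []
    for passwd in user.credentials.filter(Password).to_list():
        credential_id = str(passwd.credential_id)
        to_revoke.append(vccs_client.VCCSRevokeFactor(
            credential_id, 'subscriber requested termination',
            reference='dashboard'))
        # Nothing has been revoked yet at this point, so the log line says
        # "Revoking"; the outcome is reported after the backend call.
        log.debug("Revoking old credential (account termination)"
                  " {!s} (user {!r})".format(credential_id, user))

    if not to_revoke:
        # No password credentials on the user: nothing to send.
        return

    # A falsy result means the backend did not confirm the revocation, so
    # the credentials may still be valid after account termination. Surface
    # that at warning level instead of discarding the result.
    # NOTE(review): assumes revoke_credentials() returns a true value on
    # success - confirm against vccs_client.
    if not vccs.revoke_credentials(userid, to_revoke):
        log.warning("VCCS did not confirm revocation of {!s} credential(s) "
                    "(account termination) for user {!r}".format(
                        len(to_revoke), user))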
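def revoke_all_credentials(vccs_url, user, source='dashboard', vccs=None):
    """
    Revoke every password of a user in the VCCS backend.

    Builds one revoke factor per password on the user (reason
    'subscriber requested termination') and sends them to the backend in a
    single call. Passwords are not removed from the user object here.

    Returns nothing. Exceptions raised by the VCCS client are not caught.

    :param vccs_url: URL to VCCS authentication backend
    :param user: user object whose passwords are revoked
    :param source: value recorded as the reference of each revocation
    :param vccs: VCCS client to use; when None, one is obtained with
                 get_vccs_client(vccs_url)
    """
    if vccs is None:
        vccs = get_vccs_client(vccs_url)
    if isinstance(user, DashboardLegacyUser):
        # Legacy users are wrapped so that .passwords is available below.
        user = DashboardUser(data=user._mongo_doc)
    userid = str(user.user_id)

    to_revoke = []
    for passwd in user.passwords.to_list():
        credential_id = str(passwd.id)
        to_revoke.append(vccs_client.VCCSRevokeFactor(
            credential_id, 'subscriber requested termination',
            reference=source))
        # Nothing has been revoked yet at this point, so the log line says
        # "Revoking"; the outcome is reported after the backend call.
        logger.debug("Revoking old credential (account termination)"
                     " {!s} (user {!s})".format(credential_id, user))

    if not to_revoke:
        # No passwords on the user: nothing to send.
        return

    # A falsy result means the backend did not confirm the revocation, so
    # the credentials may still be valid after account termination. Surface
    # that at warning level instead of discarding the result.
    # NOTE(review): assumes revoke_credentials() returns a true value on
    # success - confirm against vccs_client.
    if not vccs.revoke_credentials(userid, to_revoke):
        logger.warning("VCCS did not confirm revocation of {!s} credential(s) "
                       "(account termination) for user {!s}".format(
                           len(to_revoke), user))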
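def add_credentials(vccs_url, old_password, new_password, user, source='dashboard', vccs=None):
    """
    Add a new password to a user. Revokes the old one, if one is given.

    When no old password is supplied (password reset), every password
    currently on the user is revoked and removed instead.

    Returns the updated user object on success and False on failure
    (old password did not check out, or the backend refused the new
    credential).

    :param vccs_url: URL to VCCS authentication backend
    :param old_password: plaintext current password
    :param new_password: plaintext new password
    :param user: user object
    :param source: recorded as revocation reference and as the application
                   of the new password
    :param vccs: VCCS client to use; when None, one is obtained with
                 get_vccs_client(vccs_url)

    :type vccs_url: string
    :type old_password: string
    :type user: User | DashboardLegacyUser
    :rtype: User | DashboardUser | bool
    """
    password_id = ObjectId()
    if vccs is None:
        vccs = get_vccs_client(vccs_url)
    new_factor = vccs_client.VCCSPasswordFactor(new_password,
                                                credential_id=str(password_id))

    if isinstance(user, DashboardLegacyUser):
        user = DashboardUser(data=user._mongo_doc)

    old_factor = None
    checked_password = None
    # remember if an old password was supplied or not, without keeping it in
    # memory longer than we have to
    old_password_supplied = bool(old_password)
    if user.passwords.count > 0 and old_password:
        # Find the old credential to revoke
        checked_password = check_password(vccs_url, old_password, user, vccs=vccs)
        # don't need it anymore, try to forget it. This only drops the local
        # reference; the caller may still hold the plaintext.
        del old_password
        if not checked_password:
            return False
        old_factor = vccs_client.VCCSRevokeFactor(
            str(checked_password.id),
            'changing password',
            reference=source,
        )

    if not vccs.add_credentials(str(user.user_id), [new_factor]):
        logger.warning("Failed adding password credential "
                       "{!r} for user {!r}".format(new_factor.credential_id, user))
        return False  # something failed
    logger.debug("Added password credential {!s} for user {!s}".format(
        new_factor.credential_id, user))

    if old_factor:
        old_revoked = vccs.revoke_credentials(str(user.user_id), [old_factor])
        # The password is dropped from the user object whatever the backend
        # answered, as before.
        # NOTE(review): if the backend did not revoke it, the credential may
        # remain valid in VCCS while no longer being referenced by the user.
        user.passwords.remove(checked_password.id)
        if old_revoked:
            logger.debug("Revoked old credential {!s} (user {!s})".format(
                old_factor.credential_id, user))
        else:
            # Do not claim a revocation the backend did not confirm.
            # NOTE(review): assumes revoke_credentials() returns a true
            # value on success - confirm against vccs_client.
            logger.warning("VCCS did not confirm revocation of old credential "
                           "{!s} (user {!s})".format(
                               old_factor.credential_id, user))

    if not old_password_supplied:
        # TODO: Revoke all current credentials on password reset for now
        revoked = []
        for password in user.passwords.to_list():
            revoked.append(
                vccs_client.VCCSRevokeFactor(str(password.id), 'reset password',
                                             reference=source))
            logger.debug("Revoking old credential (password reset) "
                         "{!s} (user {!s})".format(password.id, user))
            user.passwords.remove(password.id)
        if revoked:
            try:
                all_revoked = vccs.revoke_credentials(str(user.user_id), revoked)
            except vccs_client.VCCSClientHTTPError:
                # Password already revoked
                # TODO: vccs backend should be changed to return something more informative than
                # TODO: VCCSClientHTTPError when the credential is already revoked or just return success.
                all_revoked = False
            if not all_revoked:
                # Best effort, as before: the reset continues, but a falsy
                # backend answer is now reported too, not only the HTTP error.
                logger.warning("VCCS failed to revoke all passwords for "
                               "user {!s}".format(user))

    new_password = Password(
        credential_id=password_id,
        salt=new_factor.salt,
        application=source,
    )
    user.passwords.add(new_password)

    return user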