def test_hash_nocontext(self):
        '''This test case ensures an exception is raised if no hash context is given or if the context does not contain salt

        for hash_ctx in [None, {}, {"unknown_attr": "sample value"}]:
            passwd = self._hasher.hash_password("123",
                                           DictionaryObject({"salt": 9999})))
    def test_format_resource_none_ok(self):
        '''This test case ensures validation works correctly even when resource does not contain keys.'''

        desc = {}
        resource = DictionaryObject(desc, immutable=False)

        self._validator.format_resource(resource, None)

        self.assertEqual(desc, {})
    def test_hash_none(self):
        '''This test case ensures that a hash is generated for empty or null passwords.'''

        hash_ctx = DictionaryObject({"salt": 123})

        for plain_passwd in [None, "", "     "]:
            result = self._hasher.hash_password(plain_passwd, hash_ctx)

            self.assertEqual(expected_result, result)
    def test_hash_ok(self):
        '''This test case ensures a base64 encoded hash is return correctly by password hasher.'''

        plain_passwd = "abc123test"
        hash_ctx = DictionaryObject({"salt": 123})

        result = self._hasher.hash_password(plain_passwd, hash_ctx)

        self.assertEqual(expected_result, result)
    def test_dictionary_setnone_deletekey(self):
        '''This test case ensures that None values set on non immutable objects trigger a delete of the specified key.'''

        desc = {"attr1": "test", "attr2": "value"}

        obj = DictionaryObject(desc, immutable=False)

        obj.attr1 = None

        self.assertFalse("attr1" in desc)
    def test_format_resource_ok(self):
        '''This test case ensures format_resource works correctly for an expected resource.'''

        desc = {"username": "******", "password": "******"}
        resource = DictionaryObject(desc, immutable=False)

        self._validator.format_resource(resource, None)

        self.assertEqual(desc["username"], resource.username)
        self.assertTrue("password" not in desc)
Exemple #7
    def format_collection(self, resources, request):  # pylint: disable=W0613
        '''This method must be overriden by each subclass in order to provide custom logic which must be executed after
        a collection is fetched from database. By default, this method simply iterates over the list of available resources and
        invoke format_resource.

        Usually you will want to override this method in order to suppress sensitive data to be sent to clients.'''

        resources = resources or []

        for resource in resources:
            self.format_resource(DictionaryObject(resource, immutable=False),
    def hash_password(self, plain_passwd, hash_ctx=None):
        '''This method provides the sha512 with salt algorithm for a given plain password. In addition, the hash is base64

        if not hash_ctx or not hash_ctx.dictionary.get("salt"):
            hash_ctx = DictionaryObject({"salt": self._DEFAULT_SALT})

        plain_passwd = (plain_passwd or "").strip()

        salt = hash_ctx.salt

        text = (plain_passwd + str(salt)).encode()

        hashed_text = hashlib.sha512(text).hexdigest()

        return base64.b64encode(hashed_text.encode()).decode()
Exemple #9
    def _test_authenticate_ok(self, return_url, expected_url):
        '''This method provides a template test case for ensuring authenticate succeeds for various return_url values.'''

        user = User(username="******",
        user.user_id = 123

        creation_time, expiration_time = self._mock_creationexpiration_time()

        token = Token({
            "client_id": self._IDP_CLIENTID,
            "type": "login",
            "user_id": user.user_id,
            "creation_time": creation_time,
            "expiration_time": expiration_time

        request, user_repo_cls, user_repo, tokens_service_cls, \
            tokens_service, clienturl_facade = self._mock_authenticate_dependencies(token, user, return_url)

        response = self._idp_controller.authenticate(

        self.assertEqual(302, response.status_code)

        location = response.headers.get("Location")

        self.assertEqual(expected_url, location)

            user.password, DictionaryObject({"salt": user.user_id}))

                "client_id": self._IDP_CLIENTID,
                "user_id": user.user_id,
                "expires_in": self._EXPIRES_IN
            }, TokenGeneratorFactory.LOGIN_TOKEN)
        tokens_service.encrypt.assert_called_once_with(token, token.client_id)
    def _validate_user(self, username, password, user_repo):
        '''This method validates the given username and password against the record found in database. If no user is found or
        password does not match an exception is raised.'''

        user = user_repo.load_by_username(username)
        if not user:
            raise OAuth2AuthenticationError("Username or password do not match.")

        password_hash = self._passwords_hasher.hash_password(password, DictionaryObject({"salt": user.user_id}))

        if password_hash != user.password:
            # when the account is created for the first time there is no user_id available so a default salt is used.
            password_hash_default = self._passwords_hasher.hash_password(password)

            if password_hash_default != user.password:
                raise OAuth2AuthenticationError("Username or password do not match.")

        return user
    def test_dictionary_notimmutable(self):
        '''This test case ensures a dictionary object can be built so that his attributes and underlining dictionaries can be
        changed at runtime.'''

        new_attr2 = "abc_altered"

        desc = {"attr1": "abcd", "attr2": "abc"}

        obj = DictionaryObject(desc, immutable=False)

        self.assertEqual(desc["attr1"], obj.attr1)
        self.assertEqual(desc["attr2"], obj.attr2)

        obj.attr2 = new_attr2
        obj.new_attr2 = new_attr2

        self.assertEqual(new_attr2, desc["attr2"])
        self.assertEqual(new_attr2, obj.attr2)
        self.assertEqual(new_attr2, obj.new_attr2)
    def _test_validate_user_template(self, resource, request):
        '''This method provides a template for validate user test cases.'''

        request.request_id = 9876

        default_person = Person(first_name="-",
        person_id = 1

        plain_passwd = resource.password
        user_id = resource.user_id

        hashed_passwd = "123"

        self._hasher.hash_password = Mock(return_value=hashed_passwd)

        if request.method.lower() == "post":
            self._person_facade.new_model = Mock(return_value=default_person)
            self._person_facade.create = Mock(return_value=[person_id])

        self._validator.validate(resource, request)

        self.assertEqual(hashed_passwd, resource.password)
            plain_passwd, DictionaryObject({"salt": user_id}))

        if request.method.lower() == "post":
            self.assertEqual(person_id, resource.person_id)

                Person, self._db_conn)
                first_name="-", last_name="-", email_address=resource.username)
    def _hash_password(self, resource):
        '''This method hashes the password from the given resource.'''

        hash_ctx = {"salt": resource.user_id}
        resource.password = self._passwd_hasher.hash_password(resource.password, DictionaryObject(hash_ctx))
    def get_item(self, request, version, resource_url, resource_id):
        '''This method provides the API for retrieving a single item from a collection. The item is uniquely identified by
        resource_id. Below you can find a success response example:

        .. code-block:: html

            GET - /api/1.0/simple-resources/1 HTTP/1.1

            200 OK
            Content-Type: application/json
            Content-Length: ...

                "id": 1,
                "name": "Test resource",
                "description": "Simple description"

        Of course there are cases when exceptions might occur. Below, you can find a list of error response retrieved from
        get_item API:

            * **10000** - Whenever we try to retrieve a resource with unknown type. (Not registered to ROA).
            * **10030** - Whenever we try to retrieve a resource and an unexpected database exception occurs.
            * **10040** - Whenever we try to retrieve a resource which does not exist.

        if version != "latest":
            version = float(version)

        fields = request.params.get("fields")

        resource = self._resources_registry.find_by_url(resource_url, version)

        if not resource:
            return self._handle_resource_notfound(version, resource_url)

        self._inject_security_context(request, resource.model)
        access_token = self.validate_security_context(request, "read")

        model_facade = self._model_facade_cls(
            resource.model, self._get_current_connection(request))

            model = model_facade.find_by_pk(
                {model_facade.model_pk_cols[0]: resource_id})

            if not self._is_model_owned_by(model, access_token, resource):
                model = None
        except FantasticoDbError as dbex:
            return self._handle_resource_dberror(version, resource_url, dbex)

        if not model:
            return self._handle_resource_item_notfound(version, resource_url,

        json_serializer = self._json_serializer_cls(resource)

        resource_body = json_serializer.serialize(model, fields)

        if resource.validator and model:
                DictionaryObject(resource_body, immutable=False), request)

        resource_body = json.dumps(resource_body)

        response = Response(body=resource_body.encode(),

        return response