Exemple #1
0
    def create(self, form_data, cur_user=None):
        if not cur_user:
            cur_user = getattr(get_current_authuser(), 'username', None)

        from kallithea.lib.hooks import log_create_user, \
            check_allowed_create_user
        _fd = form_data
        user_data = {
            'username': _fd['username'],
            'password': _fd['password'],
            'email': _fd['email'],
            'firstname': _fd['firstname'],
            'lastname': _fd['lastname'],
            'active': _fd['active'],
            'admin': False
        }
        # raises UserCreationError if it's not allowed
        check_allowed_create_user(user_data, cur_user)
        from kallithea.lib.auth import get_crypt_password

        new_user = User()
        for k, v in form_data.items():
            if k == 'password':
                v = get_crypt_password(v)
            if k == 'firstname':
                k = 'name'
            setattr(new_user, k, v)

        new_user.api_key = generate_api_key()
        Session().add(new_user)
        Session().flush() # make database assign new_user.user_id

        log_create_user(new_user.get_dict(), cur_user)
        return new_user
Exemple #2
0
    def create(self, form_data, cur_user=None):
        if not cur_user:
            cur_user = getattr(get_current_authuser(), 'username', None)

        from kallithea.lib.hooks import log_create_user, check_allowed_create_user
        _fd = form_data
        user_data = {
            'username': _fd['username'], 'password': _fd['password'],
            'email': _fd['email'], 'firstname': _fd['firstname'], 'lastname': _fd['lastname'],
            'active': _fd['active'], 'admin': False
        }
        # raises UserCreationError if it's not allowed
        check_allowed_create_user(user_data, cur_user)
        from kallithea.lib.auth import get_crypt_password

        new_user = User()
        for k, v in form_data.items():
            if k == 'password':
                v = get_crypt_password(v)
            if k == 'firstname':
                k = 'name'
            setattr(new_user, k, v)

        new_user.api_key = generate_api_key(form_data['username'])
        self.sa.add(new_user)

        log_create_user(new_user.get_dict(), cur_user)
        return new_user
Exemple #3
0
    def test_forgot_password(self):
        response = self.app.get(
            url(controller='login', action='password_reset'))
        self.assertEqual(response.status, '200 OK')

        username = '******'
        password = '******'
        email = '*****@*****.**'
        name = 'passwd'
        lastname = 'reset'

        new = User()
        new.username = username
        new.password = password
        new.email = email
        new.name = name
        new.lastname = lastname
        new.api_key = generate_api_key(username)
        Session().add(new)
        Session().commit()

        response = self.app.post(
            url(controller='login', action='password_reset'), {
                'email': email,
            })

        self.checkSessionFlash(response, 'Your password reset link was sent')

        response = response.follow()

        # BAD KEY

        key = "bad"
        response = self.app.get(
            url(controller='login',
                action='password_reset_confirmation',
                key=key))
        self.assertEqual(response.status, '302 Found')
        self.assertTrue(response.location.endswith(url('reset_password')))

        # GOOD KEY

        key = User.get_by_username(username).api_key
        response = self.app.get(
            url(controller='login',
                action='password_reset_confirmation',
                key=key))
        self.assertEqual(response.status, '302 Found')
        self.assertTrue(response.location.endswith(url('login_home')))

        self.checkSessionFlash(response,
                               ('Your password reset was successful, '
                                'new password has been sent to your email'))

        response = response.follow()
Exemple #4
0
    def test_forgot_password(self):
        response = self.app.get(url(controller='login',
                                    action='password_reset'))
        self.assertEqual(response.status, '200 OK')

        username = '******'
        password = '******'
        email = '*****@*****.**'
        name = 'passwd'
        lastname = 'reset'

        new = User()
        new.username = username
        new.password = password
        new.email = email
        new.name = name
        new.lastname = lastname
        new.api_key = generate_api_key(username)
        Session().add(new)
        Session().commit()

        response = self.app.post(url(controller='login',
                                     action='password_reset'),
                                 {'email': email, })

        self.checkSessionFlash(response, 'Your password reset link was sent')

        response = response.follow()

        # BAD KEY

        key = "bad"
        response = self.app.get(url(controller='login',
                                    action='password_reset_confirmation',
                                    key=key))
        self.assertEqual(response.status, '302 Found')
        self.assertTrue(response.location.endswith(url('reset_password')))

        # GOOD KEY

        key = User.get_by_username(username).api_key
        response = self.app.get(url(controller='login',
                                    action='password_reset_confirmation',
                                    key=key))
        self.assertEqual(response.status, '302 Found')
        self.assertTrue(response.location.endswith(url('login_home')))

        self.checkSessionFlash(response,
                               ('Your password reset was successful, '
                                'new password has been sent to your email'))

        response = response.follow()
    def my_account_api_keys_delete(self):
        api_key = request.POST.get('del_api_key')
        if request.POST.get('del_api_key_builtin'):
            user = User.get(request.authuser.user_id)
            user.api_key = generate_api_key()
            Session().commit()
            h.flash(_("API key successfully reset"), category='success')
        elif api_key:
            ApiKeyModel().delete(api_key, request.authuser.user_id)
            Session().commit()
            h.flash(_("API key successfully deleted"), category='success')

        raise HTTPFound(location=url('my_account_api_keys'))
Exemple #6
0
    def delete_api_key(self, id):
        c.user = self._get_user_or_raise_if_default(id)

        api_key = request.POST.get('del_api_key')
        if request.POST.get('del_api_key_builtin'):
            c.user.api_key = generate_api_key()
            Session().commit()
            h.flash(_("API key successfully reset"), category='success')
        elif api_key:
            ApiKeyModel().delete(api_key, c.user.user_id)
            Session().commit()
            h.flash(_("API key successfully deleted"), category='success')

        raise HTTPFound(location=url('edit_user_api_keys', id=c.user.user_id))
Exemple #7
0
    def create(self, user, description, lifetime=-1):
        """
        :param user: user or user_id
        :param description: description of ApiKey
        :param lifetime: expiration time in seconds
        """
        user = self._get_user(user)

        new_api_key = UserApiKeys()
        new_api_key.api_key = generate_api_key(user.username)
        new_api_key.user_id = user.user_id
        new_api_key.description = description
        new_api_key.expires = time.time() + (lifetime * 60) if lifetime != -1 else -1
        Session().add(new_api_key)

        return new_api_key
Exemple #8
0
    def my_account_api_keys_delete(self):
        api_key = request.POST.get('del_api_key')
        user_id = self.authuser.user_id
        if request.POST.get('del_api_key_builtin'):
            user = User.get(user_id)
            if user:
                user.api_key = generate_api_key(user.username)
                Session().add(user)
                Session().commit()
                h.flash(_("Api key successfully reset"), category='success')
        elif api_key:
            ApiKeyModel().delete(api_key, self.authuser.user_id)
            Session().commit()
            h.flash(_("Api key successfully deleted"), category='success')

        return redirect(url('my_account_api_keys'))
Exemple #9
0
    def my_account_api_keys_delete(self):
        api_key = request.POST.get('del_api_key')
        user_id = self.authuser.user_id
        if request.POST.get('del_api_key_builtin'):
            user = User.get(user_id)
            if user:
                user.api_key = generate_api_key(user.username)
                Session().add(user)
                Session().commit()
                h.flash(_("Api key successfully reset"), category='success')
        elif api_key:
            ApiKeyModel().delete(api_key, self.authuser.user_id)
            Session().commit()
            h.flash(_("Api key successfully deleted"), category='success')

        return redirect(url('my_account_api_keys'))
Exemple #10
0
    def create(cls, form_data):
        from kallithea.lib.auth import get_crypt_password

        try:
            new_user = cls()
            for k, v in form_data.items():
                if k == 'password':
                    v = get_crypt_password(v)
                setattr(new_user, k, v)

            new_user.api_key = generate_api_key(form_data['username'])
            Session.add(new_user)
            Session.commit()
            return new_user
        except:
            log.error(traceback.format_exc())
            Session.rollback()
            raise
Exemple #11
0
    def create_or_update(self, username, password, email, firstname='',
                         lastname='', active=True, admin=False,
                         extern_type=None, extern_name=None, cur_user=None):
        """
        Creates a new instance if not found, or updates current one

        :param username:
        :param password:
        :param email:
        :param active:
        :param firstname:
        :param lastname:
        :param active:
        :param admin:
        :param extern_name:
        :param extern_type:
        :param cur_user:
        """
        if not cur_user:
            cur_user = getattr(get_current_authuser(), 'username', None)

        from kallithea.lib.auth import get_crypt_password, check_password
        from kallithea.lib.hooks import log_create_user, \
            check_allowed_create_user
        user_data = {
            'username': username, 'password': password,
            'email': email, 'firstname': firstname, 'lastname': lastname,
            'active': active, 'admin': admin
        }
        # raises UserCreationError if it's not allowed
        check_allowed_create_user(user_data, cur_user)

        log.debug('Checking for %s account in Kallithea database', username)
        user = User.get_by_username(username, case_insensitive=True)
        if user is None:
            log.debug('creating new user %s', username)
            new_user = User()
            edit = False
        else:
            log.debug('updating user %s', username)
            new_user = user
            edit = True

        try:
            new_user.username = username
            new_user.admin = admin
            new_user.email = email
            new_user.active = active
            new_user.extern_name = extern_name
            new_user.extern_type = extern_type
            new_user.name = firstname
            new_user.lastname = lastname

            if not edit:
                new_user.api_key = generate_api_key()

            # set password only if creating an user or password is changed
            password_change = new_user.password and \
                not check_password(password, new_user.password)
            if not edit or password_change:
                reason = 'new password' if edit else 'new user'
                log.debug('Updating password reason=>%s', reason)
                new_user.password = get_crypt_password(password) \
                    if password else ''

            if user is None:
                Session().add(new_user)
                Session().flush() # make database assign new_user.user_id

            if not edit:
                log_create_user(new_user.get_dict(), cur_user)

            return new_user
        except (DatabaseError,):
            log.error(traceback.format_exc())
            raise
Exemple #12
0
    def create_or_update(self, username, password, email, firstname='',
                         lastname='', active=True, admin=False,
                         extern_type=None, extern_name=None, cur_user=None):
        """
        Creates a new instance if not found, or updates current one

        :param username:
        :param password:
        :param email:
        :param active:
        :param firstname:
        :param lastname:
        :param active:
        :param admin:
        :param extern_name:
        :param extern_type:
        :param cur_user:
        """
        if not cur_user:
            cur_user = getattr(get_current_authuser(), 'username', None)

        from kallithea.lib.auth import get_crypt_password, check_password
        from kallithea.lib.hooks import log_create_user, check_allowed_create_user
        user_data = {
            'username': username, 'password': password,
            'email': email, 'firstname': firstname, 'lastname': lastname,
            'active': active, 'admin': admin
        }
        # raises UserCreationError if it's not allowed
        check_allowed_create_user(user_data, cur_user)

        log.debug('Checking for %s account in Kallithea database' % username)
        user = User.get_by_username(username, case_insensitive=True)
        if user is None:
            log.debug('creating new user %s' % username)
            new_user = User()
            edit = False
        else:
            log.debug('updating user %s' % username)
            new_user = user
            edit = True

        try:
            new_user.username = username
            new_user.admin = admin
            new_user.email = email
            new_user.active = active
            new_user.extern_name = safe_unicode(extern_name) if extern_name else None
            new_user.extern_type = safe_unicode(extern_type) if extern_type else None
            new_user.name = firstname
            new_user.lastname = lastname

            if not edit:
                new_user.api_key = generate_api_key(username)

            # set password only if creating an user or password is changed
            password_change = new_user.password and not check_password(password,
                                                            new_user.password)
            if not edit or password_change:
                reason = 'new password' if edit else 'new user'
                log.debug('Updating password reason=>%s' % (reason,))
                new_user.password = get_crypt_password(password) if password else None

            self.sa.add(new_user)

            if not edit:
                log_create_user(new_user.get_dict(), cur_user)
            return new_user
        except (DatabaseError,):
            log.error(traceback.format_exc())
            raise
Exemple #13
0
    def test_forgot_password(self):
        response = self.app.get(base.url(controller='login',
                                    action='password_reset'))
        assert response.status == '200 OK'

        username = '******'
        password = '******'
        email = '*****@*****.**'
        name = 'passwd'
        lastname = 'reset'
        timestamp = int(time.time())

        new = User()
        new.username = username
        new.password = password
        new.email = email
        new.name = name
        new.lastname = lastname
        new.api_key = generate_api_key()
        Session().add(new)
        Session().commit()

        token = UserModel().get_reset_password_token(
            User.get_by_username(username), timestamp, self.session_csrf_secret_token())

        collected = []
        def mock_send_email(recipients, subject, body='', html_body='', headers=None, from_name=None):
            collected.append((recipients, subject, body, html_body))

        with mock.patch.object(kallithea.lib.celerylib.tasks, 'send_email', mock_send_email), \
                mock.patch.object(time, 'time', lambda: timestamp):
            response = self.app.post(base.url(controller='login',
                                         action='password_reset'),
                                     {'email': email,
                                      '_session_csrf_secret_token': self.session_csrf_secret_token()})

        self.checkSessionFlash(response, 'A password reset confirmation code has been sent')

        ((recipients, subject, body, html_body),) = collected
        assert recipients == ['*****@*****.**']
        assert subject == 'Password reset link'
        assert '\n%s\n' % token in body
        (confirmation_url,) = (line for line in body.splitlines() if line.startswith('http://'))
        assert ' href="%s"' % confirmation_url.replace('&', '&').replace('@', '%40') in html_body

        d = urllib.parse.parse_qs(urllib.parse.urlparse(confirmation_url).query)
        assert d['token'] == [token]
        assert d['timestamp'] == [str(timestamp)]
        assert d['email'] == [email]

        response = response.follow()

        # BAD TOKEN

        bad_token = "bad"

        response = self.app.post(base.url(controller='login',
                                     action='password_reset_confirmation'),
                                 {'email': email,
                                  'timestamp': timestamp,
                                  'password': "******",
                                  'password_confirm': "p@ssw0rd",
                                  'token': bad_token,
                                  '_session_csrf_secret_token': self.session_csrf_secret_token(),
                                 })
        assert response.status == '200 OK'
        response.mustcontain('Invalid password reset token')

        # GOOD TOKEN

        response = self.app.get(confirmation_url)
        assert response.status == '200 OK'
        response.mustcontain("You are about to set a new password for the email address %s" % email)
        response.mustcontain('<form action="%s" method="post">' % base.url(controller='login', action='password_reset_confirmation'))
        response.mustcontain('value="%s"' % self.session_csrf_secret_token())
        response.mustcontain('value="%s"' % token)
        response.mustcontain('value="%s"' % timestamp)
        response.mustcontain('value="*****@*****.**"')

        # fake a submit of that form
        response = self.app.post(base.url(controller='login',
                                     action='password_reset_confirmation'),
                                 {'email': email,
                                  'timestamp': timestamp,
                                  'password': "******",
                                  'password_confirm': "p@ssw0rd",
                                  'token': token,
                                  '_session_csrf_secret_token': self.session_csrf_secret_token(),
                                 })
        assert response.status == '302 Found'
        self.checkSessionFlash(response, 'Successfully updated password')

        response = response.follow()
Exemple #14
0
    def test_forgot_password(self):
        response = self.app.get(url(controller='login',
                                    action='password_reset'))
        self.assertEqual(response.status, '200 OK')

        username = '******'
        password = '******'
        email = '*****@*****.**'
        name = u'passwd'
        lastname = u'reset'
        timestamp = int(time.time())

        new = User()
        new.username = username
        new.password = password
        new.email = email
        new.name = name
        new.lastname = lastname
        new.api_key = generate_api_key()
        Session().add(new)
        Session().commit()

        response = self.app.post(url(controller='login',
                                     action='password_reset'),
                                 {'email': email, })

        self.checkSessionFlash(response, 'A password reset confirmation code has been sent')

        response = response.follow()

        # BAD TOKEN

        token = "bad"

        response = self.app.post(url(controller='login',
                                     action='password_reset_confirmation'),
                                 {'email': email,
                                  'timestamp': timestamp,
                                  'password': "******",
                                  'password_confirm': "p@ssw0rd",
                                  'token': token,
                                 })
        self.assertEqual(response.status, '200 OK')
        response.mustcontain('Invalid password reset token')

        # GOOD TOKEN

        # TODO: The token should ideally be taken from the mail sent
        # above, instead of being recalculated.

        token = UserModel().get_reset_password_token(
            User.get_by_username(username), timestamp, self.authentication_token())

        response = self.app.get(url(controller='login',
                                    action='password_reset_confirmation',
                                    email=email,
                                    timestamp=timestamp,
                                    token=token))
        self.assertEqual(response.status, '200 OK')
        response.mustcontain("You are about to set a new password for the email address %s" % email)

        response = self.app.post(url(controller='login',
                                     action='password_reset_confirmation'),
                                 {'email': email,
                                  'timestamp': timestamp,
                                  'password': "******",
                                  'password_confirm': "p@ssw0rd",
                                  'token': token,
                                 })
        self.assertEqual(response.status, '302 Found')
        self.checkSessionFlash(response, 'Successfully updated password')

        response = response.follow()
Exemple #15
0
    def test_forgot_password(self):
        response = self.app.get(
            url(controller='login', action='password_reset'))
        assert response.status == '200 OK'

        username = '******'
        password = '******'
        email = '*****@*****.**'
        name = u'passwd'
        lastname = u'reset'
        timestamp = int(time.time())

        new = User()
        new.username = username
        new.password = password
        new.email = email
        new.name = name
        new.lastname = lastname
        new.api_key = generate_api_key()
        Session().add(new)
        Session().commit()

        response = self.app.post(
            url(controller='login', action='password_reset'), {
                'email': email,
            })

        self.checkSessionFlash(
            response, 'A password reset confirmation code has been sent')

        response = response.follow()

        # BAD TOKEN

        token = "bad"

        response = self.app.post(
            url(controller='login', action='password_reset_confirmation'), {
                'email': email,
                'timestamp': timestamp,
                'password': "******",
                'password_confirm': "p@ssw0rd",
                'token': token,
            })
        assert response.status == '200 OK'
        response.mustcontain('Invalid password reset token')

        # GOOD TOKEN

        # TODO: The token should ideally be taken from the mail sent
        # above, instead of being recalculated.

        token = UserModel().get_reset_password_token(
            User.get_by_username(username), timestamp,
            self.authentication_token())

        response = self.app.get(
            url(controller='login',
                action='password_reset_confirmation',
                email=email,
                timestamp=timestamp,
                token=token))
        assert response.status == '200 OK'
        response.mustcontain(
            "You are about to set a new password for the email address %s" %
            email)

        response = self.app.post(
            url(controller='login', action='password_reset_confirmation'), {
                'email': email,
                'timestamp': timestamp,
                'password': "******",
                'password_confirm': "p@ssw0rd",
                'token': token,
            })
        assert response.status == '302 Found'
        self.checkSessionFlash(response, 'Successfully updated password')

        response = response.follow()