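def test_check_password_MD5k():
    """check_password() accepts the right password and rejects a wrong one for the MD5k scheme.

    The second assertion is written as ``assert not ...`` rather than a
    comparison against ``False`` so any falsy verdict counts as rejection.
    """
    hashed = crypt_password("secret", "MD5k")
    assert check_password(hashed, "secret"), "Password verification failed"
    other_hashed = crypt_password("geheim", "MD5k")
    assert not check_password(other_hashed, "secret"), \
        "Password verification passed for wrong password"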
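def handle_reset(self, id):
    """Complete a password reset for the reset token ``id``.

    Looks up the ``ResetData`` row for the token, verifies that the account
    it was issued for still exists, compares ``new_password`` with
    ``new_password_conf`` and, on a match, stores the new ``crypt_password``
    hash and consumes the token.  An unknown token or a vanished account
    answers 404; a mismatch flashes "Password mismatch" and redirects back
    to the reset form.
    """
    if id is None:
        abort(404)
    s = Session()
    reset_data = s.query(ResetData).filter_by(token=unicode(id)).first()
    if reset_data is None:
        abort(404)
    # NOTE(review): no token expiry check is visible here — confirm that
    # ResetData tokens are invalidated elsewhere after some time.
    # Sanity check: the account may have been deleted between requesting
    # the reset and submitting the new password; drop the orphaned token.
    user = s.query(User).filter_by(email=reset_data.email).first()
    if user is None:
        s.delete(reset_data)
        s.commit()  # was misspelled "commmit", which raised AttributeError
        abort(404)
    new_password = request.params.get('new_password')
    new_password_conf = request.params.get('new_password_conf')
    # A missing field used to be stringified to u"None" and, with both
    # fields absent, accepted as the new password.  Treat it as a mismatch.
    if new_password is None or new_password != new_password_conf:
        session['messages'] = ["Password mismatch"]
        session.save()
        redirect_to(action='reset', id=reset_data.token)
    user.password = crypt_password(unicode(new_password))
    s.add(user)
    s.delete(reset_data)  # the token is single-use
    s.commit()
    redirect_to(action='reset_complete', id=None)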
def test_password_MD5():
    """crypt_password(..., "MD5") produces a parseable {MD5} string.

    The digest part must equal md5 over the salt followed by the password.
    """
    stored = crypt_password("secret", "MD5")
    scheme, salt, digest = parse_pass(stored)
    assert scheme == "{MD5}", "method is %s, not {MD5}" % scheme
    assert salt is not None, "salt is None"
    expected = hashlib.md5(salt)
    expected.update(u"secret")
    assert digest == expected.hexdigest(), "Crypted password did not match"
def test_login(self):
    """Walk the browser login form through every outcome.

    Order of attempts: unknown account (mismatch), account created but
    inactive ("Account disabled"), wrong password after activation
    (mismatch), and finally a login that is greeted with "Welcome".
    """

    def login_form_of(response):
        # Pick the form carrying an 'email' field (last match wins) and
        # fail the test when there is none.
        form = None
        for key in response.forms.keys():
            if 'email' in response.forms[key].fields:
                form = response.forms[key]
        self.assertNotEqual(form, None)
        return form

    def attempt(form, email, password):
        # Submit the credentials and follow the redirect to the page that
        # renders the flash message.
        form['email'] = email
        form['password'] = password
        return form.submit().follow()

    res = self.app.get(url_for(controller='auth', action='login', id=None))
    form = login_form_of(res)

    # Nobody is registered yet.
    res = attempt(form, "test@localhost", "******")
    res.mustcontain("Password mismatch")

    s = model.Session()
    # Create the user as "inactive".
    user = model.User(u"test@localhost", crypt_password("secret"), False)
    data = model.UserData(u"Test Testus", u"test", u"test", u"test")
    data.user = user
    s.save(user)
    s.save(data)
    s.commit()

    # Disabled users must not be able to log in.
    res = attempt(form, "test@localhost", "******")
    res.mustcontain("Account disabled")

    user.active = True
    s.update(user)
    s.commit()

    # Activated, but the credentials are still rejected.
    res = attempt(form, "test@localhost", "******")
    res.mustcontain("Password mismatch")

    # Activated and accepted.
    res = attempt(form, "test@localhost", "******")
    res.mustcontain("Welcome test@localhost")
def test_index(self):
    """After an ajax login the account index lists exactly the logged-in user's account."""
    s = model.Session()
    # An already-activated user so the login below is accepted.
    user = model.User(u"test@localhost", crypt_password('secret'), True)
    data = model.UserData(u"Test Testus", u"test", u"test", u"test")
    data.user = user
    s.save(user)
    s.save(data)
    s.commit()
    # Log in through the ajax endpoint.
    login_url = url_for(controller='auth', action='submit', id='ajax')
    credentials = {'email': 'test@localhost', 'password': '******'}
    res = self.app.post(login_url, credentials)
    res.mustcontain("success")
    # The index must expose only this user's account.
    res = self.app.get(url_for(controller='account', id=None))
    accounts = res.c.accounts
    self.assertEqual(len(accounts), 1)
    self.assertEqual(accounts[0].id, user.id)
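def setup_superuser(model):
    """Interactively create the superuser account.

    Reads the e-mail address and then the password from stdin (one line
    each), stores only the ``crypt_password`` hash, attaches the "admin"
    (and, for now, "lead") roles when those rows exist, and commits.

    Raises:
        ValueError: if the e-mail address or the password is empty, so the
            administrator account is never created with blank credentials.
    """
    s = meta.Session()
    sys.stdout.write("Enter email for the super user\n")
    email = unicode(sys.stdin.readline().strip())
    if not email:
        raise ValueError("superuser email must not be empty")
    sys.stdout.write("Enter superuser password\n")
    plain_password = sys.stdin.readline().strip()
    if not plain_password:
        raise ValueError("superuser password must not be empty")
    passwd = crypt_password(plain_password)
    user = model.User(email, passwd, True)
    # NOTE(review): if the role rows have not been seeded yet the account is
    # created without them — confirm roles exist before running this.
    admin = s.query(model.Role).filter_by(name=u"admin").first()
    #TODO remove the lead role
    lead = s.query(model.Role).filter_by(name=u"lead").first()
    if lead is not None:
        user.roles.append(lead)
    if admin is not None:
        user.roles.append(admin)
    s.add(user)
    data = model.UserData(u"System Administrator", u"admin")
    data.user = user
    s.add(data)
    s.commit()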
def test_check(self):
    """The check action reports anonymous state before login and the e-mail after an ajax login."""
    check_url = url_for(controller='auth', action='check')
    res = self.app.get(check_url)
    res.mustcontain("Not logged in")
    s = model.Session()
    # An already "active" user so the login below is accepted.
    user = model.User(u"test@localhost", crypt_password('secret'), True)
    data = model.UserData(u"Test Testus", u"test", u"test", u"test")
    data.user = user
    s.save(user)
    s.save(data)
    s.commit()
    login_url = url_for(controller='auth', action='submit', id='ajax')
    res = self.app.post(login_url,
                        params={'email': 'test@localhost', 'password': '******'})
    res.mustcontain("success")
    # The session now carries the user's id ...
    self.assertEqual(res.session['user'], user.id)
    # ... and the check action reflects the login.
    res = self.app.get(check_url)
    res.mustcontain("Logged in as test@localhost")
def test_logout(self):
    """Logging out works both for an anonymous visitor and for a logged-in user."""
    # Anonymous: logout must not require a session user.
    res = self.app.get(url_for(controller='auth', action='logout'))
    res.mustcontain("logged out")
    # Now with a logged-in user.
    s = model.Session()
    # Already active so the login is accepted.
    user = model.User(u"test@localhost", crypt_password('secret'), True)
    data = model.UserData(u"Test Testus", u"test", u"test", u"test")
    data.user = user
    s.save(user)
    s.save(data)
    s.commit()
    login_url = url_for(controller='auth', action='submit', id='ajax')
    res = self.app.post(login_url,
                        params={'email': 'test@localhost', 'password': '******'})
    res.mustcontain("success")
    # Logged in: the same action ends the session.
    res = self.app.get(url_for(controller='auth', action='logout', id=None))
    res.mustcontain("logged out")
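def signup(self, id=None):
    """Create a new, not yet activated account from the registration form.

    Validates the form (matching e-mail and password confirmations, an
    address that passes ``_is_email_valid`` and is not registered yet, an
    optional VCS password with matching confirmation), stores the user with
    a ``crypt_password`` hash, commits an ``EmailConfirm`` token and mails
    the activation message.

    ``id == "ajax"`` selects the ajax flavour: validation failures and a
    mail failure are returned as plain strings.  Otherwise a failure is
    flashed into ``session['messages']`` (``session['email_error']`` for
    the mail) and the browser is redirected back to the registration form.
    """

    def param(name, default=None):
        # Form value as unicode, or ``default`` when the field is absent.
        value = request.params.get(name)
        return default if value is None else unicode(value)

    def reject(ajax_message, flash_message):
        # Report a validation failure in the flavour the caller asked for.
        # redirect_to() raises, so nothing after ``return reject(...)`` runs
        # in the browser flavour either.
        if id == "ajax":
            return ajax_message
        session['messages'] = [flash_message]
        session.save()
        redirect_to(action="register")

    user_email = unicode(request.params.get('user_email'))
    user_email_c = unicode(request.params.get('user_email_confirm'))
    s = Session()
    if user_email != user_email_c:
        return reject("email address mismatch", "Email address mismatch")
    if not self._is_email_valid(user_email):
        return reject("invalid email address", "Invalid email address")
    if s.query(User).filter_by(email=user_email).first() is not None:
        return reject("email already associated with an account",
                      "Email already associated with an account")

    user_pass = param('user_pass')
    user_pass_c = param('user_pass_confirm')
    # A missing password field used to be stringified to u"None" and stored
    # as the account password; an absent or empty password is a mismatch.
    if not user_pass or user_pass != user_pass_c:
        return reject("password mismatch", "Password mismatch")

    vcs_pass = param('user_vcs_pass')
    if vcs_pass is not None and vcs_pass != param('user_vcs_pass_confirm'):
        return reject("VCS password mismatch", "VCS password mismatch")

    user_name = param('user_name', u"Unnamed User")
    user_nick = param('user_nick', u"Anonymous")
    vcs_user = param('user_vcs_user')

    user = User(user_email, crypt_password(user_pass))
    # NOTE(review): vcs_pass is handed to UserData as submitted — confirm
    # UserData protects it rather than storing the plaintext.
    data = UserData(user_name, user_nick, vcs_user, vcs_pass)
    data.user = user
    s.add(user)
    s.add(data)
    token = random_token()
    msg = create_account_activation_msg(user.email, token)
    s.add(EmailConfirm(token, user.email))
    # Commit before mailing so the activation token exists when the mail
    # arrives, even if sending fails.
    s.commit()
    try:
        send_mail(user.email, msg)
    except EmailException as e:
        if id == "ajax":
            return "sending account registration failed: %s" % e.message
        session['email_error'] = e.message
        session.save()
    # NOTE(review): no response or redirect is produced on the success
    # path here — confirm the caller or the remainder of the action
    # handles it.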
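def change(self, id=None):
    """Apply the account edit form to the user chosen by the preceding edit step.

    The target user id is taken from ``session['edit_user']`` and consumed
    here, so each edit form can only be submitted once.  Unless
    ``check_role("admin")`` holds, ``current_password`` must verify against
    the stored hash.  The e-mail (must match its confirmation, pass
    ``_is_email_valid`` and not belong to another account), an optional new
    password and VCS password (each with confirmation), display name, nick
    and VCS user name are then updated and committed.

    ``id == "ajax"`` returns plain-string results; otherwise failures are
    flashed into ``session['messages']`` and redirected back to the edit
    form, and success redirects to the 'changed' action.
    """
    edit_user = session.get('edit_user')
    if edit_user is None:
        abort(404)
    del session['edit_user']
    session.save()
    s = Session()
    user = s.query(User).get(edit_user)
    if user is None:
        abort(404)

    def param(name, default=None):
        # Form value as unicode, or ``default`` when the field is absent.
        value = request.params.get(name)
        return default if value is None else unicode(value)

    def reject(ajax_message, flash_message):
        # Report a validation failure in the flavour the caller asked for.
        # redirect_to() raises, so nothing after ``return reject(...)`` runs
        # in the browser flavour either.
        if id == "ajax":
            return ajax_message
        session['messages'] = [flash_message]
        session.save()
        redirect_to(action="edit", id=edit_user)

    user_email = unicode(request.params.get('user_email'))
    user_email_c = unicode(request.params.get('user_email_confirm'))
    # An absent field must not become the literal string "None".
    raw_current = request.params.get('current_password')
    current_password = "" if raw_current is None else str(raw_current)

    # Admins may edit without re-authenticating; everyone else must prove
    # they know the current password.
    if not check_role("admin"):
        if not check_password(user.password, current_password):
            return reject("incorrect password", "Incorrect password")
    if user_email != user_email_c:
        return reject("email address mismatch", "Email address mismatch")
    if not self._is_email_valid(user_email):
        return reject("invalid email address", "Invalid email address")
    # Keeping the same address is fine; only another account owning it is
    # a conflict.
    u_by_email = s.query(User).filter_by(email=user_email).first()
    if u_by_email is not None and u_by_email.id != user.id:
        return reject("email already associated with an account",
                      "Email already associated with an account")
    user.email = user_email

    # A missing password field used to be stringified to u"None" and then
    # stored as the new password; absent now means "leave unchanged".
    user_pass = param('user_pass', u"")
    user_pass_c = param('user_pass_confirm', u"")
    if user_pass != user_pass_c:
        return reject("password mismatch", "Password mismatch")
    if user_pass != "":
        user.password = crypt_password(user_pass)

    vcs_pass = param('user_vcs_pass')
    if vcs_pass is not None:
        if vcs_pass != param('user_vcs_pass_confirm'):
            return reject("VCS password mismatch", "VCS password mismatch")
        # NOTE(review): stored as submitted — confirm UserData protects the
        # VCS password rather than keeping the plaintext.
        user.user_data.vcs_pass = vcs_pass

    user.user_data.name = param('user_name', u"Unnamed User")
    user.user_data.nick = param('user_nick', u"anonymous")
    vcs_user = param('user_vcs_user')
    if vcs_user is not None:
        user.user_data.vcs_user = vcs_user

    s.add(user)
    s.commit()
    if id == "ajax":
        return "user data updated"
    redirect_to(action='changed', id=None)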
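def test_check_password_MD5k():
    """check_password() accepts the right password and rejects a wrong one for the MD5k scheme.

    The second assertion is written as ``assert not ...`` rather than a
    comparison against ``False`` so any falsy verdict counts as rejection.
    """
    hashed = crypt_password("secret", "MD5k")
    assert check_password(hashed, "secret"), "Password verification failed"
    other_hashed = crypt_password("geheim", "MD5k")
    assert not check_password(other_hashed, "secret"), \
        "Password verification passed for wrong password"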
def test_edit(self):
    """Edit the own account through the form, then check the admin-only edit of another account.

    Covers: the form is pre-filled with the stored values, invalid and
    mismatching e-mails and a mismatching password are rejected, a valid
    change is persisted, editing another user's account is forbidden (403)
    without the admin role.
    """

    def edit_form_of(response):
        # Pick the form carrying a 'user_email' field (last match wins) and
        # fail the test when there is none.
        form = None
        for key in response.forms.keys():
            if 'user_email' in response.forms[key].fields:
                form = response.forms[key]
        self.assertNotEqual(form, None)
        return form

    def submit_and_follow(form):
        return form.submit().follow()

    s = model.Session()
    # Two activated users; the second one is only used for the 403 check.
    user = model.User(u"test@localhost", crypt_password('secret'), True)
    data = model.UserData(u"Test Testus", u"test", u"test", u"test")
    data.user = user
    s.save(user)
    s.save(data)
    user2 = model.User(u"test2@localhost", crypt_password('secret'), True)
    data2 = model.UserData(u"Test2 Testus", u"test2", u"test2", u"test")
    data2.user = user2
    s.save(user2)
    s.save(data2)
    s.commit()

    # Log in as the first user.
    login_url = url_for(controller='auth', action='submit', id='ajax')
    res = self.app.post(login_url,
                        params={'email': 'test@localhost', 'password': '******'})
    res.mustcontain("success")

    own_edit_url = url_for(controller='account', action='edit', id=1)
    res = self.app.get(own_edit_url)
    form = edit_form_of(res)

    # The form is pre-filled with the stored account data.
    self.assertEqual(form['user_email'].value, user.email)
    self.assertEqual(form['user_email_confirm'].value, user.email)
    self.assertEqual(form['user_name'].value, data.name)
    self.assertEqual(form['user_nick'].value, data.nick)
    self.assertEqual(form['user_vcs_user'].value, data.vcs_user)

    # Wrong submissions first: a malformed address ...
    form['user_email'] = "testus"
    form['user_email_confirm'] = "testus"
    res = submit_and_follow(form)
    res.mustcontain("Invalid email address")

    # ... a confirmation that differs ...
    form['user_email'] = "test@localhost"
    form['user_email_confirm'] = "test@test"
    res = submit_and_follow(form)
    res.mustcontain("Email address mismatch")

    # ... and a new password without matching confirmation.
    form = edit_form_of(res)
    form['user_pass'] = "******"
    res = submit_and_follow(form)
    res.mustcontain("Password mismatch")

    # Finally a valid change.
    form = edit_form_of(res)
    form['user_nick'] = "testus"
    res = submit_and_follow(form)
    res.mustcontain("Account information successfully updated")
    user = s.query(model.User).get(user.id)
    self.assertEqual(user.user_data.nick, u"testus")

    # Editing user2's data is forbidden for a plain user.
    res = self.app.get(url_for(controller='account', action='edit', id=2),
                       status=403)

    # Grant the admin role ...
    admin = model.Role(u'admin')
    s.save(admin)
    user.roles.append(admin)
    s.update(user)
    s.commit()
    # ... after which the edit page loads.
    # NOTE(review): this fetches id=1 (the own account) — presumably id=2
    # was intended to prove the admin grant; verify.
    res = self.app.get(url_for(controller='account', action='edit', id=1))
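def signup(self, id=None):
    """Create a new, not yet activated account from the registration form.

    Validates the form (matching e-mail and password confirmations, an
    address that passes ``_is_email_valid`` and is not registered yet, an
    optional VCS password with matching confirmation), stores the user with
    a ``crypt_password`` hash, commits an ``EmailConfirm`` token and mails
    the activation message.

    ``id == "ajax"`` selects the ajax flavour: validation failures and a
    mail failure are returned as plain strings.  Otherwise a failure is
    flashed into ``session['messages']`` (``session['email_error']`` for
    the mail) and the browser is redirected back to the registration form.
    """

    def param(name, default=None):
        # Form value as unicode, or ``default`` when the field is absent.
        value = request.params.get(name)
        return default if value is None else unicode(value)

    def reject(ajax_message, flash_message):
        # Report a validation failure in the flavour the caller asked for.
        # redirect_to() raises, so nothing after ``return reject(...)`` runs
        # in the browser flavour either.
        if id == "ajax":
            return ajax_message
        session['messages'] = [flash_message]
        session.save()
        redirect_to(action="register")

    user_email = unicode(request.params.get('user_email'))
    user_email_c = unicode(request.params.get('user_email_confirm'))
    s = Session()
    if user_email != user_email_c:
        return reject("email address mismatch", "Email address mismatch")
    if not self._is_email_valid(user_email):
        return reject("invalid email address", "Invalid email address")
    if s.query(User).filter_by(email=user_email).first() is not None:
        return reject("email already associated with an account",
                      "Email already associated with an account")

    user_pass = param('user_pass')
    user_pass_c = param('user_pass_confirm')
    # A missing password field used to be stringified to u"None" and stored
    # as the account password; an absent or empty password is a mismatch.
    if not user_pass or user_pass != user_pass_c:
        return reject("password mismatch", "Password mismatch")

    vcs_pass = param('user_vcs_pass')
    if vcs_pass is not None and vcs_pass != param('user_vcs_pass_confirm'):
        return reject("VCS password mismatch", "VCS password mismatch")

    user_name = param('user_name', u"Unnamed User")
    user_nick = param('user_nick', u"Anonymous")
    vcs_user = param('user_vcs_user')

    user = User(user_email, crypt_password(user_pass))
    # NOTE(review): vcs_pass is handed to UserData as submitted — confirm
    # UserData protects it rather than storing the plaintext.
    data = UserData(user_name, user_nick, vcs_user, vcs_pass)
    data.user = user
    s.add(user)
    s.add(data)
    token = random_token()
    msg = create_account_activation_msg(user.email, token)
    s.add(EmailConfirm(token, user.email))
    # Commit before mailing so the activation token exists when the mail
    # arrives, even if sending fails.
    s.commit()
    try:
        send_mail(user.email, msg)
    except EmailException as e:
        if id == "ajax":
            return "sending account registration failed: %s" % e.message
        session['email_error'] = e.message
        session.save()
    # NOTE(review): no response or redirect is produced on the success
    # path here — confirm the caller or the remainder of the action
    # handles it.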
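def change(self, id=None):
    """Apply the account edit form to the user chosen by the preceding edit step.

    The target user id is taken from ``session['edit_user']`` and consumed
    here, so each edit form can only be submitted once.  Unless
    ``check_role("admin")`` holds, ``current_password`` must verify against
    the stored hash.  The e-mail (must match its confirmation, pass
    ``_is_email_valid`` and not belong to another account), an optional new
    password and VCS password (each with confirmation), display name, nick
    and VCS user name are then updated and committed.

    ``id == "ajax"`` returns plain-string results; otherwise failures are
    flashed into ``session['messages']`` and redirected back to the edit
    form, and success redirects to the 'changed' action.
    """
    edit_user = session.get('edit_user')
    if edit_user is None:
        abort(404)
    del session['edit_user']
    session.save()
    s = Session()
    user = s.query(User).get(edit_user)
    if user is None:
        abort(404)

    def param(name, default=None):
        # Form value as unicode, or ``default`` when the field is absent.
        value = request.params.get(name)
        return default if value is None else unicode(value)

    def reject(ajax_message, flash_message):
        # Report a validation failure in the flavour the caller asked for.
        # redirect_to() raises, so nothing after ``return reject(...)`` runs
        # in the browser flavour either.
        if id == "ajax":
            return ajax_message
        session['messages'] = [flash_message]
        session.save()
        redirect_to(action="edit", id=edit_user)

    user_email = unicode(request.params.get('user_email'))
    user_email_c = unicode(request.params.get('user_email_confirm'))
    # An absent field must not become the literal string "None".
    raw_current = request.params.get('current_password')
    current_password = "" if raw_current is None else str(raw_current)

    # Admins may edit without re-authenticating; everyone else must prove
    # they know the current password.
    if not check_role("admin"):
        if not check_password(user.password, current_password):
            return reject("incorrect password", "Incorrect password")
    if user_email != user_email_c:
        return reject("email address mismatch", "Email address mismatch")
    if not self._is_email_valid(user_email):
        return reject("invalid email address", "Invalid email address")
    # Keeping the same address is fine; only another account owning it is
    # a conflict.
    u_by_email = s.query(User).filter_by(email=user_email).first()
    if u_by_email is not None and u_by_email.id != user.id:
        return reject("email already associated with an account",
                      "Email already associated with an account")
    user.email = user_email

    # A missing password field used to be stringified to u"None" and then
    # stored as the new password; absent now means "leave unchanged".
    user_pass = param('user_pass', u"")
    user_pass_c = param('user_pass_confirm', u"")
    if user_pass != user_pass_c:
        return reject("password mismatch", "Password mismatch")
    if user_pass != "":
        user.password = crypt_password(user_pass)

    vcs_pass = param('user_vcs_pass')
    if vcs_pass is not None:
        if vcs_pass != param('user_vcs_pass_confirm'):
            return reject("VCS password mismatch", "VCS password mismatch")
        # NOTE(review): stored as submitted — confirm UserData protects the
        # VCS password rather than keeping the plaintext.
        user.user_data.vcs_pass = vcs_pass

    user.user_data.name = param('user_name', u"Unnamed User")
    user.user_data.nick = param('user_nick', u"anonymous")
    vcs_user = param('user_vcs_user')
    if vcs_user is not None:
        user.user_data.vcs_user = vcs_user

    s.add(user)
    s.commit()
    if id == "ajax":
        return "user data updated"
    redirect_to(action='changed', id=None)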