def testGoodPassword(schema_id, password):
    """Round-trip *password* through the AuthEncoding scheme *schema_id*.

    Checks that hashing changes the value, that the hash validates
    against the original password (both as returned and after passing
    through ``u()``), and that ``is_encrypted`` tells the hash and the
    plaintext apart.
    """
    hashed = AuthEncoding.pw_encrypt(password, schema_id)

    # The stored form must never be the plaintext itself.
    assert hashed != password

    # The hash must validate as returned ...
    assert AuthEncoding.pw_validate(hashed, password)
    # ... and after conversion by u() (presumably to text; u is
    # defined outside this view).
    assert AuthEncoding.pw_validate(u(hashed), password)

    # Only the hashed form may be reported as encrypted.
    looks_hashed = AuthEncoding.is_encrypted
    assert looks_hashed(hashed)
    assert not looks_hashed(password)
Esempio n. 2
def testGoodPassword(schema_id, password):
    """Verify one AuthEncoding scheme end to end for a valid password.

    *schema_id* selects the scheme handed to ``pw_encrypt``; *password*
    is the plaintext that is hashed and then validated.
    """
    digest = AuthEncoding.pw_encrypt(password, schema_id)

    # Hashing must not hand the plaintext back unchanged.
    assert digest != password

    # Validation is checked twice: on the value pw_encrypt returned and
    # on the same value passed through u() (defined outside this view).
    assert AuthEncoding.pw_validate(digest, password)
    text_digest = u(digest)
    assert AuthEncoding.pw_validate(text_digest, password)

    # is_encrypted must accept the hash and reject the plaintext.
    assert AuthEncoding.is_encrypted(digest)
    assert not AuthEncoding.is_encrypted(password)
Esempio n. 3
    def _pw_encrypt(self, password):
        """Return *password* in its AuthEncoding-hashed form.

        A value that ``AuthEncoding.is_encrypted`` already recognises is
        returned unchanged, so that it is not hashed a second time;
        anything else is hashed with ``AuthEncoding.pw_encrypt`` using
        that function's default scheme.

        NOTE(review): the pass-through trusts ``is_encrypted`` alone.
        If that check only looks at a scheme tag, a plaintext value that
        happens to start with such a tag would be stored unhashed --
        confirm how ``is_encrypted`` decides and, if needed, reject such
        input before it reaches this method.
        """
        already_hashed = AuthEncoding.is_encrypted(password)
        return password if already_hashed else AuthEncoding.pw_encrypt(password)
Esempio n. 4
    def authenticateCredentials(self, credentials):
        """ See IAuthenticationPlugin.

        o We expect the credentials to be those returned by
          ILoginPasswordExtractionPlugin.

        Returns ``(userid, login)`` when the supplied password matches
        the stored reference, and ``None`` for every failure (missing
        field, unknown login, no stored password, wrong password), so
        the return value does not reveal which check failed.

        NOTE(review): the last step keeps a legacy format alive, a bare
        ``sha(...)`` hex digest with no salt, compared with ``==``.
        Records still in that format are candidates for re-hashing
        through AuthEncoding, and a constant-time comparison such as
        ``hmac.compare_digest`` would be the safer primitive there.
        """
        login_name = credentials.get('login')
        candidate = credentials.get('password')

        if login_name is None:
            return None
        if candidate is None:
            return None

        # Resolve the login name to a user id.  There is deliberately no
        # fallback that treats the login as a user id when the lookup
        # misses: that would often look like a successful login while
        # actually failing, so an unmapped login is simply rejected.
        user_id = self._login_to_userid.get(login_name)
        if user_id is None:
            return None

        stored = self._user_passwords.get(user_id)
        if stored is None:
            return None

        authenticated = (user_id, login_name)

        # Preferred path: the stored value carries an AuthEncoding
        # scheme and validates against the supplied password.
        if (AuthEncoding.is_encrypted(stored)
                and AuthEncoding.pw_validate(stored, candidate)):
            return authenticated

        # Support previous naive behavior: the stored value is the hex
        # digest of the UTF-8 encoded password.  This is also reached
        # when the AuthEncoding validation above did not succeed.
        if isinstance(candidate, six.text_type):
            raw = candidate.encode('utf8')
        else:
            raw = candidate

        if stored == sha(raw).hexdigest():
            return authenticated

        return None
Esempio n. 5
def testIsEncryptedAcceptsTextAndBinary():
    """Check that ``is_encrypted`` handles both bytes and text input.

    A value consisting of just the ``{SHA}`` tag is expected to be
    reported as encrypted, and ``foo`` is not, in both string types.
    """
    # Tagged values: bytes first, then text.
    for tagged in (b'{SHA}', u'{SHA}'):
        assert AuthEncoding.is_encrypted(tagged)

    # Untagged values: bytes first, then text.
    for untagged in (b'foo', u'foo'):
        assert not AuthEncoding.is_encrypted(untagged)
Esempio n. 6
 def _isPasswordEncrypted(self, pw):
     """Return whatever ``AuthEncoding.is_encrypted`` reports for *pw*.

     NOTE(review): this says only that *pw* is in a form AuthEncoding
     recognises, not that it is a valid hash of any password -- confirm
     callers do not treat it as proof the value is safe to store as is.
     """
     recognised = AuthEncoding.is_encrypted(pw)
     return recognised