def test_passwords_api(session, users, http_client, base_url, graph):
user = users['*****@*****.**']
TEST_PASSWORD = "******"
add_new_user_password(session, "test", TEST_PASSWORD, user.id)
assert len(user_passwords(session, user)) == 1, "The user should only have a single password"
graph.update_from_db(session)
c = Counter.get(session, name="updates")
api_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(api_url)
body = json.loads(resp.body)
assert body["checkpoint"] == c.count, "The API response is not up to date"
assert body["data"]["user"]["passwords"] != [], "The user should not have an empty passwords field"
assert body["data"]["user"]["passwords"][0]["name"] == "test", "The password should have the same name"
assert body["data"]["user"]["passwords"][0]["func"] == "crypt(3)-$6$", "This test does not support any hash functions other than crypt(3)-$6$"
assert body["data"]["user"]["passwords"][0]["hash"] == crypt.crypt(TEST_PASSWORD, body["data"]["user"]["passwords"][0]["salt"]), "The hash should be the same as hashing the password and the salt together using the hashing function"
assert body["data"]["user"]["passwords"][0]["hash"] != crypt.crypt("hello", body["data"]["user"]["passwords"][0]["salt"]), "The hash should not be the same as hashing the wrong password and the salt together using the hashing function"
delete_user_password(session, "test", user.id)
c = Counter.get(session, name="updates")
graph.update_from_db(session)
api_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(api_url)
body = json.loads(resp.body)
assert body["checkpoint"] == c.count, "The API response is not up to date"
assert body["data"]["user"]["passwords"] == [], "The user should not have any passwords"
def test_passwords(session, users):
user = users["*****@*****.**"]
add_new_user_password(session, "test", TEST_PASSWORD, user.id)
assert len(user_passwords(session, user)) == 1, "The user should only have a single password"
password = user_passwords(session, user)[0]
assert password.name == "test", "The password should have the name we gave it"
assert password.password_hash != TEST_PASSWORD, "The password should not be what is passed in"
assert password.check_password(TEST_PASSWORD), "The password should validate when given the same password"
assert not password.check_password("sadfjhsdf"), "Incorrect passwords should fail"
add_new_user_password(session, "test2", TEST_PASSWORD, user.id)
assert len(user_passwords(session, user)) == 2, "The user should have 2 passwords"
password2 = user_passwords(session, user)[1]
assert password2.name == "test2", "The password should have the name we gave it"
assert password2.password_hash != TEST_PASSWORD, "The password should not be what is passed in"
assert password2.check_password(TEST_PASSWORD), "The password should validate when given the same password"
assert not password2.check_password("sadfjhsdf"), "Incorrect passwords should fail"
with pytest.raises(PasswordAlreadyExists):
add_new_user_password(session, "test", TEST_PASSWORD, user.id)
session.rollback()
# Technically there's a very very very small O(1/2^160) chance that this will fail for a correct implementation
assert (
password.password_hash != password2.password_hash
), "2 passwords that are identical should hash differently because of the salts"
delete_user_password(session, "test", user.id)
assert len(user_passwords(session, user)) == 1, "The user should only have a single password"
assert user_passwords(session, user)[0].name == "test2", "The password named test should have been deleted"
def post(self, *args: Any, **kwargs: Any) -> None:
name = self.get_path_argument("name")
password_id = int(self.get_path_argument("password_id"))
user = User.get(self.session, name=name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
password = UserPassword.get(self.session, user=user, id=password_id)
try:
delete_user_password(self.session, password.name, user.id)
except PasswordDoesNotExist:
# if the password doesn't exist, we can pretend like it did and that we deleted it
return self.redirect("/users/{}?refresh=yes".format(user.username))
AuditLog.log(
self.session,
self.current_user.id,
"delete_password",
"Deleted password: {}".format(password.name),
on_user_id=user.id,
)
self.session.commit()
return self.redirect("/users/{}?refresh=yes".format(user.username))
def test_passwords_api(session, users, http_client, base_url, graph):
user = users['*****@*****.**']
TEST_PASSWORD = "******"
add_new_user_password(session, "test", TEST_PASSWORD, user.id)
assert len(user_passwords(session, user)) == 1, "The user should only have a single password"
graph.update_from_db(session)
c = Counter.get(session, name="updates")
api_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(api_url)
body = json.loads(resp.body)
assert body["checkpoint"] == c.count, "The API response is not up to date"
assert body["data"]["user"]["passwords"] != [], "The user should not have an empty passwords field"
assert body["data"]["user"]["passwords"][0]["name"] == "test", "The password should have the same name"
assert body["data"]["user"]["passwords"][0]["func"] == "crypt(3)-$6$", "This test does not support any hash functions other than crypt(3)-$6$"
assert body["data"]["user"]["passwords"][0]["hash"] == crypt.crypt(TEST_PASSWORD, body["data"]["user"]["passwords"][0]["salt"]), "The hash should be the same as hashing the password and the salt together using the hashing function"
assert body["data"]["user"]["passwords"][0]["hash"] != crypt.crypt("hello", body["data"]["user"]["passwords"][0]["salt"]), "The hash should not be the same as hashing the wrong password and the salt together using the hashing function"
delete_user_password(session, "test", user.id)
c = Counter.get(session, name="updates")
graph.update_from_db(session)
api_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(api_url)
body = json.loads(resp.body)
assert body["checkpoint"] == c.count, "The API response is not up to date"
assert body["data"]["user"]["passwords"] == [], "The user should not have any passwords"
def test_passwords(session, users):
user = users['*****@*****.**']
add_new_user_password(session, "test", TEST_PASSWORD, user.id)
assert len(user_passwords(session, user)) == 1, "The user should only have a single password"
password = user_passwords(session, user)[0]
assert password.name == "test", "The password should have the name we gave it"
assert password.password_hash != TEST_PASSWORD, "The password should not be what is passed in"
assert password.check_password(TEST_PASSWORD), "The password should validate when given the same password"
assert not password.check_password("sadfjhsdf"), "Incorrect passwords should fail"
add_new_user_password(session, "test2", TEST_PASSWORD, user.id)
assert len(user_passwords(session, user)) == 2, "The user should have 2 passwords"
password2 = user_passwords(session, user)[1]
assert password2.name == "test2", "The password should have the name we gave it"
assert password2.password_hash != TEST_PASSWORD, "The password should not be what is passed in"
assert password2.check_password(TEST_PASSWORD), "The password should validate when given the same password"
assert not password2.check_password("sadfjhsdf"), "Incorrect passwords should fail"
with pytest.raises(PasswordAlreadyExists):
add_new_user_password(session, "test", TEST_PASSWORD, user.id)
session.rollback()
# Technically there's a very very very small O(1/2^160) chance that this will fail for a correct implementation
assert password.password_hash != password2.password_hash, "2 passwords that are identical should hash differently because of the salts"
delete_user_password(session, "test", user.id)
assert len(user_passwords(session, user)) == 1, "The user should only have a single password"
assert user_passwords(session, user)[0].name == "test2", "The password named test should have been deleted"
def post(self, user_id=None, name=None, pass_id=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
password = UserPassword.get(self.session, user=user, id=pass_id)
try:
delete_user_password(self.session, password.name, user.id)
except PasswordDoesNotExist:
# if the password doesn't exist, we can pretend like it did and that we deleted it
return self.redirect("/users/{}?refresh=yes".format(user.id))
AuditLog.log(self.session, self.current_user.id, 'delete_password',
'Deleted password: {}'.format(password.name),
on_user_id=user.id)
self.session.commit()
return self.redirect("/users/{}?refresh=yes".format(user.id))