def test_update_user_calls_db_access_to_update_user(self):
    """The update route must hand db_access the salted hash, never the raw password."""
    uid = 'userid1'
    plaintext = '******'
    # NOTE(review): the literal below carries no %s placeholder yet is %-formatted
    # with `plaintext`; confirm against the original source that a placeholder
    # was not lost.
    body = '{"user": {"password": "******"}}' % (plaintext)
    db_stub = MagicMock()
    db_stub.update_user.return_value = 1
    server.db_access = db_stub
    self.app.post(
        UPDATE_USER_ROUTE_FORMAT.format(uid),
        data=body,
        headers=JSON_CONTENT_TYPE_HEADER,
    )
    # Same derivation the server performs: user id + password + app-wide salt.
    expected_hash = get_user_password_hash(uid, plaintext, app.config['PASSWORD_SALT'])
    db_stub.update_user.assert_called_once_with(user_id=uid, password_hash=expected_hash)
def _handle_allowed_user_auth_request(user_id, password, failed_login_attempts):
    """Verify credentials for a user who is not locked out.

    Args:
        user_id: Identifier taken from the credentials payload.
        password: Plaintext password from the payload; it is hashed with the
            application-wide PASSWORD_SALT before any database lookup.
        failed_login_attempts: Current failed-login counter for this user.

    Returns:
        A JSON Response built by _authenticated_response_body on success;
        otherwise AUTH_FAILURE_RESPONSE_BODY with status 401.
    """
    # NOTE(review): PASSWORD_SALT is a single application-wide config value,
    # not a per-user salt; get_user_password_hash also receives user_id, which
    # presumably provides per-user separation -- confirm in the security module.
    salt = app.config['PASSWORD_SALT']
    candidate_hash = security.get_user_password_hash(user_id, password, salt)
    # Lookup is keyed by (user_id, hash): no row back means the pair did not match.
    matched_user = db_access.get_user(user_id, candidate_hash)
    if not matched_user:
        failed_login_attempts += 1
        db_access.update_failed_logins(user_id, failed_login_attempts)
        # Audit carries the user id and attempt count only -- never the password.
        auditing.audit('Invalid credentials used. username: {}, attempt: {}.'.format(
            user_id, failed_login_attempts
        ))
        # The same fixed body is returned whether the user is unknown or the
        # password is wrong, so the response does not distinguish the two.
        return Response(AUTH_FAILURE_RESPONSE_BODY, status=401, mimetype=JSON_CONTENT_TYPE)
    # A successful login clears the lockout counter before responding.
    db_access.update_failed_logins(user_id, 0)
    return Response(_authenticated_response_body(matched_user), mimetype=JSON_CONTENT_TYPE)
def test_create_user_calls_db_access_to_create_user(self):
    """The create route must pass the derived hash, not the plaintext, to db_access."""
    uid = 'userid1'
    plaintext = '******'
    # NOTE(review): only one %s placeholder is visible but two values are
    # formatted in; confirm against the original source that a placeholder
    # was not lost.
    body_template = '{"user": {"user_id": "%s", "password": "******"}}'
    body = body_template % (uid, plaintext)
    db_stub = MagicMock()
    db_stub.create_user.return_value = True
    server.db_access = db_stub
    self.app.post(CREATE_USER_ROUTE, data=body, headers=JSON_CONTENT_TYPE_HEADER)
    # Same derivation the server performs: user id + password + app-wide salt.
    expected_hash = get_user_password_hash(uid, plaintext, app.config['PASSWORD_SALT'])
    db_stub.create_user.assert_called_once_with(uid, expected_hash)
def create_user():
    """Create a user from the JSON request body.

    Returns:
        200 {'created': True} when db_access.create_user succeeds,
        409 {'error': 'User already exists'} when it reports a conflict,
        INVALID_REQUEST_RESPONSE when the body is missing or fails validation.
    """
    payload = _try_get_request_json(request)
    if not (payload and _is_create_request_data_valid(payload)):
        return INVALID_REQUEST_RESPONSE
    new_user = payload['user']
    user_id, password = new_user['user_id'], new_user['password']
    # TODO: common code (the same hashing sequence appears in update_user)
    password_hash = security.get_user_password_hash(
        user_id, password, app.config['PASSWORD_SALT']
    )
    if not db_access.create_user(user_id, password_hash):
        # NOTE(review): the distinct 409 body tells a caller which user ids
        # already exist; fine for an operator-only route, worth revisiting if
        # this endpoint is reachable by unauthenticated clients.
        conflict_body = json.dumps({'error': 'User already exists'})
        return Response(conflict_body, 409, mimetype=JSON_CONTENT_TYPE)
    # Audit records the identity only; the hash is never logged.
    auditing.audit('Created user {}'.format(user_id))
    return Response(json.dumps({'created': True}), mimetype=JSON_CONTENT_TYPE)
def test_authenticate_user_calls_db_access_to_find_user(self):
    """The authenticate route must look the user up by (user_id, derived hash)."""
    uid = 'userid1'
    plaintext = '******'
    # NOTE(review): only one %s placeholder is visible but two values are
    # formatted in; confirm against the original source that a placeholder
    # was not lost.
    body_template = '{"credentials": {"user_id": "%s", "password": "******"}}'
    body = body_template % (uid, plaintext)
    db_stub = MagicMock()
    db_stub.get_user.return_value = FakeUser(uid, 'passwordhash', 0)
    # These lambdas are plain attributes on the mock, so their leading `self`
    # parameter absorbs the first positional argument of each call.
    db_stub.get_failed_logins = lambda self, *args, **kwargs: 0
    db_stub.update_failed_logins = lambda self, *args, **kwargs: 1
    server.db_access = db_stub
    self.app.post(AUTHENTICATE_ROUTE, data=body, headers=JSON_CONTENT_TYPE_HEADER)
    # Same derivation the server performs: user id + password + app-wide salt.
    expected_hash = get_user_password_hash(uid, plaintext, app.config['PASSWORD_SALT'])
    db_stub.get_user.assert_called_once_with(uid, expected_hash)
def update_user(user_id):
    """Replace the password of *user_id* from the JSON request body.

    Args:
        user_id: Path component naming the user to update; it is also fed into
            the hash together with the new password and PASSWORD_SALT.

    Returns:
        200 {'updated': True} when db_access.update_user reports success,
        USER_NOT_FOUND_RESPONSE when it does not,
        INVALID_REQUEST_RESPONSE when the body is missing or fails validation.
    """
    payload = _try_get_request_json(request)
    if not (payload and _is_update_request_data_valid(payload)):
        return INVALID_REQUEST_RESPONSE
    replacement_hash = security.get_user_password_hash(
        user_id, payload['user']['password'], app.config['PASSWORD_SALT']
    )
    updated = db_access.update_user(user_id=user_id, password_hash=replacement_hash)
    if not updated:
        return USER_NOT_FOUND_RESPONSE
    # Audit records the identity only; the new hash is never logged.
    auditing.audit('Updated user {}'.format(user_id))
    return Response(json.dumps({'updated': True}), mimetype=JSON_CONTENT_TYPE)
def test_get_user_password_hash_returns_same_hash_for_same_data(self):
    """Hashing is deterministic: identical inputs give identical digests."""
    inputs = ('user1', 'password1', 'salt1')
    first = security.get_user_password_hash(*inputs)
    second = security.get_user_password_hash(*inputs)
    assert first == second
def test_get_userpass_returns_different_hash_for_different_passwords(self):
    """Changing only the password must change the digest (user and salt fixed)."""
    user, salt = 'user1', 'salt1'
    digests = [
        security.get_user_password_hash(user, candidate, salt)
        for candidate in ('password1', 'password2')
    ]
    assert digests[0] != digests[1]