def test_update_user_calls_db_access_to_update_user(self):
user_id = 'userid1'
password = '******'
valid_body = '{"user": {"password": "******"}}' % (password)
mock_db_access = MagicMock()
mock_db_access.update_user.return_value = 1
server.db_access = mock_db_access
self.app.post(UPDATE_USER_ROUTE_FORMAT.format(user_id),
data=valid_body,
headers=JSON_CONTENT_TYPE_HEADER)
expected_password_hash_to_pass = get_user_password_hash(
user_id, password, app.config['PASSWORD_SALT'])
mock_db_access.update_user.assert_called_once_with(
user_id=user_id, password_hash=expected_password_hash_to_pass)
def _handle_allowed_user_auth_request(user_id, password, failed_login_attempts):
password_salt = app.config['PASSWORD_SALT']
password_hash = security.get_user_password_hash(user_id, password, password_salt)
user = db_access.get_user(user_id, password_hash)
if user:
# Reset failed login attempts to zero and proceed
db_access.update_failed_logins(user_id, 0)
return Response(_authenticated_response_body(user), mimetype=JSON_CONTENT_TYPE)
else:
failed_login_attempts += 1
db_access.update_failed_logins(user_id, failed_login_attempts)
auditing.audit('Invalid credentials used. username: {}, attempt: {}.'.format(
user_id, failed_login_attempts
))
return Response(AUTH_FAILURE_RESPONSE_BODY, status=401, mimetype=JSON_CONTENT_TYPE)
def test_create_user_calls_db_access_to_create_user(self):
user_id = 'userid1'
password = '******'
valid_body_format = '{"user": {"user_id": "%s", "password": "******"}}'
valid_body = valid_body_format % (user_id, password)
mock_db_access = MagicMock()
mock_db_access.create_user.return_value = True
server.db_access = mock_db_access
self.app.post(CREATE_USER_ROUTE,
data=valid_body,
headers=JSON_CONTENT_TYPE_HEADER)
expected_password_hash_to_pass = get_user_password_hash(
user_id, password, app.config['PASSWORD_SALT'])
mock_db_access.create_user.assert_called_once_with(
user_id, expected_password_hash_to_pass)
def create_user():
request_json = _try_get_request_json(request)
if request_json and _is_create_request_data_valid(request_json):
user = request_json['user']
user_id = user['user_id']
password = user['password']
# TODO: common code
password_hash = security.get_user_password_hash(
user_id,
password,
app.config['PASSWORD_SALT']
)
if db_access.create_user(user_id, password_hash):
auditing.audit('Created user {}'.format(user_id))
return Response(json.dumps({'created': True}), mimetype=JSON_CONTENT_TYPE)
else:
response_body = json.dumps({'error': 'User already exists'})
return Response(response_body, 409, mimetype=JSON_CONTENT_TYPE)
else:
return INVALID_REQUEST_RESPONSE
def test_authenticate_user_calls_db_access_to_find_user(self):
user_id = 'userid1'
password = '******'
body_format = '{"credentials": {"user_id": "%s", "password": "******"}}'
valid_body = body_format % (user_id, password)
mock_db_access = MagicMock()
mock_db_access.get_user.return_value = FakeUser(
user_id, 'passwordhash', 0)
mock_db_access.get_failed_logins = lambda self, *args, **kwargs: 0
mock_db_access.update_failed_logins = lambda self, *args, **kwargs: 1
server.db_access = mock_db_access
self.app.post(AUTHENTICATE_ROUTE,
data=valid_body,
headers=JSON_CONTENT_TYPE_HEADER)
expected_password_hash_to_pass = get_user_password_hash(
user_id, password, app.config['PASSWORD_SALT'])
mock_db_access.get_user.assert_called_once_with(
user_id, expected_password_hash_to_pass)
def update_user(user_id):
request_json = _try_get_request_json(request)
if request_json and _is_update_request_data_valid(request_json):
new_password = request_json['user']['password']
new_password_hash = security.get_user_password_hash(
user_id,
new_password,
app.config['PASSWORD_SALT']
)
if db_access.update_user(
user_id=user_id,
password_hash=new_password_hash
):
auditing.audit('Updated user {}'.format(user_id))
return Response(
json.dumps({'updated': True}),
mimetype=JSON_CONTENT_TYPE
)
else:
return USER_NOT_FOUND_RESPONSE
else:
return INVALID_REQUEST_RESPONSE
def test_get_user_password_hash_returns_same_hash_for_same_data(self):
hash1 = security.get_user_password_hash('user1', 'password1', 'salt1')
hash2 = security.get_user_password_hash('user1', 'password1', 'salt1')
assert hash1 == hash2
def test_get_userpass_returns_different_hash_for_different_passwords(self):
hash1 = security.get_user_password_hash('user1', 'password1', 'salt1')
hash2 = security.get_user_password_hash('user1', 'password2', 'salt1')
assert hash1 != hash2
