def test_upgrade_from_pbkdf2_with_less_rounds(self):
"""set up a pbkdf key with less than the default rounds
If the number of default_rounds is increased in a later version of
passlib, ckan should upgrade the password hashes for people without
involvement from users"""
user = factories.User()
password = u"testpassword"
user_obj = model.User.by_name(user["name"])
# setup hash with salt/rounds less than the default
old_hash = pbkdf2_sha512.encrypt(password, salt_size=2, rounds=10)
user_obj._password = old_hash
user_obj.save()
assert user_obj.validate_password(password.encode("utf-8"))
# check that the hash has been updated
assert old_hash != user_obj.password
new_hash = pbkdf2_sha512.from_string(user_obj.password)
assert pbkdf2_sha512.default_rounds > 10
assert pbkdf2_sha512.default_rounds == new_hash.rounds
assert pbkdf2_sha512.default_salt_size, 2
assert pbkdf2_sha512.default_salt_size == len(new_hash.salt)
assert pbkdf2_sha512.verify(password, user_obj.password)
def test_upgrade_from_pbkdf2_with_less_rounds(self):
'''set up a pbkdf key with less than the default rounds
If the number of default_rounds is increased in a later version of
passlib, ckan should upgrade the password hashes for people without
involvement from users'''
user = factories.User()
password = u'testpassword'
user_obj = model.User.by_name(user['name'])
# setup hash with salt/rounds less than the default
old_hash = pbkdf2_sha512.encrypt(password, salt_size=2, rounds=10)
user_obj._password = old_hash
user_obj.save()
nt.assert_true(user_obj.validate_password(password.encode('utf-8')))
# check that the hash has been updated
nt.assert_not_equals(old_hash, user_obj.password)
new_hash = pbkdf2_sha512.from_string(user_obj.password)
nt.assert_true(pbkdf2_sha512.default_rounds > 10)
nt.assert_equals(pbkdf2_sha512.default_rounds, new_hash.rounds)
nt.assert_true(pbkdf2_sha512.default_salt_size, 2)
nt.assert_equals(pbkdf2_sha512.default_salt_size, len(new_hash.salt))
nt.assert_true(pbkdf2_sha512.verify(password, user_obj.password))
def test_upgrade_from_pbkdf2_with_less_rounds(self):
'''set up a pbkdf key with less than the default rounds
If the number of default_rounds is increased in a later version of
passlib, ckan should upgrade the password hashes for people without
involvement from users'''
user = factories.User()
password = u'testpassword'
user_obj = model.User.by_name(user['name'])
# setup hash with salt/rounds less than the default
old_hash = pbkdf2_sha512.encrypt(password, salt_size=2, rounds=10)
user_obj._password = old_hash
user_obj.save()
nt.assert_true(user_obj.validate_password(password.encode('utf-8')))
# check that the hash has been updated
nt.assert_not_equals(old_hash, user_obj.password)
new_hash = pbkdf2_sha512.from_string(user_obj.password)
nt.assert_true(pbkdf2_sha512.default_rounds > 10)
nt.assert_equals(pbkdf2_sha512.default_rounds, new_hash.rounds)
nt.assert_true(pbkdf2_sha512.default_salt_size, 2)
nt.assert_equals(pbkdf2_sha512.default_salt_size,
len(new_hash.salt))
nt.assert_true(pbkdf2_sha512.verify(password, user_obj.password))
def validate_password(self, password):
'''
Check the password against existing credentials.
:param password: the password that was provided by the user to
try and authenticate. This is the clear text version that we will
need to match against the hashed one in the database.
:type password: unicode object.
:return: Whether the password is valid.
:rtype: bool
'''
if not password or not self.password:
return False
if not pbkdf2_sha512.identify(self.password):
return self._verify_and_upgrade_from_sha1(password)
else:
current_hash = pbkdf2_sha512.from_string(self.password)
if (current_hash.rounds < pbkdf2_sha512.default_rounds or
len(current_hash.salt) < pbkdf2_sha512.default_salt_size):
return self._verify_and_upgrade_pbkdf2(password)
else:
return pbkdf2_sha512.verify(password, self.password)
def validate_password(self, password):
'''
Check the password against existing credentials.
:param password: the password that was provided by the user to
try and authenticate. This is the clear text version that we will
need to match against the hashed one in the database.
:type password: unicode object.
:return: Whether the password is valid.
:rtype: bool
'''
if not password or not self.password:
return False
if not pbkdf2_sha512.identify(self.password):
return self._verify_and_upgrade_from_sha1(password)
else:
current_hash = pbkdf2_sha512.from_string(self.password)
if (current_hash.rounds < pbkdf2_sha512.default_rounds or
len(current_hash.salt) < pbkdf2_sha512.default_salt_size):
return self._verify_and_upgrade_pbkdf2(password)
else:
return pbkdf2_sha512.verify(password, self.password)
