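def test_upgrade_from_pbkdf2_with_less_rounds(self):
    """Set up a pbkdf2 hash with fewer rounds and a smaller salt than the defaults.

    If ``default_rounds`` is increased in a later version of passlib, CKAN
    should upgrade the stored password hash transparently on the next
    successful password check, without any involvement from the user.
    """
    user = factories.User()
    password = u"testpassword"
    user_obj = model.User.by_name(user["name"])

    # Store a hash that is deliberately weaker than the current defaults
    # (salt_size=2, rounds=10) so that validate_password has to upgrade it.
    # _password is assigned directly so the weak hash is stored verbatim.
    old_hash = pbkdf2_sha512.encrypt(password, salt_size=2, rounds=10)
    user_obj._password = old_hash
    user_obj.save()

    assert user_obj.validate_password(password.encode("utf-8"))

    # The stored hash must have been replaced, not merely verified.
    assert old_hash != user_obj.password
    new_hash = pbkdf2_sha512.from_string(user_obj.password)

    # The upgrade is only observable if the library defaults are actually
    # stronger than the weak parameters used above.  The original wrote
    # `assert default_salt_size, 2`, which only asserted truthiness with
    # 2 as the failure message; it now compares against the salt size used.
    assert pbkdf2_sha512.default_rounds > 10
    assert pbkdf2_sha512.default_rounds == new_hash.rounds
    assert pbkdf2_sha512.default_salt_size > 2
    assert pbkdf2_sha512.default_salt_size == len(new_hash.salt)
    assert pbkdf2_sha512.verify(password, user_obj.password)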
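def test_upgrade_from_pbkdf2_with_less_rounds(self):
    '''Set up a pbkdf2 hash with fewer rounds and a smaller salt than the defaults.

    If ``default_rounds`` is increased in a later version of passlib, CKAN
    should upgrade the stored password hash transparently on the next
    successful password check, without any involvement from the user.
    '''
    user = factories.User()
    password = u'testpassword'
    user_obj = model.User.by_name(user['name'])

    # Store a hash that is deliberately weaker than the current defaults
    # (salt_size=2, rounds=10) so that validate_password has to upgrade it.
    # _password is assigned directly so the weak hash is stored verbatim.
    old_hash = pbkdf2_sha512.encrypt(password, salt_size=2, rounds=10)
    user_obj._password = old_hash
    user_obj.save()

    nt.assert_true(user_obj.validate_password(password.encode('utf-8')))

    # The stored hash must have been replaced, not merely verified.
    nt.assert_not_equals(old_hash, user_obj.password)
    new_hash = pbkdf2_sha512.from_string(user_obj.password)

    # The upgrade is only observable if the library defaults are actually
    # stronger than the weak parameters used above.  The original called
    # `assert_true(default_salt_size, 2)`, where 2 was the failure message,
    # so it only checked truthiness; it now compares against the salt size used.
    nt.assert_true(pbkdf2_sha512.default_rounds > 10)
    nt.assert_equals(pbkdf2_sha512.default_rounds, new_hash.rounds)
    nt.assert_true(pbkdf2_sha512.default_salt_size > 2)
    nt.assert_equals(pbkdf2_sha512.default_salt_size, len(new_hash.salt))
    nt.assert_true(pbkdf2_sha512.verify(password, user_obj.password))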
def validate_password(self, password):
    '''
    Check the password against existing credentials.

    :param password: the password that was provided by the user to try and
        authenticate. This is the clear text version that we will need to
        match against the hashed one in the database.
    :type password: unicode object.
    :return: Whether the password is valid.
    :rtype: bool

    A stored hash that ``pbkdf2_sha512.identify`` does not recognise is
    handed to ``_verify_and_upgrade_from_sha1``; a recognised hash whose
    rounds or salt length fall below the current passlib defaults is handed
    to ``_verify_and_upgrade_pbkdf2``, so that hashes are re-strengthened
    as part of a successful check.  An empty password or an empty stored
    hash is rejected outright without consulting the hasher.
    '''
    stored = self.password
    if not password or not stored:
        return False

    # Legacy (non-pbkdf2) hash: delegate verification and upgrade.
    if not pbkdf2_sha512.identify(stored):
        return self._verify_and_upgrade_from_sha1(password)

    parsed = pbkdf2_sha512.from_string(stored)
    below_defaults = (
        parsed.rounds < pbkdf2_sha512.default_rounds
        or len(parsed.salt) < pbkdf2_sha512.default_salt_size
    )
    if below_defaults:
        # Weaker than the current defaults: verify and re-hash.
        return self._verify_and_upgrade_pbkdf2(password)
    return pbkdf2_sha512.verify(password, stored)