def update_password(self, user_id, new_password, old_password):
"""Change the user password.
Uses the admin bind or the user bind if the old password is provided.
Args:
user_id: user id
new_password: new password
old_password: old password of the user (optional)
Returns:
True if the change was successful, False otherwise
"""
user_dn = self._userid2dn(user_id)
if user_dn is None:
raise BackendError('Unknown user "%s"' % user_id)
password_hash = ssha(new_password)
user = [(ldap.MOD_REPLACE, 'userPassword', [password_hash])]
try:
with self._conn(user_dn, old_password) as conn:
try:
res, __ = conn.modify_s(user_dn, user)
except (ldap.TIMEOUT, ldap.SERVER_DOWN, ldap.OTHER), e:
self.logger.debug('Could not update the password in ldap.')
raise BackendError(str(e))
except ldap.INVALID_CREDENTIALS:
return False
self._purge_conn(user_dn, new_password)
return res == ldap.RES_MODIFY
def _create_user(self, auth, user_name, password, email):
from services.auth.ldapsql import ssha, random, sha1
user_name = str(user_name)
user_id = auth._get_next_user_id()
password_hash = ssha(password)
key = '%s%s' % (random.randint(0, 9999999), user_name)
key = sha1(key).hexdigest()
user = {
'cn': user_name,
'sn': user_name,
'uid': user_name,
'uidNumber': str(user_id),
'primaryNode': 'weave:',
'rescueNode': 'weave:',
'userPassword': password_hash,
'account-enabled': 'Yes',
'mail': email,
'mail-verified': key,
'objectClass': ['dataStore', 'inetOrgPerson']
}
user = user.items()
dn = "uidNumber=%i,ou=users,dc=mozilla" % (user_id)
with auth._conn(auth.admin_user, auth.admin_password) as conn:
try:
res, __ = conn.add_s(dn, user)
except ldap.TIMEOUT:
raise BackendTimeoutError()
return res == ldap.RES_ADD
def create_user(self, user_name, password, email):
"""Creates a user. Returns True on success."""
user_name = str(user_name) # XXX only ASCII
user_id = self._get_next_user_id()
password_hash = ssha(password)
key = '%s%s' % (random.randint(0, 9999999), user_name)
key = sha1(key).hexdigest()
user = {'cn': user_name,
'sn': user_name,
'uid': user_name,
'uidNumber': str(user_id),
'primaryNode': 'weave:',
'userPassword': password_hash,
'account-enabled': 'Yes',
'mail': email,
'mail-verified': key,
'objectClass': ['dataStore', 'inetOrgPerson']}
user = user.items()
dn = "uidNumber=%i,%s" % (user_id, self.users_root)
with self._conn(self.admin_user, self.admin_password) as conn:
try:
res, __ = conn.add_s(dn, user)
except (ldap.TIMEOUT, ldap.SERVER_DOWN, ldap.OTHER), e:
logger.debug('Could not create the user.')
raise BackendError(str(e))
def update_password(self, user_id, new_password, old_password):
"""Change the user password.
Uses the admin bind or the user bind if the old password is provided.
Args:
user_id: user id
new_password: new password
old_password: old password of the user (optional)
Returns:
True if the change was successful, False otherwise
"""
user_dn = self._userid2dn(user_id)
if user_dn is None:
raise BackendError('Unknown user "%s"' % user_id)
password_hash = ssha(new_password)
user = [(ldap.MOD_REPLACE, 'userPassword', [password_hash])]
try:
with self._conn(user_dn, old_password) as conn:
try:
res, __ = conn.modify_s(user_dn, user)
except (ldap.TIMEOUT, ldap.SERVER_DOWN, ldap.OTHER), e:
self.logger.debug('Could not update the password in ldap.')
raise BackendError(str(e))
except ldap.INVALID_CREDENTIALS:
return False
self._purge_conn(user_dn, new_password)
return res == ldap.RES_MODIFY
def create_user(self, user_name, password, email):
"""Creates a user. Returns True on success."""
user_name = str(user_name) # XXX only ASCII
user_id = self._get_next_user_id()
password_hash = ssha(password)
key = '%s%s' % (random.randint(0, 9999999), user_name)
key = sha1(key).hexdigest()
user = {
'cn': user_name,
'sn': user_name,
'uid': user_name,
'uidNumber': str(user_id),
'primaryNode': 'weave:',
'userPassword': password_hash,
'account-enabled': 'Yes',
'mail': email,
'mail-verified': key,
'objectClass': ['dataStore', 'inetOrgPerson']
}
user = user.items()
dn = "uidNumber=%i,%s" % (user_id, self.users_root)
with self._conn(self.admin_user, self.admin_password) as conn:
try:
res, __ = conn.add_s(dn, user)
except (ldap.TIMEOUT, ldap.SERVER_DOWN, ldap.OTHER), e:
logger.debug('Could not create the user.')
raise BackendError(str(e))
def _create_user(self, auth, user_name, password, email):
from services.auth.ldapsql import ssha, random, sha1
user_name = str(user_name)
user_id = auth._get_next_user_id()
password_hash = ssha(password)
key = '%s%s' % (random.randint(0, 9999999), user_name)
key = sha1(key).hexdigest()
user = {'cn': user_name,
'sn': user_name,
'uid': user_name,
'uidNumber': str(user_id),
'primaryNode': 'weave:',
'rescueNode': 'weave:',
'userPassword': password_hash,
'account-enabled': 'Yes',
'mail': email,
'mail-verified': key,
'objectClass': ['dataStore', 'inetOrgPerson']}
user = user.items()
dn = "uidNumber=%i,ou=users,dc=mozilla" % (user_id)
with auth._conn(auth.admin_user, auth.admin_password) as conn:
try:
res, __ = conn.add_s(dn, user)
except ldap.TIMEOUT:
raise BackendTimeoutError()
return res == ldap.RES_ADD
def create_user(self, user_name, password, email):
"""Creates a user. Returns a user object on success."""
if not self.allow_new_users:
raise BackendError("Creation of new users is disabled")
# no unicode
user_name = user_name.encode('utf8')
password = password.encode('utf8')
email = email.encode('utf8')
#First make sure the username isn't taken. There'll still be a race
#condition, but it's pretty small
test_user = User()
test_user['username'] = user_name
dn = self._get_dn(test_user)
if dn is not None:
return False
user_id = self._get_next_user_id()
password_hash = ssha(password)
key = '%s%s' % (random.randint(0, 9999999), user_name)
key = sha1(key).hexdigest()
user = {
'cn': user_name,
'sn': user_name,
'uid': user_name,
'uidNumber': str(user_id),
'userPassword': password_hash,
'primaryNode': 'weave:',
'accountStatus': '1',
'account-enabled': 'Yes',
'mail': email,
'mail-verified': key,
'objectClass': ['dataStore', 'inetOrgPerson']
}
dn = "uidNumber=%i,%s" % (user_id, self.users_root)
#need a copy with some of the info for the return value
userobj = User()
userobj['username'] = user['uid']
userobj['userid'] = user['uidNumber']
userobj['mail'] = email
userobj['dn'] = dn
#need to turn the user hash into tuples
user = user.items()
with self._conn() as conn:
try:
res, __ = conn.add_s(dn, user)
except (ldap.TIMEOUT, ldap.SERVER_DOWN, ldap.OTHER), e:
self.logger.debug('Could not create the user.')
raise BackendError(str(e))
def setUp(self):
self.appdir, self.config, self.auth = initenv()
# we don't support other storages for this test
assert self.auth.sqluri.split(':/')[0] in ('mysql', 'sqlite')
# lets add a user tarek/tarek
password = ssha('tarek')
query = text('insert into users (username, password_hash, status) '
'values (:username, :password, 1)')
self.auth._engine.execute(query, username='******', password=password)
self.user_id = self.auth._engine.execute('select id from users where'
' username="******"').fetchone().id
def create_user(self, user_name, password, email):
"""Creates a user. Returns a user object on success."""
if not self.allow_new_users:
raise BackendError("Creation of new users is disabled")
# no unicode
user_name = user_name.encode('utf8')
password = password.encode('utf8')
email = email.encode('utf8')
#First make sure the username isn't taken. There'll still be a race
#condition, but it's pretty small
test_user = User()
test_user['username'] = user_name
dn = self._get_dn(test_user)
if dn is not None:
return False
user_id = self._get_next_user_id()
password_hash = ssha(password)
key = '%s%s' % (random.randint(0, 9999999), user_name)
key = sha1(key).hexdigest()
user = {'cn': user_name,
'sn': user_name,
'uid': user_name,
'uidNumber': str(user_id),
'userPassword': password_hash,
'primaryNode': 'weave:',
'accountStatus': '1',
'account-enabled': 'Yes',
'mail': email,
'mail-verified': key,
'objectClass': ['dataStore', 'inetOrgPerson']}
dn = "uidNumber=%i,%s" % (user_id, self.users_root)
#need a copy with some of the info for the return value
userobj = User()
userobj['username'] = user['uid']
userobj['userid'] = user['uidNumber']
userobj['mail'] = email
userobj['dn'] = dn
#need to turn the user hash into tuples
user = user.items()
with self._conn() as conn:
try:
res, __ = conn.add_s(dn, user)
except (ldap.TIMEOUT, ldap.SERVER_DOWN, ldap.OTHER), e:
self.logger.debug('Could not create the user.')
raise BackendError(str(e))
def setUp(self):
self.appdir, self.config, self.auth = initenv()
# we don't support other storages for this test
assert self.auth.sqluri.split(':/')[0] in ('mysql', 'sqlite')
# lets add a user tarek/tarek
password = ssha('tarek')
query = text('insert into users (username, password_hash, status) '
'values (:username, :password, 1)')
self.auth._engine.execute(query, username='******', password=password)
self.user_id = self.auth._engine.execute('select id from users where'
' username="******"').fetchone().id
def update_password(self,
user_id,
new_password,
old_password=None,
key=None):
"""Change the user password.
Uses the admin bind or the user bind if the old password is provided.
Args:
user_id: user id
new_password: new password
old_password: old password of the user (optional)
Returns:
True if the change was successful, False otherwise
"""
user_name = self._get_username(user_id)
user_dn = self._get_dn(user_name)
if old_password is None:
if key:
#using a key, therefore we should check it
if self.verify_reset_code(user_id, key):
self.clear_reset_code(user_id)
else:
logger.error("bad key used for update password")
return False
# we will use admin auth
dn = self.admin_user
ldap_password = self.admin_password
else:
# user auth
dn = user_dn
ldap_password = old_password
# we need a password
password_hash = ssha(new_password)
user = [(ldap.MOD_REPLACE, 'userPassword', [password_hash])]
try:
with self._conn(dn, ldap_password) as conn:
try:
res, __ = conn.modify_s(user_dn, user)
except (ldap.TIMEOUT, ldap.SERVER_DOWN, ldap.OTHER), e:
logger.debug('Could not update the password in ldap.')
raise BackendError(str(e))
except ldap.INVALID_CREDENTIALS:
return False
self._purge_conn(user_dn, new_password)
return res == ldap.RES_MODIFY
def admin_update_password(self, user, new_password, code=None):
"""
Change the user password. Does this as admin. This assumes that a reset
code or something similar has already been verified by the application.
Args:
user: user object
new_password: new password
Returns:
True if the change was successful, False otherwise
"""
password_hash = ssha(new_password.encode('utf8'))
return self._modify_record(user, 'userPassword', password_hash)
def admin_update_password(self, user, new_password, code=None):
"""
Change the user password. Does this as admin. This assumes that a reset
code or something similar has already been verified by the application.
Args:
user: user object
new_password: new password
Returns:
True if the change was successful, False otherwise
"""
password_hash = ssha(new_password.encode('utf8'))
return self._modify_record(user, 'userPassword', password_hash)
def update_password(self, user_id, new_password,
old_password=None, key=None):
"""Change the user password.
Uses the admin bind or the user bind if the old password is provided.
Args:
user_id: user id
new_password: new password
old_password: old password of the user (optional)
Returns:
True if the change was successful, False otherwise
"""
user_name = self._get_username(user_id)
user_dn = self._get_dn(user_name)
if old_password is None:
if key:
#using a key, therefore we should check it
if self.verify_reset_code(user_id, key):
self.clear_reset_code(user_id)
else:
logger.error("bad key used for update password")
return False
# we will use admin auth
dn = self.admin_user
ldap_password = self.admin_password
else:
# user auth
dn = user_dn
ldap_password = old_password
# we need a password
password_hash = ssha(new_password)
user = [(ldap.MOD_REPLACE, 'userPassword', [password_hash])]
try:
with self._conn(dn, ldap_password) as conn:
try:
res, __ = conn.modify_s(user_dn, user)
except (ldap.TIMEOUT, ldap.SERVER_DOWN, ldap.OTHER), e:
logger.debug('Could not update the password in ldap.')
raise BackendError(str(e))
except ldap.INVALID_CREDENTIALS:
return False
self._purge_conn(user_dn, new_password)
return res == ldap.RES_MODIFY
def admin_update_password(self, user_id, new_password, key):
"""Change the user password.
Uses the admin bind or the user bind if the old password is provided.
Args:
user_id: user id
new_password: new password
key: password reset key
Returns:
True if the change was successful, False otherwise
"""
user_dn = self._userid2dn(user_id)
if user_dn is None:
raise BackendError('Unknown user "%s"' % user_id)
# using a key, therefore we should check it
if self.verify_reset_code(user_id, key):
self.clear_reset_code(user_id)
else:
self.logger.error("bad key used for update password")
return False
password_hash = ssha(new_password)
user = [(ldap.MOD_REPLACE, 'userPassword', [password_hash])]
try:
with self._conn(self.admin_user, self.admin_password) as conn:
try:
res, __ = conn.modify_s(user_dn, user)
except (ldap.TIMEOUT, ldap.SERVER_DOWN, ldap.OTHER), e:
self.logger.debug('Could not update the password in ldap.')
raise BackendError(str(e))
except ldap.INVALID_CREDENTIALS:
return False
self._purge_conn(user_dn, new_password)
return res == ldap.RES_MODIFY
def admin_update_password(self, user_id, new_password, key):
"""Change the user password.
Uses the admin bind or the user bind if the old password is provided.
Args:
user_id: user id
new_password: new password
key: password reset key
Returns:
True if the change was successful, False otherwise
"""
user_dn = self._userid2dn(user_id)
if user_dn is None:
raise BackendError('Unknown user "%s"' % user_id)
# using a key, therefore we should check it
if self.verify_reset_code(user_id, key):
self.clear_reset_code(user_id)
else:
self.logger.error("bad key used for update password")
return False
password_hash = ssha(new_password)
user = [(ldap.MOD_REPLACE, 'userPassword', [password_hash])]
try:
with self._conn(self.admin_user, self.admin_password) as conn:
try:
res, __ = conn.modify_s(user_dn, user)
except (ldap.TIMEOUT, ldap.SERVER_DOWN, ldap.OTHER), e:
self.logger.debug('Could not update the password in ldap.')
raise BackendError(str(e))
except ldap.INVALID_CREDENTIALS:
return False
self._purge_conn(user_dn, new_password)
return res == ldap.RES_MODIFY
def update_password(self, user, credentials, new_password):
"""
Change the user password. Uses the user bind.
Args:
user: user object
credentials: a dict with the user's auth credentials
new_password: new password of the user
Returns:
True if the change was successful, False otherwise
"""
if not credentials:
return False
old_password = credentials.get("password")
if not old_password:
return False
dn = self._get_dn(user)
password_hash = ssha(new_password.encode('utf8'))
if not self._modify_record(user, 'userPassword', password_hash, dn,
old_password):
return False
return True
def update_password(self, user, credentials, new_password):
"""
Change the user password. Uses the user bind.
Args:
user: user object
credentials: a dict with the user's auth credentials
new_password: new password of the user
Returns:
True if the change was successful, False otherwise
"""
if not credentials:
return False
old_password = credentials.get("password")
if not old_password:
return False
dn = self._get_dn(user)
password_hash = ssha(new_password.encode('utf8'))
if not self._modify_record(user, 'userPassword', password_hash,
dn, old_password):
return False
return True
from services.auth.ldapconnection import StateConnector
from services.auth.ldapsql import LDAPAuth
LDAP = True
except ImportError:
LDAP = False
from services.util import validate_password, ssha
if LDAP:
# memory ldap connector for the tests
users = {
'uidNumber=1,ou=users,dc=mozilla':
{'uidNumber': ['1'],
'userPassword': [ssha('bind')],
'uid': ['testuser'],
'account-enabled': ['Yes'],
'mail': ['*****@*****.**'],
'cn': ['tarek'],
'primaryNode': ['weave:'],
'rescueNode': ['weave:'],
},
'uid=adminuser,ou=users,dc=mozilla':
{'uidNumber': ['-1'],
'userPassword': [ssha('admin')],
'uid': ['adminuser'],
'account-enabled': ['Yes'],
'mail': ['*****@*****.**'],
def test_validate_password(self):
one = ssha('one')
two = ssha256('two')
self.assertTrue(validate_password('one', one))
self.assertTrue(validate_password('two', two))
elif _CPT == 1:
r = Response()
r.status = '400 Bad Request'
r.body = str(ERROR_INVALID_RESET_CODE)
_CPT += 1
return r
# returns a body that has all the responses we need
def bad_reset_code_resp():
return Response("")
_USER = {'uidNumber': ['1234'],
'userPassword': [ssha('tarek')],
'uid': ['tarek'],
'account-enabled': ['Yes'],
'mail': ['*****@*****.**'],
'cn': ['tarek'],
'primaryNode': ['weave:'],
'rescueNode': ['weave:']}
class TestMozillaSRegAuth(unittest.TestCase):
def setUp(self):
global _CPT
_CPT = 0
if DO_TESTS:
install_opener()
try:
import ldap
from services.auth.ldapconnection import StateConnector
from services.auth.ldapsql import LDAPAuth
LDAP = True
except ImportError:
LDAP = False
from services.util import validate_password, ssha
if LDAP:
# memory ldap connector for the tests
users = {
'uidNumber=1,ou=users,dc=mozilla': {
'uidNumber': ['1'],
'userPassword': [ssha('bind')],
'uid': ['testuser'],
'account-enabled': ['Yes'],
'mail': ['*****@*****.**'],
'cn': ['tarek'],
'primaryNode': ['weave:'],
'rescueNode': ['weave:'],
},
'uid=adminuser,ou=users,dc=mozilla': {
'uidNumber': ['-1'],
'userPassword': [ssha('admin')],
'uid': ['adminuser'],
'account-enabled': ['Yes'],
'mail': ['*****@*****.**'],
'cn': ['tarek'],
'primaryNode': ['weave:'],
r = Response()
r.status = '400 Bad Request'
r.body = str(WEAVE_INVALID_RESET_CODE)
_CPT += 1
return r
# returns a body that has all the responses we need
def bad_reset_code_resp():
return Response("")
_USER = {
'uidNumber': ['1234'],
'userPassword': [ssha('tarek')],
'uid': ['tarek'],
'account-enabled': ['Yes'],
'mail': ['*****@*****.**'],
'cn': ['tarek'],
'primaryNode': ['weave:'],
'rescueNode': ['weave:']
}
class TestMozillaSRegAuth(unittest.TestCase):
def setUp(self):
global _CPT
_CPT = 0
def test_mozilla_auth(self):
