comparison test/test_cgi.py @ 7166:1549c7e74ef8
issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
Fixed a couple of tests where calls to needs_migration() were missing
the config parameter.
Documented need to update config.ini's password_pbkdf2_default_rounds.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Fri, 24 Feb 2023 23:47:28 -0500 |
| parents | 5487882ff17a |
| children | 8b2287d850c8 |
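--- a/test/test_cgi.py
+++ b/test/test_cgi.py
@@ -558,47 +558,62 @@
 form = dict(__login_name='Chef', __login_password='foo')
 cl = self._make_client(form)
 # assume that the "best" algorithm is the first one and doesn't
 # need migration, all others should be migrated.
 cl.db.config.WEB_LOGIN_ATTEMPTS_MIN = 200
-
+cl.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 10000
 # The third item always fails. Regardless of what is there.
 # ['plaintext', 'SHA', 'crypt', 'MD5']:
 print(password.Password.deprecated_schemes)
 for scheme in password.Password.deprecated_schemes:
 print(scheme)
 cl.db.Otk = self.db.Otk
 if scheme == 'crypt' and os.name == 'nt':
 continue # crypt is not available on Windows
 pw1 = password.Password('foo', scheme=scheme)
 print(pw1)
-self.assertEqual(pw1.needs_migration(), True)
+self.assertEqual(pw1.needs_migration(config=cl.db.config), True)
 self.db.user.set(chef, password=pw1)
 self.db.commit()
 actions.LoginAction(cl).handle()
 pw = cl.db.user.get(chef, 'password')
 print(pw)
 self.assertEqual(pw, 'foo')
-self.assertEqual(pw.needs_migration(), False)
+self.assertEqual(pw.needs_migration(config=cl.db.config), False)
 cl.db.Otk = self.db.Otk
 pw1 = pw
-self.assertEqual(pw1.needs_migration(), False)
+self.assertEqual(pw1.needs_migration(config=cl.db.config), False)
 scheme = password.Password.known_schemes[0]
 self.assertEqual(scheme, pw1.scheme)
 actions.LoginAction(cl).handle()
 pw = cl.db.user.get(chef, 'password')
 self.assertEqual(pw, 'foo')
 self.assertEqual(pw, pw1)
+
+# migrate if rounds has increased above rounds was 10000
+# below will be 100000
+cl.db.Otk = self.db.Otk
+pw1 = pw
+cl.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 100000
+self.assertEqual(pw1.needs_migration(config=cl.db.config), True)
+scheme = password.Password.known_schemes[0]
+self.assertEqual(scheme, pw1.scheme)
+actions.LoginAction(cl).handle()
+pw = cl.db.user.get(chef, 'password')
+self.assertEqual(pw, 'foo')
+# do not assert self.assertEqual(pw, pw1) as pw is a 100,000
+# cycle while pw1 is only 10,000. They won't compare equally.
+
 cl.db.close()
 
 def testPasswordConfigOption(self):
 chef = self.db.user.lookup('Chef')
 form = dict(__login_name='Chef', __login_password='foo')
 cl = self._make_client(form)
 self.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 1000
 pw1 = password.Password('foo', scheme='MD5')
-self.assertEqual(pw1.needs_migration(), True)
+self.assertEqual(pw1.needs_migration(config=cl.db.config), True)
 self.db.user.set(chef, password=pw1)
 self.db.commit()
 actions.LoginAction(cl).handle()
 pw = self.db.user.get(chef, 'password')
 self.assertEqual('PBKDF2', pw.scheme)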
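Review bot: The new rounds-increase case (new lines 592–604) never checks that the login actually re-hashed the stored password. The only assertion after the final `cl.db.user.get(chef, 'password')` is `self.assertEqual(pw, 'foo')`, which presumably also passes against the old 10,000-round hash, because it only verifies the plaintext against whatever hash is stored. Adding `self.assertEqual(pw.needs_migration(config=cl.db.config), False)` after that lookup would make the test fail if upgrade-on-login stopped raising low iteration counts. The comment at new line 592 runs two clauses together and would read better as `# migrate if rounds has increased: above, rounds was 10000;`. The enclosing test method begins before the section shown here.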
