author | Theo Chatzimichos <tampakrap@gentoo.org> | 2013-08-17 13:39:34 +0200 |
---|---|---|
committer | Theo Chatzimichos <tampakrap@gentoo.org> | 2013-08-17 13:39:34 +0200 |
commit | 621d5d6ba7e830d55589783b0d71274a2084b491 (patch) | |
tree | c6c7fc7162b43d24e37373a5ad4fcb4bac1308cf /okupy/tests/unit | |
parent | Add support for secondary password (diff) | |
Tests for secondary password
Diffstat (limited to 'okupy/tests/unit')
-rw-r--r-- | okupy/tests/unit/__init__.py | 2 | ||||
-rw-r--r-- | okupy/tests/unit/login.py | 32 | ||||
-rw-r--r-- | okupy/tests/unit/secondary_password.py | 89 |
3 files changed, 121 insertions, 2 deletions
diff --git a/okupy/tests/unit/__init__.py b/okupy/tests/unit/__init__.py
index 5c1286c..9b6f4ce 100644
--- a/okupy/tests/unit/__init__.py
+++ b/okupy/tests/unit/__init__.py
@@ -1,6 +1,6 @@
 # vim:fileencoding=utf8:et:ts=4:sts=4:sw=4:ft=python
-from .connection import *
 from .index import *
 from .login import *
+from .secondary_password import *
 from .signup import *
diff --git a/okupy/tests/unit/login.py b/okupy/tests/unit/login.py
index 75775df..6d5e94d 100644
--- a/okupy/tests/unit/login.py
+++ b/okupy/tests/unit/login.py
@@ -7,10 +7,14 @@ from django.core.urlresolvers import resolve
 from django.template import RequestContext
 from django.test.utils import override_settings
+from base64 import b64encode
+from Crypto import Random
+from passlib.hash import ldap_md5_crypt
 from mockldap import MockLdap
-from ...accounts.views import login
+from ...accounts.views import login, logout
 from ...accounts.forms import LoginForm
+from ...common.crypto import cipher
 from ...common.test_helpers import OkupyTestCase, set_request, no_database, get_ldap_user, set_search_seed
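Review bot: In okupy/tests/unit/__init__.py the removed line `from .connection import *` takes the connection tests out of the package's star-imports, which the commit title ("Tests for secondary password") does not mention. The diffstat for this directory shows no deletion of connection.py, so if that module still exists its test cases may no longer be picked up when the suite is loaded through this package. Either keep the import or state in the commit message why the module is dropped, for example `Drop unit/connection tests (module removed in <commit>)`.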
@@ -95,6 +99,24 @@ class LoginUnitTests(OkupyTestCase):
 login(request)
 self.assertEqual(User.objects.count(), 1)
+ def test_secondary_password_is_added_in_login(self):
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice')])
+ request = set_request(uri='/login', post=account1)
+ login(request)
+ self.assertEqual(len(get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword']), 2)
+ self.assertEqual(len(request.session['secondary_password']), 48)
+
+ def test_secondary_password_is_removed_in_logout(self):
+ secondary_password = Random.get_random_bytes(48)
+ secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(secondary_password))
+ self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(secondary_password_crypt)
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)])
+ alice = User(username='alice')
+ request = set_request(uri='/login', post=account1, user=alice)
+ request.session['secondary_password'] = cipher.encrypt(secondary_password)
+ logout(request)
+ self.assertEqual(len(get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword']), 1)
+
 class LoginUnitTestsNoLDAP(OkupyTestCase):
 def test_dont_authenticate_from_db_when_ldap_is_down(self):
@@ -108,3 +130,11 @@ class LoginUnitTestsNoLDAP(OkupyTestCase):
 response = login(request)
 response.context = RequestContext(request)
 self.assertMessage(response, 'Login failed', 40)
+
+ def test_no_ldap_connection_in_logout_sends_notification_mail(self):
+ alice = User(username='alice')
+ request = set_request(uri='/login', post=account1, user=alice)
+ request.session['secondary_password'] = 'test'
+ logout(request)
+ self.assertEqual(len(mail.outbox), 1)
+ self.assertTrue(mail.outbox[0].subject.startswith('%sERROR:' % settings.EMAIL_SUBJECT_PREFIX))
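Review bot: In the `@@ -95,6 +99,24 @@` hunk, `test_secondary_password_is_added_in_login` checks only `len(request.session['secondary_password']) == 48`, which does not show that the session holds ciphertext rather than the raw 48-byte secret (it would pass for either if the cipher preserves length, which is not visible here). The logout test next to it stores `cipher.encrypt(secondary_password)`, so the intended invariant appears to be "encrypted in the session"; pin it by decrypting and verifying against the LDAP hashes, and by asserting the undecrypted value does not verify, e.g. `self.assertFalse(any(ldap_md5_crypt.verify(b64encode(request.session['secondary_password']), h) for h in hashes))`. The logout test also asserts only that one `userPassword` value remains, not that the survivor is the primary password; add `ldap_md5_crypt.verify('ldaptest', ...)` on the remaining value. The enclosing class `LoginUnitTests` starts outside the hunk.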
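Review bot: In the `@@ -108,3 +130,11 @@` hunk, `test_no_ldap_connection_in_logout_sends_notification_mail` asserts the count and subject of the error mail but never inspects its body, so a notification that includes session contents would pass unnoticed. Use a distinctive sentinel instead of `'test'` for `request.session['secondary_password']` and add `self.assertNotIn(sentinel, mail.outbox[0].body)`. The value `'test'` is also not the output of `cipher.encrypt`, so the mail may be caused by a decryption failure rather than by the missing LDAP connection the test name claims; storing `cipher.encrypt(...)` as the other logout test does would isolate the LDAP path. It would also help to assert what `logout` leaves in the session when the LDAP cleanup fails, since the secondary password presumably stays valid in the directory in that case. The enclosing class `LoginUnitTestsNoLDAP` starts outside the hunk.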
diff --git a/okupy/tests/unit/secondary_password.py b/okupy/tests/unit/secondary_password.py
new file mode 100644
index 0000000..bc3faca
--- /dev/null
+++ b/okupy/tests/unit/secondary_password.py
@@ -0,0 +1,89 @@
+# vim:fileencoding=utf8:et:ts=4:sts=4:sw=4:ft=python
+
+from django.conf import settings
+from django.contrib.auth.models import User
+from django.test import TestCase
+
+from base64 import b64encode
+from Crypto import Random
+from mockldap import MockLdap
+from passlib.hash import ldap_md5_crypt
+
+from ...common.crypto import cipher
+from ...common.ldap_helpers import set_secondary_password, remove_secondary_password
+from ...common.test_helpers import set_request, set_search_seed, get_ldap_user
+
+
+class SecondaryPassword(TestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.mockldap = MockLdap(settings.DIRECTORY)
+
+ def setUp(self):
+ self.mockldap.start()
+ self.ldapobject = self.mockldap[settings.AUTH_LDAP_SERVER_URI]
+
+ def tearDown(self):
+ self.mockldap.stop()
+
+ def test_secondary_password_gets_added_in_session(self):
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice')])
+ alice = User.objects.create(username='alice', password='ldaptest')
+ request = set_request(uri='/', user=alice)
+ set_secondary_password(request, 'ldaptest')
+ self.assertEqual(len(request.session['secondary_password']), 48)
+
+ def test_secondary_password_gets_added_in_ldap(self):
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice')])
+ alice = User.objects.create(username='alice', password='ldaptest')
+ request = set_request(uri='/', user=alice)
+ self.assertEqual(len(get_ldap_user('alice')[1]['userPassword']), 1)
+ set_secondary_password(request, 'ldaptest')
+ self.assertEqual(len(get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword']), 2)
+
+ def test_remove_leftovers_before_adding_secondary_password(self):
+ leftover = ldap_md5_crypt.encrypt('leftover_password')
+ self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(leftover)
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)])
+ alice = User.objects.create(username='alice', password='ldaptest')
+ request = set_request(uri='/', user=alice)
+ set_secondary_password(request, 'ldaptest')
+ self.assertNotIn(leftover, get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'])
+
+ def test_dont_remove_primary_password_while_cleaning_leftovers(self):
+ leftover = ldap_md5_crypt.encrypt('leftover_password')
+ self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(leftover)
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)])
+ alice = User.objects.create(username='alice', password='ldaptest')
+ request = set_request(uri='/', user=alice)
+ set_secondary_password(request, 'ldaptest')
+ self.assertTrue(ldap_md5_crypt.verify('ldaptest',get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][0]))
+
+ def test_session_and_ldap_secondary_passwords_match(self):
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice')])
+ alice = User.objects.create(username='alice', password='ldaptest')
+ request = set_request(uri='/', user=alice)
+ set_secondary_password(request, 'ldaptest')
+ self.assertTrue(ldap_md5_crypt.verify(b64encode(cipher.decrypt(request.session['secondary_password'], 48)), get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][1]))
+
+ def test_remove_secondary_password_from_ldap(self):
+ secondary_password = Random.get_random_bytes(48)
+ secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(secondary_password))
+ self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(secondary_password_crypt)
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)])
+ alice = User.objects.create(username='alice', password='ldaptest')
+ request = set_request(uri='/', user=alice)
+ request.session['secondary_password'] = cipher.encrypt(secondary_password)
+ remove_secondary_password(request)
+ self.assertNotIn(secondary_password_crypt, get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'])
+
+ def test_dont_remove_primary_password_while_removing_secondary_password(self):
+ secondary_password = Random.get_random_bytes(48)
+ secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(secondary_password))
+ self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(secondary_password_crypt)
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)])
+ alice = User.objects.create(username='alice', password='ldaptest')
+ request = set_request(uri='/', user=alice)
+ request.session['secondary_password'] = cipher.encrypt(secondary_password)
+ remove_secondary_password(request)
+ self.assertTrue(ldap_md5_crypt.verify('ldaptest',get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][0])) |
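Review bot: The primary/secondary checks in secondary_password.py identify a password by its position in the multi-valued attribute (`['userPassword'][0]` in both `test_dont_remove_primary_password_*` tests, `['userPassword'][1]` in `test_session_and_ldap_secondary_passwords_match`), which holds for the mockldap list but is not an ordering an LDAP server is required to preserve. Asserting by content keeps the tests meaningful if the helpers or the directory reorder values: `hashes = get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword']` followed by `self.assertTrue(any(ldap_md5_crypt.verify('ldaptest', h) for h in hashes))`. The two primary-password tests should additionally assert the expected number of values, so that a helper which leaves a stale hash next to the primary one is caught. As a smaller point, `User.objects.create(username='alice', password='ldaptest')` writes the literal string into the password column; `User(username='alice')`, as login.py uses, avoids a fixture that looks like a stored plaintext password.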