23 from logilab.common.testlib import unittest_main, TestCase |
23 from logilab.common.testlib import unittest_main, TestCase |
24 |
24 |
25 from rql import RQLException |
25 from rql import RQLException |
26 |
26 |
27 from cubicweb.devtools.testlib import CubicWebTC |
27 from cubicweb.devtools.testlib import CubicWebTC |
28 from cubicweb import Unauthorized, ValidationError, QueryError |
28 from cubicweb import Unauthorized, ValidationError, QueryError, Binary |
29 from cubicweb.schema import ERQLExpression |
29 from cubicweb.schema import ERQLExpression |
30 from cubicweb.server.querier import check_read_access |
30 from cubicweb.server.querier import check_read_access |
|
31 from cubicweb.server.utils import _CRYPTO_CTX |
31 |
32 |
32 |
33 |
33 class BaseSecurityTC(CubicWebTC): |
34 class BaseSecurityTC(CubicWebTC): |
34 |
35 |
35 def setup_database(self): |
36 def setup_database(self): |
36 super(BaseSecurityTC, self).setup_database() |
37 super(BaseSecurityTC, self).setup_database() |
37 self.create_user(self.request(), 'iaminusersgrouponly') |
38 self.create_user(self.request(), 'iaminusersgrouponly') |
38 |
39 hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt') |
|
40 self.create_user(self.request(), 'oldpassword', password=Binary(hash)) |
39 |
41 |
40 class LowLevelSecurityFunctionTC(BaseSecurityTC): |
42 class LowLevelSecurityFunctionTC(BaseSecurityTC): |
41 |
43 |
42 def test_check_read_access(self): |
44 def test_check_read_access(self): |
43 rql = u'Personne U where U nom "managers"' |
45 rql = u'Personne U where U nom "managers"' |
57 self.execute, 'Any X,P WHERE X is CWUser, X upassword P') |
59 self.execute, 'Any X,P WHERE X is CWUser, X upassword P') |
58 self.rollback() |
60 self.rollback() |
59 with self.login('iaminusersgrouponly') as cu: |
61 with self.login('iaminusersgrouponly') as cu: |
60 self.assertRaises(Unauthorized, |
62 self.assertRaises(Unauthorized, |
61 cu.execute, 'Any X,P WHERE X is CWUser, X upassword P') |
63 cu.execute, 'Any X,P WHERE X is CWUser, X upassword P') |
|
64 |
|
65 def test_update_password(self): |
|
66 """Ensure that if a user's password is stored with a deprecated hash, it will be updated on next login""" |
|
67 oldhash = str(self.session.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE cw_login = 'oldpassword'").fetchone()[0]) |
|
68 with self.login('oldpassword') as cu: |
|
69 pass |
|
70 newhash = str(self.session.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE cw_login = 'oldpassword'").fetchone()[0]) |
|
71 self.assertNotEqual(oldhash, newhash) |
|
72 self.assertTrue(newhash.startswith('$6$')) |
|
73 with self.login('oldpassword') as cu: |
|
74 pass |
|
75 self.assertEqual(newhash, str(self.session.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE cw_login = 'oldpassword'").fetchone()[0])) |
62 |
76 |
63 |
77 |
64 class SecurityRewritingTC(BaseSecurityTC): |
78 class SecurityRewritingTC(BaseSecurityTC): |
65 def hijack_source_execute(self): |
79 def hijack_source_execute(self): |
66 def syntax_tree_search(*args, **kwargs): |
80 def syntax_tree_search(*args, **kwargs): |