2012-12-22 23:00:15 +08:00
|
|
|
# -*- coding: utf-8 -*-
|
2012-06-08 00:08:47 +08:00
|
|
|
from __future__ import unicode_literals
|
|
|
|
|
2013-07-01 20:22:27 +08:00
|
|
|
from unittest import skipUnless
|
|
|
|
|
2014-11-19 04:45:12 +08:00
|
|
|
from django.conf.global_settings import PASSWORD_HASHERS
|
2015-01-28 20:35:27 +08:00
|
|
|
from django.contrib.auth.hashers import (
|
|
|
|
UNUSABLE_PASSWORD_PREFIX, UNUSABLE_PASSWORD_SUFFIX_LENGTH,
|
|
|
|
BasePasswordHasher, PBKDF2PasswordHasher, PBKDF2SHA1PasswordHasher,
|
|
|
|
check_password, get_hasher, identify_hasher, is_password_usable,
|
|
|
|
make_password,
|
|
|
|
)
|
2016-02-14 04:09:46 +08:00
|
|
|
from django.test import SimpleTestCase, mock
|
2014-11-19 04:45:12 +08:00
|
|
|
from django.test.utils import override_settings
|
2013-06-15 17:14:59 +08:00
|
|
|
from django.utils import six
|
2016-02-14 04:09:46 +08:00
|
|
|
from django.utils.encoding import force_bytes
|
2011-12-23 11:53:56 +08:00
|
|
|
|
|
|
|
try:
|
|
|
|
import crypt
|
|
|
|
except ImportError:
|
|
|
|
crypt = None
|
|
|
|
|
|
|
|
try:
|
|
|
|
import bcrypt
|
|
|
|
except ImportError:
|
|
|
|
bcrypt = None
|
|
|
|
|
2015-12-26 20:14:07 +08:00
|
|
|
try:
|
|
|
|
import argon2
|
|
|
|
except ImportError:
|
|
|
|
argon2 = None
|
|
|
|
|
2011-12-23 11:53:56 +08:00
|
|
|
|
2013-11-30 09:49:56 +08:00
|
|
|
class PBKDF2SingleIterationHasher(PBKDF2PasswordHasher):
|
|
|
|
iterations = 1
|
|
|
|
|
|
|
|
|
2014-11-19 04:45:12 +08:00
|
|
|
@override_settings(PASSWORD_HASHERS=PASSWORD_HASHERS)
|
2013-11-30 09:49:56 +08:00
|
|
|
class TestUtilsHashPass(SimpleTestCase):
|
2012-03-30 17:08:29 +08:00
|
|
|
|
2011-12-23 11:53:56 +08:00
|
|
|
def test_simple(self):
|
2012-12-22 23:00:15 +08:00
|
|
|
encoded = make_password('lètmein')
|
2011-12-23 11:53:56 +08:00
|
|
|
self.assertTrue(encoded.startswith('pbkdf2_sha256$'))
|
|
|
|
self.assertTrue(is_password_usable(encoded))
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertTrue(check_password('lètmein', encoded))
|
|
|
|
self.assertFalse(check_password('lètmeinz', encoded))
|
2013-06-18 00:06:26 +08:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password('')
|
|
|
|
self.assertTrue(blank_encoded.startswith('pbkdf2_sha256$'))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password('', blank_encoded))
|
|
|
|
self.assertFalse(check_password(' ', blank_encoded))
|
2011-12-23 11:53:56 +08:00
|
|
|
|
2015-09-20 08:44:37 +08:00
|
|
|
def test_pbkdf2(self):
|
2012-12-22 23:00:15 +08:00
|
|
|
encoded = make_password('lètmein', 'seasalt', 'pbkdf2_sha256')
|
|
|
|
self.assertEqual(encoded,
|
2015-09-20 08:42:44 +08:00
|
|
|
'pbkdf2_sha256$30000$seasalt$VrX+V8drCGo68wlvy6rfu8i1d1pfkdeXA4LJkRGJodY=')
|
2011-12-23 11:53:56 +08:00
|
|
|
self.assertTrue(is_password_usable(encoded))
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertTrue(check_password('lètmein', encoded))
|
|
|
|
self.assertFalse(check_password('lètmeinz', encoded))
|
2012-06-06 17:06:33 +08:00
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "pbkdf2_sha256")
|
2013-06-18 00:06:26 +08:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password('', 'seasalt', 'pbkdf2_sha256')
|
|
|
|
self.assertTrue(blank_encoded.startswith('pbkdf2_sha256$'))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password('', blank_encoded))
|
|
|
|
self.assertFalse(check_password(' ', blank_encoded))
|
2011-12-23 11:53:56 +08:00
|
|
|
|
2016-02-09 03:22:38 +08:00
|
|
|
@override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.SHA1PasswordHasher'])
|
2011-12-23 11:53:56 +08:00
|
|
|
def test_sha1(self):
|
2012-12-22 23:00:15 +08:00
|
|
|
encoded = make_password('lètmein', 'seasalt', 'sha1')
|
|
|
|
self.assertEqual(encoded,
|
|
|
|
'sha1$seasalt$cff36ea83f5706ce9aa7454e63e431fc726b2dc8')
|
2011-12-23 11:53:56 +08:00
|
|
|
self.assertTrue(is_password_usable(encoded))
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertTrue(check_password('lètmein', encoded))
|
|
|
|
self.assertFalse(check_password('lètmeinz', encoded))
|
2012-06-06 17:06:33 +08:00
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "sha1")
|
2013-06-18 00:06:26 +08:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password('', 'seasalt', 'sha1')
|
|
|
|
self.assertTrue(blank_encoded.startswith('sha1$'))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password('', blank_encoded))
|
|
|
|
self.assertFalse(check_password(' ', blank_encoded))
|
2011-12-23 11:53:56 +08:00
|
|
|
|
2016-02-09 03:22:38 +08:00
|
|
|
@override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.MD5PasswordHasher'])
|
2011-12-23 11:53:56 +08:00
|
|
|
def test_md5(self):
|
2012-12-22 23:00:15 +08:00
|
|
|
encoded = make_password('lètmein', 'seasalt', 'md5')
|
2013-02-26 03:01:57 +08:00
|
|
|
self.assertEqual(encoded,
|
2012-12-22 23:00:15 +08:00
|
|
|
'md5$seasalt$3f86d0d3d465b7b458c231bf3555c0e3')
|
2012-03-01 04:12:16 +08:00
|
|
|
self.assertTrue(is_password_usable(encoded))
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertTrue(check_password('lètmein', encoded))
|
|
|
|
self.assertFalse(check_password('lètmeinz', encoded))
|
2012-06-06 17:06:33 +08:00
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "md5")
|
2013-06-18 00:06:26 +08:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password('', 'seasalt', 'md5')
|
|
|
|
self.assertTrue(blank_encoded.startswith('md5$'))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password('', blank_encoded))
|
|
|
|
self.assertFalse(check_password(' ', blank_encoded))
|
2012-03-01 04:12:16 +08:00
|
|
|
|
2016-02-09 03:22:38 +08:00
|
|
|
@override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.UnsaltedMD5PasswordHasher'])
|
2012-03-01 04:12:16 +08:00
|
|
|
def test_unsalted_md5(self):
|
2013-02-26 03:01:57 +08:00
|
|
|
encoded = make_password('lètmein', '', 'unsalted_md5')
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertEqual(encoded, '88a434c88cca4e900f7874cd98123f43')
|
2011-12-23 11:53:56 +08:00
|
|
|
self.assertTrue(is_password_usable(encoded))
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertTrue(check_password('lètmein', encoded))
|
|
|
|
self.assertFalse(check_password('lètmeinz', encoded))
|
2012-06-06 17:06:33 +08:00
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "unsalted_md5")
|
2013-02-02 18:57:25 +08:00
|
|
|
# Alternate unsalted syntax
|
|
|
|
alt_encoded = "md5$$%s" % encoded
|
|
|
|
self.assertTrue(is_password_usable(alt_encoded))
|
|
|
|
self.assertTrue(check_password('lètmein', alt_encoded))
|
|
|
|
self.assertFalse(check_password('lètmeinz', alt_encoded))
|
2013-06-18 00:06:26 +08:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password('', '', 'unsalted_md5')
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password('', blank_encoded))
|
|
|
|
self.assertFalse(check_password(' ', blank_encoded))
|
2011-12-23 11:53:56 +08:00
|
|
|
|
2016-02-09 03:22:38 +08:00
|
|
|
@override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher'])
|
2013-02-26 03:01:57 +08:00
|
|
|
def test_unsalted_sha1(self):
|
|
|
|
encoded = make_password('lètmein', '', 'unsalted_sha1')
|
|
|
|
self.assertEqual(encoded, 'sha1$$6d138ca3ae545631b3abd71a4f076ce759c5700b')
|
|
|
|
self.assertTrue(is_password_usable(encoded))
|
|
|
|
self.assertTrue(check_password('lètmein', encoded))
|
|
|
|
self.assertFalse(check_password('lètmeinz', encoded))
|
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "unsalted_sha1")
|
|
|
|
# Raw SHA1 isn't acceptable
|
|
|
|
alt_encoded = encoded[6:]
|
|
|
|
self.assertFalse(check_password('lètmein', alt_encoded))
|
2013-06-18 00:06:26 +08:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password('', '', 'unsalted_sha1')
|
|
|
|
self.assertTrue(blank_encoded.startswith('sha1$'))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password('', blank_encoded))
|
|
|
|
self.assertFalse(check_password(' ', blank_encoded))
|
2013-02-26 03:01:57 +08:00
|
|
|
|
2011-12-23 11:53:56 +08:00
|
|
|
@skipUnless(crypt, "no crypt module to generate password.")
|
2016-02-09 03:22:38 +08:00
|
|
|
@override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.CryptPasswordHasher'])
|
2011-12-23 11:53:56 +08:00
|
|
|
def test_crypt(self):
|
2012-12-22 23:00:15 +08:00
|
|
|
encoded = make_password('lètmei', 'ab', 'crypt')
|
|
|
|
self.assertEqual(encoded, 'crypt$$ab1Hv2Lg7ltQo')
|
2011-12-23 11:53:56 +08:00
|
|
|
self.assertTrue(is_password_usable(encoded))
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertTrue(check_password('lètmei', encoded))
|
|
|
|
self.assertFalse(check_password('lètmeiz', encoded))
|
2012-06-06 17:06:33 +08:00
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "crypt")
|
2013-06-18 00:06:26 +08:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password('', 'ab', 'crypt')
|
|
|
|
self.assertTrue(blank_encoded.startswith('crypt$'))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password('', blank_encoded))
|
|
|
|
self.assertFalse(check_password(' ', blank_encoded))
|
2011-12-23 11:53:56 +08:00
|
|
|
|
2013-05-14 11:39:50 +08:00
|
|
|
@skipUnless(bcrypt, "bcrypt not installed")
|
2013-03-26 23:44:26 +08:00
|
|
|
def test_bcrypt_sha256(self):
|
|
|
|
encoded = make_password('lètmein', hasher='bcrypt_sha256')
|
|
|
|
self.assertTrue(is_password_usable(encoded))
|
|
|
|
self.assertTrue(encoded.startswith('bcrypt_sha256$'))
|
|
|
|
self.assertTrue(check_password('lètmein', encoded))
|
|
|
|
self.assertFalse(check_password('lètmeinz', encoded))
|
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "bcrypt_sha256")
|
|
|
|
|
|
|
|
# Verify that password truncation no longer works
|
|
|
|
password = ('VSK0UYV6FFQVZ0KG88DYN9WADAADZO1CTSIVDJUNZSUML6IBX7LN7ZS3R5'
|
|
|
|
'JGB3RGZ7VI7G7DJQ9NI8BQFSRPTG6UWTTVESA5ZPUN')
|
|
|
|
encoded = make_password(password, hasher='bcrypt_sha256')
|
|
|
|
self.assertTrue(check_password(password, encoded))
|
|
|
|
self.assertFalse(check_password(password[:72], encoded))
|
2013-06-18 00:06:26 +08:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password('', hasher='bcrypt_sha256')
|
|
|
|
self.assertTrue(blank_encoded.startswith('bcrypt_sha256$'))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password('', blank_encoded))
|
|
|
|
self.assertFalse(check_password(' ', blank_encoded))
|
2013-03-26 23:44:26 +08:00
|
|
|
|
2013-05-14 11:39:50 +08:00
|
|
|
@skipUnless(bcrypt, "bcrypt not installed")
|
2011-12-23 11:53:56 +08:00
|
|
|
def test_bcrypt(self):
|
2012-12-22 23:00:15 +08:00
|
|
|
encoded = make_password('lètmein', hasher='bcrypt')
|
2011-12-23 11:53:56 +08:00
|
|
|
self.assertTrue(is_password_usable(encoded))
|
|
|
|
self.assertTrue(encoded.startswith('bcrypt$'))
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertTrue(check_password('lètmein', encoded))
|
|
|
|
self.assertFalse(check_password('lètmeinz', encoded))
|
2012-06-06 17:06:33 +08:00
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "bcrypt")
|
2013-06-18 00:06:26 +08:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password('', hasher='bcrypt')
|
|
|
|
self.assertTrue(blank_encoded.startswith('bcrypt$'))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password('', blank_encoded))
|
|
|
|
self.assertFalse(check_password(' ', blank_encoded))
|
2011-12-23 11:53:56 +08:00
|
|
|
|
2015-02-27 03:04:24 +08:00
|
|
|
@skipUnless(bcrypt, "bcrypt not installed")
|
|
|
|
def test_bcrypt_upgrade(self):
|
|
|
|
hasher = get_hasher('bcrypt')
|
|
|
|
self.assertEqual('bcrypt', hasher.algorithm)
|
|
|
|
self.assertNotEqual(hasher.rounds, 4)
|
|
|
|
|
|
|
|
old_rounds = hasher.rounds
|
|
|
|
try:
|
|
|
|
# Generate a password with 4 rounds.
|
|
|
|
hasher.rounds = 4
|
|
|
|
encoded = make_password('letmein', hasher='bcrypt')
|
|
|
|
rounds = hasher.safe_summary(encoded)['work factor']
|
|
|
|
self.assertEqual(rounds, '04')
|
|
|
|
|
|
|
|
state = {'upgraded': False}
|
|
|
|
|
|
|
|
def setter(password):
|
|
|
|
state['upgraded'] = True
|
|
|
|
|
|
|
|
# Check that no upgrade is triggered.
|
|
|
|
self.assertTrue(check_password('letmein', encoded, setter, 'bcrypt'))
|
|
|
|
self.assertFalse(state['upgraded'])
|
|
|
|
|
|
|
|
# Revert to the old rounds count and ...
|
|
|
|
hasher.rounds = old_rounds
|
|
|
|
|
|
|
|
# ... check if the password would get updated to the new count.
|
|
|
|
self.assertTrue(check_password('letmein', encoded, setter, 'bcrypt'))
|
|
|
|
self.assertTrue(state['upgraded'])
|
|
|
|
finally:
|
|
|
|
hasher.rounds = old_rounds
|
|
|
|
|
2016-02-14 04:09:46 +08:00
|
|
|
@skipUnless(bcrypt, "bcrypt not installed")
|
|
|
|
def test_bcrypt_harden_runtime(self):
|
|
|
|
hasher = get_hasher('bcrypt')
|
|
|
|
self.assertEqual('bcrypt', hasher.algorithm)
|
|
|
|
|
|
|
|
with mock.patch.object(hasher, 'rounds', 4):
|
|
|
|
encoded = make_password('letmein', hasher='bcrypt')
|
|
|
|
|
|
|
|
with mock.patch.object(hasher, 'rounds', 6), \
|
|
|
|
mock.patch.object(hasher, 'encode', side_effect=hasher.encode):
|
|
|
|
hasher.harden_runtime('wrong_password', encoded)
|
|
|
|
|
|
|
|
# Increasing rounds from 4 to 6 means an increase of 4 in workload,
|
|
|
|
# therefore hardening should run 3 times to make the timing the
|
|
|
|
# same (the original encode() call already ran once).
|
|
|
|
self.assertEqual(hasher.encode.call_count, 3)
|
|
|
|
|
|
|
|
# Get the original salt (includes the original workload factor)
|
|
|
|
algorithm, data = encoded.split('$', 1)
|
|
|
|
expected_call = (('wrong_password', force_bytes(data[:29])),)
|
|
|
|
self.assertEqual(hasher.encode.call_args_list, [expected_call] * 3)
|
|
|
|
|
2011-12-23 11:53:56 +08:00
|
|
|
def test_unusable(self):
|
|
|
|
encoded = make_password(None)
|
2013-06-19 02:02:00 +08:00
|
|
|
self.assertEqual(len(encoded), len(UNUSABLE_PASSWORD_PREFIX) + UNUSABLE_PASSWORD_SUFFIX_LENGTH)
|
2011-12-23 11:53:56 +08:00
|
|
|
self.assertFalse(is_password_usable(encoded))
|
|
|
|
self.assertFalse(check_password(None, encoded))
|
2013-06-19 02:02:00 +08:00
|
|
|
self.assertFalse(check_password(encoded, encoded))
|
|
|
|
self.assertFalse(check_password(UNUSABLE_PASSWORD_PREFIX, encoded))
|
2011-12-23 11:53:56 +08:00
|
|
|
self.assertFalse(check_password('', encoded))
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertFalse(check_password('lètmein', encoded))
|
|
|
|
self.assertFalse(check_password('lètmeinz', encoded))
|
2016-01-17 19:26:39 +08:00
|
|
|
with self.assertRaises(ValueError):
|
|
|
|
identify_hasher(encoded)
|
2013-06-19 02:02:00 +08:00
|
|
|
# Assert that the unusable passwords actually contain a random part.
|
|
|
|
# This might fail one day due to a hash collision.
|
|
|
|
self.assertNotEqual(encoded, make_password(None), "Random password collision?")
|
2011-12-23 11:53:56 +08:00
|
|
|
|
2013-07-04 01:13:47 +08:00
|
|
|
def test_unspecified_password(self):
|
|
|
|
"""
|
|
|
|
Makes sure specifying no plain password with a valid encoded password
|
|
|
|
returns `False`.
|
|
|
|
"""
|
|
|
|
self.assertFalse(check_password(None, make_password('lètmein')))
|
|
|
|
|
2011-12-23 11:53:56 +08:00
|
|
|
def test_bad_algorithm(self):
|
2013-06-14 22:19:53 +08:00
|
|
|
with self.assertRaises(ValueError):
|
2012-12-22 23:00:15 +08:00
|
|
|
make_password('lètmein', hasher='lolcat')
|
2016-01-17 19:26:39 +08:00
|
|
|
with self.assertRaises(ValueError):
|
|
|
|
identify_hasher('lolcat$salt$hash')
|
2011-12-23 11:53:56 +08:00
|
|
|
|
2012-09-12 17:21:58 +08:00
|
|
|
def test_bad_encoded(self):
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertFalse(is_password_usable('lètmein_badencoded'))
|
2012-09-12 17:21:58 +08:00
|
|
|
self.assertFalse(is_password_usable(''))
|
|
|
|
|
2015-09-20 08:44:37 +08:00
|
|
|
def test_low_level_pbkdf2(self):
|
2011-12-23 11:53:56 +08:00
|
|
|
hasher = PBKDF2PasswordHasher()
|
2013-09-20 00:39:43 +08:00
|
|
|
encoded = hasher.encode('lètmein', 'seasalt2')
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertEqual(encoded,
|
2015-09-20 08:42:44 +08:00
|
|
|
'pbkdf2_sha256$30000$seasalt2$a75qzbogeVhNFeMqhdgyyoqGKpIzYUo651sq57RERew=')
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertTrue(hasher.verify('lètmein', encoded))
|
2011-12-23 11:53:56 +08:00
|
|
|
|
|
|
|
def test_low_level_pbkdf2_sha1(self):
|
|
|
|
hasher = PBKDF2SHA1PasswordHasher()
|
2013-09-20 00:39:43 +08:00
|
|
|
encoded = hasher.encode('lètmein', 'seasalt2')
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertEqual(encoded,
|
2015-09-20 08:42:44 +08:00
|
|
|
'pbkdf2_sha1$30000$seasalt2$pMzU1zNPcydf6wjnJFbiVKwgULc=')
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertTrue(hasher.verify('lètmein', encoded))
|
2011-12-23 11:53:56 +08:00
|
|
|
|
2016-02-09 03:22:38 +08:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=[
|
|
|
|
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
|
|
|
|
'django.contrib.auth.hashers.SHA1PasswordHasher',
|
|
|
|
'django.contrib.auth.hashers.MD5PasswordHasher',
|
|
|
|
],
|
|
|
|
)
|
2011-12-23 11:53:56 +08:00
|
|
|
def test_upgrade(self):
|
|
|
|
self.assertEqual('pbkdf2_sha256', get_hasher('default').algorithm)
|
|
|
|
for algo in ('sha1', 'md5'):
|
2012-12-22 23:00:15 +08:00
|
|
|
encoded = make_password('lètmein', hasher=algo)
|
2011-12-23 11:53:56 +08:00
|
|
|
state = {'upgraded': False}
|
2013-10-22 18:21:07 +08:00
|
|
|
|
2011-12-23 11:53:56 +08:00
|
|
|
def setter(password):
|
|
|
|
state['upgraded'] = True
|
2012-12-22 23:00:15 +08:00
|
|
|
self.assertTrue(check_password('lètmein', encoded, setter))
|
2011-12-23 11:53:56 +08:00
|
|
|
self.assertTrue(state['upgraded'])
|
|
|
|
|
|
|
|
def test_no_upgrade(self):
|
2012-12-22 23:00:15 +08:00
|
|
|
encoded = make_password('lètmein')
|
2011-12-23 11:53:56 +08:00
|
|
|
state = {'upgraded': False}
|
2013-10-22 18:21:07 +08:00
|
|
|
|
2011-12-23 11:53:56 +08:00
|
|
|
def setter():
|
|
|
|
state['upgraded'] = True
|
|
|
|
self.assertFalse(check_password('WRONG', encoded, setter))
|
|
|
|
self.assertFalse(state['upgraded'])
|
|
|
|
|
2016-02-09 03:22:38 +08:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=[
|
|
|
|
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
|
|
|
|
'django.contrib.auth.hashers.SHA1PasswordHasher',
|
|
|
|
'django.contrib.auth.hashers.MD5PasswordHasher',
|
|
|
|
],
|
|
|
|
)
|
2011-12-23 11:53:56 +08:00
|
|
|
def test_no_upgrade_on_incorrect_pass(self):
|
|
|
|
self.assertEqual('pbkdf2_sha256', get_hasher('default').algorithm)
|
|
|
|
for algo in ('sha1', 'md5'):
|
2012-12-22 23:00:15 +08:00
|
|
|
encoded = make_password('lètmein', hasher=algo)
|
2011-12-23 11:53:56 +08:00
|
|
|
state = {'upgraded': False}
|
2013-10-22 18:21:07 +08:00
|
|
|
|
2011-12-23 11:53:56 +08:00
|
|
|
def setter():
|
|
|
|
state['upgraded'] = True
|
|
|
|
self.assertFalse(check_password('WRONG', encoded, setter))
|
|
|
|
self.assertFalse(state['upgraded'])
|
2013-06-14 22:19:53 +08:00
|
|
|
|
2013-09-25 02:52:20 +08:00
|
|
|
def test_pbkdf2_upgrade(self):
|
|
|
|
hasher = get_hasher('default')
|
2014-11-19 04:45:12 +08:00
|
|
|
self.assertEqual('pbkdf2_sha256', hasher.algorithm)
|
2013-09-25 02:52:20 +08:00
|
|
|
self.assertNotEqual(hasher.iterations, 1)
|
|
|
|
|
|
|
|
old_iterations = hasher.iterations
|
|
|
|
try:
|
|
|
|
# Generate a password with 1 iteration.
|
|
|
|
hasher.iterations = 1
|
|
|
|
encoded = make_password('letmein')
|
|
|
|
algo, iterations, salt, hash = encoded.split('$', 3)
|
|
|
|
self.assertEqual(iterations, '1')
|
|
|
|
|
|
|
|
state = {'upgraded': False}
|
2013-10-22 18:21:07 +08:00
|
|
|
|
2013-09-25 02:52:20 +08:00
|
|
|
def setter(password):
|
|
|
|
state['upgraded'] = True
|
|
|
|
|
2015-01-20 22:54:12 +08:00
|
|
|
# Check that no upgrade is triggered
|
2013-09-25 02:52:20 +08:00
|
|
|
self.assertTrue(check_password('letmein', encoded, setter))
|
|
|
|
self.assertFalse(state['upgraded'])
|
|
|
|
|
|
|
|
# Revert to the old iteration count and ...
|
|
|
|
hasher.iterations = old_iterations
|
|
|
|
|
|
|
|
# ... check if the password would get updated to the new iteration count.
|
|
|
|
self.assertTrue(check_password('letmein', encoded, setter))
|
|
|
|
self.assertTrue(state['upgraded'])
|
|
|
|
finally:
|
|
|
|
hasher.iterations = old_iterations
|
|
|
|
|
2016-02-14 04:09:46 +08:00
|
|
|
def test_pbkdf2_harden_runtime(self):
|
|
|
|
hasher = get_hasher('default')
|
|
|
|
self.assertEqual('pbkdf2_sha256', hasher.algorithm)
|
|
|
|
|
|
|
|
with mock.patch.object(hasher, 'iterations', 1):
|
|
|
|
encoded = make_password('letmein')
|
|
|
|
|
|
|
|
with mock.patch.object(hasher, 'iterations', 6), \
|
|
|
|
mock.patch.object(hasher, 'encode', side_effect=hasher.encode):
|
|
|
|
hasher.harden_runtime('wrong_password', encoded)
|
|
|
|
|
|
|
|
# Encode should get called once ...
|
|
|
|
self.assertEqual(hasher.encode.call_count, 1)
|
|
|
|
|
|
|
|
# ... with the original salt and 5 iterations.
|
|
|
|
algorithm, iterations, salt, hash = encoded.split('$', 3)
|
|
|
|
expected_call = (('wrong_password', salt, 5),)
|
|
|
|
self.assertEqual(hasher.encode.call_args, expected_call)
|
|
|
|
|
2013-11-30 09:49:56 +08:00
|
|
|
def test_pbkdf2_upgrade_new_hasher(self):
|
|
|
|
hasher = get_hasher('default')
|
2014-11-19 04:45:12 +08:00
|
|
|
self.assertEqual('pbkdf2_sha256', hasher.algorithm)
|
2013-11-30 09:49:56 +08:00
|
|
|
self.assertNotEqual(hasher.iterations, 1)
|
|
|
|
|
|
|
|
state = {'upgraded': False}
|
|
|
|
|
|
|
|
def setter(password):
|
|
|
|
state['upgraded'] = True
|
|
|
|
|
|
|
|
with self.settings(PASSWORD_HASHERS=[
|
2015-02-10 22:17:08 +08:00
|
|
|
'auth_tests.test_hashers.PBKDF2SingleIterationHasher']):
|
2013-11-30 09:49:56 +08:00
|
|
|
encoded = make_password('letmein')
|
|
|
|
algo, iterations, salt, hash = encoded.split('$', 3)
|
|
|
|
self.assertEqual(iterations, '1')
|
|
|
|
|
2015-01-20 22:54:12 +08:00
|
|
|
# Check that no upgrade is triggered
|
2013-11-30 09:49:56 +08:00
|
|
|
self.assertTrue(check_password('letmein', encoded, setter))
|
|
|
|
self.assertFalse(state['upgraded'])
|
|
|
|
|
|
|
|
# Revert to the old iteration count and check if the password would get
|
|
|
|
# updated to the new iteration count.
|
|
|
|
with self.settings(PASSWORD_HASHERS=[
|
|
|
|
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
|
2015-02-10 22:17:08 +08:00
|
|
|
'auth_tests.test_hashers.PBKDF2SingleIterationHasher']):
|
2013-11-30 09:49:56 +08:00
|
|
|
self.assertTrue(check_password('letmein', encoded, setter))
|
|
|
|
self.assertTrue(state['upgraded'])
|
|
|
|
|
2016-02-14 04:09:46 +08:00
|
|
|
def test_check_password_calls_harden_runtime(self):
|
|
|
|
hasher = get_hasher('default')
|
|
|
|
encoded = make_password('letmein')
|
|
|
|
|
|
|
|
with mock.patch.object(hasher, 'harden_runtime'), \
|
|
|
|
mock.patch.object(hasher, 'must_update', return_value=True):
|
|
|
|
# Correct password supplied, no hardening needed
|
|
|
|
check_password('letmein', encoded)
|
|
|
|
self.assertEqual(hasher.harden_runtime.call_count, 0)
|
|
|
|
|
|
|
|
# Wrong password supplied, hardening needed
|
|
|
|
check_password('wrong_password', encoded)
|
|
|
|
self.assertEqual(hasher.harden_runtime.call_count, 1)
|
|
|
|
|
2013-06-14 22:19:53 +08:00
|
|
|
def test_load_library_no_algorithm(self):
|
|
|
|
with self.assertRaises(ValueError) as e:
|
|
|
|
BasePasswordHasher()._load_library()
|
|
|
|
self.assertEqual("Hasher 'BasePasswordHasher' doesn't specify a "
|
|
|
|
"library attribute", str(e.exception))
|
|
|
|
|
|
|
|
def test_load_library_importerror(self):
|
|
|
|
PlainHasher = type(str('PlainHasher'), (BasePasswordHasher,),
|
|
|
|
{'algorithm': 'plain', 'library': 'plain'})
|
2015-06-15 21:43:35 +08:00
|
|
|
# Python 3 adds quotes around module name
|
2013-06-15 17:14:59 +08:00
|
|
|
with six.assertRaisesRegex(self, ValueError,
|
|
|
|
"Couldn't load 'PlainHasher' algorithm library: No module named '?plain'?"):
|
2013-06-14 22:19:53 +08:00
|
|
|
PlainHasher()._load_library()
|
2015-12-26 20:14:07 +08:00
|
|
|
|
|
|
|
|
|
|
|
@skipUnless(argon2, "argon2-cffi not installed")
|
|
|
|
@override_settings(PASSWORD_HASHERS=PASSWORD_HASHERS)
|
|
|
|
class TestUtilsHashPassArgon2(SimpleTestCase):
|
|
|
|
|
|
|
|
def test_argon2(self):
|
|
|
|
encoded = make_password('lètmein', hasher='argon2')
|
|
|
|
self.assertTrue(is_password_usable(encoded))
|
|
|
|
self.assertTrue(encoded.startswith('argon2$'))
|
|
|
|
self.assertTrue(check_password('lètmein', encoded))
|
|
|
|
self.assertFalse(check_password('lètmeinz', encoded))
|
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, 'argon2')
|
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password('', hasher='argon2')
|
|
|
|
self.assertTrue(blank_encoded.startswith('argon2$'))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password('', blank_encoded))
|
|
|
|
self.assertFalse(check_password(' ', blank_encoded))
|
|
|
|
|
|
|
|
def test_argon2_upgrade(self):
|
|
|
|
self._test_argon2_upgrade('time_cost', 'time cost', 1)
|
|
|
|
self._test_argon2_upgrade('memory_cost', 'memory cost', 16)
|
|
|
|
self._test_argon2_upgrade('parallelism', 'parallelism', 1)
|
|
|
|
|
|
|
|
def _test_argon2_upgrade(self, attr, summary_key, new_value):
|
|
|
|
hasher = get_hasher('argon2')
|
|
|
|
self.assertEqual('argon2', hasher.algorithm)
|
|
|
|
self.assertNotEqual(getattr(hasher, attr), new_value)
|
|
|
|
|
|
|
|
old_value = getattr(hasher, attr)
|
|
|
|
try:
|
|
|
|
# Generate hash with attr set to 1
|
|
|
|
setattr(hasher, attr, new_value)
|
|
|
|
encoded = make_password('letmein', hasher='argon2')
|
|
|
|
attr_value = hasher.safe_summary(encoded)[summary_key]
|
|
|
|
self.assertEqual(attr_value, new_value)
|
|
|
|
|
|
|
|
state = {'upgraded': False}
|
|
|
|
|
|
|
|
def setter(password):
|
|
|
|
state['upgraded'] = True
|
|
|
|
|
|
|
|
# Check that no upgrade is triggered.
|
|
|
|
self.assertTrue(check_password('letmein', encoded, setter, 'argon2'))
|
|
|
|
self.assertFalse(state['upgraded'])
|
|
|
|
|
|
|
|
# Revert to the old rounds count and ...
|
|
|
|
setattr(hasher, attr, old_value)
|
|
|
|
|
|
|
|
# ... check if the password would get updated to the new count.
|
|
|
|
self.assertTrue(check_password('letmein', encoded, setter, 'argon2'))
|
|
|
|
self.assertTrue(state['upgraded'])
|
|
|
|
finally:
|
|
|
|
setattr(hasher, attr, old_value)
|