diff options
author | Eli Collins <elic@assurancetechnologies.com> | 2012-04-27 02:30:21 -0400 |
---|---|---|
committer | Eli Collins <elic@assurancetechnologies.com> | 2012-04-27 02:30:21 -0400 |
commit | 7a0d65a5a6d61a976daf311fec63171df49ecb37 (patch) | |
tree | a7ef0ea2fdb19e41edd2279a73269435ce8db740 /passlib/tests | |
parent | a01c5e6e1d1a1d770d431702882de49faa586075 (diff) | |
download | passlib-7a0d65a5a6d61a976daf311fec63171df49ecb37.tar.gz |
added support for the new Django 1.4 hash formats
- updated salt handling of the existing django hashes, in a way which should be backwards compatible w/ django 1.0
- UTs now test Django hasher output against passlib handlers (reverse was already being done)
- refactor of fuzz testing to reuse some of the methods.
Diffstat (limited to 'passlib/tests')
-rw-r--r-- | passlib/tests/test_handlers.py | 149 | ||||
-rw-r--r-- | passlib/tests/utils.py | 33 |
2 files changed, 162 insertions, 20 deletions
diff --git a/passlib/tests/test_handlers.py b/passlib/tests/test_handlers.py index 4e7c040..81a67fd 100644 --- a/passlib/tests/test_handlers.py +++ b/passlib/tests/test_handlers.py @@ -678,27 +678,64 @@ class _DjangoHelper(object): # NOTE: not testing against Django < 1.0 since it doesn't support # most of these hash formats. + # flag if hash wasn't added until Django 1.4 + requires14 = False + def fuzz_verifier_django(self): - from passlib.tests.test_ext_django import has_django1 + from passlib.tests.test_ext_django import has_django1, has_django14 if not has_django1: return None + if self.requires14 and not has_django14: + return None from django.contrib.auth.models import check_password def verify_django(secret, hash): - "django check_password()" + "django/check_password" + if has_django14 and not secret: + return "skip" + if self.handler.name == "django_bcrypt" and hash.startswith("bcrypt$$2y$"): + hash = hash.replace("$$2y$", "$$2a$") return check_password(secret, hash) return verify_django def test_90_django_reference(self): "run known correct hashes through Django's check_password()" - if not self.known_correct_hashes: - return self.skipTest("no known correct hashes specified") - from passlib.tests.test_ext_django import has_django1 + from passlib.tests.test_ext_django import has_django1, has_django14 + if self.requires14 and not has_django14: + raise self.skipTest("Django >= 1.4 not installed") if not has_django1: - return self.skipTest("Django >= 1.0 not installed") + raise self.skipTest("Django >= 1.0 not installed") from django.contrib.auth.models import check_password + assert self.known_correct_hashes for secret, hash in self.iter_known_hashes(): - self.assertTrue(check_password(secret, hash)) - self.assertFalse(check_password('x' + secret, hash)) + if has_django14 and not secret: + # django 1.4 rejects empty passwords + self.assertFalse(check_password(secret, hash), + "empty string should not have verified") + continue + self.assertTrue(check_password(secret, hash), + "secret=%r hash=%r failed to verify" % + (secret, hash)) + self.assertFalse(check_password('x' + secret, hash), + "mangled secret=%r hash=%r incorrect verified" % + (secret, hash)) + + def test_91_django_generation(self): + "test against output of Django's make_password()" + from passlib.tests.test_ext_django import has_django14 + if not has_django14: + raise self.skipTest("Django >= 1.4 not installed") + from passlib.utils import tick + from django.contrib.auth.hashers import make_password + name = self.handler.django_name # set for all the django_* handlers + end = tick() + self.max_fuzz_time/2 + while tick() < end: + secret, other = self.get_fuzz_password_pair() + if not secret: # django 1.4 rejects empty passwords. + continue + hash = make_password(secret, hasher=name) + self.assertTrue(self.do_identify(hash)) + self.assertTrue(self.do_verify(secret, hash)) + self.assertFalse(self.do_verify(other, hash)) class django_disabled_test(HandlerCase): "test django_disabled" @@ -732,6 +769,12 @@ class django_des_crypt_test(HandlerCase, _DjangoHelper): ("foo", 'crypt$MNVY.9ajgdvDQ$MNVY.9ajgdvDQ'), ] + known_alternate_hashes = [ + # ensure django 1.4 empty salt field is accepted; + # but that salt field is re-filled (for django 1.0 compatibility) + ('crypt$$c2M87q...WWcU', "password", 'crypt$c2$c2M87q...WWcU'), + ] + known_unidentified_hashes = [ 'sha1$aa$bb', ] @@ -741,11 +784,9 @@ class django_des_crypt_test(HandlerCase, _DjangoHelper): 'crypt$c2$c2M87q', # salt must be >2 - 'crypt$$c2M87q...WWcU', 'crypt$f$c2M87q...WWcU', - # this format duplicates salt inside checksum, - # reject any where the two copies don't match + # make sure first 2 chars of salt & chk field agree. 'crypt$ffe86$c2M87q...WWcU', ] @@ -757,6 +798,9 @@ class django_salted_md5_test(HandlerCase, _DjangoHelper): # test extra large salt ("password", 'md5$123abcdef$c8272612932975ee80e8a35995708e80'), + # test django 1.4 alphanumeric salt + ("test", 'md5$3OpqnFAHW5CT$54b29300675271049a1ebae07b395e20'), + # ensures utf-8 used for unicode (UPASS_USD, 'md5$c2e86$92105508419a81a6babfaecf876a2fa0'), (UPASS_TABLE, 'md5$d9eb8$01495b32852bffb27cf5d4394fe7a54c'), @@ -779,6 +823,9 @@ class django_salted_sha1_test(HandlerCase, _DjangoHelper): # test extra large salt ("password",'sha1$123abcdef$e4a1877b0e35c47329e7ed7e58014276168a37ba'), + # test django 1.4 alphanumeric salt + ("test", 'sha1$bcwHF9Hy8lxS$6b4cfa0651b43161c6f1471ce9523acf1f751ba3'), + # ensures utf-8 used for unicode (UPASS_USD, 'sha1$c2e86$0f75c5d7fbd100d587c127ef0b693cde611b4ada'), (UPASS_TABLE, 'sha1$6d853$ef13a4d8fb57aed0cb573fe9c82e28dc7fd372d4'), @@ -796,6 +843,82 @@ class django_salted_sha1_test(HandlerCase, _DjangoHelper): 'sha1$c2e86$0f75', ] +class django_pbkdf2_sha256_test(HandlerCase, _DjangoHelper): + "test django_pbkdf2_sha256" + handler = hash.django_pbkdf2_sha256 + requires14 = True + + known_correct_hashes = [ + # + # custom - generated via django 1.4 hasher + # + ('not a password', + 'pbkdf2_sha256$10000$kjVJaVz6qsnJ$5yPHw3rwJGECpUf70daLGhOrQ5+AMxIJdz1c3bqK1Rs='), + (UPASS_TABLE, + 'pbkdf2_sha256$10000$bEwAfNrH1TlQ$OgYUblFNUX1B8GfMqaCYUK/iHyO0pa7STTDdaEJBuY0='), + ] + +class django_pbkdf2_sha1_test(HandlerCase, _DjangoHelper): + "test django_pbkdf2_sha1" + handler = hash.django_pbkdf2_sha1 + requires14 = True + + known_correct_hashes = [ + # + # custom - generated via django 1.4 hashers + # + ('not a password', + 'pbkdf2_sha1$10000$wz5B6WkasRoF$atJmJ1o+XfJxKq1+Nu1f1i57Z5I='), + (UPASS_TABLE, + 'pbkdf2_sha1$10000$KZKWwvqb8BfL$rw5pWsxJEU4JrZAQhHTCO+u0f5Y='), + ] + +class django_bcrypt_test(HandlerCase, _DjangoHelper): + "test django_bcrypt" + handler = hash.django_bcrypt + secret_size = 72 + requires14 = True + + known_correct_hashes = [ + # + # just copied and adapted a few test vectors from bcrypt (above), + # since django_bcrypt is just a wrapper for the real bcrypt class. + # + ('', 'bcrypt$$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s.'), + ('abcdefghijklmnopqrstuvwxyz', + 'bcrypt$$2a$10$fVH8e28OQRj9tqiDXs1e1uxpsjN0c7II7YPKXua2NAKYvM6iQk7dq'), + (UPASS_TABLE, + 'bcrypt$$2a$05$Z17AXnnlpzddNUvnC6cZNOSwMA/8oNiKnHTHTwLlBijfucQQlHjaG'), + ] + + # NOTE: the following have been cloned from _bcrypt_test() + + def do_genconfig(self, **kwds): + # override default to speed up tests + kwds.setdefault("rounds", 5) + + # correct unused bits in provided salts, to silence some warnings. + if 'salt' in kwds: + from passlib.utils import bcrypt64 + kwds['salt'] = bcrypt64.repair_unused(kwds['salt']) + return self.handler.genconfig(**kwds) + + def do_encrypt(self, secret, **kwds): + # override default to speed up tests + kwds.setdefault("rounds", 5) + return self.handler.encrypt(secret, **kwds) + + def get_fuzz_rounds(self): + # decrease default rounds for fuzz testing to speed up volume. + return randintgauss(5, 8, 6, 1) + + def get_fuzz_ident(self): + ident = super(django_bcrypt_test,self).get_fuzz_ident() + if ident == u("$2x$"): + # just recognized, not currently supported. + return None + return ident + #========================================================= #fshp #========================================================= @@ -888,7 +1011,7 @@ class hex_md4_test(HandlerCase): (UPASS_TABLE, '876078368c47817ce5f9115f3a42cf74'), ] -class hex_md5_test(HandlerCase): +class hex_md5_test(HandlerCase, _DjangoHelper): handler = hash.hex_md5 known_correct_hashes = [ ("password", '5f4dcc3b5aa765d61d8327deb882cf99'), @@ -2534,5 +2657,5 @@ class unix_fallback_test(HandlerCase): self.assertFalse(h.verify('password',c)) #========================================================= -#EOF +# eof #========================================================= diff --git a/passlib/tests/utils.py b/passlib/tests/utils.py index aec23e8..35a7b50 100644 --- a/passlib/tests/utils.py +++ b/passlib/tests/utils.py @@ -979,6 +979,7 @@ class HandlerCase(TestCase): @property def salt_bits(self): "calculate number of salt bits in hash" + # XXX: replace this with bitsize() method? handler = self.handler assert has_salt_info(handler), "need explicit bit-size for " + handler.name from math import log @@ -1604,6 +1605,10 @@ class HandlerCase(TestCase): fuzz_password_encoding = "utf-8" fuzz_settings = ["rounds", "salt_size", "ident"] + @property + def max_fuzz_time(self): + return float(os.environ.get("PASSLIB_TESTS_FUZZ_TIME") or 1) + def test_77_fuzz_input(self): """test random passwords and options""" if self.is_disabled_handler: @@ -1613,7 +1618,7 @@ class HandlerCase(TestCase): from passlib.utils import tick handler = self.handler disabled = self.is_disabled_handler - max_time = float(os.environ.get("PASSLIB_TESTS_FUZZ_TIME") or 1) + max_time = self.max_fuzz_time verifiers = self.get_fuzz_verifiers() def vname(v): return (v.__doc__ or v.__name__).splitlines()[0] @@ -1623,11 +1628,7 @@ class HandlerCase(TestCase): count = 0 while tick() <= stop: # generate random password & options - secret = self.get_fuzz_password() - other = self.mangle_fuzz_password(secret) - if rng.randint(0,1): - secret = secret.encode(self.fuzz_password_encoding) - other = other.encode(self.fuzz_password_encoding) + secret, other = self.get_fuzz_password_pair() kwds = self.get_fuzz_settings() ctx = dict((k,kwds[k]) for k in handler.context_kwds if k in kwds) @@ -1726,15 +1727,31 @@ class HandlerCase(TestCase): def get_fuzz_password(self): "generate random passwords (for fuzz testing)" + # occasionally try an empty password if rng.random() < .0001: return u('') - return getrandstr(rng, self.fuzz_password_alphabet, rng.randint(5,99)) + # otherwise alternate between large and small passwords. + if rng.random() < .5: + size = randintgauss(1, 50, 15, 15) + else: + size = randintgauss(50, 99, 70, 20) + return getrandstr(rng, self.fuzz_password_alphabet, size) def mangle_fuzz_password(self, secret): "mangle fuzz-testing password so it doesn't match" secret = secret.strip()[1:] return secret or self.get_fuzz_password() + def get_fuzz_password_pair(self): + "generate random password, and non-matching alternate password" + secret = self.get_fuzz_password() + other = self.mangle_fuzz_password(secret) + if rng.randint(0,1): + secret = secret.encode(self.fuzz_password_encoding) + if rng.randint(0,1): + other = other.encode(self.fuzz_password_encoding) + return secret, other + def get_fuzz_settings(self): "generate random settings (for fuzz testing)" kwds = {} @@ -1771,6 +1788,8 @@ class HandlerCase(TestCase): handler = self.handler if 'ident' in handler.setting_kwds and hasattr(handler, "ident_values"): if rng.random() < .5: + # resolve wrappers before reading values + handler = getattr(handler, "wrapped", handler) return rng.choice(handler.ident_values) #========================================================= |