path: root/passlib/tests/test_totp.py
Commit message [Author, Age, Files, Lines]
* python compat cleanup -- use magic super() calls [Eli Collins, 2020-10-06, 1, -1/+1]
|
* cleanup old python compat -- replaced "unicode" alias in favor of "str" [Eli Collins, 2020-10-06, 1, -2/+1]
|
* cleanup old python compat -- removed some sys.version_info refs [Eli Collins, 2020-10-06, 1, -16/+6]
|
* Merge from stable [Eli Collins, 2020-10-06, 1, -0/+2]
|\
| * passlib.tests: silence some warnings, fix some MissingBackendError messages [Eli Collins, 2020-10-03, 1, -0/+2]
| |   * tests now filter out some passlib deprecation warnings
| |   * bugfix: @doesnt_require_backend() decorator (rev XXX) now silences MissingBackendError exceptions thrown during HandlerCase.setUp()
| |   * simplified some monkeypatching within test_registry
* | Merge from stable [Eli Collins, 2019-11-10, 1, -3/+3]
|\ \
| |/
| * bugfix: passlib.totp: always prepend issuer to URIs (fixes issue 92) [Eli Collins, 2019-11-09, 1, -3/+3]
| |   For all prior releases of passlib, `TOTP().to_uri()` would only output an "issuer" parameter. Per the KeyURI spec, issuer should also be prepended to the label for backward compatibility.
* | compat cleanup: replaced all u("") instances with u"" [Eli Collins, 2017-02-17, 1, -8/+8]
|/
|   realized can do this now that we're requiring python3 >= 3.3. had to keep u() helper around for u(r"") instances, since py3 doesn't have ur"". but switched it to use ascii decoding for py2, to make sure things are clean.
* passlib.tests: silence some more scrypt backend warnings, [Eli Collins, 2017-01-30, 1, -3/+12]
|   fix max_time_t to catch yet another utcfromtimestamp() error.
* passlib.tests.test_totp: fixed max_time_t calculation to trap some errors [Eli Collins, 2017-01-22, 1, -9/+39]
|   it was erroneously letting through; also workaround for python 3.6 issue 29346.
* passlib.tests: large refactor to make all tests that depend on RNG behave [Eli Collins, 2016-11-21, 1, -18/+22]
|   in reproducible manner.
|   * added TestCase.getRandom() helper, which creates RNG initialized from ${RANDOM_TEST_SEED} or ${PYTHONHASHSEED} when possible, and logs the seed so that exact test can be reproduced in future.
|   * replaced all test references to 'passlib.utils.rng' or other random source with TestCase().getRandom() call.
|   * once remaining bit was all the hash fuzz tests. since these are called over multiple threads, would either have to pass around a per-thread RNG to every call, or refactor fuzz generator into separate class, so we could make a separate instance per thread. latter choice seemed generally cleaner anyways, so...
|   * Refactored fuzz generator methods into FuzzHashGeneator class.
|     - Uses separate RNG per thread, seeded from .getRandom() using thread name.
|     - removed class-scanning magic, now uses explicit lists of verifiers & parameter generation helpers.
* totp: TOTP.normalize_token() turned into hybrid method, made public; [Eli Collins, 2016-11-10, 1, -7/+26]
|   TOTP.normalize_time() turned into class method, made public.
* totp: added cache_seconds to TotpMatch repr, fixed py3 bug in UTs [Eli Collins, 2016-11-10, 1, -1/+1]
|
* totp: removed 'reuse' keyword from match(), no valid use-case [Eli Collins, 2016-11-10, 1, -10/+2]
|
* totp: fixed edge case where default issuer was being inserted into json string. [Eli Collins, 2016-11-09, 1, -0/+9]
|
* totp: simplified AppWallet secret resolution code [Eli Collins, 2016-11-09, 1, -4/+4]
|
* totp: consolidated key parsing code, clarified AppWallet behavior, [Eli Collins, 2016-11-09, 1, -2/+2]
|   * renamed AppWallet.can_encrypt -> AppWallet.has_secrets, no longer set to False if AES support is missing -- that way if app provides a secret, we either encrypt or throw error, rather than silently not encrypting.
|   * .to_dict()'s "encrypt" keyword now uses None as default, rather than special string "auto"
|   * hmac function now cached across multiple ._generate() calls, making ._find_match() a lot faster.
|   * .key now a property, so that setting it clears encrypt key & hmac cache
|   * factored out encrypted key code into .encrypted_key property.
* totp tests: merged old _BaseOTPTest class into primary TotpTest class. [Eli Collins, 2016-11-08, 1, -222/+151]
|
* totp: renamed TOTP.verify() to TOTP.match(); added new TOTP.verify() in its ↵ [Eli Collins, 2016-11-08, 1, -37/+73]
|   place.
|   * renamed TOTP.verify() to TOTP.match() -- this matches the TotpMatch class name a little better, and frees up TOTP.verify() for something new.
|   * added new TOTP.verify() which handles parsing TOTP config source, and calling TOTP.match(), in one go. Main purpose of this is that it has same signature (and roughly the same behavior) as PasswordHash.verify().
* totp: OTPContext no longer frontend, reduced down to merely holding [Eli Collins, 2016-11-08, 1, -135/+106]
|   the application secrets needing for encryption -- renamed to AppWallet()
|   * AppWallet class dedicated to just holding application secrets, rather than providing awkward frontend for TOTP construction. Intended method for invoking it is through TOTP.using(), which handles the details of construction.
|   * Renamed TOTP.context attr to TOTP.wallet
|   * Removed 'context' keyword from TOTP.from_source() etc, callers should now bind the wallet via TOTP.using().from_source().
|   * Made AppWallet.default_tag a public attr, renamed 'cost' attr to 'encrypt_cost'
|   * Removed the passlib.totp toplevel constructors (new, from_uri, from_json) -- can now do all that from TOTP class.
* totp: added TOTP.using() for constructing TOTP factories with custom ↵ [Eli Collins, 2016-11-08, 1, -19/+42]
|   configuration options (such as secrets) already bound to the class.
|   * added TOTP.using() helper
|   * removed 'now' keyword from TOTP() constructor, can now only be specified via TOTP.using() -- adjusted UTs accordingly
|   *
* bugfix: totp: TOTP.from_source() should return new object if contexts are ↵ [Eli Collins, 2016-11-08, 1, -0/+10]
|   different. otherwise get unexpected results when outputting encrypted objects.
* totp: added TOTP.from_source() frontend which detects serialization format, [Eli Collins, 2016-11-08, 1, -10/+192]
|   and added TOTP.from_dict() for explicitly deserializing from dict format.
* totp: in place of stateful TOTP methods, expanded the TotpMatch() object [Eli Collins, 2016-11-07, 1, -1/+10]
|   to provide .cache_seconds & .cache_time attributes to help applications decide how long the counter value should be cached.
* totp: stripped out the 'stateful' methods (TOTP.advance, TOTP.consume, and ↵ [Eli Collins, 2016-11-07, 1, -198/+18]
|   TOTP.last_counter). switching to purely stateless object, will update docs so that apps are instructed to persist verify()'s last_counter value independently.
* totp: no functional code changes, just combined the BaseOTP and TOTP classes, [Eli Collins, 2016-11-07, 1, -0/+3]
|   since there's no need for the subdivision.
* totp: stripping out HOTP support -- not generally used/useful in the real world [Eli Collins, 2016-11-07, 1, -684/+1]
|   to justify the contortions it requires in the shared BaseOTP api.
* totp: large cleanup of the API: removed skew prediction, tweaked structure [Eli Collins, 2016-10-03, 1, -263/+212]
|   of the verify() return types, other related changes.
|
|   This commit updates a bunch of the TOTP API, in an attempt to finalize it for release.
|
|   TOTP
|   ----
|   * The client clock-skew prediction code was stripped out from TOTP.consume() and elsewhere, along with the internal "history" attribute. This code wasn't going to be much use unless much better statistical analysis was added, so stripping out the non-functional code that was present. All that's left is the ability to pass an externally calculated 'skew' value into TOTP.verify() / .consume() (keyword previously named 'offset', which was deemed too ambiguous).
|   * TOTP.verify() / TotpMatch: Iterable signature changed from (matched_counter, estimated_skew) to (matched_counter, time). This reflects the underlying source data, eliminating the need to needlessly calculate derived values. It also aligns better with HotpMatch, and removes the 'skew' parameter (which has been stripped out).
|     '.counter_skipped' attribute was renamed to '.skipped'
|   * TOTP.verify() now handles token-reuse detection: Relocated code handling this from TOTP.consume(), renamed 'min_start' renamed to 'last_counter', and added 'reuse=False' keyword. This makes it easier to test & use independently, as well as making TOTP.consume() more of just a wrapper for .verify().
|   * TOTP.consume() now returns TotpMatch() object from .verify(), rather than just "True"; more consistent as just a wrapper for .verify()
|   * internal TOTP._time_to_counter() no longer passing input through normalize_time(), removing some redundant calls.
|
|   HOTP
|   ----
|   * HOTP.verify() / HotpMatch: Iterable content changed from (next_counter, skipped) to (matched_counter, expected_counter). This reflects the underlying source data, eliminating the need to needlessly calculate derived values. It also aligns better with TotpMatch.
|     '.counter_skipped' attribute was renamed to '.skipped'
|   * HTOP.verify(): now compares token against last counter value, so that it can raise a UsedTokenError() when appropriate.
|   * HOTP.consume() now returns HotpMatch() object from .verify(), rather than just "True"; more consistent as just a wrapper for .verify()
|
|   Other
|   -----
|   * OTPContext: stripped out support for XOR-based encryption scheme (only used during alpha development)
|   * HotpMatch, TotpToken, and TotpMatch now have custom reprs, to highlight that they aren't just tuples.
|
|   Tests
|   -----
|   * removed clock-skew prediction tests
|   * removed legacy XOR-based encryption tests
|   * consolidated some boilerplate arrays of tests into some helper methods. this includes .assertHotpMatch(), .assertTotpMatch(), .assertVerifyMatches(), .assertVerifyRaises()
|   * added tests for TOTP.verify()/.consume()'s "skew" and "reuse" parameters
|   * various updates to account for call signature changes above
* bugfix: test_totp: py3 compat fixes (forgot to mark some byte strings) [Eli Collins, 2016-07-17, 1, -4/+4]
|
* bugfix: test_totp: skip encryption tests when AES support not present [Eli Collins, 2016-07-15, 1, -8/+12]
|
* passlib.totp: large refactoring of API, added support for migration ↵ [Eli Collins, 2016-07-12, 1, -369/+513]
|   application secrets
|
|   This reworks a large portion of the totp module's API, to make it fit better with the needs of the applications it's been integrated into so far.
|
|   * Key encryption encapsulated in new OTPContext() class, which not only handles encryption of keys, but supports multiple application secrets, allowing migration to new secrets (whether periodic, or after a breach). This makes workflow of OTP object serialization *much* simpler.
|   * encryption format changed to use a simple dict, which gets embedded into overall json data; eliminates need for custom binary format.
|   * BaseOTP.generate_next() has been renamed to .advance(), to make it distinct from .generate(), and give better hinting that it modifies the internal state
|     BaseOTP.verify_next() has been renamed to .consume() for similar reasons.
|   * All .verify() and .verify_next() methods have been modified so they throw an InvalidTokenError if the token doesn't match, instead of returning False. This reduces the boilerplate needed to implement them, as code already had to catch ValueErrors for malformed tokens & reused tokens.
|     - the HotpMatch / TotpMatch objects were adjusted to account for fact that they're only used when token matches successfully.
|   * better exception hierarchy: added base TokenError, as well as subclasses for specific cases (MalformedTokenError, InvalidTokenError, UsedTokenError).
|   * renamed BaseOTP.dirty -> BaseOTP.changed
|   * BaseOTP now detects if encryption is old, and flags that re-encryption + re-serialization is needed.
|   * .from_string() / .to_string() renamed to .from_json() / .to_json() to disambiguate with .from_uri() / .to_uri(), which also returns a string.
* bugfix: test_totp: dynamically work out max value of host's time_t; [Eli Collins, 2016-06-26, 1, -1/+11]
|   prevents crash under e.g. py27/win32, where time_t is limited to 34 bits.
* bugfix: passlib.totp: add missing import to UTs; add 'cryptography' package ↵ [Eli Collins, 2016-06-10, 1, -0/+1]
|   to tox.ini
* passlib.tests.test_totp: use proper timing tool for runtime measurement, [Eli Collins, 2016-06-10, 1, -9/+6]
|   prevents some spurious test failures when under erratic system load
* passlib.totp: converted encrypt_key() helper to use AES-CTR via ↵ [Eli Collins, 2016-06-10, 1, -20/+46]
|   'cryptography' package
* relocated many of the crypto routes inside passlib.utils, [Eli Collins, 2016-02-10, 1, -15/+8]
|   and moved them to a separate passlib.crypto subpackage. along with this move, made a few api cleanups:
|   * unified all code that's looking up hashes to use new passlib.crypto.lookup_hash() wrapper, which takes care of hash name normalization, loading fallback implementations, and alg metadata inspection, all hidden behind a memoized function.
|   * deprecated pbkdf2() in favor of pbkdf2_hmac() -- only real use, and new signature matches stdlib function. additionally, this version is a bit faster, due to some assumptions that can be made due to the PRF always being HMAC based.
|   * added compile_hmac() helper which does an even more efficient job of pre-compiling a keyed HMAC function; this helped speed up pbkdf2 a bit more.
* misc test bugfixes [Eli Collins, 2015-07-26, 1, -3/+15]
|   * test_handlers: fix py3 u() compat issue
|   * test_totp: clean norm_hash_name() caches so warnings repeat per-test, added/fixed some warnings checks.
|   * HandlerCase: HasRounds.using() test: hack so bsdi_crypt can pass (the 'odd rounds only' was playing havoc w/ the test's expectations)
|   * HandlerCase: effective_rounds() / effective_ident() helpers now unwrap PrefixWrappers first; wrappers aren't callable like classes.
|   * HandlerCase: HasRounds.using() test: don't check min_rounds-1 if min_rounds is 0.
|   * HandlerCase: multithreaded fuzz test -- detect & log errors if stalled thread, rather than main thread stalling forever. reduced thread count down to 10.
|   * reset_warning_filter() context manager -- simplified __exit__() cleanup code
* passlib.totp: py26 compat fix: patch urlparse to recognize otpauth scheme [Eli Collins, 2015-07-23, 1, -1/+1]
|   as using query params.
* test_totp: base64.b16decode() error type has different cross-version behavior [Eli Collins, 2015-01-25, 1, -9/+12]
|   from base64.b32decode(). gah!
* relaxed time limit on totp test for slow jenkins server :) [Eli Collins, 2015-01-25, 1, -1/+1]
|
* bugfix: test_totp: binascii.Error() new in py33, py32 still has py2x behavior [Eli Collins, 2015-01-25, 1, -1/+1]
|
* totp: changed DEFAULT_OFFSET to 0. [Eli Collins, 2015-01-10, 1, -2/+4]
|   would like to keep it at more accurate real-world value, but it fouls up the verify_next() testing under certain conditions
|
|   for example:
|       key='TTZV5K3V536R6Q4ICERGI3CNRHIXVD3RVZ264HIDMBGASIPEXT3Q'
|       alg='sha256'
|       period=25
|       time=121360270503.61707
|       token=u'932169'
|       test_time=time-period
|       verify_next(token, window=period) should be true, returns false.
* removed a LOT of compatibility shims -- dropped python 2.5, 3.0, and 3.1 ↵ [Eli Collins, 2015-01-10, 1, -1/+1]
|   support; as well as PyPy 1.x and Jython 2.5.
|
|   shims removed
|   -------------
|   * b() shim replaced with b'' (py25)
|   * 'bytes' alias no longer needed (py25)
|   * callable() shim no longer needed (py30,31)
|   * PY_MIN_32 flag replaced with PY3 flag (py30,31)
|   * removed 'abc' module stub used by passlib.ifc (py25)
|   * removed chain_from_iterable() backport (py25)
|   * tests: removed catch_warnings() backport, replaced refs with real warnings.catch_warnings() (py25)
|   * tests: removed unittest2 backports (py25, py30, py31) -- now throw hard error if unittest2 not present under py26 (the only release remaining which lacks the unittest2 features)
|   * removed SUPPORTS_DIR_METHOD conditional (py25, pypy 1.x)
|   * some other minor workarounds
|
|   other
|   -----
|   * added check in passlib.compat which now throws error telling user version isn't supported (to prevent spurious errors later)
* TOTP implementation mostly finalize [Eli Collins, 2015-01-09, 1, -10/+2075]
|   TOTP module reworked drastically. Should have committed this a long time ago.
|
|   Now have what is (hopefully) the final API for the TOTP module.
|   * Supports TOTP & HOTP
|   * Supports URI rendering & parsing
|   * Highlevel methods to handle state management, client clock skew estimation, etc.
|   * Unittests mostly complete (a few edge cases)
|   * Persistent serialization supports encrypting secrets with a password, to mitigate exposure of storage medium.
|   * Basic API documentation.
|
|   Should be suitable for following use-cases:
|   * lowlevel methods for implementing HOTP/TOTP on server
|   * highlevel methods for implementing HOTP/TOTP on server, and letting them handle details of tracking client state.
|   * methods for implementing an HOTP / TOTP client.
* added passlib.totp -- TOTP (google authenticator) support. [Eli Collins, 2013-05-07, 1, -0/+33]
    module contains lowlevel functionality, but needs a bunch of other bits before it's ready for release