kallithea Changeset - caaf0d07c168

Changeset - caaf0d07c168

Parent rev.

Child rev.

[Not reviewed]

default

0 4 0

Mads Kiilerich - 10 years ago 2015-07-31 15:44:07
madski@unity3d.com

auth: make ValidPasswordsMatch more explicit and strict about which fields are being checked

4 files changed with 14 insertions and 12 deletions:

kallithea/model/forms.py

kallithea/model/validators.py

kallithea/tests/functional/test_login.py

kallithea/tests/other/test_validators.py

0 comments (0 inline, 0 general)

kallithea/model/forms.py

➞

Show inline comments

@@ @@ -57,191 +57,195 @@ class LoginForm(formencode.Schema): @@
            'empty': _('Please enter a login'),
            'tooShort': _('Enter a value %(min)i characters long or more')}
+    )
     password = v.UnicodeString(
         strip=False,
         min=3,
         not_empty=True,
         messages={
             'empty': _('Please enter a password'),
             'tooShort': _('Enter %(min)i characters or more')}
+    )
     remember = v.StringBoolean(if_missing=False)
     chained_validators = [v.ValidAuth()]
 def PasswordChangeForm(username):
     class _PasswordChangeForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = True
         current_password = v.ValidOldPassword(username)(not_empty=True)
         new_password = All(v.ValidPassword(), v.UnicodeString(strip=False, min=6))
         new_password_confirmation = All(v.ValidPassword(), v.UnicodeString(strip=False, min=6))
         chained_validators = [v.ValidPasswordsMatch('new_password',
                                                     'new_password_confirmation')]
     return _PasswordChangeForm
 def UserForm(edit=False, old_data={}):
     class _UserForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = True
         username = All(v.UnicodeString(strip=True, min=1, not_empty=True),
                        v.ValidUsername(edit, old_data))
         if edit:
             new_password = All(
                 v.ValidPassword(),
                 v.UnicodeString(strip=False, min=6, not_empty=False)
+            )
             password_confirmation = All(
                 v.ValidPassword(),
                 v.UnicodeString(strip=False, min=6, not_empty=False),
+            )
             admin = v.StringBoolean(if_missing=False)
             chained_validators = [v.ValidPasswordsMatch('new_password',
                                                         'password_confirmation')]
         else:
             password = All(
                 v.ValidPassword(),
                 v.UnicodeString(strip=False, min=6, not_empty=True)
+            )
             password_confirmation = All(
                 v.ValidPassword(),
                 v.UnicodeString(strip=False, min=6, not_empty=False)
+            )
             chained_validators = [v.ValidPasswordsMatch('password',
                                                         'password_confirmation')]
         active = v.StringBoolean(if_missing=False)
         firstname = v.UnicodeString(strip=True, min=1, not_empty=False)
         lastname = v.UnicodeString(strip=True, min=1, not_empty=False)
         email = All(v.Email(not_empty=True), v.UniqSystemEmail(old_data))
         extern_name = v.UnicodeString(strip=True)
         extern_type = v.UnicodeString(strip=True)
         chained_validators = [v.ValidPasswordsMatch()]
     return _UserForm
 def UserGroupForm(edit=False, old_data={}, available_members=[]):
     class _UserGroupForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = True
         users_group_name = All(
             v.UnicodeString(strip=True, min=1, not_empty=True),
             v.ValidUserGroup(edit, old_data)
+        )
         user_group_description = v.UnicodeString(strip=True, min=1,
                                                  not_empty=False)
         users_group_active = v.StringBoolean(if_missing=False)
         if edit:
             users_group_members = v.OneOf(
                 available_members, hideList=False, testValueList=True,
                 if_missing=None, not_empty=False
+            )
     return _UserGroupForm
 def RepoGroupForm(edit=False, old_data={}, repo_groups=[],
                    can_create_in_root=False):
     repo_group_ids = [rg[0] for rg in repo_groups]
     class _RepoGroupForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = False
         group_name = All(v.UnicodeString(strip=True, min=1, not_empty=True),
                          v.SlugifyName(),
                          v.ValidRegex(msg=_('Name must not contain only digits'))(r'(?!^\d+$)^.+$'))
         group_description = v.UnicodeString(strip=True, min=1,
                                             not_empty=False)
         group_copy_permissions = v.StringBoolean(if_missing=False)
         if edit:
             #FIXME: do a special check that we cannot move a group to one of
             #its children
             pass
         group_parent_id = All(v.CanCreateGroup(can_create_in_root),
                               v.OneOf(repo_group_ids, hideList=False,
                                       testValueList=True,
                                       if_missing=None, not_empty=True),
                               v.Int(min=-1, not_empty=True))
         enable_locking = v.StringBoolean(if_missing=False)
         chained_validators = [v.ValidRepoGroup(edit, old_data)]
     return _RepoGroupForm
 def RegisterForm(edit=False, old_data={}):
     class _RegisterForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = True
         username = All(
             v.ValidUsername(edit, old_data),
             v.UnicodeString(strip=True, min=1, not_empty=True)
+        )
         password = All(
             v.ValidPassword(),
             v.UnicodeString(strip=False, min=6, not_empty=True)
+        )
         password_confirmation = All(
             v.ValidPassword(),
             v.UnicodeString(strip=False, min=6, not_empty=True)
+        )
         active = v.StringBoolean(if_missing=False)
         firstname = v.UnicodeString(strip=True, min=1, not_empty=False)
         lastname = v.UnicodeString(strip=True, min=1, not_empty=False)
         email = All(v.Email(not_empty=True), v.UniqSystemEmail(old_data))
         chained_validators = [v.ValidPasswordsMatch()]
         chained_validators = [v.ValidPasswordsMatch('password',
                                                     'password_confirmation')]
     return _RegisterForm
 def PasswordResetForm():
     class _PasswordResetForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = True
         email = v.Email(not_empty=True)
     return _PasswordResetForm
 def RepoForm(edit=False, old_data={}, supported_backends=BACKENDS.keys(),
              repo_groups=[], landing_revs=[]):
     repo_group_ids = [rg[0] for rg in repo_groups]
     class _RepoForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = False
         repo_name = All(v.UnicodeString(strip=True, min=1, not_empty=True),
                         v.SlugifyName())
         repo_group = All(v.CanWriteGroup(old_data),
                          v.OneOf(repo_group_ids, hideList=True),
                          v.Int(min=-1, not_empty=True))
         repo_type = v.OneOf(supported_backends, required=False,
                             if_missing=old_data.get('repo_type'))
         repo_description = v.UnicodeString(strip=True, min=1, not_empty=False)
         repo_private = v.StringBoolean(if_missing=False)
         repo_landing_rev = v.OneOf(landing_revs, hideList=True)
         repo_copy_permissions = v.StringBoolean(if_missing=False)
         clone_uri = All(v.UnicodeString(strip=True, min=1, not_empty=False))
         repo_enable_statistics = v.StringBoolean(if_missing=False)
         repo_enable_downloads = v.StringBoolean(if_missing=False)
         repo_enable_locking = v.StringBoolean(if_missing=False)
         if edit:
             #this is repo owner
             user = All(v.UnicodeString(not_empty=True), v.ValidRepoUser())
             # Not a real field - just for reference for validation:
             # clone_uri_hidden = v.UnicodeString(if_missing='')
         chained_validators = [v.ValidCloneUri(),
                               v.ValidRepoName(edit, old_data)]
     return _RepoForm
 def RepoPermsForm():
     class _RepoPermsForm(formencode.Schema):

kallithea/model/validators.py

➞

Show inline comments

@@ @@ -235,109 +235,107 @@ def ValidRepoGroup(edit=False, old_data= @@
+                    )
                 # check for same repo
                 repo = Repository.query()\
                       .filter(Repository.repo_name == slug)\
                       .scalar()
                 if repo is not None:
                     msg = M(self, 'repo_exists', state, group_name=slug)
                     raise formencode.Invalid(msg, value, state,
                             error_dict=dict(group_name=msg)
+                    )
     return _validator
 def ValidPassword():
     class _validator(formencode.validators.FancyValidator):
         messages = {
             'invalid_password':
                 _('Invalid characters (non-ascii) in password')
+        }
         def validate_python(self, value, state):
             try:
                 (value or '').decode('ascii')
             except UnicodeError:
                 msg = M(self, 'invalid_password', state)
                 raise formencode.Invalid(msg, value, state,)
     return _validator
 def ValidOldPassword(username):
     class _validator(formencode.validators.FancyValidator):
         messages = {
             'invalid_password': _('Invalid old password')
+        }
         def validate_python(self, value, state):
             from kallithea.lib import auth_modules
             if not auth_modules.authenticate(username, value, ''):
                 msg = M(self, 'invalid_password', state)
                 raise formencode.Invalid(msg, value, state,
                     error_dict=dict(current_password=msg)
+                )
     return _validator
-def ValidPasswordsMatch(passwd='new_password', passwd_confirmation='password_confirmation'):
+def ValidPasswordsMatch(password_field, password_confirmation_field):
     class _validator(formencode.validators.FancyValidator):
         messages = {
             'password_mismatch': _('Passwords do not match'),
+        }
         def validate_python(self, value, state):
             pass_val = value.get('password') or value.get(passwd)
             if pass_val != value[passwd_confirmation]:
             if value.get(password_field) != value[password_confirmation_field]:
                 msg = M(self, 'password_mismatch', state)
                 raise formencode.Invalid(msg, value, state,
-                     error_dict={passwd:msg, passwd_confirmation: msg}
+                     error_dict={password_field:msg, password_confirmation_field: msg}
+                )
     return _validator
 def ValidAuth():
     class _validator(formencode.validators.FancyValidator):
         messages = {
             'invalid_password': _('Invalid password'),
             'invalid_username': _('Invalid username'),
             'disabled_account': _('Account has been disabled')
+        }
         def validate_python(self, value, state):
             from kallithea.lib import auth_modules
             password = value['password']
             username = value['username']
             if not auth_modules.authenticate(username, password):
                 user = User.get_by_username(username)
                 if user and not user.active:
                     log.warning('user %s is disabled' % username)
                     msg = M(self, 'disabled_account', state)
                     raise formencode.Invalid(msg, value, state,
                         error_dict=dict(username=msg)
+                    )
                 else:
                     log.warning('user %s failed to authenticate' % username)
                     msg = M(self, 'invalid_username', state)
                     msg2 = M(self, 'invalid_password', state)
                     raise formencode.Invalid(msg, value, state,
                         error_dict=dict(username=msg, password=msg2)
+                    )
     return _validator
 def ValidAuthToken():
     class _validator(formencode.validators.FancyValidator):
         messages = {
             'invalid_token': _('Token mismatch')
+        }
         def validate_python(self, value, state):
             if value != authentication_token():
                 msg = M(self, 'invalid_token', state)
                 raise formencode.Invalid(msg, value, state)
     return _validator

kallithea/tests/functional/test_login.py

➞

Show inline comments

@@ @@ -253,97 +253,97 @@ class TestLoginController(TestController @@
                                             {'username': 'error user',
                                              'password': 'test12',
                                              'password_confirmation': 'test12',
                                              'email': 'goodmailm',
                                              'firstname': 'test',
                                              'lastname': 'test'})
         response.mustcontain('An email address must contain a single @')
         response.mustcontain('Username may only contain '
                 'alphanumeric characters underscores, '
                 'periods or dashes and must begin with an '
                 'alphanumeric character')
     def test_register_err_case_sensitive(self):
         usr = TEST_USER_ADMIN_LOGIN.title()
         response = self.app.post(url(controller='login', action='register'),
                                             {'username': usr,
                                              'password': 'test12',
                                              'password_confirmation': 'test12',
                                              'email': 'goodmailm',
                                              'firstname': 'test',
                                              'lastname': 'test'})
         response.mustcontain('An email address must contain a single @')
         msg = validators.ValidUsername()._messages['username_exists']
         msg = h.html_escape(msg % {'username': usr})
         response.mustcontain(msg)
     def test_register_special_chars(self):
         response = self.app.post(url(controller='login', action='register'),
                                         {'username': 'xxxaxn',
                                          'password': 'ąćźżąśśśś',
                                          'password_confirmation': 'ąćźżąśśśś',
                                          'email': 'goodmailm@test.plx',
                                          'firstname': 'test',
                                          'lastname': 'test'})
         msg = validators.ValidPassword()._messages['invalid_password']
         response.mustcontain(msg)
     def test_register_password_mismatch(self):
         response = self.app.post(url(controller='login', action='register'),
                                             {'username': 'xs',
                                              'password': '123qwe',
                                              'password_confirmation': 'qwe123',
                                              'email': 'goodmailm@test.plxa',
                                              'firstname': 'test',
                                              'lastname': 'test'})
         msg = validators.ValidPasswordsMatch()._messages['password_mismatch']
+        msg = validators.ValidPasswordsMatch('password', 'password_confirmation')._messages['password_mismatch']
         response.mustcontain(msg)
     def test_register_ok(self):
         username = 'test_regular4'
         password = 'qweqwe'
         email = 'username@test.com'
         name = 'testname'
         lastname = 'testlastname'
         response = self.app.post(url(controller='login', action='register'),
                                             {'username': username,
                                              'password': password,
                                              'password_confirmation': password,
                                              'email': email,
                                              'firstname': name,
                                              'lastname': lastname,
                                              'admin': True})  # This should be overriden
         self.assertEqual(response.status, '302 Found')
         self.checkSessionFlash(response, 'You have successfully registered into Kallithea')
         ret = Session().query(User).filter(User.username == 'test_regular4').one()
         self.assertEqual(ret.username, username)
         self.assertEqual(check_password(password, ret.password), True)
         self.assertEqual(ret.email, email)
         self.assertEqual(ret.name, name)
         self.assertEqual(ret.lastname, lastname)
         self.assertNotEqual(ret.api_key, None)
         self.assertEqual(ret.admin, False)
     def test_forgot_password_wrong_mail(self):
         bad_email = 'username%wrongmail.org'
         response = self.app.post(
                         url(controller='login', action='password_reset'),
                             {'email': bad_email, }
+        )
         response.mustcontain('An email address must contain a single @')
     def test_forgot_password(self):
         response = self.app.get(url(controller='login',
                                     action='password_reset'))
         self.assertEqual(response.status, '200 OK')
         username = 'test_password_reset_1'
         password = 'qweqwe'
         email = 'username@python-works.com'
         name = 'passwd'
         lastname = 'reset'

kallithea/tests/other/test_validators.py

➞

Show inline comments

@@ @@ -55,113 +55,113 @@ class TestRepoGroups(BaseTestCase): @@
         validator = v.ValidUserGroup()
         self.assertRaises(formencode.Invalid, validator.to_python, 'default')
         self.assertRaises(formencode.Invalid, validator.to_python, '.,')
         gr = fixture.create_user_group('test')
         gr2 = fixture.create_user_group('tes2')
         Session().commit()
         self.assertRaises(formencode.Invalid, validator.to_python, 'test')
         assert gr.users_group_id is not None
         validator = v.ValidUserGroup(edit=True,
                                     old_data={'users_group_id':
                                               gr2.users_group_id})
         self.assertRaises(formencode.Invalid, validator.to_python, 'test')
         self.assertRaises(formencode.Invalid, validator.to_python, 'TesT')
         self.assertRaises(formencode.Invalid, validator.to_python, 'TEST')
         UserGroupModel().delete(gr)
         UserGroupModel().delete(gr2)
         Session().commit()
     def test_ValidRepoGroup(self):
         validator = v.ValidRepoGroup()
         model = RepoGroupModel()
         self.assertRaises(formencode.Invalid, validator.to_python,
                           {'group_name': HG_REPO, })
         gr = model.create(group_name='test_gr', group_description='desc',
                           parent=None,
                           just_db=True,
                           owner=TEST_USER_ADMIN_LOGIN)
         self.assertRaises(formencode.Invalid,
                           validator.to_python, {'group_name': gr.group_name, })
         validator = v.ValidRepoGroup(edit=True,
                                       old_data={'group_id':  gr.group_id})
         self.assertRaises(formencode.Invalid,
                           validator.to_python, {
                                         'group_name': gr.group_name + 'n',
                                         'group_parent_id': gr.group_id
                                         })
         model.delete(gr)
     def test_ValidPassword(self):
         validator = v.ValidPassword()
         self.assertEqual('lol', validator.to_python('lol'))
         self.assertEqual(None, validator.to_python(None))
         self.assertRaises(formencode.Invalid, validator.to_python, 'ąćżź')
     def test_ValidPasswordsMatch(self):
         validator = v.ValidPasswordsMatch()
+        validator = v.ValidPasswordsMatch('new_password', 'password_confirmation')
         self.assertRaises(formencode.Invalid,
-                    validator.to_python, {'password': 'pass',
+                    validator.to_python, {'new_password': 'pass',
                                           'password_confirmation': 'pass2'})
         self.assertRaises(formencode.Invalid,
                     validator.to_python, {'new_password': 'pass',
                                           'password_confirmation': 'pass2'})
         self.assertEqual({'new_password': 'pass',
                           'password_confirmation': 'pass'},
                     validator.to_python({'new_password': 'pass',
                                          'password_confirmation': 'pass'}))
-        self.assertEqual({'password': 'pass',
+        self.assertEqual({'new_password': 'pass',
                           'password_confirmation': 'pass'},
-                    validator.to_python({'password': 'pass',
+                    validator.to_python({'new_password': 'pass',
                                          'password_confirmation': 'pass'}))
     def test_ValidAuth(self):
         validator = v.ValidAuth()
         valid_creds = {
             'username': TEST_USER_REGULAR2_LOGIN,
             'password': TEST_USER_REGULAR2_PASS,
+        }
         invalid_creds = {
             'username': 'err',
             'password': 'err',
+        }
         self.assertEqual(valid_creds, validator.to_python(valid_creds))
         self.assertRaises(formencode.Invalid,
                           validator.to_python, invalid_creds)
     def test_ValidAuthToken(self):
         validator = v.ValidAuthToken()
         # this is untestable without a threadlocal
 #        self.assertRaises(formencode.Invalid,
 #                          validator.to_python, 'BadToken')
         validator
     def test_ValidRepoName(self):
         validator = v.ValidRepoName()
         self.assertRaises(formencode.Invalid,
                           validator.to_python, {'repo_name': ''})
         self.assertRaises(formencode.Invalid,
                           validator.to_python, {'repo_name': HG_REPO})
         gr = RepoGroupModel().create(group_name='group_test',
                                       group_description='desc',
                                       parent=None,
                                       owner=TEST_USER_ADMIN_LOGIN)
         self.assertRaises(formencode.Invalid,
                           validator.to_python, {'repo_name': gr.group_name})
         #TODO: write an error case for that ie. create a repo withinh a group
 #        self.assertRaises(formencode.Invalid,
 #                          validator.to_python, {'repo_name': 'some',
 #                                                'repo_group': gr.group_id})
     def test_ValidForkName(self):
         # this uses ValidRepoName validator
         assert True

0 comments (0 inline, 0 general)