2017-01-19 17:16:04 +00:00
|
|
|
from unittest import mock, skipUnless
|
2013-07-01 12:22:27 +00:00
|
|
|
|
2014-11-18 20:45:12 +00:00
|
|
|
from django.conf.global_settings import PASSWORD_HASHERS
|
2015-01-28 12:35:27 +00:00
|
|
|
from django.contrib.auth.hashers import (
|
|
|
|
UNUSABLE_PASSWORD_PREFIX,
|
|
|
|
UNUSABLE_PASSWORD_SUFFIX_LENGTH,
|
2021-01-14 06:11:19 +00:00
|
|
|
BasePasswordHasher,
|
|
|
|
BCryptPasswordHasher,
|
|
|
|
BCryptSHA256PasswordHasher,
|
2021-07-22 07:42:07 +00:00
|
|
|
MD5PasswordHasher,
|
|
|
|
PBKDF2PasswordHasher,
|
|
|
|
PBKDF2SHA1PasswordHasher,
|
2020-12-27 02:54:47 +00:00
|
|
|
ScryptPasswordHasher,
|
2023-05-14 16:12:22 +00:00
|
|
|
acheck_password,
|
2020-12-27 02:54:47 +00:00
|
|
|
check_password,
|
|
|
|
get_hasher,
|
|
|
|
identify_hasher,
|
|
|
|
is_password_usable,
|
|
|
|
make_password,
|
2015-01-28 12:35:27 +00:00
|
|
|
)
|
2022-05-11 07:13:45 +00:00
|
|
|
from django.test import SimpleTestCase, ignore_warnings
|
2014-11-18 20:45:12 +00:00
|
|
|
from django.test.utils import override_settings
|
2023-01-13 08:09:58 +00:00
|
|
|
from django.utils.deprecation import RemovedInDjango51Warning
|
2011-12-23 03:53:56 +00:00
|
|
|
|
|
|
|
try:
|
|
|
|
import bcrypt
|
|
|
|
except ImportError:
|
|
|
|
bcrypt = None
|
|
|
|
|
2015-12-26 12:14:07 +00:00
|
|
|
try:
|
|
|
|
import argon2
|
|
|
|
except ImportError:
|
|
|
|
argon2 = None
|
|
|
|
|
2022-10-21 01:50:48 +00:00
|
|
|
# scrypt requires OpenSSL 1.1+
|
|
|
|
try:
|
|
|
|
import hashlib
|
|
|
|
|
|
|
|
scrypt = hashlib.scrypt
|
|
|
|
except ImportError:
|
|
|
|
scrypt = None
|
|
|
|
|
2011-12-23 03:53:56 +00:00
|
|
|
|
2013-11-30 01:49:56 +00:00
|
|
|
class PBKDF2SingleIterationHasher(PBKDF2PasswordHasher):
|
|
|
|
iterations = 1
|
|
|
|
|
|
|
|
|
2014-11-18 20:45:12 +00:00
|
|
|
@override_settings(PASSWORD_HASHERS=PASSWORD_HASHERS)
|
2013-11-30 01:49:56 +00:00
|
|
|
class TestUtilsHashPass(SimpleTestCase):
|
2011-12-23 03:53:56 +00:00
|
|
|
def test_simple(self):
|
2012-12-22 15:00:15 +00:00
|
|
|
encoded = make_password("lètmein")
|
2011-12-23 03:53:56 +00:00
|
|
|
self.assertTrue(encoded.startswith("pbkdf2_sha256$"))
|
|
|
|
self.assertTrue(is_password_usable(encoded))
|
2012-12-22 15:00:15 +00:00
|
|
|
self.assertTrue(check_password("lètmein", encoded))
|
|
|
|
self.assertFalse(check_password("lètmeinz", encoded))
|
2013-06-17 16:06:26 +00:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password("")
|
|
|
|
self.assertTrue(blank_encoded.startswith("pbkdf2_sha256$"))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password("", blank_encoded))
|
|
|
|
self.assertFalse(check_password(" ", blank_encoded))
|
2011-12-23 03:53:56 +00:00
|
|
|
|
2023-05-14 16:12:22 +00:00
|
|
|
async def test_acheck_password(self):
|
|
|
|
encoded = make_password("lètmein")
|
|
|
|
self.assertIs(await acheck_password("lètmein", encoded), True)
|
|
|
|
self.assertIs(await acheck_password("lètmeinz", encoded), False)
|
|
|
|
# Blank passwords.
|
|
|
|
blank_encoded = make_password("")
|
|
|
|
self.assertIs(await acheck_password("", blank_encoded), True)
|
|
|
|
self.assertIs(await acheck_password(" ", blank_encoded), False)
|
|
|
|
|
2020-03-26 12:19:11 +00:00
|
|
|
def test_bytes(self):
|
|
|
|
encoded = make_password(b"bytes_password")
|
|
|
|
self.assertTrue(encoded.startswith("pbkdf2_sha256$"))
|
|
|
|
self.assertIs(is_password_usable(encoded), True)
|
|
|
|
self.assertIs(check_password(b"bytes_password", encoded), True)
|
|
|
|
|
2020-03-26 12:23:32 +00:00
|
|
|
def test_invalid_password(self):
|
|
|
|
msg = "Password must be a string or bytes, got int."
|
|
|
|
with self.assertRaisesMessage(TypeError, msg):
|
|
|
|
make_password(1)
|
|
|
|
|
2015-09-20 00:44:37 +00:00
|
|
|
def test_pbkdf2(self):
|
2012-12-22 15:00:15 +00:00
|
|
|
encoded = make_password("lètmein", "seasalt", "pbkdf2_sha256")
|
2021-09-16 08:04:59 +00:00
|
|
|
self.assertEqual(
|
|
|
|
encoded,
|
2023-02-04 12:37:44 +00:00
|
|
|
"pbkdf2_sha256$720000$seasalt$eDupbcisD1UuIiou3hMuMu8oe/XwnpDw45r6AA5iv0E=",
|
2021-09-16 08:04:59 +00:00
|
|
|
)
|
2011-12-23 03:53:56 +00:00
|
|
|
self.assertTrue(is_password_usable(encoded))
|
2012-12-22 15:00:15 +00:00
|
|
|
self.assertTrue(check_password("lètmein", encoded))
|
|
|
|
self.assertFalse(check_password("lètmeinz", encoded))
|
2012-06-06 09:06:33 +00:00
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "pbkdf2_sha256")
|
2013-06-17 16:06:26 +00:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password("", "seasalt", "pbkdf2_sha256")
|
|
|
|
self.assertTrue(blank_encoded.startswith("pbkdf2_sha256$"))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password("", blank_encoded))
|
|
|
|
self.assertFalse(check_password(" ", blank_encoded))
|
2020-06-25 02:28:07 +00:00
|
|
|
# Salt entropy check.
|
|
|
|
hasher = get_hasher("pbkdf2_sha256")
|
|
|
|
encoded_weak_salt = make_password("lètmein", "iodizedsalt", "pbkdf2_sha256")
|
|
|
|
encoded_strong_salt = make_password("lètmein", hasher.salt(), "pbkdf2_sha256")
|
|
|
|
self.assertIs(hasher.must_update(encoded_weak_salt), True)
|
|
|
|
self.assertIs(hasher.must_update(encoded_strong_salt), False)
|
2011-12-23 03:53:56 +00:00
|
|
|
|
2022-07-23 10:45:24 +00:00
|
|
|
@ignore_warnings(category=RemovedInDjango51Warning)
|
2016-02-08 19:22:38 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=["django.contrib.auth.hashers.SHA1PasswordHasher"]
|
|
|
|
)
|
2011-12-23 03:53:56 +00:00
|
|
|
def test_sha1(self):
|
2012-12-22 15:00:15 +00:00
|
|
|
encoded = make_password("lètmein", "seasalt", "sha1")
|
2016-04-08 02:04:45 +00:00
|
|
|
self.assertEqual(
|
|
|
|
encoded, "sha1$seasalt$cff36ea83f5706ce9aa7454e63e431fc726b2dc8"
|
|
|
|
)
|
2011-12-23 03:53:56 +00:00
|
|
|
self.assertTrue(is_password_usable(encoded))
|
2012-12-22 15:00:15 +00:00
|
|
|
self.assertTrue(check_password("lètmein", encoded))
|
|
|
|
self.assertFalse(check_password("lètmeinz", encoded))
|
2012-06-06 09:06:33 +00:00
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "sha1")
|
2013-06-17 16:06:26 +00:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password("", "seasalt", "sha1")
|
|
|
|
self.assertTrue(blank_encoded.startswith("sha1$"))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password("", blank_encoded))
|
|
|
|
self.assertFalse(check_password(" ", blank_encoded))
|
2020-06-25 02:28:07 +00:00
|
|
|
# Salt entropy check.
|
|
|
|
hasher = get_hasher("sha1")
|
|
|
|
encoded_weak_salt = make_password("lètmein", "iodizedsalt", "sha1")
|
|
|
|
encoded_strong_salt = make_password("lètmein", hasher.salt(), "sha1")
|
|
|
|
self.assertIs(hasher.must_update(encoded_weak_salt), True)
|
|
|
|
self.assertIs(hasher.must_update(encoded_strong_salt), False)
|
2011-12-23 03:53:56 +00:00
|
|
|
|
2022-07-23 10:45:24 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=["django.contrib.auth.hashers.SHA1PasswordHasher"]
|
|
|
|
)
|
|
|
|
def test_sha1_deprecation_warning(self):
|
|
|
|
msg = "django.contrib.auth.hashers.SHA1PasswordHasher is deprecated."
|
|
|
|
with self.assertRaisesMessage(RemovedInDjango51Warning, msg):
|
|
|
|
get_hasher("sha1")
|
|
|
|
|
2016-02-08 19:22:38 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=["django.contrib.auth.hashers.MD5PasswordHasher"]
|
|
|
|
)
|
2011-12-23 03:53:56 +00:00
|
|
|
def test_md5(self):
|
2012-12-22 15:00:15 +00:00
|
|
|
encoded = make_password("lètmein", "seasalt", "md5")
|
2016-04-08 02:04:45 +00:00
|
|
|
self.assertEqual(encoded, "md5$seasalt$3f86d0d3d465b7b458c231bf3555c0e3")
|
2012-02-29 20:12:16 +00:00
|
|
|
self.assertTrue(is_password_usable(encoded))
|
2012-12-22 15:00:15 +00:00
|
|
|
self.assertTrue(check_password("lètmein", encoded))
|
|
|
|
self.assertFalse(check_password("lètmeinz", encoded))
|
2012-06-06 09:06:33 +00:00
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "md5")
|
2013-06-17 16:06:26 +00:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password("", "seasalt", "md5")
|
|
|
|
self.assertTrue(blank_encoded.startswith("md5$"))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password("", blank_encoded))
|
|
|
|
self.assertFalse(check_password(" ", blank_encoded))
|
2020-06-25 02:28:07 +00:00
|
|
|
# Salt entropy check.
|
|
|
|
hasher = get_hasher("md5")
|
|
|
|
encoded_weak_salt = make_password("lètmein", "iodizedsalt", "md5")
|
|
|
|
encoded_strong_salt = make_password("lètmein", hasher.salt(), "md5")
|
|
|
|
self.assertIs(hasher.must_update(encoded_weak_salt), True)
|
|
|
|
self.assertIs(hasher.must_update(encoded_strong_salt), False)
|
2012-02-29 20:12:16 +00:00
|
|
|
|
2022-07-23 10:45:24 +00:00
|
|
|
@ignore_warnings(category=RemovedInDjango51Warning)
|
2016-02-08 19:22:38 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=["django.contrib.auth.hashers.UnsaltedMD5PasswordHasher"]
|
|
|
|
)
|
2012-02-29 20:12:16 +00:00
|
|
|
def test_unsalted_md5(self):
|
2013-02-25 19:01:57 +00:00
|
|
|
encoded = make_password("lètmein", "", "unsalted_md5")
|
2012-12-22 15:00:15 +00:00
|
|
|
self.assertEqual(encoded, "88a434c88cca4e900f7874cd98123f43")
|
2011-12-23 03:53:56 +00:00
|
|
|
self.assertTrue(is_password_usable(encoded))
|
2012-12-22 15:00:15 +00:00
|
|
|
self.assertTrue(check_password("lètmein", encoded))
|
|
|
|
self.assertFalse(check_password("lètmeinz", encoded))
|
2012-06-06 09:06:33 +00:00
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "unsalted_md5")
|
2013-02-02 10:57:25 +00:00
|
|
|
# Alternate unsalted syntax
|
|
|
|
alt_encoded = "md5$$%s" % encoded
|
|
|
|
self.assertTrue(is_password_usable(alt_encoded))
|
|
|
|
self.assertTrue(check_password("lètmein", alt_encoded))
|
|
|
|
self.assertFalse(check_password("lètmeinz", alt_encoded))
|
2013-06-17 16:06:26 +00:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password("", "", "unsalted_md5")
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password("", blank_encoded))
|
|
|
|
self.assertFalse(check_password(" ", blank_encoded))
|
2011-12-23 03:53:56 +00:00
|
|
|
|
2022-07-23 10:45:24 +00:00
|
|
|
@ignore_warnings(category=RemovedInDjango51Warning)
|
2021-09-05 15:24:09 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=["django.contrib.auth.hashers.UnsaltedMD5PasswordHasher"]
|
|
|
|
)
|
|
|
|
def test_unsalted_md5_encode_invalid_salt(self):
|
|
|
|
hasher = get_hasher("unsalted_md5")
|
|
|
|
msg = "salt must be empty."
|
|
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
|
|
hasher.encode("password", salt="salt")
|
|
|
|
|
2022-07-23 10:45:24 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=["django.contrib.auth.hashers.UnsaltedMD5PasswordHasher"]
|
|
|
|
)
|
|
|
|
def test_unsalted_md5_deprecation_warning(self):
|
|
|
|
msg = "django.contrib.auth.hashers.UnsaltedMD5PasswordHasher is deprecated."
|
|
|
|
with self.assertRaisesMessage(RemovedInDjango51Warning, msg):
|
|
|
|
get_hasher("unsalted_md5")
|
|
|
|
|
|
|
|
@ignore_warnings(category=RemovedInDjango51Warning)
|
2016-02-08 19:22:38 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=["django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher"]
|
|
|
|
)
|
2013-02-25 19:01:57 +00:00
|
|
|
def test_unsalted_sha1(self):
|
|
|
|
encoded = make_password("lètmein", "", "unsalted_sha1")
|
|
|
|
self.assertEqual(encoded, "sha1$$6d138ca3ae545631b3abd71a4f076ce759c5700b")
|
|
|
|
self.assertTrue(is_password_usable(encoded))
|
|
|
|
self.assertTrue(check_password("lètmein", encoded))
|
|
|
|
self.assertFalse(check_password("lètmeinz", encoded))
|
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "unsalted_sha1")
|
|
|
|
# Raw SHA1 isn't acceptable
|
|
|
|
alt_encoded = encoded[6:]
|
|
|
|
self.assertFalse(check_password("lètmein", alt_encoded))
|
2013-06-17 16:06:26 +00:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password("", "", "unsalted_sha1")
|
|
|
|
self.assertTrue(blank_encoded.startswith("sha1$"))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password("", blank_encoded))
|
|
|
|
self.assertFalse(check_password(" ", blank_encoded))
|
2013-02-25 19:01:57 +00:00
|
|
|
|
2022-07-23 10:45:24 +00:00
|
|
|
@ignore_warnings(category=RemovedInDjango51Warning)
|
2021-09-05 15:24:09 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=["django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher"]
|
|
|
|
)
|
|
|
|
def test_unsalted_sha1_encode_invalid_salt(self):
|
|
|
|
hasher = get_hasher("unsalted_sha1")
|
|
|
|
msg = "salt must be empty."
|
|
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
|
|
hasher.encode("password", salt="salt")
|
|
|
|
|
2022-07-23 10:45:24 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=["django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher"]
|
|
|
|
)
|
|
|
|
def test_unsalted_sha1_deprecation_warning(self):
|
|
|
|
msg = "django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher is deprecated."
|
|
|
|
with self.assertRaisesMessage(RemovedInDjango51Warning, msg):
|
|
|
|
get_hasher("unsalted_sha1")
|
|
|
|
|
2013-05-14 03:39:50 +00:00
|
|
|
@skipUnless(bcrypt, "bcrypt not installed")
|
2013-03-26 15:44:26 +00:00
|
|
|
def test_bcrypt_sha256(self):
|
|
|
|
encoded = make_password("lètmein", hasher="bcrypt_sha256")
|
|
|
|
self.assertTrue(is_password_usable(encoded))
|
|
|
|
self.assertTrue(encoded.startswith("bcrypt_sha256$"))
|
|
|
|
self.assertTrue(check_password("lètmein", encoded))
|
|
|
|
self.assertFalse(check_password("lètmeinz", encoded))
|
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "bcrypt_sha256")
|
|
|
|
|
2016-10-27 07:53:39 +00:00
|
|
|
# password truncation no longer works
|
2016-04-08 02:04:45 +00:00
|
|
|
password = (
|
|
|
|
"VSK0UYV6FFQVZ0KG88DYN9WADAADZO1CTSIVDJUNZSUML6IBX7LN7ZS3R5"
|
|
|
|
"JGB3RGZ7VI7G7DJQ9NI8BQFSRPTG6UWTTVESA5ZPUN"
|
|
|
|
)
|
2013-03-26 15:44:26 +00:00
|
|
|
encoded = make_password(password, hasher="bcrypt_sha256")
|
|
|
|
self.assertTrue(check_password(password, encoded))
|
|
|
|
self.assertFalse(check_password(password[:72], encoded))
|
2013-06-17 16:06:26 +00:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password("", hasher="bcrypt_sha256")
|
|
|
|
self.assertTrue(blank_encoded.startswith("bcrypt_sha256$"))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password("", blank_encoded))
|
|
|
|
self.assertFalse(check_password(" ", blank_encoded))
|
2013-03-26 15:44:26 +00:00
|
|
|
|
2013-05-14 03:39:50 +00:00
|
|
|
@skipUnless(bcrypt, "bcrypt not installed")
|
2018-02-26 14:05:18 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=["django.contrib.auth.hashers.BCryptPasswordHasher"]
|
|
|
|
)
|
2011-12-23 03:53:56 +00:00
|
|
|
def test_bcrypt(self):
|
2012-12-22 15:00:15 +00:00
|
|
|
encoded = make_password("lètmein", hasher="bcrypt")
|
2011-12-23 03:53:56 +00:00
|
|
|
self.assertTrue(is_password_usable(encoded))
|
|
|
|
self.assertTrue(encoded.startswith("bcrypt$"))
|
2012-12-22 15:00:15 +00:00
|
|
|
self.assertTrue(check_password("lètmein", encoded))
|
|
|
|
self.assertFalse(check_password("lètmeinz", encoded))
|
2012-06-06 09:06:33 +00:00
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "bcrypt")
|
2013-06-17 16:06:26 +00:00
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password("", hasher="bcrypt")
|
|
|
|
self.assertTrue(blank_encoded.startswith("bcrypt$"))
|
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password("", blank_encoded))
|
|
|
|
self.assertFalse(check_password(" ", blank_encoded))
|
2011-12-23 03:53:56 +00:00
|
|
|
|
2015-02-26 19:04:24 +00:00
|
|
|
@skipUnless(bcrypt, "bcrypt not installed")
|
2018-02-26 14:05:18 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=["django.contrib.auth.hashers.BCryptPasswordHasher"]
|
|
|
|
)
|
2015-02-26 19:04:24 +00:00
|
|
|
def test_bcrypt_upgrade(self):
|
|
|
|
hasher = get_hasher("bcrypt")
|
|
|
|
self.assertEqual("bcrypt", hasher.algorithm)
|
|
|
|
self.assertNotEqual(hasher.rounds, 4)
|
|
|
|
|
|
|
|
old_rounds = hasher.rounds
|
|
|
|
try:
|
|
|
|
# Generate a password with 4 rounds.
|
|
|
|
hasher.rounds = 4
|
|
|
|
encoded = make_password("letmein", hasher="bcrypt")
|
|
|
|
rounds = hasher.safe_summary(encoded)["work factor"]
|
2020-04-06 20:14:17 +00:00
|
|
|
self.assertEqual(rounds, 4)
|
2015-02-26 19:04:24 +00:00
|
|
|
|
|
|
|
state = {"upgraded": False}
|
|
|
|
|
|
|
|
def setter(password):
|
|
|
|
state["upgraded"] = True
|
|
|
|
|
2016-10-27 07:53:39 +00:00
|
|
|
# No upgrade is triggered.
|
2015-02-26 19:04:24 +00:00
|
|
|
self.assertTrue(check_password("letmein", encoded, setter, "bcrypt"))
|
|
|
|
self.assertFalse(state["upgraded"])
|
|
|
|
|
|
|
|
# Revert to the old rounds count and ...
|
|
|
|
hasher.rounds = old_rounds
|
|
|
|
|
|
|
|
# ... check if the password would get updated to the new count.
|
|
|
|
self.assertTrue(check_password("letmein", encoded, setter, "bcrypt"))
|
|
|
|
self.assertTrue(state["upgraded"])
|
|
|
|
finally:
|
|
|
|
hasher.rounds = old_rounds
|
|
|
|
|
2016-02-13 20:09:46 +00:00
|
|
|
@skipUnless(bcrypt, "bcrypt not installed")
|
2018-02-26 14:05:18 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=["django.contrib.auth.hashers.BCryptPasswordHasher"]
|
|
|
|
)
|
2016-02-13 20:09:46 +00:00
|
|
|
def test_bcrypt_harden_runtime(self):
|
|
|
|
hasher = get_hasher("bcrypt")
|
|
|
|
self.assertEqual("bcrypt", hasher.algorithm)
|
|
|
|
|
|
|
|
with mock.patch.object(hasher, "rounds", 4):
|
|
|
|
encoded = make_password("letmein", hasher="bcrypt")
|
|
|
|
|
|
|
|
with mock.patch.object(hasher, "rounds", 6), mock.patch.object(
|
|
|
|
hasher, "encode", side_effect=hasher.encode
|
|
|
|
):
|
|
|
|
hasher.harden_runtime("wrong_password", encoded)
|
|
|
|
|
|
|
|
# Increasing rounds from 4 to 6 means an increase of 4 in workload,
|
|
|
|
# therefore hardening should run 3 times to make the timing the
|
|
|
|
# same (the original encode() call already ran once).
|
|
|
|
self.assertEqual(hasher.encode.call_count, 3)
|
|
|
|
|
|
|
|
# Get the original salt (includes the original workload factor)
|
|
|
|
algorithm, data = encoded.split("$", 1)
|
2018-02-07 19:20:04 +00:00
|
|
|
expected_call = (("wrong_password", data[:29].encode()),)
|
2016-02-13 20:09:46 +00:00
|
|
|
self.assertEqual(hasher.encode.call_args_list, [expected_call] * 3)
|
|
|
|
|
2011-12-23 03:53:56 +00:00
|
|
|
def test_unusable(self):
|
|
|
|
encoded = make_password(None)
|
2013-06-18 18:02:00 +00:00
|
|
|
self.assertEqual(
|
|
|
|
len(encoded),
|
|
|
|
len(UNUSABLE_PASSWORD_PREFIX) + UNUSABLE_PASSWORD_SUFFIX_LENGTH,
|
|
|
|
)
|
2011-12-23 03:53:56 +00:00
|
|
|
self.assertFalse(is_password_usable(encoded))
|
|
|
|
self.assertFalse(check_password(None, encoded))
|
2013-06-18 18:02:00 +00:00
|
|
|
self.assertFalse(check_password(encoded, encoded))
|
|
|
|
self.assertFalse(check_password(UNUSABLE_PASSWORD_PREFIX, encoded))
|
2011-12-23 03:53:56 +00:00
|
|
|
self.assertFalse(check_password("", encoded))
|
2012-12-22 15:00:15 +00:00
|
|
|
self.assertFalse(check_password("lètmein", encoded))
|
|
|
|
self.assertFalse(check_password("lètmeinz", encoded))
|
2023-03-20 07:07:23 +00:00
|
|
|
with self.assertRaisesMessage(ValueError, "Unknown password hashing algorithm"):
|
2016-01-17 11:26:39 +00:00
|
|
|
identify_hasher(encoded)
|
2013-06-18 18:02:00 +00:00
|
|
|
# Assert that the unusable passwords actually contain a random part.
|
|
|
|
# This might fail one day due to a hash collision.
|
|
|
|
self.assertNotEqual(encoded, make_password(None), "Random password collision?")
|
2011-12-23 03:53:56 +00:00
|
|
|
|
2013-07-03 17:13:47 +00:00
|
|
|
def test_unspecified_password(self):
|
|
|
|
"""
|
|
|
|
Makes sure specifying no plain password with a valid encoded password
|
|
|
|
returns `False`.
|
|
|
|
"""
|
|
|
|
self.assertFalse(check_password(None, make_password("lètmein")))
|
|
|
|
|
2011-12-23 03:53:56 +00:00
|
|
|
def test_bad_algorithm(self):
|
2017-01-20 02:10:33 +00:00
|
|
|
msg = (
|
|
|
|
"Unknown password hashing algorithm '%s'. Did you specify it in "
|
|
|
|
"the PASSWORD_HASHERS setting?"
|
|
|
|
)
|
|
|
|
with self.assertRaisesMessage(ValueError, msg % "lolcat"):
|
2012-12-22 15:00:15 +00:00
|
|
|
make_password("lètmein", hasher="lolcat")
|
2017-01-20 02:10:33 +00:00
|
|
|
with self.assertRaisesMessage(ValueError, msg % "lolcat"):
|
2016-01-17 11:26:39 +00:00
|
|
|
identify_hasher("lolcat$salt$hash")
|
2011-12-23 03:53:56 +00:00
|
|
|
|
2018-03-20 21:19:27 +00:00
|
|
|
def test_is_password_usable(self):
|
|
|
|
passwords = ("lètmein_badencoded", "", None)
|
|
|
|
for password in passwords:
|
|
|
|
with self.subTest(password=password):
|
|
|
|
self.assertIs(is_password_usable(password), True)
|
2012-09-12 09:21:58 +00:00
|
|
|
|
2015-09-20 00:44:37 +00:00
|
|
|
def test_low_level_pbkdf2(self):
|
2011-12-23 03:53:56 +00:00
|
|
|
hasher = PBKDF2PasswordHasher()
|
2013-09-19 16:39:43 +00:00
|
|
|
encoded = hasher.encode("lètmein", "seasalt2")
|
2021-09-16 08:04:59 +00:00
|
|
|
self.assertEqual(
|
|
|
|
encoded,
|
2023-02-04 12:37:44 +00:00
|
|
|
"pbkdf2_sha256$720000$"
|
|
|
|
"seasalt2$e8hbsPnTo9qWhT3xYfKWoRth0h0J3360yb/tipPhPtY=",
|
2021-09-16 08:04:59 +00:00
|
|
|
)
|
2012-12-22 15:00:15 +00:00
|
|
|
self.assertTrue(hasher.verify("lètmein", encoded))
|
2011-12-23 03:53:56 +00:00
|
|
|
|
|
|
|
def test_low_level_pbkdf2_sha1(self):
|
|
|
|
hasher = PBKDF2SHA1PasswordHasher()
|
2013-09-19 16:39:43 +00:00
|
|
|
encoded = hasher.encode("lètmein", "seasalt2")
|
2021-09-16 08:04:59 +00:00
|
|
|
self.assertEqual(
|
2023-02-04 12:37:44 +00:00
|
|
|
encoded, "pbkdf2_sha1$720000$seasalt2$2DDbzziqCtfldrRSNAaF8oA9OMw="
|
2021-09-16 08:04:59 +00:00
|
|
|
)
|
2012-12-22 15:00:15 +00:00
|
|
|
self.assertTrue(hasher.verify("lètmein", encoded))
|
2011-12-23 03:53:56 +00:00
|
|
|
|
2021-01-14 06:11:19 +00:00
|
|
|
@skipUnless(bcrypt, "bcrypt not installed")
|
|
|
|
def test_bcrypt_salt_check(self):
|
|
|
|
hasher = BCryptPasswordHasher()
|
|
|
|
encoded = hasher.encode("lètmein", hasher.salt())
|
|
|
|
self.assertIs(hasher.must_update(encoded), False)
|
|
|
|
|
|
|
|
@skipUnless(bcrypt, "bcrypt not installed")
|
|
|
|
def test_bcryptsha256_salt_check(self):
|
|
|
|
hasher = BCryptSHA256PasswordHasher()
|
|
|
|
encoded = hasher.encode("lètmein", hasher.salt())
|
|
|
|
self.assertIs(hasher.must_update(encoded), False)
|
|
|
|
|
2016-02-08 19:22:38 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=[
|
|
|
|
"django.contrib.auth.hashers.PBKDF2PasswordHasher",
|
2022-07-23 10:45:24 +00:00
|
|
|
"django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher",
|
2016-02-08 19:22:38 +00:00
|
|
|
"django.contrib.auth.hashers.MD5PasswordHasher",
|
|
|
|
],
|
|
|
|
)
|
2011-12-23 03:53:56 +00:00
|
|
|
def test_upgrade(self):
|
|
|
|
self.assertEqual("pbkdf2_sha256", get_hasher("default").algorithm)
|
2022-07-23 10:45:24 +00:00
|
|
|
for algo in ("pbkdf2_sha1", "md5"):
|
2017-03-07 21:00:43 +00:00
|
|
|
with self.subTest(algo=algo):
|
|
|
|
encoded = make_password("lètmein", hasher=algo)
|
|
|
|
state = {"upgraded": False}
|
2013-10-22 10:21:07 +00:00
|
|
|
|
2017-03-07 21:00:43 +00:00
|
|
|
def setter(password):
|
|
|
|
state["upgraded"] = True
|
2022-02-03 19:24:19 +00:00
|
|
|
|
2017-03-07 21:00:43 +00:00
|
|
|
self.assertTrue(check_password("lètmein", encoded, setter))
|
|
|
|
self.assertTrue(state["upgraded"])
|
2011-12-23 03:53:56 +00:00
|
|
|
|
|
|
|
def test_no_upgrade(self):
|
2012-12-22 15:00:15 +00:00
|
|
|
encoded = make_password("lètmein")
|
2011-12-23 03:53:56 +00:00
|
|
|
state = {"upgraded": False}
|
2013-10-22 10:21:07 +00:00
|
|
|
|
2011-12-23 03:53:56 +00:00
|
|
|
def setter():
|
|
|
|
state["upgraded"] = True
|
2022-02-03 19:24:19 +00:00
|
|
|
|
2011-12-23 03:53:56 +00:00
|
|
|
self.assertFalse(check_password("WRONG", encoded, setter))
|
|
|
|
self.assertFalse(state["upgraded"])
|
|
|
|
|
2016-02-08 19:22:38 +00:00
|
|
|
@override_settings(
|
|
|
|
PASSWORD_HASHERS=[
|
|
|
|
"django.contrib.auth.hashers.PBKDF2PasswordHasher",
|
2022-07-23 10:45:24 +00:00
|
|
|
"django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher",
|
2016-02-08 19:22:38 +00:00
|
|
|
"django.contrib.auth.hashers.MD5PasswordHasher",
|
|
|
|
],
|
|
|
|
)
|
2011-12-23 03:53:56 +00:00
|
|
|
def test_no_upgrade_on_incorrect_pass(self):
|
|
|
|
self.assertEqual("pbkdf2_sha256", get_hasher("default").algorithm)
|
2022-07-23 10:45:24 +00:00
|
|
|
for algo in ("pbkdf2_sha1", "md5"):
|
2017-03-07 21:00:43 +00:00
|
|
|
with self.subTest(algo=algo):
|
|
|
|
encoded = make_password("lètmein", hasher=algo)
|
|
|
|
state = {"upgraded": False}
|
|
|
|
|
|
|
|
def setter():
|
|
|
|
state["upgraded"] = True
|
2022-02-03 19:24:19 +00:00
|
|
|
|
2017-03-07 21:00:43 +00:00
|
|
|
self.assertFalse(check_password("WRONG", encoded, setter))
|
|
|
|
self.assertFalse(state["upgraded"])
|
2013-06-14 14:19:53 +00:00
|
|
|
|
2013-09-24 18:52:20 +00:00
|
|
|
def test_pbkdf2_upgrade(self):
|
|
|
|
hasher = get_hasher("default")
|
2014-11-18 20:45:12 +00:00
|
|
|
self.assertEqual("pbkdf2_sha256", hasher.algorithm)
|
2013-09-24 18:52:20 +00:00
|
|
|
self.assertNotEqual(hasher.iterations, 1)
|
|
|
|
|
|
|
|
old_iterations = hasher.iterations
|
|
|
|
try:
|
|
|
|
# Generate a password with 1 iteration.
|
|
|
|
hasher.iterations = 1
|
|
|
|
encoded = make_password("letmein")
|
|
|
|
algo, iterations, salt, hash = encoded.split("$", 3)
|
|
|
|
self.assertEqual(iterations, "1")
|
|
|
|
|
|
|
|
state = {"upgraded": False}
|
2013-10-22 10:21:07 +00:00
|
|
|
|
2013-09-24 18:52:20 +00:00
|
|
|
def setter(password):
|
|
|
|
state["upgraded"] = True
|
|
|
|
|
2016-10-27 07:53:39 +00:00
|
|
|
# No upgrade is triggered
|
2013-09-24 18:52:20 +00:00
|
|
|
self.assertTrue(check_password("letmein", encoded, setter))
|
|
|
|
self.assertFalse(state["upgraded"])
|
|
|
|
|
|
|
|
# Revert to the old iteration count and ...
|
|
|
|
hasher.iterations = old_iterations
|
|
|
|
|
|
|
|
# ... check if the password would get updated to the new iteration count.
|
|
|
|
self.assertTrue(check_password("letmein", encoded, setter))
|
|
|
|
self.assertTrue(state["upgraded"])
|
|
|
|
finally:
|
|
|
|
hasher.iterations = old_iterations
|
|
|
|
|
2016-02-13 20:09:46 +00:00
|
|
|
def test_pbkdf2_harden_runtime(self):
|
|
|
|
hasher = get_hasher("default")
|
|
|
|
self.assertEqual("pbkdf2_sha256", hasher.algorithm)
|
|
|
|
|
|
|
|
with mock.patch.object(hasher, "iterations", 1):
|
|
|
|
encoded = make_password("letmein")
|
|
|
|
|
|
|
|
with mock.patch.object(hasher, "iterations", 6), mock.patch.object(
|
|
|
|
hasher, "encode", side_effect=hasher.encode
|
|
|
|
):
|
|
|
|
hasher.harden_runtime("wrong_password", encoded)
|
|
|
|
|
|
|
|
# Encode should get called once ...
|
|
|
|
self.assertEqual(hasher.encode.call_count, 1)
|
|
|
|
|
|
|
|
# ... with the original salt and 5 iterations.
|
|
|
|
algorithm, iterations, salt, hash = encoded.split("$", 3)
|
|
|
|
expected_call = (("wrong_password", salt, 5),)
|
|
|
|
self.assertEqual(hasher.encode.call_args, expected_call)
|
|
|
|
|
2013-11-30 01:49:56 +00:00
|
|
|
def test_pbkdf2_upgrade_new_hasher(self):
|
|
|
|
hasher = get_hasher("default")
|
2014-11-18 20:45:12 +00:00
|
|
|
self.assertEqual("pbkdf2_sha256", hasher.algorithm)
|
2013-11-30 01:49:56 +00:00
|
|
|
self.assertNotEqual(hasher.iterations, 1)
|
|
|
|
|
|
|
|
state = {"upgraded": False}
|
|
|
|
|
|
|
|
def setter(password):
|
|
|
|
state["upgraded"] = True
|
|
|
|
|
|
|
|
with self.settings(
|
2015-02-10 14:17:08 +00:00
|
|
|
PASSWORD_HASHERS=["auth_tests.test_hashers.PBKDF2SingleIterationHasher"]
|
|
|
|
):
|
2013-11-30 01:49:56 +00:00
|
|
|
encoded = make_password("letmein")
|
|
|
|
algo, iterations, salt, hash = encoded.split("$", 3)
|
|
|
|
self.assertEqual(iterations, "1")
|
|
|
|
|
2016-10-27 07:53:39 +00:00
|
|
|
# No upgrade is triggered
|
2013-11-30 01:49:56 +00:00
|
|
|
self.assertTrue(check_password("letmein", encoded, setter))
|
|
|
|
self.assertFalse(state["upgraded"])
|
|
|
|
|
|
|
|
# Revert to the old iteration count and check if the password would get
|
|
|
|
# updated to the new iteration count.
|
|
|
|
with self.settings(
|
|
|
|
PASSWORD_HASHERS=[
|
|
|
|
"django.contrib.auth.hashers.PBKDF2PasswordHasher",
|
2015-02-10 14:17:08 +00:00
|
|
|
"auth_tests.test_hashers.PBKDF2SingleIterationHasher",
|
2022-02-03 19:24:19 +00:00
|
|
|
]
|
2015-02-10 14:17:08 +00:00
|
|
|
):
|
2013-11-30 01:49:56 +00:00
|
|
|
self.assertTrue(check_password("letmein", encoded, setter))
|
|
|
|
self.assertTrue(state["upgraded"])
|
|
|
|
|
2016-02-13 20:09:46 +00:00
|
|
|
def test_check_password_calls_harden_runtime(self):
|
|
|
|
hasher = get_hasher("default")
|
|
|
|
encoded = make_password("letmein")
|
|
|
|
|
|
|
|
with mock.patch.object(hasher, "harden_runtime"), mock.patch.object(
|
|
|
|
hasher, "must_update", return_value=True
|
|
|
|
):
|
|
|
|
# Correct password supplied, no hardening needed
|
|
|
|
check_password("letmein", encoded)
|
|
|
|
self.assertEqual(hasher.harden_runtime.call_count, 0)
|
|
|
|
|
|
|
|
# Wrong password supplied, hardening needed
|
|
|
|
check_password("wrong_password", encoded)
|
|
|
|
self.assertEqual(hasher.harden_runtime.call_count, 1)
|
|
|
|
|
2021-07-22 07:42:07 +00:00
|
|
|
def test_encode_invalid_salt(self):
|
|
|
|
hasher_classes = [
|
|
|
|
MD5PasswordHasher,
|
|
|
|
PBKDF2PasswordHasher,
|
|
|
|
PBKDF2SHA1PasswordHasher,
|
2020-12-27 02:54:47 +00:00
|
|
|
ScryptPasswordHasher,
|
2021-07-22 07:42:07 +00:00
|
|
|
]
|
|
|
|
msg = "salt must be provided and cannot contain $."
|
|
|
|
for hasher_class in hasher_classes:
|
|
|
|
hasher = hasher_class()
|
|
|
|
for salt in [None, "", "sea$salt"]:
|
|
|
|
with self.subTest(hasher_class.__name__, salt=salt):
|
|
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
|
|
hasher.encode("password", salt)
|
|
|
|
|
|
|
|
def test_encode_password_required(self):
|
|
|
|
hasher_classes = [
|
|
|
|
MD5PasswordHasher,
|
|
|
|
PBKDF2PasswordHasher,
|
|
|
|
PBKDF2SHA1PasswordHasher,
|
2020-12-27 02:54:47 +00:00
|
|
|
ScryptPasswordHasher,
|
2021-07-22 07:42:07 +00:00
|
|
|
]
|
|
|
|
msg = "password must be provided."
|
|
|
|
for hasher_class in hasher_classes:
|
|
|
|
hasher = hasher_class()
|
|
|
|
with self.subTest(hasher_class.__name__):
|
|
|
|
with self.assertRaisesMessage(TypeError, msg):
|
|
|
|
hasher.encode(None, "seasalt")
|
|
|
|
|
2017-09-28 19:52:11 +00:00
|
|
|
|
|
|
|
class BasePasswordHasherTests(SimpleTestCase):
|
2017-09-28 19:53:59 +00:00
|
|
|
not_implemented_msg = "subclasses of BasePasswordHasher must provide %s() method"
|
|
|
|
|
2017-09-28 19:52:11 +00:00
|
|
|
def setUp(self):
|
|
|
|
self.hasher = BasePasswordHasher()
|
|
|
|
|
2013-06-14 14:19:53 +00:00
|
|
|
def test_load_library_no_algorithm(self):
|
2017-01-20 02:10:33 +00:00
|
|
|
msg = "Hasher 'BasePasswordHasher' doesn't specify a library attribute"
|
|
|
|
with self.assertRaisesMessage(ValueError, msg):
|
2017-09-28 19:52:11 +00:00
|
|
|
self.hasher._load_library()
|
2013-06-14 14:19:53 +00:00
|
|
|
|
|
|
|
def test_load_library_importerror(self):
|
2017-01-19 14:48:01 +00:00
|
|
|
PlainHasher = type(
|
|
|
|
"PlainHasher",
|
|
|
|
(BasePasswordHasher,),
|
|
|
|
{"algorithm": "plain", "library": "plain"},
|
|
|
|
)
|
2017-01-20 02:10:33 +00:00
|
|
|
msg = "Couldn't load 'PlainHasher' algorithm library: No module named 'plain'"
|
|
|
|
with self.assertRaisesMessage(ValueError, msg):
|
2013-06-14 14:19:53 +00:00
|
|
|
PlainHasher()._load_library()
|
2015-12-26 12:14:07 +00:00
|
|
|
|
2017-09-28 19:53:59 +00:00
|
|
|
def test_attributes(self):
|
|
|
|
self.assertIsNone(self.hasher.algorithm)
|
|
|
|
self.assertIsNone(self.hasher.library)
|
|
|
|
|
|
|
|
def test_encode(self):
|
|
|
|
msg = self.not_implemented_msg % "an encode"
|
|
|
|
with self.assertRaisesMessage(NotImplementedError, msg):
|
|
|
|
self.hasher.encode("password", "salt")
|
|
|
|
|
2020-04-06 20:14:17 +00:00
|
|
|
def test_decode(self):
|
|
|
|
msg = self.not_implemented_msg % "a decode"
|
|
|
|
with self.assertRaisesMessage(NotImplementedError, msg):
|
|
|
|
self.hasher.decode("encoded")
|
|
|
|
|
2017-09-28 19:53:59 +00:00
|
|
|
def test_harden_runtime(self):
|
|
|
|
msg = (
|
|
|
|
"subclasses of BasePasswordHasher should provide a harden_runtime() method"
|
2022-02-03 19:24:19 +00:00
|
|
|
)
|
2020-01-30 09:35:02 +00:00
|
|
|
with self.assertWarnsMessage(Warning, msg):
|
2017-09-28 19:53:59 +00:00
|
|
|
self.hasher.harden_runtime("password", "encoded")
|
|
|
|
|
|
|
|
def test_must_update(self):
|
|
|
|
self.assertIs(self.hasher.must_update("encoded"), False)
|
|
|
|
|
|
|
|
def test_safe_summary(self):
|
|
|
|
msg = self.not_implemented_msg % "a safe_summary"
|
|
|
|
with self.assertRaisesMessage(NotImplementedError, msg):
|
|
|
|
self.hasher.safe_summary("encoded")
|
|
|
|
|
|
|
|
def test_verify(self):
|
|
|
|
msg = self.not_implemented_msg % "a verify"
|
|
|
|
with self.assertRaisesMessage(NotImplementedError, msg):
|
|
|
|
self.hasher.verify("password", "encoded")
|
|
|
|
|
2015-12-26 12:14:07 +00:00
|
|
|
|
|
|
|
@skipUnless(argon2, "argon2-cffi not installed")
|
|
|
|
@override_settings(PASSWORD_HASHERS=PASSWORD_HASHERS)
|
|
|
|
class TestUtilsHashPassArgon2(SimpleTestCase):
|
|
|
|
def test_argon2(self):
|
|
|
|
encoded = make_password("lètmein", hasher="argon2")
|
|
|
|
self.assertTrue(is_password_usable(encoded))
|
2020-06-17 06:07:10 +00:00
|
|
|
self.assertTrue(encoded.startswith("argon2$argon2id$"))
|
2015-12-26 12:14:07 +00:00
|
|
|
self.assertTrue(check_password("lètmein", encoded))
|
|
|
|
self.assertFalse(check_password("lètmeinz", encoded))
|
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "argon2")
|
|
|
|
# Blank passwords
|
|
|
|
blank_encoded = make_password("", hasher="argon2")
|
2020-06-17 06:07:10 +00:00
|
|
|
self.assertTrue(blank_encoded.startswith("argon2$argon2id$"))
|
2015-12-26 12:14:07 +00:00
|
|
|
self.assertTrue(is_password_usable(blank_encoded))
|
|
|
|
self.assertTrue(check_password("", blank_encoded))
|
|
|
|
self.assertFalse(check_password(" ", blank_encoded))
|
2016-04-22 11:26:41 +00:00
|
|
|
# Old hashes without version attribute
|
|
|
|
encoded = (
|
|
|
|
"argon2$argon2i$m=8,t=1,p=1$c29tZXNhbHQ$gwQOXSNhxiOxPOA0+PY10P9QFO"
|
|
|
|
"4NAYysnqRt1GSQLE55m+2GYDt9FEjPMHhP2Cuf0nOEXXMocVrsJAtNSsKyfg"
|
|
|
|
)
|
|
|
|
self.assertTrue(check_password("secret", encoded))
|
|
|
|
self.assertFalse(check_password("wrong", encoded))
|
2020-06-17 05:52:31 +00:00
|
|
|
# Old hashes with version attribute.
|
|
|
|
encoded = "argon2$argon2i$v=19$m=8,t=1,p=1$c2FsdHNhbHQ$YC9+jJCrQhs5R6db7LlN8Q"
|
|
|
|
self.assertIs(check_password("secret", encoded), True)
|
|
|
|
self.assertIs(check_password("wrong", encoded), False)
|
2020-06-25 02:28:07 +00:00
|
|
|
# Salt entropy check.
|
|
|
|
hasher = get_hasher("argon2")
|
|
|
|
encoded_weak_salt = make_password("lètmein", "iodizedsalt", "argon2")
|
|
|
|
encoded_strong_salt = make_password("lètmein", hasher.salt(), "argon2")
|
|
|
|
self.assertIs(hasher.must_update(encoded_weak_salt), True)
|
|
|
|
self.assertIs(hasher.must_update(encoded_strong_salt), False)
|
2015-12-26 12:14:07 +00:00
|
|
|
|
2020-12-27 16:25:22 +00:00
|
|
|
def test_argon2_decode(self):
|
|
|
|
salt = "abcdefghijk"
|
|
|
|
encoded = make_password("lètmein", salt=salt, hasher="argon2")
|
|
|
|
hasher = get_hasher("argon2")
|
|
|
|
decoded = hasher.decode(encoded)
|
|
|
|
self.assertEqual(decoded["memory_cost"], hasher.memory_cost)
|
|
|
|
self.assertEqual(decoded["parallelism"], hasher.parallelism)
|
|
|
|
self.assertEqual(decoded["salt"], salt)
|
|
|
|
self.assertEqual(decoded["time_cost"], hasher.time_cost)
|
|
|
|
|
2015-12-26 12:14:07 +00:00
|
|
|
def test_argon2_upgrade(self):
|
|
|
|
self._test_argon2_upgrade("time_cost", "time cost", 1)
|
2020-06-17 06:07:10 +00:00
|
|
|
self._test_argon2_upgrade("memory_cost", "memory cost", 64)
|
2015-12-26 12:14:07 +00:00
|
|
|
self._test_argon2_upgrade("parallelism", "parallelism", 1)
|
|
|
|
|
2016-04-22 11:26:41 +00:00
|
|
|
def test_argon2_version_upgrade(self):
|
|
|
|
hasher = get_hasher("argon2")
|
|
|
|
state = {"upgraded": False}
|
|
|
|
encoded = (
|
2020-06-17 06:07:10 +00:00
|
|
|
"argon2$argon2id$v=19$m=102400,t=2,p=8$Y041dExhNkljRUUy$TMa6A8fPJh"
|
|
|
|
"CAUXRhJXCXdw"
|
2016-04-22 11:26:41 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
def setter(password):
|
|
|
|
state["upgraded"] = True
|
|
|
|
|
|
|
|
old_m = hasher.memory_cost
|
|
|
|
old_t = hasher.time_cost
|
|
|
|
old_p = hasher.parallelism
|
|
|
|
try:
|
|
|
|
hasher.memory_cost = 8
|
|
|
|
hasher.time_cost = 1
|
|
|
|
hasher.parallelism = 1
|
|
|
|
self.assertTrue(check_password("secret", encoded, setter, "argon2"))
|
|
|
|
self.assertTrue(state["upgraded"])
|
|
|
|
finally:
|
|
|
|
hasher.memory_cost = old_m
|
|
|
|
hasher.time_cost = old_t
|
|
|
|
hasher.parallelism = old_p
|
|
|
|
|
2015-12-26 12:14:07 +00:00
|
|
|
def _test_argon2_upgrade(self, attr, summary_key, new_value):
|
|
|
|
hasher = get_hasher("argon2")
|
|
|
|
self.assertEqual("argon2", hasher.algorithm)
|
|
|
|
self.assertNotEqual(getattr(hasher, attr), new_value)
|
|
|
|
|
|
|
|
old_value = getattr(hasher, attr)
|
|
|
|
try:
|
|
|
|
# Generate hash with attr set to 1
|
|
|
|
setattr(hasher, attr, new_value)
|
|
|
|
encoded = make_password("letmein", hasher="argon2")
|
|
|
|
attr_value = hasher.safe_summary(encoded)[summary_key]
|
|
|
|
self.assertEqual(attr_value, new_value)
|
|
|
|
|
|
|
|
state = {"upgraded": False}
|
|
|
|
|
|
|
|
def setter(password):
|
|
|
|
state["upgraded"] = True
|
|
|
|
|
2016-10-27 07:53:39 +00:00
|
|
|
# No upgrade is triggered.
|
2015-12-26 12:14:07 +00:00
|
|
|
self.assertTrue(check_password("letmein", encoded, setter, "argon2"))
|
|
|
|
self.assertFalse(state["upgraded"])
|
|
|
|
|
|
|
|
# Revert to the old rounds count and ...
|
|
|
|
setattr(hasher, attr, old_value)
|
|
|
|
|
|
|
|
# ... check if the password would get updated to the new count.
|
|
|
|
self.assertTrue(check_password("letmein", encoded, setter, "argon2"))
|
|
|
|
self.assertTrue(state["upgraded"])
|
|
|
|
finally:
|
|
|
|
setattr(hasher, attr, old_value)
|
2020-12-27 02:54:47 +00:00
|
|
|
|
|
|
|
|
2022-10-21 01:50:48 +00:00
|
|
|
@skipUnless(scrypt, "scrypt not available")
|
2020-12-27 02:54:47 +00:00
|
|
|
@override_settings(PASSWORD_HASHERS=PASSWORD_HASHERS)
|
|
|
|
class TestUtilsHashPassScrypt(SimpleTestCase):
|
|
|
|
def test_scrypt(self):
|
|
|
|
encoded = make_password("lètmein", "seasalt", "scrypt")
|
|
|
|
self.assertEqual(
|
|
|
|
encoded,
|
|
|
|
"scrypt$16384$seasalt$8$1$Qj3+9PPyRjSJIebHnG81TMjsqtaIGxNQG/aEB/NY"
|
|
|
|
"afTJ7tibgfYz71m0ldQESkXFRkdVCBhhY8mx7rQwite/Pw==",
|
|
|
|
)
|
|
|
|
self.assertIs(is_password_usable(encoded), True)
|
|
|
|
self.assertIs(check_password("lètmein", encoded), True)
|
|
|
|
self.assertIs(check_password("lètmeinz", encoded), False)
|
|
|
|
self.assertEqual(identify_hasher(encoded).algorithm, "scrypt")
|
|
|
|
# Blank passwords.
|
|
|
|
blank_encoded = make_password("", "seasalt", "scrypt")
|
|
|
|
self.assertIs(blank_encoded.startswith("scrypt$"), True)
|
|
|
|
self.assertIs(is_password_usable(blank_encoded), True)
|
|
|
|
self.assertIs(check_password("", blank_encoded), True)
|
|
|
|
self.assertIs(check_password(" ", blank_encoded), False)
|
|
|
|
|
|
|
|
def test_scrypt_decode(self):
|
|
|
|
encoded = make_password("lètmein", "seasalt", "scrypt")
|
|
|
|
hasher = get_hasher("scrypt")
|
|
|
|
decoded = hasher.decode(encoded)
|
|
|
|
tests = [
|
|
|
|
("block_size", hasher.block_size),
|
|
|
|
("parallelism", hasher.parallelism),
|
|
|
|
("salt", "seasalt"),
|
|
|
|
("work_factor", hasher.work_factor),
|
|
|
|
]
|
|
|
|
for key, excepted in tests:
|
|
|
|
with self.subTest(key=key):
|
|
|
|
self.assertEqual(decoded[key], excepted)
|
|
|
|
|
|
|
|
def _test_scrypt_upgrade(self, attr, summary_key, new_value):
|
|
|
|
hasher = get_hasher("scrypt")
|
|
|
|
self.assertEqual(hasher.algorithm, "scrypt")
|
|
|
|
self.assertNotEqual(getattr(hasher, attr), new_value)
|
|
|
|
|
|
|
|
old_value = getattr(hasher, attr)
|
|
|
|
try:
|
|
|
|
# Generate hash with attr set to the new value.
|
|
|
|
setattr(hasher, attr, new_value)
|
|
|
|
encoded = make_password("lètmein", "seasalt", "scrypt")
|
|
|
|
attr_value = hasher.safe_summary(encoded)[summary_key]
|
|
|
|
self.assertEqual(attr_value, new_value)
|
|
|
|
|
|
|
|
state = {"upgraded": False}
|
|
|
|
|
|
|
|
def setter(password):
|
|
|
|
state["upgraded"] = True
|
|
|
|
|
|
|
|
# No update is triggered.
|
|
|
|
self.assertIs(check_password("lètmein", encoded, setter, "scrypt"), True)
|
|
|
|
self.assertIs(state["upgraded"], False)
|
|
|
|
# Revert to the old value.
|
|
|
|
setattr(hasher, attr, old_value)
|
|
|
|
# Password is updated.
|
|
|
|
self.assertIs(check_password("lètmein", encoded, setter, "scrypt"), True)
|
|
|
|
self.assertIs(state["upgraded"], True)
|
|
|
|
finally:
|
|
|
|
setattr(hasher, attr, old_value)
|
|
|
|
|
|
|
|
def test_scrypt_upgrade(self):
|
|
|
|
tests = [
|
|
|
|
("work_factor", "work factor", 2**11),
|
|
|
|
("block_size", "block size", 10),
|
|
|
|
("parallelism", "parallelism", 2),
|
|
|
|
]
|
|
|
|
for attr, summary_key, new_value in tests:
|
|
|
|
with self.subTest(attr=attr):
|
|
|
|
self._test_scrypt_upgrade(attr, summary_key, new_value)
|