Added test for acheck_password() to ensure make_password is called for unusable passwords.

This is a follow up for the fix of CVE-2024-39329 (5d86458579) where the timing of verify_password() was standardized when checking unusable passwords.
2024-12-22 17:16:24 +00:00 · 2024-08-08 11:29:00 -03:00 · 2024-08-08 11:29:00 -03:00 · e1606d27b4
commit e1606d27b4
parent f8ef4579ea
1 changed files with 41 additions and 20 deletions
--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
@ -1,3 +1,4 @@
+from contextlib import contextmanager
 from unittest import mock, skipUnless

 from django.conf.global_settings import PASSWORD_HASHERS
@ -452,16 +453,10 @@ class TestUtilsHashPass(SimpleTestCase):
            check_password("wrong_password", encoded)
            self.assertEqual(hasher.harden_runtime.call_count, 1)

-    def test_check_password_calls_make_password_to_fake_runtime(self):
+    @contextmanager
+    def assertMakePasswordCalled(self, password, encoded, hasher_side_effect):
        hasher = get_hasher("default")
-        cases = [
-            (None, None, None),  # no plain text password provided
-            ("foo", make_password(password=None), None),  # unusable encoded
-            ("letmein", make_password(password="letmein"), ValueError),  # valid encoded
-        ]
-        for password, encoded, hasher_side_effect in cases:
        with (
-                self.subTest(encoded=encoded),
            mock.patch(
                "django.contrib.auth.hashers.identify_hasher",
                side_effect=hasher_side_effect,
@ -476,7 +471,7 @@ class TestUtilsHashPass(SimpleTestCase):
            mock.patch.object(hasher, "verify"),
        ):
            # Ensure make_password is called to standardize timing.
-                check_password(password, encoded)
+            yield
            self.assertEqual(hasher.verify.call_count, 0)
            self.assertEqual(mock_identify_hasher.mock_calls, [mock.call(encoded)])
            self.assertEqual(
@ -484,6 +479,32 @@ class TestUtilsHashPass(SimpleTestCase):
                [mock.call("x" * UNUSABLE_PASSWORD_SUFFIX_LENGTH)],
            )

+    def test_check_password_calls_make_password_to_fake_runtime(self):
+        cases = [
+            (None, None, None),  # no plain text password provided
+            ("foo", make_password(password=None), None),  # unusable encoded
+            ("letmein", make_password(password="letmein"), ValueError),  # valid encoded
+        ]
+        for password, encoded, hasher_side_effect in cases:
+            with (
+                self.subTest(encoded=encoded),
+                self.assertMakePasswordCalled(password, encoded, hasher_side_effect),
+            ):
+                check_password(password, encoded)
+
+    async def test_acheck_password_calls_make_password_to_fake_runtime(self):
+        cases = [
+            (None, None, None),  # no plain text password provided
+            ("foo", make_password(password=None), None),  # unusable encoded
+            ("letmein", make_password(password="letmein"), ValueError),  # valid encoded
+        ]
+        for password, encoded, hasher_side_effect in cases:
+            with (
+                self.subTest(encoded=encoded),
+                self.assertMakePasswordCalled(password, encoded, hasher_side_effect),
+            ):
+                await acheck_password(password, encoded)
+
    def test_encode_invalid_salt(self):
        hasher_classes = [
            MD5PasswordHasher,