#3517 Ensured the hashed password is unicode
Merged 5 years ago by pingou. Opened 5 years ago by pingou.

file modified
+2 -2
@@ -61,8 +61,8 @@ 

      if not isinstance(password, six.text_type):

          raise ValueError("Password supplied is not unicode text")

  

-     return b'$2$' + bcrypt.hashpw(password.encode('utf-8'),

-                                   bcrypt.gensalt())

+     return (b'$2$' + bcrypt.hashpw(password.encode('utf-8'),

+                                    bcrypt.gensalt())).decode('utf-8')

  

  

  def check_password(entered_password, user_password, seed=None):
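Review bot: The `.decode('utf-8')` on the new return line changes what gets stored from bytes to text, but nothing visible here deals with hashes that were already written as bytes; per the description those were stored incorrectly in postgresql, so accounts registered before this fix would presumably still fail to log in until the rows are repaired or the password is reset. The function begins above the hunk, and `check_password` starts on its last line with its body outside it, so it is worth confirming there that `user_password` is encoded back to bytes before it is handed to bcrypt and that the comparison is constant-time. The new contract also deserves a line in the docstring, for example `Returns the '$2$'-prefixed bcrypt hash as unicode text.`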

@@ -242,13 +242,13 @@ 

              else:

                  self.assertIn(

                      '<a class="dropdown-item" '

-                     'href="/logout/?next=http://localhost/">', output_text)

+                     'href="/logout/?next=http://localhost/dashboard/projects">', output_text)

  

          # Make the password invalid

          self.session.commit()

          item = pagure.lib.search_user(self.session, username='foouser')

          self.assertEqual(item.user, 'foouser')

-         self.assertTrue(item.password.startswith(b'$2$'))

+         self.assertTrue(item.password.startswith('$2$'))

  

          # Remove the $2$

          item.password = item.password[3:]
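Review bot: The change of the expected logout link from `next=http://localhost/` to `next=http://localhost/dashboard/projects`, here and again in the `@@ -584,7 +584,7 @@` hunk, is not explained by the description, which only covers the bytes-versus-text fix. A comment above the assertion would keep the test readable, presumably something like `# a logged-in user is on the dashboard, so the logout link's next= points there`. Because `next` carries an absolute URL, it is also worth confirming that the logout view only follows same-host targets, which nothing in these test lines shows either way. The test method starts above the hunk and continues below it.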
@@ -259,7 +259,7 @@ 

          self.session.commit()

          item = pagure.lib.search_user(self.session, username='foouser')

          self.assertEqual(item.user, 'foouser')

-         self.assertFalse(item.password.startswith(b'$2$'))

+         self.assertFalse(item.password.startswith('$2$'))

  

          # Try login again

          output = self.app.post(
@@ -275,8 +275,8 @@ 

          self.session.commit()

          item = pagure.lib.search_user(self.session, username='foouser')

          self.assertEqual(item.user, 'foouser')

-         self.assertFalse(item.password.startswith(b'$1$'))

-         self.assertFalse(item.password.startswith(b'$2$'))

+         self.assertFalse(item.password.startswith('$1$'))

+         self.assertFalse(item.password.startswith('$2$'))

  

          # V1 password

          password = '%s%s' % ('barpass', None)
@@ -307,7 +307,7 @@ 

          self.session.commit()

          item = pagure.lib.search_user(self.session, username='foouser')

          self.assertEqual(item.user, 'foouser')

-         self.assertTrue(item.password.startswith(b'$2$'))

+         self.assertTrue(item.password.startswith('$2$'))

  

          # We have set the REMOTE_ADDR in the request, so this works with all

          # versions of Flask.
@@ -584,7 +584,7 @@ 

              else:

                  self.assertIn(

                      '<a class="dropdown-item" '

-                     'href="/logout/?next=http://localhost/">', output_text)

+                     'href="/logout/?next=http://localhost/dashboard/projects">', output_text)

  

          # Check the user

          item = pagure.lib.search_user(self.session, username='foobar')
@@ -607,7 +607,7 @@ 

          self.assertEqual(3, len(items))

          item = pagure.lib.search_user(self.session, username='foouser')

          self.assertEqual(item.user, 'foouser')

-         self.assertTrue(item.password.startswith(b'$2$'))

+         self.assertTrue(item.password.startswith('$2$'))

          self.assertNotEqual(item.token, None)

  

          output = self.app.get(
@@ -689,7 +689,7 @@ 

          item = pagure.lib.search_user(self.session, username='foouser')

          self.assertEqual(item.user, 'foouser')

          self.assertNotEqual(item.token, None)

-         self.assertTrue(item.password.startswith(b'$2$'))

+         self.assertTrue(item.password.startswith('$2$'))

  

          old_password = item.password

          token = item.token
@@ -784,7 +784,7 @@ 

          item = pagure.lib.search_user(self.session, username='foouser')

          self.assertEqual(item.user, 'foouser')

          self.assertNotEqual(item.token, None)

-         self.assertTrue(item.password.startswith(b'$2$'))

+         self.assertTrue(item.password.startswith('$2$'))

          item.token = None

          self.session.add(item)

          self.session.commit()

@@ -51,7 +51,7 @@ 

      def test_generate_hashed_value(self):

          ''' Test pagure.lib.login.generate_hashed_value. '''

          password = pagure.lib.login.generate_hashed_value('foo')

-         self.assertTrue(password.startswith(b'$2$'))

+         self.assertTrue(password.startswith('$2$'))

          self.assertEqual(len(password), 63)

  

      def test_check_password(self):
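Review bot: `test_generate_hashed_value` still does not assert the property this pull request is about, namely that the hash comes back as text. On Python 2, which the use of `six` suggests is still supported, `startswith('$2$')` passes for a byte string and for a unicode string alike, so a regression to bytes would go unnoticed there. Adding `self.assertIsInstance(password, six.text_type)` after the call (assuming `six` is importable in this test module, as it is in the code under test) pins the return type on both interpreters. `test_check_password` starts on the last line of the hunk and its body is not visible.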

Otherwise it is returned as bytes, which are stored incorrectly in
postgresql, leading to login failures (while registering works
just fine).

Fixes https://pagure.io/pagure/issue/3491

Signed-off-by: Pierre-Yves Chibon pingou@pingoured.fr

rebased onto 1b102d34862b24b6ffbef1f3dabe07740a9f4fff

5 years ago

1 new commit added

  • Fix unit-tests
5 years ago

Verified it works for me!

:thumbsup:

2 new commits added

  • Fix unit-tests
  • Ensured the hashed password is unicode
5 years ago

rebased onto 29b1ab5

5 years ago

Pull-Request has been merged by pingou

5 years ago