[ci] Update tests in relation to possibilities of both backend and clientside key derivation

Author: evilaliv3

backend/globaleaks/tests/handlers/admin/test_operation.py

@@ -64,7 +64,7 @@ def test_admin_test_mail(self):
     def test_admin_test_set_user_password(self):
         return self._test_operation_handler('set_user_password',
                                            {'user_id': self.dummyReceiver_1['id'],
-                                            'password': 'GlobaLeaks123!'})
+                                            'password': helpers.VALID_PASSWORD1})
 
     def test_admin_test_send_password_reset_email(self):
         return self._test_operation_handler('send_password_reset_email',

backend/globaleaks/tests/handlers/auth/__init__.py

@@ -257,7 +257,7 @@ def test_single_session_per_whistleblower(self):
         valid_session = Sessions.get(second_id)
         self.assertTrue(valid_session is not None)
 
-        self.assertEqual(valid_session.user_role, 'whistleblower')
+        self.assertEqual(valid_session.role, 'whistleblower')
 
         wbtip_handler = self.request(headers={'x-session': second_id},
                                      handler_cls=WBTipInstance)

backend/globaleaks/tests/handlers/auth/test_auth.py

@@ -12,6 +12,47 @@
 from globaleaks.tests import helpers
 
 
+class TestAuthTypeHandler(helpers.TestHandlerWithPopulatedDB):
+    _handler = auth.AuthTypeHandler
+
+    # since all logins for roles admin, receiver and custodian happen
+    # in the same way, the following tests are performed on the recipient user.
+
+    @inlineCallbacks
+    def test_whistleblower_request(self):
+        handler = self.request({
+            'username': '',
+        })
+
+        response = yield handler.post()
+        self.assertTrue('type' in response)
+        self.assertEqual(response['type'], 'key')
+        self.assertTrue('salt' in response)
+        self.assertEqual(response['salt'], helpers.VALID_SALT1)
+
+    @inlineCallbacks
+    def test_receiver1_request(self):
+        handler = self.request({
+            'username': 'receiver1',
+        })
+
+        response = yield handler.post()
+        self.assertTrue('type' in response)
+        self.assertEqual(response['type'], 'key')
+        self.assertTrue('salt' in response)
+        self.assertEqual(response['salt'], helpers.VALID_SALT1)
+
+    @inlineCallbacks
+    def test_receiver2_request(self):
+        handler = self.request({
+            'username': 'receiver2',
+        })
+
+        response = yield handler.post()
+        self.assertTrue('type' in response)
+        self.assertEqual(response['type'], 'password')
+
+
 class TestAuthentication(helpers.TestHandlerWithPopulatedDB):
     _handler = auth.AuthenticationHandler
 
@@ -23,7 +64,7 @@ def test_successful_login(self):
         handler = self.request({
             'tid': 1,
             'username': 'admin',
-            'password': helpers.VALID_PASSWORD1,
+            'password': helpers.VALID_KEY1,
             'authcode': '',
         })
         response = yield handler.post()
@@ -34,7 +75,7 @@ def test_successful_multitenant_login_switch(self):
         handler = self.request({
             'tid': 1,
             'username': 'admin',
-            'password': helpers.VALID_PASSWORD1,
+            'password': helpers.VALID_KEY1,
             'authcode': ''
         })
 
@@ -52,7 +93,7 @@ def test_accept_login_in_https(self):
         handler = self.request({
             'tid': 1,
             'username': 'admin',
-            'password': helpers.VALID_PASSWORD1,
+            'password': helpers.VALID_KEY1,
             'authcode': ''
         })
         State.tenants[1].cache['https_admin'] = True
@@ -64,7 +105,7 @@ def test_deny_login_in_https(self):
         handler = self.request({
             'tid': 1,
             'username': 'admin',
-            'password': helpers.VALID_PASSWORD1,
+            'password': helpers.VALID_KEY1,
             'authcode': ''
         })
         State.tenants[1].cache['https_admin'] = False
@@ -101,7 +142,7 @@ def test_single_session_per_user(self):
         handler = self.request({
             'tid': 1,
             'username': 'admin',
-            'password': helpers.VALID_PASSWORD1,
+            'password': helpers.VALID_KEY1,
             'authcode': '',
         })
 
@@ -110,7 +151,7 @@ def test_single_session_per_user(self):
         handler = self.request({
             'tid': 1,
             'username': 'admin',
-            'password': helpers.VALID_PASSWORD1,
+            'password': helpers.VALID_KEY1,
             'authcode': '',
         })
 
@@ -124,7 +165,7 @@ def test_session_is_revoked(self):
         auth_handler = self.request({
             'tid': 1,
             'username': 'receiver1',
-            'password': helpers.VALID_PASSWORD1,
+            'password': helpers.VALID_KEY1,
             'authcode': '',
         })
 
@@ -140,7 +181,7 @@ def test_session_is_revoked(self):
         auth_handler = self.request({
             'tid': 1,
             'username': 'receiver1',
-            'password': helpers.VALID_PASSWORD1,
+            'password': helpers.VALID_KEY1,
             'authcode': '',
         })
 
@@ -166,7 +207,7 @@ def test_login_reject_on_ip_filtering(self):
         handler = self.request({
             'tid': 1,
             'username': 'admin',
-            'password': helpers.VALID_PASSWORD1,
+            'password': helpers.VALID_KEY1,
             'authcode': ''
         }, client_addr=b'192.168.1.1')
         yield self.assertFailure(handler.post(), errors.AccessLocationInvalid)
@@ -179,7 +220,7 @@ def test_login_success_on_ip_filtering(self):
         handler = self.request({
             'tid': 1,
             'username': 'admin',
-            'password': helpers.VALID_PASSWORD1,
+            'password': helpers.VALID_KEY1,
             'authcode': ''
         }, client_addr=b'192.168.2.1')
         response = yield handler.post()
@@ -192,15 +233,15 @@ class TestReceiptAuth(helpers.TestHandlerWithPopulatedDB):
     @inlineCallbacks
     def test_invalid_whistleblower_login(self):
         handler = self.request({
-            'receipt': 'INVALIDRECEIPT',
+            'receipt': 'INVALIDRECEIPT'
         })
         yield self.assertFailure(handler.post(), errors.InvalidAuthentication)
 
     @inlineCallbacks
     def test_successful_whistleblower_login(self):
         yield self.perform_full_submission_actions()
         handler = self.request({
-            'receipt': self.lastReceipt,
+            'receipt': self.lastReceipt
         })
         handler.request.client_using_tor = True
         response = yield handler.post()
@@ -257,7 +298,7 @@ def test_single_session_per_whistleblower(self):
         valid_session = Sessions.get(second_id)
         self.assertTrue(valid_session is not None)
 
-        self.assertEqual(valid_session.user_role, 'whistleblower')
+        self.assertEqual(valid_session.role, 'whistleblower')
 
         wbtip_handler = self.request(headers={'x-session': second_id},
                                      handler_cls=WBTipInstance)
@@ -276,7 +317,7 @@ def test_successful_admin_session_setup_renewal_and_logout(self):
         handler = self.request({
             'tid': 1,
             'username': 'admin',
-            'password': helpers.VALID_PASSWORD1,
+            'password': helpers.VALID_KEY1,
             'authcode': ''
         })
 

backend/globaleaks/tests/handlers/user/test_user.py

@@ -1,11 +1,12 @@
 # -*- coding: utf-8 -*
-import base64
 import time
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.twofactor.totp import TOTP
 from cryptography.hazmat.primitives.hashes import SHA1
 
+from nacl.encoding import Base32Encoder
+
 from twisted.internet.defer import inlineCallbacks
 
 from globaleaks.handlers import user
@@ -116,7 +117,7 @@ def test_2fa(self):
         self.assertFailure(handler.put(), errors.InvalidTwoFactorAuthCode)
 
         # Attempt enrolling for 2FA with a valid token
-        totp = TOTP(base64.b32decode(totp_secret), 6, SHA1(), 30, default_backend())
+        totp = TOTP(Base32Encoder.decode(totp_secret), 6, SHA1(), 30, default_backend())
         current_token = totp.generate(time.time()).decode()
 
         data_request = {
@@ -158,30 +159,10 @@ def _test_operation_handler(self, operation, args={}):
 
     @inlineCallbacks
     def test_user_change_password(self):
-        valid_password = 'validPassword1!'
-
-        weak_passwords = [
-            'invalidpassword1!', # no uppercase characters
-            'INVALIDPASSWORD1!', # no lowercase characters
-            'invalidPassword!!', # no number characters
-            'invalidPassword11', # no symbol characters
-            'shortP1!'           # short password below 10 characters
-        ]
-
-        for password in weak_passwords:
-            yield self.assertFailure(self._test_operation_handler('change_password',
-                                                                  {'password': password,
-                                                                   'current': helpers.VALID_PASSWORD1}),
-                                     errors.InputValidationError)
-
-        yield self.assertFailure(self._test_operation_handler('change_password',
-                                                              {'password': valid_password,
-                                                               'current': 'INVALID_OLD_PASSWORD'}),
-                                     errors.InvalidOldPassword)
-
-        yield self._test_operation_handler('change_password',
-                                           {'password': valid_password,
-                                            'current': helpers.VALID_PASSWORD1})
+        yield self.assertFailure(self._test_operation_handler('change_password', {'password': helpers.VALID_KEY1}),
+                                 errors.PasswordReuseError)
+
+        yield self._test_operation_handler('change_password', {'password': helpers.VALID_KEY2})
 
     def test_user_get_recovery_key(self):
         return self._test_operation_handler('get_recovery_key')

backend/globaleaks/tests/handlers/whistleblower/test_submission.py

@@ -8,6 +8,7 @@
 from globaleaks.orm import tw
 from globaleaks.rest import errors
 from globaleaks.tests import helpers
+from globaleaks.utils.crypto import GCE
 
 
 class TestSubmission(helpers.TestHandlerWithPopulatedDB):
@@ -61,7 +62,7 @@ def test_update_submission(self):
         self.submission_desc = yield self.get_dummy_submission(self.dummyContext['id'])
 
         self.submission_desc['answers'] = yield self.fill_random_answers(self.dummyContext['questionnaire_id'])
-        receipt = yield self.create_submission(self.submission_desc)
+        receipt = GCE.derive_key((yield self.create_submission(self.submission_desc)), helpers.VALID_SALT1)
 
         session = yield auth.login_whistleblower(1, receipt, True)
 

backend/globaleaks/tests/helpers.py

@@ -43,7 +43,7 @@
 from globaleaks.settings import Settings
 from globaleaks.state import State, TenantState
 from globaleaks.utils import tempdict, token
-from globaleaks.utils.crypto import generateRandomKey, GCE
+from globaleaks.utils.crypto import GCE, generateRandomKey, sha512
 from globaleaks.utils.securetempfile import SecureTemporaryFile
 from globaleaks.utils.utility import datetime_now, uuid4
 from globaleaks.utils.log import log
@@ -64,11 +64,7 @@
 INVALID_PASSWORD = 'antani'
 
 KEY = GCE.generate_key()
-<<<<<<< HEAD
 USER_KEY = GCE.derive_key(VALID_PASSWORD1, VALID_SALT1)
-=======
-USER_KEY = Base64Encoder.decode(GCE.derive_key(VALID_PASSWORD1, VALID_SALT1).encode())
->>>>>>> c06715e00 (...)
 USER_PRV_KEY, USER_PUB_KEY = GCE.generate_keypair()
 USER_PRV_KEY_ENC = Base64Encoder.encode(GCE.symmetric_encrypt(USER_KEY, USER_PRV_KEY))
 USER_BKP_KEY, USER_REC_KEY = GCE.generate_recovery_key(USER_PRV_KEY)
@@ -163,9 +159,16 @@ def init_state():
 
 @transact
 def mock_users_keys(session):
+    session.query(models.Config).filter(models.Config.tid == 1, models.Config.var_name == u'receipt_salt').one().value = VALID_SALT1
+
     for user in session.query(models.User):
-        user.hash = VALID_HASH1
-        user.salt = VALID_SALT1
+        if user.username == 'receiver2':
+            user.salt = VALID_SALT2
+            user.hash = VALID_HASH2
+        else:
+            user.salt = VALID_SALT1
+            user.hash = VALID_HASH1
+
         user.crypto_prv_key = USER_PRV_KEY_ENC
         user.crypto_pub_key = USER_PUB_KEY
         user.crypto_bkp_key = USER_BKP_KEY
@@ -257,7 +260,7 @@ def __init__(self):
         self.dummyUser = {
             'id': '',
             'username': '[email protected]',
-            'password': VALID_PASSWORD1,
+            'password': VALID_KEY1,
             'old_password': '',
             'salt': VALID_SALT1,
             'role': 'receiver',
@@ -326,7 +329,7 @@ def __init__(self):
             'languages_supported': [],  # ignored
             'languages_enabled': ['it', 'en'],
             'latest_version': __version__,
-            'receipt_salt': '<<the Lannisters send their regards>>',
+            'receipt_salt': VALID_SALT1,
             'maximum_filesize': 30,
             'allow_indexing': False,
             'disable_submissions': False,
@@ -400,12 +403,12 @@ def __init__(self):
             'node_name': 'test',
             'admin_username': 'admin',
             'admin_name': 'Giovanni Pellerano',
-            'admin_password': 'P4ssword!@#',
+            'admin_password': VALID_KEY1,
             'admin_mail_address': '[email protected]',
             'admin_escrow': True,
             'receiver_username': 'receipient',
             'receiver_name': 'Fabio Pietrosanti',
-            'receiver_password': 'P4ssword!@#',
+            'receiver_password': VALID_KEY1,
             'receiver_mail_address': '[email protected]',
             'profile': 'default',
             'skip_admin_account_creation': False,
@@ -653,7 +656,7 @@ def get_dummy_user(self, role, username):
         new_u['username'] = username
         new_u['name'] = new_u['public_name'] = new_u['mail_address'] = "%s@%s.xxx" % (username, username)
         new_u['description'] = ''
-        new_u['password'] = VALID_PASSWORD1
+        new_u['password'] = VALID_KEY1
         new_u['enabled'] = True
         new_u['salt'] = VALID_SALT1
 
@@ -875,11 +878,11 @@ def perform_submission_actions(self, session_id):
         self.dummySubmission['score'] = 0
         self.dummySubmission['removed_files'] = []
 
-        self.lastReceipt = (yield create_submission(1,
-                                                   self.dummySubmission,
-                                                   session,
-                                                   True,
-                                                   False))['receipt']
+        self.lastReceipt = GCE.derive_key((yield create_submission(1,
+                                                                  self.dummySubmission,
+                                                                  session,
+                                                                  True,
+                                                                  False))['receipt'], VALID_SALT1)
 
     @inlineCallbacks
     def perform_post_submission_actions(self):