rhodecode-enterprise-ce Commit - r1471:9ea7077d

password-reset: strengthten security on password reset logic....

marcink -

r1471:9ea7077d default

parent child

rhodecode/tests/functional/test_password_reset.py

0 created 644 +106 0

@@ -0,0 +1,106 b''
	1	# -- coding: utf-8 --
	2
	3	# Copyright (C) 2010-2017 RhodeCode GmbH
	4	#
	5	# This program is free software: you can redistribute it and/or modify
	6	# it under the terms of the GNU Affero General Public License, version 3
	7	# (only), as published by the Free Software Foundation.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU Affero General Public License
	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	16	#
	17	# This program is dual-licensed. If you wish to learn more about the
	18	# RhodeCode Enterprise Edition, including its added features, Support services,
	19	# and proprietary license terms, please see https://rhodecode.com/licenses/
	20
	21	import pytest
	22
	23	from rhodecode.config.routing import ADMIN_PREFIX
	24	from rhodecode.tests import (
	25	TestController, clear_all_caches, url,
	26	TEST_USER_ADMIN_LOGIN, TEST_USER_ADMIN_PASS)
	27	from rhodecode.tests.fixture import Fixture
	28	from rhodecode.tests.utils import AssertResponse
	29
	30	fixture = Fixture()
	31
	32	# Hardcode URLs because we don't have a request object to use
	33	# pyramids URL generation methods.
	34	index_url = '/'
	35	login_url = ADMIN_PREFIX + '/login'
	36	logut_url = ADMIN_PREFIX + '/logout'
	37	register_url = ADMIN_PREFIX + '/register'
	38	pwd_reset_url = ADMIN_PREFIX + '/password_reset'
	39	pwd_reset_confirm_url = ADMIN_PREFIX + '/password_reset_confirmation'
	40
	41
	42	class TestPasswordReset(TestController):
	43
	44	@pytest.mark.parametrize(
	45	'pwd_reset_setting, show_link, show_reset', [
	46	('hg.password_reset.enabled', True, True),
	47	('hg.password_reset.hidden', False, True),
	48	('hg.password_reset.disabled', False, False),
	49	])
	50	def test_password_reset_settings(
	51	self, pwd_reset_setting, show_link, show_reset):
	52	clear_all_caches()
	53	self.log_user(TEST_USER_ADMIN_LOGIN, TEST_USER_ADMIN_PASS)
	54	params = {
	55	'csrf_token': self.csrf_token,
	56	'anonymous': 'True',
	57	'default_register': 'hg.register.auto_activate',
	58	'default_register_message': '',
	59	'default_password_reset': pwd_reset_setting,
	60	'default_extern_activate': 'hg.extern_activate.auto',
	61	}
	62	resp = self.app.post(url('admin_permissions_application'), params=params)
	63	self.logout_user()
	64
	65	login_page = self.app.get(login_url)
	66	asr_login = AssertResponse(login_page)
	67	index_page = self.app.get(index_url)
	68	asr_index = AssertResponse(index_page)
	69
	70	if show_link:
	71	asr_login.one_element_exists('a.pwd_reset')
	72	asr_index.one_element_exists('a.pwd_reset')
	73	else:
	74	asr_login.no_element_exists('a.pwd_reset')
	75	asr_index.no_element_exists('a.pwd_reset')
	76
	77	response = self.app.get(pwd_reset_url)
	78
	79	assert_response = AssertResponse(response)
	80	if show_reset:
	81	response.mustcontain('Send password reset email')
	82	assert_response.one_element_exists('#email')
	83	assert_response.one_element_exists('#send')
	84	else:
	85	response.mustcontain('Password reset is disabled.')
	86	assert_response.no_element_exists('#email')
	87	assert_response.no_element_exists('#send')
	88
	89	def test_password_form_disabled(self):
	90	self.log_user(TEST_USER_ADMIN_LOGIN, TEST_USER_ADMIN_PASS)
	91	params = {
	92	'csrf_token': self.csrf_token,
	93	'anonymous': 'True',
	94	'default_register': 'hg.register.auto_activate',
	95	'default_register_message': '',
	96	'default_password_reset': 'hg.password_reset.disabled',
	97	'default_extern_activate': 'hg.extern_activate.auto',
	98	}
	99	self.app.post(url('admin_permissions_application'), params=params)
	100	self.logout_user()
	101
	102	response = self.app.post(
	103	pwd_reset_url, {'email': 'lisa@rhodecode.com',}
	104	)
	105	response = response.follow()
	106	response.mustcontain('Password reset is disabled.')

rhodecode/login/views.py

0 +57 -25

             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
+            import time
             import collections
             import datetime
             import formencode
             from rhodecode.lib.base import get_ip_addr
             from rhodecode.lib.exceptions import UserCreationError
             from rhodecode.lib.utils2 import safe_str
-            from rhodecode.model.db import User
+            from rhodecode.model.db import User, UserApiKeys
             from rhodecode.model.forms import LoginForm, RegisterForm, PasswordResetForm
             from rhodecode.model.meta import Session
+            from rhodecode.model.auth_token import AuthTokenModel
             from rhodecode.model.settings import SettingsModel
             from rhodecode.model.user import UserModel
             from rhodecode.translation import _
                         'errors': {},
                     }
+                    # always send implicit message to prevent from discovery of
+                    # matching emails
+                    msg = _('If such email exists, a password reset link was sent to it.')
                     if self.request.POST:
+                        if h.HasPermissionAny('hg.password_reset.disabled')():
+                            _email = self.request.POST.get('email', '')
+                            log.error('Failed attempt to reset password for `%s`.', _email)
+                            self.session.flash(_('Password reset has been disabled.'),
+                                               queue='error')
+                            return HTTPFound(self.request.route_path('reset_password'))
                         password_reset_form = PasswordResetForm()()
                         try:
                             form_result = password_reset_form.to_python(
                                 self.request.params)
-                            if h.HasPermissionAny('hg.password_reset.disabled')():
+                            user_email = form_result['email']
-                                log.error('Failed attempt to reset password for %s.', form_result['email'] )
-                                self.session.flash(
-                                    _('Password reset has been disabled.'),
-                                    queue='error')
-                                return HTTPFound(self.request.route_path('reset_password'))
                             if captcha.active:
                                 response = submit(
                                     self.request.params.get('recaptcha_challenge_field'),
                                     _value = form_result
                                     _msg = _('Bad captcha')
                                     error_dict = {'recaptcha_field': _msg}
-                                    raise formencode.Invalid(_msg, _value, None,
+                                    raise formencode.Invalid(
-                                                             error_dict=error_dict)
+                                        _msg, _value, None, error_dict=error_dict)
+                            # Generate reset URL and send mail.
+                            user = User.get_by_email(user_email)
-                            # Generate reset URL and send mail.
+                            # generate password reset token that expires in 10minutes
-                            user_email = form_result['email']
+                            desc = 'Generated token for password reset from {}'.format(
-                            user = User.get_by_email(user_email)
+                                datetime.datetime.now().isoformat())
+                            reset_token = AuthTokenModel().create(
+                                user, lifetime=10,
+                                description=desc,
+                                role=UserApiKeys.ROLE_PASSWORD_RESET)
+                            Session().commit()
+                            log.debug('Successfully created password recovery token')
                             password_reset_url = self.request.route_url(
                                 'reset_password_confirmation',
-                                _query={'key': user.api_key})
+                                _query={'key': reset_token.api_key})
                             UserModel().reset_password_link(
                                 form_result, password_reset_url)
                             # Display success message and redirect.
-                            self.session.flash(
+                            self.session.flash(msg, queue='success')
-                                _('Your password reset link was sent'),
+                            return HTTPFound(self.request.route_path('reset_password'))
-                                queue='success')
-                            return HTTPFound(self.request.route_path('login'))
                         except formencode.Invalid as errors:
                             render_ctx.update({
                                 'defaults': errors.value,
-                                'errors': errors.error_dict,
                             })
+                        log.debug('faking response on invalid password reset')
+                        # make this take 2s, to prevent brute forcing.
+                        time.sleep(2)
+                        self.session.flash(msg, queue='success')
+                        return HTTPFound(self.request.route_path('reset_password'))
                     return render_ctx
                 @view_config(route_name='reset_password_confirmation',
                              request_method='GET')
                 def password_reset_confirmation(self):
                     if self.request.GET and self.request.GET.get('key'):
+                        # make this take 2s, to prevent brute forcing.
+                        time.sleep(2)
+                        token = AuthTokenModel().get_auth_token(
+                            self.request.GET.get('key'))
+                        # verify token is the correct role
+                        if token is None or token.role != UserApiKeys.ROLE_PASSWORD_RESET:
+                            log.debug('Got token with role:%s expected is %s',
+                                      getattr(token, 'role', 'EMPTY_TOKEN'),
+                                      UserApiKeys.ROLE_PASSWORD_RESET)
+                            self.session.flash(
+                                _('Given reset token is invalid'), queue='error')
+                            return HTTPFound(self.request.route_path('reset_password'))
                         try:
-                            user = User.get_by_auth_token(self.request.GET.get('key'))
+                            owner = token.user
-                            password_reset_url = self.request.route_url(
+                            data = {'email': owner.email, 'token': token.api_key}
-                                'reset_password_confirmation',
+                            UserModel().reset_password(data)
-                                _query={'key': user.api_key})
-                            data = {'email': user.email}
-                            UserModel().reset_password(data, password_reset_url)
                             self.session.flash(
                                 _('Your password reset was successful, '
                                   'a new password has been sent to your email'),

rhodecode/model/auth_token.py

0 +11 -1

                     """
                     :param user: user or user_id
                     :param description: description of ApiKey
-                    :param lifetime: expiration time in seconds
+                    :param lifetime: expiration time in minutes
                     :param role: role for the apikey
                     """
                     from rhodecode.lib.auth import generate_auth_token
                             .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))
                     return user_auth_tokens
+                def get_auth_token(self, auth_token):
+                    auth_token = UserApiKeys.query().filter(
+                        UserApiKeys.api_key == auth_token)
+                    auth_token = auth_token \
+                        .filter(or_(UserApiKeys.expires == -1,
+                                    UserApiKeys.expires >= time.time()))\
+                        .first()
+                    return auth_token

rhodecode/model/db.py

0 +2 0

                 ROLE_VCS = 'token_role_vcs'
                 ROLE_API = 'token_role_api'
                 ROLE_FEED = 'token_role_feed'
+                ROLE_PASSWORD_RESET = 'token_password_reset'
                 ROLES = [ROLE_ALL, ROLE_HTTP, ROLE_VCS, ROLE_API, ROLE_FEED]
                 user_api_key_id = Column("user_api_key_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

rhodecode/model/user.py

0 +10 -3

                     return True
-                def reset_password(self, data, pwd_reset_url):
+                def reset_password(self, data):
                     from rhodecode.lib.celerylib import tasks, run_task
                     from rhodecode.model.notification import EmailNotificationModel
                     from rhodecode.lib import auth
                             user.update_userdata(force_password_change=True)
                             Session().add(user)
+                            # now delete the token in question
+                            UserApiKeys = AuthTokenModel.cls
+                            UserApiKeys().query().filter(
+                                UserApiKeys.api_key == data['token']).delete()
                             Session().commit()
                             log.info('successfully reset password for `%s`', user_email)
                         if new_passwd is None:
                             raise Exception('unable to generate new password')
                         email_kwargs = {
                             'new_password': new_passwd,
-                            'password_reset_url': pwd_reset_url,
                             'user': user,
                             'email': user_email,
                             'date': datetime.datetime.now()
                         (subject, headers, email_body,
                          email_body_plaintext) = EmailNotificationModel().render_email(
-                            EmailNotificationModel.TYPE_PASSWORD_RESET_CONFIRMATION, **email_kwargs)
+                            EmailNotificationModel.TYPE_PASSWORD_RESET_CONFIRMATION,
+                            **email_kwargs)
                         recipients = [user_email]

rhodecode/templates/email_templates/password_reset.mako

0 +2 0

             You can continue, and generate new password by clicking following URL:
             ${password_reset_url}
+            This link will be active for 10 minutes.
             ${self.plaintext_footer()}
             </%def>
             <strong>If you did not request a password reset, please contact your RhodeCode administrator.</strong>
             </p><p>
             <a href="${password_reset_url}">${_('Generate new password here')}.</a>
+            This link will be active for 10 minutes.
             </p>

rhodecode/templates/email_templates/password_reset_confirmation.mako

0 +3 -4

             <%def name="body_plaintext()" filter="n,trim">
             Hi ${user.username},
-            There was a request to reset your password using the email address ${email} on ${h.format_date(date)}
+            Below is your new access password for RhodeCode.
             *If you didn't do this, please contact your RhodeCode administrator.*
-            You can continue, and generate new password by clicking following URL:
+            password: ${new_password}
-            ${password_reset_url}
             ${self.plaintext_footer()}
             </%def>
             <br/>
             <strong>If you didn't request a new password, please contact your RhodeCode administrator.</strong>
             </p>
-            <p>password: <input value='${new_password}'/></p>
+            <p>password: <pre>${new_password}</pre>

rhodecode/tests/functional/test_login.py

0 +26 -107

@@ -25,15 +25,13 b' import pytest'
25		25
26	from rhodecode.config.routing import ADMIN_PREFIX	26	from rhodecode.config.routing import ADMIN_PREFIX
27	from rhodecode.tests import (	27	from rhodecode.tests import (
28	TestController, assert_session_flash, clear_all_caches, url,	28	assert_session_flash, url, HG_REPO, TEST_USER_ADMIN_LOGIN)
29	HG_REPO, TEST_USER_ADMIN_LOGIN, TEST_USER_ADMIN_PASS)
30	from rhodecode.tests.fixture import Fixture	29	from rhodecode.tests.fixture import Fixture
31	from rhodecode.tests.utils import AssertResponse, get_session_from_response	30	from rhodecode.tests.utils import AssertResponse, get_session_from_response
32	from rhodecode.lib.auth import check_password, ~~generate_auth_token~~	31	from rhodecode.lib.auth import check_password
33	from rhodecode.lib import helpers as h
34	from rhodecode.model.auth_token import AuthTokenModel	32	from rhodecode.model.auth_token import AuthTokenModel
35	from rhodecode.model import validators	33	from rhodecode.model import validators
36	from rhodecode.model.db import User, Notification	34	from rhodecode.model.db import User, Notification, UserApiKeys
37	from rhodecode.model.meta import Session	35	from rhodecode.model.meta import Session
38		36
39	fixture = Fixture()	37	fixture = Fixture()
@@ -49,7 +47,7 b" pwd_reset_confirm_url = ADMIN_PREFIX + '"
49		47
50		48
51	@pytest.mark.usefixtures('app')	49	@pytest.mark.usefixtures('app')
52	class TestLoginController:	50	class TestLoginController(object):
53	destroy_users = set()	51	destroy_users = set()
54		52
55	@classmethod	53	@classmethod
@@ -374,54 +372,42 b' class TestLoginController:'
374	def test_forgot_password_wrong_mail(self):	372	def test_forgot_password_wrong_mail(self):
375	bad_email = 'marcin@wrongmail.org'	373	bad_email = 'marcin@wrongmail.org'
376	response = self.app.post(	374	response = self.app.post(
377	pwd_reset_url,	375	pwd_reset_url, {'email': bad_email, }
378	{'email': bad_email, }
379	)	376	)
		377	assert_session_flash(response,
		378	'If such email exists, a password reset link was sent to it.')
380		379
381	msg = validators.ValidSystemEmail()._messages['non_existing_email']	380	def test_forgot_password(self, user_util):
382	msg = h.html_escape(msg % {'email': bad_email})
383	response.mustcontain()
384
385	def test_forgot_password(self):
386	response = self.app.get(pwd_reset_url)	381	response = self.app.get(pwd_reset_url)
387	assert response.status == '200 OK'	382	assert response.status == '200 OK'
388		383
389	username = 'test_password_reset_1'	384	user = user_util.create_user()
390	password = 'qweqwe'	385	user_id = user.user_id
391	email = 'marcin@python-works.com'	386	email = user.email
392	name = 'passwd'
393	lastname = 'reset'
394		387
395	new = User()	388	response = self.app.post(pwd_reset_url, {'email': email, })
396	new.username = username
397	new.password = password
398	new.email = email
399	new.name = name
400	new.lastname = lastname
401	new.api_key = generate_auth_token(username)
402	Session().add(new)
403	Session().commit()
404		389
405	response = self.app.post(pwd_reset_url,	390	assert_session_flash(response,
406	{'email': email, })	391	'If such email exists, a password reset link was sent to it.')
407
408	assert_session_flash(
409	response, 'Your password reset link was sent')
410
411	response = response.follow()
412		392
413	# BAD KEY	393	# BAD KEY
414		394	confirm_url = '{}?key={}'.format(pwd_reset_confirm_url, 'badkey')
415	key = "bad"
416	confirm_url = '{}?key={}'.format(pwd_reset_confirm_url, key)
417	response = self.app.get(confirm_url)	395	response = self.app.get(confirm_url)
418	assert response.status == '302 Found'	396	assert response.status == '302 Found'
419	assert response.location.endswith(pwd_reset_url)	397	assert response.location.endswith(pwd_reset_url)
		398	assert_session_flash(response, 'Given reset token is invalid')
		399
		400	response.follow() # cleanup flash
420		401
421	# GOOD KEY	402	# GOOD KEY
		403	key = UserApiKeys.query()\
		404	.filter(UserApiKeys.user_id == user_id)\
		405	.filter(UserApiKeys.role == UserApiKeys.ROLE_PASSWORD_RESET)\
		406	.first()
422		407
423	key = User.get_by_username(username).api_key	408	assert key
424	confirm_url = '{}?key={}'.format(pwd_reset_confirm_url, key)	409
		410	confirm_url = '{}?key={}'.format(pwd_reset_confirm_url, key.api_key)
425	response = self.app.get(confirm_url)	411	response = self.app.get(confirm_url)
426	assert response.status == '302 Found'	412	assert response.status == '302 Found'
427	assert response.location.endswith(login_url)	413	assert response.location.endswith(login_url)
@@ -431,7 +417,7 b' class TestLoginController:'
431	'Your password reset was successful, '	417	'Your password reset was successful, '
432	'a new password has been sent to your email')	418	'a new password has been sent to your email')
433		419
434	~~response~~ = response.follow()	420	response.follow()
435		421
436	def _get_api_whitelist(self, values=None):	422	def _get_api_whitelist(self, values=None):
437	config = {'api_access_controllers_whitelist': values or []}	423	config = {'api_access_controllers_whitelist': values or []}
@@ -522,70 +508,3 b' class TestLoginController:'
522	repo_name=HG_REPO, revision='tip',	508	repo_name=HG_REPO, revision='tip',
523	api_key=new_auth_token.api_key),	509	api_key=new_auth_token.api_key),
524	status=302)	510	status=302)
525
526
527	class TestPasswordReset(TestController):
528
529	@pytest.mark.parametrize(
530	'pwd_reset_setting, show_link, show_reset', [
531	('hg.password_reset.enabled', True, True),
532	('hg.password_reset.hidden', False, True),
533	('hg.password_reset.disabled', False, False),
534	])
535	def test_password_reset_settings(
536	self, pwd_reset_setting, show_link, show_reset):
537	clear_all_caches()
538	self.log_user(TEST_USER_ADMIN_LOGIN, TEST_USER_ADMIN_PASS)
539	params = {
540	'csrf_token': self.csrf_token,
541	'anonymous': 'True',
542	'default_register': 'hg.register.auto_activate',
543	'default_register_message': '',
544	'default_password_reset': pwd_reset_setting,
545	'default_extern_activate': 'hg.extern_activate.auto',
546	}
547	resp = self.app.post(url('admin_permissions_application'), params=params)
548	self.logout_user()
549
550	login_page = self.app.get(login_url)
551	asr_login = AssertResponse(login_page)
552	index_page = self.app.get(index_url)
553	asr_index = AssertResponse(index_page)
554
555	if show_link:
556	asr_login.one_element_exists('a.pwd_reset')
557	asr_index.one_element_exists('a.pwd_reset')
558	else:
559	asr_login.no_element_exists('a.pwd_reset')
560	asr_index.no_element_exists('a.pwd_reset')
561
562	pwdreset_page = self.app.get(pwd_reset_url)
563
564	asr_reset = AssertResponse(pwdreset_page)
565	if show_reset:
566	assert 'Send password reset email' in pwdreset_page
567	asr_reset.one_element_exists('#email')
568	asr_reset.one_element_exists('#send')
569	else:
570	assert 'Password reset is disabled.' in pwdreset_page
571	asr_reset.no_element_exists('#email')
572	asr_reset.no_element_exists('#send')
573
574	def test_password_form_disabled(self):
575	self.log_user(TEST_USER_ADMIN_LOGIN, TEST_USER_ADMIN_PASS)
576	params = {
577	'csrf_token': self.csrf_token,
578	'anonymous': 'True',
579	'default_register': 'hg.register.auto_activate',
580	'default_register_message': '',
581	'default_password_reset': 'hg.password_reset.disabled',
582	'default_extern_activate': 'hg.extern_activate.auto',
583	}
584	self.app.post(url('admin_permissions_application'), params=params)
585	self.logout_user()
586
587	pwdreset_page = self.app.post(
588	pwd_reset_url,
589	{'email': 'lisa@rhodecode.com',}
590	)
591	assert 'Password reset is disabled.' in pwdreset_page

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages