Merge pull request #16 from jstepien/bcrypt-v2

Hash passwords with BCrypt instead of SHA1
2026-02-02 22:11:48 +01:00 · 2011-09-08 08:08:33 -07:00 · 2011-09-08 08:08:33 -07:00 · 50875cfa40
commit 50875cfa40
parent 23c95f2833 342b8ab4ef
18 changed files with 195 additions and 39 deletions
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@ -2,7 +2,7 @@
 admin_user:
  id: 1
  login: admin
-  crypted_password: <%= Digest::SHA1.hexdigest("#{Tracks::Config.salt}--abracadabra--") %>
+  crypted_password: <%= BCrypt::Password.create("abracadabra") %>
  token: <%= Digest::SHA1.hexdigest("adminSat Feb 25 17:14:00 GMT 20060.236961325863376") %>
  is_admin: true
  first_name: Admin
@ -12,7 +12,7 @@ admin_user:
 other_user:
  id: 2
  login: jane
-  crypted_password: <%= Digest::SHA1.hexdigest("#{Tracks::Config.salt}--sesame--") %>
+  crypted_password: <%= BCrypt::Password.create("sesame") %>
  token: <%= Digest::SHA1.hexdigest("janeSun Feb 19 14:42:45 GMT 20060.408173979260027") %>
  is_admin: false
  first_name: Jane
@ -32,7 +32,7 @@ ldap_user:
 sms_user:
  id: 4
  login: sms_user
-  crypted_password: <%= Digest::SHA1.hexdigest("#{Tracks::Config.salt}--sesame--") %>
+  crypted_password: <%= BCrypt::Password.create("sesame") %>
  token: <%= Digest::SHA1.hexdigest("sms_userSun Feb 19 14:42:45 GMT 20060.408173979260027") %>
  is_admin: false
  first_name: SMS
@ -48,3 +48,13 @@ ldap_user:
  first_name: International
  last_name: Harvester
  auth_type: CAS
+
+user_with_sha1_password:
+  id: 6
+  login: mr_deprecated
+  crypted_password: <%= Digest::SHA1::hexdigest("#{Tracks::Config.salt}--foobar--") %>
+  token: <%= Digest::SHA1.hexdigest("mr_deprecatedSun Feb 19 14:42:45 GMT 20060.408173979260027") %>
+  is_admin: false
+  first_name: Mister
+  last_name: Deprecated
+  auth_type: database
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@ -31,7 +31,7 @@ class UsersControllerTest < ActionController::TestCase
    get :index
    assert_response :success
    assert_equal "TRACKS::Manage Users", assigns['page_title']  
-    assert_equal 4, assigns['total_users']
+    assert_equal 5, assigns['total_users']
    assert_equal "/users", session['return-to']
  end

@ -68,7 +68,7 @@ class UsersControllerTest < ActionController::TestCase
    post :update_password, :updateuser => {:password => 'newpassword', :password_confirmation => 'newpassword'}
    assert_redirected_to preferences_path
    @updated_user = User.find(users(:admin_user).id)
-    assert_equal @updated_user.crypted_password, Digest::SHA1.hexdigest("#{Tracks::Config.salt}--newpassword--")
+    assert_not_nil User.authenticate(@updated_user.login, 'newpassword')
    assert_equal "Password updated.", flash[:notice]
  end
  
--- a/test/integration/users_xml_api_test.rb
+++ b/test/integration/users_xml_api_test.rb
@ -79,7 +79,7 @@ class UsersXmlApiTest < ActionController::IntegrationTest
    get '/users.xml', {}, basic_auth_headers()
    assert_response :success
    assert_tag :tag => "users",
-               :children => { :count => 4, :only => { :tag => "user" } }
+               :children => { :count => 5, :only => { :tag => "user" } }
    assert_no_tag :tag => "password"
  end

--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@ -33,7 +33,7 @@ class UserTest < ActiveSupport::TestCase
    assert_kind_of User, @admin_user
    assert_equal 1, @admin_user.id
    assert_equal "admin", @admin_user.login
-    assert_equal "#{Digest::SHA1.hexdigest("#{Tracks::Config.salt}--abracadabra--")}", @admin_user.crypted_password
+    assert_not_nil @admin_user.crypted_password
    assert_not_nil @admin_user.token
    assert @admin_user.is_admin
  end
@ -43,7 +43,7 @@ class UserTest < ActiveSupport::TestCase
    assert_kind_of User, @other_user
    assert_equal 2, @other_user.id
    assert_equal "jane", @other_user.login
-    assert_equal "#{Digest::SHA1.hexdigest("#{Tracks::Config.salt}--sesame--")}", @other_user.crypted_password
+    assert_not_nil @other_user.crypted_password
    assert_not_nil @other_user.token
    assert @other_user.is_admin == false || @other_user.is_admin == 0
  end
@ -330,6 +330,32 @@ class UserTest < ActiveSupport::TestCase
       assert_equal u.id, User.find_by_open_id_url(raw_open_id_url).id
     end
  end
+
+  def test_should_discover_using_depracted_password
+    assert_nil @admin_user.uses_deprecated_password?
+    assert_nil @other_user.uses_deprecated_password?
+    assert users(:user_with_sha1_password).uses_deprecated_password?
+  end
+
+  def test_should_not_have_deprecated_password_after_update
+    u = users(:user_with_sha1_password)
+    assert u.uses_deprecated_password?
+    u.change_password("foobar", "foobar")
+    assert_nil u.uses_deprecated_password?
+  end
+
+  def test_should_authenticate_with_deprecated_password
+    assert_nil User.authenticate('mr_deprecated', 'wrong password')
+    assert_equal users(:user_with_sha1_password),
+      User.authenticate('mr_deprecated', 'foobar')
+  end
+
+  def test_password_matches
+    assert_not_nil User.authenticate(@admin_user.login, "abracadabra")
+    assert_nil User.authenticate(@admin_user.login, "incorrect")
+    assert_not_nil User.authenticate(users(:user_with_sha1_password).login, "foobar")
+    assert_nil User.authenticate(users(:user_with_sha1_password).login, "wrong")
+  end
  
  
  protected