From af941920c84b1b1ee5f630993eba0d2d3699aa61 Mon Sep 17 00:00:00 2001
From: Tulio Casagrande <tcasagra@thoughtworks.com>
Date: Wed, 5 Apr 2017 17:58:32 -0300
Subject: [#934] Add back-end password validation

---
 .../resources/account_recovery_resource.py         | 31 ++++++++++++++--
 .../resources/test_account_recovery_resource.py    | 43 ++++++++++++++++++++--
 2 files changed, 67 insertions(+), 7 deletions(-)

(limited to 'service')

diff --git a/service/pixelated/resources/account_recovery_resource.py b/service/pixelated/resources/account_recovery_resource.py
index 6781f209..6e80f360 100644
--- a/service/pixelated/resources/account_recovery_resource.py
+++ b/service/pixelated/resources/account_recovery_resource.py
@@ -15,14 +15,23 @@
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
 
 import os
+import json
 
-from pixelated.resources import BaseResource
 from twisted.python.filepath import FilePath
-from pixelated.resources import get_public_static_folder
 from twisted.web.http import OK, INTERNAL_SERVER_ERROR
 from twisted.web.template import Element, XMLFile, renderElement
 from twisted.web.server import NOT_DONE_YET
 from twisted.internet import defer
+from twisted.logger import Logger
+
+from pixelated.resources import BaseResource
+from pixelated.resources import get_public_static_folder
+
+log = Logger()
+
+
+class InvalidPasswordError(Exception):
+    pass
 
 
 class AccountRecoveryPage(Element):
@@ -52,10 +61,24 @@ class AccountRecoveryResource(BaseResource):
             request.setResponseCode(OK)
             request.finish()
 
-        def error_response(response):
+        def error_response(failure):
+            log.warn(failure)
             request.setResponseCode(INTERNAL_SERVER_ERROR)
             request.finish()
 
-        d = defer.succeed('Done!')
+        d = self._validate_password(request)
         d.addCallbacks(success_response, error_response)
         return NOT_DONE_YET
+
+    def _get_post_form(self, request):
+        return json.loads(request.content.getvalue())
+
+    def _validate_password(self, request):
+        form = self._get_post_form(request)
+        password = form.get('password')
+        confirmPassword = form.get('confirmPassword')
+
+        if password == confirmPassword and len(password) >= 8 and len(password) <= 9999:
+            return defer.succeed('Done!')
+
+        return defer.fail(InvalidPasswordError('The user entered an invalid password or confirmation'))
diff --git a/service/test/unit/resources/test_account_recovery_resource.py b/service/test/unit/resources/test_account_recovery_resource.py
index cd9acae7..bdae15b6 100644
--- a/service/test/unit/resources/test_account_recovery_resource.py
+++ b/service/test/unit/resources/test_account_recovery_resource.py
@@ -14,14 +14,12 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
 
-import os
-
 from mock import MagicMock
 from twisted.trial import unittest
 from twisted.web.test.requesthelper import DummyRequest
 from twisted.internet import defer
 
-from pixelated.resources.account_recovery_resource import AccountRecoveryResource
+from pixelated.resources.account_recovery_resource import AccountRecoveryResource, InvalidPasswordError
 from test.unit.resources import DummySite
 
 
@@ -46,6 +44,8 @@ class TestAccountRecoveryResource(unittest.TestCase):
     def test_post_returns_successfully(self):
         request = DummyRequest(['/account-recovery'])
         request.method = 'POST'
+        request.content = MagicMock()
+        request.content.getvalue.return_value = '{"password": "12345678", "confirmPassword": "12345678"}'
         d = self.web.get(request)
 
         def assert_successful_response(_):
@@ -53,3 +53,40 @@ class TestAccountRecoveryResource(unittest.TestCase):
 
         d.addCallback(assert_successful_response)
         return d
+
+    def test_get_post_form(self):
+        request = MagicMock()
+        request.content.getvalue.return_value = '{"userCode": "abc", "password": "123", "confirmPassword": "456"}'
+        form = self.resource._get_post_form(request)
+
+        self.assertEqual(form.get('userCode'), 'abc')
+        self.assertEqual(form.get('password'), '123')
+        self.assertEqual(form.get('confirmPassword'), '456')
+
+    def test_validate_password_successfully(self):
+        request = MagicMock()
+        request.content.getvalue.return_value = '{"password": "12345678", "confirmPassword": "12345678"}'
+
+        d = self.resource._validate_password(request)
+
+        def assert_successful(success):
+            self.assertEqual(success, 'Done!')
+
+        d.addCallback(assert_successful)
+        return d
+
+    @defer.inlineCallbacks
+    def test_validate_password_failed_by_confirmation(self):
+        request = MagicMock()
+        request.content.getvalue.return_value = '{"password": "12345678", "confirmPassword": "1234"}'
+
+        with self.assertRaises(InvalidPasswordError):
+            yield self.resource._validate_password(request)
+
+    @defer.inlineCallbacks
+    def test_validate_password_failed_by_length(self):
+        request = MagicMock()
+        request.content.getvalue.return_value = '{"password": "1234", "confirmPassword": "1234"}'
+
+        with self.assertRaises(InvalidPasswordError):
+            yield self.resource._validate_password(request)
-- 
cgit v1.2.3