Daniel Maksymilian Syrnicki
8c1fd1da2b
All checks were successful
Build ISO / build-iso (push) Successful in 17m28s
CI / lint (push) Successful in 27s
CI / test (push) Successful in 59s
CI / validate-json (push) Successful in 23s
CI / markdown-links (push) Successful in 15s
Release / release (push) Successful in 11m38s
Three interlocking issues that made 26.11/26.12 effectively un-upgradable from pre-auth versions without manual pacman + symlink surgery. Caught while SSH-testing the .196 VM which landed on a rollback loop after every Update-now click. 1. auth.py imported werkzeug.security, but the target system runs core as bare system Python — neither flask nor werkzeug are pip-installed. Fresh 26.11+ boxes died on import. Replaced with a 50-line stdlib `furtka/passwd.py` using hashlib.pbkdf2_hmac for new hashes and parsing werkzeug's `scrypt:N:r:p$salt$hex` format for backward-read so existing users.json survives. 2. updater._health_check pinged /api/apps expecting 200. Post- auth, /api/apps returns 401 for unauth requests → HTTPError caught as URLError → retry loop → 30s timeout → rollback. Now any 2xx-4xx counts as "server alive"; only 5xx / connection errors fail. Server responding at all is proof it came back up. 3. _do_install released the fcntl lock between sync pre-validation and the systemd-run dispatch. A second POST could slip in, pass the lock check, return 202, and leave its install-bg child to die silently on the in-child lock. Now the API also reads install-state.json and refuses 409 on non-terminal stages — the state file is the reliable signal, the fcntl lock is defence in depth. Test coverage: - tests/test_passwd.py (new, 6 cases): roundtrip, salt uniqueness, format shape, werkzeug scrypt backward-compat against a real hash captured from the .196 box, malformed + non-string rejection. - tests/test_updater.py: +3 cases for _health_check — 4xx=healthy, 5xx=unhealthy, URLError retry loop. - tests/test_api.py: +2 cases for install 409 on non-terminal state + 202 after terminal. All 267 tests green, ruff check + format clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
74 lines
2.8 KiB
Python
74 lines
2.8 KiB
Python
"""Tests for furtka.passwd — stdlib-only password hashing.
|
|
|
|
The primary contract: hash/verify roundtrips cleanly, AND the verifier
|
|
accepts the werkzeug hash format that 26.11 / 26.12 boxes wrote to
|
|
``users.json``. Losing that backward compat would lock out existing
|
|
admins after a 26.13+ upgrade.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from furtka import passwd
|
|
|
|
|
|
def test_hash_roundtrip():
|
|
h = passwd.hash_password("hunter2")
|
|
assert passwd.verify_password("hunter2", h)
|
|
assert not passwd.verify_password("wrong", h)
|
|
|
|
|
|
def test_hash_is_salted():
|
|
# Two separate hashes of the same password must diverge.
|
|
a = passwd.hash_password("same-pw")
|
|
b = passwd.hash_password("same-pw")
|
|
assert a != b
|
|
assert passwd.verify_password("same-pw", a)
|
|
assert passwd.verify_password("same-pw", b)
|
|
|
|
|
|
def test_generated_hash_format():
|
|
# Shape is pbkdf2:<hash>:<iter>$<salt>$<hex>
|
|
h = passwd.hash_password("x")
|
|
parts = h.split("$", 2)
|
|
assert len(parts) == 3
|
|
method, salt, digest = parts
|
|
assert method.startswith("pbkdf2:sha256:")
|
|
assert salt
|
|
# digest is hex of pbkdf2_hmac sha256 → 64 hex chars
|
|
assert len(digest) == 64
|
|
assert all(c in "0123456789abcdef" for c in digest)
|
|
|
|
|
|
def test_verify_werkzeug_scrypt_hash():
|
|
"""Known werkzeug scrypt hash generated by 26.11 / 26.12 boxes.
|
|
|
|
Captured live off a .196 test VM after its auth bootstrap:
|
|
username=daniel, password=test-admin-pw1
|
|
Hash format: scrypt:32768:8:1$<salt>$<hex>
|
|
If this regresses, every existing box that upgraded via 26.11 and
|
|
set a password gets locked out on the next upgrade.
|
|
"""
|
|
known = (
|
|
"scrypt:32768:8:1$yWZUqJodowt9ieI1$"
|
|
"2d1059b3564da7492b4aa3c2be7fff6fef06085e5e1bfd52e897948c58246b7a"
|
|
"9603400355b7264f61c4436eba7bf8c947adec3d7a76be03b50efb4227e15a80"
|
|
)
|
|
assert passwd.verify_password("test-admin-pw1", known)
|
|
assert not passwd.verify_password("wrong-password", known)
|
|
|
|
|
|
def test_verify_rejects_malformed_hashes():
|
|
# Empty / missing delimiters / unknown method / bad int — all False.
|
|
assert not passwd.verify_password("x", "")
|
|
assert not passwd.verify_password("x", "nothingspecial")
|
|
assert not passwd.verify_password("x", "pbkdf2:sha256:600000") # no $salt$digest
|
|
assert not passwd.verify_password("x", "pbkdf2$salt$digest") # missing hash + iter
|
|
assert not passwd.verify_password("x", "bcrypt:12$salt$digest") # unsupported algo
|
|
assert not passwd.verify_password("x", "pbkdf2:sha256:abc$salt$digest") # bad iter int
|
|
|
|
|
|
def test_verify_rejects_nonstring_inputs():
|
|
# Defensive: users.json can be corrupted or have nulls.
|
|
assert not passwd.verify_password(None, "pbkdf2:sha256:1000$salt$digest") # type: ignore[arg-type]
|
|
assert not passwd.verify_password("x", None) # type: ignore[arg-type]
|
|
assert not passwd.verify_password("x", 12345) # type: ignore[arg-type]
|