Added test for acheck_password() to ensure make_password is called fo…

…r unusable passwords.

This is a follow up for the fix of CVE-2024-39329
(5d86458) where the timing of
verify_password() was standardized when checking unusable passwords.

tests/auth_tests/test_hashers.py

@@ -1,3 +1,4 @@
+from contextlib import contextmanager
 from unittest import mock, skipUnless
 
 from django.conf.global_settings import PASSWORD_HASHERS
@@ -452,8 +453,33 @@ def test_check_password_calls_harden_runtime(self):
             check_password("wrong_password", encoded)
             self.assertEqual(hasher.harden_runtime.call_count, 1)
 
-    def test_check_password_calls_make_password_to_fake_runtime(self):
+    @contextmanager
+    def assertMakePasswordCalled(self, password, encoded, hasher_side_effect):
         hasher = get_hasher("default")
+        with (
+            mock.patch(
+                "django.contrib.auth.hashers.identify_hasher",
+                side_effect=hasher_side_effect,
+            ) as mock_identify_hasher,
+            mock.patch(
+                "django.contrib.auth.hashers.make_password"
+            ) as mock_make_password,
+            mock.patch(
+                "django.contrib.auth.hashers.get_random_string",
+                side_effect=lambda size: "x" * size,
+            ),
+            mock.patch.object(hasher, "verify"),
+        ):
+            # Ensure make_password is called to standardize timing.
+            yield
+            self.assertEqual(hasher.verify.call_count, 0)
+            self.assertEqual(mock_identify_hasher.mock_calls, [mock.call(encoded)])
+            self.assertEqual(
+                mock_make_password.mock_calls,
+                [mock.call("x" * UNUSABLE_PASSWORD_SUFFIX_LENGTH)],
+            )
+
+    def test_check_password_calls_make_password_to_fake_runtime(self):
         cases = [
             (None, None, None),  # no plain text password provided
             ("foo", make_password(password=None), None),  # unusable encoded
@@ -462,27 +488,22 @@ def test_check_password_calls_make_password_to_fake_runtime(self):
         for password, encoded, hasher_side_effect in cases:
             with (
                 self.subTest(encoded=encoded),
-                mock.patch(
-                    "django.contrib.auth.hashers.identify_hasher",
-                    side_effect=hasher_side_effect,
-                ) as mock_identify_hasher,
-                mock.patch(
-                    "django.contrib.auth.hashers.make_password"
-                ) as mock_make_password,
-                mock.patch(
-                    "django.contrib.auth.hashers.get_random_string",
-                    side_effect=lambda size: "x" * size,
-                ),
-                mock.patch.object(hasher, "verify"),
+                self.assertMakePasswordCalled(password, encoded, hasher_side_effect),
             ):
-                # Ensure make_password is called to standardize timing.
                 check_password(password, encoded)
-                self.assertEqual(hasher.verify.call_count, 0)
-                self.assertEqual(mock_identify_hasher.mock_calls, [mock.call(encoded)])
-                self.assertEqual(
-                    mock_make_password.mock_calls,
-                    [mock.call("x" * UNUSABLE_PASSWORD_SUFFIX_LENGTH)],
-                )
+
+    async def test_acheck_password_calls_make_password_to_fake_runtime(self):
+        cases = [
+            (None, None, None),  # no plain text password provided
+            ("foo", make_password(password=None), None),  # unusable encoded
+            ("letmein", make_password(password="letmein"), ValueError),  # valid encoded
+        ]
+        for password, encoded, hasher_side_effect in cases:
+            with (
+                self.subTest(encoded=encoded),
+                self.assertMakePasswordCalled(password, encoded, hasher_side_effect),
+            ):
+                await acheck_password(password, encoded)
 
     def test_encode_invalid_salt(self):
         hasher_classes = [