Fix pw check logic in accountreq and useradm which was previously inadvertently

inverted. Rename var to pw_match for consistence.

Fix string corruption in pickled MiG-user.db fixture file to allow proper use
of password_hash values.

Refactor the accountreq unit test module to split into peers testing and filter
testing with shared init of users in the latter, too. Relies on the pickled
user db from fixtures now. Add test coverage on account renewal for pw check
and ID collision.

Still acouple of TODOs with test coverage of suspended accounts and the
a password to match the pickled hash.

Author: jonasbardino

mig/shared/accountreq.py

@@ -1240,18 +1240,21 @@ def early_validation_checks(configuration, raw_request, service, username,
         authorized = raw_request.get('authorized', None)
         reset_token = raw_request.get('reset_token', None)
         if hashed:
-            raw_request['pw_changed'] = check_hash(configuration, service,
-                                                   username, password, hashed)
+            raw_request['pw_match'] = check_hash(configuration, service,
+                                                 username, password, hashed)
         elif scrambled:
-            raw_request['pw_changed'] = check_scramble(
+            raw_request['pw_match'] = check_scramble(
                 configuration, service, username, password, scrambled,
                 salt=configuration.site_password_salt)
+        else:
+            logger.debug('account for %r has no passwords set' % client_id)
+            raw_request['pw_match'] = True
 
         if account_status not in ('temporal', 'active', 'inactive'):
             logger.warning('existing account for %r is %s and not renewable'
                            % (client_id, account_status))
             raw_request['invalid'].append(renewal_blocked)
-        if raw_request['pw_changed'] and not authorized and not reset_token:
+        if not raw_request['pw_match'] and not authorized and not reset_token:
             logger.warning('illegal password change in request from %r' %
                            client_id)
             raw_request['invalid'].append(illegal_pw_change)

mig/shared/useradm.py

@@ -459,7 +459,7 @@ def verify_user_peers(configuration, db_path, client_id, user, now, verify_peer,
 
 
 def create_user_in_db(configuration, db_path, client_id, user, now, authorized,
-                      reset_token, reset_auth_type, pw_changed,
+                      reset_token, reset_auth_type, pw_match,
                       accepted_peer_list, force, verbose, ask_renew,
                       default_renew, do_lock, from_edit_user, ask_change_pw,
                       auto_create_db, create_backup):
@@ -571,12 +571,12 @@ def create_user_in_db(configuration, db_path, client_id, user, now, authorized,
             # existing password should be left alone on renewal.
             # The password_hash field is not guaranteed to exist and it varies
             # depending on the current random seed and assigned salt. So we use
-            # check_password during submit and save result in pw_changed.
+            # check_password during submit and save result in pw_match.
             if not user['password']:
                 user['password'] = user['old_password']
             if not user.get('password_hash', ''):
                 user['password_hash'] = user['old_password_hash']
-            if pw_changed:
+            if not pw_match:
                 # Allow password change if it's directly authorized with login
                 # or authorized through a simple reset challenge (reset_token).
                 if not authorized and reset_token:
@@ -1062,11 +1062,11 @@ def create_user(user, conf_path, db_path, force=False, verbose=False,
         reset_auth_type = user.get('auth', ['UNKNOWN'])[-1]
         # Always remove any reset_token fields before DB insert
         del user['reset_token']
-    pw_changed = False
-    if 'pw_changed' in user:
-        pw_changed = user['pw_changed']
-        # Always remove any pw_changed fields before DB insert
-        del user['pw_changed']
+    pw_match = True
+    if 'pw_match' in user:
+        pw_match = user['pw_match']
+        # Always remove any pw_match fields before DB insert
+        del user['pw_match']
 
     _logger.info('trying to create or renew user %r' % client_id)
     if verbose:
@@ -1095,7 +1095,7 @@ def create_user(user, conf_path, db_path, force=False, verbose=False,
 
     created = create_user_in_db(configuration, db_path, client_id, user, now,
                                 authorized, reset_token, reset_auth_type,
-                                pw_changed, accepted_peer_list, force, verbose,
+                                pw_match, accepted_peer_list, force, verbose,
                                 ask_renew, default_renew, do_lock,
                                 from_edit_user, ask_change_pw, auto_create_db,
                                 create_backup)