86c791b8a6
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
62 lines
2.5 KiB
Go
62 lines
2.5 KiB
Go
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package testutil
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
"golang.org/x/crypto/bcrypt"
|
|
|
|
"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
|
|
)
|
|
|
|
func TestBcryptConstants(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
// It would be helpful to know if upgrading golang changes these constants some day, so test them here for visibility during upgrades.
|
|
require.Equal(t, 4, bcrypt.MinCost, "golang has changed bcrypt.MinCost: please consider implications to the other tests")
|
|
require.Equal(t, 10, bcrypt.DefaultCost, "golang has changed bcrypt.DefaultCost: please consider implications to the production code and tests")
|
|
}
|
|
|
|
func TestBcryptHashedPassword1TestHelpers(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
// Can use this to help generate or regenerate the test helper hash constants.
|
|
// t.Log(generateHash(t, PlaintextPassword1, 12))
|
|
|
|
require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1AtGoMinCost), []byte(PlaintextPassword1)))
|
|
require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1JustBelowSupervisorMinCost), []byte(PlaintextPassword1)))
|
|
require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1AtSupervisorMinCost), []byte(PlaintextPassword1)))
|
|
|
|
requireCost(t, bcrypt.MinCost, HashedPassword1AtGoMinCost)
|
|
requireCost(t, oidcclientvalidator.DefaultMinBcryptCost-1, HashedPassword1JustBelowSupervisorMinCost)
|
|
requireCost(t, oidcclientvalidator.DefaultMinBcryptCost, HashedPassword1AtSupervisorMinCost)
|
|
}
|
|
|
|
func TestBcryptHashedPassword2TestHelpers(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
// Can use this to help generate or regenerate the test helper hash constants.
|
|
// t.Log(generateHash(t, PlaintextPassword2, 12))
|
|
|
|
require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword2AtGoMinCost), []byte(PlaintextPassword2)))
|
|
require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword2AtSupervisorMinCost), []byte(PlaintextPassword2)))
|
|
|
|
requireCost(t, bcrypt.MinCost, HashedPassword2AtGoMinCost)
|
|
requireCost(t, oidcclientvalidator.DefaultMinBcryptCost, HashedPassword2AtSupervisorMinCost)
|
|
}
|
|
|
|
func generateHash(t *testing.T, password string, cost int) string { //nolint:unused,deadcode // used in comments above
|
|
hash, err := bcrypt.GenerateFromPassword([]byte(password), cost)
|
|
require.NoError(t, err)
|
|
return string(hash)
|
|
}
|
|
|
|
func requireCost(t *testing.T, wantCost int, hash string) {
|
|
cost, err := bcrypt.Cost([]byte(hash))
|
|
require.NoError(t, err)
|
|
require.Equal(t, wantCost, cost)
|
|
}
|