34509e7430
- Enhance the token exchange to check that the same client is used compared to the client used during the original authorization and token requests, and also check that the client has the token-exchange grant type allowed in its configuration. - Reduce the minimum required bcrypt cost for OIDCClient secrets because 15 is too slow for real-life use, especially considering that every login and every refresh flow will require two client auths. - In unit tests, use bcrypt hashes with a cost of 4, because bcrypt slows down by 13x when run with the race detector, and we run our tests with the race detector enabled, causing the tests to be unacceptably slow. The production code uses a higher minimum cost. - Centralize all pre-computed bcrypt hashes used by unit tests to a single place. Also extract some other useful test helpers for unit tests related to OIDCClients. - Add tons of unit tests for the token endpoint related to dynamic clients for authcode exchanges, token exchanges, and refreshes.
62 lines
2.5 KiB
Go
62 lines
2.5 KiB
Go
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package testutil
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"go.pinniped.dev/internal/oidc/oidcclientvalidator"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
"golang.org/x/crypto/bcrypt"
|
|
)
|
|
|
|
func TestBcryptConstants(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
// It would be helpful to know if upgrading golang changes these constants some day, so test them here for visibility during upgrades.
|
|
require.Equal(t, 4, bcrypt.MinCost, "golang has changed bcrypt.MinCost: please consider implications to the other tests")
|
|
require.Equal(t, 10, bcrypt.DefaultCost, "golang has changed bcrypt.DefaultCost: please consider implications to the production code and tests")
|
|
}
|
|
|
|
func TestBcryptHashedPassword1TestHelpers(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
// Can use this to help generate or regenerate the test helper hash constants.
|
|
// t.Log(generateHash(t, PlaintextPassword1, 12))
|
|
|
|
require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1AtGoMinCost), []byte(PlaintextPassword1)))
|
|
require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1JustBelowSupervisorMinCost), []byte(PlaintextPassword1)))
|
|
require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1AtSupervisorMinCost), []byte(PlaintextPassword1)))
|
|
|
|
requireCost(t, bcrypt.MinCost, HashedPassword1AtGoMinCost)
|
|
requireCost(t, oidcclientvalidator.DefaultMinBcryptCost-1, HashedPassword1JustBelowSupervisorMinCost)
|
|
requireCost(t, oidcclientvalidator.DefaultMinBcryptCost, HashedPassword1AtSupervisorMinCost)
|
|
}
|
|
|
|
func TestBcryptHashedPassword2TestHelpers(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
// Can use this to help generate or regenerate the test helper hash constants.
|
|
// t.Log(generateHash(t, PlaintextPassword2, 12))
|
|
|
|
require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword2AtGoMinCost), []byte(PlaintextPassword2)))
|
|
require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword2AtSupervisorMinCost), []byte(PlaintextPassword2)))
|
|
|
|
requireCost(t, bcrypt.MinCost, HashedPassword2AtGoMinCost)
|
|
requireCost(t, oidcclientvalidator.DefaultMinBcryptCost, HashedPassword2AtSupervisorMinCost)
|
|
}
|
|
|
|
func generateHash(t *testing.T, password string, cost int) string { //nolint:unused,deadcode // used in comments above
|
|
hash, err := bcrypt.GenerateFromPassword([]byte(password), cost)
|
|
require.NoError(t, err)
|
|
return string(hash)
|
|
}
|
|
|
|
func requireCost(t *testing.T, wantCost int, hash string) {
|
|
cost, err := bcrypt.Cost([]byte(hash))
|
|
require.NoError(t, err)
|
|
require.Equal(t, wantCost, cost)
|
|
}
|