forgejo/modules/auth/password/hash/hash_test.go

// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package hash

import (
	"encoding/hex"
	"strconv"
	"strings"
	"testing"

	"github.com/stretchr/testify/assert"
)

type testSaltHasher string

func (t testSaltHasher) HashWithSaltBytes(password string, salt []byte) string {
	return password + "$" + string(salt) + "$" + string(t)
}

func Test_registerHasher(t *testing.T) {
	MustRegister("Test_registerHasher", func(config string) testSaltHasher {
		return testSaltHasher(config)
	})

	assert.Panics(t, func() {
		MustRegister("Test_registerHasher", func(config string) testSaltHasher {
			return testSaltHasher(config)
		})
	})

	assert.Error(t, Register("Test_registerHasher", func(config string) testSaltHasher {
		return testSaltHasher(config)
	}))

	assert.Equal(t, "password$salt$",
		Parse("Test_registerHasher").PasswordSaltHasher.HashWithSaltBytes("password", []byte("salt")))

	assert.Equal(t, "password$salt$config",
		Parse("Test_registerHasher$config").PasswordSaltHasher.HashWithSaltBytes("password", []byte("salt")))

	delete(availableHasherFactories, "Test_registerHasher")
}

func TestParse(t *testing.T) {
	hashAlgorithmsToTest := []string{}
	for plainHashAlgorithmNames := range availableHasherFactories {
		hashAlgorithmsToTest = append(hashAlgorithmsToTest, plainHashAlgorithmNames)
	}
	for _, aliased := range aliasAlgorithmNames {
		if strings.Contains(aliased, "$") {
			hashAlgorithmsToTest = append(hashAlgorithmsToTest, aliased)
		}
	}
	for _, algorithmName := range hashAlgorithmsToTest {
		t.Run(algorithmName, func(t *testing.T) {
			algo := Parse(algorithmName)
			assert.NotNil(t, algo, "Algorithm %s resulted in an empty algorithm", algorithmName)
		})
	}
}

func TestHashing(t *testing.T) {
	hashAlgorithmsToTest := []string{}
	for plainHashAlgorithmNames := range availableHasherFactories {
		hashAlgorithmsToTest = append(hashAlgorithmsToTest, plainHashAlgorithmNames)
	}
	for _, aliased := range aliasAlgorithmNames {
		if strings.Contains(aliased, "$") {
			hashAlgorithmsToTest = append(hashAlgorithmsToTest, aliased)
		}
	}

	runTests := func(password, salt string, shouldPass bool) {
		for _, algorithmName := range hashAlgorithmsToTest {
			t.Run(algorithmName, func(t *testing.T) {
				output, err := Parse(algorithmName).Hash(password, salt)
				if shouldPass {
					assert.NoError(t, err)
					assert.NotEmpty(t, output, "output for %s was empty", algorithmName)
				} else {
					assert.Error(t, err)
				}

				assert.Equal(t, Parse(algorithmName).VerifyPassword(password, output, salt), shouldPass)
			})
		}
	}

	// Test with new salt format.
	runTests(strings.Repeat("a", 16), hex.EncodeToString([]byte{0x01, 0x02, 0x03}), true)

	// Test with legacy salt format.
	runTests(strings.Repeat("a", 16), strings.Repeat("b", 10), true)

	// Test with invalid salt.
	runTests(strings.Repeat("a", 16), "a", false)
}

// vectors were generated using the current codebase.
var vectors = []struct {
	algorithms []string
	password   string
	salt       string
	output     string
	shouldfail bool
}{
	{
		algorithms: []string{"bcrypt", "bcrypt$10"},
		password:   "abcdef",
		salt:       strings.Repeat("a", 10),
		output:     "$2a$10$fjtm8BsQ2crym01/piJroenO3oSVUBhSLKaGdTYJ4tG0ePVCrU0G2",
		shouldfail: false,
	},
	{
		algorithms: []string{"scrypt", "scrypt$65536$16$2$50"},
		password:   "abcdef",
		salt:       strings.Repeat("a", 10),
		output:     "3b571d0c07c62d42b7bad3dbf18fb0cd67d4d8cd4ad4c6928e1090e5b2a4a84437c6fd2627d897c0e7e65025ca62b67a0002",
		shouldfail: false,
	},
	{
		algorithms: []string{"argon2", "argon2$2$65536$8$50"},
		password:   "abcdef",
		salt:       strings.Repeat("a", 10),
		output:     "551f089f570f989975b6f7c6a8ff3cf89bc486dd7bbe87ed4d80ad4362f8ee599ec8dda78dac196301b98456402bcda775dc",
		shouldfail: false,
	},
	{
		algorithms: []string{"pbkdf2", "pbkdf2$10000$50"},
		password:   "abcdef",
		salt:       strings.Repeat("a", 10),
		output:     "ab48d5471b7e6ed42d10001db88c852ff7303c788e49da5c3c7b63d5adf96360303724b74b679223a3dea8a242d10abb1913",
		shouldfail: false,
	},
	{
		algorithms: []string{"bcrypt", "bcrypt$10"},
		password:   "abcdef",
		salt:       hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),
		output:     "$2a$10$qhgm32w9ZpqLygugWJsLjey8xRGcaq9iXAfmCeNBXxddgyoaOC3Gq",
		shouldfail: false,
	},
	{
		algorithms: []string{"scrypt", "scrypt$65536$16$2$50"},
		password:   "abcdef",
		salt:       hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),
		output:     "25fe5f66b43fa4eb7b6717905317cd2223cf841092dc8e0a1e8c75720ad4846cb5d9387303e14bc3c69faa3b1c51ef4b7de1",
		shouldfail: false,
	},
	{
		algorithms: []string{"argon2", "argon2$2$65536$8$50"},
		password:   "abcdef",
		salt:       hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),
		output:     "9c287db63a91d18bb1414b703216da4fc431387c1ae7c8acdb280222f11f0929831055dbfd5126a3b48566692e83ec750d2a",
		shouldfail: false,
	},
	{
		algorithms: []string{"pbkdf2", "pbkdf2$10000$50"},
		password:   "abcdef",
		salt:       hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),
		output:     "45d6cdc843d65cf0eda7b90ab41435762a282f7df013477a1c5b212ba81dbdca2edf1ecc4b5cb05956bb9e0c37ab29315d78",
		shouldfail: false,
	},
	{
		algorithms: []string{"pbkdf2$320000$50"},
		password:   "abcdef",
		salt:       hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),
		output:     "84e233114499e8721da80e85568e5b7b5900b3e49a30845fcda9d1e1756da4547d70f8740ac2b4a5d82f88cebcd27f21bfe2",
		shouldfail: false,
	},
	{
		algorithms: []string{"pbkdf2", "pbkdf2$10000$50"},
		password:   "abcdef",
		salt:       "",
		output:     "",
		shouldfail: true,
	},
}

// Ensure that the current code will correctly verify against the test vectors.
func TestVectors(t *testing.T) {
	for i, vector := range vectors {
		for _, algorithm := range vector.algorithms {
			t.Run(strconv.Itoa(i)+": "+algorithm, func(t *testing.T) {
				pa := Parse(algorithm)
				assert.Equal(t, !vector.shouldfail, pa.VerifyPassword(vector.password, vector.output, vector.salt))
			})
		}
	}
}
Provide the ability to set password hash algorithm parameters (#22942) This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters In addition it takes the opportunity to adjust the settings for `pbkdf2` in order to make the hashing a little stronger. The majority of this work was inspired by PR #14751 and I would like to thank @boppy for their work on this. Thanks to @gusted for the suggestion to adjust the `pbkdf2` hashing parameters. Close #14751 --------- Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: John Olheiser <john.olheiser@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2023-02-19 07:35:20 +00:00			`// Copyright 2023 The Gitea Authors. All rights reserved.`
			`// SPDX-License-Identifier: MIT`

			`package hash`

			`import (`
			`"encoding/hex"`
			`"strconv"`
			`"strings"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`)`

			`type testSaltHasher string`

			`func (t testSaltHasher) HashWithSaltBytes(password string, salt []byte) string {`
			`return password + "$" + string(salt) + "$" + string(t)`
			`}`

			`func Test_registerHasher(t *testing.T) {`
Make CI use a dummy password hasher for all tests (#22983) During the recent hash algorithm change it became clear that the choice of password hash algorithm plays a role in the time taken for CI to run. Therefore as attempt to improve CI we should consider using a dummy hashing algorithm instead of a real hashing algorithm. This PR creates a dummy algorithm which is then set as the default hashing algorithm during tests that use the fixtures. This hopefully will cause a reduction in the time it takes for CI to run. --------- Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2023-02-20 05:20:30 +00:00			`MustRegister("Test_registerHasher", func(config string) testSaltHasher {`
Provide the ability to set password hash algorithm parameters (#22942) This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters In addition it takes the opportunity to adjust the settings for `pbkdf2` in order to make the hashing a little stronger. The majority of this work was inspired by PR #14751 and I would like to thank @boppy for their work on this. Thanks to @gusted for the suggestion to adjust the `pbkdf2` hashing parameters. Close #14751 --------- Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: John Olheiser <john.olheiser@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2023-02-19 07:35:20 +00:00			`return testSaltHasher(config)`
			`})`

			`assert.Panics(t, func() {`
Make CI use a dummy password hasher for all tests (#22983) During the recent hash algorithm change it became clear that the choice of password hash algorithm plays a role in the time taken for CI to run. Therefore as attempt to improve CI we should consider using a dummy hashing algorithm instead of a real hashing algorithm. This PR creates a dummy algorithm which is then set as the default hashing algorithm during tests that use the fixtures. This hopefully will cause a reduction in the time it takes for CI to run. --------- Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2023-02-20 05:20:30 +00:00			`MustRegister("Test_registerHasher", func(config string) testSaltHasher {`
Provide the ability to set password hash algorithm parameters (#22942) This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters In addition it takes the opportunity to adjust the settings for `pbkdf2` in order to make the hashing a little stronger. The majority of this work was inspired by PR #14751 and I would like to thank @boppy for their work on this. Thanks to @gusted for the suggestion to adjust the `pbkdf2` hashing parameters. Close #14751 --------- Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: John Olheiser <john.olheiser@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2023-02-19 07:35:20 +00:00			`return testSaltHasher(config)`
			`})`
			`})`

Make CI use a dummy password hasher for all tests (#22983) During the recent hash algorithm change it became clear that the choice of password hash algorithm plays a role in the time taken for CI to run. Therefore as attempt to improve CI we should consider using a dummy hashing algorithm instead of a real hashing algorithm. This PR creates a dummy algorithm which is then set as the default hashing algorithm during tests that use the fixtures. This hopefully will cause a reduction in the time it takes for CI to run. --------- Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2023-02-20 05:20:30 +00:00			`assert.Error(t, Register("Test_registerHasher", func(config string) testSaltHasher {`
			`return testSaltHasher(config)`
			`}))`

Provide the ability to set password hash algorithm parameters (#22942) This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters In addition it takes the opportunity to adjust the settings for `pbkdf2` in order to make the hashing a little stronger. The majority of this work was inspired by PR #14751 and I would like to thank @boppy for their work on this. Thanks to @gusted for the suggestion to adjust the `pbkdf2` hashing parameters. Close #14751 --------- Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: John Olheiser <john.olheiser@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2023-02-19 07:35:20 +00:00			`assert.Equal(t, "password$salt$",`
			`Parse("Test_registerHasher").PasswordSaltHasher.HashWithSaltBytes("password", []byte("salt")))`

			`assert.Equal(t, "password$salt$config",`
			`Parse("Test_registerHasher$config").PasswordSaltHasher.HashWithSaltBytes("password", []byte("salt")))`

			`delete(availableHasherFactories, "Test_registerHasher")`
			`}`

			`func TestParse(t *testing.T) {`
			`hashAlgorithmsToTest := []string{}`
			`for plainHashAlgorithmNames := range availableHasherFactories {`
			`hashAlgorithmsToTest = append(hashAlgorithmsToTest, plainHashAlgorithmNames)`
			`}`
			`for _, aliased := range aliasAlgorithmNames {`
			`if strings.Contains(aliased, "$") {`
			`hashAlgorithmsToTest = append(hashAlgorithmsToTest, aliased)`
			`}`
			`}`
			`for _, algorithmName := range hashAlgorithmsToTest {`
			`t.Run(algorithmName, func(t *testing.T) {`
			`algo := Parse(algorithmName)`
			`assert.NotNil(t, algo, "Algorithm %s resulted in an empty algorithm", algorithmName)`
			`})`
			`}`
			`}`

			`func TestHashing(t *testing.T) {`
			`hashAlgorithmsToTest := []string{}`
			`for plainHashAlgorithmNames := range availableHasherFactories {`
			`hashAlgorithmsToTest = append(hashAlgorithmsToTest, plainHashAlgorithmNames)`
			`}`
			`for _, aliased := range aliasAlgorithmNames {`
			`if strings.Contains(aliased, "$") {`
			`hashAlgorithmsToTest = append(hashAlgorithmsToTest, aliased)`
			`}`
			`}`

			`runTests := func(password, salt string, shouldPass bool) {`
			`for _, algorithmName := range hashAlgorithmsToTest {`
			`t.Run(algorithmName, func(t *testing.T) {`
			`output, err := Parse(algorithmName).Hash(password, salt)`
			`if shouldPass {`
			`assert.NoError(t, err)`
			`assert.NotEmpty(t, output, "output for %s was empty", algorithmName)`
			`} else {`
			`assert.Error(t, err)`
			`}`

			`assert.Equal(t, Parse(algorithmName).VerifyPassword(password, output, salt), shouldPass)`
			`})`
			`}`
			`}`

			`// Test with new salt format.`
			`runTests(strings.Repeat("a", 16), hex.EncodeToString([]byte{0x01, 0x02, 0x03}), true)`

			`// Test with legacy salt format.`
			`runTests(strings.Repeat("a", 16), strings.Repeat("b", 10), true)`

			`// Test with invalid salt.`
			`runTests(strings.Repeat("a", 16), "a", false)`
			`}`

			`// vectors were generated using the current codebase.`
			`var vectors = []struct {`
			`algorithms []string`
			`password string`
			`salt string`
			`output string`
			`shouldfail bool`
			`}{`
			`{`
			`algorithms: []string{"bcrypt", "bcrypt$10"},`
			`password: "abcdef",`
			`salt: strings.Repeat("a", 10),`
			`output: "$2a$10$fjtm8BsQ2crym01/piJroenO3oSVUBhSLKaGdTYJ4tG0ePVCrU0G2",`
			`shouldfail: false,`
			`},`
			`{`
			`algorithms: []string{"scrypt", "scrypt$65536$16$2$50"},`
			`password: "abcdef",`
			`salt: strings.Repeat("a", 10),`
			`output: "3b571d0c07c62d42b7bad3dbf18fb0cd67d4d8cd4ad4c6928e1090e5b2a4a84437c6fd2627d897c0e7e65025ca62b67a0002",`
			`shouldfail: false,`
			`},`
			`{`
			`algorithms: []string{"argon2", "argon2$2$65536$8$50"},`
			`password: "abcdef",`
			`salt: strings.Repeat("a", 10),`
			`output: "551f089f570f989975b6f7c6a8ff3cf89bc486dd7bbe87ed4d80ad4362f8ee599ec8dda78dac196301b98456402bcda775dc",`
			`shouldfail: false,`
			`},`
			`{`
			`algorithms: []string{"pbkdf2", "pbkdf2$10000$50"},`
			`password: "abcdef",`
			`salt: strings.Repeat("a", 10),`
			`output: "ab48d5471b7e6ed42d10001db88c852ff7303c788e49da5c3c7b63d5adf96360303724b74b679223a3dea8a242d10abb1913",`
			`shouldfail: false,`
			`},`
			`{`
			`algorithms: []string{"bcrypt", "bcrypt$10"},`
			`password: "abcdef",`
			`salt: hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),`
			`output: "$2a$10$qhgm32w9ZpqLygugWJsLjey8xRGcaq9iXAfmCeNBXxddgyoaOC3Gq",`
			`shouldfail: false,`
			`},`
			`{`
			`algorithms: []string{"scrypt", "scrypt$65536$16$2$50"},`
			`password: "abcdef",`
			`salt: hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),`
			`output: "25fe5f66b43fa4eb7b6717905317cd2223cf841092dc8e0a1e8c75720ad4846cb5d9387303e14bc3c69faa3b1c51ef4b7de1",`
			`shouldfail: false,`
			`},`
			`{`
			`algorithms: []string{"argon2", "argon2$2$65536$8$50"},`
			`password: "abcdef",`
			`salt: hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),`
			`output: "9c287db63a91d18bb1414b703216da4fc431387c1ae7c8acdb280222f11f0929831055dbfd5126a3b48566692e83ec750d2a",`
			`shouldfail: false,`
			`},`
			`{`
			`algorithms: []string{"pbkdf2", "pbkdf2$10000$50"},`
			`password: "abcdef",`
			`salt: hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),`
			`output: "45d6cdc843d65cf0eda7b90ab41435762a282f7df013477a1c5b212ba81dbdca2edf1ecc4b5cb05956bb9e0c37ab29315d78",`
			`shouldfail: false,`
			`},`
			`{`
			`algorithms: []string{"pbkdf2$320000$50"},`
			`password: "abcdef",`
			`salt: hex.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04}),`
			`output: "84e233114499e8721da80e85568e5b7b5900b3e49a30845fcda9d1e1756da4547d70f8740ac2b4a5d82f88cebcd27f21bfe2",`
			`shouldfail: false,`
			`},`
			`{`
			`algorithms: []string{"pbkdf2", "pbkdf2$10000$50"},`
			`password: "abcdef",`
			`salt: "",`
			`output: "",`
			`shouldfail: true,`
			`},`
			`}`

			`// Ensure that the current code will correctly verify against the test vectors.`
			`func TestVectors(t *testing.T) {`
			`for i, vector := range vectors {`
			`for _, algorithm := range vector.algorithms {`
			`t.Run(strconv.Itoa(i)+": "+algorithm, func(t *testing.T) {`
			`pa := Parse(algorithm)`
			`assert.Equal(t, !vector.shouldfail, pa.VerifyPassword(vector.password, vector.output, vector.salt))`
			`})`
			`}`
			`}`
			`}`