* allows use of pre-hashed passwords with userpass backend * Remove unneeded error * Single error check after switch * use param name quoted in error message * updated test for quoted param in error * white space fixes for markdown doc * More whitespace fixes * added changelog * Password/pre-hashed password are only required on 'create' operation * docs indentation * Update website/content/docs/auth/userpass.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * Updated docs * Check length of hash too * Update builtin/credential/userpass/path_user_password_test.go :) Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com> --------- Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package userpass
import (
"testing"
"golang.org/x/crypto/bcrypt"
"github.com/stretchr/testify/require"
)
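// TestUserPass_ParseHash ensures that we correctly validate password hashes that
// conform to the bcrypt standard based on the prefix of the hash.
//
// Every input except "too-short" is exactly 60 bytes long, so for those cases
// the prefix alone decides the outcome. The accepted inputs pair a recognised
// prefix ($2a$, $2b$, $2y$) with filler that is not a well-formed bcrypt cost,
// salt or digest. The test therefore pins length and prefix validation only; it
// does not show that an accepted value could ever verify a password.
// NOTE(review): if parsePasswordHash is the only gate for caller-supplied
// pre-hashed passwords, a malformed or low-cost hash would be stored as-is;
// confirm whether the cost field is validated elsewhere.
func TestUserPass_ParseHash(t *testing.T) {
	t.Parallel()

	// Built at run time so the "60-spaces" case really is 60 bytes long. A
	// literal run of spaces is easily collapsed by editors or renderers, and a
	// shorter input would fail the length check instead of the prefix check
	// this case is meant to exercise.
	sixtySpaces := make([]byte, 60)
	for i := range sixtySpaces {
		sixtySpaces[i] = ' '
	}

	tests := map[string]struct {
		input                string
		isErrorExpected      bool
		expectedErrorMessage string
	}{
		"too-short": {
			input:                "too short",
			isErrorExpected:      true,
			expectedErrorMessage: "password hash has incorrect length",
		},
		"60-spaces": {
			input:                string(sixtySpaces),
			isErrorExpected:      true,
			expectedErrorMessage: "password hash has incorrect prefix",
		},
		"jibberish": {
			input:                "jibberfishjibberfishjibberfishjibberfishjibberfishjibberfish",
			isErrorExpected:      true,
			expectedErrorMessage: "password hash has incorrect prefix",
		},
		"non-ascii-prefix": {
			input:           "$2a$qwertyjibberfishjibberfishjibberfishjibberfishjibberfish",
			isErrorExpected: false,
		},
		"truncation-prefix": {
			input:           "$2b$qwertyjibberfishjibberfishjibberfishjibberfishjibberfish",
			isErrorExpected: false,
		},
		"php-only-fixed-prefix": {
			input:           "$2y$qwertyjibberfishjibberfishjibberfishjibberfishjibberfish",
			isErrorExpected: false,
		},
		// $2x$ is the one bcrypt-style prefix in this table that must be
		// rejected even though the length is right.
		"php-only-existing": {
			input:                "$2x$qwertyjibberfishjibberfishjibberfishjibberfishjibberfish",
			isErrorExpected:      true,
			expectedErrorMessage: "password hash has incorrect prefix",
		},
	}

	for name, tc := range tests {
		// Per-iteration copies: the parallel subtests below run after the loop
		// has advanced, which matters on toolchains older than Go 1.22.
		name := name
		tc := tc
		t.Run(name, func(t *testing.T) {
			t.Parallel()

			got, err := parsePasswordHash(tc.input)
			switch {
			case tc.isErrorExpected:
				require.EqualError(t, err, tc.expectedErrorMessage)
			default:
				require.NoError(t, err)
				// An accepted hash must come back byte-for-byte unchanged.
				require.Equal(t, tc.input, string(got))
			}
		})
	}
}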
// TestUserPass_BcryptHashLength checks that hashing a password with the bcrypt
// library yields a result of bcryptHashLength bytes for each sample password,
// including the empty one.
func TestUserPass_BcryptHashLength(t *testing.T) {
	t.Parallel()

	// Sample passwords of differing lengths; the hash length must not vary
	// with them.
	for _, password := range []string{
		"",
		" ",
		"foo",
		"this is a long password woo",
	} {
		digest, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
		require.NoError(t, err)
		require.Len(t, digest, bcryptHashLength)
	}
}