go-passwd/passwd_test.go

package passwd_test

import (
	"bytes"
	"crypto/subtle"
	"fmt"
	"testing"

	"github.com/matryer/is"
	"github.com/sour-is/go-passwd"
	"github.com/sour-is/go-passwd/pkg/argon2"
	"github.com/sour-is/go-passwd/pkg/unix"
)

type plainPasswd struct{}

func (p *plainPasswd) Passwd(pass, check []byte) ([]byte, error) {
	if check == nil {
		var b bytes.Buffer
		b.WriteString("$plain$")
		b.Write(pass)
		return b.Bytes(), nil
	}

	if subtle.ConstantTimeCompare([]byte(pass), []byte(bytes.TrimPrefix(check, []byte("$plain$")))) == 1 {
		return check, nil
	}

	return check, passwd.ErrNoMatch
}

func (p *plainPasswd) ApplyPasswd(passwd *passwd.Passwd) {
	passwd.Register("plain", p)
	passwd.SetFallthrough(p)
}

// Example of upgrading password hash to a greater complexity.
//
// Note: This example uses very unsecure hash functions to allow for predictable output. Use of argon2.Argon2id or scrypt.Scrypt2 for greater hash security is recommended.
func Example() {
	pass := []byte("my_pass")
	hash := []byte("$1$81ed91e1131a3a5a50d8a68e8ef85fa0")

	pwd := passwd.New(
		argon2.Argon2id, // first is preferred type.
		&unix.MD5{},
	)

	_, err := pwd.Passwd(pass, hash)
	if err != nil {
		fmt.Println("fail: ", err)
		return
	}

	// Check if we want to update.
	if !pwd.IsPreferred(hash) {
		newHash, err := pwd.Passwd(pass, nil)
		if err != nil {
			fmt.Println("fail: ", err)
			return
		}

		fmt.Println("new hash:", string(newHash)[:31], "...")
	}

	// Output:
	//  new hash: $argon2id$v=19,m=65536,t=1,p=4$ ...
}

func TestPasswdHash(t *testing.T) {
	type testCase struct {
		pass, hash []byte
	}

	tests := []testCase{
		{[]byte("passwd"), []byte("passwd")},
		{[]byte("passwd"), []byte("$plain$passwd")},
	}
	algos := []passwd.Passwder{&plainPasswd{}}

	is := is.New(t)
	// Generate additional test cases for each algo.
	for _, algo := range algos {
		hash, err := algo.Passwd([]byte("passwd"), nil)
		is.NoErr(err)
		tests = append(tests, testCase{[]byte("passwd"), hash})
	}

	pass := passwd.New(algos...)

	for i, tt := range tests {
		t.Run(fmt.Sprint("Test-", i), func(t *testing.T) {
			is := is.New(t)

			hash, err := pass.Passwd(tt.pass, tt.hash)
			is.Equal(hash, tt.hash)
			is.NoErr(err)
		})
	}
}

func TestPasswdIsPreferred(t *testing.T) {
	is := is.New(t)

	pass := passwd.New(&plainPasswd{})

	ok := pass.IsPreferred([]byte("$plain$passwd"))
	is.True(ok)

	ok = pass.IsPreferred([]byte("$foo$passwd"))
	is.True(!ok)
}
initial commit 2022-12-07 14:19:04 -07:00			`package passwd_test`

			`import (`
feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`"bytes"`
initial commit 2022-12-07 14:19:04 -07:00			`"crypto/subtle"`
			`"fmt"`
			`"testing"`

			`"github.com/matryer/is"`
			`"github.com/sour-is/go-passwd"`
feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`"github.com/sour-is/go-passwd/pkg/argon2"`
initial commit 2022-12-07 14:19:04 -07:00			`"github.com/sour-is/go-passwd/pkg/unix"`
			`)`

			`type plainPasswd struct{}`

feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`func (p *plainPasswd) Passwd(pass, check []byte) ([]byte, error) {`
			`if check == nil {`
			`var b bytes.Buffer`
			`b.WriteString("$plain$")`
			`b.Write(pass)`
			`return b.Bytes(), nil`
initial commit 2022-12-07 14:19:04 -07:00			`}`

feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`if subtle.ConstantTimeCompare([]byte(pass), []byte(bytes.TrimPrefix(check, []byte("$plain$")))) == 1 {`
initial commit 2022-12-07 14:19:04 -07:00			`return check, nil`
			`}`

			`return check, passwd.ErrNoMatch`
			`}`

			`func (p plainPasswd) ApplyPasswd(passwd passwd.Passwd) {`
			`passwd.Register("plain", p)`
			`passwd.SetFallthrough(p)`
			`}`

chore: add recommendations to documentation of hash functions. 2022-12-09 10:05:39 -07:00			`// Example of upgrading password hash to a greater complexity.`
			`//`
			`// Note: This example uses very unsecure hash functions to allow for predictable output. Use of argon2.Argon2id or scrypt.Scrypt2 for greater hash security is recommended.`
initial commit 2022-12-07 14:19:04 -07:00			`func Example() {`
feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`pass := []byte("my_pass")`
			`hash := []byte("$1$81ed91e1131a3a5a50d8a68e8ef85fa0")`
initial commit 2022-12-07 14:19:04 -07:00
			`pwd := passwd.New(`
feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`argon2.Argon2id, // first is preferred type.`
			`&unix.MD5{},`
initial commit 2022-12-07 14:19:04 -07:00			`)`

			`_, err := pwd.Passwd(pass, hash)`
			`if err != nil {`
			`fmt.Println("fail: ", err)`
feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`return`
initial commit 2022-12-07 14:19:04 -07:00			`}`

			`// Check if we want to update.`
			`if !pwd.IsPreferred(hash) {`
feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`newHash, err := pwd.Passwd(pass, nil)`
initial commit 2022-12-07 14:19:04 -07:00			`if err != nil {`
			`fmt.Println("fail: ", err)`
feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`return`
initial commit 2022-12-07 14:19:04 -07:00			`}`

feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`fmt.Println("new hash:", string(newHash)[:31], "...")`
initial commit 2022-12-07 14:19:04 -07:00			`}`

			`// Output:`
feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`// new hash: $argon2id$v=19,m=65536,t=1,p=4$ ...`
initial commit 2022-12-07 14:19:04 -07:00			`}`

			`func TestPasswdHash(t *testing.T) {`
			`type testCase struct {`
feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`pass, hash []byte`
initial commit 2022-12-07 14:19:04 -07:00			`}`

			`tests := []testCase{`
feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`{[]byte("passwd"), []byte("passwd")},`
			`{[]byte("passwd"), []byte("$plain$passwd")},`
initial commit 2022-12-07 14:19:04 -07:00			`}`
			`algos := []passwd.Passwder{&plainPasswd{}}`

			`is := is.New(t)`
			`// Generate additional test cases for each algo.`
			`for _, algo := range algos {`
feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`hash, err := algo.Passwd([]byte("passwd"), nil)`
initial commit 2022-12-07 14:19:04 -07:00			`is.NoErr(err)`
feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`tests = append(tests, testCase{[]byte("passwd"), hash})`
initial commit 2022-12-07 14:19:04 -07:00			`}`

			`pass := passwd.New(algos...)`

			`for i, tt := range tests {`
			`t.Run(fmt.Sprint("Test-", i), func(t *testing.T) {`
			`is := is.New(t)`

			`hash, err := pass.Passwd(tt.pass, tt.hash)`
			`is.Equal(hash, tt.hash)`
			`is.NoErr(err)`
			`})`
			`}`
			`}`

			`func TestPasswdIsPreferred(t *testing.T) {`
			`is := is.New(t)`

			`pass := passwd.New(&plainPasswd{})`

feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`ok := pass.IsPreferred([]byte("$plain$passwd"))`
initial commit 2022-12-07 14:19:04 -07:00			`is.True(ok)`

feat: BREAKING: change from string to []byte 2022-12-10 08:58:08 -07:00			`ok = pass.IsPreferred([]byte("$foo$passwd"))`
initial commit 2022-12-07 14:19:04 -07:00			`is.True(!ok)`
			`}`