lock: Add secret token hashing with argon2id

This commit is contained in:
Ada 2024-02-25 00:29:39 +01:00
parent 7c6e18538b
commit 00baaff708
13 changed files with 359 additions and 80 deletions

6
go.mod
View file

@ -2,9 +2,13 @@ module git.gnous.eu/gnouseu/plakken
go 1.22 go 1.22
require github.com/redis/go-redis/v9 v9.5.1 require (
github.com/redis/go-redis/v9 v9.5.1
golang.org/x/crypto v0.20.0
)
require ( require (
github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
golang.org/x/sys v0.17.0 // indirect
) )

4
go.sum
View file

@ -8,3 +8,7 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
github.com/redis/go-redis/v9 v9.5.1 h1:H1X4D3yHPaYrkL5X06Wh6xNVM/pX0Ft4RV0vMGvLBh8= github.com/redis/go-redis/v9 v9.5.1 h1:H1X4D3yHPaYrkL5X06Wh6xNVM/pX0Ft4RV0vMGvLBh8=
github.com/redis/go-redis/v9 v9.5.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M= github.com/redis/go-redis/v9 v9.5.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
golang.org/x/crypto v0.20.0 h1:jmAMJJZXr5KiCw05dfYK9QnqaqKLYXijU23lsEdcQqg=
golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

View file

@ -5,4 +5,10 @@ import "time"
const ( const (
HTTPTimeout = 3 * time.Second HTTPTimeout = 3 * time.Second
ExpirationCurlCreate = 604800 * time.Second // Second in one week ExpirationCurlCreate = 604800 * time.Second // Second in one week
TokenLength = 32
ArgonSaltSize = 16
ArgonMemory = 64 * 1024
ArgonThreads = 4
ArgonKeyLength = 32
ArgonIterations = 2
) )

View file

@ -5,6 +5,7 @@ import (
"log" "log"
"time" "time"
"git.gnous.eu/gnouseu/plakken/internal/secret"
"github.com/redis/go-redis/v9" "github.com/redis/go-redis/v9"
) )
@ -36,7 +37,7 @@ func ConnectDB(dbConfig *redis.Options) *redis.Client {
func Ping(db *redis.Client) error { func Ping(db *redis.Client) error {
status := db.Ping(ctx) status := db.Ping(ctx)
if status.String() != "ping: PONG" { if status.String() != "ping: PONG" {
return &PingError{} return &pingError{}
} }
return nil return nil
} }
@ -68,6 +69,13 @@ func (config DBConfig) UrlExist(url string) bool {
return config.DB.Exists(ctx, url).Val() == 1 return config.DB.Exists(ctx, url).Val() == 1
} }
func (config DBConfig) VerifySecret(url string, secret string) bool { func (config DBConfig) VerifySecret(url string, token string) (bool, error) {
return secret == config.DB.HGet(ctx, url, "secret").Val() storedHash := config.DB.HGet(ctx, url, "secret").Val()
result, err := secret.VerifyPassword(token, storedHash)
if err != nil {
return false, err
}
return result, nil
} }

View file

@ -1,7 +1,7 @@
package database package database
type PingError struct{} type pingError struct{}
func (m *PingError) Error() string { func (m *pingError) Error() string {
return "Connection to redis not work" return "Connection to redis not work"
} }

View file

@ -42,8 +42,8 @@ func (config ServerConfig) router() {
http.Handle("GET /static/{file}", http.FileServer(staticFiles)) http.Handle("GET /static/{file}", http.FileServer(staticFiles))
http.HandleFunc("GET /{key}/{settings...}", WebConfig.View) http.HandleFunc("GET /{key}/{settings...}", WebConfig.View)
http.HandleFunc("POST /{$}", WebConfig.CurlCreate) http.HandleFunc("POST /{$}", WebConfig.CurlCreate)
http.HandleFunc("POST /create/{$}", WebConfig.Create) http.HandleFunc("POST /create/{$}", WebConfig.PostCreate)
http.HandleFunc("DELETE /{key}", WebConfig.Delete) http.HandleFunc("DELETE /{key}", WebConfig.DeleteRequest)
} }
// Config Configure HTTP server // Config Configure HTTP server

147
internal/secret/crypto.go Normal file
View file

@ -0,0 +1,147 @@
// Package secret implement all crypto utils like password hashing and secret generation
package secret
import (
"bytes"
"crypto/rand"
"encoding/base64"
"fmt"
"strconv"
"strings"
"git.gnous.eu/gnouseu/plakken/internal/constant"
"golang.org/x/crypto/argon2"
)
type argon2idHash struct {
salt []byte
hash []byte
}
// Argon2id config
type config struct {
saltLength uint8
memory uint32
threads uint8
keyLength uint32
iterations uint32
}
// generateSecret for password hashing or token generation
func generateSecret(length uint8) ([]byte, error) {
secret := make([]byte, length)
_, err := rand.Read(secret)
if err != nil {
return nil, err
}
return secret, err
}
// GenerateToken generate hexadecimal token
func GenerateToken() (string, error) {
secret, err := generateSecret(constant.TokenLength)
if err != nil {
return "", err
}
token := fmt.Sprintf("%x", secret)
return token, nil
}
// generateArgon2ID Generate an argon2id hash from source string and specified salt
func (config config) generateArgon2ID(source string, salt []byte) []byte {
hash := argon2.IDKey([]byte(source), salt, config.iterations, config.memory, config.threads, config.keyLength)
return hash
}
// Password hash a source string with argon2id, return properly encoded hash
func Password(password string) (string, error) {
config := config{
saltLength: constant.ArgonSaltSize,
memory: constant.ArgonMemory,
threads: constant.ArgonThreads,
keyLength: constant.ArgonKeyLength,
iterations: constant.ArgonIterations,
}
salt, err := generateSecret(config.saltLength)
if err != nil {
return "", err
}
hash := config.generateArgon2ID(password, salt)
base64Hash := base64.RawStdEncoding.EncodeToString(hash)
base64Salt := base64.RawStdEncoding.EncodeToString(salt)
formatted := fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s", argon2.Version, config.memory, config.iterations, config.threads, base64Salt, base64Hash)
return formatted, nil
}
// VerifyPassword check is source password and stored password is similar, take password and a properly encoded hash.
func VerifyPassword(password string, hash string) (bool, error) {
argon2Hash, config, err := parseHash(hash)
if err != nil {
return false, err
}
result := config.generateArgon2ID(password, argon2Hash.salt)
return bytes.Equal(result, argon2Hash.hash), nil
}
// parseHash parse existing encoded argon2id string
func parseHash(source string) (argon2idHash, config, error) {
separateItem := strings.Split(source, "$")
if len(separateItem) != 6 {
return argon2idHash{}, config{}, &parseError{message: "Hash format is not valid"}
}
if separateItem[1] != "argon2id" {
return argon2idHash{}, config{}, &parseError{message: "Algorithm is not valid"}
}
separateParam := strings.Split(separateItem[3], ",")
if len(separateParam) != 3 {
return argon2idHash{}, config{}, &parseError{message: "Hash config is not valid"}
}
salt, err := base64.RawStdEncoding.Strict().DecodeString(separateItem[4])
if err != nil {
return argon2idHash{}, config{}, err
}
var hash []byte
hash, err = base64.RawStdEncoding.Strict().DecodeString(separateItem[5])
if err != nil {
return argon2idHash{}, config{}, err
}
saltLength := uint8(len(salt))
keyLength := uint32(len(hash))
var memory int
memory, err = strconv.Atoi(strings.Replace(separateParam[0], "m=", "", -1))
if err != nil {
return argon2idHash{}, config{}, err
}
var iterations int
iterations, err = strconv.Atoi(strings.Replace(separateParam[1], "t=", "", -1))
if err != nil {
return argon2idHash{}, config{}, err
}
var threads int
threads, err = strconv.Atoi(strings.Replace(separateParam[2], "p=", "", -1))
if err != nil {
return argon2idHash{}, config{}, err
}
return argon2idHash{salt: salt, hash: hash}, config{saltLength: saltLength, memory: uint32(memory), threads: uint8(threads), iterations: uint32(iterations), keyLength: keyLength}, nil
}

9
internal/secret/error.go Normal file
View file

@ -0,0 +1,9 @@
package secret
type parseError struct {
message string
}
func (m *parseError) Error() string {
return "parseHash: " + m.message
}

View file

@ -1,17 +1,17 @@
package utils package utils
type ParseIntBeforeSeparatorError struct { type parseIntBeforeSeparatorError struct {
Message string message string
} }
func (m *ParseIntBeforeSeparatorError) Error() string { func (m *parseIntBeforeSeparatorError) Error() string {
return "parseIntBeforeSeparator: " + m.Message return "parseIntBeforeSeparator: " + m.message
} }
type ParseExpirationError struct { type ParseExpirationError struct {
Message string message string
} }
func (m *ParseExpirationError) Error() string { func (m *ParseExpirationError) Error() string {
return "parseIntBeforeSeparator: " + m.Message return "parseIntBeforeSeparator: " + m.message
} }

View file

@ -1,8 +1,6 @@
package utils package utils
import ( import (
"crypto/rand"
"encoding/hex"
"log" "log"
mathrand "math/rand/v2" mathrand "math/rand/v2"
"regexp" "regexp"
@ -21,17 +19,6 @@ func GenerateUrl(length uint8) string {
return string(b) return string(b)
} }
// GenerateSecret generate random secret (32 bytes hexadecimal)
func GenerateSecret() string {
key := make([]byte, 32)
_, err := rand.Read(key)
if err != nil {
log.Printf("Failed to generate secret")
}
return hex.EncodeToString(key)
}
// CheckCharRedundant verify is a character is redundant in a string // CheckCharRedundant verify is a character is redundant in a string
func CheckCharRedundant(source string, char string) bool { // Verify if a char is redundant func CheckCharRedundant(source string, char string) bool { // Verify if a char is redundant
return strings.Count(source, char) > 1 return strings.Count(source, char) > 1
@ -39,7 +26,7 @@ func CheckCharRedundant(source string, char string) bool { // Verify if a char i
func parseIntBeforeSeparator(source *string, sep string) (int, error) { // return 0 & error if error, only accept positive number func parseIntBeforeSeparator(source *string, sep string) (int, error) { // return 0 & error if error, only accept positive number
if CheckCharRedundant(*source, sep) { if CheckCharRedundant(*source, sep) {
return 0, &ParseIntBeforeSeparatorError{Message: *source + ": cannot parse value as int"} return 0, &parseIntBeforeSeparatorError{message: *source + ": cannot parse value as int"}
} }
var value int var value int
var err error var err error
@ -47,14 +34,14 @@ func parseIntBeforeSeparator(source *string, sep string) (int, error) { // retur
value, err = strconv.Atoi(strings.Split(*source, sep)[0]) value, err = strconv.Atoi(strings.Split(*source, sep)[0])
if err != nil { if err != nil {
log.Println(err) log.Println(err)
return 0, &ParseIntBeforeSeparatorError{Message: *source + ": cannot parse value as int"} return 0, &parseIntBeforeSeparatorError{message: *source + ": cannot parse value as int"}
} }
if value < 0 { // Only positive value is correct if value < 0 { // Only positive value is correct
return 0, &ParseIntBeforeSeparatorError{Message: *source + ": format only take positive value"} return 0, &parseIntBeforeSeparatorError{message: *source + ": format only take positive value"}
} }
if value > 99 { if value > 99 {
return 0, &ParseIntBeforeSeparatorError{Message: *source + ": Format only take two number"} return 0, &parseIntBeforeSeparatorError{message: *source + ": Format only take two number"}
} }
*source = strings.Join(strings.Split(*source, sep)[1:], "") *source = strings.Join(strings.Split(*source, sep)[1:], "")
@ -77,25 +64,25 @@ func ParseExpiration(source string) (int, error) {
expiration = tempOutput * 86400 expiration = tempOutput * 86400
if err != nil { if err != nil {
log.Println(err) log.Println(err)
return 0, &ParseExpirationError{Message: "Invalid syntax"} return 0, &ParseExpirationError{message: "Invalid syntax"}
} }
tempOutput, err = parseIntBeforeSeparator(&source, "h") tempOutput, err = parseIntBeforeSeparator(&source, "h")
expiration += tempOutput * 3600 expiration += tempOutput * 3600
if err != nil { if err != nil {
log.Println(err) log.Println(err)
return 0, &ParseExpirationError{Message: "Invalid syntax"} return 0, &ParseExpirationError{message: "Invalid syntax"}
} }
tempOutput, err = parseIntBeforeSeparator(&source, "m") tempOutput, err = parseIntBeforeSeparator(&source, "m")
expiration += tempOutput * 60 expiration += tempOutput * 60
if err != nil { if err != nil {
log.Println(err) log.Println(err)
return 0, &ParseExpirationError{Message: "Invalid syntax"} return 0, &ParseExpirationError{message: "Invalid syntax"}
} }
tempOutput, err = parseIntBeforeSeparator(&source, "s") tempOutput, err = parseIntBeforeSeparator(&source, "s")
expiration += tempOutput * 1 expiration += tempOutput * 1
if err != nil { if err != nil {
log.Println(err) log.Println(err)
return 0, &ParseExpirationError{Message: "Invalid syntax"} return 0, &ParseExpirationError{message: "Invalid syntax"}
} }
return expiration, nil return expiration, nil

View file

@ -1,10 +1,18 @@
package plak package plak
type DeletePlakError struct { type deletePlakError struct {
Name string name string
Err error err error
} }
func (m *DeletePlakError) Error() string { func (m *deletePlakError) Error() string {
return "Cannot delete: " + m.Name + " : " + m.Err.Error() return "Cannot delete: " + m.name + " : " + m.err.Error()
}
type createError struct {
message string
}
func (m *createError) Error() string {
return "create: cannot create plak: " + m.message
} }

View file

@ -10,6 +10,7 @@ import (
"git.gnous.eu/gnouseu/plakken/internal/constant" "git.gnous.eu/gnouseu/plakken/internal/constant"
"git.gnous.eu/gnouseu/plakken/internal/database" "git.gnous.eu/gnouseu/plakken/internal/database"
"git.gnous.eu/gnouseu/plakken/internal/secret"
"git.gnous.eu/gnouseu/plakken/internal/utils" "git.gnous.eu/gnouseu/plakken/internal/utils"
"github.com/redis/go-redis/v9" "github.com/redis/go-redis/v9"
@ -24,26 +25,48 @@ type WebConfig struct {
Templates embed.FS Templates embed.FS
} }
// Plak "Object" for plak // plak "Object" for plak
type Plak struct { type plak struct {
Key string Key string
Content string Content string
Expiration time.Duration Expiration time.Duration
DB *redis.Client DB *redis.Client
} }
// Create manage POST request for create Plak // create a plak
func (config WebConfig) Create(w http.ResponseWriter, r *http.Request) { func (plak plak) create() (string, error) {
dbConf := database.DBConfig{
DB: plak.DB,
}
token, err := secret.GenerateToken()
if err != nil {
return "", err
}
if dbConf.UrlExist(plak.Key) {
return "", &createError{message: "key already exist"}
}
var hashedSecret string
hashedSecret, err = secret.Password(token)
if err != nil {
return "", err
}
dbConf.InsertPaste(plak.Key, plak.Content, hashedSecret, plak.Expiration)
return token, nil
}
// PostCreate manage POST request for create plak
func (config WebConfig) PostCreate(w http.ResponseWriter, r *http.Request) {
content := r.FormValue("content") content := r.FormValue("content")
if content == "" { if content == "" {
w.WriteHeader(http.StatusBadRequest) w.WriteHeader(http.StatusBadRequest)
return return
} }
dbConf := database.DBConfig{
DB: config.DB,
}
filename := r.FormValue("filename") filename := r.FormValue("filename")
var key string var key string
if len(filename) == 0 { if len(filename) == 0 {
@ -53,46 +76,67 @@ func (config WebConfig) Create(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusBadRequest) w.WriteHeader(http.StatusBadRequest)
return return
} }
if dbConf.UrlExist(filename) {
w.WriteHeader(http.StatusBadRequest)
return
}
key = filename key = filename
} }
secret := utils.GenerateSecret() plak := plak{
rawExpiration := r.FormValue("exp") Key: key,
Content: content,
DB: config.DB,
}
rawExpiration := r.FormValue("exp")
expiration, err := utils.ParseExpiration(rawExpiration) expiration, err := utils.ParseExpiration(rawExpiration)
if err != nil { if err != nil {
w.WriteHeader(http.StatusBadRequest) log.Println(err)
w.WriteHeader(http.StatusInternalServerError)
return return
} else if expiration == 0 { }
dbConf.InsertPaste(key, content, secret, -1)
if expiration == 0 {
plak.Expiration = -1
} else { } else {
dbConf.InsertPaste(key, content, secret, time.Duration(expiration*int(time.Second))) plak.Expiration = time.Duration(expiration * int(time.Second))
}
_, err = plak.create()
if err != nil {
log.Println(err)
w.WriteHeader(http.StatusInternalServerError)
return
} }
http.Redirect(w, r, "/"+key, http.StatusSeeOther) http.Redirect(w, r, "/"+key, http.StatusSeeOther)
} }
// CurlCreate Create plak with minimum param, ideal for curl. Force 7 day expiration // CurlCreate PostCreate plak with minimum param, ideal for curl. Force 7 day expiration
func (config WebConfig) CurlCreate(w http.ResponseWriter, r *http.Request) { func (config WebConfig) CurlCreate(w http.ResponseWriter, r *http.Request) {
if r.ContentLength == 0 { if r.ContentLength == 0 {
w.WriteHeader(http.StatusBadRequest) w.WriteHeader(http.StatusBadRequest)
return return
} }
content, _ := io.ReadAll(r.Body) content, _ := io.ReadAll(r.Body)
err := r.Body.Close() err := r.Body.Close()
if err != nil { if err != nil {
log.Println(err) log.Println(err)
} }
key := utils.GenerateUrl(config.UrlLength) key := utils.GenerateUrl(config.UrlLength)
secret := utils.GenerateSecret()
dbConf := database.DBConfig{ plak := plak{
DB: config.DB, Key: key,
Content: string(content),
Expiration: constant.ExpirationCurlCreate,
DB: config.DB,
}
var token string
token, err = plak.create()
if err != nil {
w.WriteHeader(http.StatusBadRequest)
return
} }
dbConf.InsertPaste(key, string(content), secret, constant.ExpirationCurlCreate)
var baseURL string var baseURL string
if r.TLS == nil { if r.TLS == nil {
@ -101,7 +145,7 @@ func (config WebConfig) CurlCreate(w http.ResponseWriter, r *http.Request) {
baseURL = "https://" + r.Host + "/" + key baseURL = "https://" + r.Host + "/" + key
} }
message := baseURL + "\n" + "Delete with : 'curl -X DELETE " + baseURL + "?secret\\=" + secret + "'" + "\n" message := baseURL + "\n" + "Delete with : 'curl -X DELETE " + baseURL + "?secret\\=" + token + "'" + "\n"
w.Header().Set("Content-Type", "text/plain; charset=utf-8") w.Header().Set("Content-Type", "text/plain; charset=utf-8")
_, err = io.WriteString(w, message) _, err = io.WriteString(w, message)
@ -115,18 +159,18 @@ func (config WebConfig) View(w http.ResponseWriter, r *http.Request) {
dbConf := database.DBConfig{ dbConf := database.DBConfig{
DB: config.DB, DB: config.DB,
} }
var plak Plak var currentPlak plak
key := r.PathValue("key") key := r.PathValue("key")
if dbConf.UrlExist(key) { if dbConf.UrlExist(key) {
plak = Plak{ currentPlak = plak{
Key: key, Key: key,
DB: config.DB, DB: config.DB,
} }
plak = plak.GetContent() currentPlak = currentPlak.getContent()
if r.PathValue("settings") == "raw" { if r.PathValue("settings") == "raw" {
w.Header().Set("Content-Type", "text/plain; charset=utf-8") w.Header().Set("Content-Type", "text/plain; charset=utf-8")
_, err := io.WriteString(w, plak.Content) _, err := io.WriteString(w, currentPlak.Content)
if err != nil { if err != nil {
log.Println(err) log.Println(err)
} }
@ -135,10 +179,13 @@ func (config WebConfig) View(w http.ResponseWriter, r *http.Request) {
if err != nil { if err != nil {
w.WriteHeader(http.StatusInternalServerError) w.WriteHeader(http.StatusInternalServerError)
log.Println(err) log.Println(err)
return
} }
err = t.Execute(w, plak) err = t.Execute(w, currentPlak)
if err != nil { if err != nil {
w.WriteHeader(http.StatusInternalServerError)
log.Println(err) log.Println(err)
return
} }
} }
} else { } else {
@ -146,24 +193,35 @@ func (config WebConfig) View(w http.ResponseWriter, r *http.Request) {
} }
} }
// Delete manage plak deletion endpoint // DeleteRequest manage plak deletion endpoint
func (config WebConfig) Delete(w http.ResponseWriter, r *http.Request) { func (config WebConfig) DeleteRequest(w http.ResponseWriter, r *http.Request) {
dbConf := database.DBConfig{ dbConf := database.DBConfig{
DB: config.DB, DB: config.DB,
} }
key := r.PathValue("key") key := r.PathValue("key")
var valid bool
if dbConf.UrlExist(key) { if dbConf.UrlExist(key) {
secret := r.URL.Query().Get("secret") var err error
if dbConf.VerifySecret(key, secret) { token := r.URL.Query().Get("secret")
plak := Plak{
valid, err = dbConf.VerifySecret(key, token)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
log.Println(err)
return
}
if valid {
plak := plak{
Key: key, Key: key,
DB: config.DB, DB: config.DB,
} }
err := plak.deletePlak() err := plak.delete()
if err != nil { if err != nil {
log.Println(err) log.Println(err)
} }
w.WriteHeader(http.StatusNoContent) w.WriteHeader(http.StatusNoContent)
return return
} else { } else {
@ -171,22 +229,23 @@ func (config WebConfig) Delete(w http.ResponseWriter, r *http.Request) {
return return
} }
} }
w.WriteHeader(http.StatusNotFound) w.WriteHeader(http.StatusNotFound)
} }
// deletePlak Delete plak from database // delete DeleteRequest plak from database
func (plak Plak) deletePlak() error { func (plak plak) delete() error {
err := plak.DB.Del(ctx, plak.Key).Err() err := plak.DB.Del(ctx, plak.Key).Err()
if err != nil { if err != nil {
log.Println(err) log.Println(err)
return &DeletePlakError{Name: plak.Key, Err: err} return &deletePlakError{name: plak.Key, err: err}
} }
return nil return nil
} }
// GetContent get plak content // getContent get plak content
func (plak Plak) GetContent() Plak { func (plak plak) getContent() plak {
plak.Content = plak.DB.HGet(ctx, plak.Key, "content").Val() plak.Content = plak.DB.HGet(ctx, plak.Key, "content").Val()
return plak return plak
} }

View file

@ -0,0 +1,47 @@
package secret_test
import (
"fmt"
"regexp"
"testing"
"git.gnous.eu/gnouseu/plakken/internal/constant"
"git.gnous.eu/gnouseu/plakken/internal/secret"
"golang.org/x/crypto/argon2"
)
func TestPasswordFormat(t *testing.T) {
regex := fmt.Sprintf("\\$argon2id\\$v=%d\\$m=%d,t=%d,p=%d\\$[A-Za-z0-9+/]*\\$[A-Za-z0-9+/]*$", argon2.Version, constant.ArgonMemory, constant.ArgonIterations, constant.ArgonThreads)
got, err := secret.Password("Password!")
if err != nil {
t.Fatal(err)
}
result, _ := regexp.MatchString(regex, got)
if !result {
t.Fatal("Error in Password, format is not valid "+": ", got)
}
}
func TestVerifyPassword(t *testing.T) {
result, err := secret.VerifyPassword("Password!", "$argon2id$v=19$m=65536,t=2,p=4$A+t5YGpyy1BHCbvk/LP1xQ$eNuUj6B2ZqXlGi6KEqep39a7N4nysUIojuPXye+Ypp0")
if err != nil {
t.Fatal(err)
}
if !result {
t.Fatal("Error in VerifyPassword, got:", result, "want: ", true)
}
}
func TestVerifyPasswordInvalid(t *testing.T) {
result, err := secret.VerifyPassword("notsamepassword", "$argon2id$v=19$m=65536,t=2,p=4$A+t5YGpyy1BHCbvk/LP1xQ$eNuUj6B2ZqXlGi6KEqep39a7N4nysUIojuPXye+Ypp0")
if err != nil {
t.Fatal(err)
}
if result {
t.Fatal("Error in VerifyPassword, got:", result, "want: ", false)
}
}