mirror of
https://github.com/scylladb/scylladb.git
synced 2026-04-24 02:20:37 +00:00
139 lines
4.7 KiB
C++
139 lines
4.7 KiB
C++
/*
|
|
* Copyright (C) 2018-present ScyllaDB
|
|
*/
|
|
|
|
/*
|
|
* SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.1
|
|
*/
|
|
|
|
#include <seastar/testing/test_case.hh>
|
|
|
|
#include <array>
|
|
#include <random>
|
|
#include <unordered_set>
|
|
|
|
#include "auth/passwords.hh"
|
|
|
|
#include <boost/test/unit_test.hpp>
|
|
#include <seastar/core/sstring.hh>
|
|
#include <seastar/core/coroutine.hh>
|
|
|
|
#include "seastarx.hh"
|
|
|
|
extern "C" {
|
|
#include <crypt.h>
|
|
#include <unistd.h>
|
|
}
|
|
|
|
static auto rng_for_salt = std::default_random_engine(std::random_device{}());
|
|
|
|
//
|
|
// The same password hashed multiple times will result in different strings because the salt will be different.
|
|
//
|
|
SEASTAR_TEST_CASE(passwords_are_salted) {
|
|
const char* const cleartext = "my_excellent_password";
|
|
std::unordered_set<sstring> observed_passwords{};
|
|
|
|
for (int i = 0; i < 10; ++i) {
|
|
const sstring e = auth::passwords::hash(cleartext, rng_for_salt, auth::passwords::scheme::sha_512);
|
|
BOOST_REQUIRE(!observed_passwords.contains(e));
|
|
observed_passwords.insert(e);
|
|
}
|
|
co_return;
|
|
}
|
|
|
|
//
|
|
// A hashed password will authenticate against the same password in cleartext.
|
|
//
|
|
SEASTAR_TEST_CASE(correct_passwords_authenticate) {
|
|
// Common passwords.
|
|
std::array<const char*, 3> passwords{
|
|
"12345",
|
|
"1_am_the_greatest!",
|
|
"password1"
|
|
};
|
|
|
|
for (const char* p : passwords) {
|
|
BOOST_REQUIRE(co_await auth::passwords::check(p, auth::passwords::hash(p, rng_for_salt, auth::passwords::scheme::sha_512)));
|
|
}
|
|
}
|
|
|
|
std::string long_password(uint32_t len) {
|
|
std::string out;
|
|
auto pattern = "0123456789";
|
|
for (uint32_t i = 0; i < len; ++i) {
|
|
out.push_back(pattern[i % strlen(pattern)]);
|
|
}
|
|
|
|
return out;
|
|
}
|
|
|
|
SEASTAR_TEST_CASE(same_hashes_as_crypt_h) {
|
|
|
|
std::string long_pwd_254 = long_password(254);
|
|
std::string long_pwd_255 = long_password(255);
|
|
std::string long_pwd_511 = long_password(511);
|
|
|
|
std::array<const char*, 8> passwords{
|
|
"12345",
|
|
"1_am_the_greatest!",
|
|
"password1",
|
|
// Some special characters
|
|
"!@#$%^&*()_+-=[]{}|\n;:'\",.<>/?",
|
|
// UTF-8 characters
|
|
"こんにちは、世界!",
|
|
// Passwords close to __crypt_sha512 length limit
|
|
long_pwd_254.c_str(),
|
|
long_pwd_255.c_str(),
|
|
// Password of maximal accepted length
|
|
long_pwd_511.c_str(),
|
|
};
|
|
|
|
auto salt = "$6$aaaabbbbccccdddd";
|
|
|
|
for (const char* p : passwords) {
|
|
auto res = co_await auth::passwords::detail::hash_with_salt_async(p, salt);
|
|
BOOST_REQUIRE(res == auth::passwords::detail::hash_with_salt(p, salt));
|
|
}
|
|
}
|
|
|
|
SEASTAR_TEST_CASE(too_long_password) {
|
|
auto p1 = long_password(71);
|
|
auto p2 = long_password(72);
|
|
auto p3 = long_password(73);
|
|
auto too_long_password = long_password(512);
|
|
|
|
auto salt_bcrypt = "$2a$05$mAyzaIeJu41dWUkxEbn8hO";
|
|
auto h1_bcrypt = co_await auth::passwords::detail::hash_with_salt_async(p1, salt_bcrypt);
|
|
auto h2_bcrypt = co_await auth::passwords::detail::hash_with_salt_async(p2, salt_bcrypt);
|
|
auto h3_bcrypt = co_await auth::passwords::detail::hash_with_salt_async(p3, salt_bcrypt);
|
|
BOOST_REQUIRE(h1_bcrypt != h2_bcrypt);
|
|
|
|
// The check below documents the behavior of the current bcrypt
|
|
// implementation that compares only the first 72 bytes of the password.
|
|
// Although we don't typically use bcrypt for password hashing, it is
|
|
// possible to insert such a hash using`CREATE ROLE ... WITH HASHED PASSWORD ...`.
|
|
// Refs: scylladb/scylladb#26842
|
|
BOOST_REQUIRE(h2_bcrypt == h3_bcrypt);
|
|
|
|
// The current implementation of bcrypt password hasing fails with passwords of length 512 and above
|
|
BOOST_CHECK_THROW(co_await auth::passwords::detail::hash_with_salt_async(too_long_password, salt_bcrypt), std::system_error);
|
|
|
|
auto salt_sha512 = "$6$aaaabbbbccccdddd";
|
|
auto h1_sha512 = co_await auth::passwords::detail::hash_with_salt_async(p1, salt_sha512);
|
|
auto h2_sha512 = co_await auth::passwords::detail::hash_with_salt_async(p2, salt_sha512);
|
|
auto h3_sha512 = co_await auth::passwords::detail::hash_with_salt_async(p3, salt_sha512);
|
|
BOOST_REQUIRE(h1_sha512 != h2_sha512);
|
|
BOOST_REQUIRE(h2_sha512 != h3_sha512);
|
|
// The current implementation of SHA-512 password hasing fails with passwords of length 512 and above
|
|
BOOST_CHECK_THROW(co_await auth::passwords::detail::hash_with_salt_async(too_long_password, salt_sha512), std::system_error);
|
|
}
|
|
|
|
//
|
|
// A hashed password that does not match the password in cleartext does not authenticate.
|
|
//
|
|
SEASTAR_TEST_CASE(incorrect_passwords_do_not_authenticate) {
|
|
const sstring hashed_password = auth::passwords::hash("actual_password", rng_for_salt,auth::passwords::scheme::sha_512);
|
|
BOOST_REQUIRE(!co_await auth::passwords::check("password_guess", hashed_password));
|
|
}
|