feat(authentication): file password algorithms (#3848)

This adds significant enhancements to the file auth provider including multiple additional algorithms.
author: James Elliott <james-d-elliott@users.noreply.github.com> 2022-10-17 21:51:59 +1100
committer: GitHub <noreply@github.com> 2022-10-17 21:51:59 +1100
commit: 3a70f6739b82a523fc8112a29ac156446253fc58 (patch)
tree: 9a888643c24bd3888f9fa49a11f1a61000cd0c38 /internal/configuration/validator/authentication_test.go
parent: 8eadf72dc776aa75cdb7337f7d54dff50cbf14ec (diff)
1 files changed, 409 insertions, 109 deletions
diff --git a/internal/configuration/validator/authentication_test.go b/internal/configuration/validator/authentication_test.go
index 9df81a38b..328e90590 100644
--- a/internal/configuration/validator/authentication_test.go
+++ b/internal/configuration/validator/authentication_test.go
@@ -14,22 +14,28 @@ import (
 
 func TestShouldRaiseErrorWhenBothBackendsProvided(t *testing.T) {
 	validator := schema.NewStructValidator()
-	backendConfig := schema.AuthenticationBackendConfiguration{}
+	backendConfig := schema.AuthenticationBackend{}
 
-	backendConfig.LDAP = &schema.LDAPAuthenticationBackendConfiguration{}
-	backendConfig.File = &schema.FileAuthenticationBackendConfiguration{
+	backendConfig.LDAP = &schema.LDAPAuthenticationBackend{}
+	backendConfig.File = &schema.FileAuthenticationBackend{
 		Path: "/tmp",
 	}
 
 	ValidateAuthenticationBackend(&backendConfig, validator)
 
-	require.Len(t, validator.Errors(), 1)
+	require.Len(t, validator.Errors(), 7)
 	assert.EqualError(t, validator.Errors()[0], "authentication_backend: please ensure only one of the 'file' or 'ldap' backend is configured")
+	assert.EqualError(t, validator.Errors()[1], "authentication_backend: ldap: option 'url' is required")
+	assert.EqualError(t, validator.Errors()[2], "authentication_backend: ldap: option 'user' is required")
+	assert.EqualError(t, validator.Errors()[3], "authentication_backend: ldap: option 'password' is required")
+	assert.EqualError(t, validator.Errors()[4], "authentication_backend: ldap: option 'base_dn' is required")
+	assert.EqualError(t, validator.Errors()[5], "authentication_backend: ldap: option 'users_filter' is required")
+	assert.EqualError(t, validator.Errors()[6], "authentication_backend: ldap: option 'groups_filter' is required")
 }
 
 func TestShouldRaiseErrorWhenNoBackendProvided(t *testing.T) {
 	validator := schema.NewStructValidator()
-	backendConfig := schema.AuthenticationBackendConfiguration{}
+	backendConfig := schema.AuthenticationBackend{}
 
 	ValidateAuthenticationBackend(&backendConfig, validator)
 
@@ -39,23 +45,18 @@ func TestShouldRaiseErrorWhenNoBackendProvided(t *testing.T) {
 
 type FileBasedAuthenticationBackend struct {
 	suite.Suite
-	config    schema.AuthenticationBackendConfiguration
+	config    schema.AuthenticationBackend
 	validator *schema.StructValidator
 }
 
 func (suite *FileBasedAuthenticationBackend) SetupTest() {
+	password := schema.DefaultPasswordConfig
+
 	suite.validator = schema.NewStructValidator()
-	suite.config = schema.AuthenticationBackendConfiguration{}
-	suite.config.File = &schema.FileAuthenticationBackendConfiguration{Path: "/a/path", Password: &schema.PasswordConfiguration{
-		Algorithm:   schema.DefaultPasswordConfiguration.Algorithm,
-		Iterations:  schema.DefaultPasswordConfiguration.Iterations,
-		Parallelism: schema.DefaultPasswordConfiguration.Parallelism,
-		Memory:      schema.DefaultPasswordConfiguration.Memory,
-		KeyLength:   schema.DefaultPasswordConfiguration.KeyLength,
-		SaltLength:  schema.DefaultPasswordConfiguration.SaltLength,
-	}}
-	suite.config.File.Password.Algorithm = schema.DefaultPasswordConfiguration.Algorithm
+	suite.config = schema.AuthenticationBackend{}
+	suite.config.File = &schema.FileAuthenticationBackend{Path: "/a/path", Password: password}
 }
+
 func (suite *FileBasedAuthenticationBackend) TestShouldValidateCompleteConfiguration() {
 	ValidateAuthenticationBackend(&suite.config, suite.validator)
 
@@ -74,161 +75,429 @@ func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenNoPathProvi
 	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: option 'path' is required")
 }
 
-func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenMemoryNotMoreThanEightTimesParallelism() {
-	suite.config.File.Password.Memory = 8
-	suite.config.File.Password.Parallelism = 2
+func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultConfigurationWhenBlank() {
+	suite.config.File.Password = schema.Password{}
+
+	suite.Assert().Equal(0, suite.config.File.Password.KeyLength)
+	suite.Assert().Equal(0, suite.config.File.Password.Iterations)
+	suite.Assert().Equal(0, suite.config.File.Password.SaltLength)
+	suite.Assert().Equal("", suite.config.File.Password.Algorithm)
+	suite.Assert().Equal(0, suite.config.File.Password.Memory)
+	suite.Assert().Equal(0, suite.config.File.Password.Parallelism)
 
 	ValidateAuthenticationBackend(&suite.config, suite.validator)
 
 	suite.Assert().Len(suite.validator.Warnings(), 0)
-	suite.Require().Len(suite.validator.Errors(), 1)
+	suite.Assert().Len(suite.validator.Errors(), 0)
 
-	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: option 'memory' must at least be parallelism multiplied by 8 when using algorithm 'argon2id' with parallelism 2 it should be at least 16 but it is configured as '8'")
+	suite.Assert().Equal(schema.DefaultPasswordConfig.KeyLength, suite.config.File.Password.KeyLength)
+	suite.Assert().Equal(schema.DefaultPasswordConfig.Iterations, suite.config.File.Password.Iterations)
+	suite.Assert().Equal(schema.DefaultPasswordConfig.SaltLength, suite.config.File.Password.SaltLength)
+	suite.Assert().Equal(schema.DefaultPasswordConfig.Algorithm, suite.config.File.Password.Algorithm)
+	suite.Assert().Equal(schema.DefaultPasswordConfig.Memory, suite.config.File.Password.Memory)
+	suite.Assert().Equal(schema.DefaultPasswordConfig.Parallelism, suite.config.File.Password.Parallelism)
 }
 
-func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultConfigurationWhenBlank() {
-	suite.config.File.Password = &schema.PasswordConfiguration{}
+func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationSHA512() {
+	suite.config.File.Password = schema.Password{}
+	suite.Assert().Equal("", suite.config.File.Password.Algorithm)
 
-	suite.Assert().Equal(0, suite.config.File.Password.KeyLength)
-	suite.Assert().Equal(0, suite.config.File.Password.Iterations)
-	suite.Assert().Equal(0, suite.config.File.Password.SaltLength)
+	suite.config.File.Password = schema.Password{
+		Algorithm:  digestSHA512,
+		Iterations: 1000000,
+		SaltLength: 8,
+	}
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Assert().Len(suite.validator.Errors(), 0)
+
+	suite.Assert().Equal(hashSHA2Crypt, suite.config.File.Password.Algorithm)
+	suite.Assert().Equal(digestSHA512, suite.config.File.Password.SHA2Crypt.Variant)
+	suite.Assert().Equal(1000000, suite.config.File.Password.SHA2Crypt.Iterations)
+	suite.Assert().Equal(8, suite.config.File.Password.SHA2Crypt.SaltLength)
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationSHA512ButNotOverride() {
+	suite.config.File.Password = schema.Password{}
 	suite.Assert().Equal("", suite.config.File.Password.Algorithm)
-	suite.Assert().Equal(0, suite.config.File.Password.Memory)
-	suite.Assert().Equal(0, suite.config.File.Password.Parallelism)
+
+	suite.config.File.Password = schema.Password{
+		Algorithm:  digestSHA512,
+		Iterations: 1000000,
+		SaltLength: 8,
+		SHA2Crypt: schema.SHA2CryptPassword{
+			Variant:    digestSHA256,
+			Iterations: 50000,
+			SaltLength: 12,
+		},
+	}
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Assert().Len(suite.validator.Errors(), 0)
+
+	suite.Assert().Equal(hashSHA2Crypt, suite.config.File.Password.Algorithm)
+	suite.Assert().Equal(digestSHA256, suite.config.File.Password.SHA2Crypt.Variant)
+	suite.Assert().Equal(50000, suite.config.File.Password.SHA2Crypt.Iterations)
+	suite.Assert().Equal(12, suite.config.File.Password.SHA2Crypt.SaltLength)
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationSHA512Alt() {
+	suite.config.File.Password = schema.Password{}
+	suite.Assert().Equal("", suite.config.File.Password.Algorithm)
+
+	suite.config.File.Password = schema.Password{
+		Algorithm:  digestSHA512,
+		Iterations: 1000000,
+		SaltLength: 64,
+	}
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Assert().Len(suite.validator.Errors(), 0)
+
+	suite.Assert().Equal(hashSHA2Crypt, suite.config.File.Password.Algorithm)
+	suite.Assert().Equal(digestSHA512, suite.config.File.Password.SHA2Crypt.Variant)
+	suite.Assert().Equal(1000000, suite.config.File.Password.SHA2Crypt.Iterations)
+	suite.Assert().Equal(16, suite.config.File.Password.SHA2Crypt.SaltLength)
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationArgon2() {
+	suite.config.File.Password = schema.Password{}
+	suite.Assert().Equal("", suite.config.File.Password.Algorithm)
+
+	suite.config.File.Password = schema.Password{
+		Algorithm:   "argon2id",
+		Iterations:  4,
+		Memory:      1024,
+		Parallelism: 4,
+		KeyLength:   64,
+		SaltLength:  64,
+	}
 
 	ValidateAuthenticationBackend(&suite.config, suite.validator)
 
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Assert().Len(suite.validator.Errors(), 0)
 
-	suite.Assert().Equal(schema.DefaultPasswordConfiguration.KeyLength, suite.config.File.Password.KeyLength)
-	suite.Assert().Equal(schema.DefaultPasswordConfiguration.Iterations, suite.config.File.Password.Iterations)
-	suite.Assert().Equal(schema.DefaultPasswordConfiguration.SaltLength, suite.config.File.Password.SaltLength)
-	suite.Assert().Equal(schema.DefaultPasswordConfiguration.Algorithm, suite.config.File.Password.Algorithm)
-	suite.Assert().Equal(schema.DefaultPasswordConfiguration.Memory, suite.config.File.Password.Memory)
-	suite.Assert().Equal(schema.DefaultPasswordConfiguration.Parallelism, suite.config.File.Password.Parallelism)
+	suite.Assert().Equal("argon2", suite.config.File.Password.Algorithm)
+	suite.Assert().Equal("argon2id", suite.config.File.Password.Argon2.Variant)
+	suite.Assert().Equal(4, suite.config.File.Password.Argon2.Iterations)
+	suite.Assert().Equal(1048576, suite.config.File.Password.Argon2.Memory)
+	suite.Assert().Equal(4, suite.config.File.Password.Argon2.Parallelism)
+	suite.Assert().Equal(64, suite.config.File.Password.Argon2.KeyLength)
+	suite.Assert().Equal(64, suite.config.File.Password.Argon2.SaltLength)
 }
 
-func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultConfigurationWhenOnlySHA512Set() {
-	suite.config.File.Password = &schema.PasswordConfiguration{}
+func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationArgon2ButNotOverride() {
+	suite.config.File.Password = schema.Password{}
 	suite.Assert().Equal("", suite.config.File.Password.Algorithm)
-	suite.config.File.Password.Algorithm = "sha512"
+
+	suite.config.File.Password = schema.Password{
+		Algorithm:   "argon2id",
+		Iterations:  4,
+		Memory:      1024,
+		Parallelism: 4,
+		KeyLength:   64,
+		SaltLength:  64,
+		Argon2: schema.Argon2Password{
+			Variant:     "argon2d",
+			Iterations:  1,
+			Memory:      2048,
+			Parallelism: 1,
+			KeyLength:   32,
+			SaltLength:  32,
+		},
+	}
 
 	ValidateAuthenticationBackend(&suite.config, suite.validator)
 
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Assert().Len(suite.validator.Errors(), 0)
 
-	suite.Assert().Equal(schema.DefaultPasswordSHA512Configuration.KeyLength, suite.config.File.Password.KeyLength)
-	suite.Assert().Equal(schema.DefaultPasswordSHA512Configuration.Iterations, suite.config.File.Password.Iterations)
-	suite.Assert().Equal(schema.DefaultPasswordSHA512Configuration.SaltLength, suite.config.File.Password.SaltLength)
-	suite.Assert().Equal(schema.DefaultPasswordSHA512Configuration.Algorithm, suite.config.File.Password.Algorithm)
-	suite.Assert().Equal(schema.DefaultPasswordSHA512Configuration.Memory, suite.config.File.Password.Memory)
-	suite.Assert().Equal(schema.DefaultPasswordSHA512Configuration.Parallelism, suite.config.File.Password.Parallelism)
+	suite.Assert().Equal("argon2", suite.config.File.Password.Algorithm)
+	suite.Assert().Equal("argon2d", suite.config.File.Password.Argon2.Variant)
+	suite.Assert().Equal(1, suite.config.File.Password.Argon2.Iterations)
+	suite.Assert().Equal(2048, suite.config.File.Password.Argon2.Memory)
+	suite.Assert().Equal(1, suite.config.File.Password.Argon2.Parallelism)
+	suite.Assert().Equal(32, suite.config.File.Password.Argon2.KeyLength)
+	suite.Assert().Equal(32, suite.config.File.Password.Argon2.SaltLength)
 }
-func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenKeyLengthTooLow() {
-	suite.config.File.Password.KeyLength = 1
+
+func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationWhenOnlySHA512Set() {
+	suite.config.File.Password = schema.Password{}
+	suite.Assert().Equal("", suite.config.File.Password.Algorithm)
+	suite.config.File.Password.Algorithm = digestSHA512
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Assert().Len(suite.validator.Errors(), 0)
+
+	suite.Assert().Equal(hashSHA2Crypt, suite.config.File.Password.Algorithm)
+	suite.Assert().Equal(digestSHA512, suite.config.File.Password.SHA2Crypt.Variant)
+	suite.Assert().Equal(schema.DefaultPasswordConfig.SHA2Crypt.Iterations, suite.config.File.Password.SHA2Crypt.Iterations)
+	suite.Assert().Equal(schema.DefaultPasswordConfig.SHA2Crypt.SaltLength, suite.config.File.Password.SHA2Crypt.SaltLength)
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidArgon2Variant() {
+	suite.config.File.Password = schema.Password{}
+	suite.Assert().Equal("", suite.config.File.Password.Algorithm)
+	suite.config.File.Password.Algorithm = "argon2"
+	suite.config.File.Password.Argon2.Variant = testInvalid
 
 	ValidateAuthenticationBackend(&suite.config, suite.validator)
 
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Require().Len(suite.validator.Errors(), 1)
 
-	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: option 'key_length' must be 16 or more when using algorithm 'argon2id' but it is configured as '1'")
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'variant' is configured as 'invalid' but must be one of the following values: 'argon2id', 'id', 'argon2i', 'i', 'argon2d', 'd'")
 }
 
-func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSaltLengthTooLow() {
-	suite.config.File.Password.SaltLength = -1
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidSHA2CryptVariant() {
+	suite.config.File.Password = schema.Password{}
+	suite.Assert().Equal("", suite.config.File.Password.Algorithm)
+	suite.config.File.Password.Algorithm = hashSHA2Crypt
+	suite.config.File.Password.SHA2Crypt.Variant = testInvalid
 
 	ValidateAuthenticationBackend(&suite.config, suite.validator)
 
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Require().Len(suite.validator.Errors(), 1)
 
-	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: option 'salt_length' must be 2 or more but it is configured a '-1'")
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: sha2crypt: option 'variant' is configured as 'invalid' but must be one of the following values: 'sha256', 'sha512'")
 }
 
-func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenBadAlgorithmDefined() {
-	suite.config.File.Password.Algorithm = "bogus"
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidSHA2CryptSaltLength() {
+	suite.config.File.Password = schema.Password{}
+	suite.Assert().Equal("", suite.config.File.Password.Algorithm)
+	suite.config.File.Password.Algorithm = hashSHA2Crypt
+	suite.config.File.Password.SHA2Crypt.SaltLength = 40
 
 	ValidateAuthenticationBackend(&suite.config, suite.validator)
 
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Require().Len(suite.validator.Errors(), 1)
 
-	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: option 'algorithm' must be either 'argon2id' or 'sha512' but it is configured as 'bogus'")
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: sha2crypt: option 'salt_length' is configured as '40' but must be less than or equal to '16'")
 }
 
-func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenIterationsTooLow() {
-	suite.config.File.Password.Iterations = -1
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidPBKDF2Variant() {
+	suite.config.File.Password = schema.Password{}
+	suite.Assert().Equal("", suite.config.File.Password.Algorithm)
+	suite.config.File.Password.Algorithm = "pbkdf2"
+	suite.config.File.Password.PBKDF2.Variant = testInvalid
 
 	ValidateAuthenticationBackend(&suite.config, suite.validator)
 
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Require().Len(suite.validator.Errors(), 1)
 
-	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: option 'iterations' must be 1 or more but it is configured as '-1'")
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: pbkdf2: option 'variant' is configured as 'invalid' but must be one of the following values: 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'")
 }
 
-func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenParallelismTooLow() {
-	suite.config.File.Password.Parallelism = -1
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidBCryptVariant() {
+	suite.config.File.Password = schema.Password{}
+	suite.Assert().Equal("", suite.config.File.Password.Algorithm)
+	suite.config.File.Password.Algorithm = "bcrypt"
+	suite.config.File.Password.BCrypt.Variant = testInvalid
 
 	ValidateAuthenticationBackend(&suite.config, suite.validator)
 
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Require().Len(suite.validator.Errors(), 1)
 
-	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: option 'parallelism' must be 1 or more when using algorithm 'argon2id' but it is configured as '-1'")
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: bcrypt: option 'variant' is configured as 'invalid' but must be one of the following values: 'standard', 'sha256'")
 }
 
-func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultValues() {
-	suite.config.File.Password.Algorithm = ""
-	suite.config.File.Password.Iterations = 0
-	suite.config.File.Password.SaltLength = 0
-	suite.config.File.Password.Memory = 0
-	suite.config.File.Password.Parallelism = 0
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSHA2CryptOptionsTooLow() {
+	suite.config.File.Password.SHA2Crypt.Iterations = -1
+	suite.config.File.Password.SHA2Crypt.SaltLength = -1
 
 	ValidateAuthenticationBackend(&suite.config, suite.validator)
 
 	suite.Assert().Len(suite.validator.Warnings(), 0)
-	suite.Assert().Len(suite.validator.Errors(), 0)
+	suite.Require().Len(suite.validator.Errors(), 2)
 
-	suite.Assert().Equal(schema.DefaultPasswordConfiguration.Algorithm, suite.config.File.Password.Algorithm)
-	suite.Assert().Equal(schema.DefaultPasswordConfiguration.Iterations, suite.config.File.Password.Iterations)
-	suite.Assert().Equal(schema.DefaultPasswordConfiguration.SaltLength, suite.config.File.Password.SaltLength)
-	suite.Assert().Equal(schema.DefaultPasswordConfiguration.Memory, suite.config.File.Password.Memory)
-	suite.Assert().Equal(schema.DefaultPasswordConfiguration.Parallelism, suite.config.File.Password.Parallelism)
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: sha2crypt: option 'iterations' is configured as '-1' but must be greater than or equal to '1000'")
+	suite.Assert().EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: sha2crypt: option 'salt_length' is configured as '-1' but must be greater than or equal to '1'")
 }
 
-func TestFileBasedAuthenticationBackend(t *testing.T) {
-	suite.Run(t, new(FileBasedAuthenticationBackend))
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSHA2CryptOptionsTooHigh() {
+	suite.config.File.Password.SHA2Crypt.Iterations = 999999999999
+	suite.config.File.Password.SHA2Crypt.SaltLength = 99
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 2)
+
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: sha2crypt: option 'iterations' is configured as '999999999999' but must be less than or equal to '999999999'")
+	suite.Assert().EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: sha2crypt: option 'salt_length' is configured as '99' but must be less than or equal to '16'")
 }
 
-type LDAPAuthenticationBackendSuite struct {
-	suite.Suite
-	config    schema.AuthenticationBackendConfiguration
-	validator *schema.StructValidator
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenPBKDF2OptionsTooLow() {
+	suite.config.File.Password.PBKDF2.Iterations = -1
+	suite.config.File.Password.PBKDF2.SaltLength = -1
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 2)
+
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: pbkdf2: option 'iterations' is configured as '-1' but must be greater than or equal to '100000'")
+	suite.Assert().EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: pbkdf2: option 'salt_length' is configured as '-1' but must be greater than or equal to '8'")
 }
 
-func (suite *LDAPAuthenticationBackendSuite) SetupTest() {
-	suite.validator = schema.NewStructValidator()
-	suite.config = schema.AuthenticationBackendConfiguration{}
-	suite.config.LDAP = &schema.LDAPAuthenticationBackendConfiguration{}
-	suite.config.LDAP.Implementation = schema.LDAPImplementationCustom
-	suite.config.LDAP.URL = testLDAPURL
-	suite.config.LDAP.User = testLDAPUser
-	suite.config.LDAP.Password = testLDAPPassword
-	suite.config.LDAP.BaseDN = testLDAPBaseDN
-	suite.config.LDAP.UsernameAttribute = "uid"
-	suite.config.LDAP.UsersFilter = "({username_attribute}={input})"
-	suite.config.LDAP.GroupsFilter = "(cn={input})"
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenPBKDF2OptionsTooHigh() {
+	suite.config.File.Password.PBKDF2.Iterations = 2147483649
+	suite.config.File.Password.PBKDF2.SaltLength = 2147483650
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 2)
+
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: pbkdf2: option 'iterations' is configured as '2147483649' but must be less than or equal to '2147483647'")
+	suite.Assert().EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: pbkdf2: option 'salt_length' is configured as '2147483650' but must be less than or equal to '2147483647'")
 }
 
-func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateCompleteConfiguration() {
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenBCryptOptionsTooLow() {
+	suite.config.File.Password.BCrypt.Cost = -1
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 1)
+
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: bcrypt: option 'cost' is configured as '-1' but must be greater than or equal to '10'")
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenBCryptOptionsTooHigh() {
+	suite.config.File.Password.BCrypt.Cost = 900
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 1)
+
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: bcrypt: option 'cost' is configured as '900' but must be less than or equal to '31'")
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSCryptOptionsTooLow() {
+	suite.config.File.Password.SCrypt.Iterations = -1
+	suite.config.File.Password.SCrypt.BlockSize = -21
+	suite.config.File.Password.SCrypt.Parallelism = -11
+	suite.config.File.Password.SCrypt.KeyLength = -77
+	suite.config.File.Password.SCrypt.SaltLength = 7
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 5)
+
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: scrypt: option 'iterations' is configured as '-1' but must be greater than or equal to '1'")
+	suite.Assert().EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: scrypt: option 'block_size' is configured as '-21' but must be greater than or equal to '1'")
+	suite.Assert().EqualError(suite.validator.Errors()[2], "authentication_backend: file: password: scrypt: option 'parallelism' is configured as '-11' but must be greater than or equal to '1'")
+	suite.Assert().EqualError(suite.validator.Errors()[3], "authentication_backend: file: password: scrypt: option 'key_length' is configured as '-77' but must be greater than or equal to '1'")
+	suite.Assert().EqualError(suite.validator.Errors()[4], "authentication_backend: file: password: scrypt: option 'salt_length' is configured as '7' but must be greater than or equal to '8'")
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSCryptOptionsTooHigh() {
+	suite.config.File.Password.SCrypt.BlockSize = 360287970189639672
+	suite.config.File.Password.SCrypt.KeyLength = 1374389534409
+	suite.config.File.Password.SCrypt.SaltLength = 2147483647
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 3)
+
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: scrypt: option 'block_size' is configured as '360287970189639672' but must be less than or equal to '36028797018963967'")
+	suite.Assert().EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: scrypt: option 'key_length' is configured as '1374389534409' but must be less than or equal to '137438953440'")
+	suite.Assert().EqualError(suite.validator.Errors()[2], "authentication_backend: file: password: scrypt: option 'salt_length' is configured as '2147483647' but must be less than or equal to '1024'")
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2OptionsTooLow() {
+	suite.config.File.Password.Argon2.Iterations = -1
+	suite.config.File.Password.Argon2.Memory = -1
+	suite.config.File.Password.Argon2.Parallelism = -1
+	suite.config.File.Password.Argon2.KeyLength = 1
+	suite.config.File.Password.Argon2.SaltLength = -1
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 5)
+
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'iterations' is configured as '-1' but must be greater than or equal to '1'")
+	suite.Assert().EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: argon2: option 'parallelism' is configured as '-1' but must be greater than or equal to '1'")
+	suite.Assert().EqualError(suite.validator.Errors()[2], "authentication_backend: file: password: argon2: option 'memory' is configured as '-1' but must be greater than or equal to '1'")
+	suite.Assert().EqualError(suite.validator.Errors()[3], "authentication_backend: file: password: argon2: option 'key_length' is configured as '1' but must be greater than or equal to '4'")
+	suite.Assert().EqualError(suite.validator.Errors()[4], "authentication_backend: file: password: argon2: option 'salt_length' is configured as '-1' but must be greater than or equal to '1'")
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2OptionsTooHigh() {
+	suite.config.File.Password.Argon2.Iterations = 9999999999
+	suite.config.File.Password.Argon2.Parallelism = 16777216
+	suite.config.File.Password.Argon2.KeyLength = 9999999998
+	suite.config.File.Password.Argon2.SaltLength = 9999999997
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 5)
+
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'iterations' is configured as '9999999999' but must be less than or equal to '2147483647'")
+	suite.Assert().EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: argon2: option 'parallelism' is configured as '16777216' but must be less than or equal to '16777215'")
+	suite.Assert().EqualError(suite.validator.Errors()[3], "authentication_backend: file: password: argon2: option 'key_length' is configured as '9999999998' but must be less than or equal to '2147483647'")
+	suite.Assert().EqualError(suite.validator.Errors()[4], "authentication_backend: file: password: argon2: option 'salt_length' is configured as '9999999997' but must be less than or equal to '2147483647'")
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2MemoryTooLow() {
+	suite.config.File.Password.Argon2.Memory = 4
+	suite.config.File.Password.Argon2.Parallelism = 4
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 1)
+
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'memory' is configured as '4' but must be greater than or equal to '32' or '4' (the value of 'parallelism) multiplied by '8'")
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenBadAlgorithmDefined() {
+	suite.config.File.Password.Algorithm = "bogus"
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 1)
+
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: option 'algorithm' is configured as 'bogus' but must be one of the following values: 'sha2crypt', 'pbkdf2', 'scrypt', 'bcrypt', 'argon2'")
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultValues() {
+	suite.config.File.Password.Algorithm = ""
+	suite.config.File.Password.Iterations = 0
+	suite.config.File.Password.SaltLength = 0
+	suite.config.File.Password.Memory = 0
+	suite.config.File.Password.Parallelism = 0
+
 	ValidateAuthenticationBackend(&suite.config, suite.validator)
 
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Assert().Len(suite.validator.Errors(), 0)
+
+	suite.Assert().Equal(schema.DefaultPasswordConfig.Algorithm, suite.config.File.Password.Algorithm)
+	suite.Assert().Equal(schema.DefaultPasswordConfig.Iterations, suite.config.File.Password.Iterations)
+	suite.Assert().Equal(schema.DefaultPasswordConfig.SaltLength, suite.config.File.Password.SaltLength)
+	suite.Assert().Equal(schema.DefaultPasswordConfig.Memory, suite.config.File.Password.Memory)
+	suite.Assert().Equal(schema.DefaultPasswordConfig.Parallelism, suite.config.File.Password.Parallelism)
 }
 
 func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenResetURLIsInvalid() {
@@ -270,6 +539,37 @@ func (suite *FileBasedAuthenticationBackend) TestShouldConfigureDisableResetPass
 	suite.Assert().False(suite.config.PasswordReset.Disable)
 }
 
+func TestFileBasedAuthenticationBackend(t *testing.T) {
+	suite.Run(t, new(FileBasedAuthenticationBackend))
+}
+
+type LDAPAuthenticationBackendSuite struct {
+	suite.Suite
+	config    schema.AuthenticationBackend
+	validator *schema.StructValidator
+}
+
+func (suite *LDAPAuthenticationBackendSuite) SetupTest() {
+	suite.validator = schema.NewStructValidator()
+	suite.config = schema.AuthenticationBackend{}
+	suite.config.LDAP = &schema.LDAPAuthenticationBackend{}
+	suite.config.LDAP.Implementation = schema.LDAPImplementationCustom
+	suite.config.LDAP.URL = testLDAPURL
+	suite.config.LDAP.User = testLDAPUser
+	suite.config.LDAP.Password = testLDAPPassword
+	suite.config.LDAP.BaseDN = testLDAPBaseDN
+	suite.config.LDAP.UsernameAttribute = "uid"
+	suite.config.LDAP.UsersFilter = "({username_attribute}={input})"
+	suite.config.LDAP.GroupsFilter = "(cn={input})"
+}
+
+func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateCompleteConfiguration() {
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Assert().Len(suite.validator.Errors(), 0)
+}
+
 func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateDefaultImplementationAndUsernameAttribute() {
 	suite.config.LDAP.Implementation = ""
 	suite.config.LDAP.UsernameAttribute = ""
@@ -277,7 +577,7 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateDefaultImplementa
 
 	suite.Assert().Equal(schema.LDAPImplementationCustom, suite.config.LDAP.Implementation)
 
-	suite.Assert().Equal(suite.config.LDAP.UsernameAttribute, schema.DefaultLDAPAuthenticationBackendConfiguration.UsernameAttribute)
+	suite.Assert().Equal(suite.config.LDAP.UsernameAttribute, schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.UsernameAttribute)
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Assert().Len(suite.validator.Errors(), 0)
 }
@@ -490,7 +790,7 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultTLSMinimumVersi
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Assert().Len(suite.validator.Errors(), 0)
 
-	suite.Assert().Equal(schema.DefaultLDAPAuthenticationBackendConfiguration.TLS.MinimumVersion, suite.config.LDAP.TLS.MinimumVersion)
+	suite.Assert().Equal(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.TLS.MinimumVersion, suite.config.LDAP.TLS.MinimumVersion)
 }
 
 func (suite *LDAPAuthenticationBackendSuite) TestShouldNotAllowInvalidTLSValue() {
@@ -512,20 +812,20 @@ func TestLdapAuthenticationBackend(t *testing.T) {
 
 type ActiveDirectoryAuthenticationBackendSuite struct {
 	suite.Suite
-	config    schema.AuthenticationBackendConfiguration
+	config    schema.AuthenticationBackend
 	validator *schema.StructValidator
 }
 
 func (suite *ActiveDirectoryAuthenticationBackendSuite) SetupTest() {
 	suite.validator = schema.NewStructValidator()
-	suite.config = schema.AuthenticationBackendConfiguration{}
-	suite.config.LDAP = &schema.LDAPAuthenticationBackendConfiguration{}
+	suite.config = schema.AuthenticationBackend{}
+	suite.config.LDAP = &schema.LDAPAuthenticationBackend{}
 	suite.config.LDAP.Implementation = schema.LDAPImplementationActiveDirectory
 	suite.config.LDAP.URL = testLDAPURL
 	suite.config.LDAP.User = testLDAPUser
 	suite.config.LDAP.Password = testLDAPPassword
 	suite.config.LDAP.BaseDN = testLDAPBaseDN
-	suite.config.LDAP.TLS = schema.DefaultLDAPAuthenticationBackendConfiguration.TLS
+	suite.config.LDAP.TLS = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.TLS
 }
 
 func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldSetActiveDirectoryDefaults() {
@@ -535,25 +835,25 @@ func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldSetActiveDirec
 	suite.Assert().Len(suite.validator.Errors(), 0)
 
 	suite.Assert().Equal(
-		schema.DefaultLDAPAuthenticationBackendConfiguration.Timeout,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Timeout,
 		suite.config.LDAP.Timeout)
 	suite.Assert().Equal(
-		schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.UsersFilter,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsersFilter,
 		suite.config.LDAP.UsersFilter)
 	suite.Assert().Equal(
-		schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.UsernameAttribute,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsernameAttribute,
 		suite.config.LDAP.UsernameAttribute)
 	suite.Assert().Equal(
-		schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.DisplayNameAttribute,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.DisplayNameAttribute,
 		suite.config.LDAP.DisplayNameAttribute)
 	suite.Assert().Equal(
-		schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.MailAttribute,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.MailAttribute,
 		suite.config.LDAP.MailAttribute)
 	suite.Assert().Equal(
-		schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.GroupsFilter,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupsFilter,
 		suite.config.LDAP.GroupsFilter)
 	suite.Assert().Equal(
-		schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.GroupNameAttribute,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupNameAttribute,
 		suite.config.LDAP.GroupNameAttribute)
 }
 
@@ -569,25 +869,25 @@ func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldOnlySetDefault
 	ValidateAuthenticationBackend(&suite.config, suite.validator)
 
 	suite.Assert().NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfiguration.Timeout,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Timeout,
 		suite.config.LDAP.Timeout)
 	suite.Assert().NotEqual(
-		schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.UsersFilter,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsersFilter,
 		suite.config.LDAP.UsersFilter)
 	suite.Assert().NotEqual(
-		schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.UsernameAttribute,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsernameAttribute,
 		suite.config.LDAP.UsernameAttribute)
 	suite.Assert().NotEqual(
-		schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.DisplayNameAttribute,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.DisplayNameAttribute,
 		suite.config.LDAP.DisplayNameAttribute)
 	suite.Assert().NotEqual(
-		schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.MailAttribute,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.MailAttribute,
 		suite.config.LDAP.MailAttribute)
 	suite.Assert().NotEqual(
-		schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.GroupsFilter,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupsFilter,
 		suite.config.LDAP.GroupsFilter)
 	suite.Assert().NotEqual(
-		schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.GroupNameAttribute,
+		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupNameAttribute,
 		suite.config.LDAP.GroupNameAttribute)
 }
author	James Elliott <james-d-elliott@users.noreply.github.com>	2022-10-17 21:51:59 +1100
committer	GitHub <noreply@github.com>	2022-10-17 21:51:59 +1100
commit	3a70f6739b82a523fc8112a29ac156446253fc58 (patch)
tree	9a888643c24bd3888f9fa49a11f1a61000cd0c38 /internal/configuration/validator/authentication_test.go
parent	8eadf72dc776aa75cdb7337f7d54dff50cbf14ec (diff)