fix: harden login for MLPS requirements
This commit is contained in:
@@ -0,0 +1,64 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/sha256"
|
||||
"crypto/x509"
|
||||
"encoding/base64"
|
||||
"encoding/pem"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestPasswordCipherDecryptsRSAOAEP256(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||
require.NoError(t, err)
|
||||
privatePEM := string(pem.EncodeToMemory(&pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(key),
|
||||
}))
|
||||
|
||||
cipher, err := NewPasswordCipher(privatePEM, "test-key")
|
||||
require.NoError(t, err)
|
||||
|
||||
encrypted, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, []byte("Admin@123"), nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
got, err := cipher.Decrypt(base64.StdEncoding.EncodeToString(encrypted), "test-key")
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, "Admin@123", got)
|
||||
}
|
||||
|
||||
func TestPasswordCipherRejectsWrongKeyID(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||
require.NoError(t, err)
|
||||
privatePEM := string(pem.EncodeToMemory(&pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(key),
|
||||
}))
|
||||
|
||||
cipher, err := NewPasswordCipher(privatePEM, "expected")
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = cipher.Decrypt("bad", "other")
|
||||
require.Error(t, err)
|
||||
require.Contains(t, err.Error(), "key id mismatch")
|
||||
}
|
||||
|
||||
func TestNewEphemeralPasswordCipherExposesPublicKey(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
cipher, err := NewEphemeralPasswordCipher("ephemeral")
|
||||
require.NoError(t, err)
|
||||
|
||||
publicKey := cipher.PublicKey()
|
||||
require.Equal(t, "ephemeral", publicKey.KeyID)
|
||||
require.Equal(t, "RSA-OAEP-256", publicKey.Algorithm)
|
||||
require.Contains(t, publicKey.PublicKey, "BEGIN PUBLIC KEY")
|
||||
}
|
||||
Reference in New Issue
Block a user