package app import ( "crypto/rand" "crypto/rsa" "crypto/sha256" "crypto/x509" "encoding/base64" "encoding/pem" "testing" sharedauth "github.com/geo-platform/tenant-api/internal/shared/auth" "github.com/geo-platform/tenant-api/internal/shared/response" "github.com/stretchr/testify/require" ) func TestOpsAuthLoginPasswordDecryptsEncryptedPassword(t *testing.T) { t.Parallel() key, err := rsa.GenerateKey(rand.Reader, 2048) require.NoError(t, err) privatePEM := string(pem.EncodeToMemory(&pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key), })) cipher, err := sharedauth.NewPasswordCipher(privatePEM, "ops-test-key") require.NoError(t, err) encrypted, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, []byte("Ops@1234"), nil) require.NoError(t, err) svc := (&AuthService{}).WithPasswordCipher(cipher) got, err := svc.loginPassword(LoginInput{ EncryptedPassword: base64.StdEncoding.EncodeToString(encrypted), PasswordKeyID: "ops-test-key", }) require.NoError(t, err) require.Equal(t, "Ops@1234", got) } func TestOpsAuthLoginPasswordAllowsPlainPasswordCompatibility(t *testing.T) { t.Parallel() got, err := (&AuthService{}).loginPassword(LoginInput{Password: "Ops@1234"}) require.NoError(t, err) require.Equal(t, "Ops@1234", got) } func TestOpsAuthLoginPasswordRejectsEncryptedWhenCipherMissing(t *testing.T) { t.Parallel() _, err := (&AuthService{}).loginPassword(LoginInput{EncryptedPassword: "abc"}) require.Error(t, err) appErr, ok := err.(*response.AppError) require.True(t, ok) require.Equal(t, "password_cipher_unavailable", appErr.Message) }