func (s *UserSuite) TestPasswordValidUpdatesSalt(c *gc.C) {
user := s.Factory.MakeUser(c, nil)
compatHash := utils.UserPasswordHash("foo", utils.CompatSalt)
err := user.SetPasswordHash(compatHash, "")
c.Assert(err, jc.ErrorIsNil)
beforeSalt, beforeHash := state.GetUserPasswordSaltAndHash(user)
c.Assert(beforeSalt, gc.Equals, "")
c.Assert(beforeHash, gc.Equals, compatHash)
c.Assert(user.PasswordValid("bar"), jc.IsFalse)
// A bad password doesn't trigger a rewrite
afterBadSalt, afterBadHash := state.GetUserPasswordSaltAndHash(user)
c.Assert(afterBadSalt, gc.Equals, "")
c.Assert(afterBadHash, gc.Equals, compatHash)
// When we get a valid check, we then add a salt and rewrite the hash
c.Assert(user.PasswordValid("foo"), jc.IsTrue)
afterSalt, afterHash := state.GetUserPasswordSaltAndHash(user)
c.Assert(afterSalt, gc.Not(gc.Equals), "")
c.Assert(afterHash, gc.Not(gc.Equals), compatHash)
c.Assert(afterHash, gc.Equals, utils.UserPasswordHash("foo", afterSalt))
// running PasswordValid again doesn't trigger another rewrite
c.Assert(user.PasswordValid("foo"), jc.IsTrue)
lastSalt, lastHash := state.GetUserPasswordSaltAndHash(user)
c.Assert(lastSalt, gc.Equals, afterSalt)
c.Assert(lastHash, gc.Equals, afterHash)
}
func (s *UserSuite) TestSetPasswordChangesSalt(c *gc.C) {
user := s.Factory.MakeUser(c, nil)
origSalt, origHash := state.GetUserPasswordSaltAndHash(user)
c.Assert(origSalt, gc.Not(gc.Equals), "")
user.SetPassword("a-password")
newSalt, newHash := state.GetUserPasswordSaltAndHash(user)
c.Assert(newSalt, gc.Not(gc.Equals), "")
c.Assert(newSalt, gc.Not(gc.Equals), origSalt)
c.Assert(newHash, gc.Not(gc.Equals), origHash)
c.Assert(user.PasswordValid("a-password"), jc.IsTrue)
}
func (s *UserSuite) TestSetPasswordChangesSalt(c *gc.C) {
user := s.factory.MakeAnyUser()
origSalt, origHash := state.GetUserPasswordSaltAndHash(user)
c.Check(origSalt, gc.Not(gc.Equals), "")
// Even though the password is the same, we take this opportunity to
// update the salt
user.SetPassword("a-password")
newSalt, newHash := state.GetUserPasswordSaltAndHash(user)
c.Check(newSalt, gc.Not(gc.Equals), "")
c.Check(newSalt, gc.Not(gc.Equals), origSalt)
c.Check(newHash, gc.Not(gc.Equals), origHash)
c.Check(user.PasswordValid("a-password"), jc.IsTrue)
}
func (s *UserSuite) TestAddUserSetsSalt(c *gc.C) {
user := s.Factory.MakeUser(c, &factory.UserParams{Password: "******"})
salt, hash := state.GetUserPasswordSaltAndHash(user)
c.Assert(hash, gc.Not(gc.Equals), "")
c.Assert(salt, gc.Not(gc.Equals), "")
c.Assert(utils.UserPasswordHash("a-password", salt), gc.Equals, hash)
c.Assert(user.PasswordValid("a-password"), jc.IsTrue)
}
func (s *UserSuite) TestSetPasswordHashWithSalt(c *gc.C) {
user := s.Factory.MakeUser(c, nil)
err := user.SetPasswordHash(utils.UserPasswordHash("foo", "salted"), "salted")
c.Assert(err, jc.ErrorIsNil)
c.Assert(user.PasswordValid("foo"), jc.IsTrue)
salt, _ := state.GetUserPasswordSaltAndHash(user)
c.Assert(salt, gc.Equals, "salted")
}
func (s *UserSuite) TestSetPasswordHashWithSalt(c *gc.C) {
user := s.factory.MakeAnyUser()
err := user.SetPasswordHash(utils.UserPasswordHash("foo", "salted"), "salted")
c.Assert(err, gc.IsNil)
c.Assert(user.PasswordValid("foo"), jc.IsTrue)
salt, hash := state.GetUserPasswordSaltAndHash(user)
c.Assert(salt, gc.Equals, "salted")
c.Assert(hash, gc.Not(gc.Equals), utils.UserPasswordHash("foo", utils.CompatSalt))
}