// TestPasswordValidUpdatesSalt checks the upgrade path for a user whose hash
// was computed with utils.CompatSalt and who has an empty salt recorded: the
// first successful PasswordValid call must replace that pair with a non-empty
// salt and a matching hash, while a failed check or a repeated successful
// check must leave the salt and hash as they were.
func (s *UserSuite) TestPasswordValidUpdatesSalt(c *gc.C) {
	user, err := s.State.AddUser("someuser", "password")
	c.Assert(err, gc.IsNil)

	// Put the user into the legacy shape: compat-salted hash, empty salt.
	legacyHash := utils.UserPasswordHash("foo", utils.CompatSalt)
	err = user.SetPasswordHash(legacyHash, "")
	c.Assert(err, gc.IsNil)
	initialSalt, initialHash := state.GetUserPasswordSaltAndHash(user)
	c.Assert(initialSalt, gc.Equals, "")
	c.Assert(initialHash, gc.Equals, legacyHash)

	// A rejected password must not cause the salt or hash to be rewritten.
	c.Assert(user.PasswordValid("bar"), jc.IsFalse)
	rejectedSalt, rejectedHash := state.GetUserPasswordSaltAndHash(user)
	c.Assert(rejectedSalt, gc.Equals, "")
	c.Assert(rejectedHash, gc.Equals, legacyHash)

	// The first accepted password adds a salt and rewrites the hash so that
	// it is the hash of the same password under the new salt.
	c.Assert(user.PasswordValid("foo"), jc.IsTrue)
	upgradedSalt, upgradedHash := state.GetUserPasswordSaltAndHash(user)
	c.Assert(upgradedSalt, gc.Not(gc.Equals), "")
	c.Assert(upgradedHash, gc.Not(gc.Equals), legacyHash)
	c.Assert(upgradedHash, gc.Equals, utils.UserPasswordHash("foo", upgradedSalt))

	// Once upgraded, further successful checks leave the pair unchanged.
	c.Assert(user.PasswordValid("foo"), jc.IsTrue)
	finalSalt, finalHash := state.GetUserPasswordSaltAndHash(user)
	c.Assert(finalSalt, gc.Equals, upgradedSalt)
	c.Assert(finalHash, gc.Equals, upgradedHash)
}
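// TestSetPasswordChangesSalt checks that SetPassword picks a new salt every
// time it is called, so that setting the same password again still yields a
// different salt and a different hash.
func (s *UserSuite) TestSetPasswordChangesSalt(c *gc.C) {
	u, err := s.State.AddUser("someuser", "a-password")
	c.Assert(err, gc.IsNil)
	origSalt, origHash := state.GetUserPasswordSaltAndHash(u)
	c.Check(origSalt, gc.Not(gc.Equals), "")

	// Even though the password is the same, we take this opportunity to
	// update the salt.
	err = u.SetPassword("a-password")
	// Assert rather than Check: if the update failed, the comparisons below
	// would fail for an unrelated reason and hide the real error.
	c.Assert(err, gc.IsNil)

	newSalt, newHash := state.GetUserPasswordSaltAndHash(u)
	c.Check(newSalt, gc.Not(gc.Equals), "")
	c.Check(newSalt, gc.Not(gc.Equals), origSalt)
	c.Check(newHash, gc.Not(gc.Equals), origHash)
	c.Check(u.PasswordValid("a-password"), jc.IsTrue)
}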
// TestAddUserSetsSalt checks that a user created through AddUser starts out
// with a non-empty salt and a non-empty hash, that the hash is the one
// utils.UserPasswordHash produces for the password under that salt, and that
// the password validates.
func (s *UserSuite) TestAddUserSetsSalt(c *gc.C) {
	const password = "a-password"

	user, err := s.State.AddUser("someuser", password)
	c.Assert(err, gc.IsNil)

	gotSalt, gotHash := state.GetUserPasswordSaltAndHash(user)
	c.Check(gotHash, gc.Not(gc.Equals), "")
	c.Check(gotSalt, gc.Not(gc.Equals), "")

	// Recompute the hash from the reported salt and compare it with the
	// reported hash.
	c.Check(utils.UserPasswordHash(password, gotSalt), gc.Equals, gotHash)
	c.Check(user.PasswordValid(password), jc.IsTrue)
}
// TestSetPasswordHashWithSalt checks that SetPasswordHash keeps the salt it
// is given: the matching password validates, the reported salt is the one
// that was supplied, and the reported hash is not the hash of the same
// password under utils.CompatSalt.
func (s *UserSuite) TestSetPasswordHashWithSalt(c *gc.C) {
	user, err := s.State.AddUser("someuser", "password")
	c.Assert(err, gc.IsNil)

	// Install a hash of "foo" computed under an explicit salt.
	saltedHash := utils.UserPasswordHash("foo", "salted")
	err = user.SetPasswordHash(saltedHash, "salted")
	c.Assert(err, gc.IsNil)
	c.Assert(user.PasswordValid("foo"), jc.IsTrue)

	gotSalt, gotHash := state.GetUserPasswordSaltAndHash(user)
	c.Assert(gotSalt, gc.Equals, "salted")

	// The reported hash must differ from the compat-salted hash of "foo".
	compatHash := utils.UserPasswordHash("foo", utils.CompatSalt)
	c.Assert(gotHash, gc.Not(gc.Equals), compatHash)
}