This is an automated email from the ASF dual-hosted git repository.
jiahuili430 pushed a commit to branch fix-password-hasher
in repository https://gitbox.apache.org/repos/asf/couchdb.git
The following commit(s) were added to refs/heads/fix-password-hasher by this
push:
new 7d1e95c1d Add tests for couch_password_hasher.erl
7d1e95c1d is described below
commit 7d1e95c1d505fe57a80f8d716780430ac26c5fb3
Author: Jiahui Li <[email protected]>
AuthorDate: Sat Dec 6 19:12:32 2025 -0600
Add tests for couch_password_hasher.erl
---
.../test/eunit/couch_passwords_hasher_tests.erl | 237 +++++++++++++++++++++
1 file changed, 237 insertions(+)
diff --git a/src/couch/test/eunit/couch_passwords_hasher_tests.erl
b/src/couch/test/eunit/couch_passwords_hasher_tests.erl
new file mode 100644
index 000000000..34285676f
--- /dev/null
+++ b/src/couch/test/eunit/couch_passwords_hasher_tests.erl
@@ -0,0 +1,237 @@
+% Licensed under the Apache License, Version 2.0 (the "License"); you may not
+% use this file except in compliance with the License. You may obtain a copy of
+% the License at
+%
+% http://www.apache.org/licenses/LICENSE-2.0
+%
+% Unless required by applicable law or agreed to in writing, software
+% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+% License for the specific language governing permissions and limitations under
+% the License.
+
+-module(couch_passwords_hasher_tests).
+
+-include_lib("couch/include/couch_db.hrl").
+-include_lib("couch/include/couch_eunit.hrl").
+
+-define(USER, "couch_passowrds_hash_test_admin").
+-define(PASS, "pass").
+-define(AUTH, {basic_auth, {?USER, ?PASS}}).
+-define(CONTENT_JSON, {"Content-Type", "application/json"}).
+-define(RANDOM_USER, "user-" ++ ?b2l(couch_uuids:random())).
+
+setup() ->
+ update_hash(?USER, ?PASS),
+ Db = ?b2l(?tempdb()),
+ create_db(Db),
+ config:set("couch_httpd_auth", "authentication_db", Db, false),
+ meck:new(couch_password_hasher, [passthrough]),
+ Db.
+
+teardown(Db) ->
+ delete_db(Db),
+ config:delete("admins", ?USER, false),
+ config:delete("couch_httpd_auth", "authentication_db", false),
+ meck:unload().
+
+couch_password_hasher_simple_test_() ->
+ {
+ "password hasher simple scheme tests",
+ {
+ setup,
+ fun() -> test_util:start_couch([chttpd]) end,
+ fun test_util:stop_couch/1,
+ {
+ foreach,
+ fun() ->
+ Db = setup(),
+ configure("simple"),
+ Db
+ end,
+ fun teardown/1,
+ [
+
?TDEF_FE(create_user_by_admin_should_not_upgrade_password_hash),
+
?TDEF_FE(request_by_user_called_upgrade_password_hash_simple),
+
?TDEF_FE(update_user_password_by_user_called_upgrade_password_hash_simple)
+ ]
+ }
+ }
+ }.
+
+couch_password_hasher_pbkdf2_test_() ->
+ {
+ "password hasher pbkdf2 scheme tests",
+ {
+ setup,
+ fun() -> test_util:start_couch([chttpd]) end,
+ fun test_util:stop_couch/1,
+ {
+ foreach,
+ fun() ->
+ Db = setup(),
+ configure("pbkdf2"),
+ Db
+ end,
+ fun teardown/1,
+ [
+
?TDEF_FE(create_user_by_admin_should_not_upgrade_password_hash),
+
?TDEF_FE(request_by_user_should_not_upgrade_password_hash_pbkdf2),
+
?TDEF_FE(update_user_password_by_user_should_not_upgrade_password_hash_pbkdf2)
+ ]
+ }
+ }
+ }.
+
+create_user_by_admin_should_not_upgrade_password_hash(Db) ->
+ reset(),
+ create_user(Db, ?RANDOM_USER, ?PASS),
+ ?assertEqual(0, num_calls()).
+
+request_by_user_called_upgrade_password_hash_simple(Db) ->
+ User = request_by_user_should_not_upgrade_password_hash(Db),
+ ?assertEqual(1, num_calls()),
+ config:delete("admins", User, false).
+
+request_by_user_should_not_upgrade_password_hash_pbkdf2(Db) ->
+ User = request_by_user_should_not_upgrade_password_hash(Db),
+ ?assertEqual(0, num_calls()),
+ config:delete("admins", User, false).
+
+request_by_user_should_not_upgrade_password_hash(Db) ->
+ User = ?RANDOM_USER,
+ create_user(Db, User, ?PASS),
+ {200, _} = req(get, url(Db, "org.couchdb.user:" ++ User)),
+ ?assertEqual(0, num_calls()),
+
+ update_hash(User, ?PASS),
+ reset(),
+ meck:expect(couch_password_hasher, is_doc, fun(_) -> true end),
+ Headers = [{basic_auth, {User, ?PASS}}],
+ {200, _} = req(get, url(), Headers, []),
+ User.
+
+update_user_password_by_user_called_upgrade_password_hash_simple(Db) ->
+ {User, Rev} =
update_user_password_by_user_should_not_upgrade_password_hash(Db),
+ NewPass = "new_password",
+ update_password(Db, User, ?PASS, NewPass, ?b2l(Rev)),
+ ?assertEqual(1, num_calls()),
+
+ update_hash(User, NewPass),
+ OldAuth = [{basic_auth, {User, ?PASS}}],
+ {401, _} = req(get, url(), OldAuth, []),
+ ?assertEqual(1, num_calls()),
+ NewAuth = [{basic_auth, {User, NewPass}}],
+ {200, _} = req(get, url(), NewAuth, []),
+ ?assertEqual(1, num_calls()),
+ config:delete("admins", User, false).
+
+update_user_password_by_user_should_not_upgrade_password_hash_pbkdf2(Db) ->
+ {User, Rev} =
update_user_password_by_user_should_not_upgrade_password_hash(Db),
+ NewPass = "new_password",
+ update_password(Db, User, ?PASS, NewPass, ?b2l(Rev)),
+ ?assertEqual(0, num_calls()),
+
+ update_hash(User, NewPass),
+ OldAuth = [{basic_auth, {User, ?PASS}}],
+ {401, _} = req(get, url(), OldAuth, []),
+ ?assertEqual(0, num_calls()),
+ NewAuth = [{basic_auth, {User, NewPass}}],
+ {200, _} = req(get, url(), NewAuth, []),
+ ?assertEqual(0, num_calls()),
+ config:delete("admins", User, false).
+
+update_user_password_by_user_should_not_upgrade_password_hash(Db) ->
+ User = ?RANDOM_USER,
+ create_user(Db, User, ?PASS),
+ {200, #{<<"_rev">> := Rev}} = req(get, url(Db, "org.couchdb.user:" ++
User)),
+ ?assertEqual(0, num_calls()),
+
+ update_hash(User, ?PASS),
+ reset(),
+ meck:expect(couch_password_hasher, is_doc, fun(_) -> true end),
+ {User, Rev}.
+
+
+%%%%%%%%%%%%%%%%%%%% Utility Functions %%%%%%%%%%%%%%%%%%%%
+update_hash(User, Pass) ->
+ Hashed = couch_passwords:hash_admin_password(Pass),
+ config:set("admins", User, ?b2l(Hashed), false).
+
+url() ->
+ Addr = config:get("chttpd", "bind_address", "127.0.0.1"),
+ Port = mochiweb_socket_server:get(chttpd, port),
+ lists:concat(["http://";, Addr, ":", Port]).
+
+url(Db) ->
+ url() ++ "/" ++ Db.
+
+url(Db, Path) ->
+ url(Db) ++ "/" ++ Path.
+
+configure(Scheme) ->
+ config:set("couch_httpd_auth", "password_scheme", Scheme, false).
+
+create_db(Db) ->
+ case req(put, url(Db)) of
+ {201, #{}} -> ok;
+ Error -> error({failed_to_create_test_db, Db, Error})
+ end.
+
+delete_db(Db) ->
+ case req(delete, url(Db)) of
+ {200, #{}} -> ok;
+ Error -> error({failed_to_delete_test_db, Db, Error})
+ end.
+
+create_user(Db, UserName, Password) ->
+ ok = couch_auth_cache:ensure_users_db_exists(),
+ User = ?l2b(UserName),
+ Pass = ?l2b(Password),
+ Body =
+ {[
+ {<<"name">>, User},
+ {<<"password">>, Pass},
+ {<<"roles">>, []},
+ {<<"type">>, <<"user">>}
+ ]},
+ case req(put, url(Db, "org.couchdb.user:" ++ UserName),
jiffy:encode(Body)) of
+ {201, #{}} -> ok;
+ Error -> error({failed_to_create_user, UserName, Error})
+ end.
+
+update_password(Db, UserName, Password, NewPassword, Rev) ->
+ User = ?l2b(UserName),
+ NewPass = ?l2b(NewPassword),
+ Body =
+ {[
+ {<<"name">>, User},
+ {<<"password">>, NewPass},
+ {<<"roles">>, []},
+ {<<"type">>, <<"user">>}
+ ]},
+ Headers = [{basic_auth, {UserName, Password}}, {"If-Match", Rev}],
+ case req(put, url(Db, "org.couchdb.user:" ++ UserName), Headers,
jiffy:encode(Body)) of
+ {201, #{}} -> ok;
+ Error -> error({failed_to_update_password, UserName, Error})
+ end.
+
+req(Method, Url) ->
+ Headers = [?CONTENT_JSON, ?AUTH],
+ {ok, Code, _, Res} = test_request:request(Method, Url, Headers),
+ {Code, jiffy:decode(Res, [return_maps])}.
+
+req(Method, Url, Body) ->
+ Headers = [?CONTENT_JSON, ?AUTH],
+ {ok, Code, _, Res} = test_request:request(Method, Url, Headers, Body),
+ {Code, jiffy:decode(Res, [return_maps])}.
+
+req(Method, Url, Headers, Body) ->
+ {ok, Code, _, Res} = test_request:request(Method, Url, Headers, Body),
+ {Code, jiffy:decode(Res, [return_maps])}.
+
+reset() ->
+ meck:reset(couch_password_hasher).
+
+num_calls() ->
+ meck:num_calls(couch_password_hasher, upgrade_password_hash, ['_', '_',
'_', '_', '_', '_']).
