tests/Umbraco.Tests.UnitTests/Umbraco.Core/Security/LegacyPasswordSecurityTests.cs

// Copyright (c) Umbraco.
// See LICENSE for more details.

using Moq;
using NUnit.Framework;
using Umbraco.Cms.Core.Configuration;
using Umbraco.Cms.Core.Security;
using Constants = Umbraco.Cms.Core.Constants;

namespace Umbraco.Cms.Tests.UnitTests.Umbraco.Core.Security
{
    [TestFixture]
    public class LegacyPasswordSecurityTests
    {
        [Test]
        public void Check_Password_Hashed_Non_KeyedHashAlgorithm()
        {
            IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == "SHA256");
            var passwordSecurity = new LegacyPasswordSecurity();

            var pass = "ThisIsAHashedPassword";
            var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out string salt);
            var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt);

            var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword);

            Assert.IsTrue(result);
        }

        [Test]
        public void Check_Password_Hashed_KeyedHashAlgorithm()
        {
            IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);
            var passwordSecurity = new LegacyPasswordSecurity();

            var pass = "ThisIsAHashedPassword";
            var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out string salt);
            var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt);

            var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword);

            Assert.IsTrue(result);
        }

        [Test]
        public void Check_Password_Legacy_v4_SHA1()
        {
            IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco4PasswordHashAlgorithmName);
            var passwordSecurity = new LegacyPasswordSecurity();

            var pass = "ThisIsAHashedPassword";
            var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out string salt);
            var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt);

            var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword);

            Assert.IsTrue(result);
        }

        [Test]
        public void Format_Pass_For_Storage_Hashed()
        {
            IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);
            var passwordSecurity = new LegacyPasswordSecurity();

            var salt = LegacyPasswordSecurity.GenerateSalt();
            var stored = "ThisIsAHashedPassword";

            var result = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, stored, salt);

            Assert.AreEqual(salt + "ThisIsAHashedPassword", result);
        }

        [Test]
        public void Get_Stored_Password_Hashed()
        {
            IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);
            var passwordSecurity = new LegacyPasswordSecurity();

            var salt = LegacyPasswordSecurity.GenerateSalt();
            var stored = salt + "ThisIsAHashedPassword";

            var result = passwordSecurity.ParseStoredHashPassword(passwordConfiguration.HashAlgorithmType, stored, out string initSalt);

            Assert.AreEqual("ThisIsAHashedPassword", result);
        }

        /// <summary>
        /// The salt generated is always the same length
        /// </summary>
        [Test]
        public void Check_Salt_Length()
        {
            var lastLength = 0;
            for (var i = 0; i < 10000; i++)
            {
                var result = LegacyPasswordSecurity.GenerateSalt();

                if (i > 0)
                {
                    Assert.AreEqual(lastLength, result.Length);
                }

                lastLength = result.Length;
            }
        }
    }
}
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`// Copyright (c) Umbraco.`
			`// See LICENSE for more details.`

			`using Moq;`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00			`using NUnit.Framework;`
Netcore: Align namespaces (#9801) * Rename Umbraco.Core namespace to Umbraco.Cms.Core * Move extension methods in core project to Umbraco.Extensions * Move extension methods in core project to Umbraco.Extensions * Rename Umbraco.Examine namespace to Umbraco.Cms.Examine * Move examine extensions to Umbraco.Extensions namespace * Reflect changed namespaces in Builder and fix unit tests * Adjust namespace in Umbraco.ModelsBuilder.Embedded * Adjust namespace in Umbraco.Persistence.SqlCe * Adjust namespace in Umbraco.PublishedCache.NuCache * Align namespaces in Umbraco.Web.BackOffice * Align namespaces in Umbraco.Web.Common * Ensure that SqlCeSupport is still enabled after changing the namespace * Align namespaces in Umbraco.Web.Website * Align namespaces in Umbraco.Web.UI.NetCore * Align namespaces in Umbraco.Tests.Common * Align namespaces in Umbraco.Tests.UnitTests * Align namespaces in Umbraco.Tests.Integration * Fix errors caused by changed namespaces * Fix integration tests * Undo the Umbraco.Examine.Lucene namespace change This breaks integration tests on linux, since the namespace wont exists there because it's only used on windows. * Fix merge * Fix Merge 2021-02-18 11:06:02 +01:00			`using Umbraco.Cms.Core.Configuration;`
			`using Umbraco.Cms.Core.Security;`
			`using Constants = Umbraco.Cms.Core.Constants;`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
Netcore: Align namespaces (#9801) * Rename Umbraco.Core namespace to Umbraco.Cms.Core * Move extension methods in core project to Umbraco.Extensions * Move extension methods in core project to Umbraco.Extensions * Rename Umbraco.Examine namespace to Umbraco.Cms.Examine * Move examine extensions to Umbraco.Extensions namespace * Reflect changed namespaces in Builder and fix unit tests * Adjust namespace in Umbraco.ModelsBuilder.Embedded * Adjust namespace in Umbraco.Persistence.SqlCe * Adjust namespace in Umbraco.PublishedCache.NuCache * Align namespaces in Umbraco.Web.BackOffice * Align namespaces in Umbraco.Web.Common * Ensure that SqlCeSupport is still enabled after changing the namespace * Align namespaces in Umbraco.Web.Website * Align namespaces in Umbraco.Web.UI.NetCore * Align namespaces in Umbraco.Tests.Common * Align namespaces in Umbraco.Tests.UnitTests * Align namespaces in Umbraco.Tests.Integration * Fix errors caused by changed namespaces * Fix integration tests * Undo the Umbraco.Examine.Lucene namespace change This breaks integration tests on linux, since the namespace wont exists there because it's only used on windows. * Fix merge * Fix Merge 2021-02-18 11:06:02 +01:00			`namespace Umbraco.Cms.Tests.UnitTests.Umbraco.Core.Security`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00			`{`
			`[TestFixture]`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`public class LegacyPasswordSecurityTests`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00			`{`
			`[Test]`
			`public void Check_Password_Hashed_Non_KeyedHashAlgorithm()`
			`{`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == "SHA256");`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var passwordSecurity = new LegacyPasswordSecurity();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`var pass = "ThisIsAHashedPassword";`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out string salt);`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt);`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
Adds support for the super old password format so we can handle upgrades 2020-10-07 15:20:43 +11:00			`var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword);`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`Assert.IsTrue(result);`
			`}`

			`[Test]`
			`public void Check_Password_Hashed_KeyedHashAlgorithm()`
			`{`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var passwordSecurity = new LegacyPasswordSecurity();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`var pass = "ThisIsAHashedPassword";`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out string salt);`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt);`

			`var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword);`

			`Assert.IsTrue(result);`
			`}`

			`[Test]`
			`public void Check_Password_Legacy_v4_SHA1()`
			`{`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco4PasswordHashAlgorithmName);`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var passwordSecurity = new LegacyPasswordSecurity();`

			`var pass = "ThisIsAHashedPassword";`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out string salt);`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt);`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
Adds support for the super old password format so we can handle upgrades 2020-10-07 15:20:43 +11:00			`var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword);`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`Assert.IsTrue(result);`
			`}`

			`[Test]`
			`public void Format_Pass_For_Storage_Hashed()`
			`{`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var passwordSecurity = new LegacyPasswordSecurity();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
renames to LegacyPasswordSecurity 2020-05-28 23:24:32 +10:00			`var salt = LegacyPasswordSecurity.GenerateSalt();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00			`var stored = "ThisIsAHashedPassword";`

Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var result = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, stored, salt);`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`Assert.AreEqual(salt + "ThisIsAHashedPassword", result);`
			`}`

			`[Test]`
			`public void Get_Stored_Password_Hashed()`
			`{`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var passwordSecurity = new LegacyPasswordSecurity();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
renames to LegacyPasswordSecurity 2020-05-28 23:24:32 +10:00			`var salt = LegacyPasswordSecurity.GenerateSalt();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00			`var stored = salt + "ThisIsAHashedPassword";`

Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`var result = passwordSecurity.ParseStoredHashPassword(passwordConfiguration.HashAlgorithmType, stored, out string initSalt);`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`Assert.AreEqual("ThisIsAHashedPassword", result);`
			`}`

			`/// <summary>`
			`/// The salt generated is always the same length`
			`/// </summary>`
			`[Test]`
			`public void Check_Salt_Length()`
			`{`
			`var lastLength = 0;`
			`for (var i = 0; i < 10000; i++)`
			`{`
renames to LegacyPasswordSecurity 2020-05-28 23:24:32 +10:00			`var result = LegacyPasswordSecurity.GenerateSalt();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`if (i > 0)`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`{`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00			`Assert.AreEqual(lastLength, result.Length);`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`}`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`lastLength = result.Length;`
			`}`
			`}`
			`}`
			`}`