tests/Umbraco.Tests.UnitTests/Umbraco.Core/Security/LegacyPasswordSecurityTests.cs

// Copyright (c) Umbraco.
// See LICENSE for more details.

using System;
using System.Security.Cryptography;
using System.Text;
using Moq;
using NUnit.Framework;
using Umbraco.Cms.Core.Configuration;
using Umbraco.Cms.Core.Security;
using Umbraco.Extensions;
using Constants = Umbraco.Cms.Core.Constants;

namespace Umbraco.Cms.Tests.UnitTests.Umbraco.Core.Security
{
    [TestFixture]
    public class LegacyPasswordSecurityTests
    {
        [Test]
        public void Check_Password_Hashed_Non_KeyedHashAlgorithm()
        {
            IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == "SHA1");
            var passwordSecurity = new LegacyPasswordSecurity();

            var pass = "ThisIsAHashedPassword";
            var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out string salt);
            var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt);

            var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword);

            Assert.IsTrue(result);
        }

        [Test]
        public void Check_Password_Hashed_KeyedHashAlgorithm()
        {
            IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);
            var passwordSecurity = new LegacyPasswordSecurity();

            var pass = "ThisIsAHashedPassword";
            var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out string salt);
            var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt);

            var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword);

            Assert.IsTrue(result);
        }

        [Test]
        public void Check_Password_Legacy_v4_SHA1()
        {
            const string clearText = "ThisIsAHashedPassword";
            var clearTextUnicodeBytes = Encoding.Unicode.GetBytes(clearText);
            using var algorithm = new HMACSHA1(clearTextUnicodeBytes);
            var dbPassword = Convert.ToBase64String(algorithm.ComputeHash(clearTextUnicodeBytes));

            var result = new LegacyPasswordSecurity().VerifyLegacyHashedPassword(clearText, dbPassword);

            Assert.IsTrue(result);
        }

        [Test]
        public void Format_Pass_For_Storage_Hashed()
        {
            IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);
            var passwordSecurity = new LegacyPasswordSecurity();

            var salt = LegacyPasswordSecurity.GenerateSalt();
            var stored = "ThisIsAHashedPassword";

            var result = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, stored, salt);

            Assert.AreEqual(salt + "ThisIsAHashedPassword", result);
        }

        [Test]
        public void Get_Stored_Password_Hashed()
        {
            IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);
            var passwordSecurity = new LegacyPasswordSecurity();

            var salt = LegacyPasswordSecurity.GenerateSalt();
            var stored = salt + "ThisIsAHashedPassword";

            var result = passwordSecurity.ParseStoredHashPassword(passwordConfiguration.HashAlgorithmType, stored, out string initSalt);

            Assert.AreEqual("ThisIsAHashedPassword", result);
        }

        /// <summary>
        /// The salt generated is always the same length
        /// </summary>
        [Test]
        public void Check_Salt_Length()
        {
            var lastLength = 0;
            for (var i = 0; i < 10000; i++)
            {
                var result = LegacyPasswordSecurity.GenerateSalt();

                if (i > 0)
                {
                    Assert.AreEqual(lastLength, result.Length);
                }

                lastLength = result.Length;
            }
        }
    }
}
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`// Copyright (c) Umbraco.`
			`// See LICENSE for more details.`

Further enhancements for legacy password support. (#12124) * Further enhancements for legacy password support. For users - try new style passwords first and fallback on failure seeing as a valid modern password is the norm, rehash is only one time. For both users and members also deals with the fact that for useLegacyEncoding we could store any old thing in passwordConfig e.g. it's possible to get Umbraco8 to store "HMACSHA384" alongside the hash even though it's really HMACSHA1 with password used as key (try it out by tweaking machine key settings and setting useLegacyEncoding=true). Has behavioral breaking changes in LegacyPasswordSecurity as the code now expects consumers to to respect IsSupportedHashAlgorithm rather than ignoring it. * Less rushed removals 2022-03-11 10:41:04 +00:00			`using System;`
			`using System.Security.Cryptography;`
			`using System.Text;`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`using Moq;`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00			`using NUnit.Framework;`
Netcore: Align namespaces (#9801) * Rename Umbraco.Core namespace to Umbraco.Cms.Core * Move extension methods in core project to Umbraco.Extensions * Move extension methods in core project to Umbraco.Extensions * Rename Umbraco.Examine namespace to Umbraco.Cms.Examine * Move examine extensions to Umbraco.Extensions namespace * Reflect changed namespaces in Builder and fix unit tests * Adjust namespace in Umbraco.ModelsBuilder.Embedded * Adjust namespace in Umbraco.Persistence.SqlCe * Adjust namespace in Umbraco.PublishedCache.NuCache * Align namespaces in Umbraco.Web.BackOffice * Align namespaces in Umbraco.Web.Common * Ensure that SqlCeSupport is still enabled after changing the namespace * Align namespaces in Umbraco.Web.Website * Align namespaces in Umbraco.Web.UI.NetCore * Align namespaces in Umbraco.Tests.Common * Align namespaces in Umbraco.Tests.UnitTests * Align namespaces in Umbraco.Tests.Integration * Fix errors caused by changed namespaces * Fix integration tests * Undo the Umbraco.Examine.Lucene namespace change This breaks integration tests on linux, since the namespace wont exists there because it's only used on windows. * Fix merge * Fix Merge 2021-02-18 11:06:02 +01:00			`using Umbraco.Cms.Core.Configuration;`
			`using Umbraco.Cms.Core.Security;`
Further enhancements for legacy password support. (#12124) * Further enhancements for legacy password support. For users - try new style passwords first and fallback on failure seeing as a valid modern password is the norm, rehash is only one time. For both users and members also deals with the fact that for useLegacyEncoding we could store any old thing in passwordConfig e.g. it's possible to get Umbraco8 to store "HMACSHA384" alongside the hash even though it's really HMACSHA1 with password used as key (try it out by tweaking machine key settings and setting useLegacyEncoding=true). Has behavioral breaking changes in LegacyPasswordSecurity as the code now expects consumers to to respect IsSupportedHashAlgorithm rather than ignoring it. * Less rushed removals 2022-03-11 10:41:04 +00:00			`using Umbraco.Extensions;`
Netcore: Align namespaces (#9801) * Rename Umbraco.Core namespace to Umbraco.Cms.Core * Move extension methods in core project to Umbraco.Extensions * Move extension methods in core project to Umbraco.Extensions * Rename Umbraco.Examine namespace to Umbraco.Cms.Examine * Move examine extensions to Umbraco.Extensions namespace * Reflect changed namespaces in Builder and fix unit tests * Adjust namespace in Umbraco.ModelsBuilder.Embedded * Adjust namespace in Umbraco.Persistence.SqlCe * Adjust namespace in Umbraco.PublishedCache.NuCache * Align namespaces in Umbraco.Web.BackOffice * Align namespaces in Umbraco.Web.Common * Ensure that SqlCeSupport is still enabled after changing the namespace * Align namespaces in Umbraco.Web.Website * Align namespaces in Umbraco.Web.UI.NetCore * Align namespaces in Umbraco.Tests.Common * Align namespaces in Umbraco.Tests.UnitTests * Align namespaces in Umbraco.Tests.Integration * Fix errors caused by changed namespaces * Fix integration tests * Undo the Umbraco.Examine.Lucene namespace change This breaks integration tests on linux, since the namespace wont exists there because it's only used on windows. * Fix merge * Fix Merge 2021-02-18 11:06:02 +01:00			`using Constants = Umbraco.Cms.Core.Constants;`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
Netcore: Align namespaces (#9801) * Rename Umbraco.Core namespace to Umbraco.Cms.Core * Move extension methods in core project to Umbraco.Extensions * Move extension methods in core project to Umbraco.Extensions * Rename Umbraco.Examine namespace to Umbraco.Cms.Examine * Move examine extensions to Umbraco.Extensions namespace * Reflect changed namespaces in Builder and fix unit tests * Adjust namespace in Umbraco.ModelsBuilder.Embedded * Adjust namespace in Umbraco.Persistence.SqlCe * Adjust namespace in Umbraco.PublishedCache.NuCache * Align namespaces in Umbraco.Web.BackOffice * Align namespaces in Umbraco.Web.Common * Ensure that SqlCeSupport is still enabled after changing the namespace * Align namespaces in Umbraco.Web.Website * Align namespaces in Umbraco.Web.UI.NetCore * Align namespaces in Umbraco.Tests.Common * Align namespaces in Umbraco.Tests.UnitTests * Align namespaces in Umbraco.Tests.Integration * Fix errors caused by changed namespaces * Fix integration tests * Undo the Umbraco.Examine.Lucene namespace change This breaks integration tests on linux, since the namespace wont exists there because it's only used on windows. * Fix merge * Fix Merge 2021-02-18 11:06:02 +01:00			`namespace Umbraco.Cms.Tests.UnitTests.Umbraco.Core.Security`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00			`{`
			`[TestFixture]`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`public class LegacyPasswordSecurityTests`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00			`{`
			`[Test]`
			`public void Check_Password_Hashed_Non_KeyedHashAlgorithm()`
			`{`
Further enhancements for legacy password support. (#12124) * Further enhancements for legacy password support. For users - try new style passwords first and fallback on failure seeing as a valid modern password is the norm, rehash is only one time. For both users and members also deals with the fact that for useLegacyEncoding we could store any old thing in passwordConfig e.g. it's possible to get Umbraco8 to store "HMACSHA384" alongside the hash even though it's really HMACSHA1 with password used as key (try it out by tweaking machine key settings and setting useLegacyEncoding=true). Has behavioral breaking changes in LegacyPasswordSecurity as the code now expects consumers to to respect IsSupportedHashAlgorithm rather than ignoring it. * Less rushed removals 2022-03-11 10:41:04 +00:00			`IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == "SHA1");`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var passwordSecurity = new LegacyPasswordSecurity();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`var pass = "ThisIsAHashedPassword";`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out string salt);`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt);`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
Adds support for the super old password format so we can handle upgrades 2020-10-07 15:20:43 +11:00			`var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword);`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`Assert.IsTrue(result);`
			`}`

			`[Test]`
			`public void Check_Password_Hashed_KeyedHashAlgorithm()`
			`{`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var passwordSecurity = new LegacyPasswordSecurity();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`var pass = "ThisIsAHashedPassword";`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out string salt);`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt);`

			`var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword);`

			`Assert.IsTrue(result);`
			`}`

			`[Test]`
			`public void Check_Password_Legacy_v4_SHA1()`
			`{`
Further enhancements for legacy password support. (#12124) * Further enhancements for legacy password support. For users - try new style passwords first and fallback on failure seeing as a valid modern password is the norm, rehash is only one time. For both users and members also deals with the fact that for useLegacyEncoding we could store any old thing in passwordConfig e.g. it's possible to get Umbraco8 to store "HMACSHA384" alongside the hash even though it's really HMACSHA1 with password used as key (try it out by tweaking machine key settings and setting useLegacyEncoding=true). Has behavioral breaking changes in LegacyPasswordSecurity as the code now expects consumers to to respect IsSupportedHashAlgorithm rather than ignoring it. * Less rushed removals 2022-03-11 10:41:04 +00:00			`const string clearText = "ThisIsAHashedPassword";`
			`var clearTextUnicodeBytes = Encoding.Unicode.GetBytes(clearText);`
			`using var algorithm = new HMACSHA1(clearTextUnicodeBytes);`
			`var dbPassword = Convert.ToBase64String(algorithm.ComputeHash(clearTextUnicodeBytes));`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
Further enhancements for legacy password support. (#12124) * Further enhancements for legacy password support. For users - try new style passwords first and fallback on failure seeing as a valid modern password is the norm, rehash is only one time. For both users and members also deals with the fact that for useLegacyEncoding we could store any old thing in passwordConfig e.g. it's possible to get Umbraco8 to store "HMACSHA384" alongside the hash even though it's really HMACSHA1 with password used as key (try it out by tweaking machine key settings and setting useLegacyEncoding=true). Has behavioral breaking changes in LegacyPasswordSecurity as the code now expects consumers to to respect IsSupportedHashAlgorithm rather than ignoring it. * Less rushed removals 2022-03-11 10:41:04 +00:00			`var result = new LegacyPasswordSecurity().VerifyLegacyHashedPassword(clearText, dbPassword);`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`Assert.IsTrue(result);`
			`}`

			`[Test]`
			`public void Format_Pass_For_Storage_Hashed()`
			`{`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var passwordSecurity = new LegacyPasswordSecurity();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
renames to LegacyPasswordSecurity 2020-05-28 23:24:32 +10:00			`var salt = LegacyPasswordSecurity.GenerateSalt();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00			`var stored = "ThisIsAHashedPassword";`

Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var result = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, stored, salt);`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`Assert.AreEqual(salt + "ThisIsAHashedPassword", result);`
			`}`

			`[Test]`
			`public void Get_Stored_Password_Hashed()`
			`{`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`IPasswordConfiguration passwordConfiguration = Mock.Of<IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);`
Gets password roll forward working 2020-10-07 16:56:48 +11:00			`var passwordSecurity = new LegacyPasswordSecurity();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
renames to LegacyPasswordSecurity 2020-05-28 23:24:32 +10:00			`var salt = LegacyPasswordSecurity.GenerateSalt();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00			`var stored = salt + "ThisIsAHashedPassword";`

Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`var result = passwordSecurity.ParseStoredHashPassword(passwordConfiguration.HashAlgorithmType, stored, out string initSalt);`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`Assert.AreEqual("ThisIsAHashedPassword", result);`
			`}`

			`/// <summary>`
			`/// The salt generated is always the same length`
			`/// </summary>`
			`[Test]`
			`public void Check_Salt_Length()`
			`{`
			`var lastLength = 0;`
			`for (var i = 0; i < 10000; i++)`
			`{`
renames to LegacyPasswordSecurity 2020-05-28 23:24:32 +10:00			`var result = LegacyPasswordSecurity.GenerateSalt();`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`if (i > 0)`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`{`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00			`Assert.AreEqual(lastLength, result.Length);`
Cleaned-up code in Umbraco.Web.UnitTests to match linting rules. 2020-12-20 08:36:11 +01:00			`}`
kill user membership provider, adds some passwords api abstractions, moves membership provider logic out of Core/services, removes membership scenario and other membership code we don't want anymore. 2019-11-25 21:20:00 +11:00
			`lastLength = result.Length;`
			`}`
			`}`
			`}`
			`}`