crypto/support/hashes/argon2/src/test/groovy/org/apache/shiro/crypto/support/hashes/argon2/Argon2HashTest.groovy

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.shiro.crypto.support.hashes.argon2

import org.apache.shiro.crypto.hash.format.Shiro1CryptFormat
import org.apache.shiro.crypto.hash.format.Shiro2CryptFormat
import org.apache.shiro.lang.util.SimpleByteSource
import org.bouncycastle.crypto.params.Argon2Parameters
import org.junit.jupiter.api.Test
import org.junit.jupiter.api.function.Executable

import static org.junit.jupiter.api.Assertions.*

class Argon2HashTest {

    private static final TEST_PASSWORD = "secret#shiro,password;Jo8opech";
    private static final TEST_PASSWORD_BS = new SimpleByteSource(TEST_PASSWORD)

    @Test
    void testArgon2Hash() {
        // given
        def shiro2Format = '$shiro2$argon2id$v=19$m=4096,t=3,p=4$MTIzNDU2Nzg5MDEyMzQ1Ng$bjcHqfb0LPHyS13eVaNcBga9LF12I3k34H5ULt2gyoI'

        // when
        def hash = new Shiro2CryptFormat().parse(shiro2Format) as Argon2Hash;
        def matchesPassword = hash.matchesPassword TEST_PASSWORD_BS;

        // then
        assertEquals Argon2Parameters.ARGON2_VERSION_13, hash.argonVersion
        assertEquals 3, hash.iterations
        assertEquals 4096, hash.memoryKiB
        assertEquals 4, hash.parallelism
        assertTrue matchesPassword
    }

    /**
     * Modern formats do not fit well / at all into the existing shiro1 crypt format.
     *
     * <p>This test just makes sure trying to squeeze Argon2 into a Shiro1CryptFormat string will throw
     * the correct exception every time.</p>
     */
    @Test
    void testArgon2HashShiro1Format() {
        // given
        def shiro1Format = '$shiro1$argon2id$v=19$t=2,m=131072,p=4$7858qTJTreh61AzFV2XMOw==$lLzl2VNNbyFcuJo0Hp7JQpguKCDoQwxo91AWobcHzeo='

        // when
        def thrownException = assertThrows(
                UnsupportedOperationException,
                { new Shiro1CryptFormat().parse shiro1Format } as Executable
        )

        // then
        assertTrue thrownException.getMessage().contains("shiro1")
    }

    @Test
    void testFromStringMatchesPw() {
        // when
        def argon2String = '$argon2id$v=19$m=4096,t=3,p=4$MTIzNDU2Nzg5MDEyMzQ1Ng$bjcHqfb0LPHyS13eVaNcBga9LF12I3k34H5ULt2gyoI'
        // for testing recreated salt and data parts, as the parameter order could change.
        def saltDataPart = argon2String.substring(30)

        // when
        def argon2Hash = Argon2Hash.fromString argon2String
        def recreatedSaltDataPart = argon2Hash.formatToCryptString().substring(30)

        // then
        assertTrue argon2Hash.matchesPassword(TEST_PASSWORD_BS)
        // we can only test the salt + data parts, as
        // the parameter order could change.
        assertEquals saltDataPart, recreatedSaltDataPart
    }

}