Add unit test for hash-based GenerateUserSettings

NikSays · NikSays · commit b315eaf84762 · 2024-09-24T00:37:43.000+03:00
diff --git a/internal/user_test.go b/internal/user_test.go
@@ -27,13 +27,16 @@ var _ = Describe("GenerateUserSettings", func() {
 		userTags = []topology.UserTag{"administrator", "monitoring"}
 	})
 
-	It("generates the expected rabbithole.UserSettings", func() {
+	It("uses the password to generate the expected rabbithole.UserSettings", func() {
 		settings, err := internal.GenerateUserSettings(&credentialSecret, userTags)
 		Expect(err).NotTo(HaveOccurred())
 		Expect(settings.Name).To(Equal("my-rabbit-user"))
 		Expect(settings.Tags).To(ConsistOf("administrator", "monitoring"))
 		Expect(settings.HashingAlgorithm.String()).To(Equal(rabbithole.HashingAlgorithmSHA512.String()))
 
+		// Password should not be sent, even if provided
+		Expect(settings.Password).To(BeEmpty())
+
 		// The first 4 bytes of the PasswordHash will be the salt used in the hashing algorithm.
 		// See https://www.rabbitmq.com/passwords.html#computing-password-hash.
 		// We can take this salt and calculate what the correct hashed salted value would
@@ -45,4 +48,19 @@ var _ = Describe("GenerateUserSettings", func() {
 		saltedHash := sha512.Sum512([]byte(string(salt) + "a-secure-password"))
 		Expect(base64.StdEncoding.EncodeToString([]byte(string(salt) + string(saltedHash[:])))).To(Equal(settings.PasswordHash))
 	})
+
+	It("uses the passwordHash to generate the expected rabbithole.UserSettings", func() {
+		hash, _ := rabbithole.SaltedPasswordHashSHA256("a-different-password")
+		credentialSecret.Data["passwordHash"] = []byte(hash)
+
+		settings, err := internal.GenerateUserSettings(&credentialSecret, userTags)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(settings.Name).To(Equal("my-rabbit-user"))
+		Expect(settings.Tags).To(ConsistOf("administrator", "monitoring"))
+		Expect(settings.HashingAlgorithm.String()).To(Equal(rabbithole.HashingAlgorithmSHA512.String()))
+		Expect(settings.PasswordHash).To(Equal(hash))
+
+		// Password should not be sent, even if provided
+		Expect(settings.Password).To(BeEmpty())
+	})
 })
diff --git a/system_tests/user_system_test.go b/system_tests/user_system_test.go
@@ -194,6 +194,7 @@ var _ = Describe("Users", func() {
 			Expect(generatedSecret.Data).To(HaveKeyWithValue("password", []uint8("-grace.hopper_9453$")))
 		})
 	})
+
 	When("providing a pre-defined username but autogenerated password", func() {
 		var credentialSecret corev1.Secret
 		BeforeEach(func() {
@@ -343,7 +344,7 @@ var _ = Describe("Users", func() {
 			Expect(k8sClient.Create(ctx, &credentialSecret, &client.CreateOptions{})).To(Succeed())
 			user = &topology.User{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "user-4",
+					Name:      "user-5",
 					Namespace: namespace,
 				},
 				Spec: topology.UserSpec{
@@ -367,7 +368,7 @@ var _ = Describe("Users", func() {
 
 			By("creating a new Secret with the provided credentials secret")
 			generatedSecretKey := types.NamespacedName{
-				Name:      "user-4-user-credentials",
+				Name:      "user-5-user-credentials",
 				Namespace: namespace,
 			}
 			var generatedSecret = &corev1.Secret{}
