#849 Catch exception in TwoFactor hash and write unit tests

ljacqu 2016-07-15 18:23:18 +02:00
parent 3616c3187e
commit 160cbc6aa4
2 changed files with 70 additions and 7 deletions


@ -4,12 +4,14 @@ import com.google.common.escape.Escaper;
import com.google.common.io.BaseEncoding; import com.google.common.io.BaseEncoding;
import com.google.common.net.UrlEscapers; import com.google.common.net.UrlEscapers;
import com.google.common.primitives.Ints; import com.google.common.primitives.Ints;
import fr.xephi.authme.ConsoleLogger;
import fr.xephi.authme.security.crypts.description.HasSalt; import fr.xephi.authme.security.crypts.description.HasSalt;
import fr.xephi.authme.security.crypts.description.Recommendation; import fr.xephi.authme.security.crypts.description.Recommendation;
import fr.xephi.authme.security.crypts.description.SaltType; import fr.xephi.authme.security.crypts.description.SaltType;
import fr.xephi.authme.security.crypts.description.Usage; import fr.xephi.authme.security.crypts.description.Usage;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException; import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom; import java.security.SecureRandom;
@ -17,9 +19,6 @@ import java.util.Arrays;
import java.util.Calendar; import java.util.Calendar;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
@Recommendation(Usage.DOES_NOT_WORK) @Recommendation(Usage.DOES_NOT_WORK)
@HasSalt(SaltType.NONE) @HasSalt(SaltType.NONE)
public class TwoFactor extends UnsaltedMethod { public class TwoFactor extends UnsaltedMethod {
@ -58,12 +57,13 @@ public class TwoFactor extends UnsaltedMethod {
public boolean comparePassword(String password, HashedPassword hashedPassword, String name) { public boolean comparePassword(String password, HashedPassword hashedPassword, String name) {
try { try {
return checkPassword(hashedPassword.getHash(), password); return checkPassword(hashedPassword.getHash(), password);
} catch (NoSuchAlgorithmException | InvalidKeyException encryptionException) { } catch (Exception e) {
throw new UnsupportedOperationException("Failed to compare passwords", encryptionException); ConsoleLogger.logException("Failed to verify two auth code:", e);
return false;
} }
} }
public boolean checkPassword(String secretKey, String userInput) private boolean checkPassword(String secretKey, String userInput)
throws NoSuchAlgorithmException, InvalidKeyException { throws NoSuchAlgorithmException, InvalidKeyException {
Integer code = Ints.tryParse(userInput); Integer code = Ints.tryParse(userInput);
if (code == null) { if (code == null) {
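Review bot: The new `catch (Exception e)` in `comparePassword` fails closed, which is the right default for an authentication check, but it also reports every unexpected runtime error (a null `hashedPassword`, a bug inside `checkPassword`) as an ordinary wrong code. Narrowing the catch to the failures this path is expected to produce keeps real defects visible, e.g. `} catch (NoSuchAlgorithmException | InvalidKeyException | IllegalArgumentException e) {`. The last type is an assumption about what decoding a malformed stored secret throws; confirm it against `checkPassword`, whose body continues outside the hunk. The log text would also read more clearly as `"Failed to verify two-factor code:"`. Because a full stack trace is written on each attempt against an account with a malformed secret, check that this cannot flood the console log.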


@ -0,0 +1,63 @@
package fr.xephi.authme.security.crypts;
import fr.xephi.authme.TestHelper;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.hamcrest.Matchers.equalTo;
import static org.junit.Assert.assertThat;
/**
* Test for {@link TwoFactor}.
*/
public class TwoFactorTest {
@BeforeClass
public static void initLogger() {
TestHelper.setupLogger();
}
@Test
public void shouldGenerateBarcodeUrl() {
// given
String user = "tester";
String host = "192.168.0.4";
String secret = "3AK6Y4KWGRLJMEQW";
// when
String url = TwoFactor.getQRBarcodeURL(user, host, secret);
// then
String expected = "https://www.google.com/chart?chs=130x130&chld=M%7C0&cht=qr"
+ "&chl=otpauth://totp/tester@192.168.0.4%3Fsecret%3D3AK6Y4KWGRLJMEQW";
assertThat(url, equalTo(expected));
}
@Test
public void shouldHandleInvalidHash() {
// given
HashedPassword password = new HashedPassword("!@&#@!(*&@");
String inputPassword = "12345";
TwoFactor twoFactor = new TwoFactor();
// when
boolean result = twoFactor.comparePassword(inputPassword, password, "name");
// then
assertThat(result, equalTo(false));
}
@Test
public void shouldHandleInvalidInput() {
// given
HashedPassword password = new HashedPassword("3AK6Y4KWGRLJMEQW");
String inputPassword = "notA_number!";
TwoFactor twoFactor = new TwoFactor();
// when
boolean result = twoFactor.comparePassword(inputPassword, password, "name");
// then
assertThat(result, equalTo(false));
}
}
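Review bot: `shouldHandleInvalidHash` and `shouldHandleInvalidInput` cover only rejection paths, so with `TwoFactor.comparePassword` now returning `false` on any exception they would still pass if verification were broken for every input. A case that pairs a well-formed secret with a code valid for the current time window and expects `true` would guard against that. Since `checkPassword` is now private and presumably time-dependent, this likely needs an injectable time source or a package-private helper. Until then, a comment on the class such as `// NOTE: only rejection paths are covered; acceptance of a valid code is not tested` would make the gap explicit.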