🧪 test(user): SHA-256 fingerprint stays non-empty and != secret value (Mistral autonomous) (#53)
Co-authored-by: Gabriel Radureau <arcodange@gmail.com> Co-committed-by: Gabriel Radureau <arcodange@gmail.com>
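--- a/[FILE PATH NOT SHOWN ON PAGE]
+++ b/[FILE PATH NOT SHOWN ON PAGE]
@@ -186,3 +186,48 @@ func TestListJWTSecretsInfo_ReturnsMetadataOnlyNotSecretValues(t *testing.T) {
 }
 assert.True(t, foundPrimary)
 }
+
+// TestListJWTSecretsInfo_SecretSHA256NonEmptyAndDifferentFromSecret verifies
+// the security property that SecretSHA256 fingerprint is non-empty and
+// DIFFERENT from the actual secret value for every returned JWTSecretInfo.
+func TestListJWTSecretsInfo_SecretSHA256NonEmptyAndDifferentFromSecret(t *testing.T) {
+// Create a mock repository (nil operations are fine for this test)
+var nilRepo UserRepository
+jwtConfig := JWTConfig{
+Secret: "test-secret-value-12345",
+ExpirationTime: 1 * time.Hour,
+Issuer: "test-issuer",
+}
+svc := NewUserService(nilRepo, jwtConfig, "admin-password")
+
+// Call ListJWTSecretsInfo to get metadata
+infos := svc.ListJWTSecretsInfo()
+
+// Must have at least one entry (the initial secret from jwtConfig)
+assert.GreaterOrEqual(t, len(infos), 1, "ListJWTSecretsInfo should return at least one secret")
+
+// Known secret for verification
+knownSecret := "test-secret-value-12345"
+
+// Verify each JWTSecretInfo has valid SecretSHA256
+for _, info := range infos {
+// 1. SecretSHA256 must be non-empty
+assert.NotEmpty(t, info.SecretSHA256, "SecretSHA256 must be non-empty")
+
+// 2. SecretSHA256 must be different from the actual secret value
+// Note: We verify against the known secret value used in the service.
+// The service's ListJWTSecretsInfo computes SHA-256 of the secret,
+// takes first 8 bytes, and hex-encodes them. This will NEVER equal
+// the original secret string.
+assert.NotEqual(t, knownSecret, info.SecretSHA256, "SecretSHA256 must differ from secret value")
+
+// 3. SecretSHA256 must be exactly 16 hex characters (8 bytes = 16 hex chars)
+assert.Len(t, info.SecretSHA256, 16, "SecretSHA256 must be 16 hex characters")
+
+// 4. SecretSHA256 must be valid hex (lowercase)
+for _, c := range info.SecretSHA256 {
+assert.True(t, (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'),
+"SecretSHA256 must be valid lowercase hex: %q", c)
+}
+}
+}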
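Review bot: The check at `assert.NotEqual(t, knownSecret, info.SecretSHA256, ...)` is already implied by the `assert.Len(..., 16, ...)` that follows it (the secret literal is 23 characters), so the test accepts any 16 lowercase hex characters and never ties the fingerprint to the configured secret; if the derivation described in the comment (SHA-256 of the secret, first 8 bytes, hex-encoded) is accurate, compute the expected value from `jwtConfig.Secret` and assert that at least one returned entry carries it. That also removes the duplicated `knownSecret := "test-secret-value-12345"` literal, which can silently drift from `jwtConfig.Secret`. The `crypto/sha256` and `encoding/hex` imports this needs live in the file's import block outside this hunk.
```go
// … unchanged: service construction and the ListJWTSecretsInfo call …
// Pin the fingerprint to the configured secret (SHA-256, first 8 bytes, hex) so
// a value that merely has the right length and alphabet cannot pass by accident.
sum := sha256.Sum256([]byte(jwtConfig.Secret))
wantFingerprint := hex.EncodeToString(sum[:8])
gotFingerprints := make([]string, 0, len(infos))
for _, info := range infos {
	gotFingerprints = append(gotFingerprints, info.SecretSHA256)
	assert.NotEqual(t, jwtConfig.Secret, info.SecretSHA256, "SecretSHA256 must differ from secret value")
	// … unchanged: non-empty, length and lowercase-hex checks …
}
assert.Contains(t, gotFingerprints, wantFingerprint, "no entry carries the fingerprint of jwtConfig.Secret")
```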