Add additional tests, and minor meta updates

* Added some new tests
* Updated default rake task to run both test and rubocop
* Update SimpleCov to not test the coverage of the minitest suite itself

Author: joshbuker

.github/workflows/ruby.yml

@@ -33,7 +33,7 @@ jobs:
     - name: Test C library
       run: cd ext/argon2_wrap/ && make test && cd ../..
     - name: Run tests
-      run: bundle exec rake
+      run: bundle exec rake test
     - name: Coveralls Parallel
       uses: coverallsapp/github-action@master
       with:
@@ -54,7 +54,7 @@ jobs:
     - name: Install dependencies
       run: bundle install
     - name: Run rubocop
-      run: bundle exec rubocop
+      run: bundle exec rake rubocop
 
   finish:
     runs-on: ubuntu-latest

Rakefile

@@ -13,4 +13,4 @@ Rake::TestTask.new(:test) do |t|
   t.test_files = FileList['test/**/*_test.rb']
 end
 
-task :default => :test
+task :default => %i[test rubocop]

test/api_test.rb

@@ -41,4 +41,40 @@ def test_valid_hash
     secure_pass = Argon2::Password.create('A secret')
     assert Argon2::Password.valid_hash?(secure_pass)
   end
+
+  ###############
+  ## New Tests ##
+  ###############
+  ORIGINAL_PASSWORD = 'mypassword'
+  PEPPER = 'A secret'
+
+  def test_create_password_without_parameters
+    assert argon2 = Argon2::Password.create(ORIGINAL_PASSWORD)
+
+    assert argon2.is_a?(Argon2::Password)
+    assert_equal argon2.m_cost, 16
+    assert_equal argon2.t_cost, 2
+    assert argon2.matches?(ORIGINAL_PASSWORD)
+    assert Argon2::Password.verify_password(ORIGINAL_PASSWORD, argon2)
+  end
+
+  def test_create_password_with_parameters
+    assert argon2 = Argon2::Password.create(ORIGINAL_PASSWORD, t_cost: 4, m_cost: 12)
+
+    assert argon2.is_a?(Argon2::Password)
+    assert_equal argon2.m_cost, 12
+    assert_equal argon2.t_cost, 4
+    assert argon2.matches?(ORIGINAL_PASSWORD)
+    assert Argon2::Password.verify_password(ORIGINAL_PASSWORD, argon2)
+  end
+
+  def test_create_password_with_secret
+    assert argon2 = Argon2::Password.create(ORIGINAL_PASSWORD, secret: PEPPER)
+
+    assert argon2.is_a?(Argon2::Password)
+    assert_equal argon2.m_cost, 16
+    assert_equal argon2.t_cost, 2
+    assert argon2.matches?(ORIGINAL_PASSWORD, PEPPER)
+    assert Argon2::Password.verify_password(ORIGINAL_PASSWORD, argon2, PEPPER)
+  end
 end

test/key_test.rb

@@ -10,10 +10,73 @@ def test_key_hash
     assert basehash = Argon2::Password.create(PASS, t_cost: 2, m_cost: 16)
     # Keyed hash
     assert keyhash = Argon2::Password.create(PASS, t_cost: 2, m_cost: 16, secret: KEY)
+
+    # Isn't this test somewhat pointless? Each password will have a new salt,
+    # so they can never match anyway.
     refute_equal basehash, keyhash
+
+    # Demonstrate problem:
+    assert salthash = Argon2::Password.create(PASS, t_cost: 2, m_cost: 16)
+    refute_equal basehash, salthash
+    # Prove that it's not just the `==` being broken:
+    assert_equal basehash, basehash
+    assert_equal salthash, salthash
+    assert_equal keyhash,  keyhash
+
     # The keyed hash - without the key
     refute Argon2::Password.verify_password(PASS, keyhash)
     # With key
     assert Argon2::Password.verify_password(PASS, keyhash, KEY)
   end
+
+  # So apparently the salt that's in the digest is actually different from the
+  # salt used to generate the argon2 hash.
+  #
+  # To demonstrate:
+  #
+  # salt = Argon2::Engine.saltgen
+  # argon2 = Argon2::Password.create('anysecret', salt_do_not_supply: salt)
+  # salt == argon2.salt
+  # => false
+  # salt.length
+  # => 16
+  # argon2.salt.length
+  # => 22
+  # salt
+  # => "\xCA\xFD\xED\x18\x10\xD1!R\xF2\xA9\f4\xD2\x966\x9D"
+  # argon2.salt
+  # => "yv3tGBDRIVLyqQw00pY2nQ"
+  #
+  # This combined with the fact that you're not supposed to supply the salt in
+  # the first place, makes me wonder if we should just hard deprecate passing in
+  # the salt at all. In its current state, it provides literally no value and
+  # allows developers to shoot themselves in the foot.
+  #
+  # This test might be blown away soon anyway, temp disable abc cop.
+  # rubocop:disable Metrics/AbcSize
+  def test_key_hash_with_same_salts
+    skip('The salt going in is not the same as the salt in the digest')
+    assert basehash = Argon2::Password.create(PASS)
+    assert salthash = Argon2::Password.create(PASS, salt_do_not_supply: basehash.salt)
+    assert keyhash  = Argon2::Password.create(PASS, salt_do_not_supply: basehash.salt, secret: KEY)
+
+    # Prove that you can create an identical copy
+    assert_equal basehash, salthash
+    # Prove that both hashes without peppers do not equal hash with pepper
+    refute_equal basehash, keyhash
+    refute_equal salthash, keyhash
+
+    # Test unkeyed hashes
+    assert Argon2::Password.verify_password(PASS, basehash)
+    assert Argon2::Password.verify_password(PASS, salthash)
+
+    refute Argon2::Password.verify_password(PASS, basehash, KEY)
+    refute Argon2::Password.verify_password(PASS, salthash, KEY)
+
+    # Test keyed hash
+    refute Argon2::Password.verify_password(PASS, keyhash)
+
+    assert Argon2::Password.verify_password(PASS, keyhash, KEY)
+  end
+  # rubocop:enable Metrics/AbcSize
 end

test/low_level_test.rb

@@ -7,6 +7,7 @@
 class LowLevelArgon2Test < Minitest::Test
   def test_that_it_has_a_version_number
     refute_nil ::Argon2::VERSION
+    assert ::Argon2::VERSION.is_a?(String)
   end
 
   def test_ffi_vector

test/test_helper.rb

@@ -11,7 +11,10 @@
   c.single_report_path = 'coverage/lcov.info'
 end
 SimpleCov.formatter = SimpleCov::Formatter::LcovFormatter
-SimpleCov.start
+SimpleCov.start do
+  # Don't test the coverage of the test suite itself...
+  add_filter '/test'
+end
 
 require 'argon2'
 

test/unicode_test.rb

@@ -24,5 +24,7 @@ def test_emoji
     hash = Argon2::Password.create(rawstr)
     assert Argon2::Password.verify_password(rawstr, hash)
     refute Argon2::Password.verify_password("", hash)
+    # Also test if emoji are stripped but spaces remained.
+    refute Argon2::Password.verify_password("        ", hash)
   end
 end

test/v3_tests/password_new_test.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class PasswordNewTest < Minitest::Test
+  # TODO: Randomly generate a new password with Faker
+  # SECRET = Faker::Internet.unique.password
+  SECRET = 'mysecretpassword'
+  PASS = Argon2::Password.create(SECRET)
+  DIGEST = PASS.to_s
+  # What would be appropriate bad digest(s) to test? Using a bcrypt hash for now
+  BAD_DIGEST = '$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW'
+
+  def test_accepts_valid_string
+    assert argon2 = Argon2::Password.new(DIGEST)
+    assert argon2.is_a?(Argon2::Password)
+
+    assert_equal argon2, PASS
+    assert_equal argon2.to_s, DIGEST
+
+    assert argon2.matches?(SECRET)
+    assert Argon2::Password.verify_password(SECRET, argon2)
+    assert Argon2::Password.verify_password(argon2, DIGEST)
+  end
+
+  def test_rejects_invalid_string
+    assert_raises Argon2::Errors::InvalidHash do
+      Argon2::Password.new(BAD_DIGEST)
+    end
+  end
+
+  def test_accepts_argon2_password
+    assert argon2 = Argon2::Password.new(PASS)
+    assert argon2.is_a?(Argon2::Password)
+
+    assert_equal argon2, PASS
+    assert_equal argon2.to_s, DIGEST
+
+    assert argon2.matches?(SECRET)
+    assert Argon2::Password.verify_password(SECRET, argon2)
+    assert Argon2::Password.verify_password(argon2, DIGEST)
+  end
+end

test/v3_tests/verify_password_test.rb

@@ -13,19 +13,35 @@ class VerifyPasswordTest < Minitest::Test
   OTHER_PASS = Argon2::Password.create(OTHER_SECRET)
   OTHER_DIGEST = OTHER_PASS.to_s
 
-  def test_accepts_string
+  def test_accepts_string_as_secret
     assert Argon2::Password.verify_password(SECRET, DIGEST)
     assert Argon2::Password.verify_password(OTHER_SECRET, OTHER_DIGEST)
 
     refute Argon2::Password.verify_password(SECRET, OTHER_DIGEST)
     refute Argon2::Password.verify_password(OTHER_SECRET, DIGEST)
   end
 
-  def test_accepts_argon2_password
+  def test_accepts_argon2_password_as_secret
     assert Argon2::Password.verify_password(PASS, DIGEST)
     assert Argon2::Password.verify_password(OTHER_PASS, OTHER_DIGEST)
 
     refute Argon2::Password.verify_password(PASS, OTHER_DIGEST)
     refute Argon2::Password.verify_password(OTHER_PASS, DIGEST)
   end
+
+  def test_accepts_argon2_password_as_digest
+    assert Argon2::Password.verify_password(SECRET, PASS)
+    assert Argon2::Password.verify_password(OTHER_SECRET, OTHER_PASS)
+
+    refute Argon2::Password.verify_password(SECRET, OTHER_PASS)
+    refute Argon2::Password.verify_password(OTHER_SECRET, PASS)
+  end
+
+  def test_accepts_tautology
+    assert Argon2::Password.verify_password(PASS, PASS)
+    assert Argon2::Password.verify_password(OTHER_PASS, OTHER_PASS)
+
+    refute Argon2::Password.verify_password(PASS, OTHER_PASS)
+    refute Argon2::Password.verify_password(OTHER_PASS, PASS)
+  end
 end