Merge branch 'develop' into feature/rotate-api-key

Author: briskt

apikey.go

@@ -52,7 +52,7 @@ func (k *ApiKey) Hash() error {
 	return err
 }
 
-// IsCorrect returns true if and only if the given string is a match for HashedSecret
+// IsCorrect returns true if and only if the key is active and the given string is a match for HashedSecret
 func (k *ApiKey) IsCorrect(given string) error {
 	if k.ActivatedAt == 0 {
 		return fmt.Errorf("key is not active: %s", k.Key)

apikey_test.go

@@ -2,8 +2,12 @@ package mfa
 
 import (
 	"bytes"
+	"crypto/aes"
+	"crypto/rand"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"regexp"
 	"testing"
@@ -13,6 +17,8 @@ import (
 )
 
 func TestApiKey_IsCorrect(t *testing.T) {
+	const hashedSecret = "$2y$10$Y.FlUK8q//DfybgFzNG2lONaJwvEFxHnCRo/r60BZbITDT6rOUhGa"
+
 	tests := []struct {
 		name         string
 		HashedSecret string
@@ -22,21 +28,21 @@ func TestApiKey_IsCorrect(t *testing.T) {
 	}{
 		{
 			name:         "valid secret",
-			HashedSecret: "$2y$10$Y.FlUK8q//DfybgFzNG2lONaJwvEFxHnCRo/r60BZbITDT6rOUhGa",
+			HashedSecret: hashedSecret,
 			ActivatedAt:  1744896576000,
 			Given:        "abc123",
 			wantErr:      false,
 		},
 		{
 			name:         "invalid secret",
-			HashedSecret: "$2y$10$Y.FlUK8q//DfybgFzNG2lONaJwvEFxHnCRo/r60BZbITDT6rOUhGa",
+			HashedSecret: hashedSecret,
 			ActivatedAt:  1744896576000,
 			Given:        "123abc",
 			wantErr:      true,
 		},
 		{
 			name:         "inactive",
-			HashedSecret: "$2y$10$Y.FlUK8q//DfybgFzNG2lONaJwvEFxHnCRo/r60BZbITDT6rOUhGa",
+			HashedSecret: hashedSecret,
 			ActivatedAt:  0,
 			Given:        "abc123",
 			wantErr:      true,
@@ -137,7 +143,7 @@ func TestApiKey_EncryptDecrypt(t *testing.T) {
 	}
 }
 
-func (ms *MfaSuite) TestApiKey_EncryptDecryptLegacy() {
+func (ms *MfaSuite) TestApiKeyEncryptDecryptLegacy() {
 	plaintext := []byte("this is a plaintext string to be encrypted")
 	key := &ApiKey{Secret: "ED86600E-3DBF-4C23-A0DA-9C55D448"}
 
@@ -333,6 +339,49 @@ func (ms *MfaSuite) TestNewApiKey() {
 	ms.Regexp(regexp.MustCompile("[a-f0-9]{40}"), got)
 }
 
+func (ms *MfaSuite) TestNewCipherBlock() {
+	random := make([]byte, 32)
+	_, err := io.ReadFull(rand.Reader, random)
+	ms.NoError(err)
+
+	tests := []struct {
+		name    string
+		key     string
+		wantErr bool
+	}{
+		{
+			name:    "key too short",
+			key:     "0123456789012345678901234567890",
+			wantErr: true,
+		},
+		{
+			name:    "key too long",
+			key:     "012345678901234567890123456789012",
+			wantErr: true,
+		},
+		{
+			name: "raw",
+			key:  string(random),
+		},
+		{
+			name: "base64",
+			key:  base64.StdEncoding.EncodeToString(random),
+		},
+	}
+	for _, tt := range tests {
+		ms.Run(tt.name, func() {
+			got, err := newCipherBlock(tt.key)
+			if tt.wantErr {
+				ms.Error(err)
+				return
+			}
+
+			ms.NoError(err)
+			ms.Equal(aes.BlockSize, got.BlockSize())
+		})
+	}
+}
+
 func (ms *MfaSuite) TestApiKeyReEncrypt() {
 	oldKey := ApiKey{}
 	must(oldKey.Activate())