|
| 1 | +//! Integration tests for `change_password` and `anonymize_identity` |
| 2 | +//! (plan 0347 / GAR-891 — Q6.15). |
| 3 | +//! |
| 4 | +//! # Mutants killed |
| 5 | +//! |
| 6 | +//! * `password.rs:81:8` — `delete !` in `change_password` (shard 2): killed by |
| 7 | +//! [`change_password_correct_argon2id_returns_success`]. |
| 8 | +//! * `password.rs:75:58` — `replace \|\| with &&` in `change_password` (shard 1): killed by |
| 9 | +//! [`change_password_correct_pbkdf2sha256_returns_success`]. |
| 10 | +//! * `password.rs:119:5` — `replace anonymize_identity with Ok(())` (shard 0): killed by |
| 11 | +//! [`anonymize_identity_updates_login`]. |
| 12 | +//! |
| 13 | +//! All tests use the shared `Harness` (one pgvector/pg16 container per binary, |
| 14 | +//! isolation via unique UUIDs per test). |
| 15 | +
|
| 16 | +mod common; |
| 17 | + |
| 18 | +use common::harness::Harness; |
| 19 | +use garraia_auth::{PasswordChangeOutcome, anonymize_identity, change_password, hash_argon2id}; |
| 20 | +use password_hash::{PasswordHasher, SaltString}; |
| 21 | +use pbkdf2::Pbkdf2; |
| 22 | +use secrecy::SecretString; |
| 23 | +use sqlx::Row; |
| 24 | +use uuid::Uuid; |
| 25 | + |
| 26 | +fn pw(s: &str) -> SecretString { |
| 27 | + SecretString::from(s.to_owned()) |
| 28 | +} |
| 29 | + |
| 30 | +/// Insert one user + one internal identity via the admin pool. |
| 31 | +/// Returns the new `user_id`. The `login` column is set to `email` so that |
| 32 | +/// `anonymize_identity` tests can detect the change by querying it. |
| 33 | +async fn seed(admin: &sqlx::PgPool, email: &str, password_hash: &str) -> anyhow::Result<Uuid> { |
| 34 | + let row = sqlx::query("INSERT INTO users (email, display_name) VALUES ($1, $2) RETURNING id") |
| 35 | + .bind(email) |
| 36 | + .bind(email) |
| 37 | + .fetch_one(admin) |
| 38 | + .await?; |
| 39 | + let user_id: Uuid = row.try_get("id")?; |
| 40 | + |
| 41 | + sqlx::query( |
| 42 | + "INSERT INTO user_identities \ |
| 43 | + (user_id, provider, provider_sub, login, password_hash) \ |
| 44 | + VALUES ($1, 'internal', $2, $3, $4)", |
| 45 | + ) |
| 46 | + .bind(user_id) |
| 47 | + .bind(user_id.to_string()) |
| 48 | + .bind(email) |
| 49 | + .bind(password_hash) |
| 50 | + .execute(admin) |
| 51 | + .await?; |
| 52 | + |
| 53 | + Ok(user_id) |
| 54 | +} |
| 55 | + |
| 56 | +// ── change_password tests ──────────────────────────────────────────────────── |
| 57 | + |
| 58 | +/// Kills `password.rs:81:8` — `delete !` mutant. |
| 59 | +/// |
| 60 | +/// The production code has `if !matches { return Ok(WrongPassword); }`. |
| 61 | +/// If the `!` were deleted it becomes `if matches { return Ok(WrongPassword); }`, |
| 62 | +/// meaning a CORRECT password returns `WrongPassword`. This test panics in that case. |
| 63 | +#[tokio::test(flavor = "multi_thread", worker_threads = 2)] |
| 64 | +async fn change_password_correct_argon2id_returns_success() -> anyhow::Result<()> { |
| 65 | + let h = Harness::get().await; |
| 66 | + let admin = sqlx::PgPool::connect(&h.admin_url).await?; |
| 67 | + let email = format!("cp-ok-argon-{}@garraia.test", Uuid::now_v7()); |
| 68 | + let correct = pw("correct-horse-battery-staple-42"); |
| 69 | + let hash = hash_argon2id(&correct)?; |
| 70 | + let user_id = seed(&admin, &email, &hash).await?; |
| 71 | + |
| 72 | + let outcome = change_password( |
| 73 | + &h.login_pool, |
| 74 | + user_id, |
| 75 | + &correct, |
| 76 | + &pw("brand-new-password-99"), |
| 77 | + ) |
| 78 | + .await?; |
| 79 | + assert_eq!( |
| 80 | + outcome, |
| 81 | + PasswordChangeOutcome::Success, |
| 82 | + "correct Argon2id password must return Success — \ |
| 83 | + fails if `delete !` mutant (password.rs:81) is active" |
| 84 | + ); |
| 85 | + Ok(()) |
| 86 | +} |
| 87 | + |
| 88 | +/// Kills `password.rs:75:58` — `replace \|\| with &&` mutant. |
| 89 | +/// |
| 90 | +/// A PBKDF2-SHA256 PHC string starts with `$pbkdf2-sha256$` but NOT `$pbkdf2$`. |
| 91 | +/// The production branch is: |
| 92 | +/// ``` |
| 93 | +/// } else if stored_hash.starts_with("$pbkdf2-sha256$") || stored_hash.starts_with("$pbkdf2$") { |
| 94 | +/// ``` |
| 95 | +/// If `||` were replaced with `&&`, a `$pbkdf2-sha256$` hash would not match |
| 96 | +/// (it satisfies the first condition but not the second), causing the function |
| 97 | +/// to fall through to `Err(AuthError::UnknownHashFormat)` instead of `Success`. |
| 98 | +#[tokio::test(flavor = "multi_thread", worker_threads = 2)] |
| 99 | +async fn change_password_correct_pbkdf2sha256_returns_success() -> anyhow::Result<()> { |
| 100 | + let h = Harness::get().await; |
| 101 | + let admin = sqlx::PgPool::connect(&h.admin_url).await?; |
| 102 | + let email = format!("cp-ok-pbkdf2-{}@garraia.test", Uuid::now_v7()); |
| 103 | + |
| 104 | + // Build a real PBKDF2-SHA256 PHC string — same pattern as verify_internal.rs. |
| 105 | + let plaintext_str = "legacy-pbkdf2-password-for-change"; |
| 106 | + let salt = SaltString::generate(&mut password_hash::rand_core::OsRng); |
| 107 | + let phc = Pbkdf2 |
| 108 | + .hash_password(plaintext_str.as_bytes(), &salt) |
| 109 | + .expect("PBKDF2 hash must succeed in tests") |
| 110 | + .to_string(); |
| 111 | + // Hard assertion: the prefix must be exactly what production code dispatches on. |
| 112 | + assert!( |
| 113 | + phc.starts_with("$pbkdf2-sha256$"), |
| 114 | + "PBKDF2 PHC must start with $pbkdf2-sha256$ — prefix assumption violated: {phc}" |
| 115 | + ); |
| 116 | + assert!( |
| 117 | + !phc.starts_with("$pbkdf2$"), |
| 118 | + "PBKDF2-SHA256 must NOT start with bare $pbkdf2$ — test is targeting the wrong mutant" |
| 119 | + ); |
| 120 | + |
| 121 | + let user_id = seed(&admin, &email, &phc).await?; |
| 122 | + let outcome = change_password( |
| 123 | + &h.login_pool, |
| 124 | + user_id, |
| 125 | + &pw(plaintext_str), |
| 126 | + &pw("new-password-after-upgrade"), |
| 127 | + ) |
| 128 | + .await?; |
| 129 | + assert_eq!( |
| 130 | + outcome, |
| 131 | + PasswordChangeOutcome::Success, |
| 132 | + "PBKDF2-SHA256 correct password must return Success — \ |
| 133 | + fails if `|| → &&` mutant (password.rs:75) is active" |
| 134 | + ); |
| 135 | + Ok(()) |
| 136 | +} |
| 137 | + |
| 138 | +/// Baseline: wrong password returns `WrongPassword` (anti-enumeration path). |
| 139 | +#[tokio::test(flavor = "multi_thread", worker_threads = 2)] |
| 140 | +async fn change_password_wrong_argon2id_returns_wrong_password() -> anyhow::Result<()> { |
| 141 | + let h = Harness::get().await; |
| 142 | + let admin = sqlx::PgPool::connect(&h.admin_url).await?; |
| 143 | + let email = format!("cp-wrong-{}@garraia.test", Uuid::now_v7()); |
| 144 | + let real_hash = hash_argon2id(&pw("actual-secret-password"))?; |
| 145 | + let user_id = seed(&admin, &email, &real_hash).await?; |
| 146 | + |
| 147 | + let outcome = change_password( |
| 148 | + &h.login_pool, |
| 149 | + user_id, |
| 150 | + &pw("definitely-wrong-password"), |
| 151 | + &pw("irrelevant-new-password"), |
| 152 | + ) |
| 153 | + .await?; |
| 154 | + assert_eq!( |
| 155 | + outcome, |
| 156 | + PasswordChangeOutcome::WrongPassword, |
| 157 | + "wrong password must return WrongPassword" |
| 158 | + ); |
| 159 | + Ok(()) |
| 160 | +} |
| 161 | + |
| 162 | +// ── anonymize_identity tests ───────────────────────────────────────────────── |
| 163 | + |
| 164 | +/// Kills `password.rs:119:5` — `replace anonymize_identity → Ok(())` mutant. |
| 165 | +/// |
| 166 | +/// If the function body were replaced with `Ok(())`, `user_identities.login` |
| 167 | +/// would remain the original email. This test queries the column directly and |
| 168 | +/// panics if the UPDATE was silently skipped. |
| 169 | +#[tokio::test(flavor = "multi_thread", worker_threads = 2)] |
| 170 | +async fn anonymize_identity_updates_login() -> anyhow::Result<()> { |
| 171 | + let h = Harness::get().await; |
| 172 | + let admin = sqlx::PgPool::connect(&h.admin_url).await?; |
| 173 | + let email = format!("anon-target-{}@garraia.test", Uuid::now_v7()); |
| 174 | + let hash = hash_argon2id(&pw("any-password-for-anon"))?; |
| 175 | + let user_id = seed(&admin, &email, &hash).await?; |
| 176 | + |
| 177 | + anonymize_identity(&h.login_pool, user_id).await?; |
| 178 | + |
| 179 | + let row = sqlx::query( |
| 180 | + "SELECT login FROM user_identities \ |
| 181 | + WHERE user_id = $1 AND provider = 'internal'", |
| 182 | + ) |
| 183 | + .bind(user_id) |
| 184 | + .fetch_one(&admin) |
| 185 | + .await?; |
| 186 | + let new_login: Option<String> = row.try_get("login")?; |
| 187 | + let new_login = new_login.expect( |
| 188 | + "login must be non-NULL after anonymize_identity — \ |
| 189 | + fails if `replace with Ok(())` mutant (password.rs:119) is active", |
| 190 | + ); |
| 191 | + assert!( |
| 192 | + new_login.starts_with("anon-"), |
| 193 | + "login must start with 'anon-' after anonymization, got: {new_login}" |
| 194 | + ); |
| 195 | + assert!( |
| 196 | + new_login.ends_with("@garraanon.local"), |
| 197 | + "login must end with '@garraanon.local' after anonymization, got: {new_login}" |
| 198 | + ); |
| 199 | + assert_ne!( |
| 200 | + new_login, email, |
| 201 | + "login must have changed from the original email" |
| 202 | + ); |
| 203 | + Ok(()) |
| 204 | +} |
0 commit comments