mirror of
https://github.com/mattermost/mattermost.git
synced 2026-04-13 04:57:45 -04:00
71ca373de7
Some checks are pending
API / build (push) Waiting to run
Server CI / Compute Go Version (push) Waiting to run
Server CI / Check mocks (push) Blocked by required conditions
Server CI / Check go mod tidy (push) Blocked by required conditions
Server CI / check-style (push) Blocked by required conditions
Server CI / Check serialization methods for hot structs (push) Blocked by required conditions
Server CI / Vet API (push) Blocked by required conditions
Server CI / Check migration files (push) Blocked by required conditions
Server CI / Generate email templates (push) Blocked by required conditions
Server CI / Check store layers (push) Blocked by required conditions
Server CI / Check mmctl docs (push) Blocked by required conditions
Server CI / Postgres with binary parameters (push) Blocked by required conditions
Server CI / Postgres (shard 0) (push) Blocked by required conditions
Server CI / Postgres (shard 1) (push) Blocked by required conditions
Server CI / Postgres (shard 2) (push) Blocked by required conditions
Server CI / Postgres (shard 3) (push) Blocked by required conditions
Server CI / Merge Postgres Test Results (push) Blocked by required conditions
Server CI / Postgres FIPS (shard 0) (push) Blocked by required conditions
Server CI / Postgres FIPS (shard 1) (push) Blocked by required conditions
Server CI / Postgres FIPS (shard 2) (push) Blocked by required conditions
Server CI / Postgres FIPS (shard 3) (push) Blocked by required conditions
Server CI / Merge Postgres FIPS Test Results (push) Blocked by required conditions
Server CI / Generate Test Coverage (push) Blocked by required conditions
Server CI / Run mmctl tests (push) Blocked by required conditions
Server CI / Run mmctl tests (FIPS) (push) Blocked by required conditions
Server CI / Build mattermost server app (push) Blocked by required conditions
Tools CI / check-style (mattermost-govet) (push) Waiting to run
Tools CI / Test (mattermost-govet) (push) Waiting to run
Web App CI / check-lint (push) Waiting to run
Web App CI / check-i18n (push) Blocked by required conditions
Web App CI / check-external-links (push) Blocked by required conditions
Web App CI / check-types (push) Blocked by required conditions
Web App CI / test (platform) (push) Blocked by required conditions
Web App CI / test (mattermost-redux) (push) Blocked by required conditions
Web App CI / test (channels shard 1/4) (push) Blocked by required conditions
Web App CI / test (channels shard 2/4) (push) Blocked by required conditions
Web App CI / test (channels shard 3/4) (push) Blocked by required conditions
Web App CI / test (channels shard 4/4) (push) Blocked by required conditions
Web App CI / upload-coverage (push) Blocked by required conditions
Web App CI / build (push) Blocked by required conditions
* Replace hardcoded test passwords with model.NewTestPassword() Add model.NewTestPassword() utility that generates 14+ character passwords meeting complexity requirements for FIPS compliance. Replace all short hardcoded test passwords across the test suite with calls to this function. * Enforce FIPS compliance for passwords and HMAC keys FIPS OpenSSL requires HMAC keys to be at least 14 bytes. PBKDF2 uses the password as the HMAC key internally, so short passwords cause PKCS5_PBKDF2_HMAC to fail. - Add FIPSEnabled and PasswordFIPSMinimumLength build-tag constants - Raise the password minimum length floor to 14 when compiled with requirefips, applied in SetDefaults only when unset and validated independently in IsValid - Return ErrMismatchedHashAndPassword for too-short passwords in PBKDF2 CompareHashAndPassword rather than a cryptic OpenSSL error - Validate atmos/camo HMAC key length under FIPS and lengthen test keys accordingly - Adjust password validation tests to use PasswordFIPSMinimumLength so they work under both FIPS and non-FIPS builds * CI: shard FIPS test suite and extract merge template Run FIPS tests on PRs that touch go.mod or have 'fips' in the branch name. Shard FIPS tests across 4 runners matching the normal Postgres suite. Extract the test result merge logic into a reusable workflow template to deduplicate the normal and FIPS merge jobs. * more * Fix email test helper to respect FIPS minimum password length * Fix test helpers to respect FIPS minimum password length * Remove unnecessary "disable strict password requirements" blocks from test helpers * Fix CodeRabbit review comments on PR #35905 - Add server-test-merge-template.yml to server-ci.yml pull_request.paths so changes to the reusable merge workflow trigger Server CI validation - Skip merge-postgres-fips-test-results job when test-postgres-normal-fips was skipped, preventing failures due to missing artifacts - Set guest.Password on returned guest in CreateGuestAndClient helper to keep contract consistent with CreateUserWithClient - Use shared LowercaseLetters/UppercaseLetters/NUMBERS/PasswordFIPSMinimumLength constants in NewTestPassword() to avoid drift if FIPS floor changes https://claude.ai/code/session_01HmE9QkZM3cAoXn2J7XrK2f * Rename FIPS test artifact to match server-ci-report pattern The server-ci-report job searches for artifacts matching "*-test-logs", so rename from postgres-server-test-logs-fips to postgres-server-fips-test-logs to be included in the report. --------- Co-authored-by: Claude <noreply@anthropic.com>
239 lines
7.9 KiB
Go
239 lines
7.9 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package model
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"io"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestRemoteClusterIsValid(t *testing.T) {
|
|
id := NewId()
|
|
creator := NewId()
|
|
now := GetMillis()
|
|
data := []struct {
|
|
name string
|
|
rc *RemoteCluster
|
|
valid bool
|
|
}{
|
|
{name: "Zero value", rc: &RemoteCluster{}, valid: false},
|
|
{name: "Missing cluster_name", rc: &RemoteCluster{RemoteId: id}, valid: false},
|
|
{name: "Missing host_name", rc: &RemoteCluster{RemoteId: id, Name: NewId()}, valid: false},
|
|
{name: "Missing create_at", rc: &RemoteCluster{RemoteId: id, Name: NewId(), SiteURL: "example.com"}, valid: false},
|
|
{name: "Missing last_ping_at", rc: &RemoteCluster{RemoteId: id, Name: NewId(), SiteURL: "example.com", CreatorId: creator, CreateAt: now}, valid: true},
|
|
{name: "Missing creator", rc: &RemoteCluster{RemoteId: id, Name: NewId(), SiteURL: "example.com", CreateAt: now, LastPingAt: now}, valid: false},
|
|
{name: "Bad default_team_id", rc: &RemoteCluster{RemoteId: id, Name: NewId(), SiteURL: "example.com", CreateAt: now, LastPingAt: now, CreatorId: creator, DefaultTeamId: "bad-id"}, valid: false},
|
|
{name: "Valid default_team_id", rc: &RemoteCluster{RemoteId: id, Name: NewId(), SiteURL: "example.com", CreateAt: now, LastPingAt: now, CreatorId: creator, DefaultTeamId: NewId()}, valid: true},
|
|
{name: "RemoteCluster valid", rc: &RemoteCluster{RemoteId: id, Name: NewId(), SiteURL: "example.com", CreateAt: now, LastPingAt: now, CreatorId: creator}, valid: true},
|
|
{name: "Include protocol", rc: &RemoteCluster{RemoteId: id, Name: NewId(), SiteURL: "http://example.com", CreateAt: now, LastPingAt: now, CreatorId: creator}, valid: true},
|
|
{name: "Include protocol & port", rc: &RemoteCluster{RemoteId: id, Name: NewId(), SiteURL: "http://example.com:8065", CreateAt: now, LastPingAt: now, CreatorId: creator}, valid: true},
|
|
}
|
|
|
|
for _, item := range data {
|
|
appErr := item.rc.IsValid()
|
|
if item.valid {
|
|
assert.Nil(t, appErr, item.name)
|
|
} else {
|
|
assert.NotNil(t, appErr, item.name)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestRemoteClusterPreSave(t *testing.T) {
|
|
now := GetMillis()
|
|
|
|
o := RemoteCluster{RemoteId: NewId(), Name: NewId()}
|
|
o.PreSave()
|
|
|
|
require.GreaterOrEqual(t, o.CreateAt, now)
|
|
}
|
|
|
|
func TestRemoteClusterMsgIsValid(t *testing.T) {
|
|
id := NewId()
|
|
now := GetMillis()
|
|
data := []struct {
|
|
name string
|
|
msg *RemoteClusterMsg
|
|
valid bool
|
|
}{
|
|
{name: "Zero value", msg: &RemoteClusterMsg{}, valid: false},
|
|
{name: "Missing remote id", msg: &RemoteClusterMsg{Id: id}, valid: false},
|
|
{name: "Missing Topic", msg: &RemoteClusterMsg{Id: id}, valid: false},
|
|
{name: "Missing Payload", msg: &RemoteClusterMsg{Id: id, CreateAt: now, Topic: "shared_channel"}, valid: false},
|
|
{name: "RemoteClusterMsg valid", msg: &RemoteClusterMsg{Id: id, CreateAt: now, Topic: "shared_channel", Payload: []byte("{\"hello\":\"world\"}")}, valid: true},
|
|
}
|
|
|
|
for _, item := range data {
|
|
appErr := item.msg.IsValid()
|
|
if item.valid {
|
|
assert.Nil(t, appErr, item.name)
|
|
} else {
|
|
assert.NotNil(t, appErr, item.name)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestRemoteClusterInviteIsValid(t *testing.T) {
|
|
id := NewId()
|
|
url := "https://localhost:8080/test"
|
|
token := NewId()
|
|
|
|
data := []struct {
|
|
name string
|
|
invite *RemoteClusterInvite
|
|
valid bool
|
|
}{
|
|
{name: "Zero value", invite: &RemoteClusterInvite{}, valid: false},
|
|
{name: "Missing remote id", invite: &RemoteClusterInvite{Token: token, SiteURL: url}, valid: false},
|
|
{name: "Missing site url", invite: &RemoteClusterInvite{RemoteId: id, Token: token}, valid: false},
|
|
{name: "Bad site url", invite: &RemoteClusterInvite{RemoteId: id, Token: token, SiteURL: ":/localhost"}, valid: false},
|
|
{name: "Missing token", invite: &RemoteClusterInvite{RemoteId: id, SiteURL: url}, valid: false},
|
|
{name: "RemoteClusterInvite valid", invite: &RemoteClusterInvite{RemoteId: id, Token: token, SiteURL: url}, valid: true},
|
|
}
|
|
|
|
for _, item := range data {
|
|
appErr := item.invite.IsValid()
|
|
if item.valid {
|
|
assert.Nil(t, appErr, item.name)
|
|
} else {
|
|
assert.NotNil(t, appErr, item.name)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestFixTopics(t *testing.T) {
|
|
testData := []struct {
|
|
topics string
|
|
expected string
|
|
}{
|
|
{topics: "", expected: ""},
|
|
{topics: " ", expected: ""},
|
|
{topics: "share", expected: " share "},
|
|
{topics: "share incident", expected: " share incident "},
|
|
{topics: " share incident ", expected: " share incident "},
|
|
{topics: " share incident ", expected: " share incident "},
|
|
}
|
|
|
|
for _, tt := range testData {
|
|
rc := &RemoteCluster{Topics: tt.topics}
|
|
rc.fixTopics()
|
|
assert.Equal(t, tt.expected, rc.Topics)
|
|
}
|
|
}
|
|
|
|
func TestRemoteClusterInviteEncryption(t *testing.T) {
|
|
testData := []struct {
|
|
name string
|
|
badDecrypt bool
|
|
password string
|
|
invite RemoteClusterInvite
|
|
skipFIPS bool
|
|
}{
|
|
{name: "empty password", badDecrypt: false, password: "", invite: makeInvite("https://example.com:8065"), skipFIPS: true},
|
|
{name: "good password", badDecrypt: false, password: "Ultra secret password!", invite: makeInvite("https://example.com:8065")},
|
|
{name: "bad decrypt", badDecrypt: true, password: "correct horse battery staple", invite: makeInvite("https://example.com:8065")},
|
|
}
|
|
|
|
for _, tt := range testData {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
if tt.skipFIPS && FIPSEnabled {
|
|
t.Skip("skipping under FIPS: encryption requires keys >= 14 bytes")
|
|
}
|
|
encrypted, err := tt.invite.Encrypt(tt.password)
|
|
require.NoError(t, err)
|
|
|
|
invite := RemoteClusterInvite{}
|
|
if tt.badDecrypt {
|
|
buf := make([]byte, len(encrypted))
|
|
_, err = io.ReadFull(rand.Reader, buf)
|
|
assert.NoError(t, err)
|
|
|
|
err = invite.Decrypt(buf, tt.password)
|
|
require.Error(t, err)
|
|
} else {
|
|
err = invite.Decrypt(encrypted, tt.password)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, tt.invite, invite)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestRemoteClusterInviteBackwardCompatibility(t *testing.T) {
|
|
// Test that we can decrypt invites created with the old scrypt method
|
|
oldInvite := RemoteClusterInvite{
|
|
RemoteId: NewId(),
|
|
SiteURL: "https://example.com:8065",
|
|
Token: NewId(),
|
|
RefreshedToken: NewId(),
|
|
Version: 2, // Old version using scrypt
|
|
}
|
|
|
|
password := NewTestPassword()
|
|
|
|
// Encrypt with old method (scrypt)
|
|
encrypted, err := oldInvite.Encrypt(password)
|
|
require.NoError(t, err)
|
|
|
|
// Decrypt should work with backward compatibility
|
|
decryptedInvite := RemoteClusterInvite{}
|
|
err = decryptedInvite.Decrypt(encrypted, password)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, oldInvite, decryptedInvite)
|
|
|
|
// Test new version (PBKDF2)
|
|
newInvite := RemoteClusterInvite{
|
|
RemoteId: NewId(),
|
|
SiteURL: "https://example.com:8065",
|
|
Token: NewId(),
|
|
RefreshedToken: NewId(),
|
|
Version: 3, // New version using PBKDF2
|
|
}
|
|
|
|
// Encrypt with new method (PBKDF2)
|
|
encrypted, err = newInvite.Encrypt(password)
|
|
require.NoError(t, err)
|
|
|
|
// Decrypt should work
|
|
decryptedInvite = RemoteClusterInvite{}
|
|
err = decryptedInvite.Decrypt(encrypted, password)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, newInvite, decryptedInvite)
|
|
}
|
|
|
|
func makeInvite(url string) RemoteClusterInvite {
|
|
return RemoteClusterInvite{
|
|
RemoteId: NewId(),
|
|
SiteURL: url,
|
|
Token: NewId(),
|
|
RefreshedToken: NewId(),
|
|
Version: 3,
|
|
}
|
|
}
|
|
|
|
func TestNewIDFromBytes(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
ss string
|
|
}{
|
|
{name: "empty", ss: ""},
|
|
{name: "very short", ss: "x"},
|
|
{name: "normal", ss: "com.mattermost.msteams-sync"},
|
|
{name: "long", ss: "com.mattermost.msteams-synccom.mattermost.msteams-synccom.mattermost.msteams-synccom.mattermost.msteams-sync"},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got1 := newIDFromBytes([]byte(tt.ss))
|
|
|
|
assert.True(t, IsValidId(got1), "not a valid id")
|
|
|
|
got2 := newIDFromBytes([]byte(tt.ss))
|
|
assert.Equal(t, got1, got2, "newIDFromBytes must generate same id for same inputs")
|
|
})
|
|
}
|
|
}
|