scrypt 3.0.7 → 3.1.0

data/spec/scrypt/password_spec.rb

@@ -3,135 +3,183 @@
 require File.expand_path(File.join(File.dirname(__FILE__), '..', 'spec_helper'))
 
 describe 'Creating a hashed password' do
-  before :each do
+  before do
     @password = SCrypt::Password.create('s3cr3t', max_time: 0.25)
   end
 
-  it 'should return a SCrypt::Password' do
+  it 'returns a SCrypt::Password' do
     expect(@password).to be_an_instance_of(SCrypt::Password)
   end
 
-  it 'should return a valid password' do
-    expect(-> { SCrypt::Password.new(@password) }).to_not raise_error
+  it 'returns a valid password' do
+    expect { SCrypt::Password.new(@password) }.not_to raise_error
   end
 
-  it 'should behave normally if the secret is not a string' do
-    expect(-> { SCrypt::Password.create(nil) }).to_not raise_error
-    expect(-> { SCrypt::Password.create(woo: 'yeah') }).to_not raise_error
-    expect(-> { SCrypt::Password.create(false) }).to_not raise_error
+  it 'behaves normally if the secret is not a string' do
+    expect { SCrypt::Password.create(nil) }.not_to raise_error
+    expect { SCrypt::Password.create(false) }.not_to raise_error
+    expect { SCrypt::Password.create(42) }.not_to raise_error
   end
 
-  it 'should tolerate empty string secrets' do
-    expect(-> { SCrypt::Password.create("\n".chop) }).to_not raise_error
-    expect(-> { SCrypt::Password.create('') }).to_not raise_error
-    expect(-> { SCrypt::Password.create('') }).to_not raise_error
+  it 'tolerates empty string secrets' do
+    expect { SCrypt::Password.create('') }.not_to raise_error
+    expect { SCrypt::Password.create('', max_time: 0.01) }.not_to raise_error
+    expect(SCrypt::Password.create('')).to be_an_instance_of(SCrypt::Password)
   end
 end
 
 describe 'Reading a hashed password' do
-  before :each do
+  before do
     @secret = 'my secret'
     @hash = '400$8$d$173a8189751c095a29b933789560b73bf17b2e01$9bf66d74bd6f3ebcf99da3b379b689b89db1cb07'
   end
 
-  it 'should read the cost, salt, and hash' do
+  it 'reads the cost, salt, and hash' do
     password = SCrypt::Password.new(@hash)
     expect(password.cost).to eq('400$8$d$')
     expect(password.salt).to eq('173a8189751c095a29b933789560b73bf17b2e01')
-    expect(password.to_s).to eq(@hash)
+    expect(password.digest).to eq('9bf66d74bd6f3ebcf99da3b379b689b89db1cb07')
   end
 
-  it 'should raise an InvalidHashError when given an invalid hash' do
-    expect(-> { SCrypt::Password.new('not a valid hash') }).to raise_error(SCrypt::Errors::InvalidHash)
+  it 'raises an InvalidHashError when given an invalid hash' do
+    expect { SCrypt::Password.new('invalid') }.to raise_error(SCrypt::Errors::InvalidHash)
   end
 end
 
 describe 'Comparing a hashed password with a secret' do
-  before :each do
+  before do
     @secret = 's3cr3t'
-    @password = SCrypt::Password.create(@secret)
+    @password = SCrypt::Password.create(@secret, max_time: 0.01)
   end
 
-  it 'should compare successfully to the original secret' do
-    expect((@password == @secret)).to be(true)
+  it 'compares successfully to the original secret' do
+    expect(@password == @secret).to be true
   end
 
-  it 'should compare unsuccessfully to anything besides original secret' do
-    expect((@password == '@secret')).to be(false)
+  it 'compares unsuccessfully to anything besides original secret' do
+    expect(@password == 'different').to be false
   end
 end
 
 describe 'non-default salt sizes' do
-  before :each do
+  before do
     @secret = 's3cret'
   end
 
-  it 'should enforce a minimum salt of 8 bytes' do
-    @password = SCrypt::Password.create(@secret, salt_size: 7)
-    expect(@password.salt.length).to eq(8 * 2)
+  it 'enforces a minimum salt of 8 bytes' do
+    @password = SCrypt::Password.create(@secret, salt_size: 4, max_time: 0.01)
+    expect(@password.salt.length).to eq(16) # 8 bytes * 2 (hex encoding)
   end
 
-  it 'should allow a salt of 32 bytes' do
-    @password = SCrypt::Password.create(@secret, salt_size: 32)
-    expect(@password.salt.length).to eq(32 * 2)
+  it 'allows a salt of 32 bytes' do
+    @password = SCrypt::Password.create(@secret, salt_size: 32, max_time: 0.01)
+    expect(@password.salt.length).to eq(64) # 32 bytes * 2 (hex encoding)
   end
 
-  it 'should enforce a maximum salt of 32 bytes' do
-    @password = SCrypt::Password.create(@secret, salt_size: 33)
-    expect(@password.salt.length).to eq(32 * 2)
+  it 'enforces a maximum salt of 32 bytes' do
+    @password = SCrypt::Password.create(@secret, salt_size: 64, max_time: 0.01)
+    expect(@password.salt.length).to eq(64) # 32 bytes * 2 (hex encoding)
   end
 
-  it 'should pad a 20-byte salt to not look like a 20-byte SHA1' do
+  it 'pads a 20-byte salt to not look like a 20-byte SHA1' do
     @password = SCrypt::Password.create(@secret, salt_size: 20)
     expect(@password.salt.length).to eq(41)
   end
 
-  it 'should properly compare a non-standard salt hash' do
-    @password = SCrypt::Password.create(@secret, salt_size: 20)
-    expect((SCrypt::Password.new(@password.to_s) == @secret)).to be(true)
+  it 'properly compares a non-standard salt hash' do
+    @password = SCrypt::Password.create(@secret, salt_size: 16, max_time: 0.01)
+    expect(@password == @secret).to be true
   end
 end
 
 describe 'non-default key lengths' do
-  before :each do
+  before do
     @secret = 's3cret'
   end
 
-  it 'should enforce a minimum keylength of 16 bytes' do
-    @password = SCrypt::Password.create(@secret, key_len: 15)
-    expect(@password.digest.length).to eq(16 * 2)
+  it 'enforces a minimum keylength of 16 bytes' do
+    @password = SCrypt::Password.create(@secret, key_len: 8, max_time: 0.01)
+    expect(@password.digest.length).to eq(32) # 16 bytes * 2 (hex encoding)
   end
 
-  it 'should allow a keylength of 512 bytes' do
-    @password = SCrypt::Password.create(@secret, key_len: 512)
-    expect(@password.digest.length).to eq(512 * 2)
+  it 'allows a keylength of 512 bytes' do
+    @password = SCrypt::Password.create(@secret, key_len: 512, max_time: 0.01)
+    expect(@password.digest.length).to eq(1024) # 512 bytes * 2 (hex encoding)
   end
 
-  it 'should enforce a maximum keylength of 512 bytes' do
-    @password = SCrypt::Password.create(@secret, key_len: 513)
-    expect(@password.digest.length).to eq(512 * 2)
+  it 'enforces a maximum keylength of 512 bytes' do
+    @password = SCrypt::Password.create(@secret, key_len: 1024, max_time: 0.01)
+    expect(@password.digest.length).to eq(1024) # 512 bytes * 2 (hex encoding)
   end
 
-  it 'should properly compare a non-standard hash' do
-    @password = SCrypt::Password.create(@secret, key_len: 512)
-    expect((SCrypt::Password.new(@password.to_s) == @secret)).to be(true)
+  it 'properly compares a non-standard hash' do
+    @password = SCrypt::Password.create(@secret, key_len: 64, max_time: 0.01)
+    expect(@password == @secret).to be true
   end
 end
 
 describe 'Old-style hashes' do
-  before :each do
+  before do
     @secret = 'my secret'
     @hash = '400$8$d$173a8189751c095a29b933789560b73bf17b2e01$9bf66d74bd6f3ebcf99da3b379b689b89db1cb07'
   end
 
-  it 'should compare successfully' do
-    expect((SCrypt::Password.new(@hash) == @secret)).to be(true)
+  it 'compares successfully' do
+    expect(SCrypt::Password.new(@hash) == @secret).to be true
   end
 end
 
 describe 'Respecting standard ruby behaviors' do
-  it 'should hash as an integer' do
-    password = SCrypt::Password.create('')
-    expect(password.hash).to be_kind_of(Integer)
+  it 'hashes as an integer' do
+    password = SCrypt::Password.create('secret', max_time: 0.01)
+    expect(password.hash).to be_an(Integer)
+  end
+end
+
+describe 'Password validation and parsing' do
+  it 'correctly parses hash components' do
+    password = SCrypt::Password.new('400$8$d$173a8189751c095a29b933789560b73bf17b2e01$9bf66d74bd6f3ebcf99da3b379b689b89db1cb07')
+
+    expect(password.cost).to eq('400$8$d$')
+    expect(password.salt).to eq('173a8189751c095a29b933789560b73bf17b2e01')
+    expect(password.digest).to eq('9bf66d74bd6f3ebcf99da3b379b689b89db1cb07')
+  end
+
+  it 'validates hash format strictly' do
+    valid_hash = '400$8$d$173a8189751c095a29b933789560b73bf17b2e01$9bf66d74bd6f3ebcf99da3b379b689b89db1cb07'
+
+    expect { SCrypt::Password.new(valid_hash) }.not_to raise_error
+    expect { SCrypt::Password.new('invalid') }.to raise_error(SCrypt::Errors::InvalidHash)
+    expect { SCrypt::Password.new('') }.to raise_error(SCrypt::Errors::InvalidHash)
+    expect { SCrypt::Password.new('400$8$d$') }.to raise_error(SCrypt::Errors::InvalidHash)
+  end
+
+  it 'handles alias method correctly' do
+    password = SCrypt::Password.create('secret', max_time: 0.01)
+
+    expect(password.is_password?('secret')).to be true
+    expect(password.is_password?('wrong')).to be false
+  end
+end
+
+describe 'Parameter boundary testing' do
+  it 'enforces minimum and maximum key lengths correctly' do
+    # Test minimum key length (should be clamped to 16)
+    password_min = SCrypt::Password.create('secret', key_len: 8, max_time: 0.01)
+    expect(password_min.digest.length).to eq(32) # 16 bytes * 2 (hex encoding)
+
+    # Test maximum key length (should be clamped to 512)
+    password_max = SCrypt::Password.create('secret', key_len: 1024, max_time: 0.01)
+    expect(password_max.digest.length).to eq(1024) # 512 bytes * 2 (hex encoding)
+  end
+
+  it 'enforces minimum and maximum salt sizes correctly' do
+    # Test minimum salt size (should be clamped to 8)
+    password_min = SCrypt::Password.create('secret', salt_size: 4, max_time: 0.01)
+    expect(password_min.salt.length).to eq(16) # 8 bytes * 2 (hex encoding)
+
+    # Test maximum salt size (should be clamped to 32)
+    password_max = SCrypt::Password.create('secret', salt_size: 64, max_time: 0.01)
+    expect(password_max.salt.length).to eq(64) # 32 bytes * 2 (hex encoding)
   end
 end

data/spec/scrypt/utils_spec.rb

@@ -3,12 +3,53 @@
 require File.expand_path(File.join(File.dirname(__FILE__), '..', 'spec_helper'))
 
 describe 'Security Utils' do
-  it 'should perform a string comparison' do
-    expect(SCrypt::SecurityUtils.secure_compare('a', 'a')).to equal(true)
-    expect(SCrypt::SecurityUtils.secure_compare('a', 'b')).to equal(false)
-    expect(SCrypt::SecurityUtils.secure_compare('aa', 'aa')).to equal(true)
-    expect(SCrypt::SecurityUtils.secure_compare('aa', 'ab')).to equal(false)
-    expect(SCrypt::SecurityUtils.secure_compare('aa', 'aaa')).to equal(false)
-    expect(SCrypt::SecurityUtils.secure_compare('aaa', 'aa')).to equal(false)
+  describe '.secure_compare' do
+    it 'performs a string comparison correctly' do
+      expect(SCrypt::SecurityUtils.secure_compare('a', 'a')).to equal(true)
+      expect(SCrypt::SecurityUtils.secure_compare('a', 'b')).to equal(false)
+      expect(SCrypt::SecurityUtils.secure_compare('aa', 'aa')).to equal(true)
+      expect(SCrypt::SecurityUtils.secure_compare('aa', 'ab')).to equal(false)
+    end
+
+    it 'returns false for different length strings' do
+      expect(SCrypt::SecurityUtils.secure_compare('aa', 'aaa')).to equal(false)
+      expect(SCrypt::SecurityUtils.secure_compare('aaa', 'aa')).to equal(false)
+      expect(SCrypt::SecurityUtils.secure_compare('', 'a')).to equal(false)
+      expect(SCrypt::SecurityUtils.secure_compare('a', '')).to equal(false)
+    end
+
+    it 'handles empty strings correctly' do
+      expect(SCrypt::SecurityUtils.secure_compare('', '')).to equal(true)
+    end
+
+    it 'handles binary data correctly' do
+      binary1 = "\x00\x01\x02\x03"
+      binary2 = "\x00\x01\x02\x03"
+      binary3 = "\x00\x01\x02\x04"
+
+      expect(SCrypt::SecurityUtils.secure_compare(binary1, binary2)).to equal(true)
+      expect(SCrypt::SecurityUtils.secure_compare(binary1, binary3)).to equal(false)
+    end
+
+    it 'handles unicode strings correctly' do
+      unicode1 = 'héllo'
+      unicode2 = 'héllo'
+      unicode3 = 'hello'
+
+      expect(SCrypt::SecurityUtils.secure_compare(unicode1, unicode2)).to equal(true)
+      expect(SCrypt::SecurityUtils.secure_compare(unicode1, unicode3)).to equal(false)
+    end
+
+    it 'is resistant to timing attacks' do
+      # This test ensures the function takes constant time regardless of where differences occur
+      long_string1 = ('a' * 1000) + 'x'
+      long_string2 = ('a' * 1000) + 'y'
+      long_string3 = 'x' + ('a' * 1000)
+      long_string4 = 'y' + ('a' * 1000)
+
+      # All of these should return false and take similar time
+      expect(SCrypt::SecurityUtils.secure_compare(long_string1, long_string2)).to equal(false)
+      expect(SCrypt::SecurityUtils.secure_compare(long_string3, long_string4)).to equal(false)
+    end
   end
 end

data/spec/spec_helper.rb

@@ -4,4 +4,44 @@ $LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__) + '/../lib'))
 
 require 'rubygems'
 require 'rspec'
+require 'yaml'
 require 'scrypt'
+
+# Load shared examples
+Dir[File.expand_path('support/**/*.rb', __dir__)].each { |f| require f }
+
+# Load test fixtures
+TEST_VECTORS = YAML.load_file(File.expand_path('fixtures/test_vectors.yml', __dir__)).freeze
+
+RSpec.configure do |config|
+  # Use documentation format for better output
+  config.default_formatter = 'doc' if config.files_to_run.one?
+
+  # Run specs in random order to surface order dependencies
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option
+  Kernel.srand config.seed
+
+  # Allow more verbose output when running a single file
+  config.filter_run_when_matching :focus
+
+  # Enable expect syntax (recommended)
+  config.expect_with :rspec do |expectations|
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+    # Disable deprecated should syntax
+    expectations.syntax = :expect
+  end
+
+  # Configure mocks
+  config.mock_with :rspec do |mocks|
+    mocks.verify_partial_doubles = true
+  end
+
+  # Enable shared context metadata behavior
+  config.shared_context_metadata_behavior = :apply_to_host_groups
+
+  # Configure warnings and deprecations
+  config.warnings = true
+  config.raise_errors_for_deprecations!
+end

data/spec/support/shared_examples.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+# Shared examples for SCrypt tests
+RSpec.shared_examples 'a valid scrypt hash' do
+  it 'has the correct format' do
+    expect(subject).to match(/^[0-9a-z]+\$[0-9a-z]+\$[0-9a-z]+\$[A-Za-z0-9]+\$[A-Za-z0-9]+$/)
+  end
+
+  it 'is a string' do
+    expect(subject).to be_a(String)
+  end
+end
+
+RSpec.shared_examples 'a valid cost string' do
+  it 'has the correct format' do
+    expect(subject).to match(/^[0-9a-z]+\$[0-9a-z]+\$[0-9a-z]+\$$/)
+  end
+
+  it 'is valid according to Engine.valid_cost?' do
+    expect(SCrypt::Engine.valid_cost?(subject)).to be(true)
+  end
+end
+
+RSpec.shared_examples 'a valid salt string' do
+  it 'has the correct format' do
+    expect(subject).to match(/^[0-9a-z]+\$[0-9a-z]+\$[0-9a-z]+\$[A-Za-z0-9]{16,64}$/)
+  end
+
+  it 'is valid according to Engine.valid_salt?' do
+    expect(SCrypt::Engine.valid_salt?(subject)).to be(true)
+  end
+end
+
+RSpec.shared_examples 'proper input validation' do |method, args, error_class, error_message|
+  it "raises #{error_class} for invalid input" do
+    expect { subject.send(method, *args) }.to raise_error(error_class, error_message)
+  end
+end
+
+RSpec.shared_examples 'deterministic output' do |method, args|
+  it 'produces the same output for the same input' do
+    result1 = subject.send(method, *args)
+    result2 = subject.send(method, *args)
+    expect(result1).to eq(result2)
+  end
+end

data/spec/support/test_helpers.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module TestHelpers
+  # Common test data
+  VALID_SECRETS = [
+    'simple_password',
+    'complex_password_123!@#',
+    '',
+    'unicode_tésting',
+    '🔒secure🔑'
+  ].freeze
+
+  INVALID_HASH_FORMATS = [
+    '',
+    'invalid',
+    '400$8$d$invalid',
+    '400$8$d$173a8189751c095a29b933789560b73bf17b2e01',
+    '400$8$d$173a8189751c095a29b933789560b73bf17b2e01$'
+  ].freeze
+
+  INVALID_SALT_FORMATS = [
+    '',
+    'invalid',
+    'nino',
+    '400$8$d$'
+  ].freeze
+
+  # Helper methods
+  def self.generate_test_password(secret = 'test_secret', options = {})
+    default_options = { max_time: 0.05 }
+    SCrypt::Password.create(secret, default_options.merge(options))
+  end
+
+  def self.generate_test_salt(options = {})
+    default_options = { max_time: 0.05 }
+    SCrypt::Engine.generate_salt(default_options.merge(options))
+  end
+
+  def self.reset_calibration
+    SCrypt::Engine.calibrated_cost = nil
+  end
+end
+
+# Include helper methods in RSpec
+RSpec.configure do |config|
+  config.include TestHelpers
+end