Enhance password validation tests with more test vectors

fmount · fmount · commit fb83fe14f140 · 2026-02-23T23:31:23.000+01:00
This patch reorganizes the way we test the new PasswordValidator method
due to the increased patterns that we want to test to validate the
existing components. In particular:
- Add TestVector struct to support structured test case definitions
- Add comprehensive test coverage for various password patterns:
  * Fernet encryption key format validation
  * Alphanumeric-only password patterns (tr command generated)
  * Shell expansion attack vector detection

Signed-off-by: Francesco Pantano &lt;fpantano@redhat.com&gt;
diff --git a/modules/common/secret/password_test.go b/modules/common/secret/password_test.go
@@ -19,11 +19,21 @@ package secret
 import (
 	. "github.com/onsi/gomega" // nolint:revive
 	"regexp"
+	"slices"
 	"testing"
 )
 
 const ErrMsg string = "password does not meet the requirements"
 
+// TestVector -
+type TestVector struct {
+	name     string
+	password string
+	wantErr  bool
+	errMsg   string
+}
+
+// Pattern definition (requirements and reject rules)
 var testRequirements []Rule = []Rule{
 	{
 		description: "Must contain at least one digit",
@@ -50,6 +60,201 @@ var testRejects []Rule = []Rule{
 	},
 }
 
+// Input TestVectors
+// 1. Fernet pattern
+// 2. alphaNumPattern
+// 3. validPattern
+// 4. Invalid patterns
+var fernetPattern []TestVector = []TestVector{
+	// Fernet pattern:
+	// python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode(' UTF-8'))";
+	{
+		name:     "Fernet Pattern Test 1",
+		password: "dzUSgMefMDi3Mrq-PF8p4lHoOdF-ps_oDQB9-KzS-j0=",
+		wantErr:  false,
+	},
+	{
+		name:     "Fernet Pattern Test 2",
+		password: "7Q0cfVtxqzZMKWhY5LJQF4sImYyOvC_BYYd-yg2GvUg=",
+		wantErr:  false,
+	},
+	{
+		name:     "Fernet Pattern Test 3",
+		password: "UjQSpLh2WGEIFZ1Y-QCSiUr4aE76Wu3YdYLTStyEK1c=",
+		wantErr:  false,
+	},
+	{
+		name:     "Fernet Pattern Test 4",
+		password: "UWtR_BCTgszn2kDhz_yxBoxxiHytMB1IR0t200uRD2s=",
+		wantErr:  false,
+	},
+	{
+		name:     "Fernet Pattern Test 5",
+		password: "7cXj_fYimZ1WNu_87kNj4WM6JaI2KqCL3In2WZhAD7I=",
+		wantErr:  false,
+	},
+}
+
+var alphaNumPattern []TestVector = []TestVector{
+	// $(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32 | base64)
+	{
+		name:     "Default pattern 1",
+		password: "QTFkZ1U2VnF3RWdXWjZuQW9teUo2dHlEUk43UWtaOHM=",
+		wantErr:  false,
+	},
+	{
+		name:     "Default pattern 2",
+		password: "SlBVUm9OUVhEOWpjOHJsNkJmTENNbnlENjJvMU5yc1A=",
+		wantErr:  false,
+	},
+	{
+		name:     "Default pattern 3",
+		password: "QzA5ejh5a1ZoWVIxbk1LUmZ4elJNMVBQNFNVdzdhaG0=",
+		wantErr:  false,
+	},
+	{
+		name:     "Default pattern 4",
+		password: "ckIwWk1MUnRsSmtqdGFseThmRkYyUlhUUDdXUXhOcmc=",
+		wantErr:  false,
+	},
+	{
+		name:     "Default pattern 5",
+		password: "aUxHdDRDcFR4amM2MXg4bVBoaGU2blBJRHFER3hoMFU=",
+		wantErr:  false,
+	},
+}
+
+var validPattern []TestVector = []TestVector{
+	// Valid password scenarios
+	{
+		name:     "valid password with all requirements",
+		password: "Password123",
+		wantErr:  false,
+	},
+	{
+		name:     "valid password with minimum length",
+		password: "Abcdef12",
+		wantErr:  false,
+	},
+	{
+		name:     "valid password with longer length",
+		password: "MySecurePassword123",
+		wantErr:  false,
+	},
+	{
+		name:     "valid password with allowed special characters",
+		password: "Password123!@+=._-",
+		wantErr:  false,
+	},
+	{
+		name:     "valid password with semicolon",
+		password: "Password123;allowed",
+		wantErr:  false,
+	},
+	{
+		name:     "valid password with angle brackets",
+		password: "Password123<valid>",
+		wantErr:  false,
+	},
+	{
+		name:     "valid password with caret character",
+		password: "Password123^valid",
+		wantErr:  false,
+	},
+	{
+		name:     "valid password with percent character",
+		password: "Password123%valid",
+		wantErr:  false,
+	},
+	{
+		name:     "valid password with safe metacharacters",
+		password: "Password123*?{}[]|&~#'\"",
+		wantErr:  false,
+	},
+	{
+		name:     "valid password with isolated dollar and number",
+		password: "Password123$123",
+		wantErr:  false,
+	},
+}
+
+var invalidPattern []TestVector = []TestVector{
+	// Invalid password scenarios - shell expansion patterns
+	{
+		name:     "password made by all numbers",
+		password: "12345678",
+		wantErr:  true,
+	},
+	{
+		name:     "empty password",
+		password: "",
+		wantErr:  true,
+		errMsg:   "empty password not allowed",
+	},
+	{
+		name:     "password without uppercase",
+		password: "password123",
+		wantErr:  true,
+	},
+	{
+		name:     "password without lowercase",
+		password: "PASSWORD123",
+		wantErr:  true,
+	},
+	{
+		name:     "password without digit",
+		password: "PasswordABC",
+		wantErr:  true,
+	},
+	{
+		name:     "password too short",
+		password: "Pass12",
+		wantErr:  true,
+	},
+	{
+		name:     "password with variable expansion",
+		password: "Password123$HOME",
+		wantErr:  true,
+		errMsg:   ErrMsg,
+	},
+	{
+		name:     "password with variable expansion underscore",
+		password: "Password123$USER_NAME",
+		wantErr:  true,
+		errMsg:   ErrMsg,
+	},
+	{
+		name:     "password with braced variable expansion",
+		password: "Password123${HOME}",
+		wantErr:  true,
+		errMsg:   ErrMsg,
+	},
+	{
+		name:     "password with command substitution",
+		password: "Password123$(echo bad)",
+		wantErr:  true,
+		errMsg:   ErrMsg,
+	},
+	{
+		name:     "password with backtick command substitution",
+		password: "Password123`echo bad`",
+		wantErr:  true,
+		errMsg:   ErrMsg,
+	},
+	{
+		name:     "password with complex variable expansion",
+		password: "Password123${VARIABLE_NAME}",
+		wantErr:  true,
+		errMsg:   ErrMsg,
+	},
+	{
+		name:     "shell expansion attack example",
+		password: "c^sometext02%text%text02$someText&",
+		wantErr:  true,
+		errMsg:   ErrMsg,
+	},
+}
+
 func TestValidatePassword(t *testing.T) {
 	// Save original values
 	originalRequirements := requirements
@@ -65,139 +270,16 @@ func TestValidatePassword(t *testing.T) {
 		rejects = originalRejects
 	}()
 
-	tests := []struct {
-		name     string
-		password string
-		wantErr  bool
-		errMsg   string
-	}{
-		// Valid password scenarios
-		{
-			name:     "valid password with all requirements",
-			password: "Password123",
-			wantErr:  false,
-		},
-		{
-			name:     "valid password with minimum length",
-			password: "Abcdef12",
-			wantErr:  false,
-		},
-		{
-			name:     "valid password with longer length",
-			password: "MySecurePassword123",
-			wantErr:  false,
-		},
-		{
-			name:     "valid password with allowed special characters",
-			password: "Password123!@+=._-",
-			wantErr:  false,
-		},
-		{
-			name:     "valid password with semicolon",
-			password: "Password123;allowed",
-			wantErr:  false,
-		},
-		{
-			name:     "valid password with angle brackets",
-			password: "Password123<valid>",
-			wantErr:  false,
-		},
-		{
-			name:     "valid password with caret character",
-			password: "Password123^valid",
-			wantErr:  false,
-		},
-		{
-			name:     "valid password with percent character",
-			password: "Password123%valid",
-			wantErr:  false,
-		},
-		{
-			name:     "valid password with safe metacharacters",
-			password: "Password123*?{}[]|&~#'\"",
-			wantErr:  false,
-		},
-		{
-			name:     "valid password with isolated dollar and number",
-			password: "Password123$123",
-			wantErr:  false,
-		},
-
-		// Invalid password scenarios - shell expansion patterns
-		{
-			name:     "password made by all numbers",
-			password: "12345678",
-			wantErr:  true,
-		},
-		{
-			name:     "empty password",
-			password: "",
-			wantErr:  true,
-			errMsg:   "empty password not allowed",
-		},
-		{
-			name:     "password without uppercase",
-			password: "password123",
-			wantErr:  true,
-		},
-		{
-			name:     "password without lowercase",
-			password: "PASSWORD123",
-			wantErr:  true,
-		},
-		{
-			name:     "password without digit",
-			password: "PasswordABC",
-			wantErr:  true,
-		},
-		{
-			name:     "password too short",
-			password: "Pass12",
-			wantErr:  true,
-		},
-		{
-			name:     "password with variable expansion",
-			password: "Password123$HOME",
-			wantErr:  true,
-			errMsg:   ErrMsg,
-		},
-		{
-			name:     "password with variable expansion underscore",
-			password: "Password123$USER_NAME",
-			wantErr:  true,
-			errMsg:   ErrMsg,
-		},
-		{
-			name:     "password with braced variable expansion",
-			password: "Password123${HOME}",
-			wantErr:  true,
-			errMsg:   ErrMsg,
-		},
-		{
-			name:     "password with command substitution",
-			password: "Password123$(echo bad)",
-			wantErr:  true,
-			errMsg:   ErrMsg,
-		},
-		{
-			name:     "password with backtick command substitution",
-			password: "Password123`echo bad`",
-			wantErr:  true,
-			errMsg:   ErrMsg,
-		},
-		{
-			name:     "password with complex variable expansion",
-			password: "Password123${VARIABLE_NAME}",
-			wantErr:  true,
-			errMsg:   ErrMsg,
-		},
-		{
-			name:     "shell expansion attack example",
-			password: "c^sometext02%text%text02$someText&",
-			wantErr:  true,
-			errMsg:   ErrMsg,
-		},
-	}
+	// Build TestVector
+	var tests []TestVector
+	tests = slices.Concat(
+		tests,
+		validPattern,
+		invalidPattern,
+		alphaNumPattern,
+		fernetPattern,
+	)
+	// Execute ValidatePassword against the generated TestVector
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			g := NewWithT(t)
