Factor WorkFactorChangeDoesNotBreakExistingCredential tests to use table driven tests.

Additional Changes:
* Remove bcrypt Cost type usage to avoid bcrypt import in the test
* Add test for Pbkdf2WorkFactor changes

Author: dhui

credential_test.go

@@ -5,8 +5,6 @@ import (
 	_ "crypto/sha512"
 	"testing"
 
-	"golang.org/x/crypto/bcrypt"
-
 	"github.com/dhui/passhash"
 )
 
@@ -284,72 +282,68 @@ func TestMatchesPasswordUpdateWorkFactor(t *testing.T) {
 	}
 }
 
-func TestScryptWorkFactorMutationDoesNotBreakExistingCredential(t *testing.T) {
-	cfg := passhash.Config{
-		Kdf:         passhash.Scrypt,
-		WorkFactor:  &passhash.ScryptWorkFactor{N: 1024, R: 16, P: 1},
-		SaltSize:    16,
-		KeyLength:   32,
-		AuditLogger: &passhash.DummyAuditLogger{},
-		Store:       passhash.DummyCredentialStore{},
-	}
-	userID := passhash.UserID(1)
-
-	cred, err := cfg.NewCredential(userID, testPassword)
-	if err != nil {
-		t.Fatalf("Unable to create new Credential: %v", err)
-	}
-
-	if matched, _ := cred.MatchesPasswordWithConfig(cfg, testPassword); !matched {
-		t.Fatalf("Password did not match before work factor change")
-	}
-
-	wf := cfg.WorkFactor.(*passhash.ScryptWorkFactor)
-	wf.N *= 2
-
-	if matched, _ := cred.MatchesPasswordWithConfig(cfg, testPassword); !matched {
-		t.Fatalf("Password did not match after work factor change; credential should be stable")
-	}
+var configWorkFactorChangeDoesNotBreakExistingCredentialTests = map[string]struct {
+	kdf       passhash.Kdf
+	wf        passhash.WorkFactor
+	wfMutator func(passhash.WorkFactor)
+}{
+	"pbkdf2 WorkFactor": {
+		kdf: passhash.Pbkdf2Sha256,
+		wf:  &passhash.Pbkdf2WorkFactor{Iter: 10},
+		wfMutator: func(wf passhash.WorkFactor) {
+			wf.(*passhash.Pbkdf2WorkFactor).Iter -= 1
+		},
+	},
+	"bcrypt WorkFactor": {
+		kdf: passhash.Bcrypt,
+		wf:  &passhash.BcryptWorkFactor{Cost: 3},
+		wfMutator: func(wf passhash.WorkFactor) {
+			wf.(*passhash.BcryptWorkFactor).Cost -= 1
+		},
+	},
+	"scrypt WorkFactor": {
+		kdf: passhash.Scrypt,
+		wf:  &passhash.ScryptWorkFactor{N: 16, R: 16, P: 1},
+		wfMutator: func(wf passhash.WorkFactor) {
+			wf.(*passhash.ScryptWorkFactor).N /= 2
+		},
+	},
 }
 
-func TestBcryptWorkFactorMutationTriggersUpgrade(t *testing.T) {
-	cfg := passhash.Config{
-		Kdf:         passhash.Bcrypt,
-		WorkFactor:  &passhash.BcryptWorkFactor{Cost: 10},
-		SaltSize:    16,
-		KeyLength:   32,
-		AuditLogger: &passhash.DummyAuditLogger{},
-		Store:       passhash.DummyCredentialStore{},
-	}
-	userID := passhash.UserID(2)
-
-	cred, err := cfg.NewCredential(userID, testPassword)
-	if err != nil {
-		t.Fatalf("Unable to create new Credential: %v", err)
-	}
-
-	beforeCost, err := bcrypt.Cost(cred.Hash)
-	if err != nil {
-		t.Fatalf("Unable to read bcrypt cost: %v", err)
-	}
-
-	wf := cfg.WorkFactor.(*passhash.BcryptWorkFactor)
-	wf.Cost = beforeCost + 2
-
-	matched, updated := cred.MatchesPasswordWithConfig(cfg, testPassword)
-	if !matched {
-		t.Fatalf("Password did not match after bcrypt work factor change")
-	}
-	if !updated {
-		t.Fatalf("Expected credential to be upgraded after bcrypt work factor change")
-	}
-
-	afterCost, err := bcrypt.Cost(cred.Hash)
-	if err != nil {
-		t.Fatalf("Unable to read bcrypt cost after upgrade: %v", err)
-	}
-	if afterCost <= beforeCost {
-		t.Fatalf("Expected bcrypt cost to increase, got before=%d after=%d", beforeCost, afterCost)
+func TestConfigWorkFactorChangeDoesNotBreakExistingCredential(t *testing.T) {
+	for name, test := range configWorkFactorChangeDoesNotBreakExistingCredentialTests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			cfg := passhash.Config{
+				Kdf:         test.kdf,
+				WorkFactor:  test.wf,
+				SaltSize:    16,
+				KeyLength:   32,
+				AuditLogger: &passhash.DummyAuditLogger{},
+				Store:       passhash.DummyCredentialStore{},
+			}
+
+			userID := passhash.UserID(1)
+			cred, err := cfg.NewCredential(userID, testPassword)
+			if err != nil {
+				t.Fatalf("Unable to create new Credential: %v", err)
+			}
+
+			if matched, _ := cred.MatchesPasswordWithConfig(cfg, testPassword); !matched {
+				t.Fatalf("Password did not match before work factor change")
+			}
+
+			test.wfMutator(test.wf)
+
+			matched, updated := cred.MatchesPasswordWithConfig(cfg, testPassword)
+			if !matched {
+				t.Fatalf("Password did not match after work factor change")
+			}
+			if !updated {
+				t.Fatalf("Expected credential to be upgraded after work factor change")
+			}
+		})
 	}
 }