From: Tom Hughes
Date: Tue, 5 Sep 2023 16:22:04 +0000 (+0100)
Subject: Merge remote-tracking branch 'upstream/pull/4231'
X-Git-Tag: live~1085
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/dc6e30bab61b02950133dea320c2138a8c251bf9?hp=caf49bb25d94f370cbd4ef9b3033e7f319aa6eaa
Merge remote-tracking branch 'upstream/pull/4231'
---
diff --git a/Gemfile.lock b/Gemfile.lock
index e58f26e1a..13c1a5927 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -79,14 +79,14 @@ GEM
 annotate (3.2.0)
 activerecord (>= 3.2, < 8.0)
 rake (>= 10.4, < 14.0)
- argon2 (2.2.0)
+ argon2 (2.3.0)
 ffi (~> 1.15)
 ffi-compiler (~> 1.0)
 ast (2.4.2)
 autoprefixer-rails (10.4.13.0)
 execjs (~> 2)
 aws-eventstream (1.2.0)
- aws-partitions (1.813.0)
+ aws-partitions (1.816.0)
 aws-sdk-core (3.181.0)
 aws-eventstream (~> 1, >= 1.0.2)
 aws-partitions (~> 1, >= 1.651.0)
@@ -228,8 +228,8 @@ GEM
 fspath (3.1.2)
 gd2-ffij (0.4.0)
 ffi (>= 1.0.0)
- globalid (1.1.0)
- activesupport (>= 5.0)
+ globalid (1.2.0)
+ activesupport (>= 6.1)
 hashdiff (1.0.1)
 hashie (5.0.0)
 highline (2.1.0)
@@ -368,7 +368,7 @@ GEM
 parser (3.2.2.3)
 ast (~> 2.4.1)
 racc
- pg (1.5.3)
+ pg (1.5.4)
 popper_js (2.11.8)
 progress (3.6.0)
 public_suffix (5.0.3)
@@ -433,7 +433,7 @@ GEM
 rack (>= 1.4)
 rexml (3.2.6)
 rinku (2.0.6)
- rotp (6.2.2)
+ rotp (6.3.0)
 rouge (4.1.3)
 rubocop (1.56.2)
 base64 (~> 0.1.1)
@@ -453,7 +453,7 @@ GEM
 rubocop (~> 1.41)
 rubocop-factory_bot (2.23.1)
 rubocop (~> 1.33)
- rubocop-minitest (0.31.0)
+ rubocop-minitest (0.31.1)
 rubocop (>= 1.39, < 2.0)
 rubocop-performance (1.19.0)
 rubocop (>= 1.7.0, < 2.0)
@@ -482,7 +482,7 @@ GEM
 sprockets-rails
 tilt
 secure_headers (6.5.0)
- selenium-webdriver (4.11.0)
+ selenium-webdriver (4.12.0)
 rexml (~> 3.2, >= 3.2.5)
 rubyzip (>= 1.2.2, < 3.0)
 websocket (~> 1.0)
@@ -523,7 +523,7 @@ GEM
 i18n
 vendorer (0.2.0)
 version_gem (1.1.3)
- webmock (3.19.0)
+ webmock (3.19.1)
 addressable (>= 2.8.0)
 crack (>= 0.3.2)
 hashdiff (>= 0.4.0, < 2.0.0)
diff --git a/test/lib/password_hash_test.rb b/test/lib/password_hash_test.rb
index 54450b186..2a42de123 100644
--- a/test/lib/password_hash_test.rb
+++ b/test/lib/password_hash_test.rb
@@ -28,16 +28,18 @@ class PasswordHashTest < ActiveSupport::TestCase
 assert PasswordHash.upgrade?("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtM7eD8huvanFT5/WtWaCwdOdrir8QOtFwxhO0A=")
 end

- def test_argon2_upgradeable
- assert PasswordHash.check("$argon2id$v=19$m=65536,t=1,p=1$KXGHWfWMf5H5kY4uU3ua8A$YroVvX6cpJpljTio62k19C6UpuIPtW7me2sxyU2dyYg", nil, "password")
- assert_not PasswordHash.check("$argon2id$v=19$m=65536,t=1,p=1$KXGHWfWMf5H5kY4uU3ua8A$YroVvX6cpJpljTio62k19C6UpuIPtW7me2sxyU2dyYg", nil, "wrong")
- assert PasswordHash.upgrade?("$argon2id$v=19$m=65536,t=1,p=1$KXGHWfWMf5H5kY4uU3ua8A$YroVvX6cpJpljTio62k19C6UpuIPtW7me2sxyU2dyYg", nil)
- end
-
- def test_argon2
+ def test_argon2_t2_m16_p1
 assert PasswordHash.check("$argon2id$v=19$m=65536,t=2,p=1$b2E7zSvjT6TC5DXrqvfxwg$P4hly807ckgYc+kfvaf3rqmJcmKStzw+kV14oMaz8PQ", nil, "password")
 assert_not PasswordHash.check("$argon2id$v=19$m=65536,t=2,p=1$b2E7zSvjT6TC5DXrqvfxwg$P4hly807ckgYc+kfvaf3rqmJcmKStzw+kV14oMaz8PQ", nil, "wrong")
- assert_not PasswordHash.upgrade?("$argon2id$v=19$m=65536,t=2,p=1$b2E7zSvjT6TC5DXrqvfxwg$P4hly807ckgYc+kfvaf3rqmJcmKStzw+kV14oMaz8PQ", nil)
+ assert_not PasswordHash.check("$argon2id$v=19$m=65536,t=2,p=1$b2E7zSvwrong5DXrqvfxwg$P4hly807ckgYc+kfvaf3rqmJcmKStzw+kV14oMaz8PQ", nil, "password")
+ assert PasswordHash.upgrade?("$argon2id$v=19$m=65536,t=2,p=1$b2E7zSvjT6TC5DXrqvfxwg$P4hly807ckgYc+kfvaf3rqmJcmKStzw+kV14oMaz8PQ", nil)
+ end
+
+ def test_argon2_t3_m16_p4
+ assert PasswordHash.check("$argon2id$v=19$m=65536,t=3,p=4$uxzL4aYTEDTRr2+KNA1qNQ$yuNOtH+IsCwWUbE4OGu+hIC0e4iyZ2wGhaCsQY1mJpI", nil, "password")
+ assert_not PasswordHash.check("$argon2id$v=19$m=65536,t=3,p=4$uxzL4aYTEDTRr2+KNA1qNQ$yuNOtH+IsCwWUbE4OGu+hIC0e4iyZ2wGhaCsQY1mJpI", nil, "wrong")
+ assert_not PasswordHash.check("$argon2id$v=19$m=65536,t=3,p=4$uxzL4aYwrongr2+KNA1qNQ$yuNOtH+IsCwWUbE4OGu+hIC0e4iyZ2wGhaCsQY1mJpI", nil, "password")
+ assert_not PasswordHash.upgrade?("$argon2id$v=19$m=65536,t=3,p=4$uxzL4aYTEDTRr2+KNA1qNQ$yuNOtH+IsCwWUbE4OGu+hIC0e4iyZ2wGhaCsQY1mJpI", nil)
 end

 def test_default
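Review bot: The `m=65536,t=1,p=1` vector from the removed `test_argon2_upgradeable` no longer has any coverage, so nothing in this hunk checks that a hash stored with those parameters still verifies and is still reported by `PasswordHash.upgrade?`. If such hashes can still exist in stored user records, keep that case as `test_argon2_t1_m16_p1` with its three assertions unchanged, next to the new t=2 and t=3 tests. The flipped expectation in `test_argon2_t2_m16_p1` (`assert PasswordHash.upgrade?` where the old test had `assert_not`) presumably follows the argon2 2.2.0 to 2.3.0 bump in Gemfile.lock; a one-line comment above `test_argon2_t3_m16_p4` such as `# t=3, p=4: current argon2 gem defaults, so no upgrade expected (confirm against the gem)` would tell the next reader why only that parameter set counts as current. The PasswordHashTest class starts before the hunk and continues past its last line.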