vigilar/tests/unit/test_cli_set_pin.py

"""Tests for `vigilar config set-pin`."""

from click.testing import CliRunner

from vigilar.alerts.pin import verify_pin
from vigilar.cli.cmd_config import config_cmd


def test_set_pin_outputs_pbkdf2_hash_under_security_section():
    """The CLI must emit a hash that alerts.pin.verify_pin can validate,
    and direct the user to [security] pin_hash (not [system] arm_pin_hash)."""
    runner = CliRunner()
    result = runner.invoke(config_cmd, ["set-pin"], input="1234\n1234\n")

    assert result.exit_code == 0, result.output
    # The output must direct the user to the [security] section
    assert "[security]" in result.output
    assert "arm_pin_hash" not in result.output
    assert "pin_hash" in result.output

    # Extract the emitted hash (line starts with `pin_hash = "..."`)
    hash_line = next(
        line for line in result.output.splitlines() if line.strip().startswith("pin_hash")
    )
    hash_value = hash_line.split('"')[1]

    # Round-trip: the emitted hash must accept the plaintext PIN
    assert verify_pin("1234", hash_value) is True
    assert verify_pin("0000", hash_value) is False
    # And it must be in PBKDF2 format (not the legacy HMAC "secret:mac" format)
    assert hash_value.startswith("pbkdf2_sha256$")