Merge pull request #9995 from tejasdrolia/BEE-51743

[JENKINS-74858] Added validation for Password length in FIPS mode
jenkinsci · Dec 5, 2024 · 0f0b023 · 0f0b023
2 parents 7d8d2a6 + 4d32ed8
commit 0f0b023
Show file tree

Hide file tree

Showing 2 changed files with 88 additions and 0 deletions.
diff --git a/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java b/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
@@ -839,6 +839,10 @@ public Details newInstance(StaplerRequest2 req, JSONObject formData) throws Form
                     throw new FormException("Please confirm the password by typing it twice", "user.password2");
                 }
 
+                if (FIPS140.useCompliantAlgorithms() && pwd.length() < FIPS_PASSWORD_LENGTH) {
+                     throw new FormException(Messages.HudsonPrivateSecurityRealm_CreateAccount_FIPS_PasswordLengthInvalid(), "user.password");
+                }
+
                 // will be null if it wasn't encrypted
                 String data = Protector.unprotect(pwd);
                 String data2 = Protector.unprotect(pwd2);

diff --git a/test/src/test/java/hudson/security/HudsonPrivateSecurityRealmFIPSTest.java b/test/src/test/java/hudson/security/HudsonPrivateSecurityRealmFIPSTest.java
@@ -43,6 +43,9 @@
 import org.hamcrest.Matcher;
 import org.hamcrest.Matchers;
 import org.htmlunit.FailingHttpStatusCodeException;
+import org.htmlunit.html.HtmlForm;
+import org.htmlunit.html.HtmlPage;
+import org.htmlunit.html.HtmlPasswordInput;
 import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.For;
@@ -149,6 +152,87 @@ private static void userCreationWithJBCryptPasswordsStep(JenkinsRule j) throws E
                 is("The hashed password was hashed with an incorrect algorithm. Jenkins is expecting $PBKDF2"));
     }
 
+    @Test
+    public void validatePasswordLengthForFIPS() throws Throwable {
+        rjr.then(HudsonPrivateSecurityRealmFIPSTest::validatePasswordLengthForFIPSStep);
+    }
+
+    private static void validatePasswordLengthForFIPSStep(JenkinsRule j) throws Exception {
+        HudsonPrivateSecurityRealm securityRealm = new HudsonPrivateSecurityRealm(false, false, null);
+        j.jenkins.setSecurityRealm(securityRealm);
+
+        User u1 =  securityRealm.createAccount("test", "aValidFipsPass");
+
+        WebClient wc = j.createWebClient();
+        wc.login("test","aValidFipsPass");
+
+        HtmlPage configurePage = wc.goTo(u1.getUrl() + "/security/");
+        HtmlPasswordInput password1 = configurePage.getElementByName("user.password");
+        HtmlPasswordInput password2 = configurePage.getElementByName("user.password2");
+        //Should fail as the password length is <14 (In FIPS mode)
+        password1.setText("mockPassword");
+        password2.setText("mockPassword");
+
+        HtmlForm form = configurePage.getFormByName("config");
+        assertThrows(FailingHttpStatusCodeException.class, () -> {
+            j.submit(form);
+        });
+    }
+
+    @Test
+    public void validatePasswordMismatchForFIPS() throws Throwable {
+        rjr.then(HudsonPrivateSecurityRealmFIPSTest::validatePasswordMismatchForFIPSStep);
+    }
+
+    private static void validatePasswordMismatchForFIPSStep(JenkinsRule j) throws Exception {
+        HudsonPrivateSecurityRealm securityRealm = new HudsonPrivateSecurityRealm(false, false, null);
+        j.jenkins.setSecurityRealm(securityRealm);
+
+        User u1 =  securityRealm.createAccount("test", "aValidFipsPass");
+
+
+        WebClient wc = j.createWebClient();
+        wc.login("test","aValidFipsPass");
+
+        HtmlPage configurePage = wc.goTo(u1.getUrl() + "/security/");
+        HtmlPasswordInput password1 = configurePage.getElementByName("user.password");
+        HtmlPasswordInput password2 = configurePage.getElementByName("user.password2");
+        //should fail as the passwords are different (even though the password length >=14) In FIPS mode
+        password1.setText("14charPassword");
+        password2.setText("14charPa$$word");
+
+        HtmlForm form = configurePage.getFormByName("config");
+        assertThrows(FailingHttpStatusCodeException.class, () -> {
+            j.submit(form);
+        });
+    }
+
+    @Test
+    public void validatePasswordSuccessForFIPS() throws Throwable {
+        rjr.then(HudsonPrivateSecurityRealmFIPSTest::validatePasswordSuccessForFIPSStep);
+    }
+
+    private static void validatePasswordSuccessForFIPSStep(JenkinsRule j) throws Exception {
+        HudsonPrivateSecurityRealm securityRealm = new HudsonPrivateSecurityRealm(false, false, null);
+        j.jenkins.setSecurityRealm(securityRealm);
+
+        User u1 =  securityRealm.createAccount("test", "aValidFipsPass");
+
+        WebClient wc = j.createWebClient();
+        wc.login("test","aValidFipsPass");
+
+        HtmlPage configurePage = wc.goTo(u1.getUrl() + "/security/");
+        HtmlPasswordInput password1 = configurePage.getElementByName("user.password");
+        HtmlPasswordInput password2 = configurePage.getElementByName("user.password2");
+        //should pass as the passwords are same and length >=14 In FIPS mode.
+        password1.setText("14charPassword");
+        password2.setText("14charPassword");
+
+        HtmlForm form = configurePage.getFormByName("config");
+        HtmlPage success = j.submit(form);
+        assertThat(success.getWebResponse().getStatusCode(), is(200));
+    }
+
     private static Matcher<LogRecord> incorrectHashingLogEntry() {
         return Matchers.hasProperty("message",
                 is("A password appears to be stored (or is attempting to be stored) that was created with a different hashing/encryption algorithm, check the FIPS-140 state of the system has not changed inadvertently"));