[Brig] Move password verification to the AuthenticationSubsystem, move to Argon2id with new settings. by elland · Pull Request #4271 · wireapp/wire-server

elland · 2024-09-26T07:26:19Z

https://wearezeta.atlassian.net/browse/WPB-9746

Checklist

Add a new entry in an appropriate subdirectory of changelog.d
Read and follow the PR guidelines

mdimjasevic

Here is a partial review

libs/wire-api/src/Wire/API/Password.hs

libs/wire-subsystems/src/Wire/AuthenticationSubsystem.hs

mdimjasevic · 2024-10-03T09:56:08Z

libs/wire-subsystems/src/Wire/AuthenticationSubsystem/Interpreter.hs

Suggested change

PasswordStore.lookupHashedProviderPassword pid

>>= maybe (throw AuthenticationSubsystemBadCredentials) pure

PasswordStore.lookupHashedProviderPassword pid >>= noteS @'AuthenticationSubsystemBadCredentials

noteS has a different type signature, forcing us the thread the specific error as a member of every function in the call chain 🤔 is that something we want here?

The call chain ain't long here. Note that this is in the interpreter, not the application code. I expect we call this interpreter only once.

mdimjasevic · 2024-10-03T09:56:38Z

libs/wire-subsystems/src/Wire/AuthenticationSubsystem/Interpreter.hs

libs/wire-subsystems/src/Wire/PasswordStore/Cassandra.hs

services/brig/brig.integration.yaml

services/brig/src/Brig/API/OAuth.hs

mdimjasevic · 2024-10-03T10:05:23Z

Have you searched for all usages of mkSafePasswordScrypt and checked that's as expected?

mdimjasevic

Some more comments inlined.

Given that this is changing the default hashing algorithm, and we forgot to do it before in some places, what would be good tests to add to capture this change?

services/brig/src/Brig/Data/User.hs

mdimjasevic · 2024-10-03T11:08:28Z

services/brig/src/Brig/Data/User.hs

Don't we have an equivalent in the UserStore effect?

services/brig/src/Brig/Provider/API.hs

Makefile

libs/wire-api/src/Wire/API/Password.hs

libs/wire-subsystems/src/Wire/AuthenticationSubsystem.hs

akshaymankar · 2024-10-07T09:33:46Z

libs/wire-subsystems/src/Wire/AuthenticationSubsystem.hs

+  VerifyPasswordError :: Local UserId -> PlainTextPassword6 -> AuthenticationSubsystem m ()
  CreatePasswordResetCode :: EmailKey -> AuthenticationSubsystem m ()
  ResetPassword :: PasswordResetIdentity -> PasswordResetCode -> PlainTextPassword8 -> AuthenticationSubsystem m ()
+  VerifyPassword :: PlainTextPassword6 -> Password -> AuthenticationSubsystem m (Bool, PasswordStatus)


From perspective of the AuthenticationSubsystem API this looks weird, why does anyone else have access to the hashed password outside this subsystem?

I would consider this a temporary problem. This is used in Brig.API.User, it should go away as we move more of that logic into subsystems.

libs/wire-api/src/Wire/API/Password.hs

services/brig/brig.integration.yaml

services/brig/src/Brig/Data/User.hs

changelog.d/5-internal/pwd

libs/wire-subsystems/test/unit/Wire/MockInterpreters/HashPassword.hs

echoes-hq bot added the echoes: technical-roadmap/security More specific category, to highlight task that tackle security requirements. label Sep 26, 2024

zebot added the ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist label Sep 26, 2024

fisx changed the title ~~Move password verification to the AuthenticationSubsystem, move to Argon2id with default settings.~~ [WPB-9746] Move password verification to the AuthenticationSubsystem, move to Argon2id with default settings. Sep 26, 2024

elland force-pushed the wpb-9746/password branch from cdb06a4 to 8189763 Compare September 26, 2024 12:02

elland changed the title ~~[WPB-9746] Move password verification to the AuthenticationSubsystem, move to Argon2id with default settings.~~ [Brig] Move password verification to the AuthenticationSubsystem, move to Argon2id with default settings. Sep 26, 2024

elland force-pushed the wpb-9746/password branch 5 times, most recently from d87fbc1 to e4cb90f Compare October 2, 2024 12:45

mdimjasevic reviewed Oct 3, 2024

View reviewed changes

elland force-pushed the wpb-9746/password branch from da03847 to 5ced70d Compare October 3, 2024 13:23

elland added 16 commits October 7, 2024 08:59

Use Argon2id instead of scrypt, with default params.

0cd1e5e

Added verifyPassword to subsystem

f96f501

Improved handling of pwds between bots and users.

0ee6927

[brig] Use auth subsystem to verify pwds.

33ebee7

Adapt argon2id params.

4b22fc4

Adjusted params again, updated tests.

f4ce01a

Fixed test.

e8954ca

Added changelog.

cda7431

Fixed bug with provider pwd.

0c48e8d

Increase tolerance for local user suspension in integration tests.

789bc9b

Use Scrypt for OAuth.

7ba0b80

[wip] Use scrypt in select places.

a4c3b96

Clean up pragma.

6fc7577

Extract rabbit queue into own make cmd.

1adaaca

Updating provider pwd to argon.

47b0dcb

Restored argon for provider new acc.

cca6c0a

Test using only Scrypt.

dfc9fc0

elland force-pushed the wpb-9746/password branch from db9b19b to c1efb01 Compare October 7, 2024 06:59

Renamed function, restored argon2id.

0cd22c4

elland force-pushed the wpb-9746/password branch from c1efb01 to 0cd22c4 Compare October 7, 2024 07:04

elland added 3 commits October 7, 2024 10:01

Make argon2id hashing quicker.

7f7adab

Make it even lighter.

b927f37

Fixed rebase issue.

6455c8e

akshaymankar reviewed Oct 7, 2024

View reviewed changes

elland added 6 commits October 7, 2024 15:22

Refactored Password, cleaning up code and exports.

791eb35

Fixed tests.

4b724e7

Updated Scrypt params.

004900e

Added importand TODO for tomorrow.

7ef7275

Adjusted argon2 values, forced strictness on hashing.

481bbd1

Cleanup + reduce memory usage of argon2id for now.

14f80e9

elland force-pushed the wpb-9746/password branch from 1cae602 to 14f80e9 Compare October 8, 2024 07:46

battermann approved these changes Oct 8, 2024

View reviewed changes

libs/wire-api/src/Wire/API/Password.hs Outdated Show resolved Hide resolved

elland added 2 commits October 8, 2024 10:00

hi ci

f4c4804

lowered argon2id settings again.

12f413d

elland changed the title ~~[Brig] Move password verification to the AuthenticationSubsystem, move to Argon2id with default settings.~~ [Brig] Move password verification to the AuthenticationSubsystem, move to Argon2id with new settings. Oct 8, 2024

Adjusting values after running Kratos

7c47c67

elland merged commit 1f13ef2 into develop Oct 9, 2024

elland deleted the wpb-9746/password branch October 9, 2024 06:49

zebot mentioned this pull request Oct 9, 2024

Release 2024-10-09 - (expected chart version 5.6.0) #4288

Closed

fisx reviewed Oct 11, 2024

View reviewed changes

fisx mentioned this pull request Oct 11, 2024

[feat] Allow configuring argon2id parameters #4291

Merged

2 tasks

This was referenced Oct 23, 2024

Release 2024-10-23 - (expected chart version 5.6.0) #4305

Closed

Release 2024-10-25 - (expected chart version 5.6.0) #4312

Closed

	PasswordStore.lookupHashedProviderPassword pid
	>>= maybe (throw AuthenticationSubsystemBadCredentials) pure
	PasswordStore.lookupHashedProviderPassword pid >>= noteS @'AuthenticationSubsystemBadCredentials

Conversation

elland commented Sep 26, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Checklist

Uh oh!

mdimjasevic left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mdimjasevic commented Oct 3, 2024

Uh oh!

mdimjasevic left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

elland commented Sep 26, 2024 •

edited

Loading