[JENKINS-75533] Remove jbcrypt mindrot, use Spring Security instead (#10604)

Co-authored-by: Daniel Beck <daniel-beck@users.noreply.github.com>
Co-authored-by: James Nord <jtnord@users.noreply.github.com>

Author: daniel-beck

bom/pom.xml

@@ -206,11 +206,6 @@ THE SOFTWARE.
         <artifactId>groovy-all</artifactId>
         <version>${groovy.version}</version>
       </dependency>
-      <dependency>
-        <groupId>org.connectbot</groupId>
-        <artifactId>jbcrypt</artifactId>
-        <version>1.0.2</version>
-      </dependency>
       <dependency>
         <!-- Groovy shell uses this, but it doesn't declare the dependency -->
         <groupId>org.fusesource.jansi</groupId>

core/pom.xml

@@ -246,10 +246,6 @@ THE SOFTWARE.
       <groupId>org.codehaus.groovy</groupId>
       <artifactId>groovy-all</artifactId>
     </dependency>
-    <dependency>
-      <groupId>org.connectbot</groupId>
-      <artifactId>jbcrypt</artifactId>
-    </dependency>
     <dependency>
       <!-- Groovy shell uses this, but it doesn't declare the dependency -->
       <groupId>org.fusesource.jansi</groupId>

core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java

@@ -91,7 +91,6 @@
 import org.kohsuke.stapler.StaplerRequest2;
 import org.kohsuke.stapler.StaplerResponse2;
 import org.kohsuke.stapler.interceptor.RequirePOST;
-import org.mindrot.jbcrypt.BCrypt;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -100,6 +99,7 @@
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 
 /**
@@ -451,11 +451,12 @@ private SignupInfo validateAccountCreationForm(StaplerRequest2 req, boolean vali
             si.errors.put("password1", Messages.HudsonPrivateSecurityRealm_CreateAccount_PasswordRequired());
         }
 
-        if (FIPS140.useCompliantAlgorithms()) {
-            if (si.password1.length() < FIPS_PASSWORD_LENGTH) {
-                si.errors.put("password1", Messages.HudsonPrivateSecurityRealm_CreateAccount_FIPS_PasswordLengthInvalid());
-            }
+        try {
+            PASSWORD_HASH_ENCODER.encode(si.password1);
+        }  catch (RuntimeException ex) {
+            si.errors.put("password1", ex.getMessage());
         }
+
         if (si.fullname == null || si.fullname.isEmpty()) {
             si.fullname = si.username;
         }
@@ -823,10 +824,6 @@ public Details newInstance(StaplerRequest2 req, JSONObject formData) throws Form
                     throw new FormException("Please confirm the password by typing it twice", "user.password2");
                 }
 
-                if (FIPS140.useCompliantAlgorithms() && pwd.length() < FIPS_PASSWORD_LENGTH) {
-                     throw new FormException(Messages.HudsonPrivateSecurityRealm_CreateAccount_FIPS_PasswordLengthInvalid(), "user.password");
-                }
-
                 // will be null if it wasn't encrypted
                 String data = Protector.unprotect(pwd);
                 String data2 = Protector.unprotect(pwd2);
@@ -849,10 +846,18 @@ public Details newInstance(StaplerRequest2 req, JSONObject formData) throws Form
                 if (data != null) {
                     String prefix = Stapler.getCurrentRequest2().getSession().getId() + ':';
                     if (data.startsWith(prefix)) {
+                        // The password is not being changed
                         return Details.fromHashedPassword(data.substring(prefix.length()));
                     }
                 }
 
+                // The password is being changed
+                try {
+                    PASSWORD_HASH_ENCODER.encode(pwd);
+                } catch (RuntimeException ex) {
+                    throw new FormException(ex.getMessage(), "user.password");
+                }
+
                 User user = Util.getNearestAncestorOfTypeOrThrow(req, User.class);
                 // the UserSeedProperty is not touched by the configure page
                 UserSeedProperty userSeedProperty = user.getProperty(UserSeedProperty.class);
@@ -917,11 +922,10 @@ public Category getCategory() {
         }
     }
 
-    // TODO can we instead use BCryptPasswordEncoder from Spring Security, which has its own copy of BCrypt so we could drop the special library?
     /**
      * {@link PasswordHashEncoder} that uses jBCrypt.
      */
-    static class JBCryptEncoder implements PasswordHashEncoder {
+    static class JBCryptEncoder extends BCryptPasswordEncoder implements PasswordHashEncoder {
         // in jBCrypt the maximum is 30, which takes ~22h with laptop late-2017
         // and for 18, it's "only" 20s
         @Restricted(NoExternalUse.class)
@@ -931,12 +935,14 @@ static class JBCryptEncoder implements PasswordHashEncoder {
 
         @Override
         public String encode(CharSequence rawPassword) {
-            return BCrypt.hashpw(rawPassword.toString(), BCrypt.gensalt());
-        }
-
-        @Override
-        public boolean matches(CharSequence rawPassword, String encodedPassword) {
-            return BCrypt.checkpw(rawPassword.toString(), encodedPassword);
+            try {
+                return super.encode(rawPassword);
+            } catch (IllegalArgumentException ex) {
+                if (ex.getMessage().equals("password cannot be more than 72 bytes")) {
+                    throw new IllegalArgumentException(Messages.HudsonPrivateSecurityRealm_CreateAccount_BCrypt_PasswordTooLong());
+                }
+                throw ex;
+            }
         }
 
         /**
@@ -978,6 +984,9 @@ static class PBKDF2PasswordEncoder implements PasswordHashEncoder {
 
         @Override
         public String encode(CharSequence rawPassword) {
+            if (rawPassword.length() < FIPS_PASSWORD_LENGTH) {
+                throw new IllegalArgumentException(Messages.HudsonPrivateSecurityRealm_CreateAccount_FIPS_PasswordLengthInvalid());
+            }
             try {
                 return generatePasswordHashWithPBKDF2(rawPassword);
             } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {

core/src/main/resources/hudson/security/Messages.properties

@@ -37,6 +37,7 @@ HudsonPrivateSecurityRealm.ManageUserLinks.Description=Create/delete/modify user
 HudsonPrivateSecurityRealm.CreateAccount.TextNotMatchWordInImage=Text didn''t match the word shown in the image
 HudsonPrivateSecurityRealm.CreateAccount.PasswordNotMatch=Password didn''t match
 HudsonPrivateSecurityRealm.CreateAccount.FIPS.PasswordLengthInvalid=Password must be at least 14 characters long
+HudsonPrivateSecurityRealm.CreateAccount.BCrypt.PasswordTooLong=Jenkins’ own user database currently only supports passwords of up to 72 bytes UTF-8 (72 basic ASCII characters, 24-36 CJK characters, or 18 emoji). Please use a shorter password.
 HudsonPrivateSecurityRealm.CreateAccount.PasswordRequired=Password is required
 HudsonPrivateSecurityRealm.CreateAccount.UserNameRequired=User name is required
 HudsonPrivateSecurityRealm.CreateAccount.UserNameInvalidCharacters=User name must only contain alphanumeric characters, underscore and dash

core/src/test/java/hudson/security/HudsonPrivateSecurityRealmTest.java

@@ -1,5 +1,7 @@
 package hudson.security;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -13,7 +15,9 @@
 import java.security.spec.InvalidKeySpecException;
 import java.time.Duration;
 import javax.crypto.SecretKeyFactory;
+import org.junit.Assert;
 import org.junit.jupiter.api.Test;
+import org.jvnet.hudson.test.Issue;
 import org.mockito.Mockito;
 
 public class HudsonPrivateSecurityRealmTest {
@@ -151,4 +155,10 @@ public void testJBCryptPasswordMatching() {
         assertTrue(encoder.matches("thisIsMyPassword", encoded));
         assertFalse(encoder.matches("thisIsNotMyPassword", encoded));
     }
+
+    @Issue("JENKINS-75533")
+    public void ensureExpectedMessage() {
+        final IllegalArgumentException ex = Assert.assertThrows(IllegalArgumentException.class, () -> HudsonPrivateSecurityRealm.PASSWORD_HASH_ENCODER.encode("1234567890123456789012345678901234567890123456789012345678901234567890123"));
+        assertThat(ex.getMessage(), is(Messages.HudsonPrivateSecurityRealm_CreateAccount_BCrypt_PasswordTooLong()));
+    }
 }

test/src/test/java/hudson/security/HudsonPrivateSecurityRealmFIPSTest.java

@@ -35,7 +35,6 @@
 import hudson.logging.LogRecorderManager;
 import hudson.model.User;
 import hudson.security.HudsonPrivateSecurityRealm.Details;
-import java.lang.reflect.Method;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.LogRecord;
@@ -52,13 +51,14 @@
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.JenkinsRule.WebClient;
 import org.jvnet.hudson.test.RealJenkinsRule;
+import org.jvnet.hudson.test.recipes.LocalData;
 
 
 @For(HudsonPrivateSecurityRealm.class)
 public class HudsonPrivateSecurityRealmFIPSTest {
 
-    // the jbcrypt encoded for of "a" without the quotes
-    private static final String JBCRYPT_ENCODED_PASSWORD = "#jbcrypt:$2a$06$m0CrhHm10qJ3lXRY.5zDGO3rS2KdeeWLuGmsfGlMfOxih58VYVfxe";
+    // the bcrypt encoded form of "passwordpassword" without the quotes
+    private static final String JBCRYPT_ENCODED_PASSWORD = "#jbcrypt:$2a$10$Nm37vwdZwJ5T2QTBwYuBYONHD3qKilgd5UO7wuDXI83z5dAdrgi4i";
 
     private static final String LOG_RECORDER_NAME = "HPSR_LOG_RECORDER";
 
@@ -75,7 +75,7 @@ private static void generalLoginStep(JenkinsRule j) throws Exception {
         HudsonPrivateSecurityRealm securityRealm = new HudsonPrivateSecurityRealm(false, false, null);
         j.jenkins.setSecurityRealm(securityRealm);
 
-        User u1 = securityRealm.createAccount("user", "password");
+        User u1 = securityRealm.createAccount("user", "passwordpassword");
         u1.setFullName("A User");
         u1.save();
 
@@ -84,8 +84,8 @@ private static void generalLoginStep(JenkinsRule j) throws Exception {
         assertThat(hashedPassword, startsWith("$PBKDF2$HMACSHA512:210000:"));
 
         try (WebClient wc = j.createWebClient()) {
-            wc.login("user", "password");
-            assertThrows(FailingHttpStatusCodeException.class, () -> wc.login("user", "wrongPass"));
+            wc.login("user", "passwordpassword");
+            assertThrows(FailingHttpStatusCodeException.class, () -> wc.login("user", "wrongPass123456"));
         }
     }
 
@@ -98,19 +98,20 @@ private static void userCreationWithHashedPasswordsStep(JenkinsRule j) throws Ex
         setupLogRecorder();
         HudsonPrivateSecurityRealm securityRealm = new HudsonPrivateSecurityRealm(false, false, null);
         j.jenkins.setSecurityRealm(securityRealm);
-        // "password" after it has gone through the KDF
+        // "passwordpassword" after it has gone through the KDF
         securityRealm.createAccountWithHashedPassword("user_hashed",
-                "$PBKDF2$HMACSHA512:210000:ffbb207b847010af98cdd2b09c79392c$f67c3b985daf60db83a9088bc2439f7b77016d26c1439a9877c4f863c377272283ce346edda4578a5607ea620a4beb662d853b800f373297e6f596af797743a6");
+                "$PBKDF2$HMACSHA512:210000:92857a190ac711436e8a9cb56595d642$0d66e61da0b04283148b4a574422a17762c96c46bcd3aa587b6d447a908367fe8030bd2083dc54313639561d36cc9ac707bed72fc3400465e7dc1d6805cffb66");
 
         try (WebClient wc = j.createWebClient()) {
             // login should succeed
-            wc.login("user_hashed", "password");
-            assertThrows(FailingHttpStatusCodeException.class, () -> wc.login("user_hashed", "password2"));
+            wc.login("user_hashed", "passwordpassword");
+            assertThrows(FailingHttpStatusCodeException.class, () -> wc.login("user_hashed", "passwordpassword2"));
         }
         assertThat(getLogRecords(), not(hasItem(incorrectHashingLogEntry())));
     }
 
     @Test
+    @LocalData
     public void userLoginAfterEnablingFIPS() throws Throwable {
         rjr.then(HudsonPrivateSecurityRealmFIPSTest::userLoginAfterEnablingFIPSStep);
     }
@@ -120,19 +121,10 @@ private static void userLoginAfterEnablingFIPSStep(JenkinsRule j) throws Excepti
         HudsonPrivateSecurityRealm securityRealm = new HudsonPrivateSecurityRealm(false, false, null);
         j.jenkins.setSecurityRealm(securityRealm);
 
-        User u1 = securityRealm.createAccount("user", "a");
-        u1.setFullName("A User");
-        // overwrite the password property using an password created using an incorrect algorithm
-        Method m = Details.class.getDeclaredMethod("fromHashedPassword", String.class);
-        m.setAccessible(true);
-        Details d = (Details) m.invoke(null, JBCRYPT_ENCODED_PASSWORD);
-        u1.addProperty(d);
-
-        u1.save();
-        assertThat(u1.getProperty(Details.class).getPassword(), is(JBCRYPT_ENCODED_PASSWORD));
+        assertThat(securityRealm.getUser("user").getProperty(Details.class).getPassword(), is(JBCRYPT_ENCODED_PASSWORD));
 
         try (WebClient wc = j.createWebClient()) {
-            assertThrows(FailingHttpStatusCodeException.class, () -> wc.login("user", "a"));
+            assertThrows(FailingHttpStatusCodeException.class, () -> wc.login("user", "passwordpassword"));
         }
         assertThat(getLogRecords(), hasItem(incorrectHashingLogEntry()));
     }

test/src/test/java/hudson/security/HudsonPrivateSecurityRealmTest.java

@@ -76,7 +76,7 @@
 import org.jvnet.hudson.test.JenkinsRule.WebClient;
 import org.jvnet.hudson.test.LoggerRule;
 import org.jvnet.hudson.test.TestExtension;
-import org.mindrot.jbcrypt.BCrypt;
+import org.springframework.security.crypto.bcrypt.BCrypt;
 
 @For({UserSeedProperty.class, HudsonPrivateSecurityRealm.class})
 public class HudsonPrivateSecurityRealmTest {
@@ -549,7 +549,7 @@ public void hashedPasswordTest() {
         // password = password
         assertFalse("too big number of iterations", PASSWORD_ENCODER.isPasswordHashed("#jbcrypt:$2a208$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"));
 
-        // until https://github.com/jeremyh/jBCrypt/pull/16 is merged, the lib released and the dep updated, only the version 2a is supported
+        // Supported by Spring Security's BCrypt, but not by the Jenkins wrapper
         assertFalse("unsupported version", PASSWORD_ENCODER.isPasswordHashed("#jbcrypt:$2x$08$Ro0CUfOqk6cXEKf3dyaM7OhSCvnwM9s4wIX9JeLapehKK5YdLxKcm"));
         assertFalse("unsupported version", PASSWORD_ENCODER.isPasswordHashed("#jbcrypt:$2y$06$m0CrhHm10qJ3lXRY.5zDGO3rS2KdeeWLuGmsfGlMfOxih58VYVfxe"));
 
@@ -563,13 +563,15 @@ public void ensureHashingVersion_2a_isSupported() {
     }
 
     @Test
-    public void ensureHashingVersion_2x_isNotSupported() {
-        assertThrows(IllegalArgumentException.class, () -> BCrypt.checkpw("abc", "$2x$08$Ro0CUfOqk6cXEKf3dyaM7OhSCvnwM9s4wIX9JeLapehKK5YdLxKcm"));
+    public void ensureHashingVersion_2x_isSupported() {
+        // See #hashedPasswordTest for the corresponding test going through the Jenkins core wrapper class rejecting 2x
+        assertTrue("version 2x is supported", BCrypt.checkpw("abc", "$2x$08$Ro0CUfOqk6cXEKf3dyaM7OhSCvnwM9s4wIX9JeLapehKK5YdLxKcm"));
     }
 
     @Test
-    public void ensureHashingVersion_2y_isNotSupported() {
-        assertThrows(IllegalArgumentException.class, () -> BCrypt.checkpw("a", "$2y$08$cfcvVd2aQ8CMvoMpP2EBfeodLEkkFJ9umNEfPD18.hUF62qqlC/V."));
+    public void ensureHashingVersion_2y_isSupported() {
+        // See #hashedPasswordTest for the corresponding test going through the Jenkins core wrapper class rejecting 2y
+        assertTrue("version 2y is supported", BCrypt.checkpw("a", "$2y$08$cfcvVd2aQ8CMvoMpP2EBfeodLEkkFJ9umNEfPD18.hUF62qqlC/V."));
     }
 
     private void checkUserCanBeCreatedWith(HudsonPrivateSecurityRealm securityRealm, String id, String password, String fullName, String email) throws Exception {
@@ -759,6 +761,23 @@ public void userCreationWithPBKDFPasswords() throws Exception {
                 is("The hashed password was hashed with an incorrect algorithm. Jenkins is expecting #jbcrypt:"));
     }
 
+    @Issue("JENKINS-75533")
+    public void supportLongerPasswordToLogIn() throws Exception {
+        HudsonPrivateSecurityRealm securityRealm = new HudsonPrivateSecurityRealm(false, false, null);
+        j.jenkins.setSecurityRealm(securityRealm);
+        final String _72CharPass = "123456789012345678901234567890123456789012345678901234567890123456789012";
+        final String username = "user";
+        securityRealm.createAccount(username, _72CharPass);
+        try (WebClient wc = j.createWebClient()) {
+            // can log in with the real 72 byte password
+            wc.login(username, _72CharPass);
+        }
+        try (WebClient wc = j.createWebClient()) {
+            // can log in with even longer password for this edge case
+            wc.login(username, _72CharPass + "345");
+        }
+    }
+
     private static Matcher<LoggerRule> hasIncorrectHashingLogEntry() {
         return LoggerRule.recorded(is(
                 "A password appears to be stored (or is attempting to be stored) that was created with a different hashing/encryption algorithm, check the FIPS-140 state of the system has not changed inadvertently"));

test/src/test/resources/hudson/security/HudsonPrivateSecurityRealmFIPSTest/userLoginAfterEnablingFIPS/users/user_1072549610582667998/config.xml

@@ -0,0 +1,41 @@
+<?xml version='1.1' encoding='UTF-8'?>
+<user>
+  <version>10</version>
+  <id>user</id>
+  <fullName>The User</fullName>
+  <properties>
+    <jenkins.console.ConsoleUrlProviderUserProperty/>
+    <hudson.model.MyViewsProperty>
+      <views>
+        <hudson.model.AllView>
+          <owner class="hudson.model.MyViewsProperty" reference="../../.."/>
+          <name>all</name>
+          <filterExecutors>false</filterExecutors>
+          <filterQueue>false</filterQueue>
+          <properties class="hudson.model.View$PropertyList"/>
+        </hudson.model.AllView>
+      </views>
+    </hudson.model.MyViewsProperty>
+    <hudson.model.PaneStatusProperties>
+      <collapsed/>
+    </hudson.model.PaneStatusProperties>
+    <hudson.search.UserSearchProperty>
+      <insensitiveSearch>true</insensitiveSearch>
+    </hudson.search.UserSearchProperty>
+    <hudson.model.TimeZoneProperty/>
+    <jenkins.model.experimentalflags.UserExperimentalFlagsProperty>
+      <flags/>
+    </jenkins.model.experimentalflags.UserExperimentalFlagsProperty>
+    <jenkins.security.ApiTokenProperty>
+      <tokenStore>
+        <tokenList/>
+      </tokenStore>
+    </jenkins.security.ApiTokenProperty>
+    <hudson.security.HudsonPrivateSecurityRealm_-Details>
+      <passwordHash>#jbcrypt:$2a$10$Nm37vwdZwJ5T2QTBwYuBYONHD3qKilgd5UO7wuDXI83z5dAdrgi4i</passwordHash>
+    </hudson.security.HudsonPrivateSecurityRealm_-Details>
+    <jenkins.security.seed.UserSeedProperty>
+      <seed>ec31fd374346de1e</seed>
+    </jenkins.security.seed.UserSeedProperty>
+  </properties>
+</user>

test/src/test/resources/hudson/security/HudsonPrivateSecurityRealmFIPSTest/userLoginAfterEnablingFIPS/users/users.xml

@@ -0,0 +1,10 @@
+<?xml version='1.1' encoding='UTF-8'?>
+<hudson.model.UserIdMapper>
+  <version>1</version>
+  <idToDirectoryNameMap class="concurrent-hash-map">
+    <entry>
+      <string>user</string>
+      <string>user_1072549610582667998</string>
+    </entry>
+  </idToDirectoryNameMap>
+</hudson.model.UserIdMapper>