diff --git a/lib/auth/password.go b/lib/auth/password.go
index 4c0a9474d7bd2..4ed50ac40451c 100644
--- a/lib/auth/password.go
+++ b/lib/auth/password.go
@@ -171,11 +171,6 @@ func (a *Server) ChangePassword(ctx context.Context, req *proto.ChangePasswordRe
 func (a *Server) checkPasswordWOToken(user string, password []byte) error {
 	const errMsg = "invalid username or password"
 
-	err := services.VerifyPassword(password)
-	if err != nil {
-		return trace.BadParameter(errMsg)
-	}
-
 	hash, err := a.GetPasswordHash(user)
 	if err != nil && !trace.IsNotFound(err) {
 		return trace.Wrap(err)
diff --git a/lib/auth/password_test.go b/lib/auth/password_test.go
index 65af3c27e9c84..96c9d89945bee 100644
--- a/lib/auth/password_test.go
+++ b/lib/auth/password_test.go
@@ -30,6 +30,7 @@ import (
 	"github.com/jonboulle/clockwork"
 	"github.com/pquerna/otp/totp"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/bcrypt"
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/client/proto"
@@ -46,6 +47,7 @@ import (
 	"github.com/gravitational/teleport/lib/events/eventstest"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/services/suite"
+	"github.com/gravitational/teleport/lib/utils"
 )
 
 type passwordSuite struct {
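Review bot: With the services.VerifyPassword call removed, nothing in checkPasswordWOToken records that skipping the length policy on the verification path is deliberate, and the next maintainer is likely to put the check back; a doc comment should state the contract, e.g. `// checkPasswordWOToken verifies password against the stored hash without enforcing the length policy: length is validated when a password is set, so hashes created under an older, shorter minimum remain usable.` The removed block was also the point on this path that rejected inputs longer than the maximum before any hash work, so it is worth confirming that the comparison further down (outside this hunk) bounds or tolerates oversized input rather than assuming a caller did; if it is bcrypt-based, as the new test's use of utils.BcryptFromPassword suggests, bcrypt only considers the first 72 bytes, which is benign for cost but worth a line in the same comment. The function body continues past the end of the hunk.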
@@ -126,6 +128,38 @@ func TestUserNotFound(t *testing.T) {
 	require.True(t, trace.IsBadParameter(err))
 }
 
+func TestPasswordLengthChange(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+	srv := newTestTLSServer(t)
+	authServer := srv.Auth()
+
+	ap, err := types.NewAuthPreference(types.AuthPreferenceSpecV2{
+		Type: constants.Local,
+		SecondFactor: constants.SecondFactorOff,
+	})
+	require.NoError(t, err)
+
+	err = authServer.SetAuthPreference(ctx, ap)
+	require.NoError(t, err)
+
+	username := fmt.Sprintf("llama%v@goteleport.com", rand.Int())
+	password := []byte("a")
+	_, _, err = CreateUserAndRole(authServer, username, []string{username}, nil)
+	require.NoError(t, err)
+
+	hash, err := utils.BcryptFromPassword(password, bcrypt.DefaultCost)
+	require.NoError(t, err)
+
+	// Set an initial password that is shorter than minimum length
+	err = authServer.UpsertPasswordHash(username, hash)
+	require.NoError(t, err)
+
+	// Ensure that a shorter password still works for auth
+	err = authServer.checkPasswordWOToken(username, password)
+	require.NoError(t, err)
+}
+
 func TestChangePassword(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
diff --git a/lib/services/identity_test.go b/lib/services/identity_test.go
index 78e0f6398ebcf..e207ebc253008 100644
--- a/lib/services/identity_test.go
+++ b/lib/services/identity_test.go
@@ -26,6 +27,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/defaults"
 )
 
 func TestSAMLAuthRequest_Check(t *testing.T) {
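Review bot: TestPasswordLengthChange only shows that a one-byte password is accepted; it does not show that the hash comparison still runs on that path, i.e. that a wrong short password is rejected now that the length check no longer short-circuits ahead of it. A negative assertion after the successful check, `err = authServer.checkPasswordWOToken(username, []byte("b"))` followed by `require.Error(t, err)` (or `require.True(t, trace.IsBadParameter(err))` if that is what the mismatch path returns, as TestUserNotFound expects for its case), pins that behaviour. The first comment could also name the policy being bypassed, e.g. `// Set an initial password shorter than defaults.MinPasswordLength to emulate a hash created under an older policy`. The two import hunks in this file are trivial.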
@@ -326,3 +327,39 @@ func TestGithubAuthRequest_Check(t *testing.T) {
 		})
 	}
 }
+
+func TestVerifyPassword(t *testing.T) {
+	tests := []struct {
+		name string
+		pass []byte
+		wantErr bool
+	}{
+		{
+			name: "password too short",
+			pass: make([]byte, defaults.MinPasswordLength-1),
+			wantErr: true,
+		},
+		{
+			name: "password just right",
+			pass: make([]byte, defaults.MinPasswordLength),
+			wantErr: false,
+		},
+		{
+			name: "password too long",
+			pass: make([]byte, defaults.MaxPasswordLength+1),
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := VerifyPassword(tt.pass)
+			if tt.wantErr {
+				require.Error(t, err)
+				require.True(t, trace.IsBadParameter(err))
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
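Review bot: The table in TestVerifyPassword covers both off-by-one rejections and the minimum boundary but not the maximum boundary, so a regression that turned the upper check into a rejection of exactly MaxPasswordLength bytes would still pass; add `{name: "password at max length", pass: make([]byte, defaults.MaxPasswordLength), wantErr: false}`. An empty case, `{name: "empty password", pass: nil, wantErr: true}`, would likewise document that a nil slice is rejected rather than mishandled. Once the login-path check in lib/auth/password.go is gone, VerifyPassword is the remaining length gate for newly set passwords, so these boundaries carry more weight than before.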