[JENKINS-73827] checkin password length at login with AD plugin in FIPS mode

src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java

@@ -24,6 +24,7 @@
 package hudson.plugins.active_directory;
 
 import com4j.typelibs.ado20.ClassFactory;
+import io.jenkins.cli.shaded.org.apache.commons.lang.StringUtils;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
@@ -941,6 +942,11 @@ public UserDetails loadUserByUsername(String username) throws UsernameNotFoundEx
 
     @Override
     protected UserDetails authenticate(String username, String password) throws AuthenticationException {
+        // Check if the password length is less than 14 characters
+        if(FIPS140.useCompliantAlgorithms() && StringUtils.length(password) < 14) {
+            throw new IllegalArgumentException(Messages.passwordTooShortFIPS());
+        }
+
         UserDetails userDetails = getAuthenticationProvider().retrieveUser(username,new UsernamePasswordAuthenticationToken(username,password));
         SecurityListener.fireAuthenticated(userDetails);
         return userDetails;

src/main/resources/hudson/plugins/active_directory/Messages.properties

@@ -13,4 +13,5 @@ TlsConfiguration.TrustAllCertificates = (Insecure) Trust all Certificates
 TlsConfiguration.JdkTrustStore = JDK TrustStore
 
 TlsConfiguration.AdministrativeMonitor.DisplayName = Active Directory TLS Configuration Monitor
-TlsConfiguration.ErrorMessage = Disabling TLS in FIPS mode is not allowed. Either enable StartTls or Require TLS.
+TlsConfiguration.ErrorMessage = Disabling TLS in FIPS mode is not allowed. Either enable StartTls or Require TLS.
+passwordTooShortFIPS = Password is too short (< 14 characters)

src/test/java/hudson/plugins/active_directory/docker/FIPSActiveDirectoryLoginTest.java

@@ -0,0 +1,101 @@
+package hudson.plugins.active_directory.docker;
+
+import java.net.InetAddress;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.acegisecurity.AuthenticationServiceException;
+import org.acegisecurity.userdetails.UserDetails;
+import org.hamcrest.MatcherAssert;
+import org.hamcrest.Matchers;
+import org.htmlunit.FailingHttpStatusCodeException;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+import org.jvnet.hudson.test.FlagRule;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.LoggerRule;
+
+import hudson.plugins.active_directory.ActiveDirectoryDomain;
+import hudson.plugins.active_directory.ActiveDirectoryInternalUsersDatabase;
+import hudson.plugins.active_directory.ActiveDirectorySecurityRealm;
+import hudson.plugins.active_directory.CacheConfiguration;
+import hudson.plugins.active_directory.DNSUtils;
+import hudson.plugins.active_directory.GroupLookupStrategy;
+
+import static org.hamcrest.Matchers.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.matchers.JUnitMatchers.containsString;
+
+/**
+ * Author: Nevin Sunny
+ * Date: 26/09/24
+ * Time: 7:25 pm
+ */
+public class FIPSActiveDirectoryLoginTest {
+
+	@Rule(order = 0)
+	public RequireDockerRule rdr = new RequireDockerRule();
+
+	@Rule(order = 1)
+	public ActiveDirectoryGenericContainer<?> docker = new ActiveDirectoryGenericContainer<>().withDynamicPorts();
+
+	@Rule(order = 2) // start Jenkins after the container so that timeouts do not apply to container building.
+	public JenkinsRule j = new JenkinsRule();
+
+	@Rule
+	public LoggerRule l = new LoggerRule();
+
+	@ClassRule
+	public static TestRule fip140Prop = FlagRule.systemProperty("jenkins.security.FIPS140.COMPLIANCE", "false");
+
+	private final static String AD_DOMAIN = "samdom.example.com";
+	private final static String AD_MANAGER_DN = "CN=Administrator,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM";
+	private final static String AD_MANAGER_DN_PASSWORD = "ia4uV1EeKait";
+	private final static int MAX_RETRIES = 30;
+	private String dockerIp;
+	private int dockerPort;
+
+	@Before
+	public void setup() throws Exception {
+		String DNS_URLs = new URI("dns", null, InetAddress.getByName(docker.getHost()).getHostAddress(), Integer.parseInt(docker.getDNSPort()), null, null, null).toASCIIString();
+		System.setProperty(DNSUtils.OVERRIDE_DNS_PROPERTY, DNS_URLs);
+
+		dockerIp = docker.getHost();
+		dockerPort = docker.getMappedPort(3268);
+		ActiveDirectoryDomain activeDirectoryDomain = new ActiveDirectoryDomain(AD_DOMAIN,
+		                                                                        dockerIp + ":" +  dockerPort , null, AD_MANAGER_DN, AD_MANAGER_DN_PASSWORD);
+		List<ActiveDirectoryDomain> domains = new ArrayList<>(1);
+		domains.add(activeDirectoryDomain);
+		ActiveDirectorySecurityRealm activeDirectorySecurityRealm = new ActiveDirectorySecurityRealm(null, domains, null, null, null
+				, null, GroupLookupStrategy.RECURSIVE, false, true, null, false, null, true);
+		j.getInstance().setSecurityRealm(activeDirectorySecurityRealm);
+		UserDetails userDetails = null;
+		int i = 0;
+		while (i < MAX_RETRIES && userDetails == null) {
+			try {
+				userDetails = j.jenkins.getSecurityRealm().loadUserByUsername("Fred");
+			} catch (AuthenticationServiceException e) {
+				Thread.sleep(1000);
+			}
+			i ++;
+		}
+	}
+
+	@Test(expected = FailingHttpStatusCodeException.class)
+	public void testLoginFailureWithShortPasswordInFIPSmode() throws Exception {
+		// Try to login as Fred with a short password
+		j.createWebClient().login("Fred", "ia4uV1EeKait");
+	}
+
+	@Test
+	public void simpleLoginSuccessful() throws Exception {
+		JenkinsRule.WebClient wc = j.createWebClient().login("Dino", "p1bfdrMsqyHhbAm");
+		MatcherAssert.assertThat(wc.goToXml("whoAmI/api/xml").asXml().replaceAll("\\s+", "")
+				, Matchers.containsString("<name>Dino</name>"));
+	}
+}

src/test/resources/hudson/plugins/active_directory/docker/TheFlintstonesTest/TheFlintstones/custom.sh

@@ -13,10 +13,12 @@ samba-tool user add Fred ia4uV1EeKait
 samba-tool user add Wilma ia4uV1EeKait
 samba-tool user add Barney ia4uV1EeKait
 samba-tool user add Betty ia4uV1EeKait
+samba-tool user add Dino p1bfdrMsqyHhbAm
 
 # add users to groups
 samba-tool group addmembers The-Flintstones Fred
 samba-tool group addmembers The-Flintstones Wilma
+samba-tool group addmembers The-Flintstones Dino
 samba-tool group addmembers "The Rubbles" Barney
 
 # add alias for the "The Rubbles"