[JENKINS-73827] Adding a login password length check on ActiveDirectorySecurityRealm.…

src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java

@@ -24,6 +24,7 @@
 package hudson.plugins.active_directory;
 
 import com4j.typelibs.ado20.ClassFactory;
+import io.jenkins.cli.shaded.org.apache.commons.lang.StringUtils;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
@@ -941,6 +942,10 @@ public UserDetails loadUserByUsername(String username) throws UsernameNotFoundEx
 
     @Override
     protected UserDetails authenticate(String username, String password) throws AuthenticationException {
+        // Check if the password length is less than 14 characters
+        if(FIPS140.useCompliantAlgorithms() && StringUtils.length(password) < 14) {
+            throw new IllegalArgumentException(Messages.passwordTooShortFIPS());
+        }
         UserDetails userDetails = getAuthenticationProvider().retrieveUser(username,new UsernamePasswordAuthenticationToken(username,password));
         SecurityListener.fireAuthenticated(userDetails);
         return userDetails;

src/main/resources/hudson/plugins/active_directory/Messages.properties

@@ -13,4 +13,6 @@ TlsConfiguration.TrustAllCertificates = (Insecure) Trust all Certificates
 TlsConfiguration.JdkTrustStore = JDK TrustStore
 
 TlsConfiguration.AdministrativeMonitor.DisplayName = Active Directory TLS Configuration Monitor
-TlsConfiguration.ErrorMessage = Disabling TLS in FIPS mode is not allowed. Either enable StartTls or Require TLS.
+TlsConfiguration.ErrorMessage = Disabling TLS in FIPS mode is not allowed. Either enable StartTls or Require TLS.
+
+passwordTooShortFIPS = Password is too short (< 14 characters)

src/test/java/hudson/plugins/active_directory/ActiveDirectoryLoginInFIPSModeTest.java

@@ -0,0 +1,88 @@
+package hudson.plugins.active_directory;
+
+import java.lang.reflect.Field;
+import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
+import org.acegisecurity.userdetails.UserDetails;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import jenkins.security.FIPS140;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThrows;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.when;
+
+/**
+ * Author: Nevin Sunny
+ * Date: 30/09/24
+ * Time: 10:13 am
+ */
+public class ActiveDirectoryLoginInFIPSModeTest {
+
+
+	private ActiveDirectorySecurityRealm securityRealm;
+	private AbstractActiveDirectoryAuthenticationProvider authenticationProvider;
+
+	@Before
+	public void setUp() throws NoSuchMethodException, NoSuchFieldException, IllegalAccessException {
+		securityRealm = new ActiveDirectorySecurityRealm("domain", "site"
+				, "bindName", "bindPassword", "server");
+
+		// Create a mock instance of AbstractActiveDirectoryAuthenticationProvider
+		authenticationProvider = Mockito.mock(AbstractActiveDirectoryAuthenticationProvider.class);
+
+		// Use reflection to set the private field
+		Field field = ActiveDirectorySecurityRealm.class.getDeclaredField("authenticationProvider");
+		field.setAccessible(true);
+		field.set(securityRealm, authenticationProvider);
+
+	}
+
+	@After
+	public void tearDown() {
+		// Clear all static mocks after each test
+		Mockito.clearAllCaches();
+	}
+
+	@Test
+	public void testAuthenticateWithShortPassword() {
+		// Set FIPS to compliant algorithms
+		Mockito.mockStatic(FIPS140.class);
+		when(FIPS140.useCompliantAlgorithms()).thenReturn(true);
+
+		String username = "user";
+		String password = "short";
+
+		Exception exception = assertThrows(IllegalArgumentException.class, () -> {
+			securityRealm.authenticate(username, password);
+		});
+
+		assertEquals(Messages.passwordTooShortFIPS(),exception.getMessage() );
+	}
+
+	@Test
+	public void testAuthenticateWithValidPassword() {
+		// Set FIPS to compliant algorithms
+		Mockito.mockStatic(FIPS140.class);
+		when(FIPS140.useCompliantAlgorithms()).thenReturn(true);
+
+		String username = "user";
+		String password = "verylongpassword";
+
+		// Mock the retrieveUser method
+		UserDetails mockUserDetails = Mockito.mock(UserDetails.class);
+		when(mockUserDetails.getUsername()).thenReturn("user");
+		when(authenticationProvider.retrieveUser(anyString(), any(UsernamePasswordAuthenticationToken.class)))
+				.thenReturn(mockUserDetails);
+
+		UserDetails userDetails = securityRealm.authenticate(username, password);
+
+		assertEquals("user",userDetails.getUsername() );
+	}
+
+
+}