7 commits

Author	SHA1	Message	Date
Jesse Hallam	71ca373de7	Generate instead of hard-coding test passwords, enforce new minimum for FIPS, shard CI, fix FIPS builds (#35905) ... * Replace hardcoded test passwords with model.NewTestPassword() Add model.NewTestPassword() utility that generates 14+ character passwords meeting complexity requirements for FIPS compliance. Replace all short hardcoded test passwords across the test suite with calls to this function. * Enforce FIPS compliance for passwords and HMAC keys FIPS OpenSSL requires HMAC keys to be at least 14 bytes. PBKDF2 uses the password as the HMAC key internally, so short passwords cause PKCS5_PBKDF2_HMAC to fail. - Add FIPSEnabled and PasswordFIPSMinimumLength build-tag constants - Raise the password minimum length floor to 14 when compiled with requirefips, applied in SetDefaults only when unset and validated independently in IsValid - Return ErrMismatchedHashAndPassword for too-short passwords in PBKDF2 CompareHashAndPassword rather than a cryptic OpenSSL error - Validate atmos/camo HMAC key length under FIPS and lengthen test keys accordingly - Adjust password validation tests to use PasswordFIPSMinimumLength so they work under both FIPS and non-FIPS builds * CI: shard FIPS test suite and extract merge template Run FIPS tests on PRs that touch go.mod or have 'fips' in the branch name. Shard FIPS tests across 4 runners matching the normal Postgres suite. Extract the test result merge logic into a reusable workflow template to deduplicate the normal and FIPS merge jobs. * more * Fix email test helper to respect FIPS minimum password length * Fix test helpers to respect FIPS minimum password length * Remove unnecessary "disable strict password requirements" blocks from test helpers * Fix CodeRabbit review comments on PR #35905 - Add server-test-merge-template.yml to server-ci.yml pull_request.paths so changes to the reusable merge workflow trigger Server CI validation - Skip merge-postgres-fips-test-results job when test-postgres-normal-fips was skipped, preventing failures due to missing artifacts - Set guest.Password on returned guest in CreateGuestAndClient helper to keep contract consistent with CreateUserWithClient - Use shared LowercaseLetters/UppercaseLetters/NUMBERS/PasswordFIPSMinimumLength constants in NewTestPassword() to avoid drift if FIPS floor changes https://claude.ai/code/session_01HmE9QkZM3cAoXn2J7XrK2f * Rename FIPS test artifact to match server-ci-report pattern The server-ci-report job searches for artifacts matching "*-test-logs", so rename from postgres-server-test-logs-fips to postgres-server-fips-test-logs to be included in the report. --------- Co-authored-by: Claude <noreply@anthropic.com>	2026-04-08 16:49:43 -03:00
Christopher Speller	9b01e406f4	Move password hashers from server/v8 to server/public to fix module layering violation (#35805)a ... * Move password hashers from server/v8 to server/public to fix layering violation * Revert "Move password hashers from server/v8 to server/public to fix layering violation" This reverts commit 8cad5b8dc9. * invert dependency between hashers and model * make modules-tidy --------- Co-authored-by: Jesse Hallam <jesse@mattermost.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-04-01 15:20:12 +00:00
Carlos Garcia	fd2dd1c618	updated go to version 1.25.8 (#35817) ... * updated go to version 1.25.8 * updated gotestsum version to work with go 1.25.8 go 1.25 does not work with indirect tools 0.11 dependency pulled by gotestsum. * Use sync.WaitGroup.Go to simplify goroutine creation Replace the wg.Add(1) + go func() { defer wg.Done() }() pattern with wg.Go(), which was introduced in Go 1.25. * pushes fips image on workflow dispatch to allow fips test to run on go version update * fix new requirements for FIPS compliance imposed on updating to go 1.25.8 * updates openssl symbol check for library shipped with FIPS new versions go-openssl v2 shipped with FIPS versions starting from 1.25 uses mkcgo to generate bindings causing symbol names to be different. * removes temp workflow-dispatch condition * keep versions out of agents md file	2026-03-27 21:11:52 +01:00
Alejandro García Montoro	7201f42d95	MM-67277: Add check to legacy hasher (#35092) ... * Add check to legacy hasher * Make the linter happy	2026-01-29 17:47:48 +01:00
Alejandro García Montoro	7bbf8c71a2	Add missing check (#35034)	2026-01-24 13:55:59 +01:00
Jesse Hallam	219530c82c	Add fast test hasher to speed up CI tests (#34707) ... The production password hasher uses PBKDF2 with 600,000 iterations, which is slow especially when combined with race detection. This adds a fast test hasher (work factor 1) that can be used during tests to speed up user creation. The fast hasher is only available in non-production builds via build tags, ensuring it cannot be used in production.	2025-12-11 09:46:21 -04:00
Alejandro García Montoro	c28d13cbc9	MM-64692: Migrate passwords to PBKDF2 (#33830) ... * Add parser and hasher packages The new `password` module includes two packages: - `hashers` provides a structure allowing for seamless migrations between password hashing methods. It also implements two password hashers: bcrypt, which was the current hashing method, and PBKDF2, which is the one we are migrating to. - `parser` provides types and primitives to parse PHC[0] strings, serving as the foundation of the `PasswordHasher` interface and implementations, which are all PHC-based. [0] https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md * Use latest hasher to hash new passwords The previous commit added a LatestHasher variable, that contains the `PasswordHasher` currently in use. Here, we make sure we use it for hashing new passwords, instead of the currently hardcoded bcrypt. * Use errors from hashers' package Some chore work to unify errors defined in `hashers`, not from external packages like `bcrypt`. * Implement password migration logic This commit implements the actual logic to migrate passwords, which can be summarized as: 0. When the user enters their password (either for login in `App.CheckPasswordAndAllCriteria` or for double-checking the password when the app needs additional confirmation for anything in `App.DoubleCheckPassword`), this process is started. 1. The new `App.checkUserPassword` is called. In `users.CheckUserPassword`, we parse the stored hashed password with the new PHC parser and identify whether it was generated with the current hashing method (PBKDF2). If it is, just verify the password as usual and continue normally. 2. If not, start the migration calling `App.migratePassword`: a. First, we call `Users.MigratePassword`, which validates that the stored hash and the provided password match, using the hasher that generated the old hash. b. If the user-provided password matches the old hash, then we simply re-hash that password with our current hasher, the one in `hashers.LatestHasher`. If not, we fail. c. Back in `App.migratePassword`, if the migration was successful, then we update the user in the database with the newly generated hash. * make i18n-extract * Rename getDefaultHasher to getOriginalHasher * Refactor App checkUserPsasword and migratePassword Simplify the flow in these two methods, removing the similarly named users.CheckUserPassword and users.MigratePassword, inlining the logic needed in the App layer and at the same time removing the need to parse the stored hash twice. This implements a package-level function, CompareHashAndPassword: the first step to unexport LatestHasher. * Add a package level Hash method This completely removes the need to expose LatestHasher, and lets us also remove model.HashPassword, in favour of the new hashers.Hash * Unexport LatestHasher * Remove tests for removed functions * Make the linter happy * Remove error no longer used * Allow for parameter migrations on the same hasher Before this, we were only checking that the function ID of the stored hash was the ID of the latest hashing method. Here, we no longer ignore the parameters, so that if in the future we need to migrate to the same hashing method with a different parameter (let's say PBKDF2 with work factor 120,000 instead of work factor 60,000), we can do it by updating the latestHasher variable. IsPHCValid will detect this change and force a migration if needed. * Document new functions * make i18n-extract * Fix typo in comment Co-authored-by: Ben Cooke <benkcooke@gmail.com> * Rename parser package to phcparser * Simplify phcparser.New documentation * Rename scanSymbol to scanSeparator Redefine the list of separator tokens, including EOF as one. * Document undocumented functions that are unexported * Reorder error block in checkUserPassword * Add unit tests for IsLatestHasher * Reorder code in parser.go * Enforce SHA256 as internal function for PBKDF2 * Fix typo in comment Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> --------- Co-authored-by: Ben Cooke <benkcooke@gmail.com> Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2025-09-11 16:43:34 +02:00